SCOM AD Integration with a separate forest using Gateways
Hi everyone, I'm trying to determine how to set up AD Integration for systems in an AD domain that is in a separate forest from the RMS. Our RMS (cluster) is in our corporate domain and the domain controllers for our Test Network are in a separate forest. The test network domain controllers connect to gateways that are connected to the RMS. There is a one-way trust between the corporate domain and Test Network domain (users can log in to the test network machines using their corporate domain logins). AD Integration has been set up for the corporate domain and it is working fine. However, although the SCOM console will permit me to manually type in the test network FQDN and create a query for those systems that are connected to the test network gateway, do I need to run the MOMADAdmin tool on the test network domain as well? What I'm thinking is that if the test network DCs try to query AD for management server information, they will query the test network domain since that is their domain. Therefore, I'm thinking that I will need to run the MOMADAdmin tool to create objects in AD for the test network domain as well (but I'm not sure about this). Thank you in advance for your help!
September 10th, 2010 11:36pm

I've never tried this scenario, but you definitely need to set up the AD integration in the test domain.
Rob Korving http://jama00.wordpress.com/
September 11th, 2010 9:35am

You can use the AD integration across Gateways. You need to set up each Gateway with the AD integration wizard and ensure the password for the Gateway can access the AD. You then need to run the MOMADAdmin tool in each forest.
Simon Skinner MS MVP www.systemcentercentral.com
September 11th, 2010 10:24am

From what it sounds like, you want these DCs in the other domain to use AD Integration. This will not work as expected, because DCs inherently can read all objects. If a DC is configured to use AD Int, it will be able to query all SCPs and will set the first MS it reads as its Primary. Your LDAP queries defined in your AD Int rules will not be used. For all other agent-managed computers (not DCs)... yes, you do need to run the MOMADAdmin tool in the other domain, using an account that is in that domain, and setting up a Run As Account in the management group. Tip: do not use the domain drop-down list. Enter the credential in domain\username format.
HTH, Jonathan Almquist - MSFT
September 12th, 2010 7:23am

Thanks everyone for your help. Just to clarify, our Test Network forest contains two child domains. From what I understand, the MOMADAdmin tool will also need to be run on a DC in each child domain as well, right? There are a total of six domain controllers in that forest (two DCs for each domain). However, everything in that forest will ultimately point to two Gateway servers (the extra gateway is for fail-over purposes). So my thought was to run the MOMADAdmin tool on each domain, using the gateway server as the management server. My thought is that all agents that are installed in each domain (on non-DCs) would then know to connect to the gateway server as their management server automatically and fail over to the backup gateway server if needed. Thanks!
September 13th, 2010 7:09pm

I just wanted to follow up and see if someone could tell me if my thoughts listed above were correct. Also, the Ops Manager Action account is in the same domain as the RMS. The gateways, however, are in the test network domain (the same domain as the gateways). There is a one-way trust from the main domain to the test network domain, but this action account is also part of the Domain Administrators group in the test network domain. Is it possible to use this account as the action account for test network machines as well? Or do I need to create another Action Account in the test network domain? Finally, when running the MOMADAdmin command on the test network domain, should I be using the name of one of the gateways instead of the RMS name? Or will the RMS automatically assign agents in the test network domain to use the gateways (based on the AD query that I set up in the console)? Thanks for your help!
September 16th, 2010 1:10am

You would want to run MOMADAdmin in each domain.
October 7th, 2010 3:50am
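A way to check the advice above from the defender's side, added here as an example and not part of the thread: after MOMADAdmin has been run in a domain it creates an OperationsManager container at the domain root with the management group's container and one serviceConnectionPoint per published management server (or gateway) beneath it, so enumerating every domain in the test forest and listing those SCPs shows whether agents there would discover the gateways or nothing at all. The forest name, management group name and gateway names are placeholders, and the script assumes the ActiveDirectory RSAT module plus an account that can read the test forest over the one-way trust.

```powershell
# Added example (not from the thread): verify per-domain SCOM AD Integration objects.
# Assumptions: ActiveDirectory module available; the running account can read each
# domain of the test forest; "OperationsManager" is the container MOMADAdmin creates.
Import-Module ActiveDirectory

$TestForest      = 'testnet.example'          # placeholder: test network forest
$ManagementGroup = 'MG_PLACEHOLDER'           # placeholder: SCOM management group name
$ExpectedServers = @('GATEWAY1', 'GATEWAY2')  # placeholder: gateways agents should find

function Test-ScomAdIntegration {
    param([string]$Forest, [string]$MgName, [string[]]$Expected)

    $results = @()
    foreach ($domainName in (Get-ADForest -Identity $Forest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dc     = $domain.PDCEmulator
        $root   = $domain.DistinguishedName

        # Search rather than bind by DN so a missing container is a result, not an error.
        $momContainer = Get-ADObject -Server $dc -SearchBase $root -SearchScope OneLevel `
            -LDAPFilter '(&(objectClass=container)(cn=OperationsManager))'

        if (-not $momContainer) {
            $results += [pscustomobject]@{ Domain = $domainName; Status = 'MOMADAdmin not run'; Servers = @() }
            continue
        }

        # Each published management server / gateway is a serviceConnectionPoint under
        # CN=<ManagementGroup>,CN=OperationsManager,<domain root>; agents bind to one of these.
        $scps = Get-ADObject -Server $dc -SearchBase "CN=$MgName,$($momContainer.DistinguishedName)" `
            -LDAPFilter '(objectClass=serviceConnectionPoint)' -ErrorAction SilentlyContinue
        $names = @($scps | ForEach-Object { $_.Name })

        # Flag the risky case from the thread: the RMS published here instead of the gateways.
        $missing = $Expected | Where-Object { $names -notcontains $_ }
        $extra   = $names    | Where-Object { $Expected -notcontains $_ }
        $status  = if (-not $missing -and -not $extra) { 'OK' }
                   elseif ($extra) { "Unexpected MS published: $($extra -join ', ')" }
                   else { "Missing: $($missing -join ', ')" }

        $results += [pscustomobject]@{ Domain = $domainName; Status = $status; Servers = $names }
    }
    return $results
}

Test-ScomAdIntegration -Forest $TestForest -MgName $ManagementGroup -Expected $ExpectedServers |
    Format-Table -AutoSize
```

Run it from a corporate-domain machine that can reach the test forest DCs; a domain reporting "MOMADAdmin not run" is one where agents will fall back to manual assignment, and an unexpected name under Servers means agents there could bind to that server instead of a gateway.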
