Connecting management groups from non-trusted domains
Hi there,

I have a question about management groups. I've read this page http://technet.microsoft.com/en-us/library/bb418761.aspx among some other documentation and I am still wondering a couple of things.

First of all I would like to know whether it's possible to have multiple management groups from non-trusted domains connected to a local management group. The following text suggests it is possible:

-----------
If local and connected management groups are not in the same domain and there is no trust relationship between the two domains, you will have to create accounts in the connected management group domain for the users in the local management group domain to use
----------

But how does this work? Will users, using the console connected to the local management group, have to provide the relevant credentials when clicking on the "Show Connected Alerts" button?

The following text suggests you have to give credentials all the time, no matter whether the management group is in a trusted or non-trusted domain.

----
A Log On dialog box appears and prompts the user for credentials (to log on to the connected management groups). Enter the credentials, and then click OK. Alerts appear from all connected management groups for which you have access and permission. You can run tasks in the managed computers of connected management groups.
-----

Another text on this page tells you connecting management groups from non-trusted domains is not possible at all?!

-----
In this procedure, you create a connection between two management groups. These management groups can be in the same domain, or they can be in trusted domains. You can connect to management groups that are in domains that are not trusted, but you cannot view data from those domains until you add an account from the domain of the local management groups to an Operations Manager role for the connected management group. To do this, a trust must be established between the domains
------

I don't get it.
Does anyone?


July 2nd, 2012 5:43pm

Hello Chris,

Did you notice this paragraph:

If the local management group and the connected management group are not using the same SDK and Config Service account, then select Other user account, and complete the User name, Password, and Domain fields with the SDK account for the connected management group.

I believe monitoring across trust boundaries is possible if you have proper accounts in the connected management group domain.

Thanks,
July 4th, 2012 2:21pm

Yes I did. But the whole documentation about it is still pretty confusing. I still need clear info.

July 6th, 2012 12:49am

Hi Chris,

I have played around with this for a while. I also found that there is a bug in the SCOM 2012 RC. I wrote a blog about this that also describes some steps to take: http://www.pageonline.nl/index.php/performance/pc/50-intro

I hope this helps!

July 6th, 2012 3:13pm

The blog doesn't cover the issue I've posted. Yog Li's post doesn't either, to be honest. So Yog Li, please don't mark this thread as answered yet. Thanks.
July 19th, 2012 8:14pm

Hi Chris,

If these links do not provide you with an answer, can you please tell us the exact question? The short answer to whether it is possible to connect management groups in untrusted domains is: yes, if the builds of the connected management groups are the same, you have the right ports open (TCP 5723 and TCP 5724), name resolution works and certificates are installed.

Thanks.


August 2nd, 2012 12:04am

OK, let's pick one question at a time:

I would like to know whether it's possible to have multiple management groups from non-trusted domains connected to a local management group. The following text from http://technet.microsoft.com/en-us/library/bb418761.aspx suggests it is possible:

-----------
If local and connected management groups are not in the same domain and there is no trust relationship between the two domains, you will have to create accounts in the connected management group domain for the users in the local management group domain to use
----------

Then again the following text tells you it is not possible:

In this procedure, you create a connection between two management groups. These management groups can be in the same domain, or they can be in trusted domains. You can connect to management groups that are in domains that are not trusted, but you cannot view data from those domains until you add an account from the domain of the local management groups to an Operations Manager role for the connected management group. To do this, a trust must be established between the domains

Which is true?

October 25th, 2012 1:31am

Hi Chris20052005, 

Both are true!

1. Yes, you can connect to another management group which is in an untrusted domain. But keep the versions of the UR the same (especially if this DLL is changed: Microsoft.EnterpriseManagement.DataAccessService.OperationsManager.dll), because, as usual, you can connect to a not-updated MS, but I doubt whether you can connect from a not-updated MS to an updated one; to be more exact, you'll be able to connect but see no alerts from the connected management group.

2. It's about the addition of accounts, so this means you cannot add local management group accounts to an Operations Manager role for the connected management group, and this can only be done if there is a trust between the domains. Read it once again and be careful :) But you can use accounts of the connected management group to connect.

But you don't need a trust between the domains to use the connected management group feature.

So the answer to your question is YES.



October 25th, 2012 7:37pm
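The two replies above describe the prerequisites (same build, TCP 5723 and 5724 reachable, name resolution working) and the account model (an account from the connected management group's own domain that already holds an Operations Manager role there). The following PowerShell script, added here as an illustration and not posted by anyone in the thread, checks those prerequisites from the local management server and then opens the connection with explicit credentials using the OperationsManager module's New-SCOMManagementGroupConnection cmdlet. The host name ms01.remote.example, the domain REMOTE and the account scomreader are placeholders.

```powershell
# Added example (not from the thread): pre-flight checks for a connected
# management group in an untrusted domain, then a connection using an account
# from the *connected* group's domain, as the replies above describe.
# Host name, domain and account name are placeholders (assumptions).

$ConnectedMs  = 'ms01.remote.example'   # a management server of the connected MG
$Ports        = 5723, 5724              # MS/agent channel and SDK (Data Access) service
$RemoteDomain = 'REMOTE'                # domain of the connected MG; no trust with ours

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; avoids depending on Test-NetConnection
    # (Windows Server 2012+ only).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Name resolution must work from the local management server.
try {
    $addr = [System.Net.Dns]::GetHostEntry($ConnectedMs).AddressList | Select-Object -First 1
    Write-Host "$ConnectedMs resolves to $addr"
} catch {
    throw "Name resolution for $ConnectedMs failed: $($_.Exception.Message)"
}

# 2. TCP 5723 and 5724 must be reachable. A filtered 5724 is what usually
#    surfaces as a timeout when the console or SDK tries to connect.
foreach ($p in $Ports) {
    if (Test-TcpPort -ComputerName $ConnectedMs -Port $p) {
        Write-Host "TCP $p reachable on $ConnectedMs"
    } else {
        Write-Warning "TCP $p NOT reachable on $ConnectedMs - check firewall rules"
    }
}

# 3. Connect with an account from the connected MG's domain. No domain trust and
#    no certificates are needed for this feature; the account must already be a
#    member of an Operations Manager role in the connected MG.
Import-Module OperationsManager
$cred = Get-Credential "$RemoteDomain\scomreader"
$conn = New-SCOMManagementGroupConnection -ComputerName $ConnectedMs -Credential $cred

# 4. Compare builds. Both MGs should be on the same version/UR, otherwise the
#    connection may succeed while the connected alerts view stays empty.
$remote = Get-SCOMManagementGroup -SCSession $conn
$local  = Get-SCOMManagementGroup
Write-Host ("Local MG '{0}' version {1}"     -f $local.Name,  $local.Version)
Write-Host ("Connected MG '{0}' version {1}" -f $remote.Name, $remote.Version)
if ($local.Version -ne $remote.Version) {
    Write-Warning 'Management group versions differ; apply the same update rollup to both.'
}
```

Run it on a local management server that has the Operations Manager console installed, since the OperationsManager module ships with the console. Step 3 is the point the thread settles on: the credential prompt is answered with an account that exists in the connected management group's domain, so no trust between the two domains is required.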

-----
If these links do not provide you with an answer, can you please tell us the exact question? The short answer to whether it is possible to connect management groups in untrusted domains is: yes, if the builds of the connected management groups are the same, you have the right ports open (TCP 5723 and TCP 5724), name resolution works and certificates are installed.

Thanks.
-----

Hi Marthijn, you're right, but we don't need certificates to use the connected management groups feature between management groups in untrusted domains.
October 26th, 2012 10:01am

Hi Alexis,

You are right. There is no need for certificates.
Thanks for correcting this!

October 29th, 2012 1:05pm

Is it possible to connect to the SCOM SDK service (MS) from a non-trusted domain?

Please check the link below and tell me your suggestions:

http://social.technet.microsoft.com/Forums/systemcenter/en-US/6786f129-6a8e-4020-8730-32a1ee2966a5/unable-to-connect-managementgroupscom-sdk-service-from-nontrust-domain-via-c-code-using-sdk?forum=operationsmanagergeneral

In this link I run C# code in a non-trusted domain to access the SDK service (ManagementGroup) running in another domain. Here it shows a timeout exception. So is it possible to connect or not?

Thanks

satheesh

November 21st, 2013 8:52am

Hi Chris

I know your post is from July 2012 but I'm just about to look at doing this too. I want to connect SCOM 2012 R2 from Azure (as my local mgmt. group) to an untrusted 'on-premise' domain SCOM 2012 R2 Mgmt Group. Did you ever have much luck in getting this to work? I need to avoid AD domain trusts.

Darren



February 12th, 2015 5:27pm
