OpsMgr was unable to set up a communications channel from a trusted domain - event 21016

Hello,

we have set up SCOM 2012 SP1 in our primary domain, PROD. Agents deployed fine in that one. When addressing domain PREP we are stuck in "Failed Agent installation".

With a manual installation we get on all trusted domain agents:

"OpsMgr was unable to set up a communications channel to dom-admin-sco01.prod.dom.local and there are no failover hosts.  Communication will resume when fla-admin-sco01.prod.fla.local is available and communication from this computer is allowed."

As we go through FW, we made sure ports 88, 389 are opened from PREP members to PROD DC so that Kerberos should work.

Port 5723 from PREP members to Management Server dom-admin-sco01.prod.dom.local is also opened.

With a bi-directional trust, we should not need proxy with certificates exchange.

What am I missing?

Thanks in advance for help.

Patrice

August 8th, 2013 2:20am

Hi, Have you approved the agent in SCOM console? By default, SCOM/Operations Manager will reject manually installed agents automatically. You need to change the setting in the Administration Pane -> Settings -> Security to Review new manual agent installations in pending management. Once this is ticked, you should see the agents come up in Pending Management within a few minutes, where you can app
August 8th, 2013 5:36am

Hi,

yes auto-approval is ON and agents end in "Failed Agent Installation".

August 8th, 2013 8:23am

If the installation has already encountered an issue, then we will need to see what the show stopper is. Refer to the link below to install the SCOM agent from the command line with verbose logging enabled so that the failure can be diagnosed from the logs: http://msscadmin.wordpress.com/2013/02/11/scom-2012-sp1-agent-command-line-install/ If you encounter uninstallation issues, you may wish to follow the below as a means of manual uninstallation: http://www.opsman.co.za/?p=74
August 8th, 2013 9:38am

Thanks, it helped to find initial faulty event 20057 from the OpsMgr Connector:

Failed to initialize security context for target MSOMHSvc/dom-admin-sco01.prod.dom.local The error returned is 0x80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.

Then in agent installation log there are no errors: MSI (s) (F0:14) [16:00:06:077]: Windows Installer installed the product. Product Name: System Center 2012 - Operations Manager Agent. Product Version: 7.0.9538.0. Product Language: 0. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

It is clear to me that a FW is blocking between the agent and the management server (dom-admin-sco01.prod.dom.local)

August 8th, 2013 10:23am

>As we go through FW, we made sure ports 88, 389 are opened from PREP members to PROD DC so that Kerberos should work.

Kerberos will work ONLY with a forest trust. It is the only trust type allowing Kerberos. From your errors I am pretty sure you have an external bi-directional trust. Can you check this out?

August 8th, 2013 11:37am

Yes we have bi-directional forest trust. A moment after FW ports were opened, agents started to connect successfully.

Thanks all for your help!

September 3rd, 2013 3:07am
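
The firewall check that resolved this thread, as an added example that is not part of the original posts: run from a PREP member, it tests the TCP ports named above (88 and 389 to the PROD DC, 5723 to the management server) and separates a silent drop from a refused connection. The DC host name is a placeholder because the thread does not give it, and the function name and timeout are assumptions of this example.

```powershell
# Added example: TCP reachability from a PREP agent to the ports named in this thread.
# Works on PowerShell 2.0+. Only TCP is tested; UDP cannot be verified by a connect.
param(
    [string]$ManagementServer = 'dom-admin-sco01.prod.dom.local',   # from the thread
    [string]$DomainController = 'PLACEHOLDER-PROD-DC.prod.dom.local', # placeholder, not from the thread
    [int]$TimeoutMs = 3000                                           # assumed timeout
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # No answer within the timeout is typical of a firewall silently dropping packets.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (no answer, likely filtered)'
        }
        $client.EndConnect($async)   # throws on refusal or name-resolution failure
        return 'Open'
    } catch {
        # An active refusal means the host is reachable but nothing listens on the port.
        return "Failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

$checks = @(
    @{ Target = $DomainController; Port = 88;   Purpose = 'Kerberos' },
    @{ Target = $DomainController; Port = 389;  Purpose = 'LDAP' },
    @{ Target = $ManagementServer; Port = 5723; Purpose = 'OpsMgr agent channel' }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Result  = Test-TcpPort -HostName $c.Target -Port $c.Port -TimeoutMs $TimeoutMs
    }
}

$results | Select-Object Target, Port, Purpose, Result | Format-Table -AutoSize

# Non-zero exit code if any port is unreachable, so the check can be scripted.
if ($results | Where-Object { $_.Result -ne 'Open' }) { exit 1 }
```

A timeout or failure on 88 or 389 matches the event 20057 error 0x80090311 quoted above, since the agent cannot reach a PROD DC to authenticate before it ever talks to port 5723.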

This topic is archived. No further replies will be accepted.
