SCOM 2012R2 Operations Manager Multi-tenancy

Hi

I am interested to hear people's deployment experiences with SCOM OpsMgr 2012 R2 in a multi-tenant / Service Provider environment.

I have an interest in setting up a Management Group that will receive alerts (etc.) from external SCOM 2012 agents located in another geographical location & domain - WITHOUT any AD domain trusts involved. I plan to host my new SCOM 2012 R2 deployment in Azure.

I've looked at the IPD Guide for SCOM but this scenario is out-of-scope of that document. I have read other articles suggesting a 'Gateway Server' - but now I'm confused by the choices for my requirements. Any help / guidance appreciated. Does Microsoft have any sample Architecture guides for this approach?

Thank you



  • Edited by RITS Tech Thursday, February 12, 2015 4:00 PM
February 12th, 2015 6:53pm

Hi!

Usually you put the whole Management Group (Management Server, OPS-DB and DWH-DB) in a shared zone (Azure in your case). In each customer's network you place a Gateway Server which is joined to the customer's domain. For trusts you need certs for the Management Servers and all Gateways from the same root CA. All agents in the customer's domain will communicate with the GW; no need for certs as long as they are in the same domain or other domains that have domain-level trusts to the domain where the GW is hosted.

HTH,
Patrick

February 12th, 2015 7:41pm
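
Added example, not part of the original thread and not SCOM's own tooling: Patrick's reply requires the Management Server and Gateway certificates to come from the same root CA, and this PowerShell sketch checks that for certificates exported to .cer files. The function names and file names are hypothetical, and it assumes the root CA certificate is already in the Trusted Root store of the machine running the check.

```powershell
# Added example: hypothetical helpers, not part of SCOM or the original thread.
function Get-CertRoot {
    param([Parameter(Mandatory)][string]$Path)   # exported .cer file

    # .NET resolves relative paths against the process directory, so resolve first.
    $full  = (Resolve-Path -LiteralPath $Path).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A private CA's revocation endpoints are often unreachable from another
    # tenant's network; skip them so the check only answers "which root?".
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $valid = $chain.Build($cert)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        ChainValid     = $valid
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject    = $last.Subject
        RootThumbprint = $last.Thumbprint
        # Only a self-signed last element means the chain reached a root;
        # otherwise an intermediate or the root itself is missing locally.
        ReachedRoot    = ($last.Subject -eq $last.Issuer)
    }
}

function Test-SameRootCA {
    param([Parameter(Mandatory)][string[]]$Path)

    $results = @($Path | ForEach-Object { Get-CertRoot -Path $_ })
    $results | Format-Table Subject, NotAfter, ChainValid, ChainStatus, RootSubject -AutoSize |
        Out-String | Write-Host

    $roots  = @($results | Where-Object ReachedRoot |
                Select-Object -ExpandProperty RootThumbprint -Unique)
    $broken = @($results | Where-Object { -not $_.ReachedRoot -or -not $_.ChainValid })

    # Pass only if every chain is valid, complete, and ends at one and the same root.
    return ($broken.Count -eq 0 -and $roots.Count -eq 1)
}

# Constructed file names for illustration.
Test-SameRootCA -Path '.\ms01.cer', '.\gw-customerA.cer'
```

A `False` result with `PartialChain` or `UntrustedRoot` in the ChainStatus column points to a missing intermediate or root CA certificate on the machine running the check, rather than to two different CAs.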

Hi Patrick

Thank you for taking some time out to reply to my question - I appreciate your response.

I should have also been clearer by stating that the customers run their own full SCOM 2012 R2 environments - so they have SCOM agents on servers reporting back to their own local deployment of OpsMgr. Therefore the desired situation would be one where our SCOM Management Group (in Azure) can receive alerts from multiple customers' SCOM Management Groups (which are not joined by an AD trust).

I know it is possible to add a Management Group from the SCOM console but am unsure of how SCOM can receive alerts without a domain trust in place.

thanks

Darren

February 12th, 2015 9:24pm

Hi Darren,

Based on my understanding, a trust is not required. You must add that management group to your console by entering SCOM Admin credentials and join both management groups, as in the screenshot below.

Also ensure that the SCOM server in the other domain is pingable and that your SCOM server is able to resolve its FQDN from your DNS server.

So for the above you will manually provide credentials for authentication rather than creating a trust.

February 13th, 2015 8:47am

Hi Gautam

Thanks for the reply. I'm going to test this all out in a lab now.

I also found this which pretty much nails what I want to do:

http://scug.be/dieter/2014/08/21/scom-connect-management-groups-between-on-prem-and-azure/

February 13th, 2015 12:46pm
