Thursday, April 3, 2008

And what about SCOM in multiple forests: design SCOM in multiple forests


I have posted a good number of posts about SCCM in multiple forests; it looks like I have given away all of the required info. I'm not sure if I missed something, but if I recall anything I will post it.


SCOM deployment across forests is very easy, easier than SCCM. You have two options: either allow the agents to talk directly to the RMS/MS servers, or deploy an OpsMgr gateway in the remote forest. Based on my reading, here are the factors that control your decision:

- If you have a small number of agents with acceptable bandwidth and network connectivity, I would allow them to connect directly to the SCOM server.

- If you have a large number of servers, or only WAN connectivity, I would deploy a gateway (GW) in the other forest. Check and Google the top 10 benefits of using GW servers: data is compressed better, there is less administrative overhead, etc.

In both cases you will need a CA around; you cannot use self-signed certificates. An enterprise or standard certificate will do the job. Once the certificates are in place and configured, communication will flow smoothly. Here are a few tips:

- You will need to import and configure a certificate on the RMS/MS server in the original forest as well, and import it using the certificate import utility. This is not clear in the documentation, and people don't pay attention to this point.

- You don't need a trust in place between the forests.

- In the other forest, where the GW is installed, you don't need certificates for the agents as long as the servers are joined to that forest; the agents will communicate with the GW using mutual authentication, and GW-to-RMS communication will be secured using certificates.

- Note that the AD MP will not work across forests.
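As an added check that is not from the original post: before handing a certificate to the certificate import utility on the RMS/MS or on the gateway, this PowerShell script lists every certificate in the machine store together with the reasons it would be rejected. It assumes PowerShell 3.0 or later and the documented OpsMgr certificate requirements (subject is the server FQDN, Server Authentication and Client Authentication EKUs, Digital Signature and Key Encipherment key usage, and a chain to a trusted CA rather than a self-signed cert); the function and parameter names are my own.

```powershell
# Added pre-check (not from the original post): find certificates in the local
# machine store that do not meet the OpsMgr gateway/RMS certificate requirements.
# Assumes PowerShell 3.0+ and that $ServerFqdn is this server's FQDN.
param(
    [string]$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (needed for mutual auth)
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Subject must be the server FQDN so the peer can match the name.
    if ($Cert.Subject -notmatch "CN=$([regex]::Escape($ServerFqdn))(,|$)") {
        $problems += "subject '$($Cert.Subject)' is not CN=$ServerFqdn"
    }
    # A public certificate without its private key cannot authenticate.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }

    # Both EKUs are required: RMS/MS and gateway each act as server and client.
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $serverAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($oids -notcontains $clientAuthOid) { $problems += 'missing Client Authentication EKU' }

    # Key usage must allow Digital Signature and Key Encipherment.
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku -or -not $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature) -or
        -not $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment)) {
        $problems += 'key usage lacks Digital Signature and/or Key Encipherment'
    }

    # The issuing CA must be trusted locally; self-signed certificates are rejected.
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'certificate is self-signed' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root: $status"
    }

    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; Problems = $problems }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate $_ } |
    Format-List Thumbprint, Subject, Problems
```

Run it on the RMS/MS in the home forest and on the gateway in the remote forest; a certificate with an empty Problems list is the one to import.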

These are the major points I wanted to highlight. I will start posting about transitioning from SMS to SCCM soon, so keep reading :)
