
problem with momadadmin in untrusted domain (with GW server runnin


Javier Saxo

Apr 17, 2008, 3:07:01 PM
Are there any specific considerations or additional configuration steps to
enable AD integration in an untrusted domain (where there already are Gateway
Servers running properly)?

After finishing setting up the gateway servers, I tried running momadadmin.exe in
the domain where the gateway servers reside, with what should be the correct
setup (domain admin account, running from a domain controller and using the
documented momadadmin syntax), but I am unable to create the containers, getting
the following error:

***
C:\Documents and Settings\xxxadmin\Desktop>momadadmin MyManagementGroup
domain\OpsMgrAdmins domain\MyRMS MYuntrustedDomain

Microsoft System Center Operations Manager 2007 -- MOM AD Configuration Tool
(C) Copyright 2000-2006 Microsoft Corp.


Unhandled Exception:
System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: A local error has occurred.
---> System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
--- End of inner exception stack trace ---
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Microsoft.EnterpriseManagement.Mom.Configuration.MomADAdmin.ConvertToLdapPath(String groupName, String domain, String searchString)
at Microsoft.EnterpriseManagement.Mom.Configuration.MomADAdmin.CreateManagementGroupContainer(String managementGroupName, String momAdmin, String runAsUser, String domain)
at Microsoft.EnterpriseManagement.Mom.Configuration.MomADAdmin.Main(String[] args)
***

Any suggestions? Thanks in advance.

Rob Kuehfus [MSFT]

Apr 18, 2008, 6:10:24 PM
Instead of this -

C:\Documents and Settings\xxxadmin\Desktop>momadadmin MyManagementGroup
domain\OpsMgrAdmins domain\MyRMS MYuntrustedDomain

Try this -

Create a service account in the untrusted domain, e.g. MOMADMIN.

Create a group like "OpsMgrAdmins" - the tool expects a group.

C:\Documents and Settings\xxxadmin\Desktop>momadadmin MyManagementGroup
MYuntrustedDomain\OpsMgrAdmins untrustedDomain\MOMADMIN MYuntrustedDomain

Create a new RunAsAccount of type Windows, specifying the user credentials
as above.

Create a new RunAsProfile "untrustedDomain AD Integration Profile".

Set up your AgentAssignment Rule for your Gateway server, specifying the
domain name untrustedDomain, and ticking the box to select the RunAs Profile
that you have just created.

Hope this helps!!!


--

Rob Kuehfus
System Center Operations Manager

-------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
-------------------------


"Javier Saxo" <Javie...@discussions.microsoft.com> wrote in message
news:568C1036-BDB4-4977...@microsoft.com...

Javier Saxo

Apr 25, 2008, 4:31:01 AM
Thanks, this did the job :-)

Javier Saxo

Apr 25, 2008, 7:30:00 AM
Actually, I missed part of my reply...

I have been able to create the container(s).

Now the following questions:

- in the run as profile, shall I add the created run as account?
- should the target computers for the run as profile be my gateway servers,
or something else?

Think that's all for now :-)

Thanks

Lincoln Atkinson [MSFT]

Apr 25, 2008, 12:49:09 PM
Yes, you must use this new runas account you created. You need to create a
runas profile which targets this account to your RMS (NOT the gateway, which is
admittedly kind of confusing; this is a common mistake which is easy to
make), then use that profile in your AD Integration rule.


Javier Saxo

May 8, 2008, 3:22:02 AM
Hi again,

You previously explained: "Set up your AgentAssignment Rule for your Gateway
server, specifying the domain name untrustedDomain, and ticking the box to
select the RunAs Profile that you have just created."

I have done so, and to make sure I see the changes quickly, I modified the "AD
rule for domain" to run every 60 seconds, but so far I cannot see the new
groups being created in the target domain...

So I am wondering where to look for errors or any information that can point
to the problem.

Thanks!

Lincoln Atkinson [MSFT]

May 8, 2008, 12:52:01 PM
The Ops Mgr event log should show errors if this is not working, with some
explanation of the problem. Do you see any? If so please provide them to
help diagnose the problem.

Javier Saxo

May 9, 2008, 2:00:01 AM
My gateway server has this warning repeatedly in the Operations Manager event
log:

***
Event Type: Warning
Event Source: Health Service Script
Event Category: None
Event ID: 6028
Date: 5/9/2008
Time: 5:22:51 AM
User: N/A
Computer: GW1
Description:
DiscoverHealthServiceCommunicationRelationships.js :
HealthServiceCommuncation relationship discovery for HealthServices
configured via AD Integration
Could not find "HKLM\SOFTWARE\Microsoft\Microsoft Operations
Manager\3.0\Agent Management Groups\cphprod01\AD Cache\Primary SCP
Info\Service DNS Name"
The HealthService needs at least a primary management server to communicate.
This may indicate that the following:
* HealthService has not queried and cached the AD SCPs yet
* HealthService doesn't have access to any SCPs, yet is configured for AD
Integration
Match results: undefined

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
***

Now the interesting thing is that I don't have this registry key on my internal
Management Servers, which are also AD enabled and working properly so far.

My RMS also has this Warning:

***
Event Type: Warning
Event Source: Health Service Modules
Event Category: None
Event ID: 11701
Date: 5/9/2008
Time: 5:53:53 AM
User: N/A
Computer: SYSSCOMRMS1-S5
Description:
Error calling ADsOpenObject in LDAP probe module

Object: LDAP://dmz.dom Provider: LDAP Provider Error string: Error code: 0
HRESULT: 0x8007203a HRESULT Details: The server is not operational.

One or more workflows were affected by this.

Workflow name: DMZ_GW1.dom
Instance name: sysscomrms1-s5.mid.dom
Instance ID: {2BE6900B-C584-E222-5BFC-6730823332CB}
Management group: CPHPROD01

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
***
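An added troubleshooting script (not from this thread, not a Microsoft tool) that checks the two symptoms reported in the events above from the affected box: the missing AD cache registry value under the management group key (event 6028 on the gateway) and the LDAP bind to the untrusted domain that the LDAP probe module fails with 0x8007203a (event 11701 on the RMS). It assumes the management group name and the untrusted domain are passed as parameters, that the RunAs credentials are supplied as a PSCredential, and that momadadmin creates a container named after the management group (an assumption; adjust the search filter if your container differs).

```powershell
# Added diagnostic, not from the thread. Run on the gateway for check 1,
# on the RMS for checks 2-4. Parameter names and values are assumptions.
param(
    [Parameter(Mandatory=$true)][string]$ManagementGroup,  # e.g. cphprod01
    [Parameter(Mandatory=$true)][string]$UntrustedDomain,  # e.g. dmz.dom
    [System.Management.Automation.PSCredential]$Credential # AD Integration RunAs account
)

# 1. Gateway side: the AD cache value that event 6028 reports as missing.
$cacheKey = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\$ManagementGroup\AD Cache\Primary SCP Info"
if (Test-Path $cacheKey) {
    $scp = (Get-ItemProperty -Path $cacheKey).'Service DNS Name'
    Write-Output "AD cache present: primary SCP = $scp"
} else {
    Write-Output "AD cache missing ($cacheKey): HealthService has not cached any SCP yet"
}

# 2. Name resolution: 0x8007203a (server is not operational) usually means the
#    RMS cannot resolve or reach a domain controller for the untrusted domain.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($UntrustedDomain) | ForEach-Object { $_.IPAddressToString }
    Write-Output "DNS: $UntrustedDomain -> $($addrs -join ', ')"
} catch {
    Write-Output "DNS: cannot resolve $UntrustedDomain : $($_.Exception.Message)"
    return
}

# 3. LDAP bind with the RunAs credentials, the same bind the LDAP probe performs.
$path = "LDAP://$UntrustedDomain"
if ($Credential) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
} else {
    $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
}
try {
    $entry.RefreshCache()   # forces the bind so a failure surfaces here
    Write-Output "LDAP bind OK: $($entry.Properties['distinguishedName'][0])"
} catch {
    Write-Output "LDAP bind failed: $($_.Exception.Message)"
    return
}

# 4. Look for the management group container momadadmin should have created.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter = "(&(objectClass=container)(cn=$ManagementGroup))"
$hit = $searcher.FindOne()
if ($hit) { Write-Output "Found container: $($hit.Path)" }
else      { Write-Output "No container named $ManagementGroup found in $UntrustedDomain" }
```

If check 3 fails with the RunAs credentials but succeeds with an interactive domain admin account, the RunAs account or its profile targeting (RMS, not gateway, as noted above) is the thing to revisit.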
