systemcentercommunity
Your community resource for Microsoft's System Center family of products

AD integrated agents and child domains

Latest post 09-04-2008 12:01 AM by youngy. 4 replies.
  • 08-13-2008 8:40 PM

    AD integrated agents and child domains

     Hi Everyone,

    I am hoping someone has experience with this setup so that I have some insights into how to get it to work. Basically I have a domain parent.com that has been set up to use AD integrated agents and everything is working well as far as agents getting their configuration from AD.

    This domain contains an RMS server and two MS servers as well as a SQL back end server. So Ops Manager 2007 across four boxes basically.

    Recently a new domain was created child.parent.com and I am hoping to set up the agents in this child domain to get their config from AD and talk to the MS servers in the parent domain.

    Is this difficult to achieve? What are the pitfalls?

  • 08-14-2008 8:58 AM In reply to

    Re: AD integrated agents and child domains

    Not difficult at all. Have you run the MOMAdAdmin tool in the child domains? The tool writes the container to the domain partition in the AD, so that will be a requirement.

     

    Regards, Pete Zerger, MCSE (Messaging) | MOM MVP | pete.zerger AT gmail.com | Websites: http://systemcenterforum.org OpsMgr Training: http://systemcenterforum.org/training
  • 08-14-2008 8:00 PM In reply to

    Re: AD integrated agents and child domains

     I have not run MOMAdAdmin in the child domain as yet. When I do will it need to be any different than that run in the parent domain?

  • 08-20-2008 2:14 AM In reply to

    Re: AD integrated agents and child domains

     Hi,

    I have attempted to run momadadmin.exe in the child domain. I got access denied when I tried to run the command. I was using the same variables as I did in the parent domain.

    I'm assuming that I want the same details in the child domain AD so that agents in the child domain will connect to the MS servers etc in the parent domain.

    Do you need to run the command as an enterprise admin of the parent domain?

     

  • 09-04-2008 12:01 AM In reply to

    Re: AD integrated agents and child domains

     Hi everyone,

    Well, AD integration in the parent domain was not difficult. But I have to say the child domain is proving to be more complex than the one-liners that the MS documentation contains. I have a case open with MS at the moment and this is the last thing we tried:

    1.       Created an Account in Child domain - blah.child.com
    2.       Provided Domain admin Rights
    3.       Added the Parent domain scom group... to the Admin group of child domain
    4.       Added the RMS server action account to the Admin group of Child Domain
    5.       Added the account in the Run as Accounts (Windows) within scom
    6.       Created a Run As profile for the account and Mapped to Child Domain
    7.       Added the RMS server to the same account of Child domain (Run As Accounts)
    8.       In Configure Active Directory AD Integration Added the Child domain with an option "Use Different Account to perform agent assignment in the specific Domain"
    9.       Pointed to Child domain - Domain select list
    10.   Select * from the list in the inclusion criteria clicked on okay
    11.   Restarted the SDK service

     I have to say that so far the above has only created issues and errors from the health service in the child domain. I have basically undone the above as much as possible and have set all agents in the child domain not to use AD integration. I am beginning to think that this is not quite as easy as some believe.

     It did allow me to create an OU in the child domain with an SCP. But the agents in the child domain using AD integration obviously did not pick up anything from AD from what I have seen.

    Anyone got any real details on how to do this?
