Tuesday, June 23, 2009

Monitoring SCVMM with OpsMgr between two separate forests without any trusts

Recently I bumped into this situation: Forest A with OpsMgr installed, Forest B without OpsMgr but with Hyper-V servers and SCVMM to administer these Hyper-V servers and their guests. A dedicated server in this forest is VMM.

Between these forests A and B no trust exists nor will there ever be. However, the administrators wanted to use SCVMM (Forest B) in conjunction with OpsMgr (Forest A) so the PRO-tips could be used.

However, the run-as account of VMM needs access to the OpsMgr Management Group (MG) and the OpsMgr Action Account needs VMM Admin access. Since there is not a full trust between both Forests this wasn’t going to work.

The only two options which remained were:

  1. Building a new OpsMgr Management Group in Forest B and use this MG together with the SCVMM MP for the PRO-tips. And use the OpsMgr MG in Forest A as a looking glass by using the option ‘Connected Management Groups’ in OpsMgr.
  2. Building an OpsMgr Gateway Server in Forest B and use this Gateway Server to monitor the Hyper-V hosts but not SCVMM nor using the PRO tips.

In the end, option 2 was chosen.

So whenever OpsMgr needs to work in conjunction with SCVMM, both solutions need to be in the same Forest or – when residing in different forests, a full trust between both Forests needs to be present. Otherwise it will not work.

No comments: