In a recent POC, I encountered a scenario where the customer did not allow u to join the Ops Manager server into the domain. This was the challenge put forth as we would have issues with mutual authentication.
Due to limitation of resources as well, we could not set up a Gateway Server.
After much hair loss, we performed the following solution.
The Concept
Create a certificate services environment to achive mutual authentication between the trusted and untrusted domain then install agents to get it monitored.
The Grind
We installed and setup Certificate Services on the Windows 2000 Active Directory Domain Controller (yes. the customer was using this so we had to simulate their environment). We then requested the server certificate and client certificate.
After which we used the MOMCertImport Tool to import the server certificate into the Management Server and the Client certificate into the monitored servers.
We then proceeded to install the Agents. DONE! Hooray!... wait... why isn't anything showing up on the Management Server?
After much more hair loss and loss of brain cells, we finally figured it out. What was missing was the Root Certificate.
So the following are the correct steps:
- Use MOMCertImport tool to import the Root Certificate and Server Certificate into the MS
- Use MOMCertImport tool to import the Root Certificate and Client Certificate into the Monitored server in the untrusted domain
- Install the Agent
Pooof!!! Monitored server appears in the Pending view.
Hope this helps you guys out there who are posed with the situation of monitoring in untrusted domains.