Cannot use the push installation method to install the Microsoft Operations Manager 2005 agent on domain controllers in untrusted domains (883348)


The information in this article applies to:

  • Microsoft Operations Manager 2005

SYMPTOMS

When you try to use the push installation method to install the Microsoft Operations Manager (MOM) 2005 agent on a domain controller in an untrusted domain, the agent appears to be successfully installed on the remote domain controller. However, the MOM 2005 agent appears in the Pending Actions group on the MOM 2005 server and the MOM 2005 agent status is changed to Approve manual agent installation.

CAUSE

This behavior occurs because using the push installing method to install the MOM 2005 agent on domain controllers in a untrusted domain is not supported in MOM 2005.

To manage a domain controller in an untrusted domain, you must manually install the MOM 2005 agent. However, you can use the push installation method to install MOM 2005 agents on member servers in untrusted domains.

WORKAROUND

To work around this problem, you must manually install the MOM 2005 agent on the domain controller in the untrusted domain. Before you can successfully install the MOM 2005 agent on a domain controller, you may have to configure correct name resolution and modify the computer discovery rules based on one of the following scenarios:
  • For Microsoft Windows Server 2003-based and Microsoft Windows 2000 Server-based domain controllers, you must modify the TCP/IP properties on the domain controller's network adaptor before you install the MOM agent if the following conditions are true:
    • The Windows Server 2003-based and Windows 2000 Server-based domain controllers are in an untrusted domain.
    • The Windows Server 2003-based and Windows 2000 Server-based domain controllers do not have name resolution configured.
    To modify the TCP/IP properties on the domain controller's network adaptor, use the appropriate method.

    Windows Server 2003 domain controller

    1. On the Windows Server 2003-based domain controller, click Start, point to Control Panel, point to Network Connections, right-click the local area connection that is used to communicate with the domain where the MOM Management Server resides, and then click Properties.
    2. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
    3. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
    4. On the DNS tab, click Add under DNS server addresses, in order of use, and then add the IP address of the DNS server that provides name resolution for the domain where the MOM Management Server resides. Under For resolution of unqualified names:, click Append these DNS suffixes (in order), click Add, and then add the domain suffix of the untrusted domain in the TCP/IP Domain Suffix dialog box. For example, type example.com.
    5. Click Add, and then click OK until all the dialog boxes are closed.
    6. To verify this change, click Start on the domain controller, click Run, type cmd, and then click OK.
    7. At the command prompt, type ipconfig /all, and then press ENTER. Make sure that the DNS server and the domain suffix of the domain where the MOM Management Server resides is listed.

    Windows 2000 Server domain controller

    1. On the Windows 2000-based computer that is acting as the domain controller, click Start, point to Network and Dial-up Connections, right-click the local area connection that is used to communicate with the domain where the MOM Management Server resides, and then click Properties.
    2. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
    3. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
    4. On the DNS tab, click Add under DNS server addresses, in order of use, and then add the IP address of the DNS server that provides name resolution for the domain where the MOM Management server resides. Click Append these DNS suffixes (in order), click Add, and then add the domain suffix of the untrusted domain in the TCP/IP Domain Suffix dialog box. For example, type example.com.
    5. Click Add, and then click OK until all the dialog boxes are closed.
    6. To verify this change, click Start on the domain controller, click Run, type cmd, and then click OK.
    7. At the command prompt, type ipconfig /all, and then press ENTER. Make sure that the DNS server and the domain suffix of the domain where the MOM Management Server resides is listed.
  • For domain controllers in an untrusted domain that already have DNS name resolution configured, you have to manually update the Computer Discovery rule to include domain controllers to make sure that computer grouping is correct. To do this, follow these steps:
    1. Click Start, point to All Programs, point to Microsoft Operations Manager 2005, and then click Administrator Console.
    2. In the MOM 2005 Administrator console, expand Microsoft Operations Manager (name of your MOM Management Server), expand Administration, expand Computers, and then click Computer Discovery Rules.
    3. In the right pane of the MOM 2005 Administrators console, right-click the rule that you want to modify, and then click Properties.
    4. In the Computer discovery Rule dialog box, click to select the Apply query criteria to domain controllers check box, and then click OK.

STATUS

This behavior is by design.

MORE INFORMATION

For more information about configuring name resolution across forests, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/mtfstwp.mspx#XSLTsection128121120120

Modification Type:MinorLast Reviewed:6/13/2005
Keywords:kbtshoot kbprb KB883348 kbAudITPRO kbAudEndUser
©2004 Microsoft Corporation. All rights reserved.