RM server in untrusted domain

Hello,
my setup is as follows:
TFS in DOMAIN1
RM Server in DOMAIN2 (totally separate/untrusted from DOMAIN1)
RM Server is connected to TFS using DOMAIN1\RMService account, everything seems to work fine, Make requests on behalf of others granted
RM Client connected to RM Server using DOMAIN2\michael, everything seems to work fine
However: List of build definitions is empty. And there is below message in event log.
It is pretty self-explanatory. RMServer tries to perform operation as DOMAIN2\michael identity which is unknown to TFS (of course). There is shadow account DOMAIN1\michael on TFS but this does not help either.
Is there any workaround? Disable impersonation? Create some fake account? Whatever.... Or is this totally unsupported scenario?
User DOMAIN2\michael does not have access to http://mjnew.cloudapp.net:8080/tfs/DefaultCollection:
at Microsoft.TeamFoundation.Release.Platform.Common.TfsOnPremConnector.GetTfsUserIdentity(Uri tfsUri, String serviceUserName, String serviceUserPassword, String impersonatingUserName)
at Microsoft.TeamFoundation.Release.Platform.Common.TfsOnPremConnector.GetTeamProjectCollectionWithImpersonation(Uri tfsUri, String serviceUserName, String serviceUserPassword, String impersonatingUserName)
at Microsoft.TeamFoundation.Release.Builds.TfsOnPrem.TfsOnPremBuildSystem.<GetTeamProjects>d__6.MoveNext()

Hi Michael,  
Thanks for your post.
Please create two shadow accounts with the same password in your Domain1 and Domain2 separately, like Domain1\michael and Domain2\michael, then add this Domain1\michael as the admin in your TFS Server, and add this Domain2\michael as the Service User
and Release Manager User in your RM Server, then add your TFS collection in RM Client>>Administrator>>Manage TFS>>New, using this Domain1\michael account as the
Connect As user to add your TFS collection.
And you can install the RM Client and RM Server in Domain1, but install the Deployment Agent in Domain2 to perform the deployment, you can refer to the solution in below article and post:
https://support.microsoft.com/en-us/kb/2905742/
https://social.msdn.microsoft.com/Forums/vstudio/en-US/771714f1-bb65-478b-9ad1-490a30a574f7/getting-inrelease-deployer-http-401-and-client-http403?forum=tfsbuild

Similar Messages

  • SQL Server Protection untrusted domain

    DPM 2012 R2 on Server 2008R2
    SQL Server:  2008 R2 running SQL 2008R2 in untrusted domain
    Configured environment as Untrusted - local User and agent is communicating with SQL Server.
    Configured protection group and saw all the DB's.  Initially about 1/2 the DB's went to OK but with no recover point and then all went to replica inconsistent. 
    I have configured the local account with local administrator as well as SYSADMIN rights on the SQL application with no luck.  Interesting is on the SQL Server I get App Log events for 1) I/O frozen on DB, 2) I/O resumed, 3) database backed up. 
    I also get System event logs for Software Shadow Copy Provider starting and stopping but I'm getting no data transferred to the DPM server.
    Ideas?

    Fixed:
    Added port 3718 from protected system to DPM on firewall. MS document does not give connection direction so I initially assumed 5718/5719 to be only towards the protected system.

  • Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

    Hi there,
    I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
    instances.
    A domain account "Domain\Login" is administrator on both physical nodes and "sysadmin" on both SQL Server instances.
    Currently both instances are running on same node.
    While logging on to SQL Server instance 2 thru "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past
    as well, but the issue was resolved after installation of SQL Server 2008 R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
    Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
    Please help resolve the issue.
    Thanks,
    AY

    Hello,
    I confirm that I encountered the same problem when the first domain controller was down!
    During a restart of the first domain controller, I tried to fail over my SQL Server instance to a second node; after that I was able to authenticate with a SQL Server login, but a Windows login returned error 18452!
    When the first DC finished restarting, everything was OK!
    The question here: why doesn't the cluster instance use the second DC?
    Best Regards     
    J.K

  • SQL server(PC1) --- PC2: Login failed. The login is from untrusted domain and cannot be used with windows authentication

    Hey,
    I want to make a connection from my laptop (xxx.xxx.xxx.xxx = A) to a fixed computer (SQL server xxx.xxx.xxx.xxx = B). My connection string = "Provider=SQLNCLI11; Data source:name-pc/SQLEXPRESS; Integrated circuit=SSPI;Intial Catalog=Database name" for Visual
    Studio C#.
    Laptop -> PC1: Error
    It works when I use localhost or 127.0.0.1, and I can read my database without any problems if I install SQL Server on my laptop. Now I install it on PC1 and uninstall it on my laptop. When I change the name-pc to an IP address I get this error: Login failed.
    The login is from untrusted domain and cannot be used with windows authentication. I did some research on multiple forums where they talk about Local Security Policy (secpol.exe), but I don't have this file.
    PC2 -> PC3: works fine, but I want to work with my laptop and I don't understand why it isn't working with my laptop.
    Can someone help me?
    Thanks a lot, and sorry about my English (it's a disaster)
    Thibaut

    Hello,
    Yes, for the Windows Authentication to work you should be using the same Windows account and password.
    Are you willing to create SQL logins inside SQL Server and allow your users to connect to SQL Server using SQL Authentication
    instead of Windows Authentication? That could be a solution on a workgroup network.
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

    Hello!
    Scenario
    Built a single primary site server in one domain with multiple distribution points. All site servers are members of this one site.
    The distribution points in the primary site servers' domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and CCM client on the
    DP in the untrusted domain knows it's part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. Unfortunately authentication
    errors indicate that this software can't be downloaded.
    In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
    Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
    implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
    Problem
    The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
    The account does exist, created in the primary site server's domain and assigned to the site. It's not a password issue. IIS has not been set for Anonymous access as this isn't needed; the NAA should provide the credentials it requires to pull down content.
    A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (I think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
    were reinstalled. A fresh install didn't detect the NAA.
    Solution
    After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
    the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
    Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
    domains aren't approved automatically (by default).
    In this case something as simple as approving the client fixed these issues.
    The DataTransferService.log highlights the issue:
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
    context="" type="1" thread="3136" file="dtsjob.cpp:3501">
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68'
    ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
    <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
    context="" type="3" thread="3136" file="dtsjob.cpp:3513">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
    file="dtsjob.h:166">
    <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job
    {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService"
    context="" type="2" thread="3136" file="dtsjob.cpp:3652">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688"
    file="dtsjob.cpp:3205">
    <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1"
    thread="3136" file="netaccessaccount.cpp:288">
    <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context=""
    type="1" thread="3136" file="netaccessaccount.cpp:858">
    <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account
    (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
    The IIS server logs u_ex150219.log captures the request:
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
    401 2 5 1509 2
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
    401 1 3221225581 1509 4
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm /windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 -
    401 1 3221225581 1509 3
    2 x Domains: DomainA and DomainX
    - Single domain forests
    - No trusts between domains/forests
    DomainA\PRIMARYSERVER
    - Primary Site Server, MP, DP, IIS, all roles
    DomainX\DP1
    - Distribution Point, IIS, etc
    - CCM client installed

    Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
    Jason | http://blog.configmgrftw.com | @jasonsandys
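    The log excerpt above carries the whole story (anonymous BITS GET rejected with 401, fallback to the Network Access Account, NAA not defined on the client), but the codes are easy to misread. The following triage script is an added example, not from the post or from Configuration Manager: it parses CMTrace-style records and W3C IIS lines, decodes the status codes, and states the verdict. All sample log lines are constructed for this example (job IDs, package ID and addresses are placeholders modelled on the excerpt); the decoder also covers the SSPI codes quoted in the SQL Server and ACS threads on this page.

```python
"""Triage the Pull DP 'network access account is not defined' pattern.

Parses CMTrace records from DataTransferService.log and W3C lines from the
IIS log, decodes the status codes, and reports whether the sequence matches:
anonymous BITS GET -> 401 -> retry with NAA -> NAA not defined on the client.
All sample records below are constructed for this example.
"""
import re
from collections import namedtuple

# One CMTrace record: <![LOG[message]LOG]!><time=".." date=".." component=".."
# context=".." type="N" thread="N" file="..">   type: 1=info 2=warning 3=error
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" '
    r'type="(?P<type>\d)" thread="\d+" file="(?P<file>[^"]*)">',
    re.DOTALL,  # a message may wrap onto a second line
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
CmEntry = namedtuple("CmEntry", "date time component severity message")

# Codes seen in this scenario and in the other threads on this page.
KNOWN_CODES = {
    0x00000005: "ERROR_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE (unknown account or bad password)",
    0x8009030C: "SEC_E_LOGON_DENIED (SSPI handshake rejected the logon)",
    0x80090325: "SEC_E_UNTRUSTED_ROOT (certificate chain not trusted)",
}
IIS_401_SUBSTATUS = {"1": "401.1 logon failed",
                     "2": "401.2 denied by server configuration",
                     "3": "401.3 denied by ACL on the resource"}


def parse_cmtrace(text):
    """Return a CmEntry for every <![LOG[...]LOG]!> record in text."""
    return [CmEntry(m["date"], m["time"], m["component"],
                    SEVERITY.get(m["type"], m["type"]),
                    " ".join(m["message"].split()))  # unwrap wrapped text
            for m in CMTRACE_RE.finditer(text)]


def decode_code(code):
    """Explain an HRESULT / NTSTATUS / Win32 value as a short string."""
    # BITS reports HTTP failures as 0x80190000 + HTTP status (BG_E_HTTP_ERROR_*).
    if 0x80190000 <= code <= 0x801903FF:
        return "BITS HTTP error %d" % (code - 0x80190000)
    return KNOWN_CODES.get(code, "unrecognised 0x%08X" % code)


def parse_iis_w3c(text):
    """Parse a W3C extended log that carries a #Fields header into dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def triage(dts_text, iis_text):
    """Return findings; the last one is a verdict when the pattern matches."""
    findings, entries = [], parse_cmtrace(dts_text)
    for e in entries:
        m = re.search(r"ErrorCode=0x([0-9A-Fa-f]{8})", e.message)
        if m:
            findings.append("DTS %s: %s" % (e.severity,
                                            decode_code(int(m.group(1), 16))))
    messages = [e.message for e in entries]
    naa_retry = any("Will retry using Network Access Account" in m for m in messages)
    naa_missing = any("network access account is not defined" in m for m in messages)
    for row in parse_iis_w3c(iis_text):
        if row.get("sc-status") == "401":
            sub = IIS_401_SUBSTATUS.get(row.get("sc-substatus"), "401.?")
            win32 = decode_code(int(row.get("sc-win32-status", "0")))
            findings.append("IIS %s from %s: %s, win32=%s"
                            % (row["cs-uri-stem"], row["c-ip"], sub, win32))
    if naa_retry and naa_missing:
        findings.append("VERDICT: the content server rejected the anonymous BITS request "
                        "and the client holds no NAA; check that the client is approved in "
                        "the console (clients in untrusted domains are not auto-approved)")
    return findings


# Constructed sample records, modelled on the excerpt in the post.
SAMPLE_DTS_LOG = """\
<![LOG[CDTSJob::JobError: DTS Job ID='{JOB-1}' BITS Job ID='{BITS-1}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3501">
<![LOG[DTS job {JOB-1} BITS job
{BITS-1} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="2" thread="3136" file="dtsjob.cpp:3652">
<![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:288">
<![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">
"""
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-02-19 18:25:54 192.0.2.10 GET /SMS_DP_SMSPKG$/PKG-1/sccm/windows6.1-kb3021917-x64.cab - 80 - 192.0.2.20 Microsoft+BITS/7.7 - 401 2 5 2
2015-02-19 18:25:54 192.0.2.10 GET /SMS_DP_SMSPKG$/PKG-1/sccm/windows6.1-kb3021917-x64.cab - 80 - 192.0.2.20 Microsoft+BITS/7.7 - 401 1 3221225581 4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_DTS_LOG, SAMPLE_IIS_LOG):
        print(finding)
```

Point it at a real DataTransferService.log and u_ex*.log by reading the files into the two text arguments; the field list is taken from the IIS #Fields header, so a different logging field selection still parses.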

  • DPM 2012 - Protect Exchange 2007 in untrusted domain (either via Creds or Certificates)

    Hi,
    I am trying to protect an Exchange 2007 Server which is in an untrusted domain.
    I have tried using both credentials (isNonDomainServer) and via Certificates and have no joy.  Both methods work in terms of getting the agent installed and communicating with DPM.  The agent shows OK in the console and I can browse
    fine when creating a new PG.
    The problem I have is that "All Exchange Storage Groups" is not available as a selection to backup, obviously neither are any of the information stores.
    First question, is backup of Exchange supported in an untrusted domain?  This says it is:  http://technet.microsoft.com/en-us/library/hh757801.aspx  but I read conflicting advice elsewhere.
    Second question, this is the biggie - any ideas on how to get Exchange visible as a selection?
    So far I have:
    Confirmed that LCR is not configured (I am not sure if it *was* at some point though, because there is a disk on the server labelled LCR)
    Checked in the DPM agent directory locally and I can see that ExchangeCmdletsWrapperCurr.errlog is created and/or updated when I expand the server name on the DPM server and the server and information stores are listed in the file.  This tells me communication
    is fine, and that the DPM agent on the exchange server can "see" exchange
    Checked the Exchange VSS writer and it is listed and in a healthy state
    Thanks!

    Upgraded to System Centre 2012 R2 and no difference. I am assuming that it's a compatibility\support issue, i.e. it's not supported. The documentation says otherwise, but it's confusing to say the least.
    d

  • SCCM MP Account from accessing across untrusted domain

    Hi,
    I am wondering if anyone has any suggestion on how to set up the MP connection account from an MP in an untrusted domain (DMZ) to the site server. I tried to create a user account in the domain where the SCCM primary site exists and configured that account for the MP to use, but
    unfortunately I am getting following error..
      *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    I have not tried using SQL replica yet but I thought if account works then I would refrain from using SQL replica.
    Thanks,

    ** Resolved **
    Instead of using DOMAIN\USER, I created a local account on the site server and assigned EXECUTE right to the DB. It's now communicating from the DMZ without any problem...

  • JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    I'm trying to create a proxy/delegate class that can be used by clients to
    transparently access a server.
    The class should be usable from clients within WLS containers and from
    regular java apps.
    Using JNDI authentication everything works fine.
    Using JAAS I'm having a problem when my client is an EJB app in an untrusted
    WLS domain. When the login is requested the following error is occurring:
    <ServerIdentity failed validation, downgrading to anonymous.>
    I want to be able to do a JAAS login to a non-trusted domain. I'm assuming
    that the server is trying to pass the subject who is logged into the current
    container, and my call to LoginContext.login()
    Any thoughts?
    //Example of code
    loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    loginContext.login();
    final Subject subject = loginContext.getSubject();
    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                weblogic.security.Security.runAs(subject,
                    new PrivilegedExceptionAction() {
                        public Object run() throws Exception {
                            //do operation on instance
                            return null; // placeholder; the posted fragment ends here
                        }
                    });
                return null; // placeholder; the posted fragment ends here
            }
        });

    Then I'd start talking to BEA support to see if they even know how to do
    this.
    Without the trust relationship I'm not sure if you can achieve what you
    want.
    Dejan
    Mark Fine wrote:
    This is exactly what I am doing.
    Implicitly there is a security context within the session bean (the user
    logs in via the web app and context is propagated). I obtain a LoginContext
    to the other server and call the method within that context.
    It doesn't work because it is implicitly passing the security context of the
    session bean and failing due to lack of trust.
    //Example of code
    loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    loginContext.login();
    final Subject subject = loginContext.getSubject();
    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                weblogic.security.Security.runAs(subject,
                    new PrivilegedExceptionAction() {
                        public Object run() throws Exception {
                            //do operation on instance
                            return null; // placeholder; the posted fragment ends here
                        }
                    });
                return null; // placeholder; the posted fragment ends here
            }
        });
    "Deyan D. Bektchiev" <[email protected]> wrote in message
    news:[email protected]...
    In that case you should be able to get the two different Subjects from
    the two different domains (return a different url from the URLCallback
    when you login with JAAS), and afterwards use
    weblogic.security.Security.doAs(...);
    with the correct Subject for the appropriate server when you access the
    servers.
    HTH,
    --dejan
    Mark Fine wrote:
    Thanks, but I think the content was miscommunicated. Everything works
    fine
    when the domains are "trusted". I want to know how to have "untrusted"
    domains talk to each other through explicit logins.
    i.e. imagine an application on a domain in a finance department. What if
    they are trusted against other domains and can't / don't want to
    establish
    trust with your domain. They just need access to one particular service
    you
    expose.
    Thanks,
    m
    "Deyan D. Bektchiev" <[email protected]> wrote in message
    news:[email protected]...
    Hi Mark,
    You should first establish a trust relationship between your Weblogic
    servers:
    http://e-docs.bea.com/wls/docs70/secmanage/domain.html#1171534
    Then you can use JAAS to authenticate and get valid Subjects for the two
    users.
    --dejan

  • Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

    Hello,
    I have gone through a couple of posts regarding this issue but couldn't get the right solution. Could you please help with what exactly we are missing here?
    Details:
    1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
    2) Both instances are configured to accept SQL+ Windows authentication.
    3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    Note: (Being a sys + windows admin I'm able to connect both the instances from same client machine without
    any issues)
    4) Also, we observed following error in windows application event log,
     SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
    The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
    5) If we create SQL login it is working fine without any issues.
    Could someone guide/help  me identifying and fixing this issue.
    Thank you

    Hello,
    Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
    Could you try to delete one of the Windows logins that fail to log in, and try to recreate it?
    The following resources may help:
    http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
    http://support.microsoft.com/kb/555332
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • Management Servers in untrusted domains

    Hi,
    I am planning a deployment of SCOM 2012 R2 and have several questions regarding the appropriate placement of management and gateway servers.
    The environment has multiple untrusted domains and I need to monitor both Windows and Linux computers on both sides of the firewall. The main domain has 1500 Windows computers and 1300 Linux computers. The untrusted domain has 250 Windows servers and
    450 Linux servers.
    It is understandable that gateway servers are utilized to communicate across the firewall.
    The questions are:
    1. Is it possible to locate one or more management servers in the untrusted domain for the Linux servers and another management server to work with the Windows servers and have those management servers in the untrusted domain communicate through the firewall
    via gateway servers to the databases in the main domain?
    2. If it is not possible to have management servers in the untrusted domain communicate via the gateways; how many gateways would be required to relay to the management servers in the main domains management group?
    3. With the number of Linux servers in the untrusted domain is it better to install a separate management group there?
    Thanks for any advice in dealing with the above scenario.
    --SG

    Hi There,
    Microsoft recommends that you place all the management servers in the same data center, so if one goes down the others come to know about it as soon as possible.
    If you place one in another location then failover may happen late.
    Also you have mentioned placing the management servers in another domain, which is possible, but you need to have the trust and permission stuff in place, which is very hectic work.
    So I would suggest you place gateways, as that will help with compression if the network bandwidth is low between the domains and sites.
    And based on MS's sizing and management options, a gateway server can manage 100 Unix boxes for a dedicated gateway server, and 500 per management server in the same domain.
    So based on your situation as below:
    1300 Linux - Same domain
    450 - Different domain
    3 Management servers for the main domain for dedicated Linux
    1 MS For Windows Agent monitoring.
    Totally 4 in a management group for the same domain one.
    1 separate management group with 1 MS will be fine for dedicated Linux monitoring for the 450 servers in the other domain.
    If you still want to place gateways then you will need to place 5 gateway servers, which is difficult to manage.
    Operations Manager supports the following number of monitored items (monitored item: recommended limit).
    Simultaneous Operations consoles: 50
    Agent-monitored computers reporting to a management server: 3,000
    Agent-monitored computers reporting to a gateway server: 2,000
    Agentless Exception Monitored (AEM) computers per dedicated management server: 25,000
    Agentless Exception Monitored (AEM) computers per management group: 100,000
    Collective client monitored computers per management server: 2,500
    Management servers per agent for multihoming: 4
    Agentless-managed computers per management server: 10
    Agentless-managed computers per management group: 60
    Agent-managed and UNIX or Linux computers per management group: 6,000 (with 50 open consoles); 15,000 (with 25 open consoles)
    UNIX or Linux computers per dedicated management server: 500
    UNIX or Linux computers monitored per dedicated gateway server: 100
    Network devices managed by a resource pool with three or more management servers: 1,000
    Network devices managed by two resource pools: 2,000
    Agents for Application Performance Monitoring (APM): 700
    Applications for Application Performance Monitoring (APM): 400
    URLs monitored per dedicated management server: 3,000
    URLs monitored per dedicated management group: 12,000
    URLs monitored per agent: 50
    Refer to the link below for the management details: https://technet.microsoft.com/en-us/library/dn249696.aspx?f=255&MSPPError=-2147217396
    Gautam.75801

  • Protect SQL database from untrusted domain

    Hello,
    I have some problems protecting a SQL 2008 SP3 database from untrusted domain with DPM 2012 R2 RU3. 
    When I try to protect the databases, they do not appear in the tree to select them; also when I try to recover a database into the untrusted domain it doesn't appear in the tree.
    NT Authority\System has sysadmin permissions, I have all TCP ports open and the following UDP ports: 389, 88, netbios-dgm, netbios-ns.
    Any idea?

    Hi
    Is this SQL Server part of a SQL Server cluster or a standalone SQL Server?
    Regards, Trinadh [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. If you found the reply helpful, please "MARK IT AS ANSWER". Looking for source of information for DPM?
    http://blogs.technet.com/b/dpm/ http://technet.microsoft.com/en-in/library/hh758173.aspx

  • ACS forwarding from untrusted domain 0x80090325 SEC_E_UNTRUSTED_ROOT

    I have SCOM 2012 R2 Update Rollup 4 installed with 2 management servers running WS12R2 in a single management group in my main AD domain. One of the management servers is also an ACS collector. I have an untrusted AD domain, with a SCOM gateway server in
    it, and I used the gateway to install a SCOM agent on a domain controller in that domain. Now I am trying to configure an ACS forwarder on that untrusted domain controller to talk to the ACS collector back on the management server.
    However, when I restart the
    Microsoft Monitoring Agent Audit Forwarding service on that domain controller, I get this error in its
    Event Viewer > Apps and Services > Operations Manager:
    1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
    <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: <IP>:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machinef(s)
    listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer
    on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows
    directory.
    I followed these two articles in order to set up the ACS forwarder on the DC in the untrusted domain: "How to configure security events collection by using Audit Collection Services from computers in untrusted environment?" {1/3/12}https://gefufna.wordpress.com/2012/01/03/how-to-configure-security-events-collection-by-using-audit-collection-services-from-computers-in-untrusted-environment/ "Forwarder
    is unable to connect to collector Event id 4369 in forwarder event view" {5/5/14}
    http://jimmy-scom.blogspot.com/2014/05/forwarder-is-unable-to-connect-to.html
    EXTRA INFO Here are the detailed steps that I took (sorry for all this, but there are an awful number of steps!):
    1) I confirmed that the agent for the DC shows as Healthy in OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (right) pane.
    2) On the ACS collector, I stopped
    Operations Manager Audit Collection Service, then from Admin cmd prompt I did this:
    c:> cd \windows\system32\security\adtserver
    c:> adtserver -c
    } 1 certificates found for server authentication usage.
    Enter the number of the certificate you want AdtServer to use for authenticating to AdtAgent or 0 to quit without saving: 1
    Certificate 1 selected. Attempting to save thumbprint to registry ...
    success.
    Then I started
    Operations Manager Audit Collection Service.
    3) On the DC in the untrusted domain, from Admin cmd prompt I did this:
    c:> cd c:\windows\system32
    c:> adtagent -c
    } No  Issued To                   Issued By                   Expires   
    Thumbprint
     1: <untrustedDCfqdn> <untrustedDomainCA>             2015-11-30 02:44:58    <thumbprint>
    2 certificates found for client authentication usage.
    Enter the number of the certificate you want AdtAgent to use for authenticating to AdtServer or 0 to quit without saving: > 1
    } Certificate 1 selected. Attempting to save thumbprint to registry… success.
    4) On the DC in the untrusted domain, I opened mmc > Certificates > Local Computer > Personal > Certificates > I exported the certificate from step 3 to a DER encoded binary X.509 (.CER) file.
    5) I also looked at the Certification Path for the certificate, and figured out which certificate is its Root CA certificate. I copied that certificate to a DER encoded binary X.509 (.CER) file.
    6) I copied the first .CER file to a computer in my main domain, which is at 2012 R2 level. From AD Users and Computers, I created a "dummy" computer object using the NetBios name of the DC back on the untrusted domain. I right clicked the computer object > Named Mappings > I added the .CER file, and left "Use Subject for alternate identity" checked. I unchecked "Use Issuer for alternate security identity".
    7) I copied the Root CA certificate .CER file over to the SCOM management server that doubles as my ACS collector, and from there I did mmc > Certificates > Local Computer > Trusted Root Certificates > Certificates > I imported the Root CA certificate.
    8) I also went to my CA server on my main domain, I ran pkiview.msc > right clicked “Enterprise PKI” > Manage AD Containers > NTAuthCertificates tab > and I imported the Root CA certificate there as well.
    9) I ran telnet from the DC on the untrusted domain, and confirmed that port 51909 is open from there to the ACS collector on the main domain.
    10) I enabled audit collection for the DC on the untrusted domain. I did this from OM Console > Monitoring > Operations Manager > Agent Details > Agent Health State > Agent State (second column in middle pane) > I selected the Healthy <untrustedDCfqdn> > I clicked Enable Audit Collection.
    Then under "Task Parameters" > I clicked [Override] > for New Value I specified <ACScollectorFQDN>. For task credentials I specified Other account, and specified a domain admin account in the untrusted domain. The result was "The task completed successfully. Enable Audit Collection, status:Success".
    11) On the ACS collector, I restarted Operations Manager Audit Collection Service. On the DC in the untrusted domain I restarted Microsoft Monitoring Agent Audit Forwarding service.
    12) Result was this error on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager
    1/23/2015 5:08:01 PM Source AdtAgent Event ID 4369 Forwarder unsuccessfully tried to connect to the following collector(s):
    <acsCollectorFQDN>:51909, status: 0x80090325 (TCP connect), source:registry addresses tried: 10.1.1.91:51909. If the list of collectors is blank, then AdtAgent was unable to locate a collector. Common reasons for this message are: The machine(s) listed is not online. AdtServer is not running on the machine(s) listed. AdtServer on the machine(s) listed is not listening on the specified port. TCP connectivity to the AdtServer machine is blocked by firewall, IPSec, or other filtering mechanism AdtServer on the machine(s) listed actively refused the connection (due to policy or current activity load). For detailed failure information, enable trace logging using the TraceFlags registry key and examine the AdtAgent.log in the \temp subdirectory of the Windows directory.
    13) On the DC in the untrusted domain I created DWORD reg value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdtAgent\Parameters\TraceFlags and set it to 524420 decimal. The resulting c:\windows\temp\AdtAgent.log file only confirmed that I'm getting 0x80090325 errors.
    After all this, why am I getting 0x80090325, which translates to SEC_E_UNTRUSTED_ROOT ??? Did I do something wrong in steps 5, 7 and 8? Thanks for reading all the way through :)
    Marko

    Thanks Yan Li, you gave me an idea. I got the ACS forwarder in the untrusted domain to work (!), by analyzing the setup on the SCOM gateway that I set up in the untrusted domain. I issued the ACS forwarder a certificate from the domain that SCOM is in, INSTEAD of configuring the ACS forwarder to use the certificate that it already had from its own domain.
    So the new procedure is: do steps 1 and 2, then instead of step 3 I did this…
    2B) I issued a certificate from the AD domain containing SCOM to the domain controller in the untrusted domain that is my ACS forwarder. I did this from the AD Certificate Services web site, and asked it to use the certificate template that I created for the SCOM gateway server in the untrusted domain.
    2C) The new certificate appeared in the Personal store of the domain controller. I exported it, then ran the MomCertImport utility so that I would not get an error in the next step (per http://www.systemcentercentral.com/scom-deployment-across-multiple-networks/)
    3) On the domain controller in the untrusted domain, I re-ran "adtserver -c", and selected the new certificate.
    3B) I then ran “MomCertImport /Remove”, since I already have a SCOM gateway in the untrusted domain.
    Then I proceeded with step 4, skipped 5, did 6, skipped 7-8, did 9-11. The result was this on the DC in the untrusted domain, in its Event Viewer > Apps and Services > Operations Manager
    2/3/2015 12:20:01 PM Source AdtAgent Event ID 4368 Forwarder successfully connected to the following collector:
    <ACScollectorFQDN>:51909, status: 0x0 (success), source: registry
    addresses tried: <IPaddress>:51909
    ACS forwarding works now! I will confirm by repeating the procedure for another domain controller in the untrusted forest.
    Marko
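    A diagnostic script, added here as an example and not part of Marko's posts, that checks on the forwarder the things the two posts above were chasing: TCP reachability of the collector on 51909, whether the certificate selected with "adtagent -c" has a private key and the Client Authentication EKU, and which root that certificate chains to (0x80090325 is SEC_E_UNTRUSTED_ROOT, so the peer must trust that root). The function name and parameters are assumptions; the thumbprint is taken as input rather than read from the registry.

```powershell
# Added diagnostic; not from the original thread. Assumptions: run on the
# forwarder (the DC in the untrusted domain), $Thumbprint is the value that
# "adtagent -c" printed, and the collector listens on TCP 51909 as in the
# thread. Function and parameter names are hypothetical.
function Test-AcsForwarderCert {
    param(
        [Parameter(Mandatory)] [string] $CollectorFqdn,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $Port = 51909
    )

    # Event 4369 names the failing stage "(TCP connect)"; rule out the
    # firewall first, as step 9 of the thread does with telnet.
    $tcp = Test-NetConnection -ComputerName $CollectorFqdn -Port $Port -WarningAction SilentlyContinue
    "TCP {0}:{1} reachable: {2}" -f $CollectorFqdn, $Port, $tcp.TcpTestSucceeded

    # AdtAgent uses a certificate from LocalMachine\My and needs its private key.
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in LocalMachine\My" }
    "Subject: {0}" -f $cert.Subject
    "Issuer:  {0}" -f $cert.Issuer
    "Private key present: {0}, expires {1}" -f $cert.HasPrivateKey, $cert.NotAfter

    # "adtagent -c" only offers certificates with the Client Authentication EKU.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    "Client Authentication EKU: {0}" -f [bool]$clientAuth

    # 0x80090325 = SEC_E_UNTRUSTED_ROOT: the peer could not chain this
    # certificate to a root it trusts. Build the chain here to see which root
    # that is; the collector must hold it under Trusted Root Certification
    # Authorities (step 7 in the thread), or, as in the working fix, the
    # forwarder gets a certificate issued by the collector's own domain CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    "Chain builds locally: {0}" -f $built
    foreach ($el in $chain.ChainElements) { "  {0}" -f $el.Certificate.Subject }
    if (-not $built) {
        $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Root the collector must trust: {0} (thumbprint {1})" -f $root.Subject, $root.Thumbprint
}

# Usage (placeholders as in the thread):
# Test-AcsForwarderCert -CollectorFqdn '<ACScollectorFQDN>' -Thumbprint '<thumbprint>'
```

    Run it from an elevated PowerShell on the forwarder; if the chain builds locally but the collector still logs 0x80090325, the root printed last is the one missing from the collector's store.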

  • Administer untrusted domain

    I'm trying to administer users in an untrusted domain from my PC.
    I use the below CMD line and I'm able to get ADUC running. Doing some tasks in ADUC gives me the error "The specified domain either does not exist or could not be contacted."
    C:\Windows\System32\runas.exe /netonly /user:UntrustedDomain\user "mmc dsa.msc /server=1.1.1.1"

    Hi,
    If you want to access the other domains, you have to configure a trust relationship:
    For more and detail information, please refer to:
    http://windowsitpro.com/windows-server/how-do-i-configure-trust-relationship
    Regards.
    Vivian Wang

  • Scom proxy in untrusted domain

    Hi all,
    We have one domain where SCOM is installed and works well. Now we are preparing another domain without a trust relationship with the existing one. In this new domain we want to monitor the servers with the existing SCOM infrastructure. We want to use the proxy agent option on one of the servers from the new domain, and have all communication between the new servers in the untrusted domain and the existing SCOM go through this proxy agent.
    I understand we cannot use Kerberos, so for this reason it is necessary to use certificates. I'm not sure if it is necessary to use a Gateway Server for 7-8 remote servers. If we decide not to use a Gateway Server, is it enough to open the ports TCP 135 and TCP/UDP 445 in the firewalls?
    Thanks.

    Hi,
    I would like to suggest you use a gateway server and certificates to monitor the untrusted domain; please go through the links below for more details. We should make sure port 5723 is opened in both directions between your domain and the untrusted domain.
    Tech Day 2013 Denmark - Monitoring untrusted domains with SCOM 2012 SP1
    http://blogs.technet.com/b/predrag_oparnica/archive/2013/07/11/monitoring-untrusted-domains-with-scom-2012-sp1.aspx
    SCOM 2012 untrusted domain and certificates - impossible to get it to work
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/e50cb72d-5c27-4cd2-8320-b2472c7b1a75/scom-2012-untrusted-domain-and-certificates-impossible-to-get-it-to-work?forum=operationsmanagerdeployment
    Regards,
    Yan Li

  • Pull DP error for cross untrusted domain

    I have put the pull DP into the untrusted domain and opened bidirectional ports in both firewalls. Clients are not communicating with the primary SCCM server.

    I am trying to install SCCM agent manually on untrusted forest and getting following error.
    Failed to get assigned site from AD.Error 0x800004005
    getADinstallparams failed with 080004005
    no valid source or MP locations could be identified to download content from ccmsetup.exe cannot continue
