Deploying Agents Across Multiple Domains

It is a common scenario to manage computers across multiple domains. You can remotely install agents in a domain other than the Management Server domain whether the domain is trusted or not.

Important

If you want to use a Management Server to manage computers in both trusted and non-trusted domains, you cannot use mutual authentication. Mutual authentication requires a two-way Active Directory trust relationship between the Management Server domain and the domains for all agents.

Multiple Domains with Trust Relationships

The Management Server deployment process requires local administrator credentials on the target computers to install agents. One way to achieve this is to establish a trust relationship between the Management Server domain and the target computer domain and then to grant these permissions to the Management Server Action Account. Using this method, the Management Server can automatically install and remove agents on remote computers. Therefore, you do not need to install agents manually.

Note

If you are not using the Management Server Action Account to push-install agents remotely, you do not need to perform these steps. Your security policies might prevent you from using the Management Server Action Account in this way. If this is the case, you can still remotely install agents by supplying the credentials in the Install/Uninstall Agents Wizard.

To manage computers across domains by using a trust relationship

  1. Establish a trust relationship in which the domain of the managed computer trusts the domain of the Management Server.

  2. Create a domain group within the trusting domain, and include the Management Server Action Account if you are using push-installation of agents or want to automatically update agents.

  3. Add the domain group as a member of the Administrators group on each target computer in the trusting domain.

  4. Install agents remotely by following the procedures in the "Install Agents Remotely" section in Chapter 4, "Discovering Computers and Deploying MOM Agents."
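
Before step 4, the result of steps 1 through 3 can be checked with a read-only audit. The PowerShell below is an added example, not part of the original documentation; it assumes the ActiveDirectory module and PowerShell remoting are available, and every domain, group and computer name in it is a hypothetical placeholder.

```powershell
# Added example: read-only audit of steps 1-3. Every name below is a
# hypothetical placeholder; nothing here comes from the MOM documentation.
Import-Module ActiveDirectory

$MgmtDomain     = 'mgmt.example.com'       # Management Server domain (trusted)
$TrustingDomain = 'managed.example.com'    # managed computers' domain (trusting)
$GroupName      = 'MOM-AgentInstallers'    # domain group created in step 2
$GroupNetBios   = 'MANAGED\MOM-AgentInstallers'
$Targets        = 'SRV01.managed.example.com', 'SRV02.managed.example.com'

# Step 1: seen from the trusting domain, the trust to the Management Server
# domain must be Outbound or BiDirectional.
$trust = Get-ADTrust -Filter "Name -eq '$MgmtDomain'" -Server $TrustingDomain
if (-not $trust -or [string]$trust.Direction -notin 'Outbound', 'BiDirectional') {
    Write-Warning "No trust from $TrustingDomain to $MgmtDomain was found."
}

# Step 2: list the group's members for review. To keep the grant narrow it
# should hold only the Management Server Action Account. Members from another
# forest are listed under CN=ForeignSecurityPrincipals.
$group = Get-ADGroup -Identity $GroupName -Server $TrustingDomain -Properties member
"Members of ${GroupName}:"
$group.member

# Step 3: on each target, confirm the group is in the local Administrators
# group (well-known SID S-1-5-32-544) and list the other members for review.
$report = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

foreach ($computer in $Targets) {
    $rows = @($report | Where-Object PSComputerName -eq $computer)
    [pscustomobject]@{
        Computer     = $computer
        GroupPresent = $rows.Name -contains $GroupNetBios
        OtherAdmins  = ($rows.Name | Where-Object { $_ -ne $GroupNetBios }) -join '; '
    }
}
```

A target that cannot be reached reports GroupPresent as False, so treat False as a host to check rather than proof that the group is missing.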

Multiple Domains with a Non-Trust Relationship

You can use the Install/Uninstall Agents Wizard to install agents on computers in a non-trusted domain. In the wizard, you must provide credentials that have administrator rights on the target computers.