This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 21%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAE%3C/text%3E%3C/svg%3E)
Hello,
We've three different forests but all on the same hardware, I will install SCOM 2019 with the latest RU in the forest (ABC.LOCAL), how to monitor the devices in the other two forests (XYZ.LOCAL) (domain.local)
Thanks in advance
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
If the other forests are trusted, you can deploy agents without doing anything particular.
Otherwise the best option would be to deploy SCOM Gateways in these forests.
Thanks, @CyrilAzoulay for your help
If I went through the first scenario which forest type should I use (Forest Trust two-way) direction ?? if so should I use certificates too? if so should I install an active directory certificate service?
sorry for my questions this the first time for me to monitor other forest devices
Thanks again
Technically speaking, you would need the SCOM Management Servers and SCOM Agents to be withinin the same "Kerberos boundaries". To achieve this, you indeed need a two-way forest trust.
As I said previously, in that case you do not do anything particular, so no need for certificates.
However, creating a two-way forest trust is not a decision you should take lightly and surely not just to make scom agents deployment easier... that's something you need to discuss with your AD admins.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Ahmed Essam , If we can deploy Forest Trust with two-way direction, That means users in one forest can access resource in any domain in the other forst. We can see more details about forest trust in the following link:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)#forest-trusts
For the authentication using kerberos between the agents in any domain of one forest and SCOM server in another forest can be routed. We can see more details in the following link:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)#kerberos-based-processing-of-authentication-requests-over-forest-trusts
However, if trust can be not built, to monitor the agent in an untrusted domain, certificate is needed for the authentication. For this situation, Gateway server is recommended to be used for agent management of computers that are outside the Kerberos trust boundary of management group. We can see more details in the following link:
https://learn.microsoft.com/en-us/system-center/scom/deploy-install-gateway-server?view=sc-om-2019
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Ahmed Essam , How's everything going? If there's still anything unclear, feel free to let us know.