Trust relationships between Active Directory domains
If your managed environment includes more than one Active
Directory domain, you must ensure that the correct trust
relationships exist between these domains. Management servers,
consoles, and nodes can run in different domains, and if two-way
trusts exist between all your domains, no issues should arise.
However, if some trust relationships do not exist, certain HPOM
features may not function properly.
Specifically, to make full use of all HPOM features, the
following trust relationships must exist:
Trust is required between the management
server's domain and the domain where the HPOM service accounts
exist. The management server consists of a number of services,
which run under service accounts (called HP-OVE-User and
HP-OVE-Deleg-User by default).
Trust is required between the management server's domain and
the console user's domain.
The console uses DCOM to communicate with the management server.
The management server must be able to verify the console user's
credentials.
NOTE:
You can open remote consoles in the same domain as the management
server, and in its trusted domains. You cannot open remote consoles
in domains that the management server does not trust. You also
cannot open remote consoles if the management server is part of a
workgroup. Instead, you can use Microsoft Terminal Services or
Citrix Metaframe to remotely access the management server, and then
open the console locally on the management server.
Trust is required between the domain of the computer on which
the console runs and the domain where the HPOM service accounts
exist.
The management server uses a DCOM interface to notify the
console of updates that it must display (for example, the status
change of a deployment job). The computer on which the console runs
must be able to verify the management server's credentials. (The
management server runs under the HPOM service accounts.)
Some remote agent installation options do not require trust
relationships to exist. However, to enable all remote agent
installation options, the following trust relationships are
required:
Trust between the managed node's domain and the domain where
the HPOM service accounts exist.
Trust between the managed node's domain and the console user's
domain.
The figure below shows a management server, console, and managed
nodes, all in separate domains. In addition, the HPOM service
accounts exist in a fourth domain.
[Figure: four domains and the trust relationships between them]
domain-a.example.com: remote console domain
domain-b.example.com: management server domain (another management
console or managed nodes can also exist in this domain)
domain-c.example.com: managed nodes domain
domain-d.example.com: HPOM service users domain
The figure above shows the following trust relationships:
The trust relationship from the managed nodes domain to the
remote console domain.
The two-way trust relationship between the management server
domain and the remote console domain.
The trust relationships from the remote console domain, the
management server domain, and the managed nodes domain to the HPOM
service users domain.
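As an added check, not part of the HPOM documentation, the following PowerShell script uses the ActiveDirectory module's Get-ADTrust to confirm that each trust this page lists exists and points the right way, with the domain names taken from the figure. Which domain is the trusting side is inferred from the page's statements about which computer must verify the other side's credentials; the two remote-agent entries, and the rule that the trusting domain needs the Outbound side of a one-way trust, are assumptions to confirm against your own environment.

```powershell
# Added example, not from the HPOM documentation.
# Requires the RSAT ActiveDirectory module and read access to each domain's DCs.
Import-Module ActiveDirectory

# Domain roles as drawn in the figure; adjust for your environment.
$roles = @{
    Console  = 'domain-a.example.com'   # remote console / console user's domain
    Server   = 'domain-b.example.com'   # management server domain
    Nodes    = 'domain-c.example.com'   # managed nodes domain
    SvcAccts = 'domain-d.example.com'   # HPOM service accounts domain
}

# Trusting = domain that must verify credentials; Trusted = domain owning the accounts.
# Direction inferred from the page's "must be able to verify ... credentials" statements;
# the remote-agent rows are assumptions.
$required = @(
    @{ Trusting = $roles.Server;  Trusted = $roles.SvcAccts; Why = 'management server services run under the HPOM service accounts' },
    @{ Trusting = $roles.Server;  Trusted = $roles.Console;  Why = 'management server verifies the console user over DCOM' },
    @{ Trusting = $roles.Console; Trusted = $roles.SvcAccts; Why = 'console computer verifies the management server for DCOM update notifications' },
    @{ Trusting = $roles.Nodes;   Trusted = $roles.SvcAccts; Why = 'remote agent installation (assumed direction)' },
    @{ Trusting = $roles.Nodes;   Trusted = $roles.Console;  Why = 'remote agent installation (assumed direction)' }
)

foreach ($req in $required) {
    # Ask a DC of the trusting domain for its trust object that targets the trusted domain.
    $trust = Get-ADTrust -Server $req.Trusting -Filter "Target -eq '$($req.Trusted)'" -ErrorAction SilentlyContinue
    if (-not $trust) {
        Write-Warning ("MISSING: {0} has no trust to {1} ({2})" -f $req.Trusting, $req.Trusted, $req.Why)
        continue
    }
    # Assumption: for a one-way trust the trusting domain holds the Outbound side;
    # a BiDirectional trust satisfies every row.
    $dir = $trust.Direction.ToString()
    $status = if ($dir -in @('Outbound', 'BiDirectional')) { 'OK' } else { 'WRONG DIRECTION' }
    '{0}: {1} -> {2} [Direction={3}, ForestTransitive={4}] {5}' -f $status, $req.Trusting, $req.Trusted, $dir, $trust.ForestTransitive, $req.Why
}
```

Run it from an account that can query every domain listed; a MISSING or WRONG DIRECTION line identifies the HPOM feature (console access, DCOM callbacks, or remote agent installation) that the gap will break.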