Here's another great tip sent to me by Sam Allen, one of the top Support Escalation Engineers in our Las Colinas office. If you're rolling out agents in a remote domain and find that they're unable to communicate with the management server then this is something you'll definitely want to check out:
Issue: After pushing an agent to a computer in another domain, the install appears to complete successfully but the agent can't communicate with the management server. A network trace will show the SCOM management server failing to perform an LDAP lookup for the agent. On the agent side you will see the following error:

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20070
Description: The OpsMgr Connector connected to <server>, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
Cause: This can happen if the management server does not have permission to look up the machine in the remote domain.
Resolution: To resolve this issue, make sure Authenticated Users have Read permissions on the domain:

1. Open AD Users and Computers.
2. Right-click on the name of the domain and select Properties.
3. Select the Security tab.
4. Make sure Authenticated Users have Read permissions.
You should also check the container where the agent is located and verify that the same permissions exist there:
1. Open AD Users and Computers.
2. Right-click on the container holding the computer and select Properties.
3. Select the Security tab.
4. Make sure Authenticated Users have Read permissions.
Once this is done the agent should start communicating properly.
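If you'd rather verify both permissions from a console than click through two Security tabs, the following script is an added example (it is not from the original post or from the SCOM product) that reads the DACL on the domain root and on the container holding the agent's computer account and reports whether Authenticated Users hold the Read rights the steps above describe. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the -AgentComputerName and -Server parameters are names chosen for this script. It only reads ACLs and changes nothing.

```powershell
<#
Added example, not part of the original post: checks that Authenticated Users
have Read on the domain root and on the container holding the agent computer.
Assumes the ActiveDirectory module (RSAT). -AgentComputerName and -Server are
hypothetical parameter names chosen for this script.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$AgentComputerName,
    # Optional: a DC or domain name for the remote domain; defaults to the current domain.
    [string]$Server
)

Import-Module ActiveDirectory -ErrorAction Stop

# The "Read" checkbox on the ADUC Security tab maps to these three rights,
# granted on the object and all of its properties (ObjectType = empty GUID).
$readBits  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ListChildren, ReadControl'
$authUsers = 'NT AUTHORITY\Authenticated Users'

# When checking a remote domain, mount a separate AD drive against one of its DCs.
$drive    = 'AD'
$adParams = @{}
if ($Server) {
    $adParams['Server'] = $Server
    New-PSDrive -Name RemoteAD -PSProvider ActiveDirectory -Server $Server -Root '' -Scope Script | Out-Null
    $drive = 'RemoteAD'
}

function Test-AuthenticatedUsersRead {
    param([string]$Label, [string]$DistinguishedName)

    $acl  = Get-Acl -Path "${drive}:\$DistinguishedName"
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $authUsers }

    # Read may be spread over several Allow ACEs, so OR their rights together.
    # GenericRead already contains all three read bits, so it is covered too.
    $granted = [System.DirectoryServices.ActiveDirectoryRights]0
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.ObjectType -eq [guid]::Empty) {
            $granted = $granted -bor $ace.ActiveDirectoryRights
        }
    }

    # A Deny ACE on any read bit wins over an Allow, so report it separately.
    $denied = $aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (($_.ActiveDirectoryRights -band $readBits) -ne 0)
    }

    [pscustomobject]@{
        Location          = $Label
        DistinguishedName = $DistinguishedName
        ReadAllowed       = (($granted -band $readBits) -eq $readBits)
        ReadDenied        = [bool]$denied
    }
}

$domain   = Get-ADDomain @adParams
$computer = Get-ADComputer -Identity $AgentComputerName @adParams

# Parent container DN: strip the leading RDN (escaped commas inside the CN are skipped).
$containerDn = $computer.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''

$results = @(
    Test-AuthenticatedUsersRead -Label 'Domain root'     -DistinguishedName $domain.DistinguishedName
    Test-AuthenticatedUsersRead -Label 'Agent container' -DistinguishedName $containerDn
)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.ReadAllowed -or $_.ReadDenied }) {
    Write-Warning 'Authenticated Users lack Read on at least one location; grant it per the steps above, then re-check the OpsMgr Connector events on the agent.'
}
```

Run it as an account that can read the DACLs in the agent's domain, e.g. `.\Test-AgentReadAcl.ps1 -AgentComputerName AGENT01 -Server dc01.remote.example` (a constructed invocation). A `ReadAllowed` of False or a `ReadDenied` of True on either row points at the permission the management server is missing.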
J.C. Hornbeck | Manageability Knowledge Engineer