SCOM Management Server needs contact to writeable DC (no RODC)

This is just a short note for the rare case that someone ever stumbles upon this issue like I did today:

A customer told me that he could not connect to his Management Server anymore. Looking at the system itself, I saw a lot of SDK service crashes (in both the Operations Manager and the Application event log), all with the same error:

 System.Runtime.InteropServices.COMException (0x8007054B): The specified domain either does not exist or could not be contacted.

DNS worked fine, and even the usual troubleshooting step (rebooting the server) did not help. Digging deeper into the error messages, I saw a line like this:

 (…) at Microsoft.EnterpriseManagement.Mom.Sdk.Service.SdkSubService+SdkChannel.LookupDistinguishedName(System.String)

What had happened? The customer had changed their firewall rules some days earlier to improve security, and from that point on the Management Server could only contact an RODC.

From a security point of view a very good idea, from the Management Server perspective quite bad :) The Management Server really needs to contact a writeable Domain Controller; otherwise the SDK service will start and crash soon after.

So even in a high-security scenario (e.g. using SCOM in DMZ environments), always make sure that every Management Server can contact a writeable Domain Controller directly!
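To verify this before (or after) a firewall change, the following added check, which is not from the original post, asks the DC locator on the Management Server for a writeable DC, shows whether the default locator answer is an RODC, and tests the ports a Management Server needs on the writeable DC. It assumes the Management Server is domain-joined and that the ActiveDirectory RSAT module is present for the read-only check.

```powershell
# Added diagnostic (not part of the original post): run on the SCOM Management Server.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

# 1. Locator query with WriteableRequired: if only an RODC is reachable through the
#    firewall, this throws, which mirrors the SDK service crash described above.
try {
    $opts = [System.DirectoryServices.ActiveDirectory.LocatorOptions]::WriteableRequired -bor `
            [System.DirectoryServices.ActiveDirectory.LocatorOptions]::ForceRediscovery
    $dc = $domain.FindDomainController($opts)
    Write-Host "Writeable DC located: $($dc.Name) (site $($dc.SiteName))"
} catch {
    Write-Warning "No writeable DC reachable for $($domain.Name): $($_.Exception.Message)"
    Write-Warning "Expect SDK service crashes with 0x8007054B until a writeable DC is allowed through the firewall."
    return
}

# 2. Compare with the DC the locator picks without the flag: if that one is an RODC,
#    the firewall change has silently moved the server onto a read-only path.
$anyDc = $domain.FindDomainController()
if (Get-Command Get-ADDomainController -ErrorAction SilentlyContinue) {
    $info = Get-ADDomainController -Identity $anyDc.Name
    Write-Host ("Default locator answer: {0}, IsReadOnly={1}" -f $info.HostName, $info.IsReadOnly)
} else {
    Write-Host "Default locator answer: $($anyDc.Name) (ActiveDirectory module missing, cannot check IsReadOnly)"
}

# 3. TCP port checks against the writeable DC (Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS).
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC-EPM'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $dc.Name -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Host ("{0,-8} {1,5}/tcp {2}" -f $ports[$p], $p, $state)
}
```

Dynamic RPC ports above 1024 are not covered by the fixed-port loop, so a clean result here still leaves the RPC range to be confirmed against the firewall rule set.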