So I was working with a customer the other day wrapping-up some final requirements they had for their MOM 2005 implementation, after being away for a couple of weeks. Due to some significant changes in their headcount and long-term organizational structure, they had decided to modify the original MOM 2005 architecture (two tiered hierarchy with three management groups, each in separate forests to monitor AD DC’s) and reduce to a single management group. This single management group would monitor specific roles/servers in the other forests. as well as the forest the management group was defined in, except Active Directory (Since the ADMP does not support monitoring DC’s in other forests).
One thing that is not outlined in our documentation or on-line help, is the removal of a MOM-to-MOM Product Connector between target and source management groups. First thing that came to mind since I never had to do this before was delete the relationship from the Source Management Group, since that is where you define it from in the first place. Sure enough, that was the right method. One thing to note is that you need to log on to the source Management Server with the DAS account defined in the domain where the target MOM management group resides in order to perform this operation, or your you will receive an “Access Denied” error message. This is because the MMPC will by default, use the DAS account for authentication and is a member of the MOM Secuirty local group on the source management group. If there were no trust relationships established between the two domains, then a client certificate would need to be associated with the service account and map it to an account that is member of MOM Service security group on the destination management group.
So take note, don’t just decommission a source management group without deleting the MMPC relationship first, or else you may have to resort to “less than desireable” measures to remove it from the target management group.