Agent communication error – 21001 – caused by wrong type of trust

I was working with a customer that had deployed several agents in the same domain as the OpsMgr servers, but when deploying to servers in other trusted domains, the following error occurred in the agent's OpsMgr event log:

Event Type:    Error
Event Source:    OpsMgr Connector
Event Category:    None
Event ID:    21001
User:        N/A
Computer:    AGENT
Description: The OpsMgr Connector could not connect to MSOMHSvc/OPSMGRMS.customer.local because mutual authentication failed. 
Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

We checked the SPNs and they were set correctly, and agents within the same domain had no issues connecting to the OpsMgr servers.

The customer assured me that the trusts worked as they should, because they accessed resources and applications across the domains without issues.

The problem was that all trusts were created as external trusts and not as forest trusts. Among other differences, an external trust, unlike a forest trust, does not support Kerberos authentication, which is a requirement for OpsMgr agent to Management Server communication.

Therefore two solutions were possible: either remove the trusts and create them again as forest trusts, or introduce OpsMgr Gateway Servers in the trusted domains.
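
One way to find out which trusts are external rather than forest trusts before deploying agents, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and is run from the domain hosting the OpsMgr servers; the function name and the output column names are hypothetical.

```powershell
# Added example: classify every trust of the current domain and flag the ones
# that, per this article, break OpsMgr agent mutual authentication (event 21001).
Import-Module ActiveDirectory

# Confirm the SPN named in the event description is registered (setspn -Q queries for it).
setspn -Q MSOMHSvc/OPSMGRMS.customer.local

function Get-TrustKind {
    # Hypothetical helper: maps Get-ADTrust properties to a trust kind.
    param([Parameter(Mandatory)] $Trust)
    if ($Trust.IntraForest)         { return 'IntraForest' }  # parent/child, tree-root, shortcut
    if ($Trust.ForestTransitive)    { return 'Forest' }       # forest trust between root domains
    if ($Trust.TrustType -eq 'MIT') { return 'Realm' }        # non-Windows Kerberos realm
    return 'External'                                         # the case described in this article
}

Get-ADTrust -Filter * | ForEach-Object {
    $kind = Get-TrustKind -Trust $_
    [pscustomobject]@{
        TrustedDomain = $_.Name
        Direction     = $_.Direction
        Kind          = $kind
        # Agents behind an external trust need a Gateway Server or a
        # re-created forest trust, the two options listed above.
        NeedsGatewayOrForestTrust = ($kind -eq 'External')
    }
} | Sort-Object Kind, TrustedDomain | Format-Table -AutoSize
```

Rows with Kind "External" are the domains where agents would hit the mutual authentication failure shown in the event above.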

Some additional information about the different types of trusts is listed below. (Links and summary kindly provided by my colleague Craig Forster)

External Trusts only support NTLM:

“Access to resources between domains that are connected by an external trust requires Pre-Windows 2000 Compatibility. Because external trusts only support NTLM authentication, queries to a directory in a different forest are always handled as anonymous access.”

Forest Trusts work on Windows Server 2003:

Trusts between two Windows Server 2003 forests

It is possible to extend the transitivity of domain trusts within a single Windows Server 2003 forest to another Windows Server 2003 forest by manually creating a one-way or two-way forest trust. A forest trust is a transitive trust between a forest root domain and a second forest root domain. A one-way forest trust allows all users in one forest to trust all domains in the other forest; a two-way forest trust forms a transitive trust relationship between every domain in both forests. The transitivity of forest trusts is limited to the two forest partners; the forest trust does not extend to additional forests trusted by either of the partners.



