DMZ server monitoring with SCOM

Hello Experts
I have a SCOM 2012 and want to monitor DMZ servers. I have used the link below
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx

and now agen from the dmz computer can not connect to scom rms server.

hear are my log from dmz computer

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          5/15/2013 3:09:48 PM
Event ID:      21007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to scom2012.ameriabank.local because it is not in a trusted domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21007</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-15T11:09:48.000000000Z" />
    <EventRecordID>2799</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom2012.ameriabank.local</Data>
  </EventData>
</Event>
ameriaadminAsked:
Who is Participating?
 
ameriaadminConnect With a Mentor Author Commented:
the monitoring server out from domain it is not possible without enterprise ca.
0
 
ameriaadminAuthor Commented:
Examining cert - Serial number 642103125E6A6F9A47194E172512F933
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=WMSvc-SRV-AB-WWW1
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: 33F91225174E19479A6F
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1B23DA660000000021BE
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<SRV-AB-WWW1>"
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: BE210000000066DA231B
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.
PS C:\Users\Administrator>
0
 
ameriaadminAuthor Commented:
results from SCOM RMS server

Examining cert - Serial number 6315095F000000001FEC
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=scom.ameriabank.am, OU=IT, O=Ameriabank CJSC, L=Yerevan, S=Armenia, C=AM
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: EC1F000000005F091563
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1AA69FEE0000000021BA
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<scom2012.ameriabank.local>"
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 2C472DF53281849348E2F90321216DA2
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
        Key usage extension exists but does not meet requirements.
        A KeyUsage extension matching 0xA0 (Digital Signature, Key Encipherment)
        or better is required.
        KeyUsage found on this cert matches:
        DataEncipherment, KeyEncipherment
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: A26D212103F9E2489384
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        The following error occurred building a certification chain with this cert:
        A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

        This is an error if the certificates on the remote machines are issued
        from this same CA - CN=scom2012.ameriabank.local
        Please ensure the certificates for the CAs which issued the certificates configured
        on the remote machines is installed to the Local Machine Trusted Root Authorities
        store on this machine.
PS C:\Users\administrator.AMERIABANK>
0
 
ameriaadminAuthor Commented:
i will install new ca and than try to solve the issue
0
 
ameriaadminAuthor Commented:
i have install the new ca server, becose with olde one it was not possible to monitor non domain servers. with enterprise ca now it is possible.
i have used the guide
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx
all is ok.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.