ameriaadmin asked:

DMZ server monitoring with SCOM

Hello Experts,
I have SCOM 2012 and want to monitor DMZ servers. I have used the link below:
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx

Now the agent on the DMZ computer cannot connect to the SCOM RMS server.

Here is my log from the DMZ computer:

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          5/15/2013 3:09:48 PM
Event ID:      21007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to scom2012.ameriabank.local because it is not in a trusted domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21007</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-15T11:09:48.000000000Z" />
    <EventRecordID>2799</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom2012.ameriabank.local</Data>
  </EventData>
</Event>

ameriaadmin (ASKER)

Examining cert - Serial number 642103125E6A6F9A47194E172512F933
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=WMSvc-SRV-AB-WWW1
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: 33F91225174E19479A6F
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1B23DA660000000021BE
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<SRV-AB-WWW1>"
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: BE210000000066DA231B
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.
PS C:\Users\Administrator>
Results from the SCOM RMS server:

Examining cert - Serial number 6315095F000000001FEC
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=scom.ameriabank.am, OU=IT, O=Ameriabank CJSC, L=Yerevan, S=Armenia, C=AM
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: EC1F000000005F091563
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1AA69FEE0000000021BA
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<scom2012.ameriabank.local>"
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 2C472DF53281849348E2F90321216DA2
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
        Key usage extension exists but does not meet requirements.
        A KeyUsage extension matching 0xA0 (Digital Signature, Key Encipherment)
        or better is required.
        KeyUsage found on this cert matches:
        DataEncipherment, KeyEncipherment
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: A26D212103F9E2489384
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        The following error occurred building a certification chain with this cert:
        A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

        This is an error if the certificates on the remote machines are issued
        from this same CA - CN=scom2012.ameriabank.local
        Please ensure the certificates for the CAs which issued the certificates configured
        on the remote machines is installed to the Local Machine Trusted Root Authorities
        store on this machine.
PS C:\Users\administrator.AMERIABANK>
I will install a new CA and then try to solve the issue.
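
Added example (not part of the original thread and not the checker script's own code): the "Expected registry entry" lines above show the registry value as the certificate serial with its bytes reversed, so this parser for the output format reports which certificate the registry value selects and which of the listed requirements that certificate fails. The function names are illustrative.

```python
import re

REQUIRED_EKUS = {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"}  # quoted in the output

def registry_form(serial_hex):
    """Byte-reverse a serial, as the 'Expected registry entry' lines do."""
    return "".join(reversed(re.findall("..", serial_hex.upper())))

def parse_report(text):
    """One dict per 'Examining cert' block; a check with no detail lines passed."""
    certs = []
    for block in re.split(r"(?m)^Examining cert - Serial number ", text)[1:]:
        def grab(pattern):
            m = re.search(pattern, block)
            return m.group(1).strip() if m else None
        found = set(re.findall(r"(?m)^\s+(1\.3\.6\.1\.[\d.]+)\s*$", block))
        certs.append({
            "serial": block.split()[0],
            "cn": grab(r"Actual - CN=(.+)"),
            "expected_cn": grab(r"Expected \(case insensitive\)- CN=(.+)"),
            "missing_ekus": REQUIRED_EKUS - found if found else set(),
            "registry": grab(r"Actual registry entry:\s+(\w+)"),
        })
    return certs

def diagnose(certs):
    """Return (serial the registry value selects, that cert's failed checks)."""
    for c in certs:
        if c["registry"] and registry_form(c["serial"]) == c["registry"].upper():
            problems = [f"missing EKU {oid}" for oid in sorted(c["missing_ekus"])]
            if c["cn"] and c["cn"].lower() != c["expected_cn"].lower():
                problems.insert(0, f"subject CN={c['cn']}, expected CN={c['expected_cn']}")
            return c["serial"], problems
    return None, ["registry serial matches no certificate in the report"]

# Excerpt of the DMZ agent's output from this page (passing checks omitted).
SAMPLE = """\
Examining cert - Serial number 642103125E6A6F9A47194E172512F933
Cert subjectname
        Actual - CN=WMSvc-SRV-AB-WWW1
        Expected (case insensitive)- CN=SRV-AB-WWW1
Enhanced Key Usage Extension
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Serial number written to registry
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Examining cert - Serial number 1B23DA660000000021BE
Serial number written to registry
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
"""
```

Run on the DMZ excerpt, `diagnose(parse_report(SAMPLE))` selects the WMSvc certificate and lists its subject mismatch and the missing 1.3.6.1.5.5.7.3.2 EKU.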

ASKER CERTIFIED SOLUTION
ameriaadmin

I have installed the new CA server, because with the old one it was not possible to monitor non-domain servers. With an enterprise CA it is now possible.
I have used the guide
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx
All is OK.