Solved

DMZ server monitoring with SCOM

Posted on 2013-05-15
Last Modified: 2014-03-12
Hello Experts,
I have a SCOM 2012 and want to monitor DMZ servers. I have used the link below:
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx

Now the agent on the DMZ computer cannot connect to the SCOM RMS server.

Here is the log from the DMZ computer:

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          5/15/2013 3:09:48 PM
Event ID:      21007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to scom2012.ameriabank.local because it is not in a trusted domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21007</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-15T11:09:48.000000000Z" />
    <EventRecordID>2799</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom2012.ameriabank.local</Data>
  </EventData>
</Event>
Question by:ameriaadmin

Author Comment

by:ameriaadmin
ID: 39177178
Examining cert - Serial number 642103125E6A6F9A47194E172512F933
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=WMSvc-SRV-AB-WWW1
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: 33F91225174E19479A6F
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1B23DA660000000021BE
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<SRV-AB-WWW1>"
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: BE210000000066DA231B
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.
PS C:\Users\Administrator>
0
 

Author Comment

by:ameriaadmin
ID: 39177183
Results from the SCOM RMS server:

Examining cert - Serial number 6315095F000000001FEC
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=scom.ameriabank.am, OU=IT, O=Ameriabank CJSC, L=Yerevan, S=Armenia, C=AM
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: EC1F000000005F091563
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1AA69FEE0000000021BA
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<scom2012.ameriabank.local>"
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 2C472DF53281849348E2F90321216DA2
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
        Key usage extension exists but does not meet requirements.
        A KeyUsage extension matching 0xA0 (Digital Signature, Key Encipherment)
        or better is required.
        KeyUsage found on this cert matches:
        DataEncipherment, KeyEncipherment
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: A26D212103F9E2489384
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        The following error occurred building a certification chain with this cert:
        A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

        This is an error if the certificates on the remote machines are issued
        from this same CA - CN=scom2012.ameriabank.local
        Please ensure the certificates for the CAs which issued the certificates configured
        on the remote machines is installed to the Local Machine Trusted Root Authorities
        store on this machine.
PS C:\Users\administrator.AMERIABANK>
0
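
An added example, not part of the original posts: a small parser for the certificate-check output shown in the two comments above, which reports the failed checks per certificate and which certificate the registry value actually points at. It assumes the registry entry is the certificate serial with its bytes reversed (as the serial and "Expected registry entry" pairs in the output show) and that a section with no indented detail passed; `analyse` and `registry_form` are hypothetical names.

```python
import re

# Constructed sample: trimmed from the DMZ agent output posted above;
# only the lines this parser reads are kept.
SAMPLE = """\
Examining cert - Serial number 642103125E6A6F9A47194E172512F933
Cert subjectname
        Actual - CN=WMSvc-SRV-AB-WWW1
        Expected (case insensitive)- CN=SRV-AB-WWW1
Enhanced Key Usage Extension
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Serial number written to registry
        Actual registry entry:   33F91225174E19479A6F6A5E12032164

Examining cert - Serial number 1B23DA660000000021BE
Cert subjectname
        Actual - CN="<SRV-AB-WWW1>"
        Expected (case insensitive)- CN=SRV-AB-WWW1
Serial number written to registry
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
"""

# Server authentication and client authentication, as required in the output.
REQUIRED_EKUS = {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"}

def registry_form(serial_hex):
    """Byte-reverse a serial number (assumed registry representation)."""
    return bytes.fromhex(serial_hex)[::-1].hex().upper()

def analyse(report):
    results = []
    for block in re.split(r"(?m)^Examining cert - Serial number ", report)[1:]:
        serial = block.split()[0]
        actual = re.search(r"Actual - CN=(.*)", block)
        expected = re.search(r"Expected \(case insensitive\)- CN=(.*)", block)
        reg = re.search(r"Actual registry entry:\s*([0-9A-F]+)", block)
        ekus = set(re.findall(r"(?m)^[ \t]+(1\.3\.6\.1\.5\.5\.7\.3\.\d+)[ \t]*$", block))
        problems = []
        if actual and expected and \
           actual.group(1).strip().lower() != expected.group(1).strip().lower():
            problems.append("subject mismatch")
        if ekus and not REQUIRED_EKUS <= ekus:
            problems.append("missing EKU " + ",".join(sorted(REQUIRED_EKUS - ekus)))
        # No mismatch detail means the registry check passed for this cert.
        selected = reg is None or reg.group(1) == registry_form(serial)
        results.append({"serial": serial, "selected": selected, "problems": problems})
    return results
```
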
 

Author Comment

by:ameriaadmin
ID: 39778482
I will install a new CA and then try to solve the issue.
0
 

Accepted Solution

by:
ameriaadmin earned 0 total points
ID: 39925616
Monitoring a server outside the domain is not possible without an enterprise CA.
0
 

Author Closing Comment

by:ameriaadmin
ID: 39925619
I have installed the new CA server, because with the old one it was not possible to monitor non-domain servers. With an enterprise CA it is now possible.
I used the guide
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx
All is OK.
0
