Solved

DMZ server monitoring with SCOM

Posted on 2013-05-15
Last Modified: 2014-03-12
Hello Experts,
I have SCOM 2012 and want to monitor DMZ servers. I have used the link below:
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx

Now the agent on the DMZ computer cannot connect to the SCOM RMS server.

Here is the log from the DMZ computer:

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          5/15/2013 3:09:48 PM
Event ID:      21007
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to scom2012.ameriabank.local because it is not in a trusted domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21007</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-15T11:09:48.000000000Z" />
    <EventRecordID>2799</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom2012.ameriabank.local</Data>
  </EventData>
</Event>
Question by:ameriaadmin
7 Comments
 

Author Comment

by:ameriaadmin
ID: 39177178
Examining cert - Serial number 642103125E6A6F9A47194E172512F933
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=WMSvc-SRV-AB-WWW1
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: 33F91225174E19479A6F
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1B23DA660000000021BE
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<SRV-AB-WWW1>"
        Expected (case insensitive)- CN=SRV-AB-WWW1
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: BE210000000066DA231B
        Actual registry entry:   33F91225174E19479A6F6A5E12032164
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.
PS C:\Users\Administrator>
 

Author Comment

by:ameriaadmin
ID: 39177183
Results from the SCOM RMS server:

Examining cert - Serial number 6315095F000000001FEC
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN=scom.ameriabank.am, OU=IT, O=Ameriabank CJSC, L=Yerevan, S=Armenia, C=AM
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: EC1F000000005F091563
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 1AA69FEE0000000021BA
---------------------------------------------------
Cert subjectname
        The SubjectName of this cert does not match the FQDN of this machine.
        Actual - CN="<scom2012.ameriabank.local>"
        Expected (case insensitive)- CN=SCOM2012.ameriabank.local
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
        There is a valid certification chain installed for this cert,
        but the remote machines' certificates could potentially be issued from
        different CAs.  Make sure the proper CA certificates are installed
        for these CAs.

Examining cert - Serial number 2C472DF53281849348E2F90321216DA2
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
        Enhanced key usage extension does not meet requirements.
        Required EKUs are 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2
        EKUs found on this cert are:
        1.3.6.1.5.5.7.3.1
Key Usage Extensions
        Key usage extension exists but does not meet requirements.
        A KeyUsage extension matching 0xA0 (Digital Signature, Key Encipherment)
        or better is required.
        KeyUsage found on this cert matches:
        DataEncipherment, KeyEncipherment
KeySpec
Serial number written to registry
        The serial number written to the registry does not match this certificate
        Expected registry entry: A26D212103F9E2489384
        Actual registry entry:   BA2100000000EE9FA61A
Certification chain
        The following error occurred building a certification chain with this cert:
        A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

        This is an error if the certificates on the remote machines are issued
        from this same CA - CN=scom2012.ameriabank.local
        Please ensure the certificates for the CAs which issued the certificates configured
        on the remote machines is installed to the Local Machine Trusted Root Authorities
        store on this machine.
PS C:\Users\administrator.AMERIABANK>
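The checks named in the two outputs above (subject name, EKUs, key usage, serial number in the registry), re-implemented as an added example; it is not part of the thread and not the script that produced those outputs, and the function names are hypothetical. It goes one step further than the outputs by comparing the full byte-reversed serial with the registry value: the "Expected registry entry" lines show only 10 bytes for the 16-byte serials, while the full reversal of the CN=WMSvc-SRV-AB-WWW1 serial equals the value stored on SRV-AB-WWW1.

```python
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
REQUIRED_KEY_USAGE = 0xA0  # DigitalSignature (0x80) | KeyEncipherment (0x20)

def registry_serial(serial_hex):
    """Byte-reverse a serial, e.g. 1B23DA660000000021BE -> BE210000000066DA231B."""
    return bytes.fromhex(serial_hex)[::-1].hex().upper()

def subject_cn(subject):
    """Extract the CN value from a subject such as 'CN=host, OU=IT'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip('"')
    return ""

def check_cert(cert, fqdn, registry_value):
    """Return the names of the checks this certificate fails."""
    failed = []
    if subject_cn(cert["subject"]).lower() != fqdn.lower():
        failed.append("subject")
    if not {SERVER_AUTH, CLIENT_AUTH} <= set(cert["ekus"]):
        failed.append("eku")
    if (cert["key_usage"] & REQUIRED_KEY_USAGE) != REQUIRED_KEY_USAGE:
        failed.append("key_usage")
    if registry_serial(cert["serial"]) != registry_value.upper():
        failed.append("registry_serial")
    return failed

# Records transcribed from the outputs above. key_usage values are constructed,
# except 0x30 (DataEncipherment | KeyEncipherment), which the output reports.
DMZ_FQDN, DMZ_REGISTRY = "SRV-AB-WWW1", "33F91225174E19479A6F6A5E12032164"
DMZ_CERTS = [
    {"serial": "642103125E6A6F9A47194E172512F933", "subject": "CN=WMSvc-SRV-AB-WWW1",
     "ekus": [SERVER_AUTH], "key_usage": 0xA0},
    {"serial": "1B23DA660000000021BE", "subject": 'CN="<SRV-AB-WWW1>"',
     "ekus": [SERVER_AUTH, CLIENT_AUTH], "key_usage": 0xA0},
]
RMS_THIRD_CERT = {"serial": "2C472DF53281849348E2F90321216DA2",
                  "subject": "CN=SCOM2012.ameriabank.local",  # assumed: no subject failure reported
                  "ekus": [SERVER_AUTH], "key_usage": 0x30}

def report():
    """Map each sample certificate's serial to the list of checks it fails."""
    results = {c["serial"]: check_cert(c, DMZ_FQDN, DMZ_REGISTRY) for c in DMZ_CERTS}
    results[RMS_THIRD_CERT["serial"]] = check_cert(
        RMS_THIRD_CERT, "SCOM2012.ameriabank.local", "BA2100000000EE9FA61A")
    return results

if __name__ == "__main__":
    for serial, failed in report().items():
        print(serial, failed or "OK")
```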
 

Author Comment

by:ameriaadmin
ID: 39778482
I will install a new CA and then try to solve the issue.
 

Accepted Solution

by:ameriaadmin
ID: 39925616
Monitoring a server outside the domain is not possible without an enterprise CA.
 

Author Closing Comment

by:ameriaadmin
ID: 39925619
I have installed the new CA server, because with the old one it was not possible to monitor non-domain servers. With the enterprise CA it is now possible.
I used the guide
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx
All is OK.