Solved

scom monitoring non domain computers

Posted on 2014-09-27
1,556 Views
Last Modified: 2014-10-14
Hello experts,
I have SCOM 2012 and want to monitor non-domain computers (servers in the DMZ).
I have created a new template on the CA server, then created new certificates for the DMZ server and the SCOM RMS server.
Now I have a connection between the two servers, but there is an authentication error.
Here are the logs.
Please help.

Log from DMZ server
Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          27/09/2014 14:10:17
Event ID:      20071
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1.somebank.am
Description:
The OpsMgr Connector connected to scom.ameriabank.am, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">20071</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-27T10:10:17.000000000Z" />
    <EventRecordID>1445</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1.somebank.am</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom.ameriabank.am</Data>
  </EventData>
</Event>


Log from RMS server

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          27/09/2014 14:34:39
Event ID:      21010
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-SCOM1.somebank.local
Description:
The OpsMgr Connector negotiated the use of mutual authentication with <dmz-server-ip>:49741, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21010</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-27T10:34:39.000000000Z" />
    <EventRecordID>1265875</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-SCOM1.somebank.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>"dmz-server-ip":49741</Data>
  </EventData>
</Event>
Question by:ameriaadmin
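A small triage helper for the pair of events quoted above, added here as an example (it is not from the thread, from the poster, or from Microsoft): it parses the Event XML blocks in the shape they appear in the Operations Manager log, and reports which host the 21010 record says has no connector certificate configured. The hostnames and sample records are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the Event XML records in the Operations Manager log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# 20071 is logged by the side that opened the connection (the DMZ agent): the
# peer dropped the session before authentication. 21010 is logged by the side
# that received it (the management server): Kerberos is unavailable for a
# workgroup peer and this host has no certificate configured for the connector.
DIAGNOSIS = {
    20071: "peer closed the connection before authentication; "
           "check the peer's Operations Manager log",
    21010: "no connector certificate configured on this host; import one with "
           "MOMCertImport (subject = this host's FQDN, EKU Server + Client Auth)",
}

def parse_event(xml_text):
    """Return (computer, event_id, peer) from one Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    computer = system.find("e:Computer", NS).text
    event_id = int(system.find("e:EventID", NS).text)
    # For both event IDs the first <Data> element names the remote endpoint.
    data = root.find("e:EventData/e:Data", NS)
    return computer, event_id, data.text if data is not None else ""

def triage(events):
    """Map each known connector event to the host and the action it needs."""
    findings = []
    for xml_text in events:
        computer, event_id, peer = parse_event(xml_text)
        if event_id in DIAGNOSIS:
            findings.append({"host": computer, "event_id": event_id,
                             "peer": peer, "action": DIAGNOSIS[event_id]})
    return findings

def hosts_missing_certificate(events):
    """Hosts that logged 21010, i.e. the ones that must import a certificate."""
    return sorted({f["host"] for f in triage(events) if f["event_id"] == 21010})

def _sample(computer, event_id, peer):
    """Constructed Event XML record in the log's shape (sample data only)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="OpsMgr Connector" />'
        f'<EventID Qualifiers="49152">{event_id}</EventID><Level>2</Level>'
        f'<Channel>Operations Manager</Channel><Computer>{computer}</Computer>'
        f'</System><EventData><Data>{peer}</Data></EventData></Event>'
    )

# Constructed pair mirroring the thread: agent-side 20071, server-side 21010.
SAMPLE_EVENTS = [
    _sample("dmz-web1.example.com", 20071, "scom-ms.example.com"),
    _sample("scom-ms.example.local", 21010, "192.0.2.10:49741"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} {f['event_id']} via {f['peer']}: {f['action']}")
    print("must import a certificate:", hosts_missing_certificate(SAMPLE_EVENTS))
```

On a live box the same functions can be fed the XML returned by Get-WinEvent's ToXml() for the Operations Manager log.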

Author Comment

by:ameriaadmin
ID: 40349310
Thank you for your comment, but the first link is partial; it does not work. The second is OK, but after the steps I have an error. Please suggest what to do in my case.
 

Author Comment

by:ameriaadmin
ID: 40349383
Log from DMZ computer
Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          29/09/2014 10:54:51
Event ID:      20071
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1.somebank.am
Description:
The OpsMgr Connector connected to scom.somebank.am, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">20071</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
    <EventRecordID>2163</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1.somebank.am</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom.somebank.am</Data>
  </EventData>
</Event>

Log from SCOM RMS computer
Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          29/09/2014 11:18:57
Event ID:      21010
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-SCOM1.somebank.local
Description:
The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21010</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
    <EventRecordID>1269145</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-SCOM1.somebank.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>192.168.169.40:53552</Data>
  </EventData>
</Event>
 

Author Comment

by:ameriaadmin
ID: 40353927
Dear experts, any suggestion?
 
LVL 12

Accepted Solution

by: Ganesh Kumar A (earned 2000 total points)
ID: 40354233
Have you tried all the above listed, and how did you import the certificate? Check this link and ensure you don't miss any of the steps mentioned. Once it is done, post the details if you get any error.

https://support2.microsoft.com/kb/947691?wa=wsignin1.0


First: the certificates you have for the management server and agent must use the actual FQDN names of those machines (even if that is machine.domain.local). You need to make sure that the agent can resolve the name of the management server (that direction). If you have a VPN or direct connection, you specify the internal IP address of the management server. If you are behind an internet connection, then you specify the IP address of the outside firewall of your company where your management server was published on port 5723. Just make sure the firewall passes all traffic which arrives at TCP 5723 to the management server. Test with telnet as you have seen and done.
So internal: use the hosts file on the agent to point to the internal IP address of the MS. External: use the agent hosts file to point to the external IP address of the MS (and make sure it blindly forwards the 5723 traffic to the MS). These methods worked for me in several instances.
For the first few minutes it could still refuse the connection, as you have seen as well. But a restart of the agent and waiting 10 minutes should start to accept the agent.

If the agent happens to be a domain controller (I think it was somewhere in this thread as well for one box) and you want to monitor AD, then please run that thing and restart the agent service.
 
LVL 12

Assisted Solution

by: Ganesh Kumar A (earned 2000 total points)
ID: 40355207
The servers which are in the DMZ might be in a workgroup; add the DNS suffix of your AD domain.
 

Author Comment

by:ameriaadmin
ID: 40359050
I have done all the steps, then checked the certificates with the script.

#####################################################################
# OpsMgrCertChecker.ps1
# Version 1.0
#
# Checks for a valid OpsMgr Agent certificate and its configuration
#
# Vadims Podans (c) 2010
# http://en-us.sysadmins.lv/
#####################################################################

Write-Host "This script will inspect Local Machine certificate" -ForegroundColor Cyan
Write-Host "store and registry settings. This will take several seconds..." -ForegroundColor Cyan
Write-Host $("-" * 50) -ForegroundColor Cyan
Write-Host "Script will check certificates to match the following requirements:"
Write-Host "`tSubject equals computer FQDN"
Write-Host "`tCertificate is time valid"
Write-Host "`tCertificate has private key and it supposed for computer certificate"
Write-Host "`tKeySpec is set to 1"
Write-Host "`tCertificate Application Policies (in former EKU) contains both Server and Client Authentication"
Write-Host $("-" * 50) -ForegroundColor Cyan
Write-Host ""

trap {continue}
# get managed computer FQDN. If this is a workgroup computer, the NetBIOS name is used
$domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
if ($domain -eq $null) {
    $fqdn = $Env:COMPUTERNAME
} else {
    $fqdn = $env:COMPUTERNAME + "." + $domain
}
# read for existing OpsMgr Agent certificate configuration
$RegKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings" -ErrorAction SilentlyContinue
if ($RegKey.ChannelCertificateSerialNumber -ne $null) {
# if configuration exist, retrieve serial number that is stored as reversed byte array
    $Reg = $true
# reverse the backward array to a forward array
    [array]::Reverse($RegKey.ChannelCertificateSerialNumber)
# convert each byte to its hex representation and concatenate the bytes into a string
    $SerialNumber = [string]::Join("",$($RegKey.ChannelCertificateSerialNumber | %{"{0:X2}" -f $_}))
} else {$Reg = $false}
# looking to local machine store for any valid certificate that match the following requirements
$certs = Get-ChildItem cert:\LocalMachine\My | Where-Object {
    $EKUs = ($_.Extensions | Where-Object {$_.ToString() -match "X509EnhancedKeyUsageExtension"}).EnhancedKeyUsages | ForEach-Object {$_.Value}
    $_.Subject -match 'CN=([^,]+)' -and
    $fqdn -eq $matches[1] -and
    $_.HasPrivateKey -eq $true -and
    $_.NotBefore -lt [DateTime]::Now -and
    $_.NotAfter -gt [DateTime]::Now -and
    $_.PrivateKey.CspKeyContainerInfo.MachineKeyStore -eq $true -and
    $_.PrivateKey.CspKeyContainerInfo.KeyNumber.Value__ -eq 1 -and
    $EKUs -contains "1.3.6.1.5.5.7.3.1" -and
    $EKUs -contains "1.3.6.1.5.5.7.3.2"
}
if ($certs -eq $null -and $SerialNumber -eq $null) {
# based on results return appropriate messages.
    Write-Warning "There is no valid certificates and no configuration is set for OpsMgr Agent"
    Write-Host "To resolve this issue, obtain new certificate from trusted Certification Authority"
    Write-Host "using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5"
    Write-Host "and install it by running the following command: MOMCertImport /Subject $fqdn"
} elseif ($certs -eq $null -and $SerialNumber -ne $null) {
    Write-Warning "OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in"
    Write-Warning "LocalComputer store or not match all certificate requirements."
    Write-Host "To resolve this issue, obtain new certificate from trusted Certification Authority"
    Write-Host "using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5"
    Write-Host "and install it by running the following command: MOMCertImport /Subject $fqdn"
} elseif ($certs -ne $null -and $SerialNumber -eq $null) {
    Write-Host "There is a valid certificate(s):"
    $certs
    Write-Host "but neither of them is configured for OpsMgr Agent."
    Write-Host "To resolve this issue, install this certificate using the following instructions:"
    Write-Host "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#import_cert1"
} elseif ($certs -ne $null -and $SerialNumber -ne $null) {
# if configuration and valid certificates exist, check if valid certificate is the same
# as written in registry.
    $cert = $certs | Where-Object {$_.SerialNumber -eq $SerialNumber}
    if ($cert -eq $null) {
        Write-Warning "OpsMgr Agent is already configured to work with certificate that don't exist in"
        Write-Warning "LocalComputer store or not match all certificate requirements."
        Write-Host "However there is a valid certificate(s):"
        $certs
        Write-Host "To resolve this issue, install this certificate using the following instructions:"
        Write-Host "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#import_cert1"
    } else {
# if valid certificate serial number match registry entry, check certificate passing it through
# certificate chaining engine adding Application Policies constraints for cross-certification cases.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $status = $chain.Build($cert)
        if ($status -eq $true) {
            Write-Host "The existing certificate with SerialNumber:$SerialNumber match all certificate requirements" -ForegroundColor Green
            Write-Host "and is properly configured and imported for OpsMgr use." -ForegroundColor Green
# By default (prior Windows 7/Server 2008 R2) X509Chain validate chain to CurrentUser Trusted Root CAs container
# therefore we need to ensure if chain trust anchor exist in appropriate container in LocalMachine store.
            if ((Get-ChildItem cert:\LocalMachine\Root) -notcontains ($chain.ChainElements | select -last 1).Certificate) {
                Write-Warning "Root certificate is not stored in Trusted Root Certification Authorities container in"
                Write-Warning "LocalComputer store. Move root certificate from CurrentUser store to"
                Write-Warning "LocalComputer store."
            } else {
                Write-Host "Root certificate is valid and is located in Trusted Root Certification Authority" -ForegroundColor Green
                Write-Host "in LocalComputer store." -ForegroundColor Green
            }
        } else {
            Write-Warning "The existing certificate with SerialNumber:$SerialNumber match all certificate requirements"
            Write-Warning "but fails certificate chain validation due of the following reasons:"
            $chain.ChainStatus | Format-Table -AutoSize
            Write-Warning "If certificate is revoked - reenroll new certificate using the following instructions:"
            Write-Warning "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5"
            Write-Host ""
            Write-Warning "If certificate chain is not completed, install required Certification Authority certificates"
            Write-Warning "using the following instructions:"
            Write-Warning "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#export_ca_chain"
            Write-Warning "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#distribute_ca_chain"
            Write-Host ""
            Write-Warning "If certificate fails Application Policies constraints, select another"
            Write-Warning "Certification Authority to enroll certificate."
        }
    }
}

After correcting the certificate errors, all works. But now I have some errors on the agent computer.
 

Author Comment

by:ameriaadmin
ID: 40359051
Log Name:      Operations Manager
Source:        Health Service Modules
Date:          03/10/2014 13:16:02
Event ID:      11903
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-ns1
Description:
The Microsoft Operations Manager Expression Filter Module could not convert the received value to the requested type.

Property Expression: Property[@Name='QueriesResponded']

Property Value: Property[@Name='QueriesResponded']

Conversion Type: DataItemElementTypeInteger(5)

Original Error: 0x80FF005A

One or more workflows were affected by this.

Please help to solve them.

Workflow name: Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries
Instance name: saveroads.ru on srv-ns1
Instance ID: {467F243B-596F-8FD4-D067-914E87F5B317}
Management group: AmeriabankMG
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Health Service Modules" />
    <EventID Qualifiers="49152">11903</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T09:16:02.000000000Z" />
    <EventRecordID>1215</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>srv-ns1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AmeriabankMG</Data>
    <Data>Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries</Data>
    <Data>saveroads.ru on srv-ns1</Data>
    <Data>{467F243B-596F-8FD4-D067-914E87F5B317}</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>DataItemElementTypeInteger(5)</Data>
    <Data>0x80FF005A</Data>
  </EventData>
</Event>


*************

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          03/10/2014 13:16:02
Event ID:      11903
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-ns1
Description:
The Microsoft Operations Manager Expression Filter Module could not convert the received value to the requested type.

Property Expression: Property[@Name='QueriesResponded']

Property Value: Property[@Name='QueriesResponded']

Conversion Type: DataItemElementTypeInteger(5)

Original Error: 0x80FF005A

One or more workflows were affected by this.  

Workflow name: Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries
Instance name: pddos.com on srv-ns1
Instance ID: {3E0DB1C1-EBE3-4267-8ED7-0F25D35229AD}
Management group: AmeriabankMG
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Health Service Modules" />
    <EventID Qualifiers="49152">11903</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T09:16:02.000000000Z" />
    <EventRecordID>1213</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>srv-ns1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AmeriabankMG</Data>
    <Data>Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries</Data>
    <Data>pddos.com on srv-ns1</Data>
    <Data>{3E0DB1C1-EBE3-4267-8ED7-0F25D35229AD}</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>DataItemElementTypeInteger(5)</Data>
    <Data>0x80FF005A</Data>
  </EventData>
</Event>


***************

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          03/10/2014 13:16:02
Event ID:      11903
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-ns1
Description:
The Microsoft Operations Manager Expression Filter Module could not convert the received value to the requested type.

Property Expression: Property[@Name='QueriesResponded']

Property Value: Property[@Name='QueriesResponded']

Conversion Type: DataItemElementTypeInteger(5)

Original Error: 0x80FF005A

One or more workflows were affected by this.  

Workflow name: Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries
Instance name: ameria.am on srv-ns1
Instance ID: {5B66B0F9-D71B-FB97-9B04-B1BB20BB997D}
Management group: AmeriabankMG
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Health Service Modules" />
    <EventID Qualifiers="49152">11903</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T09:16:02.000000000Z" />
    <EventRecordID>1211</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>srv-ns1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AmeriabankMG</Data>
    <Data>Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries</Data>
    <Data>ameria.am on srv-ns1</Data>
    <Data>{5B66B0F9-D71B-FB97-9B04-B1BB20BB997D}</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>DataItemElementTypeInteger(5)</Data>
    <Data>0x80FF005A</Data>
  </EventData>
</Event>
 

Author Closing Comment

by:ameriaadmin
ID: 40381528
I have checked all configurations, found the mistakes, and it works.