Solved

SCOM monitoring non-domain computers

Posted on 2014-09-27
Last Modified: 2014-10-14
Hello experts,
I have SCOM 2012 and want to monitor non-domain computers (servers in the DMZ).
I have created a new template on the CA server, then created new certificates for the DMZ server and the SCOM RMS server.
Now I have a connection between the two servers, but there is an authentication error.
Here are the logs.
Please help.

Log from DMZ server
Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          27/09/2014 14:10:17
Event ID:      20071
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1.somebank.am
Description:
The OpsMgr Connector connected to scom.ameriabank.am, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">20071</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-27T10:10:17.000000000Z" />
    <EventRecordID>1445</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1.somebank.am</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom.ameriabank.am</Data>
  </EventData>
</Event>


Log from RMS server

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          27/09/2014 14:34:39
Event ID:      21010
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-SCOM1.somebank.local
Description:
The OpsMgr Connector negotiated the use of mutual authentication with <dmz-server-ip>:49741, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21010</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-27T10:34:39.000000000Z" />
    <EventRecordID>1265875</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-SCOM1.somebank.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>"dmz-server-ip":49741</Data>
  </EventData>
</Event>
Question by: ameriaadmin
Author Comment

by: ameriaadmin
ID: 40349310
Thank you for your comment, but the first link is partial; it does not work. The second is OK, but after the steps I have an error. Please suggest what to do in my case.

Author Comment

by: ameriaadmin
ID: 40349383
Log from DMZ computer
Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          29/09/2014 10:54:51
Event ID:      20071
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-AB-WWW1.somebank.am
Description:
The OpsMgr Connector connected to scom.somebank.am, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">20071</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
    <EventRecordID>2163</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-AB-WWW1.somebank.am</Computer>
    <Security />
  </System>
  <EventData>
    <Data>scom.somebank.am</Data>
  </EventData>
</Event>

SCOM RMS computer
Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          29/09/2014 11:18:57
Event ID:      21010
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SRV-SCOM1.somebank.local
Description:
The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="OpsMgr Connector" />
    <EventID Qualifiers="49152">21010</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
    <EventRecordID>1269145</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SRV-SCOM1.somebank.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>192.168.169.40:53552</Data>
  </EventData>
</Event>

Author Comment

by: ameriaadmin
ID: 40353927
Dear experts, any suggestion?

Accepted Solution

by: Ganesh Kumar A (earned 500 total points)
ID: 40354233
Have you tried all the above listed, and how did you import the certificate? Check this link and ensure you don't miss any of the steps mentioned. Once it is done, post the details if you get any error.

https://support2.microsoft.com/kb/947691?wa=wsignin1.0


First: the certificates you have for the management server and agent must use the actual FQDN names of those machines (even if that is machine.domain.local). You need to make sure that the agent can resolve the name of the management server (that direction). If you have a VPN or direct connection, you specify the internal IP address of the management server. If you are behind an internet connection, then you specify the IP address of the outside firewall of your company where your management server was published on port 5723. Just make sure the firewall passes all traffic which arrives at TCP 5723 to the management server. Test with telnet, as you have seen and done.
So internal: use the hosts file on the agent to point to the internal IP address of the MS. External: use the agent hosts file to point to the external IP address of the MS (and make sure it blindly forwards the 5723 traffic to the MS). These methods worked for me in several instances.
For the first few minutes it could still refuse the connection, as you have seen as well. But a restart of the agent and waiting 10 minutes should start to accept the agent.

If the agent happens to be a domain controller (I think it was somewhere in this thread as well for one box) and you want to monitor AD, then please run that thing and restart the agent service.

Assisted Solution

by: Ganesh Kumar A (earned 500 total points)
ID: 40355207
The servers which are in the DMZ might be in a workgroup; add the DNS suffix of your AD domain.
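The two posts above describe an agent-side pre-flight: the certificate Subject must be the machine's real FQDN (on a workgroup box that means hostname plus primary DNS suffix), the agent must resolve the management server's name, and TCP 5723 must be reachable. The script below is an added example, not code from the thread or from the OpsMgrCertChecker script posted later; the management server name is an assumed placeholder parameter, and the `NV Domain` registry value is where Windows keeps the primary DNS suffix.

```powershell
# Added example: SCOM agent pre-flight for a workgroup/DMZ host, run on the agent
# before MOMCertImport. $ManagementServer is an assumed placeholder, not a value
# from the thread.
param(
    [string]$ManagementServer = "scom.example.com",
    [int]$Port = 5723
)

# 1. The local FQDN as the certificate Subject must state it. A workgroup machine
#    has no AD domain, so take the primary DNS suffix from the TCP/IP parameters.
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').'NV Domain'
if ([string]::IsNullOrEmpty($suffix)) {
    Write-Warning "No primary DNS suffix set: the agent will present its NetBIOS name, which will not match a FQDN certificate."
    $localFqdn = $env:COMPUTERNAME
} else {
    $localFqdn = "$env:COMPUTERNAME.$suffix"
}
Write-Host "Certificate Subject expected: CN=$localFqdn"

# 2. A LocalMachine\My certificate whose Subject CN equals that FQDN and has a private key.
#    (EKU, KeySpec and chain checks are left to the full OpsMgrCertChecker script.)
$certMatch = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match '^CN=([^,]+)' -and $matches[1] -ieq $localFqdn -and $_.HasPrivateKey
}
if ($certMatch) {
    Write-Host "Matching certificate thumbprint: $(@($certMatch)[0].Thumbprint)"
} else {
    Write-Warning "No certificate with CN=$localFqdn and a private key in LocalMachine\My"
}

# 3. Name resolution of the management server. GetHostAddresses honours the hosts
#    file, so this shows whether the hosts entry recommended above is effective.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ManagementServer) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$ManagementServer resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "Cannot resolve $ManagementServer; add a hosts entry for the MS (or the firewall publishing it)."
    return
}

# 4. TCP reachability on 5723, the same check as the telnet test but without a
#    telnet client. A 5 second timeout avoids hanging on a silently dropping firewall.
$client = New-Object System.Net.Sockets.TcpClient
$pending = $client.BeginConnect($ManagementServer, $Port, $null, $null)
if ($pending.AsyncWaitHandle.WaitOne(5000) -and $client.Connected) {
    Write-Host "TCP $Port to $ManagementServer is open"
} else {
    Write-Warning "TCP $Port to $ManagementServer is blocked or not forwarded to the MS"
}
$client.Close()
```

The same Subject-equals-FQDN rule applies to the management server's own certificate; event 21010 on the MS ("no certificate is installed") points at that side rather than at the agent.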

Author Comment

by: ameriaadmin
ID: 40359050
I have done all the steps, then checked the certificates with the script.

#####################################################################
# OpsMgrCertChecker.ps1
# Version 1.0
#
# Checks for valid OpsMgr Agent certificate and it configuration
#
# Vadims Podans (c) 2010
# http://en-us.sysadmins.lv/
#####################################################################

Write-Host "This script will inspect Local Machine certificate" -ForegroundColor Cyan
Write-Host "store and registry settings. This will take several seconds..." -ForegroundColor Cyan
Write-Host $("-" * 50) -ForegroundColor Cyan
Write-Host "Script will check certificates to match the following requirements:"
Write-Host "`tSubject equals computer FQDN"
Write-Host "`tCertificate is time valid"
Write-Host "`tCertificate has private key and it supposed for computer certificate"
Write-Host "`tKeySpec is set to 1"
Write-Host "`tCertificate Application Policies (in former EKU) contains both Server and Client Authentication"
Write-Host $("-" * 50) -ForegroundColor Cyan
Write-Host ""

trap {continue}
# get the managed computer's FQDN. If this is a workgroup computer, the NetBIOS name is used
$domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
if ($domain -eq $null) {
    $fqdn = $Env:COMPUTERNAME
} else {
    $fqdn = $env:COMPUTERNAME + "." + $domain
}
# read for existing OpsMgr Agent certificate configuration
$RegKey = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings" -ErrorAction SilentlyContinue
if ($RegKey.ChannelCertificateSerialNumber -ne $null) {
# if a configuration exists, retrieve the serial number, which is stored as a reversed byte array
    $Reg = $true
# reverse the backward array into a forward array
    [array]::Reverse($RegKey.ChannelCertificateSerialNumber)
# convert each byte to its hex representation and concatenate the bytes into a string
    $SerialNumber = [string]::Join("",$($RegKey.ChannelCertificateSerialNumber | %{"{0:X2}" -f $_}))
} else {$Reg = $false}
# looking to local machine store for any valid certificate that match the following requirements
$certs = Get-ChildItem cert:\LocalMachine\My | Where-Object {
    $EKUs = ($_.Extensions | Where-Object {$_.ToString() -match "X509EnhancedKeyUsageExtension"}).EnhancedKeyUsages | ForEach-Object {$_.Value}
    $_.Subject -match 'CN=([^,]+)' -and
    $fqdn -eq $matches[1] -and
    $_.HasPrivateKey -eq $true -and
    $_.NotBefore -lt [DateTime]::Now -and
    $_.NotAfter -gt [DateTime]::Now -and
    $_.PrivateKey.CspKeyContainerInfo.MachineKeyStore -eq $true -and
    $_.PrivateKey.CspKeyContainerInfo.KeyNumber.Value__ -eq 1 -and
    $EKUs -contains "1.3.6.1.5.5.7.3.1" -and
    $EKUs -contains "1.3.6.1.5.5.7.3.2"
}
if ($certs -eq $null -and $SerialNumber -eq $null) {
# based on results return appropriate messages.
    Write-Warning "There is no valid certificates and no configuration is set for OpsMgr Agent"
    Write-Host "To resolve this issue, obtain new certificate from trusted Certification Authority"
    Write-Host "using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5"
    Write-Host "and install it by running the following command: MOMCertImport /Subject $fqdn"
} elseif ($certs -eq $null -and $SerialNumber -ne $null) {
    Write-Warning "OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in"
    Write-Warning "LocalComputer store or not match all certificate requirements."
    Write-Host "To resolve this issue, obtain new certificate from trusted Certification Authority"
    Write-Host "using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5"
    Write-Host "and install it by running the following command: MOMCertImport /Subject $fqdn"
} elseif ($certs -ne $null -and $SerialNumber -eq $null) {
    Write-Host "There is a valid certificate(s):"
    $certs
    Write-Host "but neither of them is configured for OpsMgr Agent."
    Write-Host "To resolve this issue, install this certificate using the following instructions:"
    Write-Host "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#import_cert1"
} elseif ($certs -ne $null -and $SerialNumber -ne $null) {
# if configuration and valid certificates exist, check if valid certificate is the same
# as written in registry.
    $cert = $certs | Where-Object {$_.SerialNumber -eq $SerialNumber}
    if ($cert -eq $null) {
        Write-Warning "OpsMgr Agent is already configured to work with certificate that don't exist in"
        Write-Warning "LocalComputer store or not match all certificate requirements."
        Write-Host "However there is a valid certificate(s):"
        $certs
        Write-Host "To resolve this issue, install this certificate using the following instructions:"
        Write-Host "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#import_cert1"
    } else {
# if valid certificate serial number match registry entry, check certificate passing it through
# certificate chaining engine adding Application Policies constraints for cross-certification cases.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $status = $chain.Build($cert)
        if ($status -eq $true) {
            Write-Host "The existing certificate with SerialNumber:$SerialNumber match all certificate requirements" -ForegroundColor Green
            Write-Host "and is properly configured and imported for OpsMgr use." -ForegroundColor Green
# By default (prior Windows 7/Server 2008 R2) X509Chain validate chain to CurrentUser Trusted Root CAs container
# therefore we need to ensure if chain trust anchor exist in appropriate container in LocalMachine store.
            if ((Get-ChildItem cert:\LocalMachine\Root) -notcontains ($chain.ChainElements | select -last 1).Certificate) {
                Write-Warning "Root certificate is not stored in Trusted Root Certification Authorities container in"
                Write-Warning "LocalComputer store. Move root certificate from CurrentUser store to"
                Write-Warning "LocalComputer store."
            } else {
                Write-Host "Root certificate is valid and is located in Trusted Root Certification Authority" -ForegroundColor Green
                Write-Host "in LocalComputer store." -ForegroundColor Green
            }
        } else {
            Write-Warning "The existing certificate with SerialNumber:$SerialNumber match all certificate requirements"
            Write-Warning "but fails certificate chain validation due of the following reasons:"
            $chain.ChainStatus | Format-Table -AutoSize
            Write-Warning "If certificate is revoked - reenroll new certificate using the following instructions:"
            Write-Warning "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5"
            Write-Host ""
            Write-Warning "If certificate chain is not completed, install required Certification Authority certificates"
            Write-Warning "using the following instructions:"
            Write-Warning "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#export_ca_chain"
            Write-Warning "http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5#distribute_ca_chain"
            Write-Host ""
            Write-Warning "If certificate fails Application Policies constraints, select another"
            Write-Warning "Certification Authority to enroll certificate."
        }
    }
}

After correcting the certificate errors everything works, but now I have some errors on the agent computer.

Author Comment

by: ameriaadmin
ID: 40359051
Log Name:      Operations Manager
Source:        Health Service Modules
Date:          03/10/2014 13:16:02
Event ID:      11903
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-ns1
Description:
The Microsoft Operations Manager Expression Filter Module could not convert the received value to the requested type.

Property Expression: Property[@Name='QueriesResponded']

Property Value: Property[@Name='QueriesResponded']

Conversion Type: DataItemElementTypeInteger(5)

Original Error: 0x80FF005A

One or more workflows were affected by this.
Please help to solve them.

Workflow name: Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries
Instance name: saveroads.ru on srv-ns1
Instance ID: {467F243B-596F-8FD4-D067-914E87F5B317}
Management group: AmeriabankMG
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Health Service Modules" />
    <EventID Qualifiers="49152">11903</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T09:16:02.000000000Z" />
    <EventRecordID>1215</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>srv-ns1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AmeriabankMG</Data>
    <Data>Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries</Data>
    <Data>saveroads.ru on srv-ns1</Data>
    <Data>{467F243B-596F-8FD4-D067-914E87F5B317}</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>DataItemElementTypeInteger(5)</Data>
    <Data>0x80FF005A</Data>
  </EventData>
</Event>


*************

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          03/10/2014 13:16:02
Event ID:      11903
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-ns1
Description:
The Microsoft Operations Manager Expression Filter Module could not convert the received value to the requested type.

Property Expression: Property[@Name='QueriesResponded']

Property Value: Property[@Name='QueriesResponded']

Conversion Type: DataItemElementTypeInteger(5)

Original Error: 0x80FF005A

One or more workflows were affected by this.  

Workflow name: Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries
Instance name: pddos.com on srv-ns1
Instance ID: {3E0DB1C1-EBE3-4267-8ED7-0F25D35229AD}
Management group: AmeriabankMG
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Health Service Modules" />
    <EventID Qualifiers="49152">11903</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T09:16:02.000000000Z" />
    <EventRecordID>1213</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>srv-ns1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AmeriabankMG</Data>
    <Data>Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries</Data>
    <Data>pddos.com on srv-ns1</Data>
    <Data>{3E0DB1C1-EBE3-4267-8ED7-0F25D35229AD}</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>DataItemElementTypeInteger(5)</Data>
    <Data>0x80FF005A</Data>
  </EventData>
</Event>


***************

Log Name:      Operations Manager
Source:        Health Service Modules
Date:          03/10/2014 13:16:02
Event ID:      11903
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srv-ns1
Description:
The Microsoft Operations Manager Expression Filter Module could not convert the received value to the requested type.

Property Expression: Property[@Name='QueriesResponded']

Property Value: Property[@Name='QueriesResponded']

Conversion Type: DataItemElementTypeInteger(5)

Original Error: 0x80FF005A

One or more workflows were affected by this.  

Workflow name: Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries
Instance name: ameria.am on srv-ns1
Instance ID: {5B66B0F9-D71B-FB97-9B04-B1BB20BB997D}
Management group: AmeriabankMG
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Health Service Modules" />
    <EventID Qualifiers="49152">11903</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T09:16:02.000000000Z" />
    <EventRecordID>1211</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>srv-ns1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AmeriabankMG</Data>
    <Data>Microsoft.Windows.Server.DNS.2012R2.Monitor.DNSSEC.NameResolutionQueries</Data>
    <Data>ameria.am on srv-ns1</Data>
    <Data>{5B66B0F9-D71B-FB97-9B04-B1BB20BB997D}</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>Property[@Name='QueriesResponded']</Data>
    <Data>DataItemElementTypeInteger(5)</Data>
    <Data>0x80FF005A</Data>
  </EventData>
</Event>

Author Closing Comment

by: ameriaadmin
ID: 40381528
I have checked all configurations, found the mistakes, and it works.