SCOM 2012 Gateway servers certificates

Hi,
We have 2 datacenters in different locations but in the same forest, with no firewall between them and full trust. We have one management server in one datacenter and are planning to deploy gateway servers in the other datacenter due to bandwidth issues between the datacenters. Do we need PKI or certificates to deploy gateway servers if the management server is in the same forest but a different domain, with full trust and no firewall?
Regards,
Bunny

Hi,
If there is a full trust between the domains there is no need for certificates to enable connection between GW and MS.
You could also refer to this TechNet article:
http://technet.microsoft.com/en-us/library/hh212823.aspx
Cheers,
Christoph
Blog: http://blog.cmaresch.at/

Similar Messages

  • SCOM 2012 Gateway fails to communicate - Certificate Problem?

    Hello SCOM Guru's
    I wonder if someone out there may be able to help.
    I have two (non-trusted) domains - both hosted in Azure. See graphic below (a picture paints a thousand words!)
    Just to put some context around the diagram - I have two domains, the left-hand side contains the SCOM MS and the right-hand side is a non-trusted domain hosting the SCOM GW. The idea is that I want computers (agents) from the right-hand side domain to be able to talk back to the SCOM MS via the SCOM GW.
    In a nutshell I have followed some great 'how to' guides - for instance:
    http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
    After hours of messing around I still cannot get my Gateway Server to talk successfully back to the SCOM Management Server in the other domain. I have deployed my own Certificate Authority and followed documentation to put the relevant Certs on both servers. I have checked all Certs and they report 'The certificate is OK'.
    Also I can confirm that the MOMCertImport tool was run on both the SCOM MS and SCOM GW server (I did the MS 1st and GW 2nd) - both returned a 'Success' cmd prompt. I have also rebooted both servers - to restart all relevant SCOM Services.
    On the Azure VMs I have allowed TCP 5723 on both servers. Additionally, the SCOM MS can resolve the SCOM GW server in the other domain via a HOSTS file entry (and vice-versa). I have tested connectivity using
    telnet <FQDN> 5723 (both ends seem to connect). No internal Windows Firewalls are enabled on any servers.
    The cluster of errors reported by the SCOM Gateway server are (first to last):
    20057: Failed to initialize security context for target MSOMHSvc/SCOM-01.DOMAIN.local The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    21001: The OpsMgr Connector could not connect to MSOMHSvc/SCOM-01.DOMAIN.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains
    20071: The OpsMgr Connector connected to SCOM-01.DOMAIN.local, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server.  Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    The same events repeat every 15 mins in the Operations Manager event log - and thus the SCOM Gateway remains 'Not Monitored'.
    I don't get any relevant Events logged from the SCOM MS side - I guess cos it's not even got that far / authenticated?
    I'm sure this is a Certificate type of problem but I'm really not sure where I go from here - any suggestions?
    Many thanks
    Darren

    Hi,
    Check this post:
    Solving the Gateway 20071 event
    http://michelkamp.wordpress.com/2012/01/05/solving-the-gateway-20071-event/
    and this: Event ID 21001 and 20057 on SCOM agents - duplicate SPN:
    http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx
    A similar answer has been provided by DKTOA here:
    https://social.technet.microsoft.com/forums/systemcenter/en-US/05019b70-73a3-4a37-993b-66b607f3c222/scom-2012-gateway-server-isses-20057-21001-20071-ids
    Did it solve your problem?
    Regards
    Jure
    Jure Labrovic | Blog

  • Difference between Scom 2007 and Scom 2012 Gateway server setup.

    Hi All,
    Greetings!!
    I would like to know the differences for gateway server setup in Scom 2007 and 2012 versions..
    Are there any changes in the data collection or in the configuration? and also the prerequisites for it.
    Please let me know these info..
    Regards,
    Gokul

    There is no great difference in setting up a gateway server in SCOM 2007 R2 and SCOM 2012. In summary, it requires:
    1. Request certificates.
    2. Import those certificates into the target computers by using the MOMCertImport.exe tool.
    3. Distribute the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management server.
    4. Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway.
    5. Install the gateway server.
    However, the prerequisites differ between SCOM 2007 R2 and SCOM 2012.
    SCOM 2007 R2 gateway server supports the following OS:
    Windows Server 2003 Standard Edition with Service Pack 1 (SP1)
    Windows Server 2003 Standard Edition with Service Pack 2 (SP2)
    Windows Server 2003 Standard x64 Edition with SP1 or SP2
    Windows Server 2003 Enterprise Edition with SP1
    Windows Server 2003 Enterprise Edition with SP2
    Windows Server 2003 Enterprise x64 Edition with SP1 or SP2
    Windows Server 2003 R2 Standard Edition with SP1 or SP2
    Windows Server 2003 R2 Standard x64 Edition with SP1 or SP2
    Windows Server 2003 R2 Enterprise Edition with SP1 or SP2
    Windows Server 2003 R2 Enterprise x64 Edition with SP1 or SP2
    Windows Server 2008 Standard 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Standard with SP1 or SP2
    Windows Server 2008 Enterprise 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Enterprise with SP1 or SP2
    Windows Server 2008 Datacenter 32-Bit with SP1 or SP2
    The 64-bit edition of Windows Server 2008 Datacenter with SP1 or SP2
    Windows Server 2008 R2
    Windows Server 2008 R2 with SP1
    SCOM 2007 R2 gateway server hardware and software:
    CPU: 2.8 GHz or faster
    Memory: 2 GB of RAM or more
    Available space: 20 GB of available hard disk space
    .NET Framework 2.0
    Microsoft Core XML Services (MSXML) 6.0
    SCOM 2012 Gateway server
    Disk space: %SYSTEMDRIVE% requires at least 1024 MB free hard disk space.
    Server Operating System: must be Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 Core Installation or Windows Server® 2012 R2.
    Processor Architecture: must be x64.
    Windows PowerShell version: Windows PowerShell version 2.0, or Windows PowerShell version 3.0.
    Microsoft Core XML Services (MSXML) version: Microsoft Core XML Services 6.0 is required for the management server.
    .NET Framework 4 is required if the Gateway server manages UNIX/Linux agents or network devices.
    Roger

  • System Center 2012 Gateway servers capabilities

    We're looking into using System Center Operations Manager and I have a couple of questions. We have a number of environments that will need gateway servers. Can gateway servers be configured to send email notifications via an SMTP server, or do all alerts come from management servers? Also, can a gateway server be behind a NAT?
    Thanks
    Les

    Gateway servers are used to enable agent management of computers that are outside the Kerberos trust boundary of management groups, such as in a domain that is not trusted. They can be used to manage agents and generate alerts, and can be behind NAT, but you won't need NAT because it only needs port 5723.
    Also check below links
    http://technet.microsoft.com/en-us/library/hh212823.aspx
    http://technet.microsoft.com/en-us/library/hh456447.aspx
    Mai Ali

  • Need to monitor application folders in scom 2012

    Hi;
    I need to monitor the size of the msmq folder on various Windows servers.
    The requirement is to monitor the size of the respective folders. Most of the files are located at
    C:\Windows\System32\msmq--
    Could someone help me configure these folders under SCOM 2012 management servers?
    Thanks..
    Regards, Rajeev Parambil

    Hi,
    We may use a script to check file sizes and use the script to create a monitor.
    In addition, hope the below article can be helpful:
    Monitoring File Size with Custom WMI Performance Counter
    http://blogs.msdn.com/b/steverac/archive/2009/08/30/monitoring-file-size-with-custom-wmi-performance-counter.aspx
    Regards,
    Yan Li
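    As an added example of the script-based monitor Yan Li suggests (not code from the thread), this PowerShell script measures the msmq folder, returns the result in a property bag as a SCOM script monitor expects, and treats an unreadable or missing folder as a result rather than a script failure. The folder path and threshold are placeholders passed as arguments; MOM.ScriptAPI is the Operations Manager scripting COM object.

```powershell
# Added example for a two-state SCOM 2012 script monitor. Placeholders: $FolderPath and
# $ThresholdMB are the monitor's script arguments; adjust them in the monitor definition.
param(
    [string]$FolderPath  = "C:\Windows\System32\msmq",   # placeholder
    [int]   $ThresholdMB = 1024                          # placeholder
)

function Get-FolderSizeMB {
    param([string]$Path)
    # Sum every file below the path. Files we are not allowed to read are counted
    # as unreadable instead of aborting, so a permissions problem shows up in the bag.
    $bytes = 0
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable readErrors |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $bytes += $_.Length }
    [pscustomobject]@{
        SizeMB     = [math]::Round($bytes / 1MB, 2)
        Unreadable = $readErrors.Count
    }
}

$api = New-Object -ComObject "MOM.ScriptAPI"
$bag = $api.CreatePropertyBag()

if (-not (Test-Path -Path $FolderPath)) {
    # A missing folder is reported as Error so the monitor does not silently stay healthy.
    $bag.AddValue("State",   "Error")
    $bag.AddValue("SizeMB",  "0")
    $bag.AddValue("Message", "Folder not found: $FolderPath")
} else {
    $result = Get-FolderSizeMB -Path $FolderPath
    $state  = if ($result.SizeMB -gt $ThresholdMB) { "Error" } else { "OK" }
    $bag.AddValue("State",           $state)
    $bag.AddValue("SizeMB",          [string]$result.SizeMB)
    $bag.AddValue("UnreadableItems", [string]$result.Unreadable)
    $bag.AddValue("Message", "$FolderPath is $($result.SizeMB) MB (threshold $ThresholdMB MB)")
}

# Hand the bag back to the monitor; its healthy/unhealthy expressions compare
# Property[@Name='State'] against "OK" and "Error".
$api.Return($bag)
```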

  • Limitations of SCOM 2012 Single server environment

    Hi All,
    We are monitoring Hyper-V (25) and Lync servers in SCOM 2012. The Lync servers (12) are deployed in a different domain and monitored via a GW. The rest of the components, like the Management server, DB, DW and SSRS, are hosted on a single server.
    Currently we are monitoring around 38 agents in our environment. I just want to know what the limitation on agent count is.
    As per the MS recommendation, we can monitor a maximum of 3000 agents per Management server. But for the configuration below, how many agents can we monitor?
    The server hardware configuration is below:
    Intel Xeon(R) CPU
    24 GB RAM & 20 GB paging file
    Note - Currently the server is consuming 80% of physical memory.
    Thanks in advance.
    Regards
    Karthick M

    As you have MS, OpsDB, OpsDWH and SSRS all on one server, your memory consumption is higher. For monitoring 38 agents you can go with the 0-500 agents configuration, which can be obtained from the sizing helper tool for SCOM:
    (Total: 2) (1) management server managing up to 500 agents, plus (1) management server for HA, managing up to 5 SDK users total
    (Total: 2) Operations Database Server, Operations Data Warehouse Server, Web Console Server & SQL Server Reporting Services Server - 1 DB (+1 for HA)
    DB Size
      Number of Days for Data Retention: 7
      Number of Server Computers: 500
      Number of Network Devices: 0
      Number of APM-enabled Computers: 0
      Total Size (MB): 8208.97
      Total Size (GB): 8.02
      Total Size (GB) with 50% Buffer: 12.02
    DW Size
      Number of Days for Data Retention: 365
      Number of Server Computers: 500
      Number of Network Devices: 0
      Number of APM-enabled Computers: 0
      Total Size (MB): 331598.55
      Total Size (GB): 323.83
      Total Size (GB) with 10% Buffer: 356.21
    Please refer to the SCOM sizing helper tool:
    http://blogs.technet.com/b/momteam/archive/2012/04/02/operations-manager-2012-sizing-helper-tool.aspx
    Hope this helps
    Faizan

  • [SCOM Forest] -- Certificate -- [Gateway Servers Forest] -- Trust Relationship -- [Multiple Forests]

    Hello, and sorry for this strange title, I couldn't find a simple way to write my question.
    - I want to use agent monitoring from my SCOM 2012 SP1 management servers to servers in multiple forests.
    - I don't want to set up a two-way trust between my SCOM forest and the monitored forests.
    - I would prefer not to install 2 gateway servers in each forest.
    So would it be possible to create an intermediate forest for my gateway servers, use certificate authentication between management and gateway servers, and use a two-way trust between this intermediate forest and the forests to monitor?
    [SCOM Forest]<-- Certificate --> [Gateway Servers Forest] <-- Trust Relationship --> [Multiple Forests]
    Do you think this would work ?

    Hello,
    did your approach work? I'm in a similar situation, can you share the results?

  • Deploy SCOM 2012 R2 Agents to Domain Servers on Perimeter Network using SCOM Gateway on different Domain

    Hi, I have a bit odd situation on a SCOM 2012R2 deployment.
    I have a MS on the internal network, and a Gateway Server on the perimeter network. Each server is connected to different Active Directory Forests and there are no trust relationships between them. I configured the communication between the two using certificates.
    I have already connected some servers through the Gateway using certificates because there are on Workgroups, they are already approved on the MS and reporting their status.
    However, I have some servers that are member servers of the internal AD domain but are located on the perimeter network.
    So I've tried to configure one of them for testing to connect to the Gateway Server using a certificate, with manual agent installation. Initially it didn't report in SCOM, but then I ran Get-SCOMPendingManagement and saw that it showed there, so I ended up approving the agent using PowerShell, and then it was reported in the Console as "Not Monitored".
    First the agent was running as Local System, and then I tried a local admin account on the server; neither option has worked.
    I get the following errors:
    The OpsMgr Connector connected to scomgateway.externaldomain.com, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    OpsMgr was unable to set up a communications channel to scomgateway.externaldomain.com and there are no failover hosts.  Communication will resume when scomgateway.externaldomain.com is available and communication from this computer is allowed.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Is this configuration possible? Or do I need to open communication ports from the agents to the MS inside the corporate network and not use the Gateway?
    Any ideas if someone else has done this are appreciated.
    Thank you.
    Regards.
    Eduardo Rojas

    I'm sorry, maybe I didn't explain myself correctly. I already have the gateway up and running with some Workgroup machines connected to it using certificates, so the Gateway is indeed working. These Workgroup machines are in fact reporting back to the Management Server on the internal network through the Gateway.
    My problem is with Domain Member machines that are on the perimeter network. These machines are joined to the Active Directory inside the corporate firewall, not the Active Directory of the perimeter network (where the Gateway is joined). So my question is, can I connect these machines through the Gateway (even if the Gateway is in a different domain), or do I need to open ports and connect them directly to the management server (which is in the same Active Directory domain)?
    Let me know if I made myself clear.
    Thank you.
    Regards.
    Eduardo Rojas

  • SCOM Certificates / Gateway servers

    I recently worked an issue with a Gateway server having error IDs 20057, 21001 and 20071. The problem seems to always be related to the certificates used to authenticate.
    My general question is about these certificates, since I can't seem to find a clear answer in the MS documentation.
    What kinds of certificates are needed?
    Should they be Server Authentication certificates, Workstation, or Operations Manager certificates (probably the same as server certs)?
    Do they need to be created from the same template?
    Do the Management server and Gateway or agent need the same kind of certificate, and should these always be in the Personal store?
    Thanks Lance

    First of all, SCOM communication is based on Kerberos authentication, and a gateway machine is installed in a domain that has no two-way trust to the management server domain. As a result, a certificate is deployed to the gateway server. In order to obtain a certificate, you need a CA and then apply for a computer certificate. For details on how to deploy the certificate, please refer to Jim Moldenhauer's blog:
    http://jimmoldenhauer.blogspot.hk/2012/11/scom-2012-install-and-configure-gateway.html
    Roger

  • Error while running gateway approval tool (SCOM 2012)

    We get an error saying "The gateway server does not exist: <GW server name>" while running the gateway approval tool on the SCOM 2012 MS. I referred to several blogs, but no help. The MS servers are in a healthy state and the Ops DB has enough free space.
    Port 5723 is the only port open between the GW and SCOM MS servers. Could anyone assist with a solution please?

    Did you first install the SCOM gateway server role on that GW server? Are the certificates installed properly?
    Also please confirm that the GW server name exists in AD too.
    Please check that the GW server does not already exist in SCOM as a computer object. Check the SCOM database too for any stale entry of the GW server.
    Once the above are clear, you can run the gateway approval tool with action=delete.
    After that, try running the gateway approval tool again with action=create.
    Hope this helps.
    Thanks, S K Agrawal

  • Three agent UR versions gets installed from gateway - SCOM 2012 SP1 UR4

    Hi,
    We have a SCOM 2012 SP1 UR4 installation with several gateways that servers connect to and get the installation from.
    We noticed that when the agent gets installed on a client server it first gets the agent itself, then UR1, UR2 and last UR4.
    From the XML section in the task that installed the agent one can read the following:
    SoftwareUpdateInstalled KB2784734-amd64-Agent.msp;KB2826664-amd64-Agent.msp;KB2880799-amd64-Agent.msp; SoftwareUpdateInstalled
    Below is from the application log of a newly installed server that got the agent installed.
    The question I have is whether this is correct. Why are all three URs installed?
    Shouldn't the latest UR be enough? Are they not cumulative?
    Can I simply delete the older versions in the agent directory of the Gateway?
    Regards S-E
    Windows Installer installed the product. Product Name: System Center 2012 - Operations Manager Agent.
    Product Version: 7.0.9538.0. Product Language: 0. Manufacturer: Microsoft Corporation.
    Installation success or error status: 0.
    Windows Installer installed an update. Product Name: System Center 2012 - Operations Manager Agent.
    Product Version: 7.0.9538.0. Product Language: 0. Manufacturer: Microsoft Corporation.
    Update Name: System Center 2012 - Operations Manager SP1 UR1 Update Patch.
    Installation success or error status: 0.
    Windows Installer installed an update. Product Name: System Center 2012 - Operations Manager Agent.
    Product Version: 7.0.9538.0. Product Language: 0. Manufacturer: Microsoft Corporation.
    Update Name: System Center 2012 - Operations Manager SP1 UR2 Update Patch.
    Installation success or error status: 0.
    Windows Installer installed an update. Product Name: System Center 2012 - Operations Manager Agent.
    Product Version: 7.0.9538.0. Product Language: 0. Manufacturer: Microsoft Corporation.
    Update Name: System Center 2012 - Operations Manager SP1 UR4 Update Patch.
    Installation success or error status: 0.
    Windows Installer installed the product. Product Name: Active Directory Management Pack Helper Object.
    Product Version: 1.1.0. Product Language: 1033. Manufacturer: Microsoft Corporation.
    Installation success or error status: 0.

    Hi,
    This should be normal, as we can see in the two articles below. When applying Update Rollup 2, UR1 is listed there, and when applying Update Rollup 3, UR1 and UR2 are listed there as well.
    http://blogs.technet.com/b/kevinholman/archive/2013/04/11/applying-update-rollup-2-ur2-to-opsmgr-2012-sp1.aspx
    http://blogs.technet.com/b/kevinholman/archive/2013/09/27/applying-update-rollup-3-ur3-to-opsmgr-2012-sp1.aspx
    For example, UR3 can be applied to System Center Operations Manager 2012 SP1 (as released) or a SCOM 2012 SP1 deployment that has had UR1 or UR2 already applied.
    Regards,
    Yan Li

  • SCOM 2012 R2 Gateway installation error and no System Center Management server after install

    Hi,
    I have installed the SCOM 2012 R2 Gateway and got error 25372 at the start of the install. It still installs though. However, I have no System Center Management service running in Services, but I can see HealthService.exe is running.
    Why am I not seeing the System Center Management service?
    Thanks.

    Using gateways with certificates is always a bit complicated because there are several things that need to be configured correctly.
    DNS: the MS and the GW server need to be able to resolve each other's FQDN. You can adjust the hosts files if needed.
    Traffic is only TCP 5723 from the gateway to the MS. You can test this with the telnet client.
    Certificates:
    http://marthijnvanrheenen.wordpress.com/2012/03/28/scom-2012-connecting-a-gateway-server-using-certificates/
    The gateway server should NOT be in pending management. Remove it from here before running the approval.
    You should start by making sure DNS and the 5723 port are functioning because that is probably where the problem is.
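    The checklist above (DNS both ways, TCP 5723, certificates, MOMCertImport) and Lance's question about what kind of certificate a gateway needs can be verified from the gateway itself. This is an added example, not code from either thread: it checks the documented requirements (subject CN equal to the host FQDN, Server and Client Authentication EKUs, Digital Signature plus Key Encipherment key usage, a private key, validity dates) and that the certificate MOMCertImport registered in ChannelCertificateSerialNumber is one that passes. The management server FQDN is a placeholder.

```powershell
# Added example: run ON THE GATEWAY before running the approval tool.
# Placeholder: set -ManagementServerFqdn to your MS. Requirements checked are the
# documented Operations Manager ones; the registry value is the one MOMCertImport writes
# (REG_BINARY, serial number stored in reversed byte order).
param([string]$ManagementServerFqdn = "scom-01.example.local")

$report = New-Object System.Collections.Generic.List[string]

# 1. Name resolution (a hosts file entry is fine when DNS cannot provide it; check the MS side too).
try {
    $ip = ([System.Net.Dns]::GetHostAddresses($ManagementServerFqdn) | Select-Object -First 1).IPAddressToString
    $report.Add("DNS      : $ManagementServerFqdn -> $ip")
} catch { $report.Add("DNS      : cannot resolve $ManagementServerFqdn ($($_.Exception.Message))") }

# 2. TCP 5723 from the gateway to the MS, the only port the channel needs.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($ManagementServerFqdn, 5723); $report.Add("TCP 5723 : open") }
catch { $report.Add("TCP 5723 : blocked or nothing listening ($($_.Exception.Message))") }
finally { $tcp.Dispose() }

# 3. Certificates in Cert:\LocalMachine\My whose subject CN is this host's FQDN.
$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuth = "1.3.6.1.5.5.7.3.1"   # Server Authentication
$clientAuth = "1.3.6.1.5.5.7.3.2"   # Client Authentication
$kuFlags    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$usable = @()
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    if ($c.GetNameInfo($nameType, $false) -ine $fqdn) { continue }
    $problems = @()
    # EKU extension OID 2.5.29.37; key usage extension OID 2.5.29.15
    $ekus = @($c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekus -notcontains $serverAuth) { $problems += "no Server Authentication EKU" }
    if ($ekus -notcontains $clientAuth) { $problems += "no Client Authentication EKU" }
    $ku = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.15" }
    if (-not $ku -or (($ku.KeyUsages -band $kuFlags::DigitalSignature) -eq 0) -or
        (($ku.KeyUsages -band $kuFlags::KeyEncipherment) -eq 0)) {
        $problems += "key usage lacks DigitalSignature + KeyEncipherment"
    }
    if (-not $c.HasPrivateKey) { $problems += "no private key" }
    $now = Get-Date
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) { $problems += "outside validity period" }
    if ($problems.Count -eq 0) { $usable += $c }
    else { $report.Add("Cert $($c.Thumbprint): " + ($problems -join "; ")) }
}
if ($usable.Count -eq 0) { $report.Add("Cert     : no usable certificate for $fqdn in LocalMachine\My") }

# 4. Did MOMCertImport register one of the usable certificates?
$regPath  = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"
$imported = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if (-not $imported) {
    $report.Add("Import   : ChannelCertificateSerialNumber not set; MOMCertImport has not been run here")
} else {
    $bytes = [byte[]]$imported
    [array]::Reverse($bytes)                      # registry order is the reverse of the display order
    $serial = ($bytes | ForEach-Object { $_.ToString("X2") }) -join ""
    $match  = $usable | Where-Object { $_.SerialNumber -eq $serial }
    if ($match) { $report.Add("Import   : registered certificate $($match.Thumbprint) passes all checks") }
    else        { $report.Add("Import   : registered serial $serial is not one of the usable certificates") }
}
$report
```

    A certificate that fails the EKU or key-usage checks here is the usual cause of the 20057/21001/20071 sequence both threads describe, even when the console reports "The certificate is OK", because that dialog only checks the chain.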

  • SCOM 2012 Get Gray Management Servers With PowerShell

    Hi,
    I have SCOM 2012 R2.
    I want to get all the Management Servers that are in a gray state using PowerShell. How can I do that?
    I couldn't find anything good on the internet.
    The best I got was Get-SCOMManagementServer, but when I tested it out it still showed that my gateway's HealthState was "Success" even though it was gray.
    Thanks,
    Yakir.

    Hi,
    Check if this one helps:
    Get-SCOMClass -Name "Microsoft.SystemCenter.ManagementServer" | Get-SCOMClassInstance | Select-Object DisplayName, HealthState
    I don't know what your final objective is, but check this link:
    http://blogs.technet.com/b/jasonrydstrand/archive/2013/03/27/daily-scom-health-check-with-powershell.aspx
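    Yakir's observation (HealthState still "Success" while the gateway is gray) is the expected behaviour: a gray object is one whose HealthService has stopped heartbeating, so HealthState keeps its last evaluated value and the IsAvailable property of the class instance turns false. As an added example (not code from the thread), this filters on IsAvailable instead; it assumes it is run in the Operations Manager Shell on a management server.

```powershell
# Added example: list gray management servers and gateways from the Operations Manager Shell.
# Assumption: the OperationsManager module is available (it is on any management server).
Import-Module OperationsManager

function Get-GrayManagementServer {
    # Instances of Microsoft.SystemCenter.ManagementServer include gateway servers, whose
    # class derives from it. Gray in the console == IsAvailable false on the instance;
    # HealthState alone does not change when the HealthService stops reporting.
    $msClass = Get-SCOMClass -Name "Microsoft.SystemCenter.ManagementServer"
    Get-SCOMClassInstance -Class $msClass |
        Where-Object { -not $_.IsAvailable } |
        Select-Object DisplayName, HealthState, IsAvailable, LastModified
}

function Show-ManagementServerAvailability {
    # Side-by-side view that explains the thread's observation: HealthState can read
    # Success while IsAvailable is False for the same server.
    $msClass = Get-SCOMClass -Name "Microsoft.SystemCenter.ManagementServer"
    Get-SCOMClassInstance -Class $msClass |
        Sort-Object IsAvailable, DisplayName |
        Format-Table DisplayName, HealthState, IsAvailable, LastModified -AutoSize
}

$gray = @(Get-GrayManagementServer)
if ($gray.Count -eq 0) {
    "No gray management servers or gateways."
} else {
    "Gray management servers / gateways:"
    $gray | Format-Table -AutoSize
}
```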

  • SCOM 2012 client movement between Management servers

    Hi all,
    I know in SCOM 2012 SP1 all management servers are peers. If I have five management servers (A, B, C, D, E) and 2 gateway servers (F, G), and one client is assigned to management server A, in case that management server goes down, to which management server or gateway server will that particular client move, and is there any rule?
    Thanks,
    Sengottuvel M

    By default, "the first available management server". There is a black-box algorithm that works behind the scenes in terms of agent failover selection. The only way to control this is to set agent failover lists, and this is only possible via the command shell (PowerShell) - but it's relatively easy to do.
    Here are a couple interesting articles about the topic:
    http://blog.scomskills.com/agent-managementlist-primary-and-failover-configuration/
    http://blogs.technet.com/b/jonathanalmquist/archive/2009/11/11/set-failover-management-server-for-gateway-role.aspx
    ...and there are probably 100 other blog posts talking about the same thing.
    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

  • Gateway server and Management server in SCOM 2012

    What are the main differences between a Gateway server and a Management server in SCOM 2012?
    I have referred to this; is there anything else?
    http://blogs.technet.com/b/momteam/archive/2008/02/19/10-reasons-to-use-a-gateway-server.aspx

    1) A management server can write data gathered from agents directly into the Operations Manager database. A gateway server forwards the data collected from its managed agents to a management server.
    2) In an untrusted environment, for example a workgroup or an untrusted domain, where you do not want to deploy a certificate to every monitored agent, you should deploy a gateway server rather than a management server.
    Roger
