What does it take to monitor servers in workgroup from SCOM
To configure SCOM server to monitor the stand-alone servers in the workgroup , you must follow the following steps.
1) First and foremost make sure that you have access to a root certification authority and you must be able to create client and server certificates. If in case you don’t have a root CA available in your network then get one installed preferably on a separate server discounting the RMS or MS server. The root CA could either be a stand-alone or enterprise CA.
2) Now since we have access to a CA, browse to the following URL from the agent managed workgroup computer. https://certificatio_authority_server/certsrv.
a. Click download a CA certificate, certificate chain , or CRL.
b. Click Download CA certificate chain.
Tip:- If in case you are not able to access the above HTTP URL don’t be upset, there is another way out by which you can still be copy the CA certificate chain on the workgroup computer. Just go to the C:\WINDOWS\system32\certsrv directory on the CA server and copy the certnew.p7b file from this folder to the server in the workgroup.
3) Import the above certificate under the trusted root certificate authority. The only thing to remember here is that while opening the certificate MMC, you choose COMPUTER account instead of other two options.
4) At this point of time we need to generate a certificate for the server in the workgroup. There are several ways by which you can generate a certificate but I would recommend you following the steps documented under the following KB article.
To request a certificate from a stand-alone CA
https://technet.microsoft.com/en-us/library/bb735417.aspx
Note:- Please make sure that you also generate a server certificates for the RMS , MS servers as we need to import these certificates under different zones on the servers. The steps would be same to generate the server certificates for RMS, MS, workgroup servers.
5) Now since we have imported both CA certificate chain and server certificate under the respective zone on the workgroup computer , it is time to import the server certificate into another zone using the MOMCERTIMPORT tool (\SupportTools\i386) . But before this we need to get the server certificate exported with its private key. And also we need to get the server certificate exported with its private key on the RMS server as well (If you have already done this then you can ignore this).
Following are the steps to do so.
Click Start, click Run, type mmc, and then press ENTER.
On the File menu, click Add/Remove Snap-in.
Click Add.
Click Certificates, and then click Add.
Select Computer account, and then click Finish.
Select Local computer, click Finish, click Close to close the snap-in list, and then click OK to close the Add/remove snap-in window.
Expand Certificates (local computer) , expand Personal, expand Certificates, and then select a suitable certificate.
Right-click the certificate, point to All tasks, and then click Export.
Click Next.
Select Yes, export private key, and then click Next.
Use the default setting for the file format.
Type a password for the file.
Type a file name, and then click Next. For example, type C:\Workgroup_ComputerName.pfx.
Click Finish.
Note:- Repeat all these steps on the management server and on the workgroup computer.
6) Install the MOMAgent.msi setup file on the workgroup computer.
7) It’s time to import the exported PFX file on the workgroup servers using MOMCERTIMPORT tool.
a. Type the following command, and then press ENTER:
MOMCertImport path_of_the_certificate .pfx_file_that_is_exported_in_step_5
Note:- One of the most important thing to remember here is that we import the exported certificates using the above commands on the RMS and MS servers.
8) Restart the System center management service on the workgroup servers and on the RMS, MS servers.
9) After this if everything has gone according to the plan then you must see the workgroup servers either in pending management or in the agent managed pane under SCOM console.
If in case you don’t see the workgroup computer under any of the above panes in SCOM console then it’s time to start with the troubleshooting.
Troubleshooting steps:-
1) Make sure the servers in the workgroup can ping the FQDN of the RMS or MS server which have provided while installing the SCOM agent on the server.
2) Port number 5723 should be opened bi-directional between the RMS, MS <-> workgroup servers.
3) View the operation manager Event logs under the workgroup computer. You should look for the error messages like:-
Event Type: Error
Event Source: ABC Connector
Event Category: None
Event ID: 21016
Date: 9/27/2009
Time: 2:52:20 AM
User: N/A
Computer: ABC
Description:
ABC was unable to set up a communications channel to HOST.HOMEDC.COm and there are no failover hosts. Communication will resume when HOST.HOMEDC.COm is available and communication from this computer is allowed.
Event Type: Error
Event Source: ABC Connector
Event Category: None
Event ID: 20070
Date: 9/27/2009
Time: 2:52:17 AM
User: N/A
Computer: ABC
Description:
The ABC Connector connected to HOST.HOMEDC.COm, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
Now it’s time to look for the error messages under the RMS or MS servers regarding the communication failure with the above ABC server.
Event Type: Error
Event Source: ABC Connector
Event Category: None
Event ID: 21010
Date: 9/27/2009
Time: 2:21:49 AM
User: N/A
Computer: HOST
Description:
The ABC Connector negotiated the use of mutual authentication with 192.168.1.8:1077, but Active Directory is not available and no certificate is installed. A connection cannot be established.
The above error message means that there is no certificate available with the SCOM server on the RMS or MS to authenticate the workgroup server. Make sure you have correctly imported the server certificate using the MOMCERTIMPORT tool on the RMS and MS server.