Cross-forest monitoring

  • Question

  • Hi,

    We need to perform cross-forest monitoring for a number of servers and I believe the best way to do this is to install a Gateway in the untrusted forest and then put a certificate in place on the Gateway.  This way we only need the certificate on the gateway and we can point the Servers to that gateway.

    I've built the gateway and added it using the Gateway Approval Tool.  I've also created the certificate and put it in place using the MomCertImport tool.

    However, when I restart the Health Service I still get errors similar to this:

    Failed to initialize security context for target MSOMHSvc/[ManagementServerName] The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

    The error makes me feel like it's still trying to use Kerberos (mainly due to the mention of the SPN) and I'm curious as to why this is.

    Does anyone have any ideas on this please?

    I've tried finding a step-by-step guide for this but I've not managed to find one yet which covers cross-forest monitoring.

    Thanks in advance for any help.

    Pete

    Wednesday, August 12, 2020 3:32 PM


All replies

  • You also need a certificate on the SCOM Management Server the gateway is talking to... did you create one?
    Wednesday, August 12, 2020 4:14 PM
  • The Management Server has been in production for a while and already talks to a number of other Gateways, although these are all within the same forest.

    If we have two forests known as Forest A (which is our main 'trusted' forest) and Forest B (which is the one we want the Gateway in), then I am correct in saying that the certificate to be installed in Forest B should come from the PKI infrastructure in Forest A?

    If that's the case then that's what we have done.  The Management Server has a certificate from the PKI Server in the root domain (foresta.root) and the same PKI infrastructure was also used for the remote forest.  The certificates are installed and the full chain can be verified.

    Wednesday, August 12, 2020 5:50 PM
  • A Management Server can talk with other gateways in its domain without needing a certificate, their mutual authentication is based on Kerberos just the same as with agents in the same domain.

    However, a Management Server requires a SCOM certificate (same template used for the gateway, imported with MomCertImport) to talk with a Gateway.

    It doesn't necessarily need to come from the same PKI, but the MS needs to trust the PKI that created the gateway's certificate and the gateway needs to trust the PKI that created the MS certificate.

    • Edited by CyrAz Wednesday, August 12, 2020 11:46 PM
    Wednesday, August 12, 2020 11:45 PM
  • Hi Peter,

    Did we try the following steps to initiate communication between the management server and the gateway?
    3. Distribute the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management server.
    4. Run the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool to initiate communication between the management server and the gateway.

    https://docs.microsoft.com/en-us/system-center/scom/deploy-install-gateway-server?view=sc-om-2019#how-to-deploy-a-gateway-server
    https://gallery.technet.microsoft.com/Step-by-Step-Gateway-62fbfce2

    If all steps are done, please check if the Gateway server is monitored under the SCOM console.

    Hope it can help.

    Best regards.
    Crystal

    Thursday, August 13, 2020 1:42 AM
    Hi Peter,

    Preferably the certificate should come from the same CA, that is correct. If not, both Certificate Authorities have to be trusted. My recommendation in this case is to use the following script to check the certificates both on your management server and also on your Gateway:

    Troubleshooting OpsMgr SCOM Certificate Issues with PowerShell Script
    https://gallery.technet.microsoft.com/scriptcenter/Troubleshooting-OpsMgr-27be19d3

    This script helps identify issues with the config of the certificate. Simply run it on both ends and check the output. And one more thing: don't forget to check if TLS 1.2 is enabled. I had this case and described the resolution here just two days ago:

    Newly Installed Gateway Server cannot connect to the management servers
    https://social.technet.microsoft.com/Forums/en-US/071a127b-ea32-4641-8f7d-c6989cb0833a/newly-installed-gateway-server-cannot-connect-to-the-management-servers?forum=operationsmanagerdeployment

    Can you please check those two points and post back. Thanks!

    Regards,

    Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    • Marked as answer by Peter J West Thursday, August 13, 2020 11:41 AM
    Thursday, August 13, 2020 6:33 AM
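The checks below are an added example, not the linked TechNet script and not Pete's or Stoyan's code. They cover the points raised in CyrAz's reply (mutual trust of the issuing PKIs) and in the marked answer (verify the certificate on both the Gateway and the Management Server): the script reads the serial that MomCertImport registered, finds that certificate in the machine store, and checks EKUs, subject, private key and chain. It assumes the registry path and the reversed-byte serial format used by MomCertImport, and the standard TLS EKU OIDs; run it elevated on each end.

```powershell
# Added example: verify the SCOM channel certificate on a Gateway or Management Server.
# Assumption: MomCertImport stores the chosen serial (bytes reversed) under this key.
$RegPath       = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (needed for mutual auth)

function Test-ScomChannelCertificate {
    $findings = @()

    # 1. Which certificate did MomCertImport register for the Health Service?
    $raw = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $raw) { return @('ChannelCertificateSerialNumber not set; MomCertImport has not been run') }
    $bytes = [byte[]]$raw
    [array]::Reverse($bytes)            # registry holds the serial with byte order reversed
    $serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) { return @("No certificate with serial $serial in LocalMachine\My") }

    # 2. SCOM requires both EKUs because MS and Gateway authenticate each other.
    $ekus = @($cert.EnhancedKeyUsageList.ObjectId)
    if ($ekus -notcontains $ServerAuthOid) { $findings += 'Missing Server Authentication EKU' }
    if ($ekus -notcontains $ClientAuthOid) { $findings += 'Missing Client Authentication EKU' }

    # 3. Subject must be the FQDN the peer uses to reach this machine.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($cert.Subject -notmatch "CN=$([regex]::Escape($fqdn))") {
        $findings += "Subject '$($cert.Subject)' does not match CN=$fqdn"
    }

    # 4. The Health Service must be able to use the private key.
    if (-not $cert.HasPrivateKey) { $findings += 'Private key is missing' }

    # 5. The chain must build against THIS machine's trusted roots. In the cross-forest case
    #    this is the trust point: each side must trust the CA that issued the other's cert.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # avoid false alarms if the CRL is unreachable
    if (-not $chain.Build($cert)) {
        $findings += ($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) $($_.StatusInformation.Trim())" })
    }

    if ($findings.Count -eq 0) { $findings = @("OK: certificate $serial passes all checks") }
    return $findings
}

Test-ScomChannelCertificate
```

Run it on the Gateway and on the Management Server and compare: a failing step 5 on one side while the other passes is the symptom of the two PKIs not being mutually trusted.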
  • Hi Stoyan,

    Many thanks - it was actually the script you linked to that does the certificate check that helped us fix the issue in the end.

    It turned out we had some issues with the certificates which it highlighted.  We fixed those and now it's working perfectly.

    Many thanks

    Pete

    Thursday, August 13, 2020 11:41 AM
  • Hi Peter,
     
    Glad to hear that the issue is resolved. Congratulations! Please let me write a summary of our issue:
     
    Issue Definition:
    ==================
    The Gateway in another forest is not working
     
    Resolution:
    =================
    Run the following script and find some issues with certificates. Fix them and it is working.
    Troubleshooting OpsMgr SCOM Certificate Issues with PowerShell Script
    https://gallery.technet.microsoft.com/scriptcenter/Troubleshooting-OpsMgr-27be19d3
     
    Thanks for your time and have a nice day!
     
    Best regards.
    Crystal


    Friday, August 14, 2020 2:52 AM
  • Hi Pete,

    glad to hear it worked :)

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Monday, August 17, 2020 2:34 PM