Gateway redundancy question

  • Question

  • Hi,

    I read some posts about gateway redundancy but I'm not sure I did it correctly.

    Running a SCOM 2019 environment with 1 management group called SCOM-P

    Created 2 gateway servers in 1 other domain. Domain is called ACPT
    Servers in domain ACPT with installed agents pointing to GW servername and SCOM group name SCOM-P
    Now 1 GW server has failed, agents don't failover to 2nd GW server.
    Probably because they don't know it's there.

    Please point me to an instruction on how to set this up?
    Not sure I'm using the right keywords for my situation to find it.

    Thanks

    Tuesday, August 4, 2020 10:51 AM

All replies

  • There is no automatic failover configuration when using gateways, you need to specify the failover servers yourself: https://docs.microsoft.com/en-us/system-center/scom/manage-config-agent-failover-multiple-gateway-servers?view=sc-om-2019

    Tuesday, August 4, 2020 11:52 AM
  • Hi,

    SCOM agents will not automatically failover to other Gateway servers by default, this needs to be configured manually.

    You can follow along here:
    https://kevinholman.com/2018/08/06/assigning-gateways-and-agents-to-management-servers-using-powershell/

    or the official documentation here:
    https://docs.microsoft.com/en-us/system-center/scom/manage-config-agent-failover-multiple-gateway-servers?view=sc-om-2019

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com


    Tuesday, August 4, 2020 11:53 AM
  • I have a PowerShell script running as a scheduled task that automatically sets it (using the OM shell). I have a text file that has the FQDNs of the gateway server pairs like this:

    gw1.domain1.contoso.com gw2.domain1.contoso.com

    gw1.domain2.contoso.com gw2.domain2.contoso.com

    The PowerShell script is really quite simple:

    import-module OperationsManager
    new-SCOMmanagementgroupconnection "ms01.contoso.com"
    $infile = "e:\scripts\input_files\gateways.txt"
    if (-NOT (test-path -path $infile)) {
        write-host "Input file not there"
        exit
    }

    foreach ($line in (get-content $infile)) {
        # skip empty lines in the input file
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # one gateway pair per line; accept a comma or whitespace between the two FQDNs
        $pri,$sec = $line.Trim() -split '[,\s]+',2
        write-host "pri: " $pri "  sec: " $sec
        $prims = get-scommanagementserver -Name $pri
        $secms = get-scommanagementserver -Name $sec
        # do not touch any agent if either gateway of the pair cannot be resolved
        if (-not $prims -or -not $secms) {
            write-host "Gateway not found, skipping pair"
            continue
        }

        #first we set it for systems with prims=pri
        $agents = get-scomagent -managementserver $prims
        foreach ($agent in $agents) {
            set-scomparentmanagementserver -agent $agent -failoverserver $secms
        }

        #now we do it for prims=sec
        $agents = get-scomagent -managementserver $secms
        foreach ($agent in $agents) {
            set-scomparentmanagementserver -agent $agent -failoverserver $prims
        }
    }


    "Fear disturbs your concentration"

    Tuesday, August 4, 2020 2:37 PM
  • Hi Thomas,

    Agreed with CyrAz and Leon: when one Gateway server goes down, the agents pointing to this Gateway server will NOT automatically fail over to another Gateway server. We need to configure the agents to use another server (GW2), using a PowerShell script.

    #Agents reporting to "GW1" – Failover to "GW2"
    # look up both gateway objects by name
    $primaryMS = Get-SCOMManagementServer | where {$_.Name -eq "GW1"}
    $failoverMS = Get-SCOMManagementServer | where {$_.Name -eq "GW2"}
    # all agents whose primary parent is GW1
    $agent = Get-SCOMAgent | where {$_.PrimaryManagementServerName -eq "GW1"}
    # keep GW1 as primary, then add GW2 as failover
    Set-SCOMParentManagementServer -Agent $agent -PrimaryServer $primaryMS
    Set-SCOMParentManagementServer -Agent $agent -FailoverServer $failoverMS

    The following article is for reference:
    https://social.technet.microsoft.com/wiki/contents/articles/52106.scom-windows-agents-failover.aspx

       
    Hope it can help.
     
    Best regards.
    Crystal

    "SCOM" forum will be migrating to a new home on Microsoft Q&A!
    We invite you to post new questions in the "SCOM" forum's new home on Microsoft Q&A!
    For more information, please refer to the sticky post.


    Wednesday, August 5, 2020 3:05 AM
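A check to run after either script above, added here as an example and not part of any poster's reply: it lists every agent whose primary parent is a gateway and shows whether a failover server is assigned. It assumes the OperationsManager module is available; `ms01.contoso.com` is the placeholder name from the earlier post, and `GetFailoverManagementServers()` is the SDK method on the agent object.

```powershell
Import-Module OperationsManager
New-SCOMManagementGroupConnection "ms01.contoso.com"   # placeholder name from the thread

# Gateways come back from Get-SCOMManagementServer with IsGateway set
$gateways = Get-SCOMManagementServer | Where-Object { $_.IsGateway }

$report = foreach ($gw in $gateways) {
    foreach ($agent in (Get-SCOMAgent -ManagementServer $gw)) {
        # Names of the failover parents currently assigned to this agent
        $failover = @($agent.GetFailoverManagementServers() | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Agent    = $agent.DisplayName
            Primary  = $agent.PrimaryManagementServerName
            Failover = $failover -join '; '
            Covered  = $failover.Count -gt 0
        }
    }
}

# Agents that would go grey if their gateway failed
$uncovered = @($report | Where-Object { -not $_.Covered })
Write-Host ("{0} of {1} gateway agents have no failover server" -f $uncovered.Count, @($report).Count)
$uncovered | Sort-Object Primary, Agent | Format-Table Agent, Primary -AutoSize

# Agents whose failover is the same server as the primary give no redundancy either
$report | Where-Object { $_.Covered -and ($_.Failover -split '; ') -contains $_.Primary } |
    Format-Table Agent, Primary, Failover -AutoSize
```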
  • Hi,

    How's everything going? Is there anything else we can help with? If yes, feel free to let us know.

    Best regards.

    Crystal



    Friday, August 7, 2020 6:31 AM
  • Thank you.
    Currently experiencing problems with my gateway server.
    It's greyed out, maybe certificate problems or something else. Trying to learn / understand how it works.
    I have 6 management servers in 1 prod VLAN, 3 other VLANs with each 2 GW servers.
    I know each GW server needs to trust the root CA from my prod VLAN and needs to have a certificate to communicate with a management server in PROD VLAN. But what about the other mgmt servers in PROD? Do they also need certificates for the GW servers or does the GW server need certificates to all the GW servers? Looked at some videos but they all have 1 MGMT server and 1 GW server.
    Friday, August 7, 2020 7:51 AM
  • You can have a look at the webinar hosted by Bob in July:
    https://www.youtube.com/watch?v=Sxc4kkB02Kk

    This is great and goes through the SCOM Gateway best practices and a lot more how everything works :-)


    Blog: https://thesystemcenterblog.com

    Friday, August 7, 2020 8:13 AM
  • A gateway only needs to be able to authenticate with the Management Server(s) it talks to, not the other MS nor the other GW.

    The GW needs to trust the MS's certificate certification chain (root and any sub-CA in the chain as well), and the opposite is true as well: the MS needs to trust the GW certification chain, if a different CA was used for the MS and the GW.

    Friday, August 7, 2020 8:28 AM
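The mutual chain trust described in the reply above can be checked on each side with the .NET chain builder. This is an added example, not part of the original post; `$PeerCertPath` is a hypothetical path to the other server's certificate exported without its private key.

```powershell
# Run on the gateway against the management server's exported certificate,
# then on the management server against the gateway's certificate.
# Hypothetical path: the peer's certificate as a .cer file (no private key).
$PeerCertPath = 'C:\temp\peer-server.cer'

$peer  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PeerCertPath
# $true = build the chain against the LocalMachine certificate stores
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$trusted = $chain.Build($peer)

Write-Host "Peer certificate: $($peer.Subject)"
Write-Host "Issued by       : $($peer.Issuer)"
Write-Host "Valid           : $($peer.NotBefore) to $($peer.NotAfter)"
Write-Host "Chain trusted   : $trusted"

# Walk the chain from leaf to root and show the status of every element
foreach ($element in $chain.ChainElements) {
    $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
    if ($flags.Count -eq 0) { $flags = @('OK') }
    Write-Host ("  {0}  [{1}]" -f $element.Certificate.Subject, ($flags -join ', '))
}

# Translate the most common failures into what is missing on this server
foreach ($status in $chain.ChainStatus) {
    switch ($status.Status.ToString()) {
        'UntrustedRoot' { Write-Host 'The peer root CA is not in Trusted Root Certification Authorities on this server.' }
        'PartialChain'  { Write-Host 'An intermediate (sub) CA certificate is missing on this server.' }
        'NotTimeValid'  { Write-Host 'A certificate in the chain is expired or not yet valid.' }
        'RevocationStatusUnknown' { Write-Host 'The CRL could not be reached from this network segment.' }
        default { Write-Host ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()) }
    }
}
```

A result of `Chain trusted: True` on both servers means each side trusts the other's full chain; it does not check the certificate that the server itself presents.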
  • I watched it. It's a graphical not a technical guide.
    Friday, August 7, 2020 8:41 AM
  • Hi,

    For the Gateway greyed out issue, we can check if there's any network change between the MS and Gateway. 

    Best regards.

    Crystal



    Friday, August 7, 2020 9:35 AM