Monitoring 2008 R2 clustered certificate services

Question

  • Hi There,

    We've set up a CA cluster using Server 2008 R2. We followed this document: http://www.microsoft.com/en-us/download/details.aspx?id=331

    Everything is working fine so far.

    My question is how to monitor clustered CAs using SCOM. The Certificate Services Operations Manager 2007 MP tells me that it does not support clusters.

    Is there any other way to monitor a clustered CA?

    Ben

    Thursday, May 24, 2012 10:37 AM

All replies

  • Hi Ben -

    That is a great question and the first time I've heard it asked. I checked the management pack discovery and it uses the Windows computer to search for installed instances of certificate services. Certificate services would be running on the active cluster node and should be discovered.

    Can I ask if you have tried this out or are just asking based on the documentation? It could be that it's not listed in the guide because the MP authors didn't get to test it, but it might work.


    John Joyner MVP-SC-CDM

    Thursday, May 24, 2012 3:38 PM
  • Hi John,

    I've tried it using SCOM 2007 R2 (6.1.7221.81). I had to set up SCOM for a customer who uses a root (offline) and two subordinate CAs.

    I downloaded and installed the management pack without any problem, but the subordinate CAs didn't show up in SCOM. Even 48 hours later no CA was detected. I was wondering what happened, because monitoring of AD Certificate Services was not a problem before. So I asked my customer if there is anything special with his CA and he told me that both of them are clustered. I've checked that all nodes and cluster addresses are discovered by SCOM - they are.

    I started to read the installation document (see link above) - not a word about monitoring. I took a look into the Certificate Services Operations Manager 2007 MP documentation and found that clusters are not supported. Does Microsoft think because of clustering there is no need to monitor AD Certificate Services?

    Right now my customer uses pkiview to check the health status of his CAs, but that's only a workaround.

    Of course I can monitor CA availability using certutil and I was wondering if there is no way to use it in a "handmade" management pack, but I would appreciate an MP that is able to monitor clustered AD Certificate Services.


    Ben

    Friday, May 25, 2012 7:30 AM
  • Hi out there,

    Anyone any news on this, or should I ask Microsoft about this?


    Ben
    Thursday, May 31, 2012 7:02 AM
  • Hi Ben -

    To stand up a clustered CA just to test/repro your question would unfortunately take a spot of time and resources.

    It is interesting information that you provided, thank you for the extra detail. Your experience seems to match the documentation for the management pack: it does not support clusters. I am surprised, but short of deploying the management pack to an actual CA cluster, as you have done, there is no way to know.

    If you opened a Microsoft case, they would probably not pursue a fix because the documentation states that what you are asking for is unsupported. 

    Custom automation (certutil scripts and a 'handmade' management pack) is probably the right solution. Note there are some other special things you need to do with clustered CA as well: http://blogs.technet.com/b/askds/archive/2010/01/07/clustered-certification-authority-maintenance-tasks.aspx.


    John Joyner MVP-SC-CDM

    • Marked as answer by Yog Li Tuesday, June 5, 2012 9:19 AM
    Thursday, May 31, 2012 11:11 AM
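
One way to build the certutil-based check suggested in the accepted answer, as an added example that is not code from anyone in this thread: it pings the CA through the cluster network name rather than a node name and writes the result to the Application event log, where an event-based rule in a custom management pack can alert on it. The CA config string, event source name and event IDs are placeholders chosen for illustration, and the script assumes it is run elevated on a machine that has certutil and can reach the cluster name.

```powershell
# Added example: availability probe for a clustered CA, addressed by its cluster network name.
# All default values below are constructed placeholders; replace them with your own.
param(
    [string]$CaConfig    = 'CA-CLUSTER-NAME\Example Issuing CA',  # <cluster network name>\<CA name>
    [string]$EventSource = 'ClusteredCAProbe',                    # hypothetical event source
    [int]$OkEventId      = 9000,                                  # hypothetical event IDs
    [int]$FailEventId    = 9001
)

function Test-CaPing {
    param([string]$Config)
    # "certutil -ping" contacts the CA's certificate request interface.
    # Using the cluster name means the probe follows the CA to whichever node is active.
    $output = & certutil.exe -config $Config -ping | Out-String
    New-Object PSObject -Property @{
        Config   = $Config
        ExitCode = $LASTEXITCODE            # 0 on success, otherwise an error code from certutil
        Healthy  = ($LASTEXITCODE -eq 0)
        Output   = $output.Trim()
    }
}

function Write-ProbeEvent {
    param($Result, [string]$Source, [int]$OkId, [int]$FailId)
    # Register the event source on first run (requires administrative rights).
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    if ($Result.Healthy) { $type = 'Information'; $id = $OkId }
    else                 { $type = 'Error';       $id = $FailId }
    $msg = "CA ping for '{0}' returned 0x{1:X8}`r`n{2}" -f `
           $Result.Config, $Result.ExitCode, $Result.Output
    Write-EventLog -LogName Application -Source $Source -EventId $id `
                   -EntryType $type -Message $msg
}

$result = Test-CaPing -Config $CaConfig
Write-ProbeEvent -Result $result -Source $EventSource -OkId $OkEventId -FailId $FailEventId
$result | Format-List Config, Healthy, ExitCode

# Non-zero exit lets a scheduler or script monitor treat the run as failed.
if ($result.Healthy) { exit 0 } else { exit 1 }
```

Run it on a schedule from a machine that is not one of the cluster nodes, so a node failure does not also take out the probe.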