Active Directory Certificate Services discovery on Windows Server 2016

  • Question

  • Hello,

    I've deployed a new PKI on Windows Server 2016; the next goal is to monitor it via SCOM, which is already in place.

    New PKI is not shown under Monitoring > "Microsoft Windows Server Active Directory Certificate Services" > Certificate Authorities. Therefore I assume that discovery is not working.

    All available management packs for "AD Certificate Services" are imported already.

    MP for AD Certificate Services 2016 does not exist.

    SCOM agent is installed on server and can communicate with SCOM server.

    Any idea how to easily achieve the same results as from official MP?




    Wednesday, November 29, 2017 12:25 PM

All replies

  • Hi Martin,

    I think the MP for WS 2016 AD Certificate Services isn't ready yet. At least judging by this post:

    Where are the Server 2016 Management Packs?

    What you can do is to check in the MP Guide of the 2012 R2 Certificate Services MP, which monitors and rules have been configured and try to build an MP on your own. This will require some advanced authoring skills though.

    You can also take the easy way (as kind of workaround until the MP is out there) and configure monitors for the related services (You can do this either over the GUI or with a tool, like MPSilect for example). In addition to this you can also configure alert generating rules, which track down all events with the Certificate Services as source. This way you will ensure the availability of your services and you will get alerted if events start to flow, indicating that something is wrong. You can see what rules are currently present in the MP Guide for AD CS 2012/2012 R2.

    Let's hope the AD CS 2016 MP will be ready soon. 

    I hope I could help. Regards.


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Wednesday, November 29, 2017 2:25 PM
  • Hello,

    Can you check re-initializing the cache on one of the servers as a test?

    - Stop health service

    - Delete health state folder

    - Start service

    Check in the event logs, do you see stuff being received?



    Cheers, Sam

    Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!

    Wednesday, November 29, 2017 2:29 PM
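
The cache re-initialization steps from the reply above, as an added PowerShell example that is not part of the original post. It assumes the agent service is named `HealthService`, the agent is installed in the default Microsoft Monitoring Agent path, and the script runs elevated on the CA server; adjust `-StateDir` if the agent lives elsewhere.

```powershell
# Added example: reset the SCOM agent cache on one server, then show what the agent logged.
# Assumptions: service name 'HealthService', default agent install path, elevated session.
[CmdletBinding()]
param(
    # Assumed default location of the agent's health state folder
    [string]$StateDir = "$env:ProgramFiles\Microsoft Monitoring Agent\Agent\Health Service State",
    # How long to let the agent re-download configuration and management packs
    [int]$WaitSeconds = 120
)
$ErrorActionPreference = 'Stop'

$svc     = Get-Service -Name 'HealthService'
$started = Get-Date   # only events logged after this point are reported

# 1. Stop the health service and wait until it has really stopped,
#    otherwise files in the state folder are still locked.
Stop-Service -InputObject $svc -Force
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2. Delete the health state folder (the agent recreates it on start).
if (Test-Path -LiteralPath $StateDir) {
    Remove-Item -LiteralPath $StateDir -Recurse -Force
} else {
    Write-Warning "State folder not found at '$StateDir'; check the agent install path."
}

# 3. Start the service again.
Start-Service -InputObject $svc
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# 4. Give the agent time to contact the management server, then list
#    everything it wrote to the 'Operations Manager' event log since the reset.
Start-Sleep -Seconds $WaitSeconds
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; StartTime = $started } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No events logged since the reset; the agent may not be reaching the management server.'
} else {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```
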
  • I started on making it work for Server 2016. Basically you only need to change the Discovery and target the Server 2016 class instead of what the existing 2012R2 PKI MP is targeting.

    Did most of the work here (though not quite finished and tested):

    https://github.com/mortenlerudjordet/lerunTools/tree/master/SCOM/MPs/ActiveDirectoryCertificateServices.2016.Discovery

    • Proposed as answer by Yan Li_ Thursday, November 30, 2017 6:09 AM
    Wednesday, November 29, 2017 4:40 PM
  • Hi,

    There is an update in comments, from blog: Where are the Server 2016 Management Packs?

    Kevin Holman
    December 6, 2017 at 2:07 pm
    I have been asking for it. I am told we plan to release it in January.


    Wednesday, January 24, 2018 12:11 PM