SCOM Agent - monitoring servers on Different Forest/Domain

  • Question

  • Hi,
    I have two domains, Domain-A and Domain-B, in different forests with no trust between them. Domain-A has SCOM installed, up and running, with its own Certificate Authority.

    We monitor servers on Domain-A and a few DMZ servers which are in a workgroup, using certificate-based authentication. No issues.

    Now we have a new Domain-B in a different forest, and no trust exists. We need to monitor the Domain-B servers from the SCOM MSs on Domain-A. Port 5723 is accessible, and I installed the SCOM agents manually with certificates from the CA that we have on Domain-A. Now the SCOM agents from Domain-B are not able to connect to the SCOM MSs on Domain-A and log the errors below. Please help me in this regard.

    *************************************
    Event Type:      Error
    Event Source:    OpsMgr Connector
    Event Category:  None
    Event ID:        20057
    Date:            9/29/2009
    Time:            12:55:00 PM
    User:            N/A
    Computer:        F2P01
    Description:
    Failed to initialize security context for target MSOMHSvc/opmrmpv01.xxx.yyy The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    *************************************
    Event Type:      Error
    Event Source:    OpsMgr Connector
    Event Category:  None
    Event ID:        21001
    Date:            9/29/2009
    Time:            12:27:48 PM
    User:            N/A
    Computer:        F2P01
    Description:
    The OpsMgr Connector could not connect to MSOMHSvc/opmrmpv01.xxx.yyy because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

    *************************************
    Event Type:      Error
    Event Source:    OpsMgr Connector
    Event Category:  None
    Event ID:        21016
    Date:            9/29/2009
    Time:            12:27:54 PM
    User:            N/A
    Computer:        F2P01
    Description:
    OpsMgr was unable to set up a communications channel to opmrmpv01.xxx.yyy and there are no failover hosts.  Communication will resume when opmrmpv01.xxx.yyy is both available and allows communication from this computer.
    *************************************

    - Manickam A.

    Tuesday, September 29, 2009 8:52 PM

Answers

  • The issue got fixed after calling MS support. It was due to a corrupted certificate on the RMS server.

    Note: I couldn't put in the Gateway, due to the hardware cost and the time constraint of getting a new server and bringing it up and running. Further, I only have 10 servers on Domain-B to be monitored, so I put a certificate on all 10 servers.

    - Manickam A.

    • Marked as answer by manickama Wednesday, September 30, 2009 11:53 PM
    Wednesday, September 30, 2009 11:53 PM
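Because there is no trust between the forests, Kerberos cannot authenticate the agent to the management server, so the channel falls back to the SChannel (certificate) path, and any defect in the certificate at either end produces the 20057/21001 pair above. The following PowerShell check is an added example, not code from the original thread or from Microsoft: it locates the certificate that MOMCertImport registered on the local host and verifies the documented OpsMgr 2007 requirements (subject CN equal to the machine FQDN, Server and Client Authentication EKUs, DigitalSignature and KeyEncipherment key usage, a private key, a valid period, and a chain that builds). Assumptions: the registry path is the OpsMgr 2007 R2 one, the serial number is stored there as REG_BINARY in reversed byte order, and the expected FQDN defaults to the local DNS host name. Run it from an elevated prompt on both the Domain-B agent and the RMS/management server, since the fix in this thread turned out to be the RMS certificate.

```powershell
# Added example (not from the original thread): check the certificate an OpsMgr 2007
# agent or management server would present for certificate-based mutual authentication.
function Test-OpsMgrChannelCertificate {
    param(
        # Assumption: the peer validates the subject CN against this name.
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    # Assumption: OpsMgr 2007 R2 registry location written by MOMCertImport.exe.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $reg -or -not $reg.ChannelCertificateSerialNumber) {
        return @("No ChannelCertificateSerialNumber under $regPath (MOMCertImport not run on this host)")
    }

    # The serial number is stored as REG_BINARY with the bytes reversed relative to
    # the X509Certificate2.SerialNumber hex string, so reverse before comparing.
    $bytes = [byte[]]$reg.ChannelCertificateSerialNumber
    [array]::Reverse($bytes)
    $serial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) {
        return @("Certificate with serial $serial not found in LocalMachine\My (store and registry disagree)")
    }

    $problems = @()
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { $problems += 'no private key bound to the certificate' }
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += "not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))" }

    # Subject CN must be the FQDN the peer connects to (MSOMHSvc/<fqdn> in the events).
    $cnPattern = 'CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)'
    if ($cert.Subject -notmatch $cnPattern) { $problems += "subject '$($cert.Subject)' does not carry CN=$ExpectedFqdn" }

    # Both Server Authentication and Client Authentication EKUs are required.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($need in @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')) {
        if ($oids -notcontains $need) { $problems += "EKU missing $need" }
    }

    # Key usage must include DigitalSignature and KeyEncipherment.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $flags = $ku.KeyUsages
        foreach ($name in @('DigitalSignature', 'KeyEncipherment')) {
            $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::$name
            if (($flags -band $flag) -eq 0) { $problems += "KeyUsage lacks $name" }
        }
    }

    # The chain must build to a root the peer also trusts; this only proves it builds locally,
    # so the issuing CA's root still has to be in Trusted Root on the other side.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $status"
    }

    if ($problems.Count -eq 0) { return @("OK: $($cert.Subject) serial $serial passes all OpsMgr channel checks") }
    return $problems
}

Test-OpsMgrChannelCertificate | ForEach-Object { Write-Output $_ }
```

A certificate that passes every check here but still fails mutual authentication usually points at the other end of the channel: run the same script on the management server, and confirm that the Domain-A CA root is in the Domain-B agents' Trusted Root Certification Authorities store, which this local-only chain build cannot verify.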

All replies

  • The problem could be that the SPN is not registered correctly. The deployment document includes the procedure for using SetSPN. Take a look at http://www2.wolzak.com/index.php?option=com_content&task=view&id=15&Itemid=9

    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Wednesday, September 30, 2009 6:18 AM
  • Just a thought - if Domain B is an AD domain, then you could use a gateway server instead.
    That way you wouldn't need to install certs on all servers, as they have mutual authentication with the gateway server.
    Not sure it solves your problem, but I don't think it's a CA issue per se fwiw. But at least you would have a single point to work through the cert issues.

    Nick
    • Proposed as answer by Nick Madge Wednesday, September 30, 2009 10:53 AM
    Wednesday, September 30, 2009 9:54 AM
  • This is a key scenario for a Gateway. This updated article on the Gateway has a diagram representing your scenario.

    I have also created a master list of mutual authentication errors I have encountered in the field when dealing with mutual authentication that may be of help. 

    Pete Zerger, MVP-OpsMgr and SCE | http://www.systemcentercentral.com
    Wednesday, September 30, 2009 10:49 AM