MOM 2005 Agent Deployment Questions

    Question

  • Hello,

    I have a MOM 2005 mgmt svr on an internal network and would like to install agents on several standalone hosts in a DMZ network. There is a firewall between the DMZ network and the internal network. The hosts in the DMZ are in their own individual workgroups.

    My questions are:

       1. A manual agent installation is the only feasible option. Is this doable?

       2. If 1 is true, what ports need to be opened on a firewall?

       3. If both 1 and 2 are doable, which MOM login account should be used for installation and communications?

     

    Thanks in advance.


    • Edited by nfts Wednesday, December 7, 2011 3:56 PM
    Wednesday, December 7, 2011 3:55 PM

All replies

  • Manual install yes. Port 1270.
    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Thursday, December 8, 2011 12:13 PM
    Moderator
  • @Bob

    Thanks.  Do any ports need to be opened for authentication?  Should the MOM action account be used for communications?


    • Edited by nfts Thursday, December 8, 2011 2:33 PM
    Thursday, December 8, 2011 2:32 PM
  • Well, you would need to log on to the computer with an admin account and locally install the MOM agent on the machine. Then approve it in pending actions, assuming that the security settings have been set to put manually installed agents in pending actions.

    You will probably have to make a host file entry for the MOM server on the DMZ box, and a host entry on the MOM server to the DMZ box.

    The local account should be used for the action account.

    Hope this helps.

    WOW MOM 2005.. I'm feeling old now..

     


    Scott Moss MVP (Operations Manager) | President - System Center Virtual Users Group | Vice President - Atlanta Southeast Management Users Group (ATL SMUG) Please remember to click “Mark as Answer” on the post that helps you!
    Thursday, December 8, 2011 4:10 PM
    Moderator
  • I see Scott already jumped in for your third question. So that's the deal. Manual install, approve.. local action account. And make sure the machines get to know how to find each other.

    @ Scott... yeah the good old days of MOM :-)


    Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
    Thursday, December 8, 2011 5:44 PM
    Moderator
  • @Scott

    I have the network information set up so both hosts know how to talk to each other.  And, after doing so, I am seeing a dialog box with "The Management Server Could Not Be Contacted".  Is there a debugger that can help troubleshoot the installation?

    Thursday, December 8, 2011 6:57 PM
  • For MOM 2005, not really; that product hit the end of life a few years ago.

    I'd verify with your network folks that the MOM 2005 port is open in both directions; if it isn't, that is what could cause the same problem. 9 times out of 10 this is usually the problem: the port is only open in one direction, but it does need to be open both ways.

    If this fixes it, then good; if not, verify that the name of the MS is right and the name of the agent is correct in the hosts file.

    The last thing to do is to verify in Add/Remove Programs: select MOM 2005, select Change, edit the management group, and then verify that the name added to the host file is the same name as the management server. If it is, uninstall the agent, then reinstall it.

    Good Luck!


    Scott Moss MVP (Operations Manager) | President - System Center Virtual Users Group | Vice President - Atlanta Southeast Management Users Group (ATL SMUG)
    • Marked as answer by Yog LiModerator Friday, December 16, 2011 10:22 AM
    • Unmarked as answer by nfts Thursday, December 22, 2011 2:33 PM
    Friday, December 9, 2011 3:37 AM
    Moderator
  • Connectivity is established.  I am seeing the agent in the MOM admin console.  On the agent, I'm seeing this:

    Event Type: Information
    Event Source: Microsoft Operations Manager
    Event Category: MOM Agent
    Event ID: 21218
    Date:  12/22/2011
    Time:  11:41:45 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: <Agent Name>
    Description:
    The Agent could not load any cached configuration information. This error may occur when the configuration cache file is not present (which will be the case when an agent/server gets installed for the first time), or when the file becomes corrupted.
    Management Group: <Name of Mgmt Grp> 

    The Agent will not process data until it successfully retrieves configuration information.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    This event is registered repeatedly.  Any thoughts?

    Thursday, December 22, 2011 6:57 PM
  • The HOST file on the AGENT has the name of the MS, and the MS HOST file has the name of the AGENT machine, correct?

    From the agent machine, are you able to ping the MS by NAME? And from the MS, are you able to ping the agent machine BY NAME?

    If the above are true, uninstall the MOM 2005 agent from the box, reinstall the agent, and verify that the name in the AGENT's host file is used for the MS. If I recall, the install error is OK; just be patient and wait a few minutes, and the agent should pop into the MOM 2005 pending actions. Restarting the MOM 2005 agent after the install might help.

    If it does not, you might want to do a network capture between the agent and the MS when the agent starts up and see what server name it is trying to connect to.

    One other thing: are there any MOM 2005 agent hotfixes that you need to manually install that are also installed on your MOM 2005 infrastructure?


    Scott Moss MVP (Operations Manager) President - System Center Virtual Users Group |Vice President - Atlanta Southeast Management Users Group (ATL SMUG)
    Please remember to click “Mark as Answer” on the post that helps you!
    my new blog om2012.wordpress.com
    Thursday, December 22, 2011 6:59 PM
    Moderator
  • One more thing, on the mgmt svr, this event is registered, even though the svr is running W2K3-SP2:

    Event Type: Error
    Event Source: Microsoft Operations Manager
    Event Category: None
    Event ID: 26005
    Date:  12/22/2011
    Time:  11:41:48 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: <Mgmt Svr Name>
    Description:
    A MOM 2000 SP1 or earlier client attempted to connect to the MOM Server, but the server is configured to reject legacy clients.  The agent attempted to connect from x.x.x.x.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Thursday, December 22, 2011 7:30 PM
  • Hi,

    I think this event is self-explanatory:

    The agent trying to connect is too old (MOM 2000). You can override this in the settings.

    But why are you still using a product that is almost 5 generations old??  (2000 -> 2005 -> 2005 SP1 -> 2007 -> 2007 R2 -> 2012)

    I would stop trying to solve this and put the time into deploying SCOM 2012.. sorry

    Michel Kamp

    Thursday, December 22, 2011 9:16 PM
  • I agree with you Michel.  As mentioned previously, the agent (workgroup) is in a DMZ network and the MOM mgmt svr is on an internal domain network.

    Network communications between the two is working, and the agent has W2K3-SP2.  Even so, the mgmt svr is generating the "..mom 2000 sp1.." event in the logs.

    Thursday, December 22, 2011 10:13 PM
  • Uninstall the agent on the DMZ box. Verify that you're installing the MOM 2005 SP1 agent, and reinstall it. Get a fresh copy from the management server under the agent directory.

    Communications is working; now you need to install the right client on the agent machine.


    Scott Moss MVP (Operations Manager) President - System Center Virtual Users Group |Vice President - Atlanta Southeast Management Users Group (ATL SMUG)
    Friday, December 23, 2011 4:45 AM
    Moderator
  • Hi, make sure you don't mix up the agent version as being the operating system version of the machine you want to install an agent on and the MOM agent version (2000, 2000 SP1, 2005, 2005 SP1, 2007, 2007 SP1, 2007 R2, 2012). The error seemed to indicate that the MOM agent installed was an older version (whatever operating system you are installing it on). So pick up the agent installer files from the MOM server and try again. See what happens.
    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    Friday, December 23, 2011 8:06 AM
    Moderator
  • @Scott/@Bob - the only available agent is being installed.  Verified this through the registry; the version is MOM 2005 SP1 agent - 5.0.2911.0.

    Uninstalled and reinstalled the agent.  Same events on the mgmt svr.  Is this a known bug for this type of setup?


    Event Type: Error
    Event Source: Microsoft Operations Manager
    Event Category: None
    Event ID: 26005
    Date:  12/23/2011
    Time:  11:06:46 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: <Mgmt Svr Name>
    Description:
    A MOM 2000 SP1 or earlier client attempted to connect to the MOM Server, but the server is configured to reject legacy clients.  The agent attempted to connect from x.x.x.x. 

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Warning
    Event Source: Microsoft Operations Manager
    Event Category: None
    Event ID: 26027
    Date:  12/23/2011
    Time:  11:06:46 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: <Mgmt Svr Name>
    Description:
    The MOM Server is configured to use Mutual Authentication, but the MOM Agent at x.x.x.x is not.  This is a misconfiguration and is typically caused by a manual agent install configuration that does not match the MOM Server.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    For event ID 26027, I have 16 other domain servers that have the agent installed, and changing the global setting may require reinstallation of the agent on all 16 machines.
    • Edited by nfts Friday, December 23, 2011 6:45 PM
    Friday, December 23, 2011 6:12 PM
  • http://support.microsoft.com/kb/904866 (you should not have to change anything on other clients)

    PLEASE read and follow ALL the directions in this KB.

    I would suggest uninstalling the client off the dmz box and starting at the beginning of this kb article and follow its directions to the end.

    also disable Mutual Authentication

     

    To configure the MOM server to accept manual agent installations
    1. In the MOM Administrator console, expand the Administration node and select Global Settings.

    2. In the details pane, select Management Servers.

    3. Select the Agent Install tab, and then clear the Reject new manual agent installations check box.

    4. On the Administration pane, select Global Settings.

    5. On the Security tab, clear the Mutual Authentication Required field.

    6. Right-click the Management Pack folder, and click Commit Configuration Change.

    7. Stop and then start the MOM Service on all management servers in the management group.

     

     


    Scott Moss MVP (Operations Manager) President - System Center Virtual Users Group |Vice President - Atlanta Southeast Management Users Group (ATL SMUG)



    • Edited by ScottMossModerator Saturday, December 24, 2011 12:01 AM
    • Marked as answer by nfts Thursday, December 29, 2011 5:57 PM
    Friday, December 23, 2011 11:34 PM
    Moderator
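
The server-side events pasted in this thread (26005, 26026, 26027) can be grouped per agent address to see which side has Mutual Authentication set. This is an added example, not code from any poster or from Microsoft; the function names, the sample text and the address 192.0.2.10 are constructed, and the hint about 26005 reflects only what was observed in this thread.

```python
import re
from collections import defaultdict
MEANING = {  # wording follows the event descriptions quoted in this thread
    "26005": "server rejected the agent as a MOM 2000 SP1 or earlier client",
    "26026": "agent is set for Mutual Authentication, server is not",
    "26027": "server is set for Mutual Authentication, agent is not",
}
ADDR = re.compile(r"(?:connect from|Agent at)\s+(\d{1,3}(?:\.\d{1,3}){3})")
# Constructed sample in the thread's Event Viewer layout; 192.0.2.10 is a placeholder.
SAMPLE = """\
Event Type: Error
Event ID: 26005
Date:  12/23/2011
Time:  11:06:46 AM
Description:
A MOM 2000 SP1 or earlier client attempted to connect to the MOM Server, but the server is configured to reject legacy clients.  The agent attempted to connect from 192.0.2.10.

Event Type: Warning
Event ID: 26027
Date:  12/23/2011
Time:  11:06:46 AM
Description:
The MOM Server is configured to use Mutual Authentication, but the MOM Agent at 192.0.2.10 is not.
"""

def parse_events(text):
    """Split pasted Event Viewer text into dicts of header fields plus Description."""
    events = []
    for block in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        head, sep, desc = block.partition("Description:")
        if sep:
            ev = dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", head))
            ev["Description"] = " ".join(desc.split())
            events.append(ev)
    return events

def triage(text):
    """Return {agent address: [findings]} for the connection events in text."""
    stamps = defaultdict(lambda: defaultdict(set))  # addr -> (date, time) -> event IDs
    for ev in parse_events(text):
        m = ADDR.search(ev["Description"])
        if m and ev.get("Event ID") in MEANING:
            stamps[m.group(1)][(ev.get("Date"), ev.get("Time"))].add(ev["Event ID"])
    report = {}
    for addr, by_time in stamps.items():
        notes = [f"{i}: {MEANING[i]}" for i in sorted(set().union(*by_time.values()))]
        if any({"26005", "26027"} <= s for s in by_time.values()):  # pairing seen in this thread
            notes.append("26005 together with 26027: check Mutual Authentication settings first")
        report[addr] = notes
    return report
```
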
  • @Scott - That did the trick.  However, I'm seeing a warning in the app log with event id 26026.

    Event Type: Warning
    Event Source: Microsoft Operations Manager
    Event Category: None
    Event ID: 26026
    Date:  12/29/2011
    Time:  11:56:49 AM
    User:  NT AUTHORITY\NETWORK SERVICE
    Computer: <MOM Mgmt Svr>
    Description:
    The MOM Agent at x.x.x.x is configured to use Mutual Authentication, but the MOM Server is not.  This is a misconfiguration and is typically caused by a manual agent install configuration that does not match the MOM Server. 

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

    Does this require that I reinstall the agent on all managed machines?

    Thursday, December 29, 2011 5:58 PM
  • No, you should not have to reinstall agents; see last post.

    Just make sure that agents that have these events are still communicating with the MOM server and you should be good to go.


    Scott Moss MVP (Operations Manager) President - System Center Virtual Users Group |Vice President - Atlanta Southeast Management Users Group (ATL SMUG)
    Thursday, December 29, 2011 7:28 PM
    Moderator
  • @Scott,

    Happy New Year!  I am seeing the DMZ svr in the agent-managed computers console.  A new question I have is: besides TCP port 1270, what port(s) are used between the DMZ host and MOM after the agent is installed?

    TCP port 1270 is open between the two and the ICMP port range is opened as well for the heartbeat.  MOM broke for me after limiting the ports to TCP 1270 and the ICMP range.

    Where I'm going with this is that on the DMZ host, I have a script set up to monitor the drive space.  Upon reaching below a certain threshold, MOM is set up to email a notification alert.  Under normal conditions, MOM sends the email alerts as soon as the event is registered in the application log.

     


    • Edited by nfts Friday, January 6, 2012 4:01 PM
    Friday, January 6, 2012 3:58 PM
  • Also open UDP 1270 from agent to MOM server.
    Bob Cornelissen - BICTT (My Blog about SCOM) - Microsoft Community Contributor 2011 Recipient
    Friday, January 6, 2012 4:02 PM
    Moderator