Monitoring Workgroup Server in SCOM 2012 R2

  • Question

  • Hi All,

    We are using SCOM 2012 R2. I need to monitor one edge server which is in a workgroup (DMZ). So we need to monitor that edge server EDGE1 via the Gateway server.

    We have 2 Management servers, 1 gateway server, and 150 agents reporting to that gateway. So now this DMZ server also needs to report to the gateway. How to achieve that?

    I have taken a pfx certificate from GW ADCS and imported it in the edge server with server name EDGE1.XXXX.XXX (it has a DNS alias, the server's full computer name). But this server has been showing in the console as Not Monitored state for a long time.

    So my queries are:
    1. Certificate for EDGE1 should be taken from GW AD or MS AD?
    2. Server name should be EDGE1 or EDGE1.XXXX.XXX with some domain prefix?
    3. Certificate should be imported to only the DMZ server or anywhere else?
    4. Any separate workgroup account need to be created for this?

    Monday, June 24, 2019 2:49 PM

Answers

  • 1. It needs its own certificate in its "Personal" cert store, and the Certification Authority certificate(s) in the trusted root store.

    2. It needs to be the Full computer name, which may or may not contain the domain suffix depending on how the server is configured, even in a workgroup.

    3. The EDGE1 certificate only needs to be imported to the EDGE1 server.

    4. No.



    Monday, June 24, 2019 3:07 PM

All replies

  • Hello,

    Certificates must be issued and installed, for the gateway and management servers and the managed servers.

    The server name must match the name in the certificate.

    Check if non-domain member server can connect to port 5723 from Management Server.

    No separate workgroup account needed, it's enough that you have local administrator rights on the servers.

    The following illustration shows the authentication relationships in a management group using a gateway server.

    There are a lot of good guides and material out there, I suggest you check them out:

    Monitoring OpsMgr workgroup clients - Part 1: Installing and configuring the Root CA

    Monitoring OpsMgr workgroup clients - Part 2: Installing certificates and final configuration

    Monitoring OpsMgr workgroup clients - Part 3: Installing and configuring a gateway


    Here's also a very detailed blog explaining everything:

    Monitoring non-domain members with OM 2012


    Here's a step-by-step guide as well:

    Monitor Workgroup / DMZ servers in SCOM using Certificates

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    • Edited by Leon Laude Monday, June 24, 2019 3:48 PM corrected
    Monday, June 24, 2019 3:11 PM
  • Sorry Leon but I'll have to disagree here:

    - A monitored server in a workgroup needs its own certificate as well, in addition to the ones in the gateway and the MS.

    - There is no hard requirement to use a full FQDN, you just need a cert name matching the Full computer name in Windows.

    Monday, June 24, 2019 3:15 PM
  • Yes that's very correct, it's been too long... I only use FQDN always (old habits I guess) but it does work without!

    Blog: https://thesystemcenterblog.com

    Monday, June 24, 2019 3:40 PM
  • Hi,

    Totally agree with CyrAz. If the Edge server is in a workgroup, the subject of the certificate we request from the Root CA can be "EDGE1". You can confirm in EDGE1's certificate store that the name matches.

    At the same time, make sure the root CA certificate is already put in the "Trusted Root Certification Authorities" in the above picture on EDGE1, the Gateway server and the Management server.

    However, if the issue still persists, we can go to Event Viewer -> Applications and Services Logs -> Operations Manager to see the detailed error.

    Hope the information can help.

    Best regards,

    Crystal


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 25, 2019 2:00 AM
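The checks from the accepted answer (own certificate in the Personal store, subject equal to the Full computer name, CA certificate in Trusted Root), Leon's port 5723 test and Crystal's Operations Manager event log tip, gathered into one script. This is an added example and not code from any poster; it assumes it is run as a local administrator on EDGE1, that the SCOM agent certificate carries the Server Authentication and Client Authentication EKUs, and that the gateway name in `$Gateway` is a placeholder to replace.

```powershell
param(
    [string]$Gateway = 'GATEWAY1.example.com'   # placeholder: your SCOM gateway server
)

# "Full computer name" as shown in System properties: hostname plus the primary
# DNS suffix, which a workgroup server may or may not have configured.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fullName = if ($tcpip.Domain) { "$($tcpip.Hostname).$($tcpip.Domain)" } else { $tcpip.Hostname }
Write-Host "Full computer name: $fullName"

function Test-RootTrusted([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Build the chain offline (DMZ hosts often cannot reach a CRL) and confirm
    # its root lives in LocalMachine\Root, i.e. Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")
}

# Candidate agent certificates: subject CN must equal the full computer name.
$required = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # Server Auth, Client Auth
$found = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $cn = $c.GetNameInfo('SimpleName', $false)
    if ($cn -ine $fullName) { continue }
    $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        MissingEku    = (@($required | Where-Object { $_ -notin $ekus }) -join ',')
        Expired       = ($c.NotAfter -lt (Get-Date))
        RootTrusted   = Test-RootTrusted $c
    }
}
if (-not $found) { Write-Warning "No certificate in LocalMachine\My with CN '$fullName'" }
$found | Format-Table -AutoSize

# The agent initiates the connection to the gateway on TCP 5723.
Test-NetConnection -ComputerName $Gateway -Port 5723 | Select-Object ComputerName, TcpTestSucceeded

# Most recent errors/warnings from the connector, as Crystal suggests checking.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Level = 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'OpsMgr Connector' } |
    Select-Object -First 10 TimeCreated, Id, Message | Format-List
```

A row with `HasPrivateKey` false, a non-empty `MissingEku`, or `RootTrusted` false explains a Not Monitored agent as readily as a failed port test does.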
  • >>But this server showing in console as Not Monitored state for long time.
    1) Go to the Administration workspace --> Agent Managed.
       If the EDGE1 entity exists, this means this server successfully reports to the gateway server. Also check whether the entity is in a healthy state or not-monitored state.
    2) If Not monitored and gray agents, please refer to
    https://docs.microsoft.com/en-us/system-center/scom/manage-agents-not-healthy?view=sc-om-2019

    3) Also check the agent action account, such that MP monitors and rules can deploy to the workgroup agent.

    Roger
    Tuesday, June 25, 2019 2:49 AM
  • Hi,

    were you able to figure that one out? The guys provided really helpful answers. We appreciate your feedback and thank you in advance!

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Wednesday, July 3, 2019 1:01 PM
    Moderator