Monitoring untrusted servers using SCOM, a step-by-step guide
May 17, 2010 6 Comments
When using Operations Manager, you will often need to monitor servers and clients that are located outside of the Active Directory environment. These servers and clients may be located in the DMZ as workgroup machines, or you may have a number of completely separate Active Directory domains and forests, with no trust relationship between them, that still need to be monitored by a central Operations Manager implementation.
The Operations Manager agents support two authentication methods: Kerberos or certificate-based authentication. In order to monitor servers and clients located outside the Operations Manager's native Active Directory domain, you will need to configure certificate authentication using either an internal Certificate Authority or a 3rd-party Certificate Authority.
The following is a high-level overview of the tasks involved in monitoring servers and clients located outside the Active Directory domain.
- Check communication port availability
- Download the Trusted Root (CA) certificate
- Import the Trusted Root (CA) certificate
- Create a certificate template
- Request a certificate from the enterprise CA
- Import the certificate into SCOM
- Manual installation of agents and importing the SCOM certificate to the servers to be monitored
- Approve agents in SCOM console
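As an added example (not code from the original post), the PowerShell pre-flight script below covers the first task, the port check, and validates that a certificate in the local machine store meets the requirements the later tasks depend on before it is imported into SCOM. It assumes the default agent port TCP 5723, a placeholder management server name, and the Microsoft-documented requirement that the agent certificate carries both the Server Authentication and Client Authentication enhanced key usages, has its private key, and has a subject CN matching the machine's FQDN.

```powershell
# Added example, not part of the original post. Run on the workgroup/DMZ
# machine that will be monitored. Assumptions: TCP 5723 is the agent port
# (SCOM default), the management server name below is a placeholder, and
# the agent certificate sits in the LocalMachine\My store.
param(
    [string]$ManagementServer = "scom-ms.example.local",  # placeholder
    [int]$Port = 5723
)

# 1. Port check: the agent must reach the management server on TCP 5723.
function Test-ScomPort {
    param([string]$Server, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $TcpPort, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(3000)  # 3 second timeout
        if ($ok) { $client.EndConnect($async) }
        return $ok
    } catch { return $false } finally { $client.Close() }
}

# 2. Certificate check: Server Authentication and Client Authentication
#    EKUs, a private key, subject CN equal to the FQDN, and a chain that
#    builds to a root the machine trusts (the imported Trusted Root CA).
function Test-ScomCertificate {
    param([string]$Fqdn)
    $serverAuth = "1.3.6.1.5.5.7.3.1"
    $clientAuth = "1.3.6.1.5.5.7.3.2"
    $results = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) { $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $results += [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            SubjectMatch = $cert.Subject -like "CN=$Fqdn*"
            ServerAuth   = $oids -contains $serverAuth
            ClientAuth   = $oids -contains $clientAuth
            PrivateKey   = $cert.HasPrivateKey
            ChainValid   = $cert.Verify()
        }
    }
    return $results
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
"Port $Port on $ManagementServer reachable: $(Test-ScomPort $ManagementServer $Port)"
Test-ScomCertificate -Fqdn $fqdn | Format-Table -AutoSize
```

A certificate row with any False value will fail agent authentication after import, so fix it (re-request from the template, or import the root CA) before running MOMCertImport.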
The links below provide a detailed step-by-step guide for configuring untrusted servers to be monitored through System Center Operations Manager:
Monitoring Untrusted Servers Using Operations Manager Part 1 of 3
Monitoring Untrusted Servers Using Operations Manager Part 2 of 3
Monitoring Untrusted Servers Using Operations Manager Part 3 of 3
Hope this post will be helpful for someone by saving time in configuring servers outside the Active Directory domain.
Hi,
Thanks, I like your blog very much, I come back most days to find new posts like this! Good effort.
I learnt it.
Apostille
Can I use SCOM 2007 R2 to monitor an untrusted server located in the DMZ using “agentless” monitoring?
Hi Wyatt Wong,
To discover a computer for agentless monitoring, the management server’s action account must be a local administrator on the remote computer and must be in the same domain, or a trust relationship must exist between their domains.
The below link will provide more details on the Security Considerations for Agentless Management in Operations Manager 2007 R2.
http://technet.microsoft.com/en-us/library/bb735426.aspx
What you mention is agentless monitoring for a server in the SAME domain, and I have succeeded in doing so. However, I mean agentless monitoring for an untrusted/workgroup server which has not joined the domain.
I was able to discover the workgroup server in the SCOM 2007 R2 Discovery Wizard in the “Discovery Method” part; however, when the wizard proceeds to the “Administrator Account” part and I type in the local administrator account of the workgroup server and also tick the “This is a local computer account, not a domain account” checkbox, the wizard ends up failing to discover the workgroup server and I cannot proceed further to select “Agentless”.
Here is a workaround to skip the discovery failure:
Create a computer object in your AD with the same hostname as the remote computer to fake the domain object listing; this will pass the agent discovery process successfully. The discovery result page will show only a check box, the computer name is not displayed. However, you can click on the check box and then select agentless to proceed.
Hope this helps you to meet your requirement.
After following your steps, I was able to see the check box with no computer name displayed and then proceed to select agentless. However, in Device Management -> Agentless Managed, I noticed the “domain” column for the computer object displayed the “SAME” domain as my other domain servers instead of showing “WORKGROUP”. I also did not see the computer listed under “Monitoring -> Windows Computers”.
I doubt that the workgroup computer is now being monitored by SCOM in agentless monitoring?