Identifying the type of installed Certificate Authority.

Click Start, click Run, type Regedit, and then press Enter

Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>

Double-click the CAType value. Its data identifies the installed CA type:

CAType = 0  Enterprise Root CA
CAType = 1  Enterprise Subordinate CA
CAType = 3  Standalone CA
CAType = 4  Standalone Subordinate CA

Monitoring untrusted servers using SCOM

Operations Manager uses a more secure communication model that requires mutual authentication between the agent and the management server. Mutual authentication between Operations Manager components can be achieved using either Kerberos or certificate authentication. Mutual authentication via Kerberos requires a trusted scenario in which all machines in the conversation are in the same Active Directory domain, or in a domain with a two-way trust relationship with the domain containing the target Management Server.

However, where machines outside the trusted environment must be monitored, Kerberos authentication is not possible. In these cases, Operations Manager 2007 can use X.509 certificates for mutual authentication in a variety of scenarios.

The following diagram illustrates this scenario.

[Diagram: Monitoring non-trusted servers using SCOM]

Monitoring untrusted servers using SCOM, a step-by-step guide

Operations Manager is often required to monitor servers and clients located outside the Active Directory environment. These may be workgroup machines in the DMZ, or machines in entirely separate Active Directory domains and forests that have no trust relationship with each other but still need to be monitored by a central Operations Manager implementation.

The Operations Manager agent supports two authentication methods: Kerberos and certificate-based authentication. To monitor servers and clients located outside Operations Manager's native Active Directory domain, you must configure certificate authentication using either an internal Certificate Authority or a third-party Certificate Authority.

The following is a high-level overview of the tasks involved in monitoring servers and clients located outside the Active Directory domain:

  • Check communication port availability
  • Download the Trusted Root (CA) certificate
  • Import the Trusted Root (CA) certificate
  • Create a certificate template
  • Request a certificate from the enterprise CA
  • Import the certificate into SCOM
  • Manually install the agents and import the SCOM certificate on the servers to be monitored
  • Approve the agents in the SCOM console
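The first and the certificate-related tasks above can be verified on the monitored machine before the agent is approved. The following PowerShell script is an added example written for this post, not code from the original article or from Operations Manager; it assumes TCP 5723 is the agent-to-management-server port (the SCOM default) and that candidate certificates live in the LocalMachine\My store.

```powershell
# Added example (not part of the original post): checks the prerequisites the
# overview above lists for certificate-based mutual authentication between an
# Operations Manager agent and its management server.
# Assumptions: TCP 5723 is the agent/management-server port (SCOM default);
# the candidate certificates are in the LocalMachine\My store.
param(
    [Parameter(Mandatory)] [string] $ManagementServer,
    [int] $Port = 5723
)

$kuFlags       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Task 1: communication port availability towards the management server.
$tcp = Test-NetConnection -ComputerName $ManagementServer -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $Port to $ManagementServer is not reachable from this host."
}

# Tasks 2-6: the agent certificate needs both EKUs, the DigitalSignature and
# KeyEncipherment key usages, a CN equal to the machine FQDN, a private key,
# and must chain to a root the machine already trusts (the imported CA root).
function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ekus  = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $kuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }  # Key Usage
    $ku    = if ($kuExt) { $kuExt.KeyUsages } else { $kuFlags::None }
    $cn    = $Cert.GetNameInfo('SimpleName', $false)
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        SubjectCN     = $cn
        SubjectIsFqdn = $cn -ieq $fqdn
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuth    = $ekus -contains $serverAuthOid
        ClientAuth    = $ekus -contains $clientAuthOid
        KeyUsageOk    = $ku.HasFlag($kuFlags::DigitalSignature) -and $ku.HasFlag($kuFlags::KeyEncipherment)
        TrustedChain  = $Cert.Verify()          # false until the CA root is imported
        NotExpired    = $Cert.NotAfter -gt (Get-Date)
    }
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate $_ }
$report | Format-Table -AutoSize
$usable = $report | Where-Object { $_.SubjectIsFqdn -and $_.HasPrivateKey -and $_.ServerAuth -and
                                   $_.ClientAuth -and $_.KeyUsageOk -and $_.TrustedChain -and $_.NotExpired }
if ($usable) { "Usable certificate(s): $($usable.Thumbprint -join ', ')" }
else { Write-Warning 'No certificate in LocalMachine\My satisfies every Operations Manager requirement.' }
```

A certificate that shows TrustedChain = False but passes every other check usually means the Trusted Root (CA) certificate has not yet been imported on that machine.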

The links below provide a detailed step-by-step guide for configuring untrusted servers to be monitored through System Centre Operations Manager:

Monitoring Untrusted Servers Using Operations Manager Part 1 of 3

Monitoring Untrusted Servers Using Operations Manager Part 2 of 3

Monitoring Untrusted Servers Using Operations Manager Part 3 of 3

I hope this post will be helpful for someone, saving time when configuring servers outside the Active Directory domain.

Manually creating virtual directory for Certificate Services

When the Certificate Authority is installed before the IIS service, the virtual directory required to access the Certificate Services web page (http://<certificateserver>/certsrv) must be created manually.

To create the virtual directory, open a command prompt and run

certutil -vroot

Then restart IIS and open the Certificate Services web page to request a certificate through the GUI.