Monitoring untrusted servers using SCOM, a step-by-step guide

When working with Operations Manager, you will often need to monitor servers and clients that are located outside of the Active Directory environment. These servers and clients may be located in the DMZ as workgroup machines, or you may have a number of completely separate Active Directory domains and forests that have no trust relationship with each other but still need to be monitored by a central Operations Manager implementation.

The Operations Manager agents support two authentication methods: Kerberos or certificate-based authentication. In order to monitor servers and clients located outside the Operations Manager's native Active Directory domain, you will need to configure certificate authentication using either an internal Certificate Authority or a 3rd party Certificate Authority.

The following is a high-level overview of the tasks involved in monitoring servers and clients located outside the Active Directory domain:

  • Check communication port availability
  • Download the Trusted Root (CA) certificate
  • Import the Trusted Root (CA) certificate
  • Create a certificate template
  • Request a certificate from the enterprise CA
  • Import the certificate into SCOM
  • Manual installation of agents and importing the SCOM certificate to the servers to be monitored
  • Approve agents in SCOM console
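As an added pre-flight check (not part of the original post or the linked series), the following PowerShell script can be run on the workgroup or DMZ machine after the certificate has been installed and before the agent is approved in the console. It assumes the SCOM default agent port TCP 5723, that the agent certificate already sits in the computer's personal store, and that the management server FQDN is passed in as a parameter.

```powershell
# Added example: verify the prerequisites for certificate-based agent
# authentication on a machine outside the domain. Assumptions: TCP 5723 is the
# default agent port, and the certificate was issued to this host's FQDN.
param(
    [Parameter(Mandatory)][string]$ManagementServer,
    [int]$Port = 5723
)

$results = [ordered]@{}

# 1. Port availability: agent-to-management-server traffic uses TCP 5723 by default.
$tnc = Test-NetConnection -ComputerName $ManagementServer -Port $Port -WarningAction SilentlyContinue
$results["TCP $Port reachable on $ManagementServer"] = $tnc.TcpTestSucceeded

# 2. A certificate issued to this host's FQDN, with a private key, must exist in LocalMachine\My.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($simpleName, $false) -ieq $fqdn -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$results["Certificate with private key for $fqdn in LocalMachine\My"] = [bool]$cert

if ($cert) {
    # 3. Mutual authentication requires both Server and Client Authentication EKUs.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $results['Server Authentication EKU (1.3.6.1.5.5.7.3.1)'] = $ekus -contains '1.3.6.1.5.5.7.3.1'
    $results['Client Authentication EKU (1.3.6.1.5.5.7.3.2)'] = $ekus -contains '1.3.6.1.5.5.7.3.2'

    # 4. The chain must build to a root present in Trusted Root Certification Authorities.
    #    Revocation checking is disabled here because DMZ hosts often cannot reach the CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $results['Certificate chain builds to a trusted root'] = $chain.Build($cert)
    $results['Certificate is within its validity period'] = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
}

# Print a PASS/FAIL line per check so the output can be pasted into a change record.
$results.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Any FAIL line points at the step in the list above that still needs attention before the agent is installed and approved.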

The links below provide a detailed step-by-step guide for configuring untrusted servers to be monitored through System Centre Operations Manager:

Monitoring Untrusted Servers Using Operations Manager Part 1 of 3

Monitoring Untrusted Servers Using Operations Manager Part 2 of 3

Monitoring Untrusted Servers Using Operations Manager Part 3 of 3

I hope this post will be helpful for someone by saving time in configuring servers outside the Active Directory domain.


About Jayachandran PK
My passion is for Microsoft technologies and how, if properly implemented, they can provide actual value for an organization, especially in the field of infrastructure, virtualization and system monitoring. I work for the biggest Microsoft partner in Kuwait, specialized in project consultation and implementation services for enterprise clients. When I'm not at work, I try to contribute back through a charitable organization dedicated to promoting the cultural values of Kerala. In my free time, I dabble in gardening and am also an avid solar power aficionado.

6 Responses to Monitoring untrusted servers using SCOM, a step-by-step guide

  1. Apostille says:

    Thanks, I like your blog very much, I come back most days to find new posts like this! Good effort.

    I learnt it.


  2. wyattwong says:

    Can I use SCOM 2007 R2 to monitor an untrusted server located in the DMZ by "agentless" monitoring?

    • Hi Wyatt Wong,

      To discover a computer for agentless monitoring, the management server's action account must be a local administrator on the remote computer and must be in the same domain, or a trust relationship must exist between their domains.

      The link below provides more details on the Security Considerations for Agentless Management in Operations Manager 2007 R2.

      • wyattwong says:

        What you mention is agentless monitoring for a server in the SAME domain, and I have succeeded in doing so. However, I mean agentless monitoring for an untrusted/workgroup server which has not joined the domain.

        I was able to discover the workgroup server in the SCOM 2007 R2 Discovery Wizard in the "Discovery Method" part; however, when the wizard proceeds to the "Administrator Account" part and I type in the local administrator account of the workgroup server and also tick the "This is a local computer account, not a domain account" checkbox, the wizard ends up failing to discover the workgroup server and I cannot proceed further to select "Agentless".

      • Here is a workaround to skip the discovery failure:
        Create a computer object in your AD with the same hostname as the remote computer to fake the domain object listing; this will pass the agent discovery process successfully. The discovery result page will show only a check box; the computer name is not displayed. However, you can click on the check box and then select agentless to proceed….
        Hope this helps you to meet your requirement.

      • Wyatt Wong says:

        After following your steps, I was able to see the check box with no computer name displayed and then proceed to select agentless. However, in Device Management -> Agentless Managed, I noticed the "domain" column for the computer object displayed the "SAME" domain as my other domain servers instead of showing "WORKGROUP". I also did not see the computer listed under "Monitoring -> Windows Computers".

        I doubt that the workgroup computer is now being monitored by SCOM in agentless monitoring?
