Forum Discussion
SCOM 2019 agent communication error in workgroup due to certificate issue
Any help to fix the above will be appreciated:
Background:
SCOM 2016 was successfully upgraded to SCOM 2019.
Newly connected clients require approval on SCOM Manager.
The workgroup clients were manually upgraded to the provided SCOM 2019 agent but there is a communication error due to a certificate error.
Certificates were re-imported without any error (MOMCertImport.exe /SubjectName) but the error still exists. The root CA certificate was imported into the Trusted Root Certification Authorities folder.
Also, a new Client was installed on a new workgroup server but experienced the same error.
Questions:
Any idea how to fix the above on SCOM 2019?
Is there a MOMCertImport64.exe?
Error on SCOM Manager
The OpsMgr Connector negotiated the use of mutual authentication with x.x.x.x:64332, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Error on Client
OpsMgr was unable to set up a communications channel to xx.domain.com and there are no failover hosts. Communication will resume when xx.domain.com is available and communication from this computer is allowed.
5 Replies
- Leon Laude, Iron Contributor
Hi SamTech,
How did you upgrade your SCOM 2016 to SCOM 2019? Was it an in-place upgrade or a side-by-side migration? In other words, are you using existing servers or did you install new servers?
Here's a great script to check if your certificates are OK or not:
https://gallery.technet.microsoft.com/scriptcenter/Troubleshooting-OpsMgr-27be19d3
Best regards,
Leon
- SamTech, Copper Contributor
Leon Laude Thank you for providing the link to this script. I did an in-place upgrade.
Please have a look at the below output.
The script provided the below output from both agent and CA/server:
Client/Agent
Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
***This certificate is properly configured and imported for Ops Manager use.***
Server
Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
The SubjectName of this cert does not match the FQDN of this machine.
Actual - CN=Client
Expected (case insensitive)- CN=xxxx.domain.com
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: 300000000000E3673BEEC0478E443000000047
Actual registry entry: 020000000000FD43FC6260FBCF620200000047
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
- Leon Laude, Iron Contributor
I suggest you double check this one:
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
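
The server output quoted above fails two checks: the certificate subject against the machine FQDN, and the serial number stored in the registry against the certificate's serial, where the expected registry value is the certificate serial with its bytes in reverse order. The PowerShell below is an added example, not part of the thread or of the linked script, that reproduces both comparisons on the values quoted in the thread; the function names and the FQDN `mgmt01.example.test` are assumptions.

```powershell
# Added example: helper names are hypothetical, not taken from the linked script.

function ConvertTo-ReversedSerial {
    param([Parameter(Mandatory)][string]$Hex)
    $clean = ($Hex -replace '\s', '').ToUpperInvariant()
    if ($clean.Length % 2 -ne 0 -or $clean -notmatch '^[0-9A-F]+$') {
        throw "Not an even-length hex string: $Hex"
    }
    # Split into byte pairs, reverse the byte order, join again.
    $pairs = @([regex]::Matches($clean, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    -join $pairs
}

function Test-OpsMgrCertBinding {
    param(
        [Parameter(Mandatory)][string]$CertSerial,     # serial as shown for the certificate
        [Parameter(Mandatory)][string]$CertSubject,    # e.g. 'CN=Client'
        [Parameter(Mandatory)][string]$MachineFqdn,    # FQDN of the machine being checked
        [Parameter(Mandatory)][string]$RegistrySerial  # "Actual registry entry" value
    )
    $expectedRegistry = ConvertTo-ReversedSerial $CertSerial
    [pscustomobject]@{
        # Same comparison the script reports: CN=<FQDN>, case insensitive.
        SubjectMatchesFqdn   = $CertSubject.Trim() -ieq "CN=$MachineFqdn"
        ExpectedRegistry     = $expectedRegistry
        RegistryMatchesCert  = $RegistrySerial -ieq $expectedRegistry
        # Serial of the certificate the registry entry currently refers to.
        RegistryPointsToCert = ConvertTo-ReversedSerial $RegistrySerial
    }
}

# Serials and subject copied from the server output in this thread;
# the FQDN is a constructed placeholder for the redacted xxxx.domain.com.
Test-OpsMgrCertBinding -CertSerial '4700000030448E47C0EE3B67E3000000000030' `
    -CertSubject 'CN=Client' -MachineFqdn 'mgmt01.example.test' `
    -RegistrySerial '020000000000FD43FC6260FBCF620200000047'
```

`RegistryPointsToCert` is the serial to look for in the machine's certificate store when the registry entry and the examined certificate disagree.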