Forum Discussion
SCOM 2019 agent communication error in workgroup due to certificate issue
Hi SamTech,
How did you upgrade your SCOM 2016 to SCOM 2019? Was it an in-place upgrade or a side-by-side migration? In other words, are you using existing servers or did you install new servers?
Here's a great script to check if your certificates are OK or not:
https://gallery.technet.microsoft.com/scriptcenter/Troubleshooting-OpsMgr-27be19d3
Best regards,
Leon
- SamTech Oct 12, 2020 Copper Contributor
Leon Laude, thank you for providing the link to this script. I did an in-place upgrade.
Please have a look at the output below.
The script provided the below output from both agent and CA/server:
Client/Agent
Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
***This certificate is properly configured and imported for Ops Manager use.***
Server
Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
The SubjectName of this cert does not match the FQDN of this machine.
Actual - CN=Client
Expected (case insensitive)- CN=xxxx.domain.com
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: 300000000000E3673BEEC0478E443000000047
Actual registry entry: 020000000000FD43FC6260FBCF620200000047
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
- Leon Laude Oct 14, 2020 Iron Contributor
I suggest you double check this one:
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
- SamTech Oct 18, 2020 Copper Contributor
I have re-installed the CA certificate, which made progress.
Although the Agents in the SCOM console show Healthy, unfortunately their health is Critical.
The event log on the SCOM Server indicates the following:
"A device which is not part of this management group has attempted to access this Health Service. Requesting Device Name : XXXXXXXXX"
SCOM is set for Manual approval at the global level with no override on Management server but nothing is displayed in the Pending List. I have restarted the server and services. Also I have attempted to Clear the Health cache via the SCOM Console.
Is there a way I can force SCOM to re-evaluate all Agent connections and display non-approved agents in Pending List? Or is there any other approach to fixing this issue?
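The server output earlier in this thread flags two mismatches: the certificate subject against the machine's FQDN, and the serial number written to the registry, where the expected entry is the certificate serial with its bytes in reverse order. The PowerShell below is an added example, not part of the thread or the linked script, that repeats those read-only checks for every certificate in the local machine store. The registry key path and the `ChannelCertificateSerialNumber` value name are assumptions about where Operations Manager records the serial, and `ConvertTo-RegistrySerial` is a hypothetical helper name.

```powershell
# Added example; read-only checks against the local certificate store and registry.
# Assumption: Operations Manager stores the selected certificate's serial here.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function ConvertTo-RegistrySerial([string]$Serial) {
    # The registry entry is the serial with its byte order reversed, as the
    # "Expected registry entry" line in the thread's server output shows.
    $pairs = @([regex]::Matches($Serial.ToUpper(), '[0-9A-F]{2}') | ForEach-Object { $_.Value })
    [array]::Reverse($pairs)
    -join $pairs
}

# Name the certificate subject is compared with (host name plus DNS suffix, if any).
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = (@($ip.HostName, $ip.DomainName) | Where-Object { $_ }) -join '.'

# Serial currently written to the registry, as an upper-case hex string.
$regBytes = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
$regHex   = if ($regBytes) { -join ($regBytes | ForEach-Object { $_.ToString('X2') }) } else { '<not set>' }
"Machine name:    $fqdn"
"Registry serial: $regHex"

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $eku  = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $now  = Get-Date
    [pscustomobject]@{
        Serial          = $cert.SerialNumber
        # -match is case insensitive, like the comparison in the script output.
        SubjectIsFqdn   = $cert.Subject -match "^CN=$([regex]::Escape($fqdn))(,|$)"
        HasPrivateKey   = $cert.HasPrivateKey
        WithinValidity  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        # Server Authentication and Client Authentication OIDs.
        ServerAuthEku   = $eku -contains '1.3.6.1.5.5.7.3.1'
        ClientAuthEku   = $eku -contains '1.3.6.1.5.5.7.3.2'
        RegistryMatches = $regHex -eq (ConvertTo-RegistrySerial $cert.SerialNumber)
    }
} | Format-Table -AutoSize
```

A row where every column is True corresponds to the certificate the machine is configured to use; a certificate whose subject names another host, as in the server output above, shows False under `SubjectIsFqdn`.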