SCOM 2019 agent communication error in workgroup due to certificate issue

Any help to fix the above will be appreciated:

Background:

SCOM 2016 was successfully upgraded to SCOM 2019.

Newly connected clients require approval on the SCOM Manager.

The workgroup clients were manually upgraded to the provided SCOM 2019 agent, but there is a communication error due to a certificate error.

Certificates were re-imported without any error (MOMCertImport.exe /SubjectName), but the error still exists. The root CA certificate was imported into the Trusted Root Certification Authorities folder.

Also, a new client was installed on a new workgroup server but experienced the same error.

Questions:

Any idea how to fix the above on SCOM 2019?

Is there a MOMCertImport64.exe?

Error on SCOM Manager

The OpsMgr Connector negotiated the use of mutual authentication with x.x.x.x:64332, but Active Directory is not available and no certificate is installed. A connection cannot be established.

Error on Client

OpsMgr was unable to set up a communications channel to xx.domain.com and there are no failover hosts. Communication will resume when xx.domain.com is available and communication from this computer is allowed.

Hi @SamTech,

How did you upgrade your SCOM 2016 to SCOM 2019? Was it an in-place upgrade or a side-by-side migration? In other words, are you using existing servers or did you install new servers?


Here's a great script to check if your certificates are OK or not:
Troubleshooting OpsMgr SCOM Certificate Issues with PowerShell Script

Best regards,
Leon

@Leon Laude Thank you for providing the link to this script. I did an in-place upgrade.

Please have a look at the output below.

The script produced the following output on both the agent and the CA/server:

Client/Agent

Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.

***This certificate is properly configured and imported for Ops Manager use.***

Server

Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
The SubjectName of this cert does not match the FQDN of this machine.
Actual - CN=Client
Expected (case insensitive)- CN=xxxx.domain.com
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: 300000000000E3673BEEC0478E443000000047
Actual registry entry: 020000000000FD43FC6260FBCF620200000047
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
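The server output above shows two independent failures: the subject CN does not match the host FQDN, and the registry serial does not match the certificate. MOMCertImport stores the serial number as a byte-reversed REG_BINARY value named ChannelCertificateSerialNumber (the "Expected registry entry" is the agent's serial with its bytes in reverse order). The following PowerShell is an added example, not code from this thread or from the linked script; it assumes that value lives under the registry path shown and that the agent certificate is in the LocalMachine\My store, and it decodes the binding so you can see which certificate the agent is actually pointed at:

```powershell
# Added example: decode the MOMCertImport registry binding and compare it with the
# certificate present on the machine. Assumed path and value name, per MOMCertImport behaviour.
$MomRegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function Convert-OpsMgrSerial {
    # Reverses the byte order of a hex serial number. The same operation maps a
    # certificate serial to its registry form and a registry value back to the serial.
    param([Parameter(Mandatory)][string]$Hex)
    $clean = ($Hex -replace '[^0-9A-Fa-f]', '').ToUpper()
    $pairs = @([regex]::Matches($clean, '..') | ForEach-Object { $_.Value })
    -join $pairs[($pairs.Count - 1)..0]
}

function Get-OpsMgrBoundSerial {
    # Returns, in certificate form, the serial the agent has been told to use.
    $bin = (Get-ItemProperty -Path $MomRegPath -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber
    Convert-OpsMgrSerial -Hex (($bin | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-OpsMgrCertBinding {
    # Checks that the bound certificate exists, carries a private key, and names this host.
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $serial = Get-OpsMgrBoundSerial
    $cert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
    if (-not $cert) {
        return "Registry points at serial $serial but no such certificate is in LocalMachine\My; re-run MOMCertImport with the intended certificate."
    }
    $cn = ($cert.Subject -split ',')[0] -replace '^CN=', ''
    if ($cn -ine $fqdn) {
        return "Bound certificate $serial has subject CN=$cn, expected CN=$fqdn; request a certificate whose subject is the FQDN."
    }
    if (-not $cert.HasPrivateKey) {
        return "Bound certificate $serial has no private key in this store."
    }
    "Bound certificate $serial matches $fqdn and has a private key."
}

# Offline check using the values posted in this thread (no registry access needed).
# The agent's serial 4700000030448E47C0EE3B67E3000000000030 is the thread's
# "Expected registry entry" 300000000000E3673BEEC0478E443000000047 with bytes reversed:
Convert-OpsMgrSerial -Hex '4700000030448E47C0EE3B67E3000000000030'
# Decoding the server's "Actual registry entry" reveals which other certificate it is bound to:
Convert-OpsMgrSerial -Hex '020000000000FD43FC6260FBCF620200000047'
# Live check on the agent or management server:
Test-OpsMgrCertBinding
```

If the decoded "actual" serial belongs to an older or renewed certificate still in the store, that is the certificate MOMCertImport last imported, which explains the registry mismatch independently of the subject-name problem.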

I suggest you double check this one:

There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.

@Leon Laude 

I have re-installed the CA certificate, which made progress.

Although the agents in the SCOM console show as Healthy, unfortunately their health is Critical.

The event log on the SCOM server indicates the following:

"A device which is not part of this management group has attempted to access this Health Service. Requesting Device Name : XXXXXXXXX"

SCOM is set for manual approval at the global level with no override on the management server, but nothing is displayed in the Pending List. I have restarted the server and services. I have also attempted to clear the health cache via the SCOM console.

Is there a way I can force SCOM to re-evaluate all Agent connections and display non-approved agents in Pending List? Or is there any other approach to fixing this issue?

@SamTech:

Clearing the agent cache (the Health Service State folder) will make the SCOM agents re-initiate communication with the SCOM management server and attempt to fetch the information.

You can check my scripts in my SCOM GitHub repository; they may be able to assist you: