Oct 11 2020 01:11 PM
Any help to fix the above will be appreciated:
Background:
SCOM 2016 was successfully upgraded to SCOM 2019.
Newly connected clients require approval on the SCOM management server.
The workgroup clients were manually upgraded to the provided SCOM 2019 agent, but there is a communication error due to a certificate error.
Certificates were re-imported without any error (MOMCertImport.exe /SubjectName), but the error still exists. The root CA certificate was imported into the Trusted Root Certification Authorities folder.
Also, a new client was installed on a new workgroup server, but it experienced the same error.
Questions:
Any idea how to fix the above on SCOM 2019?
Is there a MOMCertImport64.exe?
Error on SCOM Manager
The OpsMgr Connector negotiated the use of mutual authentication with x.x.x.x:64332, but Active Directory is not available and no certificate is installed. A connection cannot be established.
Error on Client
OpsMgr was unable to set up a communications channel to xx.domain.com and there are no failover hosts. Communication will resume when xx.domain.com is available and communication from this computer is allowed.
Oct 12 2020 01:18 PM
Hi @SamTech,
How did you upgrade your SCOM 2016 to SCOM 2019? Was it an in-place upgrade or a side-by-side migration? In other words, are you using existing servers or did you install new servers?
Here's a great script to check if your certificates are OK or not:
Troubleshooting OpsMgr SCOM Certificate Issues with PowerShell Script
Best regards,
Leon
Oct 12 2020 02:25 PM - edited Oct 12 2020 02:27 PM
@Leon Laude Thank you for providing the link to this script. I did an in-place upgrade.
Please have a look at the output below.
The script provided the below output from both agent and CA/server:
Client/Agent
Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
***This certificate is properly configured and imported for Ops Manager use.***
Server
Examining cert - Serial number 4700000030448E47C0EE3B67E3000000000030
---------------------------------------------------
Cert subjectname
The SubjectName of this cert does not match the FQDN of this machine.
Actual - CN=Client
Expected (case insensitive)- CN=xxxx.domain.com
Private key
Expiration
Enhanced Key Usage Extension
Key Usage Extensions
KeySpec
Serial number written to registry
The serial number written to the registry does not match this certificate
Expected registry entry: 300000000000E3673BEEC0478E443000000047
Actual registry entry: 020000000000FD43FC6260FBCF620200000047
Certification chain
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
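As an added example (not part of this thread and not the linked troubleshooting script), the PowerShell below reproduces the checks whose results are printed above: it reads the serial number MOMCertImport wrote to the registry (stored as REG_BINARY in reversed byte order, which is why the "Expected" value above is the byte-reversed serial), finds that certificate in the machine store, and tests subject name, private key, validity period, EKU, key usage and chain. The registry path and value name are the ones MOMCertImport uses; deriving the expected FQDN via DNS is an assumption about what the original script compares against.

```powershell
# Added example: verify the certificate SCOM's OpsMgr Connector will use on this machine.
# Registry location written by MOMCertImport.exe (value is REG_BINARY, bytes reversed).
function Test-ScomChannelCertificate {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $X509 = 'System.Security.Cryptography.X509Certificates'

    # Assumption: the script compares against the DNS-resolved FQDN of this host.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    try {
        $regBytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction Stop).ChannelCertificateSerialNumber
    } catch {
        Write-Warning "No ChannelCertificateSerialNumber in registry; run MOMCertImport.exe first."
        return
    }

    # Undo the byte reversal to get the serial as the cert store displays it.
    $reversed = [byte[]]$regBytes.Clone()
    [array]::Reverse($reversed)
    $serialFromReg = ($reversed | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -ieq $serialFromReg }
    if (-not $cert) {
        # This is the "serial number written to the registry does not match" case above.
        Write-Warning "Registry points at serial $serialFromReg but no such cert exists in LocalMachine\My."
        Write-Warning "Certificates present:"
        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.SerialNumber, $_.Subject) }
        return
    }

    $now = Get-Date
    $eku = ($cert.Extensions | Where-Object { $_ -is "$X509.X509EnhancedKeyUsageExtension" }).EnhancedKeyUsages.Value
    $ku  = ($cert.Extensions | Where-Object { $_ -is "$X509.X509KeyUsageExtension" }).KeyUsages
    $kuFlags = "$X509.X509KeyUsageFlags" -as [type]

    # KeySpec is only exposed for legacy CSP keys; CNG keys return $null here.
    $keySpec = $null
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $keySpec = $cert.PrivateKey.CspKeyContainerInfo.KeySpec
    }

    $chain = New-Object "$X509.X509Chain"
    $chainOk = $chain.Build($cert)

    $results = [ordered]@{
        "Subject CN matches FQDN ($fqdn)"          = ($cert.GetNameInfo('SimpleName', $false) -ieq $fqdn)
        'Private key present'                      = $cert.HasPrivateKey
        'Within validity period'                   = ($cert.NotBefore -lt $now -and $cert.NotAfter -gt $now)
        'EKU has Server Auth (1.3.6.1.5.5.7.3.1)'   = ($eku -contains '1.3.6.1.5.5.7.3.1')
        'EKU has Client Auth (1.3.6.1.5.5.7.3.2)'   = ($eku -contains '1.3.6.1.5.5.7.3.2')
        'KeyUsage DigitalSignature+KeyEncipherment' = ($ku -ne $null -and
                                                       $ku.HasFlag($kuFlags::DigitalSignature) -and
                                                       $ku.HasFlag($kuFlags::KeyEncipherment))
        'KeySpec is KeyExchange (CSP keys only)'   = ($keySpec -eq $null -or $keySpec -eq 'KeyExchange')
        'Chain builds to a trusted root'           = $chainOk
    }

    "Examining cert - Serial number $($cert.SerialNumber)  Subject: $($cert.Subject)"
    $results.GetEnumerator() | ForEach-Object {
        "{0}  {1}" -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
    }
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { "  chain: $($_.Status) - $($_.StatusInformation.Trim())" }
    }
}

Test-ScomChannelCertificate
```

Run it in an elevated prompt on both the agent and the management server. A PASS on every line on one side does not prove the pair will talk: each side must also trust the root that issued the other side's certificate, which is what the "remote machines' certificates could potentially be issued from different CAs" note above is pointing at.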
Oct 14 2020 01:51 AM
I suggest you double check this one:
There is a valid certification chain installed for this cert,
but the remote machines' certificates could potentially be issued from
different CAs. Make sure the proper CA certificates are installed
for these CAs.
Oct 18 2020 07:30 AM
I have re-installed the CA certificate which made progress
Although the agents in the SCOM console show as Healthy, unfortunately their health is Critical.
The event log on SCOM Server indicate the following:
"A device which is not part of this management group has attempted to access this Health Service. Requesting Device Name : XXXXXXXXX"
SCOM is set for Manual approval at the global level with no override on Management server but nothing is displayed in the Pending List. I have restarted the server and services. Also I have attempted to Clear the Health cache via the SCOM Console.
Is there a way I can force SCOM to re-evaluate all Agent connections and display non-approved agents in Pending List? Or is there any other approach to fixing this issue?
Oct 20 2020 07:05 AM
Clearing the agent cache (Health Service State folder) will make the SCOM agents re-initiate communication with the SCOM management server to attempt to fetch the information.
You can check my scripts in my SCOM GitHub repository, they may be able to assist you:
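As an added example of the cache-clearing step described above (not code from the thread or from the linked GitHub repository), the PowerShell below stops the agent service, sets the Health Service State folder aside, restarts the service and then lists the connector's most recent events so the result of the reconnection attempt can be read directly. It assumes a default agent install, where the install directory is recorded under the Setup registry key and the service is named HealthService; renaming rather than deleting the folder is a choice made here so the old cache can be restored.

```powershell
# Added example: reset the SCOM agent cache and watch the reconnection attempt.
function Reset-ScomAgentCache {
    # Assumption: default agent install records its path under this Setup key.
    $setupKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup'
    $installDir = (Get-ItemProperty -Path $setupKey -Name InstallDirectory).InstallDirectory
    $stateDir   = Join-Path $installDir 'Health Service State'

    Stop-Service -Name HealthService -Force
    (Get-Service -Name HealthService).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # Rename instead of delete so the previous cache can be put back if needed.
    if (Test-Path -Path $stateDir) {
        $backup = 'Health Service State.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date)
        Rename-Item -Path $stateDir -NewName $backup
        "Old cache moved to $(Join-Path $installDir $backup)"
    }

    Start-Service -Name HealthService
    (Get-Service -Name HealthService).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

    # Give the connector time to negotiate, then show what it logged.
    Start-Sleep -Seconds 30
    Get-WinEvent -LogName 'Operations Manager' -MaxEvents 50 |
        Where-Object { $_.ProviderName -eq 'OpsMgr Connector' } |
        Select-Object TimeCreated, Id, Message |
        Format-Table -Wrap -AutoSize
}

Reset-ScomAgentCache
```

After the service restarts, the events listed at the end tell you whether the agent now sits in the management server's Pending Management list (a connection that closes immediately after authentication) or is still failing at the certificate stage (the "mutual authentication ... no certificate is installed" message quoted at the top of the thread).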