SCOM uses mutual authentication between the health service (the agent) and the RMS/MS servers (Root Management Server and Management Servers). Mutual authentication relies on Active Directory as its backbone to issue Kerberos tickets. If you have servers in an untrusted domain, SCOM 2007 introduces a new role named Gateway: the gateway holds a certificate and acts as a bridge in the authentication pipeline.
This post shows how to monitor a single stand-alone server with SCOM 2007 by using certificates instead of Kerberos.
1. Create a certificate template and name it OpsManagerCer. This template must carry two enhanced key usage (EKU) extensions:
· Client Authentication.
· Server Authentication.
Enroll both the SCOM server and the stand-alone machine for a certificate from this template. Then use the new tool MOMCertImport.exe to select the newly enrolled certificate.
MOMCertImport.exe is in the SCOM SP1 installation files under [ SupportTools\i386 ] and has a simple GUI. You have to restart the health service (the OpsMgr Health Service) after running this tool.
2. Now install the SCOM agent manually on the stand-alone server. The installation files are in the SCOM SP1 installation files under [ agent\i386 ]. Before installing the agent, make sure MSXML 6.0 is installed manually.
After you install the agent, copy the AD helper (OOMADS.msi) and the ASP.NET helper (MOMAspNet.msi) from the SCOM SP1 installation files (under HelperObjects) to the <InstallDir>\HelperObjects directory.
3. You may see events in the event viewer saying the agent is not able to connect to the management server (event IDs 21016 and 20070). In this case the cause is an SPN registration problem. To fix it, install the Windows Server 2003 Support Tools on the stand-alone server and do the following:
a. List the SPNs registered to the computer account:
setspn -L computername
This lists the SPNs registered to the computer account, which is the account to check when the health service runs as Local System (if the service runs under a domain account, list that account instead).
A healthy output should include:
b. If the SCOM SPNs are not registered, you have to register them manually. Suppose the server name is PC1 and the RMS name is SCOM.Contoso.com; then run the following from the stand-alone server (setspn writes to the computer object in Active Directory, so use an account that is allowed to modify that object):
setspn -A MSOMHSvc/SCOM.CONTOSO.COM PC1
setspn -A MSOMHSvc/SCOM PC1
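To check the three steps above in one go, here is a PowerShell script I am adding as an example; it is not from the original post and not a Microsoft tool. Run it on the stand-alone server in an elevated PowerShell session. It assumes the RMS is SCOM.Contoso.com (as in the post), that the certificate was enrolled into the local machine Personal store, and that setspn.exe from the Support Tools is on the PATH. The registry value MOMCertImport writes (ChannelCertificateSerialNumber under the Machine Settings key, serial stored in reverse byte order) is an assumption on my part; adjust it if your build differs.

```powershell
# Added example, not from the original post. Checks the certificate, the MSXML 6.0
# prerequisite and the MSOMHSvc SPNs on a stand-alone SCOM 2007 agent.
# Assumptions: RMS = SCOM.Contoso.com, cert in LocalMachine\My, setspn.exe on PATH,
# and the MOMCertImport registry location below (from memory, verify on your build).
param(
    [string]$RmsFqdn = "SCOM.Contoso.com",
    [switch]$RegisterSpn    # when set, actually run setspn -A for missing SPNs
)

$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # EKU: Client Authentication
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # EKU: Server Authentication
$Computer      = $env:COMPUTERNAME
$Fqdn          = [System.Net.Dns]::GetHostEntry($Computer).HostName

# --- Step 1: a usable certificate in LocalMachine\My -------------------------------
# Both EKUs and a private key are required; the subject should be this machine's FQDN.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) { return $false }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $cert.HasPrivateKey -and ($oids -contains $ClientAuthOid) -and ($oids -contains $ServerAuthOid)
})

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with Client + Server Authentication EKUs and a private key; enroll from the OpsManagerCer template first."
}
foreach ($c in $candidates) {
    "Certificate: thumbprint $($c.Thumbprint), subject '$($c.Subject)', valid until $($c.NotAfter)"
    if ($c.Subject -notmatch [regex]::Escape($Fqdn)) {
        Write-Warning "Subject does not contain this machine's FQDN ($Fqdn); check that the certificate was issued for this server."
    }
}

# Has MOMCertImport been run? Assumption: it stores the chosen certificate's serial number
# as REG_BINARY here, bytes reversed relative to the serial shown in the certificate MMC.
$momKey = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"
$stored = (Get-ItemProperty -Path $momKey -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if (-not $stored) {
    Write-Warning "ChannelCertificateSerialNumber not set; run MOMCertImport.exe, then restart the HealthService service."
} else {
    [array]::Reverse($stored)
    $storedHex = ($stored | ForEach-Object { $_.ToString("X2") }) -join ""
    $match = $candidates | Where-Object { $_.SerialNumber -eq $storedHex }
    if ($match) { "MOMCertImport points at thumbprint $($match.Thumbprint)" }
    else        { Write-Warning "MOMCertImport serial $storedHex does not match any usable certificate above." }
}

# --- Step 2: MSXML 6.0 prerequisite -------------------------------------------------
if (Test-Path "$env:SystemRoot\System32\msxml6.dll") { "MSXML 6.0 present" }
else { Write-Warning "MSXML 6.0 is missing; install it before running the agent setup." }

# --- Step 3: MSOMHSvc SPNs on the computer account ----------------------------------
# Mirrors the post: both the FQDN and the short-name form on this computer's account.
# setspn writes to the AD computer object, so it needs rights on that object and a domain
# to talk to; a pure workgroup machine has no computer account to register them on.
$wanted = @("MSOMHSvc/$RmsFqdn", "MSOMHSvc/$($RmsFqdn.Split('.')[0])")
$registered = @(& setspn -L $Computer 2>&1 | ForEach-Object { "$_".Trim() })
foreach ($spn in $wanted) {
    if ($registered -contains $spn) {          # -contains is case-insensitive
        "OK       $spn"
    } elseif ($RegisterSpn) {
        "Adding   $spn"
        & setspn -A $spn $Computer
    } else {
        "MISSING  $spn   (re-run with -RegisterSpn to register it)"
    }
}
```

Run it without switches first to see what is wrong; only add -RegisterSpn once you are sure the missing SPNs are the ones the post lists, because a wrong or duplicate SPN in AD breaks Kerberos for everyone that uses that name.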