Archive for September, 2011

Issue with SCOM Agent authentication against the SCOM Management Server if you have a multi-domain environment

September 13, 2011

You have successfully installed the SCOM Agent on a managed computer, either manually or with the Discovery Wizard. However, the managed computer does not appear in the Agent Managed or Pending Management list in the Operations Console.

The following event is logged in the Operations Manager event log on the agent-managed computer:

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20057
Description: Failed to initialize security context for target MSOMHSvc/ The error returned is 0x80090311(No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.

The following event is logged in the Operations Manager event log on the SCOM Management Server:

Event Type: Information
Event Source: Health Service Modules
Event Category: None
Event ID: 10616
Description: The Operations Manager Server successfully completed the operation Agent Install on remote computer doc.contoso.msft.
Install account: CONTOSO\administrator
Error Code: 0
Error Description: The operation completed successfully.

How to confirm the problem?

To confirm the problem, Microsoft Network Monitor can be used:
■Stop the HealthService on the managed computer to stop the SCOM Agent (open a Command Prompt and run net stop HealthService).
■Start Microsoft Network Monitor.
■Click the New capture tab.
■In the Capture Filter, enter the following filter:

KerberosV5
OR KerberosV5_Struct
OR NLMP
OR NLMP_Struct
OR GssAPI
OR SpnegoNegotiationToken
OR GssapiKrb5
OR LDAP

■Click the Apply button to apply the Capture Filter.
■Click the Start button to start the new capture.
■Now quickly start the HealthService to start the SCOM Agent (net start HealthService).
■Wait (usually 10-15 seconds) until event 20057 appears in the Operations Manager event log on the affected computer.
■In Network Monitor, click the Stop button to stop the capture.
■Now carefully review the captured frames in the Frame Summary window. You should see KerberosV5 and LDAP protocol traffic to the Active Directory Domain Controllers.

NOTE: The above applies only if you are not using certificate-based authentication.

To resolve this issue, make sure that TCP/UDP port 88 (Kerberos) and TCP/UDP port 389 (LDAP) are open from the agent to the Domain Controllers in your Active Directory environment.

These ports are not documented in the TechNet article Using a Firewall with Operations Manager 2007.

What happens under the hood?


When communication between the SCOM Agent and the Management Server starts, authentication takes place (Kerberos). In a multi-domain environment things are a bit more complicated: before the authentication protocols can follow the forest/domain trust path, the service principal name (SPN) of the SCOM Management Server must be resolved (LDAP).

When a managed computer (SCOM Agent) in one domain attempts to access a resource computer (SCOM Management Server) in another domain, it contacts its domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same domain as the domain controller, it sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows the referral chain until it gets to the domain where the resource is located.

If the SCOM Management Server is in child domain A of the Active Directory forest and the SCOM Agent is in child domain B, make sure that the SCOM Agent can reach all DCs in the referral chain required to get to the domain where the SCOM Management Server is located.
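The following PowerShell script is an added example (not part of the original post or of the SCOM product) that checks the two things described above from the managed computer: whether the Management Server SPN (assumed to be MSOMHSvc/<server FQDN>, as in event 20057) can be found in the global catalog, and whether TCP 88 and 389 are reachable on every DC of every domain in the referral chain between the agent's domain and the server's domain. $MgmtServerFqdn is a placeholder you must replace; the agent's domain is taken from the computer account, and only TCP is probed since a plain socket connect cannot confirm UDP 88/389.

```powershell
# Added example (not from the original post). Run on the managed computer as a
# domain user. $MgmtServerFqdn is an assumed placeholder; the agent's own domain
# is taken from the computer account. Only TCP is probed: UDP 88/389 are also
# required but cannot be confirmed with a plain socket connect.
param(
    [string]$MgmtServerFqdn = 'scom01.a.contoso.msft',   # placeholder, replace
    [int]$TimeoutMs = 3000
)

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar); return $true
    } catch { return $false } finally { $client.Close() }
}

# Domains from $Domain up to the forest root, in the order a referral walks them.
function Get-DomainChain($Domain) {
    $chain = @(); while ($Domain) { $chain += $Domain; $Domain = $Domain.Parent }; return $chain
}

$agentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$serverDomainName = $MgmtServerFqdn.Substring($MgmtServerFqdn.IndexOf('.') + 1)
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $serverDomainName)
$serverDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)

# 1. Is the Management Server SPN findable in the global catalog at all?
$gc = [ADSI]"GC://$($agentDomain.Forest.Name)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gc, "(servicePrincipalName=MSOMHSvc/$MgmtServerFqdn)")
if ($searcher.FindOne()) { "SPN MSOMHSvc/$MgmtServerFqdn found in GC" }
else { Write-Warning "SPN MSOMHSvc/$MgmtServerFqdn not found in GC; check the SPN registration on the server" }

# 2. Referral chain: agent domain -> common ancestor -> server domain.
$up = Get-DomainChain $agentDomain; $down = Get-DomainChain $serverDomain
$common = @($up | Where-Object { $down.Name -contains $_.Name })[0]
$path = @(); foreach ($d in $up)   { if ($d.Name -eq $common.Name) { break }; $path += $d }
$path += $common
foreach ($d in $down) { if ($d.Name -eq $common.Name) { break }; $path += $d }

# 3. Probe Kerberos (88) and LDAP (389) on every DC of every domain in the chain.
foreach ($domain in $path) {
    foreach ($dc in $domain.DomainControllers) {
        foreach ($port in 88, 389) {
            [pscustomobject]@{ Domain = $domain.Name; DC = $dc.Name; Port = $port
                               Open = Test-TcpPort $dc.Name $port $TimeoutMs }
        }
    }
}
```

Any row with Open = False points at a DC the agent cannot reach on that port, which is exactly the condition that produces event 20057 with 0x80090311.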

For more information about the ports required for the System Center Operations Manager, and the authentication in Operations Manager, refer to the following TechNet articles:

Authentication and Data Encryption for Windows Computers in Operations Manager 2007, available at: http://technet.microsoft.com/en-us/library/bb735408.aspx

Using a Firewall with Operations Manager 2007, available at: http://technet.microsoft.com/en-us/library/cc540431.aspx

Free eBook: Microsoft Office 365

September 7, 2011

We are very excited to announce that we are able to offer Microsoft Office 365: Connect and Collaborate Virtually Anywhere, Anytime (ISBN 9780735656949), by Katherine Murray, as a free eBook.

For details on this book, including the Table of Contents

To download your free PDF eBook, click here. Updates to this eBook, as well as additional eBook formats, will become available in the future, so check this blog for updates.