To clarify:
The CN must match the FQDN that the *other* server is using to access the server in question. So, if the MS is using gw1.yourdomain.com to access the gateway, then the gateway must have a CN= set to gw1.yourdomain.com
Cheers
Ken
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Ken Schaefer
Sent: Friday, 4 September 2009 10:22 AM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: SCOM R2 Gateway configuration on a no-trusted domain using certificates
Hi,
What three steps? Your reply isn't making a lot of sense...
I'm using self-signed certs and I copied to the RMS Trusted Root CA store
If you are using self-signed certs, then you need to copy the Gateway's cert to the MS' Trusted Root CA store, and you need to copy the MS' cert to the Gateway's Trusted root store. I'm unsure how the RMS is involved here.
I verified that both servers are using the same CN.
How can they be using the same CN? The CN must match the FQDN that the *other* server is using. By definition you must have two different CNs: one for the gateway and one for the MS.
Cheers
Ken
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Barreto, Eduardo
Sent: Friday, 4 September 2009 2:43 AM
To: 'msmom@lists.myitforum.com'
Subject: [msmom] RE: SCOM R2 Gateway configuration on a no-trusted domain using certificates
Thanks Ken
I confirmed all three steps. I'm using self-signed certs and I copied to the RMS Trusted Root CA store. I verified that both servers are using the same CN.
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Ken Schaefer
Sent: Wednesday, September 02, 2009 9:23 PM
To: msmom@lists.myitforum.com
Subject: [msmom] RE: SCOM R2 Gateway configuration on a no-trusted domain using certificates
Hmm - MSOMHSvc/1vscom01 looks like a Kerberos SPN.
If you are going to use certificates then:
a) The CA (Certificate Authority) that issues the certificates needs to be trusted by both servers (e.g. placed into the Trusted Root Certification Authorities store)
b) The Common Name (CN) field for each certificate you install on the MS and GW needs to match whatever the other is using to reach that server. E.g. if you put gw1.yourdomain.com into the CN for your gateway's certificate, then your MS must be using gw1.yourdomain.com to reach your GW
c) If you are using self-signed certificates (i.e. not issued by a CA), then you need to put each certificate into the other server's Trusted Root CA store. But only do this if you are using self-signed certs (because in this case the issuer is also the same as the other server)
Cheers
Ken
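To check Ken's three points on either side of the link, here is an added PowerShell example (not from the thread or the documentation it quotes); the parameters $NameUsedByPeer and $PeerName are assumptions you supply: the FQDN the other server uses to reach this host, and the other server's FQDN.

```powershell
# Added example, not from the thread or the Microsoft documentation it quotes.
# Run on the MS and again on the GW. $NameUsedByPeer is an assumption: the FQDN
# the *other* server has configured to reach this host (Ken's point b).
param(
    [Parameter(Mandatory)][string]$NameUsedByPeer,   # e.g. gw1.yourdomain.com
    [string]$PeerName,                               # optional: FQDN of the other server
    [string]$MyStore   = 'Cert:\LocalMachine\My',
    [string]$RootStore = 'Cert:\LocalMachine\Root'
)
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Point b): the Subject CN must equal the name the peer uses, not a short name.
$mine = Get-ChildItem $MyStore | Where-Object {
    $_.GetNameInfo($simple, $false) -ieq $NameUsedByPeer
}
if (-not $mine) {
    Write-Warning "No cert in $MyStore has CN=$NameUsedByPeer; the peer will reject the name."
    Get-ChildItem $MyStore | Select-Object Subject, Thumbprint | Format-Table -AutoSize
    return
}
foreach ($cert in $mine) {
    Write-Host "Checking $($cert.Thumbprint) Subject=$($cert.Subject)"
    if (-not $cert.HasPrivateKey) {
        Write-Warning '  No private key: it was exported/imported without one, so it cannot authenticate this host.'
    }
    # Point a)/c): the issuer (or the self-signed cert itself) must be in Trusted Root here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'     # trust only; revocation is not the question here
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "  Chain builds to trusted root: $($root.Subject)"
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if ($cert.Subject -eq $cert.Issuer) {
            Write-Warning "  Self-signed and not trusted locally ($status): import it into $RootStore on this host and on the peer (point c)."
        } else {
            Write-Warning "  Issuer not trusted ($status): import the issuing CA cert into $RootStore on both hosts (point a)."
        }
    }
}
# Point c) from the other direction: if the peer is self-signed, its cert must sit in our Trusted Root store.
if ($PeerName) {
    $peerRoot = Get-ChildItem $RootStore | Where-Object { $_.GetNameInfo($simple, $false) -ieq $PeerName }
    if ($peerRoot) { Write-Host "Peer cert CN=$PeerName found in $RootStore ($($peerRoot.Thumbprint -join ','))." }
    else { Write-Warning "No cert with CN=$PeerName in $RootStore; if the peer uses a self-signed cert, copy it here (point c)." }
}
```

Run it as .\Check-OpsMgrCert.ps1 -NameUsedByPeer gw1.yourdomain.com -PeerName ms1.yourdomain.com on the gateway, and with the names swapped on the management server.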
From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Barreto, Eduardo
Sent: Thursday, 3 September 2009 12:08 AM
To: 'msmom@lists.myitforum.com'
Subject: [msmom] SCOM R2 Gateway configuration on a no-trusted domain using certificates
I'm having issues with the SCOM R2 gateway installation on a non-trusted domain. I only opened port 5723 from the Gateway to the RMS. I exported the gateway certificate and imported it into the RMS Operations Manager Certificates folder and Trusted Root Certification Authorities store. The gateway server is showing in the Management Server as not monitored.
I followed the documentation below:
Here are the errors on the Gateway server:
OpsMgr has no configuration for management group BrowardCTY and is requesting new configuration from the Configuration Service
Failed to initialize security context for target MSOMHSvc/1vscom01 The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
Any suggestions? Do I need to import the RMS certificate to the gateway server? I'm not getting any certificate errors and I verified that I can communicate through port 5723.
Before you start
1. Deployment of gateway servers requires certificates. You need to have access to a certification authority (CA). This can be a public CA such as VeriSign, or you can use Microsoft Certificate Services. This procedure provides the steps to request, obtain, and import a certificate from Microsoft Certificate Services.
2. Reliable name resolution must exist between the agent-managed computers and the gateway server and between the gateway server and the management servers. This name resolution is typically done through DNS. However, if it is not possible to get proper name resolution through DNS, it might be necessary to manually create entries in each computer's hosts file.
Note
The hosts file is located in the \Windows\system32\drivers\etc directory, and it contains directions for configuration.
Obtaining Computer Certificates from Microsoft Certificate Services
For more information, see the sections How to Obtain a Certificate Using a Stand-Alone CA in Operations Manager 2007 and How to Obtain a Certificate Using an Enterprise CA in Operations Manager 2007 in the Security Guide at http://go.microsoft.com/fwlink/?LinkId=97878.
Distributing the Microsoft.EnterpriseManagement.GatewayApprovalTool
The Microsoft.EnterpriseManagement.GatewayApprovalTool.exe tool is needed only on the management server, and it only has to be run once.
To copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to management servers
1. From a target management server, open the installation media \SupportTools directory.
2. Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager 2007 installation directory, which is typically c:\Program Files\System Center Operations Manager 2007.
Registering the Gateway with the Management Group
This procedure registers the gateway server with the management group, and when this is completed, the gateway server appears in the Discovered Inventory view of the management group.
To run the gateway Approval tool
1. On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
2. Open a Command Prompt window, and navigate to the \Program Files\System Center Operations Manager 2007 directory or to the directory that you copied the Microsoft.EnterpriseManagement.gatewayApprovalTool.exe to.
3. At the command prompt, run Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
4. If the approval is successful, you will see The approval of server <GatewayFQDN> completed successfully.
5. If you need to remove the gateway server from the management group, run the same command, but substitute the /Action=Delete flag for the /Action=Create flag.
6. Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present.
Installing Operations Manager 2007 Gateway Server
This procedure installs the gateway server. The server that is to be the gateway server should be a member of the same domain as the agent-managed computers that will be reporting to it.
Tip
An installation will fail when starting Windows Installer (for example, installing a gateway server by double-clicking MOMGateway.msi) on a computer running Windows Server 2008 if the local security policy User Account Control: Run all administrators in Admin Approval Mode is enabled (which is the default setting on Windows Server 2008).
To run Operations Manager 2007 Gateway Windows Installer from a command prompt for Windows Server 2008
1. On the Windows desktop, click Start, point to Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the Administrator: Command Prompt window, navigate to the local drive that hosts the Operations Manager 2007 installation media.
3. Navigate to the directory where the .msi file is located, type the name of the .msi file, and then press ENTER.
To install Operations Manager 2007 gateway server
1. Log on to the gateway server with Administrator rights.
2. From the Operations Manager 2007 installation media, start SetupOM.exe.
3. In the Install area, click the Install Operations Manager 2007 R2 Gateway link.
4. On the Welcome screen, click Next.
5. On the Destination Folder page, accept the default, or click Change to select a different installation directory, and then click Next.
6. On the Management Group Configuration page, type the target management group name in the Management Group Name field, type the target management server name in the Management Server field, check that the Management Server Port field is 5723, and then click Next. This port can be changed if you have enabled a different port for management server communication in the Operations console.
7. On the Gateway Action Account page, select the Local System account option, unless you have specifically created a domain-based or local computer-based gateway Action account. Click Next.
8. On the Microsoft Update page, optionally indicate if you want to use Microsoft Update, and then click Next.
9. On the Ready to Install page, click Install.
10. On the Completing Installation page, click Finish.
Importing Certificates with the MOMCertImport.exe Tool
Perform this operation on each gateway server, management server, and computer that will be agent-managed and that is in a domain that is not trusted.
To import computer certificates by using MOMCertImport.exe
1. Copy the MOMCertImport.exe tool from the installation media \SupportTools\<platform> (i386 or ia64) directory to the root of the target server or to the Operations Manager 2007 installation directory if the target server is a management server.
2. Open a Command Prompt window and change the directory to the directory where MOMCertImport.exe is, and then run momcertimport.exe /SubjectName <certificate subject name>. This makes the certificate usable by Operations Manager.
==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/momlist/