Monitoring DMZ Servers?
Hello all, I have these questions about monitoring DMZ computers, can you help me with them:

- Can I use Win 2008 R2 Enterprise CA for issuing certificates for MS server and for DMZ servers in case I have OM 2012? The TechNet document applies only to OM 2007!
- Must the workgroup DMZ server have FQDN to be monitored? Or no need to add the suffix of the domain name?
- Is the computer name of the DMZ server case sensitive in case I will type it in the certificate?

Regards,
August 12th, 2012 1:48pm

Hi Anas

1. The certificate issuing for SCOM2012 and SCOM2007 is exactly the same, there is no difference. You just have to be careful: in a Windows 2008 R2 CA there is an issue if you use the web interface of the CA http://thoughtsonopsmgr.blogspot.ch/2010/04/windows-server-2008-r2-ca-scom.html .
2. For workgroup servers use the NetBIOS name.
3. I think it is case sensitive, but not 100% sure. Just use the name as it appears when typing the "hostname" command in the command shell.

Regards, Stefan
Blog: http://blog.scomfaq.ch
August 12th, 2012 5:15pm


yes, stefan is right. only for question 3, the name is NOT case sensitive. good luck connecting the dmz servers!
August 12th, 2012 5:19pm


I just checked back 3) it is not case sensitive, thanks @Mathijn. Stefan Blog: http://blog.scomfaq.ch
August 12th, 2012 5:28pm


Thanks guys for the great answers, I appreciate this but I am still confused about using single name or FQDN name of the DMZ servers? In case you want to monitor DMZ servers you have to request the certificate through special configurations file...one of the things required in the file is the FQDN of the DMZ server...so if I will add only the single name of DMZ server (ex. Web1), will that be correct? did you test it ? Regards,
August 12th, 2012 5:50pm


fqdn must take place for any server which is in DMZ else certificate will fail to load... Thanks, Varun
August 13th, 2012 2:46am

Hi

Nothing has changed on SCOM 2012 with regards to certificates so the 2007 documentation is fine. Specifically:

1) I don't know of any issues here. I would always recommend an enterprise CA rather than stand-alone.
2) From here - http://systemcentersolutions.wordpress.com/2009/07/13/troubleshooting-certificate-problems/ - "For a workgroup machine you need just the machine name. When you right click My Computer and select Properties, under the Computer Name tab it will tell you the Full Computer Name for the box, this is what goes in the subjectname for the cert." - Thanks to Lincoln Atkinson for that info.
3) I don't think it is case sensitive but if in doubt, copy and paste from "right click My Computer and select Properties, under the Computer Name tab" into the certificate request. I try to copy and paste as much as possible as typing mistakes (at least for me) are all too common.

Cheers Graham
Regards Graham
New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
August 13th, 2012 2:51am
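
An added example, not part of any post in this thread: a PowerShell check that follows the guidance quoted in the reply above by comparing the machine's full computer name with the subject CN of each certificate in the Local Computer Personal store. The function names and the sample name web1.dmz.example are assumptions made for illustration; Web1 is the example name used in the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the DMZ server after importing the certificate.

function Get-FullComputerName {
    # Host name plus the primary DNS suffix when one is set, i.e. the
    # "Full computer name" shown on the Computer Name tab.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ([string]::IsNullOrEmpty($ip.DomainName)) { return $ip.HostName }
    return ('{0}.{1}' -f $ip.HostName, $ip.DomainName)
}

function Test-SubjectName {
    param([string]$ExpectedName, [string]$SubjectCN)
    # Case-insensitive comparison, as the replies in the thread conclude.
    return [string]::Equals($ExpectedName.Trim(), $SubjectCN.Trim(),
        [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-AgentCertCandidates {
    param([string]$ExpectedName = (Get-FullComputerName))
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        # GetNameInfo with SimpleName returns the CN of the subject.
        $cn = $_.GetNameInfo($simple, $false)
        New-Object PSObject -Property @{
            SubjectCN     = $cn
            NameMatches   = Test-SubjectName -ExpectedName $ExpectedName -SubjectCN $cn
            HasPrivateKey = $_.HasPrivateKey
            Expired       = ($_.NotAfter -lt (Get-Date))
            Thumbprint    = $_.Thumbprint
        }
    }
}

# Constructed sample names: the first pair differs only in case, the second
# carries a DNS suffix that the expected name does not have.
Test-SubjectName -ExpectedName 'Web1' -SubjectCN 'WEB1'
Test-SubjectName -ExpectedName 'Web1' -SubjectCN 'web1.dmz.example'

# On the DMZ server itself: list every certificate and whether its CN matches.
Get-AgentCertCandidates |
    Format-Table SubjectCN, NameMatches, HasPrivateKey, Expired, Thumbprint -AutoSize
```

A certificate that shows NameMatches as False, has no private key, or is expired is worth re-requesting before troubleshooting anything else on the agent.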

Thank you guys for the great replies so the final results are below:

1. CA: I can use enterprise CA with OM 2012.
2. FQDN: I will test this, I will try to add a machine in my DMZ that doesn't have FQDN and try to request and import the certificate.
3. Case sensitive name: I will copy/paste the name for every server.

Thanks again buddies for the help, I appreciate this. Regards,
August 13th, 2012 3:37am

Yep - you can use an Enterprise CA with OM12. The main reason I suggest an Enterprise CA is that it is easier to manage the certificates. Some administrators have installed a stand-alone CA but this can be a problem longer term when you want to decommission the stand-alone certificate server.

Regards Graham
New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
August 13th, 2012 3:41am

Hi, I would like to suggest you refer to the following methods:

Monitoring non-domain members with OM 2012
http://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx

Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server
http://blogs.technet.com/b/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx

Hope this helps. Thanks.
Nicholas Li
TechNet Community Support
August 13th, 2012 4:15am

@Graham: thanks man for the great advice, actually in the past in my testing lab I used a standalone CA for monitoring Edge servers and I can say that using standalone CA is easier than using Enterprise CA but the Enterprise CA is multifunction and more reliable as: supports more templates & templates duplication and I can decommission it in case I don't need it plus it supports Auto-enrollment. Thanks Regards,
August 13th, 2012 2:13pm

This topic is archived. No further replies will be accepted.
