SCOM 2007 R2 client in NT 4 domain with two-way trust
Ok, I'm banging my head against the wall here... can someone please tell me if this is even possible? We have SCOM 2007 R2 installed in our 2003 domain working fine, discovery works fine, agents deploy no problem and monitoring is all good. We have a legacy NT 4 domain due to some legacy apps. We need to monitor Windows 2000 SP4 machines in this NT 4 domain; there is a two-way trust in place. We have certificates in place on both the client and management server but the agent does not show as pending. Event logs show the following:

- Event ID 21016 - OpsMgr was unable to set up a communication channel to the ManagementServer
- Event ID 21007 - The OpsMgr connector cannot create a mutually authenticated connection to the ManagementServer because it is not in a trusted domain.

I am not a cert expert but one of my colleagues is, and he is confident the certs are good. Before I go back to him and try to suggest there may be a cert issue, I'd like to know if this is even possible. I know for AD integration the domain functional level must be Windows 2000 Native minimum; obviously my NT 4 domain would not meet this and does not support AD... so... Can SCOM 2007 R2 manage clients in a different domain if it is an NT 4 domain? Has anyone ever had to do this? Can anyone offer any suggestions on where to focus our efforts? Cheers
September 1st, 2012 5:29pm

Hi, when you use certificates it does not matter if it is an NT4 domain. It uses the certificate for authentication. You have to "tell the agent service" that it should use a certificate for authentication. This is done by running the momcertimport tool on the server that needs to be managed. Before you run this, make sure that you can resolve the name of the management server and that port TCP 5723 TO the management server is open. You will find the tool in your source files. All you need to do is run it and it will suggest the certificate you imported. Also check your global security settings for manual installation. If it is configured to automatically reject, you won't have success. Hope this helps,
September 1st, 2012 6:34pm

Hi, as Marthijn says - you'll need certificates for NT4 (it doesn't support Kerberos), and if you have certs loaded, they will be used before Kerberos. On the Windows 2000 SP4 machine, restart the System Center Management Service and look for either of the following INFORMATIONAL events:

1) Look for event ID 20052 on the agent stating that the specified certificate could not be loaded because the subject name on the certificate does not match the local computer name.
2) Look for event ID 20053 after running MomCertImport; this indicates the cert was loaded properly.

That will tell you straight away if the certificates are ok. For a domain machine the FQDN is needed in the subject name of the certificate. For a workgroup machine you need just the machine name. When you right-click My Computer and select Properties, under the Computer Name tab it will tell you the Full Computer Name for the box; this is what goes in the subject name for the cert. Cheers, Graham

Regards, Graham. New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
September 1st, 2012 7:02pm

Hi, adding to what Graham said, below are some generic troubleshooting steps for certificate issues in SCOM:

- Verify connectivity from agent to RMS and RMS to agent using ping.
- Verify that the certificate exists in Local Computer / Personal / Certificates on the RMS server and agent.
- The root certificate of the CA should be there in Local Computer / Trusted Root Certificates / Certificates on the RMS server and agent.
- Verify that the certificate exists in Local Computer / Operations Manager / Certificates on the RMS server and agent.
- Verify the existence of HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settin\ChannelCertificateSerialNumber with the value of the certificate's serial number (from the Local Computer / Personal / Certificates folder, Details tab, Serial number field) reversed within it, on both the agent and the RMS.

~Cheers, Rohit Kochher
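The checks Graham and Rohit describe (port 5723 reachable, certificate subject equal to the Full Computer Name, chain trusted, and the registry value holding the byte-reversed serial number) can be scripted. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the agent or RMS, a management server name passed in as `$ManagementServer` (placeholder value below), and that the registry key's full name is "Machine Settings" (the post above truncates it).

```powershell
# Added example: verify the SCOM certificate prerequisites described in the replies above.
param([string]$ManagementServer = "rms.example.local")   # placeholder, replace with your RMS FQDN

# 1. Name resolution and TCP 5723 from this box TO the management server
$rmsFqdn = [System.Net.Dns]::GetHostEntry($ManagementServer).HostName
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($rmsFqdn, 5723); "TCP 5723 to $rmsFqdn : open" }
catch { "TCP 5723 to $rmsFqdn : BLOCKED ($_)" }
finally { $tcp.Close() }

# 2. Certificate subject must match the Full Computer Name (FQDN for a domain member)
$localName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$pattern   = "CN=" + [regex]::Escape($localName) + "(,|$)"
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern } | Select-Object -First 1
if (-not $cert) { "No cert in LocalMachine\My with CN=$localName (expect event 20052 on the agent)"; return }
"Found cert: $($cert.Subject), serial $($cert.SerialNumber)"

# 3. Chain must build to a root in LocalMachine\Trusted Root Certification Authorities
if (-not $cert.Verify()) { "Chain does NOT validate - import the CA root into LocalMachine\Root" }

# 4. Registry value must be the serial number with its bytes in reverse order (what MomCertImport writes)
$key = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"  # assumed full key name
$reg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
$serialBytes = @()
for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) {
    $serialBytes += [Convert]::ToByte($cert.SerialNumber.Substring($i, 2), 16)
}
[array]::Reverse($serialBytes)
$expectedHex = ($serialBytes | ForEach-Object { $_.ToString("x2") }) -join ""
$actualHex   = if ($reg) { ($reg | ForEach-Object { $_.ToString("x2") }) -join "" } else { "<missing>" }
if ($actualHex -eq $expectedHex) { "ChannelCertificateSerialNumber matches the reversed serial" }
else { "ChannelCertificateSerialNumber mismatch: registry=$actualHex expected=$expectedHex - rerun MomCertImport" }
```

Run it on the agent and on the RMS; a mismatch in step 4 on either side is the usual reason the connector logs 21007 even when the certificate itself is valid.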
September 1st, 2012 7:22pm
