SCOM Monitoring Agents stopped once IPv6 Direct Access policy was set
We have SCOM 2007 R2 on 2008 R2 and it was monitoring everything fine. We have recently implemented Microsoft UAG with Direct Access which sets policies in AD and the IPv6 address for tunneling takes over as the primary when you ping a server so I am thinking it is an IPv6 issue because all 2003 Servers still report in fine it is just all servers with IPv6 like 2008 and 2008 R2 where the agents are not connecting. What do I have to do in order to get SCOM to work when Direct Access policies are in effect?
February 15th, 2010 10:58pm

Hi Dan,

2008 servers prefer IPv6 over IPv4. You need to make sure that your DNS supports AAAA records so that DNS works OK. I have checked on my 2008 servers and the Operations Manager services listen on both IPv4 and IPv6 addresses.

How have you targeted the DirectAccess policies? Can you list the security filtering of the two DA GPOs (Client & DAServer)?

Have you intentionally enabled IPv6 on your internal network? What addressing scheme did you use?

When you ping the RMS from a 2008 server, what IPv6 address do you get?

Can you run the following command on the 2008 R2 RMS/MS?

    netstat -p TCPv6 -n -a

You should see the following lines in the output:

    Proto  Local Address  Foreign Address  State
    TCP    [::]:5723      [::]:0           LISTENING
    TCP    [::]:5724      [::]:0           LISTENING  (RMS only)

Sorry for all the questions :)

Matt
Matt White ( http://systemcenterblog.hardac.co.uk/ )
February 15th, 2010 11:21pm

Hello - me again :)

I have just done some testing and found that SCOM works fine over IPv6 (I suspected that it would).

So, it must be something in your IPv6 or name resolution configuration.

What I do not know for sure, is if reverse DNS is absolutely required for Kerberos to work - I suspect that it is. Therefore, if you use IPv6 internally, you will require an internal IPv6 reverse DNS zone...

Matt
Matt White ( http://systemcenterblog.hardac.co.uk/ )
February 15th, 2010 11:59pm

Reverse DNS is not needed for Kerberos.

More likely it has something to do with the network. Any routers/firewall (lvl3 devices) between your management servers and the agent managed computers? They can all route IPv6 and are configured to do so?

Rob Korving
http://jama00.wordpress.com/
February 16th, 2010 3:23pm

Hi Dan,

How are you getting on with this, have you made any progress?

Matt.
Matt White ( http://systemcenterblog.hardac.co.uk/ )
February 18th, 2010 2:02am

Sorry got busy on some other project. The clients are being monitored and the SCOM server can still communicate with all but a couple. Some of them lose communication after a couple days and I have to reboot the SCOM Server for them to start communicating again. I haven't really looked into this yet. The Microsoft UAG server SCOM agent cannot communicate with the SCOM server at all. I have gone through monitoring in TMG and it appears that since the TMG server sets a computer based on IPv4 and with DA enabled the client and SCOM server use IPv6 by default so the TMG server blocks the communications because the IPv4 rule doesn't take effect which is supposed to allow SCOM communication. I am trying to create an IPv6 rule in TMG right now.
March 8th, 2010 8:31pm

Hi Dan,

I had a similar issue on a UAG DA server. I could not change the system policy, but I added a hosts file entry for the IPv4 address of the SCOM server. This worked a treat.

Matt White ( http://systemcenterblog.hardac.co.uk/ )
March 8th, 2010 11:23pm
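
The situation described in the two posts above (the management server name resolves to an IPv6 address that is tried first, while only the IPv4 path is allowed through the firewall) can be confirmed by testing the agent port, 5723, against every resolved address separately. This is an added example, not part of the original thread; the server name `scom01.example.local` is a placeholder and the function name `Test-TcpPerAddress` is hypothetical.

```powershell
# Added example: test TCP 5723 against each address the name resolves to,
# so an IPv6-only failure (or an IPv4-only success) is visible at a glance.
param(
    [string]$ManagementServer = 'scom01.example.local',  # placeholder (assumption)
    [int]$Port = 5723,                                   # SCOM agent port from the thread
    [int]$TimeoutMs = 3000
)

function Test-TcpPerAddress {
    param([string]$Name, [int]$Port, [int]$TimeoutMs)

    # Returns every A and AAAA address the resolver hands back for the name.
    foreach ($ip in [System.Net.Dns]::GetHostAddresses($Name)) {
        # Create the socket for this address family (IPv4 or IPv6) explicitly.
        $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
        $reachable = $false
        try {
            $pending = $client.BeginConnect($ip, $Port, $null, $null)
            if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($pending)   # throws if the connect was refused
                $reachable = $true
            }
        } catch {
            $reachable = $false                # refused, unreachable or filtered
        } finally {
            $client.Close()
        }

        New-Object PSObject -Property @{
            Address   = $ip.ToString()
            Family    = $ip.AddressFamily      # InterNetwork = IPv4, InterNetworkV6 = IPv6
            Port      = $Port
            Reachable = $reachable
        }
    }
}

Test-TcpPerAddress -Name $ManagementServer -Port $Port -TimeoutMs $TimeoutMs |
    Select-Object Address, Family, Port, Reachable |
    Format-Table -AutoSize
```

Run it from the agent-managed machine: a row with Family `InterNetworkV6` and Reachable `False` next to an `InterNetwork` row that is `True` matches the blocked-IPv6 behaviour described in the thread.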

Hello, I recently implemented SCOM 2007 R2 in my environment. I am having a similar problem with IPv6 except we have it "disabled" through the network adapter properties. The Server 2008 machines all put an IPv6 DNS entry in whether it is enabled or disabled. I deleted all of them from both DNS servers but they soon return. Any thoughts on this? I'd rather not have to put a hosts file on every 2008 machine, but if that is what needs to happen then cool. I just wanted to know if I correctly "disabled" IPv6 or is it still broadcasting for some reason. Thanks for your help. Jeremy
December 20th, 2010 1:34pm

You'd need to disable IPv6 in the registry.

Rob Korving
http://jama00.wordpress.com/
December 20th, 2010 1:55pm

Hi Jeremy,

As Rob says. If you want to disable IPv6 then you need to do it in the registry, unbinding the protocol from the adaptor is not enough and can cause problems. http://support.microsoft.com/kb/929852

However - In the default configuration, IPv6 is rarely a problem, and should be left enabled! The default config configures the adapter with a link local address (FE80::), this is nothing to worry about and does not normally cause issues since the link local network range cannot be routed and the addresses are not registered in DNS.

Matt
Matt White ( http://systemcenterblog.hardac.co.uk/ )
December 20th, 2010 8:12pm

This topic is archived. No further replies will be accepted.
