certificate based agent communication failing to untrusted domain
This is SCOM 2007 R2 with CU5. I am getting the following event IDs after an agent restart:

21023, 103, 102, 2011, 20063, 20053, 21023, 2002, 7006, 7019

All of those are Informational; then the next four are Errors:

20057, 21001, 20070, 21016

This is by no means the first time I've installed an agent into our SCOM environment, on an untrusted domain, using certificates. I have about 40 other agents without trusts reporting into the same management group. I've triple-checked certs, restarted the management server, and used momcertimport over and over. But it is the first time this particular secondary management server is being used. I have tested it with an "on domain" agent and that worked fine. It shows as Healthy under Management Servers. Suggestions? I've read some articles regarding checking SPNs, but they were a bit vague on precisely what I was looking for. Thanks.
May 2nd, 2012 1:22pm

You expect us to know error codes by heart? Maybe if you tell us what's wrong, we can help...

Rob Korving http://jama00.wordpress.com/
May 2nd, 2012 2:47pm

20070: The OpsMgr Connector connected to <our secondary management server>, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

20016: OpsMgr was unable to set up a communications channel to <our secondary management server> and there are no failover hosts. Communication will resume when <our secondary management server> is available and communication from this computer is allowed.

20057: Failed to initialize security context for target MSOMHSvc/<our secondary management server>. The error returned is 0x80090303 (The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.

21001: The OpsMgr Connector could not connect to MSOMHSvc/<our secondary management server> because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
May 2nd, 2012 2:59pm

Perhaps I didn't use the right process; it's been a while since I installed my last certificate-based agent. I logged onto the management server and hit the CA certsrv site. Used the SCOM template to request the certificate. I installed it on the management server. I then went into MMC Certificates and exported it as a pfx. Copied the pfx over to the system I want to monitor. I imported the .cer file for this CA under Trusted Root Certification Authorities and imported the pfx into the Personal store. After that I ran momcertimport.exe and only the one cert I want is shown, so I select it. When I go to the Operations Manager store and find the pfx I had imported, on the Certification Path tab it says: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." This seems odd because it's not supposed to be a root certificate. I'm pretty sure this was the process I had used before... with success many times. Anyone see what I did wrong? Thanks!
May 2nd, 2012 3:45pm

Hi

You don't say what version or type of certificate server you have, but the options are here: http://technet.microsoft.com/en-us/library/bb735408.aspx

I'm not sure what process you are following? Why are you importing to the Personal store when the error is "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

Cheers, Graham

Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
May 2nd, 2012 5:20pm

Import the chain of certs into the Trusted Root Certificates and Intermediate Certificates stores (only the public part of the certs) on the computer where the agent is installed.
May 2nd, 2012 5:22pm

It's an enterprise CA server that is located on the same domain as the SCOM environment. I was importing into the Personal store because some SCOM writeup I found said to do so. This certificate is the one I requested for the client (agent) server -- so I'm not sure why it thinks it's a CA root certificate. The CA root cert I have installed was the .cer file. Importing the pfx into the Trusted Root Certification Authorities store didn't help. I'll check that link, thanks.
May 2nd, 2012 5:25pm

So I am on page http://technet.microsoft.com/en-us/library/dd362553.aspx and reading this section:

"To import the certificate into the certificate store: On the computer hosting the Operations Manager component for which you are configuring the certificate, click Start, and then click Run. etc etc etc"

Does this step need to be done on both the management server and the client server? What do they specifically mean by "computer hosting the Ops Mgr component"? I was under the impression I needed to put the Root CA cert on both the Management Server and the agent server, and also put the cert I create using the Operations Manager template on BOTH the Management Server and on the agent server. Is that correct? If yes, should I be installing the cert on the management server and then exporting it as a pfx for import on the agent server, OR should I just save it as a .cer and install it in both places?
May 2nd, 2012 5:34pm

See this page: http://blogs.technet.com/b/quenguyen/archive/2011/07/13/monitoring-non-domain-servers-using-scom.aspx Especially starting around the section titled On the management server, use the Certificates MMC and that is pretty much exactly what I did....
May 2nd, 2012 6:02pm

Hi

This is the documentation I would follow - the only time I have seen it fail is when I mistype something: http://technet.microsoft.com/en-us/library/dd362553.aspx

1. Download the Trusted Root (CA) certificate.
2. Import the Trusted Root (CA) certificate.
3. Create a certificate template.
4. Add the template to the Certificate Templates folder.
5. Create a setup information file for use with the CertReq command-line utility.
6. Create a request file.
7. Submit a request to the CA.
8. Import the certificate into the certificate store.
9. Import the certificate into Operations Manager using MOMCertImport.

From your errors, Step 2 seems to be missing.

Cheers, Graham

Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
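The checks behind steps 2, 8 and 9 above, and behind the "CA Root certificate is not trusted" message earlier in the thread, can be run from PowerShell on the agent or management server being diagnosed. This is an added example, not a script from the thread or from the Operations Manager product: it builds the certificate chain the way SChannel does, reports whether the issuing CA's public certificate is actually present in the Trusted Root or Intermediate store, confirms the EKUs and private key the OpsMgr certificate needs, and pulls the connector event IDs named in the thread from the Operations Manager log. The registry location of the MOMCertImport selection (ChannelCertificateSerialNumber, serial stored in reversed byte order) is an assumption about SCOM 2007 R2 and may differ on other builds.

```powershell
# Added diagnostic (not from the thread). Run elevated on the box whose certificate
# is suspect. Assumption: MOMCertImport records the chosen serial under this key.
param(
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Which certificate did MOMCertImport select? (assumed registry location)
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$selected = $null
$raw = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if ($raw) {
    [byte[]]$bytes = $raw
    [array]::Reverse($bytes)                      # stored little-endian; store shows big-endian
    $selected = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    "MOMCertImport selected serial: $selected"
} else {
    'No ChannelCertificateSerialNumber found; MOMCertImport has not been run here (or key differs).'
}

# 2. Inspect the computer Personal store, focusing on the selected certificate.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if ($selected -and $cert.SerialNumber -ne $selected) { continue }
    "`n=== $($cert.Subject)  serial $($cert.SerialNumber) ==="

    # The CN must be the FQDN the peer connects to, or mutual auth (21001) fails.
    $cn = (($cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
    "  CN matches local FQDN ($ExpectedFqdn): $($cn -ieq $ExpectedFqdn)"

    # OpsMgr authenticates in both directions, so both EKUs are required.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    "  Server Authentication EKU present: $($ekus -contains $serverAuth)"
    "  Client Authentication EKU present: $($ekus -contains $clientAuth)"

    # A .cer import has no private key; the agent needs the pfx in Personal.
    "  Private key present: $($cert.HasPrivateKey)"

    # Build the chain as SChannel would. Any ChainStatus entry is the
    # 'CA Root certificate is not trusted' condition from the thread.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'  # isolated domains often cannot reach the CRL
    $built = $chain.Build($cert)
    "  Chain builds to a trusted root: $built"
    foreach ($s in $chain.ChainStatus) { "    status: $($s.Status) - $($s.StatusInformation.Trim())" }
    foreach ($el in $chain.ChainElements) { "    element: $($el.Certificate.Subject)" }

    # Step 2 of the procedure: is the issuer's PUBLIC cert in Root or CA (intermediate)?
    foreach ($store in 'Root', 'CA') {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Subject -eq $cert.Issuer }
        "  Issuer '$($cert.Issuer)' found in LocalMachine\$store: $([bool]$hit)"
    }
}

# 3. Recent connector events named in the thread (20000 = unapproved agent on the server side).
$ids = 20000, 20057, 20070, 21001, 21016
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = $ids } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it on the agent first; if the chain does not build and the issuer is missing from both Root and CA, the fix is the one Graham points at (import the CA's public certificate, not the pfx, into Trusted Root Certification Authorities). Run it on the management server as well, since both sides present a certificate and 20000 events only appear there.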
May 3rd, 2012 2:21am

"See this page: http://blogs.technet.com/b/quenguyen/archive/2011/07/13/monitoring-non-domain-servers-using-scom.aspx Especially starting around the section titled On the management server, use the Certificates MMC and that is pretty much exactly what I did...."

Import the chain of certs into the Trusted Root Certificates and Intermediate Certificates stores (only the public part of the certs) on the computer where the agent is installed.
May 3rd, 2012 3:45am

OK - I tried a couple more agents, same problems, started looking in the management server's event logs instead, and I think the problem is the management server. I am getting an occasional 21024 which says:

"OpsMgr's configuration may be out-of-date for management group <mgmt group>, and has requested updated configuration from the Configuration Service. The current (out-of-date) state cookie is "F1 6D C9 7A 37 0F F5 AD 77 18 A2 D0 01 D3 07 C8 B3 B5 9A DB""

Then I am getting TONS of 20022 referencing EVERY system involved with SCOM in some way... I see a 20022 referencing the SCOM DB server... the RMS... one for every agent out there!

"The health service {3BA81C69-0641-5FDA-6312-003FB3AE9474} running on host <somescomrelatedserver> and serving management group <mgmt group> with id {5BFAD2C0-1376-5083-C6FE-B692B13B17BD} is not heartbeating."

So - somehow this server isn't properly tied into the deployment. This particular secondary management server has never had agents on it. It shows up as healthy under Management Servers in the SCOM console, however. I am thinking of uninstalling SCOM on this server and just reinstalling -- any other advice/thoughts? The above errors are the only errors I get after a reboot of the server. Thanks everyone!!!
May 3rd, 2012 4:43pm

Since I think this has turned into a server issue rather than agent communication, I will close this thread and post a new topic, and mark an answer above. Thank you.
May 4th, 2012 4:37pm
