SCOM Agent Installation for Lync Edge Server - Certificate Error

When you export the cert with the private key, you need to check "Include all certificates in the certification path if possible" as well.

If there is a Root CA with a Sub CA beneath it, you will need that cert as well. After doing this, you will most likely be able to import the cert once again with MOMCertImport and then see the monitoring taking place.

See here, and especially number 6: https://technet.microsoft.com/en-us/library/cc754329.aspx

If the Edge server is outside of your Domain B, then you don't have to do anything with your GW server. Just import the complete certificate chain described above and then make sure port 5723 is open in both directions and you should be fine.

September 8th, 2015 3:27am

Hi All,

I have the following design in our SCOM environment,

The SCOM 2012 R2 Management Server belongs to Domain A, and the Gateway belongs to Domain B. I don't have a trust between Domain A and B, so the authentication between the MS and GW is done via certificate and MOMCertImport. It is working fine: the GW is able to relay all nodes connected to it to the Management Server, and I am able to view status/reports of all systems whose primary management server is the gateway.

I have a Lync edge server, which does not belong to Domain B. I have installed the agent manually and did the certificate steps on the edge server. After adding the certificate (from the Ops Manager template) to the edge, the manually installed agent appears in Pending Management in SCOM; I can approve it and it goes to "Agents Managed". But no heartbeat occurs.

On the edge server I can see below events/alerts:

20067, 20071, 21002 and 21016.

20067 says: A device with IP GW:5723 attempted to connect but the certificate presented by the device was invalid. The connection from the device has been rejected. The failure code on the certificate was 0x800B010A (A certificate chain could not be built to a trusted root authority).

I can confirm that the Domain B CA certificate is installed in the Trusted root certificate authorities under Local Computer account on edge.

One thing which is confusing to me is: does MOMCertImport have to run only on the Edge Server, and not on the gateway (again?)?

Because while I was integrating the GW and the SCOM MS, I downloaded a certificate from the Domain A CA (Ops Manager template), imported it into the gateway and ran MOMCertImport for that certificate.

If I run MOMCertImport again on the gateway for the certificate from Domain B, it simply breaks the communication between the SCOM MS and the Gateway.



  • Edited by Hasnain_Raza Tuesday, September 08, 2015 6:47 AM
September 8th, 2015 6:44am

Hi Daniel,

If we export the certificate from the Personal store of the edge/workgroup server with the whole chain included, MOMCertImport throws an error regarding "Catastrophic Failure".

The port 5723 is already open, as I can telnet on this to GW.

September 8th, 2015 7:37pm

Hey Guys,

I was able to resolve it; the issue was the certificate on the Gateway.

I had to re-enroll the Gateway with the Domain B certificate authority, with client/server authentication, and run MOMCertImport for this new certificate. Everything is fine now, and the Edge is in SCOM under Lync Servers. :) Great.

September 8th, 2015 9:14pm

  • Marked as answer by Hasnain_Raza Wednesday, September 09, 2015 1:13 AM
September 9th, 2015 1:13am
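The two fixes in this thread (import the complete chain so the edge can build a path to a trusted root, give the gateway a certificate with both Server and Client Authentication, and have 5723 open both ways) can be checked before MOMCertImport is run. The script below is an added example, not code from the thread or from Microsoft; it uses .NET's X509Chain to reproduce the 0x800B010A condition the Health Service logs in event 20067. The subject filter and the peer host name are placeholders (assumptions), and it should be run in an elevated PowerShell on the machine that owns the certificate (edge or gateway).

```powershell
# Added example, not from the thread. Pre-flight check for a SCOM gateway/agent certificate
# before running MOMCertImport. $SubjectMatch and $PeerHost are assumed placeholders,
# not values from the original posts.
param(
    [string] $SubjectMatch = 'scomgw.domainb.example',   # part of the cert Subject CN (assumed)
    [string] $PeerHost     = 'lyncedge.example',          # the other end of the 5723 link (assumed)
    [int]    $Port         = 5723                          # SCOM agent/gateway channel
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$problems   = New-Object System.Collections.Generic.List[string]

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in Cert:\LocalMachine\My" }
"Checking $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"

# 1. Private key: MOMCertImport needs it, so the PFX must have been exported with the key.
if (-not $cert.HasPrivateKey) { $problems.Add('No private key; re-export as PFX with the key included.') }

# 2. Key Usage and EKUs. The same certificate is presented as server (inbound 5723) and as
#    client (outbound 5723), which is why the gateway needed client AND server authentication.
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$needKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if ($ku -and (($ku.KeyUsages -band $needKu) -ne $needKu)) {
    $problems.Add("Key Usage is '$($ku.KeyUsages)'; need DigitalSignature and KeyEncipherment.")
}
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($oid in @($serverAuth, $clientAuth)) {
    if ($ekuOids -notcontains $oid) {
        $problems.Add("Missing EKU $oid (both Server and Client Authentication are required).")
    }
}

# 3. Chain building. This is the 0x800B010A test from event 20067: the chain must end in a
#    root present in the Local Computer Trusted Root store, with every Sub CA available locally.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain construction only; revocation is a separate check
$built = $chain.Build($cert)
'Chain as built on this machine:'
$chain.ChainElements | ForEach-Object { "  $($_.Certificate.Subject)" }
if (-not $built) {
    $status = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    $problems.Add("Chain does not build: $status. Import the Root CA into Cert:\LocalMachine\Root and any Sub CA into Cert:\LocalMachine\CA.")
}

# 4. TCP 5723 towards the peer. Run the same script on the peer pointing back at this host,
#    because the port has to be open in both directions.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $ar = $tcp.BeginConnect($PeerHost, $Port, $null, $null)
    if (-not ($ar.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected)) {
        $problems.Add("TCP $Port to $PeerHost is not reachable from here.")
    }
} catch { $problems.Add("TCP $Port to $PeerHost failed: $($_.Exception.Message)") }
finally { $tcp.Close() }

if ($problems.Count) { 'PROBLEMS:'; $problems | ForEach-Object { " - $_" }; exit 1 }
'Certificate and connectivity checks passed; safe to run MOMCertImport and restart HealthService.'
```

A PartialChain or UntrustedRoot status in step 3 is the same condition the edge logged in event 20067, and the printed chain shows which issuer is missing from the local stores. Once the script passes on both ends, run MOMCertImport against the leaf certificate and restart the Microsoft Monitoring Agent service (Restart-Service HealthService) so the new certificate is picked up.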
