SCOM Agents behind firewall
Hello,
I've 4 Domain Controllers behind a firewall, where I've manually installed SCOM Agents R2. I've opened the following ports 137/UDP, 138/UDP, 139/TCP, 445/TCP, 135/TCP, and 5723/TCP between RMS and Agents bidirectionally. The agents showed up in Pending Management. I approved them. They show as not monitored in the discovered inventory. Any idea why?
In my Active Alerts I see a Failed to Connect and Heartbeat Failure alert for these servers. Ping is not allowed so I can understand these two alerts. However, what I cannot understand is why they are showing as not monitored?
I've seen all blogs/previous posts related to monitoring agents behind a firewall, and opened the ports accordingly. Am I missing something? These DCs are in the same AD.
Thanks, Harry :-)
May 4th, 2011 8:46am
For SCOM the only port you need for manually installed agents is port 5723 from the agents (DCs) to the management servers.
I suppose this is open, so I'm guessing you have a problem with mutual authentication. You can easily see this by restarting an agent on a DC and looking at the OpsMgr log on the DC. It will show an authentication failure (if that's not the issue, probably another cause is mentioned here).
Rob Korving
http://jama00.wordpress.com/
May 4th, 2011 9:28am
Hi Harry
Have you manually installed ooMads.msi (AD Helper object) and also run HSLockdown on the manually installed domain controllers?
http://thoughtsonopsmgr.blogspot.com/2009/09/hslockdown-explained.html
http://thoughtsonopsmgr.blogspot.com/2010/10/eventid-10-active-directory-helper.html - for push installs through a Management Server, the AD Helper object automatically gets installed. But for manual agent installs you need to copy oomads.msi to the server and run it manually.
Cheers
Graham
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 4th, 2011 9:28am
Actually, oomads isn't needed for the discovery of a DC (in fact a DC discovery is done at a way lower level anyway) and you don't have to manually install it. Just place it in a certain directory (at least for "system" profiles). But it might also be DCs not belonging to the same forest, so "AD" discovery will always fail:
http://jama00.wordpress.com/2010/01/26/monitoring-multiple-active-directory-forests-without-a-trust/
Rob Korving
http://jama00.wordpress.com/
May 4th, 2011 9:34am
Hi Rob
I'm not sure that Discovery as such is failing - the agents show up in Discovered inventory. The agents also showed up in pending install and were approved so that, to me, suggests the same Forest. Especially as the original poster states - "These DCs are in the same AD."
Harry - can you telnet <RMS> 5723 (you might well not have telnet installed on the domain controllers but if you have it is a good check of the firewall configuration although I suspect it is fine as you could approve the agent installs).
Make sure you run HSLockdown to allow the agent action account (local system by default) to have sufficient rights on the Domain Controllers.
http://thoughtsonopsmgr.blogspot.com/2009/09/hslockdown-explained.html
Also, could you confirm if there are any errors in the Operations Manager event logs on any of the Domain Controllers, or errors in the Operations Manager event log on the RMS that relate to these domain controllers (a device that is not part of this management group has tried to connect)?
Finally, do you have any secondary management servers? Are the firewall rules also configured for these?
Cheers
Graham
PS If you want to do AD monitoring, then you will need to run through this regarding ooMads.msi
http://thoughtsonopsmgr.blogspot.com/2010/10/eventid-10-active-directory-helper.html
View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
May 4th, 2011 9:59am
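A PowerShell script that automates the checks Rob and Graham describe above (port 5723 reachability to the management server, recent errors in the Operations Manager event log after a Health Service restart, and the accounts on the HSLockdown allow list). This is an added example, not code from the thread; the management server name, management group name and the HSLockdown.exe path are placeholders/assumptions to adjust for your environment, and it is meant to be run on a domain controller where the agent was installed manually.

```powershell
# Added diagnostic script (not from the thread). Assumptions: the management
# server hostname, the management group name and the agent install path are
# placeholders; adjust them before running on a manually installed agent.
param(
    [string]$ManagementServer = "RMS01.example.local",   # placeholder
    [int]$Port = 5723,
    [string]$ManagementGroup = "MG_PLACEHOLDER",          # placeholder
    [int]$HoursBack = 2
)

# 1. TCP reachability of the agent-to-management-server channel (replaces the
#    "telnet <RMS> 5723" check, which needs the Telnet client feature installed).
function Test-OpsMgrPort {
    param([string]$Server, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $TcpPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# 2. Recent errors/warnings in the Operations Manager event log. Mutual
#    authentication failures and "not part of this management group" errors
#    land here after the Health Service (System Center Management) is restarted.
function Get-OpsMgrRecentErrors {
    param([int]$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = "Operations Manager"
        Level     = 2, 3           # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# 3. Which accounts HSLockdown currently allows to run the Health Service.
function Get-HSLockdownAllowList {
    param([string]$MG)
    $exe = Join-Path $env:ProgramFiles "System Center Operations Manager 2007\HSLockdown.exe"  # assumed agent path
    if (Test-Path $exe) { & $exe $MG /L } else { "HSLockdown.exe not found at $exe" }
}

"Port $Port to $ManagementServer reachable: $(Test-OpsMgrPort $ManagementServer $Port)"
"Health Service state: $((Get-Service HealthService).Status)"
Get-HSLockdownAllowList $ManagementGroup
Get-OpsMgrRecentErrors $HoursBack | Format-Table -AutoSize -Wrap
```

If the port test succeeds but the event log shows authentication failures, the firewall is fine and the problem is mutual authentication or the action account's rights, which is what HSLockdown (or a Run As profile) addresses.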
For manually installed agents (assuming the AD profile has sufficient rights) only step 3 is needed. The rest will be done automatically.
Rob Korving
http://jama00.wordpress.com/
May 4th, 2011 10:14am
Telnet not installed so couldn't check. I did a workaround for HSLockdown by creating a Privileged Monitoring Account and Run As profile and adding these DCs into it. Recycled System Center Management and they are showing Healthy :-)
Am still not sure if I need AD monitoring so did not run ooMads.msi yet.
Thanks Graham and Rob.
Thanks, Harry :-)
May 4th, 2011 10:47am