SCOM 2012 R2/SCOM 2016: How to add additional management server when TLS1.2 is enabled

Introduction

TLS 1.2 is the protocol version Microsoft recommends for SCOM communication. SSL and early TLS (1.0 and 1.1) are not considered strong cryptography and cannot be used as a security control. Microsoft added official TLS 1.2 support in SCOM 2012 R2 with Update Rollup 14 (UR14) and in SCOM 2016 with Update Rollup 4 (UR4); later versions of SCOM include it as well.

You can find more details in the System Center 2016 TLS 1.2 Configuration article.

SCOM configuration

This article covers the following SCOM configuration:

  1. SCOM 2016 with UR4 installed.
  2. TLS 1.2 enabled so that the SCOM 2016 environment uses only TLS 1.2 (TLS 1.0 and 1.1 disabled in SCHANNEL).

The requirement is to add an additional management server to this SCOM 2016 UR4 management group while TLS 1.2 is the only enabled protocol.

Before adding the additional management server, make sure you have a current full backup of the following databases:

  • OperationsManager
  • OperationsManagerDW

Error message indicators

  • Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.
  • Exception Error Code: 0x80131500
  • The Data Access service is either not running or not yet initialized.
  • TCP error code 10061

Error details

When we tried to add the additional management server, setup failed with the error shown below.

Looking at OpsMgrSetupWizard.log (written to %LOCALAPPDATA%\SCOM\Logs on the server running setup), we found the following entries.

[21:17:50]: Info: :Info:trying to connect with server SCOMMS12016.MAHARAJ.COM

[21:17:53]: Info: :Info:Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.

[21:17:53]: Error: :Couldn't connect to mgt server stack: : Threw Exception.Type: Microsoft.EnterpriseManagement.Common.ServiceNotRunningException, Exception Error Code: 0x80131500, Exception.Message: The Data Access service is either not running or not yet initialized. Check the event log for more information.

[21:17:53]: Error: :StackTrace: at Microsoft.EnterpriseManagement.Common.Internal.ExceptionHandlers.HandleChannelExceptions(Exception ex)

 at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)

 at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.ConstructEnterpriseManagementGroupInternal[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore clientCallback)

 at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.RetrieveEnterpriseManagementGroupInternal[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore callbackDispatcherService)

 at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.Connect[T,P](EnterpriseManagementConnectionSettings connectionSettings, ClientDataAccessCore callbackDispatcherService)

 at Microsoft.EnterpriseManagement.ManagementGroup.InternalInitialize(EnterpriseManagementConnectionSettings connectionSettings, ManagementGroupInternal internals)

 at Microsoft.EnterpriseManagement.ManagementGroup.Connect(ManagementGroupConnectionSettings connectionSettings)

 at Microsoft.EnterpriseManagement.OperationsManager.Setup.ReportingComponent.GetExistingManagementServerFromOMDB(String omSQLServer, Nullable`1 omSqlPort, String omDatabaseName, String& firstWorkingManagementServer)

[21:17:53]: Error: :Inner Exception.Type: System.ServiceModel.EndpointNotFoundException, Exception Error Code: 0x80131500, Exception.Message: Could not connect to net.tcp://server.domain.root:5724/DispatcherService. The connection attempt lasted for a time span of 00:00:01.0022881. TCP error code 10061: No connection could be made because the target machine actively refused it xxx.xxx.xxx.xxx:5724.

[21:17:53]: Error: :InnerException.StackTrace:

Server stack trace:

We got the above errors because an additional SCOM 2012 R2 or SCOM 2016 management server is installed from the original setup media, and that media predates the update rollup that added TLS 1.2 support (UR14 for SCOM 2012 R2, UR4 for SCOM 2016). Setup therefore has no way to talk to the existing management group over TLS 1.2 only, and its connection to the SDK (Data Access) endpoint on port 5724 fails. Note that TCP error 10061 (connection actively refused) means nothing accepted the connection on that port at all, so before changing any protocol settings also confirm that the System Center Data Access Service is running on the existing management server and that port 5724 is not blocked between the two machines.

So, to add an additional management server to an existing management group, TLS 1.0 must be temporarily re-enabled on all SCOM management servers and on the SCOM SQL database servers for the duration of the installation. TLS 1.0 is a weak protocol; treat this as a short maintenance-window exception and disable it again as soon as the new server is installed and updated (see the end of this article).

How to enable TLS 1.0 (temporarily):

  1. Start Registry Editor. To do this, right-click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey (note the space in the key name):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0

Under TLS 1.0 there are Client and Server subkeys (create them if they do not exist). To enable the protocol, create the following DWORD values under both the Client and the Server key:

DisabledByDefault = 0

Enabled = 1

  3. Restart the system. SCHANNEL settings are read at boot, so the change does not take effect until the server has restarted.

Repeat these steps on every SCOM management server and on the SQL servers hosting the OperationsManager and OperationsManagerDW databases.
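The same change as an added PowerShell example (this script is not part of the original article or of any Microsoft tooling): it applies the TLS 1.0 Client/Server values described above, prints the state of every SCHANNEL protocol key so you can verify the change on each server, and includes a plain TCP check against port 5724 to distinguish the 10061 refusal seen in the setup log from a protocol negotiation failure. The management server name is taken from the log excerpt above; the Test-NetConnection cmdlet assumes Windows Server 2012 R2 or later, and the session must be elevated.

```powershell
# Added example, not part of the original article: toggle the SCHANNEL TLS 1.0 keys
# with PowerShell instead of regedit so the same change can be applied identically to
# every management server and SQL server. Run elevated; a reboot is still required.

$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    # Enabled=1 / DisabledByDefault=0 turns a protocol on for both the Client and
    # Server side; Enabled=0 / DisabledByDefault=1 turns it off.
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $ProtocolsRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enable) `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Lists Enabled / DisabledByDefault for every protocol and side. '(not set)'
    # means Windows uses its built-in default for that protocol version.
    foreach ($proto in $ProtocolNames) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $ProtocolsRoot "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            $enabled  = '(not set)'
            $disabled = '(not set)'
            if ($props -and $null -ne $props.Enabled)           { $enabled  = $props.Enabled }
            if ($props -and $null -ne $props.DisabledByDefault) { $disabled = $props.DisabledByDefault }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}

function Test-SdkPort {
    # The setup log reports "TCP error code 10061 ... actively refused" on port 5724,
    # the SDK (Data Access) service endpoint. A TCP-level check separates a service that
    # is not listening (or a blocked port) from a TLS version mismatch, which would
    # connect at the TCP level and then fail during the handshake.
    param([Parameter(Mandatory)][string]$ManagementServer, [int]$Port = 5724)
    $result = Test-NetConnection -ComputerName $ManagementServer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $ManagementServer; Port = $Port; TcpOpen = $result.TcpTestSucceeded }
}

# 1. Before running setup: temporarily re-enable TLS 1.0 (weak protocol; undo it afterwards).
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $true
Get-SchannelProtocolState | Format-Table -AutoSize
Test-SdkPort -ManagementServer 'SCOMMS12016.MAHARAJ.COM'   # name taken from the setup log above
# Restart-Computer                                        # required before the change takes effect

# 2. After the new management server is installed and brought to the same update rollup
#    level as the rest of the management group, disable TLS 1.0 again on every server:
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
# Restart-Computer
```

Run the script on each management server and SQL server, reboot, and only then start the management server setup. Keep the output of Get-SchannelProtocolState from before the change so you can confirm every server is back to TLS 1.2 only once the installation is finished.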

Now select Management server and click next.

You can keep the default directory, or you can change it to a different directory and click next.

Now click next.

Select Add a management server to an existing management group and click next.

Accept the license agreement.

Now provide the SQL server instance name and select the SCOM OperationsManager database and click next.

Now provide the management server action account and SDK account details and click next.

On the diagnostic and usage data page, click Next.

On the Microsoft Update page, select Off and click Next.

Now click on install after verifying all the inputs we have provided earlier.

Once the installation has completed successfully, update the new management server to the same update rollup level as the rest of the management group (UR14 or later for SCOM 2012 R2, UR4 or later for SCOM 2016), then disable TLS 1.0 again on every management server and SQL server so that the environment uses only TLS 1.2. Follow the System Center 2016 TLS 1.2 Configuration article to configure TLS 1.2, and verify the SCHANNEL settings on each server rather than assuming the earlier change was reverted.