SCOM 2012 agent or gateway certificate issue

After we were stuck for several weeks, the resolution to this problem was actually found by my colleague Jens Van Hove, so all credit goes to him 😉

Special thanks to Kurt Van Hoecke for providing a wall to bounce some ideas off.

To start from the beginning: we had a problem adding a Windows Server 2012 machine to our SCOM 2012 SP1 monitoring environment when using a certificate-based trust. Whether as an agent-monitored machine or a SCOM gateway, if the managed server is located in a different domain than the management server, the problem was identical in both cases. Deploying the agent and installing the SCOM agent certificate goes well, but when you try to add the server to the environment to effectively start monitoring, you get an error stating that the certificate is not trusted. Using a browser to verify the certificate trusts reveals no issues. The chain is trusted and all root and intermediary certificates are in place. After we tried re-installation, renewing certificate templates and even temporarily bypassing the Cisco firewall between both machines, we still came no closer to a solution.

But by accident, when searching on the different event IDs in the event logs, we came across a …

HyperV Server 2012 R2 – Shared VHDX (TechEd Europe part 3)

When building Windows Clusters, one of the least flexible requirements has always been the centralised storage. iSCSI disks, for example, were needed as a quorum / witness resource and to put your application data on. In modern scenarios with multi-tenant environments, that is however not something a storage admin gets happy or excited about. LUNs have to be masked, storage firewalls have to be used (for example to prevent a client machine from using ports other than the allowed iSCSI ports) or even CHAP authentication has to be implemented.

In our own hosting environment there’s a storage firewall cluster in place with its own frontend and backend VLANs and physically dedicated ethernet cabling (to make sure storage traffic would never be able to impact frontend applicative traffic and client request performance). A costly investment…

Windows Server 2012 R2 – Storage tiering (TechEd Europe – part 2)

One of the features I told you about earlier is the new storage tiering. Since the near death of fileservers in favour of storage area networks, the use cases in which an environment would draw its storage from a server farm have been limited, except for the lower part of the SMB segment. Understandably, Microsoft wants to get back onto that market and comes up with new features to get Windows storage server farms back in the picture.

The first feature is the automatic storage tiering. When having to cope with increased IOPS there are a few options:

  • Increasing the number of disk spindles, preferably without increasing the amount of data on those disks, so you’re going to use smaller capacity disks or leave a lot of disk space unused.
  • Buying more expensive disks (e.g. moving from SATA to SAS to FC to SSD)
  • Buying some expensive disks and using them only for …

Windows Server 2012 R2 – User centric IT and BYOD (TechEd Europe – part 1)


In the bring-your-own-device trend, there were still a few disadvantages over domain joined machines. Access to resources had to be very well thought out. In the R2 release of Windows Server 2012 there’s now an interesting new feature called “workspace join”. In combination with products like Windows Intune or System Center Configuration Manager 2012 R2 it is now possible to add workgroup devices to Active Directory without needing a domain join. So the original user is still full owner of the device. Home PCs, tablets or smartphones: devices can be added to the Active Directory by using the workspace join to create a certificate-based secure trust. Those certificates can be organised into multiple certificate templates and managed centrally.

To make sure that a device being added is not in malicious hands, a 2nd factor authentication request is sent to the …

SCOM alert – Max concurrent API reached

EDIT (11/03/2014): 2nd possible cause found for the SCOM alert and added to the article (at the bottom).

If you have a recently patched Operations Manager environment, then the current version of the basic OS management pack includes new intelligence to check for problems due to the maximum number of NTLM or Kerberos PAC password validations a particular server can handle at a time.

Performance issues: these can be veeery hard to troubleshoot due to the large number of variables in your environment (from storage to networking to server hardware or virtualization performance etc.). If you had your storage engineers, your network specialists and your HyperV or VMware gurus run all the tests they can think of, try to look at the following as well (or better: SCOM could have done it preventively already 😉).

Besides performance issues, which are not only difficult but also often subjective, you can see some strange application behaviour. …

Windows Server 2012 R2 – what’s new?

Microsoft just announced the R2 update of Windows Server 2012. Although 2012 was already another big step from 2008 R2 and very feature complete, there’s always room for improvement… and with the previous 3 releases I must admit I have been very pleasantly surprised each time with more ease of use, features and stability.

So what can we look forward to? These are my favorites:

1. Further stability and performance progress with HyperV

  • Some annoying shortcomings compared to market leader VMware are finally getting crushed: previously memory thin provisioning was already a major jump forward, but now we’re also getting live virtual disk expansion, and shared ISOs should no longer block live migration.
  • Shared VHDX is paving the way for virtual cluster disks. Finally we can back up clusters through the hypervisor with products like Veeam, as the current setup with iSCSI disks still had to be backed up through pain-in-the-ass agent-based backups or storage snapshotting while the rest of all your servers were nicely snapshotted and backed up with a 100% success ratio. …

(work in progress)


I just launched this blog on 3 June 2013. Only a few finished posts but bear with me: there’s a lot more in the pipeline 😉