This monitor checks for a valid database certificate on the site database server.
The database machine certificate is used to provide authentication and to encrypt communications between most site system roles (or the provider) and the site database. It is used for direct SQL Server calls to the database instance defined for that site. While the certificate is valid, communication between the site system roles or the provider and the SQL Server is authenticated and encrypted using this certificate. Once the certificate becomes invalid, communication between the site system roles or the provider and the SQL Server is no longer allowed. The database machine certificate is automatically created during installation of the Configuration Manager site server if a machine certificate does not already exist; it expires 30 years after its creation. A database machine certificate may already exist because it was originally issued by a corporate PKI, as dictated by corporate policy.
The database machine certificate becomes invalid in one of several ways:
The database machine certificate is manually deleted from the certificate store.
The database machine certificate has expired.
The security access for the database machine certificate has been altered such that Configuration Manager or the SQL Server is unable to access the certificate.
Configuration Manager automatically corrects this scenario by recreating a self-signed certificate, regardless of whether the original (now invalid) certificate was created by a PKI or by Configuration Manager. The expiration date of the newly created self-signed certificate is 30 years after its creation date. Check hman.log in [Configuration Manager Installation folder]\Logs for further information.
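The three invalidation conditions above (certificate deleted, certificate expired, private key no longer readable by SQL Server) can be checked directly on the site database server before the monitor raises a status message. The following PowerShell script is an added example, not part of this management pack or of Configuration Manager; it assumes the certificate sits in the LocalMachine\My store under the friendly name given in the parameters and that SQL Server runs under the service account given there, so both values are assumptions to adjust for your site. The ACL check only inspects ACEs granted directly to the service account, not rights inherited through group membership.

```powershell
# Added example: health check mirroring the three invalidation conditions described
# above (certificate deleted, expired, or private key not readable by SQL Server).
# Not part of the management pack or ConfigMgr. Run on the site database server
# with administrative rights.
param(
    [string]$FriendlyName         = 'ConfigMgr SQL Server Identification Certificate',  # assumed friendly name
    [string]$SqlServiceAccount    = 'NT SERVICE\MSSQLSERVER',                           # assumed default-instance account
    [int]$WarnIfExpiresWithinDays = 90
)

function Get-PrivateKeyFilePath {
    # Resolves the on-disk private key file so its ACL can be inspected. Returns $null
    # when the current session cannot open the key, which is itself an access problem.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch { return $null }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # Key stored by the CNG key storage provider (machine scope)
        return Join-Path $cryptoRoot ('Keys\' + $rsa.Key.UniqueName)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI key container
        return Join-Path $cryptoRoot ('RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
    }
    return $null
}

function Test-SiteDatabaseCertificate {
    param([string]$FriendlyName, [string]$SqlServiceAccount, [int]$WarnIfExpiresWithinDays)

    $findings = New-Object System.Collections.Generic.List[string]
    $state = 'Good'

    # Condition 1: certificate missing from the store (manually deleted or never created).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $findings.Add("No certificate with friendly name '$FriendlyName' in LocalMachine\My")
        return [pscustomobject]@{ State = 'Error'; Thumbprint = $null; NotAfter = $null; Findings = $findings }
    }

    # Condition 2: certificate expired (Error) or approaching expiry (Warning).
    $now = Get-Date
    if ($cert.NotAfter -le $now -or $cert.NotBefore -gt $now) {
        $findings.Add("Certificate $($cert.Thumbprint) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))")
        $state = 'Error'
    } elseif ($cert.NotAfter -le $now.AddDays($WarnIfExpiresWithinDays)) {
        $findings.Add("Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)")
        $state = 'Warning'
    }

    # Condition 3: the SQL Server service account cannot read the private key.
    if (-not $cert.HasPrivateKey) {
        $findings.Add('Certificate has no associated private key')
        $state = 'Error'
    } else {
        $keyPath = Get-PrivateKeyFilePath -Certificate $cert
        if (-not $keyPath -or -not (Test-Path -LiteralPath $keyPath)) {
            $findings.Add('Private key file could not be located or opened from this session')
            $state = 'Error'
        } else {
            # Direct ACEs only; rights granted via group membership are not resolved here.
            $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
            $readAces = (Get-Acl -LiteralPath $keyPath).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $SqlServiceAccount -and
                (([int]$_.FileSystemRights -band $readData) -ne 0)
            }
            if (-not $readAces) {
                $findings.Add("'$SqlServiceAccount' has no direct Read ACE on private key file $keyPath")
                $state = 'Error'
            }
        }
    }

    [pscustomobject]@{
        State      = $state
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Findings   = $findings
    }
}

$result = Test-SiteDatabaseCertificate -FriendlyName $FriendlyName -SqlServiceAccount $SqlServiceAccount -WarnIfExpiresWithinDays $WarnIfExpiresWithinDays
$result | Format-List
# When State is not Good, hman.log under [Configuration Manager Installation folder]\Logs
# shows whether Hierarchy Manager has already regenerated a self-signed certificate.
```

The script returns Good, Warning or Error in the same spirit as the monitor's three operational states, and lists the reason for any non-Good result; a missing certificate or an unreadable private key point at conditions the self-signed regeneration described above will repair, while an approaching expiry on a PKI-issued certificate is something the PKI team has to renew.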
Target | MECM.SiteServer
Parent Monitor | System.Health.ConfigurationState
Category | ConfigurationHealth
Enabled | True
Alert Generate | True
Alert Severity | MatchMonitorHealth
Alert Priority | Normal
Alert Auto Resolve | True
Monitor Type | MECM.StatusMessage3State.MT
Remotable | True
Accessibility | Public
Alert Message |
RunAs | Default
<UnitMonitor ID="MECM.Database.SQLMachineCert.StatusMessage.Monitor" Accessibility="Public" Enabled="true" Target="MECM.SiteServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="MECM.StatusMessage3State.MT" ConfirmDelivery="true">
  <Category>ConfigurationHealth</Category>
  <AlertSettings AlertMessage="MECM.Database.SQLMachineCert.StatusMessage.Monitor.AlertMessage">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="UIGeneratedOpStateId538fea5689a64ed7b6fa6bd2a8203527" MonitorTypeStateID="Good" HealthState="Success"/>
    <OperationalState ID="UIGeneratedOpStateId0ab3932367314e548f1921661f57577d" MonitorTypeStateID="Warning" HealthState="Warning"/>
    <OperationalState ID="UIGeneratedOpStateId8aa931652b26481680f2c41cf94f4ea5" MonitorTypeStateID="Error" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/PrincipalName$</ComputerName>
    <ComponentName>SMS_HIERARCHY_MANAGER</ComponentName>
    <RuleId>FBCA00DB-7C9D-4d6d-9F84-07C605B31191</RuleId>
    <IntervalSeconds>360</IntervalSeconds>
    <MatchCount>3</MatchCount>
  </Configuration>
</UnitMonitor>