Part 1. Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012; the complete story


The following posts describe how to monitor SCOM clients which are not members of the Kerberos domain.
Monitoring these “non-domain member” servers requires several steps. This is the first post in my series about monitoring untrusted clients.
The description provided is ‘from the ground up’. If you have already completed some of the steps, you can skip ahead to the next section.

NOTE: If there is already an Enterprise CA in place, continue to Part 2!

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Roll out a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server


– Install a Root Certification Authority
For most organizations, a root certification authority (CA) certificate is the first Active Directory Certificate Services (AD CS) role service that you install.
These steps describe how to install an Enterprise Root Certification Authority on Windows 2012.

– To install a root CA
1. Open Server Manager, click Add Roles and Features, click Next, and click Active Directory Certificate Services. Click Next two times.
2. Select the server on which you want to install the role and click Next.

3. On the Select Role Services page, click Active Directory Certification Authority. Click Next three times.
4. Choose the following role services: Certification Authority, Certificate Enrollment Web Service and Certification Authority Web Enrollment. Click Next three times.

5. On the last page, check the settings and choose Install.
6. After the installation has finished successfully, restart the machine.
– To configure the root CA
1. Open Server Manager, click AD CS.
2. In the “Configuration required for Active Directory Certificate Services” notification, choose More.
3. Choose Configure Active Directory Certificate Services on the destination server.

4. Check the credentials and click Next.
5. Select Certification Authority and Certification Authority Web Enrollment and click Next (we will cover web enrollment later).

6. Choose Enterprise Root CA, click Next.
7. In the CA Type section, choose Root CA and click Next.
8. Choose Create a new private key and click Next.
9. Specify the cryptographic options for the CA (we left them at the default) and click Next.

10. Fill in the Common name for this CA; tip: use a logical name (we used Enterprise-CA). Click Next.
11. Choose the Validity Period and click Next two times (we left it at the default).
12. Check the Confirmation page and choose Configure.
13. When asked “Do you want to configure additional role services?”, choose Yes.
14. Click Next and now choose the Certificate Enrollment Web Service.
15. Click Next three times, and in the Specify Service Account section choose the service user which is a member of the IIS_IUSRS group (this group is in Active Directory), then click Next.
16. Select the Enterprise CA and click Next.
17. Check the Confirmation page and choose Configure.
OK, we have finished installing the Enterprise Root CA.
Now we are going to secure the certificate web site with HTTPS, because this is necessary for web enrollment.
18. In IIS Manager, click Server Certificates, then Create Self-Signed Certificate.

19. Give it a friendly name (in our case we used demo-dc01) and click OK.
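The same build, scripted with the AD CS deployment cmdlets on Windows Server 2012, as an added example that is not part of the original post. The CA name Enterprise-CA, the host name demo-dc01.contoso.local and the service account are assumed placeholder values; the post keeps the cryptographic defaults, while this script sets RSA 2048 / SHA-256 explicitly so the root certificate is not signed with SHA-1.

```powershell
# Added example (not from the original post). Placeholders: CA name,
# host name and the CES service account; adjust them to your environment.
Import-Module ServerManager

# Steps 1-6: install the role services (CA, Web Enrollment, Enrollment Web Service).
# A restart may be required before the CA can be configured.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Enroll-Web-Svc `
    -IncludeManagementTools

# Steps 6-12: Enterprise Root CA with a new private key.
# SHA-256 / RSA 2048 chosen here instead of the wizard defaults (assumption).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Enterprise-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Step 5: Certification Authority Web Enrollment (the /certsrv pages).
Install-AdcsWebEnrollment -Force

# Steps 18-19: self-signed server certificate and an HTTPS binding in IIS,
# matching the post; its thumbprint is reused for the Enrollment Web Service.
$sslCert = New-SelfSignedCertificate -DnsName 'demo-dc01.contoso.local' `
    -CertStoreLocation 'cert:\LocalMachine\My'
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$sslCert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Steps 13-17: Certificate Enrollment Web Service under the service account
# that is a member of IIS_IUSRS. CAConfig is "<host>\<CA common name>".
$svcCred = Get-Credential -Message 'Service account for the Enrollment Web Service'
Install-AdcsEnrollmentWebService `
    -CAConfig 'demo-dc01.contoso.local\Enterprise-CA' `
    -SSLCertThumbprint $sslCert.Thumbprint `
    -AuthenticationType Kerberos `
    -ServiceAccountName $svcCred.UserName `
    -ServiceAccountPassword $svcCred.Password `
    -Force
```

Run it in an elevated PowerShell session as a member of Enterprise Admins; the same cmdlets are what the Server Manager wizard calls behind the scenes.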

We can now continue to the second part:
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM