Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server

Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server

The following posts are based on how to monitor SCOM clients which are not member of the Kerberos domain. To monitor these “non-domain member” servers it requires some steps. This is the third of my series about monitoring.
The description which is provided ‘from the ground up’.

This section explains how to install SCOM certificates, configure SCOM and monitor an untrusted agent.

In this serie of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012 
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
 
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

Five steps to complete this operation:
1. Open TCP ports 5723 from the target server to the MS server.
2. Install the Root CA certificates
3. Install the Client certificates
4. Manual install of agents and run the momcertimport on servers to be monitored
5. Import the Certificate on the Management servers
6. Approve agents in SCOM console

– Rollout an agent to a untrusted server; without a gateway server.
This scenario describes how to install an untrusted agent on Windows 2008 R2 X64 The environment is an un-trusted domain.

Step 1. Open TCP ports 5723 from the target server to the management server
-1. Open the port 5723 from the client machine to the Management server
-2. Go to the untrusted machine and open the command prompt
-3. In the command prompt type telnet x.x.x.x 5732 (note that x.x.x.x must be the ip address of the management server)
If everything is working continue to the next step, if not, be sure that the firewall is open and is passing port 5723 to the SCOM server.

Step 2. On the unmanaged Server – Lets install the Root CA certificate
This step has only be executed the first time if you have ran this in the past skip this step
1. From the untrusted agent start the Internet Explorer
2. Go to the certificate server website (in our case http://demo-dc01/certsrv)

-3. Click on Download CA certificate, certificate chain, or CRL
4. Click Download CA Certificate chain and save it on the machine.
-5. Once the certificate is downloaded, Open an MMC connect to Local Computer and load the certificates snap-in (Local Computer)
-6. Go to Trusted Root Certification Authorities right click, all tasks, import and import the Root CA.

Step 3. On the unmanaged Server – Install the client certificates
1. From the untrusted agent start the Internet Explorer
2. Go to the certificate server website (in our case http://demo-dc01/certsrv)

-3. Click on Request a certificate, choose Advanced certificate request next click Create and submit a request to this CA
4. Choose the OpsMgr Certificate template, in the name tab choose the FQDN  name of the machine and fill in the same name in the friendly name.


-5. Click Finish and Install the Certificate

Once the certificate it is stored in the personal certificate store. The OpsMgr certificate need to be in the Computer store so we have to do the following steps:

-6. Click Start, click Run, type MMC,
-7. On the File menu, click Add/Remove Snap-in Click Add Click Certificates, and then click Add Select Personal Store and Computer account, and then click Finish
-8. Export the certificate from the personal store and import it to the Local Computer Store (NO DRAG AND DROP)
-9. Remove the certificate from the local user store.
-10. Make sure that both the agent managed machine and the SCOM server are reachable on hostname (just ping). If it’s not working add the machines in DNS or in the Hostfile (C:\Windows\System32\Drivers\ETC\Host).
-11. From the host which you are going to monitor make sure port 5723 is open to the SCOM management server

Step 4. Lets install the Root CA certificate
– This step has to be executed on every non domain monitored server.
– NOTE: Also run this step (Step 4) once – on all the SCOM management servers this because the SCOM management servers need an client certificate.

This step has only be executed the first time if you have ran this in the past skip this step
1. From the untrusted agent start the Internet Explorer
2. Go to the certificate server website (in our case http://demo-dc01/certsrv)
-3. Click on Download CA certificate, certificate chain, or CRL
4. Click Download CA Certificate chain and save it on the machine.
-5. Once the certificate is downloaded, Open an MMC connect to Local Computer and load the certificates snap-in (Local Computer)
-6. Go to Trusted Root Certification Authorities right click, all tasks, import and import the Root CA.

-7. From the untrusted agent start the Internet Explorer
-8. Go to the certificate server website (in our case http://demo-dc01/certsrv)
-9. Click on Request a certificate, choose Advanced certificate request next click Create and submit a request to this CA
-10. Choose the OpsMgr Certificate template, in the name tab choose the FQDN  name of the machine and fill in the same name in the friendly name.
-11. Click Finish and Install the Certificate

Once the certificate it is stored in the personal certificate store. The OpsMgr certificate need to be in the Computer store so we have to do the following steps:

-12. Click Start, click Run, type MMC,
-13. On the File menu, click Add/Remove Snap-in Click Add Click Certificates, and then click Add Select Personal Store and Computer account, and then click Finish
-14. Export the certificate from the personal store and import it to the Local Computer Store (NO DRAG AND DROP)
-15. Remove the certificate from the local user store.
-16. Make sure that both the agent managed machine and the SCOM server are reachable on hostname (just ping). If it’s not working add the machines in DNS or in the Hostfile (C:\Windows\System32\Drivers\ETC\Host).
-17. From the host which you are going to monitor make sure port 5723 is open to the SCOM management server
-18. Next step is make sure new agents are not rejected. We go to the SCOM console, Administration, Settings, Security

Import the Certificate on the SCOM Management servers
-20. Go to the copied support tools directory and run MOMCertimport.exe
-21. Select the imported certificate and click OK
-22. Make sure the import was successful

Step 5. On the unmanaged Server – Manual install of agents and run the momcertimport on servers to be monitored
-1. From the Windows untrusted machine go to the OpsMgr agent installation directory (Default) \\DISK\Program Files\System Center 2012\Operations Manager\Server\AgentManagement\ in the AMD64 or i386 or if not available copy the directory to the untrusted machine. Open Momagent.MSI and install the agent.
-2. Also copy the support tools directory from the SCOM ISO to the local machine.
-3. Fill in the proper settings for the monitoring group (we used the settings below.

-3. We prefer using the Local System account. Choose Next and Install
4. If necessary update the agent with the required updates.
-5. Next on the client machine open the Command Prompt (Run As Administrator)
-6. Go to the copied support tools directory and run MOMCertimport.exe

-7. Select the imported certificate and click OK
8. Make sure the import was successful


Step 6. Approve agents in SCOM console
Just a quick note that it can take a while before the machine shows op in the console
-1. Open the SCOM Console, Administration, Pending Management
-2. Right click the machine and click Approve

That’s it; the server/workstation is now monitored.

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server