Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

The following posts are based on how to monitor SCOM clients that are not members of the Kerberos domain. Monitoring these "non-domain member" servers requires a number of steps. This is the first of my series about monitoring.

Use the procedures in this topic to obtain a certificate from a stand-alone Windows Server 2008–based computer hosting Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

The high-level process to set up a Gateway server is as follows:
1. Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management servers
2. Register the Gateway with the Management Group
3. Install the Gateway Server
4. On the Gateway Server – Let's install the Root CA certificate
5. On the Gateway Server – Install the client certificates
6. Optional: Configure Gateway Servers for Failover Between Management Servers

Step 1. To copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to SCOM management servers
1. From a target management server, open the Operations Manager installation media \SupportTools directory.
2. Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager installation directory.

Step 2. Registering the Gateway with the Management Group on the SCOM management servers
This procedure registers the gateway server with the management group, and when this is completed, the gateway server appears in the Discovered Inventory view of the management group.

To run the gateway Approval tool
1. On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
2. Open a command prompt and navigate to the Operations Manager installation directory, or to the directory to which you copied Microsoft.EnterpriseManagement.gatewayApprovalTool.exe.
3. At the command prompt, run:
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
4. If the approval is successful, you will see "The approval of server <GatewayFQDN> completed successfully."
5. If you need to remove the gateway server from the management group, run the same command, but substitute the /Action=Delete flag for the /Action=Create flag.
6. Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present.

Step 3. Installing Gateway Server
This procedure installs the gateway server. The server that is to be the gateway server should be a member of the same domain as the agent-managed computers that will be reporting to it.
Note: An installation will fail when starting Windows Installer (for example, installing a gateway server by double-clicking MOMGateway.msi) if the local security policy User Account Control: Run all administrators in Admin Approval Mode is enabled.

To run Operations Manager Gateway Windows Installer from a Command Prompt window
1. On the Windows desktop, click Start, point to Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the Administrator: Command Prompt window, navigate to the local drive that hosts the Operations Manager installation media.
3. Navigate to the directory where the .msi file is located, type the name of the .msi file, and then press ENTER.
4. From the Operations Manager installation media, start Setup.exe.
5. In the Install area, click the Gateway management server link.
6. On the Welcome screen, click Next.
7. On the Destination Folder page, accept the default, or click Change to select a different installation directory, and then click Next.
8. On the Management Group Configuration page, type the target management group name in the Management Group Name field, type the target management server name in the Management Server field, check that the Management Server Port field is 5723, and then click Next.
9. On the Gateway Action Account page, select the Local System account option, unless you have specifically created a domain-based or local computer-based gateway Action account. Click Next.
10. On the Microsoft Update page, optionally indicate whether you want to use Microsoft Update, and then click Next.
11. On the Ready to Install page, click Install.
12. On the Completing page, click Finish.

Step 4. On the Gateway Server – Let's install the Root CA certificate
This step only needs to be executed the first time; if you have already done this in the past, skip this step.
1. From the untrusted agent, start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
3. Click Download CA certificate, certificate chain, or CRL.
4. Click Download CA certificate chain and save it on the machine.
5. Once the certificate chain is downloaded, open an MMC and add the Certificates snap-in for the Local Computer account.
6. Go to Trusted Root Certification Authorities, right-click, All Tasks, Import, and import the Root CA.

Step 5. On the Gateway Server – Install the client certificates
1. From the untrusted agent, start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
3. Click Request a certificate, choose Advanced certificate request, then click Create and submit a request to this CA.
4. Choose the OpsMgr certificate template; in the Name field enter the FQDN of the machine and fill in the same name as the friendly name.
5. Click Finish and install the certificate.

The certificate is now stored in the personal certificate store of the user. The OpsMgr certificate needs to be in the Computer store, so we have to do the following steps:

6. Click Start, click Run, and type MMC.
7. On the File menu, click Add/Remove Snap-in, click Add, click Certificates, then click Add. Select the Personal store for both the user and the Computer account, and then click Finish.
8. Export the certificate (including the private key) from the user's personal store and import it into the Local Computer Personal store (do NOT drag and drop).
9. Remove the certificate from the user's personal store.
10. Make sure that both the agent-managed machine and the SCOM server are reachable by hostname (just ping). If this does not work, add the machines to DNS or to the hosts file (C:\Windows\System32\Drivers\ETC\Host).
11. From the host that you are going to monitor, make sure ports 5723 and 5724 are open to the SCOM management server.

Import the Certificate on the SCOM Management servers
12. Go to the copied support tools directory and run MOMCertImport.exe.
13. Select the imported certificate and click OK.
14. Make sure the import was successful.
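The checks in Steps 4 and 5 (root CA in the computer store, OpsMgr certificate in the Local Computer Personal store with a private key and no leftover copy in the user store, name resolution and ports 5723/5724) can be verified from an elevated PowerShell prompt on the gateway server. This is an added example, not code from the original post or from Microsoft; the management server FQDN, the CA subject and the Server/Client Authentication EKU requirement are assumptions you should adjust to your environment.

```powershell
# Added example: verify gateway-side certificate and connectivity prerequisites.
# Assumed values: replace with your management server FQDN and your CA's subject name.
param(
    [string]$ManagementServer = "demo-scom01.demo.local",
    [string]$RootCaSubject    = "CN=demo-CA"
)

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ok   = $true

# Step 4: the root CA must sit in the Local Computer Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$RootCaSubject*" }
if (-not $root) { Write-Warning "Root CA '$RootCaSubject' not found in LocalMachine\Root"; $ok = $false }

# Step 5 items 6-9: certificate with CN = FQDN in LocalMachine\My, private key present, not expired,
# carrying both Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$fqdn" } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with subject CN=$fqdn in LocalMachine\My"; $ok = $false
} else {
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    foreach ($oid in "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2") {
        if ($ekus -notcontains $oid) { Write-Warning "Certificate lacks EKU $oid"; $ok = $false }
    }
    if (-not $cert.HasPrivateKey)        { Write-Warning "Certificate has no private key (export it with the key)"; $ok = $false }
    if ($cert.NotAfter -lt (Get-Date))   { Write-Warning "Certificate expired on $($cert.NotAfter)"; $ok = $false }
}
# A copy left in the user store is harmless to the Health Service but should be removed (Step 5 item 9).
if (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$fqdn" }) {
    Write-Warning "A copy of the certificate still exists in CurrentUser\My"
}

# Step 5 items 10-11: the management server must resolve and accept TCP 5723 and 5724.
try   { $null = [System.Net.Dns]::GetHostAddresses($ManagementServer) }
catch { Write-Warning "Cannot resolve $ManagementServer; add a DNS or hosts entry"; $ok = $false }
foreach ($port in 5723, 5724) {
    $tcp = Test-NetConnection -ComputerName $ManagementServer -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP $port to $ManagementServer is not reachable"; $ok = $false }
}

if ($ok) { "Gateway prerequisites look good for $fqdn" } else { "Fix the warnings above before continuing" }
```

Test-NetConnection requires Windows Server 2012 / PowerShell 4.0 or later; on older systems substitute a System.Net.Sockets.TcpClient connect for the port checks.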

Step 6. Optional Configuring Gateway Servers for Failover Between Management Servers
Although gateway servers can communicate with any management server in the management group, this must be configured. In this scenario, the secondary management servers are identified as targets for gateway server failover.

Use the Set-SCOMParentManagementServer cmdlet in the Operations Manager Shell, as shown in the following example, to configure a gateway server to fail over to multiple management servers. The commands can be run from any Command Shell in the management group.

To configure gateway server failover between management servers
1. Log on to the management server with an account that is a member of the Administrators role for the management group.
2. On the Windows desktop, click Start, point to Programs, point to System Center Operations Manager, and then click Command Shell.
3. In Command Shell, follow the example that is described in the next section.

The following example can be used to configure gateway server failover to multiple management servers.

# Look up the gateway server object by its FQDN
$GatewayServer = Get-SCOMGatewayManagementServer -Name "ComputerName.Contoso.com"
# One or more management servers that the gateway may fail over to
$FailoverServer = Get-SCOMManagementServer -Name "ManagementServer.Contoso.com","ManagementServer2.Contoso.com"
# Assign the failover list to the gateway (the primary management server stays as configured during setup)
Set-SCOMParentManagementServer -GatewayServer $GatewayServer -FailoverServer $FailoverServer

That's it; you can now roll out agents through the gateway server.