17th October – Microsoft released Windows Server 2012 R2 & System Center 2012 R2

Today Microsoft released the R2 wave of the System Center suite.
The software is ready for download from the official Microsoft sites such as TechNet and MSDN.

System Center R2 Released


The following links take you to the What’s New topics for System Center 2012 R2.

System Center 2012 R2 App Controller
System Center 2012 R2 Configuration Manager
System Center 2012 R2 Data Protection Manager
System Center 2012 R2 Operations Manager
System Center 2012 R2 Orchestrator
System Center 2012 R2 Service Manager
System Center 2012 R2 Virtual Machine Manager

Furthermore Windows 8.1 and Windows Server 2012 R2 are also released today and ready for download.

System Center 2012 R2 Release Date (SCOM, SCCM)

In 2012 Microsoft announced that it would release new versions of its major products at least once per year.
Because of its cloud-based services it now develops much faster than in the past.

Microsoft already had evaluation versions of System Center R2 available to eligible customers.
The official release is available through the TechNet Evaluation Center. System Center 2012 R2 is available from TechNet, and for new purchases from November 1st, 2013.

There’s even more good news:
Microsoft announced that Windows 8.1 will be available to consumers and businesses worldwide on October 18, 2013.

 

Step-by-step configuring the Native Exchange 2007 MP for Operations Manager

Just an old one, but still good for a blog: Exchange 2007 monitoring.

- To enable agent proxy on managed Exchange 2007 servers. Note: first roll out the OpsMgr agent to all Exchange servers and make sure they work properly before following the next steps.

  1. Click the Administration button in the Operations console, and then in the navigation pane, click Agent Managed.
  2. In the Agent Managed pane, right-click an Exchange server, click Properties, click the Security tab, and ensure that the Allow this agent to act as a proxy and discover managed objects on other computers check box is selected.
  3. Repeat the process for every managed Exchange 2007 server in the list.

  

- Create a new management pack for customizations. The overrides and customizations for management packs like Exchange 2007 are usually saved in the Default Management Pack. Best practice is to create a separate management pack for the Exchange overrides.

  1. Click the Administration button in the Operations console, right-click Management Packs and then click Create Management Pack. The Create a Management Pack wizard is displayed.
  2. Type a name for the management pack in Name, the correct version number in Version, and a short description in Description.
  3. Click Next and then Create.

 

- Import the Exchange 2007 management packs. The next step is to import the Exchange 2007 management packs.

  1. In the Operations Console, click the Administration button.
  2. Right-click the Management Packs node and then click Import Management Pack(s).
  3. Click Add and choose Add from catalog.
  4. Search for Exchange and expand Microsoft Corporation, Exchange Server, Exchange Server 2007.
  5. Import all Exchange 2007 management packs.
  6. After the import process is complete, and the dialog box displays an icon next to each Management Pack indicating success or failure of the importation, click the Close button.

- Enable Exchange 2007 Server Role Discovery. After importing the Exchange 2007 MP, it will not start discovering Exchange machines immediately. This behavior is by design so that you can first test the management pack on a limited set of servers. To verify that the Discovery Helper has discovered your Exchange 2007 servers:

  1. Ensure that you have not scoped your views.
  2. Go to the Discovered Inventory view in the Monitoring section of the Operations console.
  3. Right-click and choose Select Target Type.
  4. In the Look for field, type Exchange 2007 Discovery Helper, select it, and then click OK. A list of Exchange 2007 servers appears with a status of “Not Monitored.”

To enable Exchange 2007 Server Role Discovery

  1. Go to the Object Discoveries node located under Authoring in the Operations console.
  2. In the Look for field, type Exchange 2007 Server Role and press Enter. A list of Exchange 2007 server role discoveries appears. You need to enable the following server role discoveries to monitor the respective server role. Notice the Enabled by default column: most of the role discoveries are disabled.
     - Exchange 2007 CCR Clustered Mailbox Server Role Discovery: discovers CCR and SCC clustered Mailbox servers
     - Exchange 2007 CCR Node Role Discovery: discovers CCR node servers in a CCR cluster (the physical nodes)
     - Exchange 2007 Standalone CCR Node Discovery: discovers stand-alone CCR node roles (nodes that are participating in log shipping but are not part of an active Mailbox server) and stand-alone mailbox roles
     - Exchange 2007 CAS Role Discovery: discovers Client Access server roles
     - Exchange 2007 Hub Transport Role Discovery: discovers Hub Transport server roles
     - Exchange 2007 Edge Role Discovery: discovers Edge Transport server roles
     - Exchange 2007 UM Role Discovery: discovers Unified Messaging (UM) roles
  3. Note: to discover standalone Exchange Mailbox servers you have to enable Exchange 2007 Standalone CCR Node Discovery; to discover active/passive cluster Mailbox servers you have to enable Exchange 2007 CCR Clustered Mailbox Server Role Discovery. The process for enabling every role is identical. For example, to enable discovery of all Hub Transport servers, right-click the Exchange 2007 Hub Transport Role Discovery and select Overrides\Enable the Object Discovery\For all objects of type: Exchange 2007 Discovery Helper.
  4. In the Override Properties dialog box, set the Enabled parameter to True, choose a destination management pack and click OK.

  

- Disk monitoring. Because the Windows Server Operating System MP is also imported, disk usage is monitored by both MPs, causing duplicate disk space alerts.

To disable disk monitoring for Exchange servers from the Windows Server Operating System Management Pack:

  1. In the Authoring section of the Operations console, go to the Monitors node.
  2. Click Change Scope. The Scope Management Pack Objects by target(s) dialog box appears.
  3. In the Monitors pane, in the Look for field, type Logical Disk, and then click Find Now. Select logical disk classes from all operating system versions where you are running Exchange 2007 servers (for example, Windows Server 2003 Logical Disk and Windows Server 2008 Logical Disk). Click OK.
  4. Expand Windows Server 2003 Logical Disk, expand Entity Health, and then expand Availability to see the Logical Disk Availability and Logical Disk Free Space monitors.
  5. Right-click the Logical Disk Free Space monitor, click Overrides, click Override the Monitor, and then click For a group.
  6. Select the Exchange 2007 Computer Group, and click OK.
  7. In the Override Properties dialog box, set the Enabled parameter to False, and then choose a destination management pack. Note: save the changes in the newly created Exchange management pack.
  8. Perform the same procedure for the enabled monitors under Performance (Average Disk Seconds Per Read, Average Disk Seconds Per Transfer, Average Disk Seconds Per Write).
  9. Repeat the same procedure for the Logical Disk Availability Monitor as well as logical disk monitors belonging to other operating system versions.

-Configuring Exchange 2007 Disk Monitoring

  1. In the Operations console, click Authoring and then click Monitors.
  2. Click the Scope button, and ensure that View all targets is selected. In the Look for field, type Disk. Select Exchange 2007 Mailbox Database Disk, Exchange 2007 Mailbox Log Disk, and Exchange 2007 Queue Disk, and then click OK.
  3. For Exchange 2007 Mailbox Database Disk, expand Availability, right-click the Exchange 2007 MDB Disk Free Space Monitor, click Overrides, click Override the Monitor, and then click For all objects of type: Exchange 2007 Mailbox Database Disk.
  4. Examine the monitor parameters. This monitor works in the same way as Windows Server operating system disk monitoring, except that it handles only Exchange 2007 disks. Note that you can set a megabyte warning or error threshold, as well as a percentage free space threshold. By applying overrides to this monitor, you can do it once for all Exchange 2007 disks with mailbox databases on them. Important: this monitor raises an alert only if both the megabyte and percentage thresholds are exceeded. Note: save the changes in the newly created Exchange management pack.
  5. Perform the same steps for the disk monitors for the Exchange 2007 Mailbox Log Disk and Exchange 2007 Queue Disk classes.

- Configuring IIS monitoring. The Exchange Server 2007 Management Pack contains service monitors for the WWW and IIS Admin services on Client Access servers. If you are already monitoring IIS with the IIS Management Pack, you can disable these monitors in the Exchange Server 2007 Management Pack. To disable the WWW and IIS Admin Service monitors:

  1. Go to the monitors node in the Authoring section of the Operations console.
  2. Set your scope to Exchange 2007 Client Access Role.
  3. Expand Entity Health\Availability for the Exchange 2007 Client Access Role.
  4. Disable the Exchange 2007 IIS Admin Service Monitor on the Client Access server and the Exchange 2007 WWW Publishing Service Monitor for all instances of objects of type Exchange 2007 Client Access Role.

- Configure synthetic transactions. The Exchange Server 2007 Management Pack supports local mail flow synthetic transactions on Mailbox servers, in which the server sends mail to itself. By default, this occurs every 15 minutes; you can override the interval.

Mail flow synthetic transactions on Mailbox servers. It is possible to configure the following:
- Local mail flow (a server sends mail to itself)
- Intra-site mail flow (a server sends mail within a site)
- Inter-site mail flow (a server sends mail between sites)
- Inter-organization mail flow (a server sends mail to another organization/mailbox, which can also be used to send mail via the Internet as long as the recipient is able to generate a delivery receipt)

Client Access server synthetic transactions. The Microsoft Exchange Server 2007 Management Pack supports a number of synthetic transactions that run on Client Access servers and perform transactions against the Client Access server itself and also against the back-end Mailbox servers within the same site as the Client Access server. Examples of these transactions are checks of Exchange ActiveSync, Outlook Web Access, and Web Services connectivity. The transactions are implemented using Windows PowerShell cmdlets built into the Exchange 2007 product. Documentation for the Client Access server synthetic transactions supported by the management pack can be found here:
- Test-OwaConnectivity (http://go.microsoft.com/fwlink/?LinkId=137732)
- Test-ActiveSyncConnectivity (http://go.microsoft.com/fwlink/?LinkId=137733)
- Test-WebServicesConnectivity (http://go.microsoft.com/fwlink/?LinkId=137734)
- Test-PopConnectivity (http://go.microsoft.com/fwlink/?LinkId=137735)
- Test-ImapConnectivity (http://go.microsoft.com/fwlink/?LinkId=137736)

- Configure Client Access server monitoring.

  1. Click the Authoring button in the Operations console, right-click, start the Add Monitoring Wizard and choose Exchange 2007 Client Access Server Monitoring.
  2. Give the rule a name like "Client Access Server Monitoring for source server webmail01" and choose the custom ExchangeMP.
  3. Select the source server.
  4. Select the tests; we've checked them all.
  5. Select the target servers; we've checked them all.
  6. Do this for every CAS server.

- Exchange 2007 Intra-Organisation Mail Flow Monitoring. Configure the mail flow synthetic transactions:

  1. Click the Authoring button in the Operations console, right-click, start the Add Monitoring Wizard and choose Exchange 2007 Intra-Organisation Mail Flow Monitoring. Give the rule a name like "Exchange 2007 Intra-Organisation Mail Flow Monitoring ExchMB01" and choose the custom ExchangeMP.
  2. Select the source server.
  3. Select the frequency.
  4. Select the target servers; we've checked them all.
  5. Do this for every Mailbox server.

 

-Configuring Exchange Servers to Support Client Access Synthetic Transactions To use the Client Access server synthetic transaction, you must first configure each agent-managed Mailbox server that you want to use as a target server for the Client Access server synthetic transactions. The Test-OwaConnectivity cmdlet requires a test mailbox.

To create the test mailbox, log on to each agent-managed Exchange Server 2007 Mailbox server with a user account that is both an Exchange administrator and an Active Directory administrator with permissions to create users.

  1. Open the Exchange Management Shell, locate the Scripts directory under the installation path for Exchange Server 2007 (usually \Program Files\Microsoft\Exchange Server\Scripts), and execute the script New-TestCasConnectivityUser.ps1.
  2. Repeat this process on each agent-managed Exchange Server 2007 Mailbox server that is to be tested. Note that if you have several organizational units named “Users” in your directory, you will need to specify the organizational unit in which to store the user.

- Possible issues

Time: the management pack needs time to discover the Exchange organization. If you are not sure, configure the MP and let it rest for a while.

Exchange 2007 Test Active Sync Connectivity alert: check from the source servers whether items like ActiveSync are reachable; browse to the virtual directory https://webmail001.site.nl/Microsoft-Server-ActiveSync. It can be an access issue.

 

System Center 2012 SP1 – SCOM 2012 – Evaluation (VHD)

Microsoft launched the public VHDs for System Center 2012 SP1.
The VHDs enable System Center customers to evaluate System Center 2012 and Windows Server 2012 together.
The download consists of files that you extract into a single pre-configured VHD file for this System Center component.

No MSDN or TechNet subscription is required for this download.

System Center 2012 Service Pack 1 components that ship Evaluation VHDs can be found at the following locations:

System Center 2012 SP1 Released

System Center 2012 Service Pack 1 has reached its “release-to-manufacturing” (RTM) milestone, Microsoft announced recently.

RTM typically refers to a feature-complete product, although the final "general availability" release of System Center 2012 SP1 is scheduled for early January.
The "release candidate" version of the product had been issued previously, but was only available to Microsoft's Technology Adoption Program testers. The last public release announcement seems to have been a beta delivered in September.

The software is now available on the MSDN site for partners and customers with SA.
It’s available on http://msdn.microsoft.com/en-us/subscriptions/downloads/.

A list of what's new in SP1 for System Center 2012:
1. New monitoring capabilities under the APM functionality:
   o Monitoring of Windows services built on the .NET Framework.
   o Automatic discovery of ASP.NET MVC3 and MVC4 applications.
   o New transaction types: MVC pages and WCF methods.
2. APM of SharePoint 2010 enabled.
3. Integration with Team Foundation Server 2010 and Team Foundation Server 2012.
4. A new monitoring capability allows APM exception events to be opened from the Visual Studio IDE as if the exception was captured during an IntelliTrace historical debugging session. Developers can stay within their familiar environment to examine the complete exception call stack.
5. New management packs and support for Windows Server 2012 and IIS 8.
6. The System Center 2012 Service Pack 1 (SP1) Beta version of Operations Manager can show you different perspectives of application health in one place: the 360 .NET Application Monitoring Dashboards. These dashboards display information from Global Service Monitor, .NET Application Performance Monitoring, and Web Application Availability Monitoring to provide a summary of health and key metrics for 3-tier applications in a single view.
7. ACS support is added for Dynamic Access Control, a new feature in Windows Server 2012 that lets business data owners easily classify and label data, allowing access policies to be defined for data classes that are critical to the business.
8. Support is added for CentOS, Debian, and Ubuntu Linux.

The arrival of SP1 for System Center 2012 is a big deal because it will add management support for Windows Server 2012 and Windows 8 and SQL 2012.

Without this service pack, there’s no management support for those operating systems in System Center 2012.

Nice!

Antivirus exclusions for Operations Manager 2012; Management, Gateway and SQL servers

SCOM 2012 Antivirus exclusions; Management, Gateway and SQL servers

For information on exclusions on the SCOM 2012 and 2007 agents click here.

This question comes up all of the time in new environments; so I decided to make a blog about exclusions to let the SCOM 2012 and the SQL 2008 R2 servers run efficiently.

Note: replace %programfiles% with the physical location, like C:\Program Files\System Center Operations…; do this for all entries below. Also make sure the path you use is correct!

Excluded processes (Forefront: Excluded processes; McAfee: On Access Low risk processes)
SCOM 2012
- %programfiles%\System Center Operations Manager\Agent\HealthService.exe
- %programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe
- %programfiles%\Microsoft\Exchange Server\v14\Bin\Microsoft.Exchange.Monitoring.CorrelationEngine.exe
- %programfiles%\System Center 2012\Operations Manager\Console\Microsoft.EnterpriseManagement.Monitoring.Console.exe
- C:\Windows\system32\AdtAgent.exe
- %programfiles%\System Center 2012\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe
- %programfiles%\System Center 2012\Operations Manager\Server\APMDOTNETAgent\InterceptSvc.exe
- %programfiles%\System Center 2012\Operations Manager\Server\cshost.exe

SQL 2008 R2
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
- %ProgramFiles%\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
- %ProgramFiles%\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe

Excluded directories (Forefront: Excluded files and locations; McAfee: Exclusions)
SCOM 2012
- %programfiles%\System Center Operations Manager\Agent\Health Service State\*

SQL 2008 R2
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\DATA\*
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\BACKUP\*
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\FTDATA\*

Excluded file types (Forefront: Excluded File Types; McAfee: Exclusions)
SCOM 2012
- .EDB
- .CHK
- .LOG

SQL 2008 R2 server data and backup files
- .mdf
- .ldf
- .ndf
- .bak
- .trn

Antivirus exclusions for Operations Manager / SCOM 2012 and 2007 Agents

SCOM 2012 and 2007 Antivirus exclusions; Agents

For information on exclusions on the SCOM 2012 management, gateway and SQL servers click here.

This question comes up all of the time in new environments; so I decided to make a blog about exclusions to let the SCOM 2012 agents run efficiently.

Note: replace %programfiles% with the physical location, like C:\Program Files\System Center Operations…; do this for all entries below. Also make sure the path you use is correct!

SCOM 2012 Agent Exclusions:

- SCOM 2012 Agent: excluded processes (Forefront: Excluded processes; McAfee: On Access Low risk processes)
  - %programfiles%\System Center Operations Manager\Agent\HealthService.exe
  - %programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe

- SCOM 2012 Agent: excluded directories (Forefront: Excluded files and locations; McAfee: Exclusions)
  - %programfiles%\System Center Operations Manager\Agent\Health Service State\*

- SCOM 2012 Agent: excluded file types (Forefront: Excluded File Types; McAfee: Exclusions)
  - .EDB
  - .CHK
  - .LOG
____________________________

SCOM 2007 R2 Agent Exclusions:

- SCOM 2007 R2 Agent: excluded processes (Forefront: Excluded processes; McAfee: On Access Low risk processes)
  - %programfiles%\System Center Operations Manager 2007\HealthService.exe
  - %programfiles%\System Center Operations Manager 2007\MonitoringHost.exe

- SCOM 2007 R2 Agent: excluded directories (Forefront: Excluded files and locations; McAfee: Exclusions)
  - %programfiles%\System Center Operations Manager 2007\Health Service State\*

- SCOM 2007 R2 Agent: excluded file types (Forefront: Excluded File Types; McAfee: Exclusions)
  - .EDB
  - .CHK
  - .LOG
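The two exclusion lists above (management/gateway/SQL servers and agents) both depend on the %programfiles% substitution and on the SQL instance ID being right. This added script (not from the original post) resolves every entry on the host it runs on, reads the real SQL Server instance directories from the registry instead of assuming MSSQL10_50.MSSQLSERVER, and reports which paths actually exist, so only correct paths go into the Forefront or McAfee dialogs. It assumes PowerShell 3.0 or later and the standard SQL Server registry layout (Instance Names\SQL plus the per-instance Setup and MSSQLServer keys); anything it cannot find is reported, not guessed.

```powershell
# Added example, not from the original post: validate the SCOM/SQL antivirus exclusion paths on this host.
$scomProcesses = @(
    '%programfiles%\System Center Operations Manager\Agent\HealthService.exe',
    '%programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe',
    '%programfiles%\Microsoft\Exchange Server\v14\Bin\Microsoft.Exchange.Monitoring.CorrelationEngine.exe',
    '%programfiles%\System Center 2012\Operations Manager\Console\Microsoft.EnterpriseManagement.Monitoring.Console.exe',
    'C:\Windows\system32\AdtAgent.exe',
    '%programfiles%\System Center 2012\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe',
    '%programfiles%\System Center 2012\Operations Manager\Server\APMDOTNETAgent\InterceptSvc.exe',
    '%programfiles%\System Center 2012\Operations Manager\Server\cshost.exe'
)
$scomDirectories = @('%programfiles%\System Center Operations Manager\Agent\Health Service State\*')
$fileTypes       = @('.EDB', '.CHK', '.LOG', '.mdf', '.ldf', '.ndf', '.bak', '.trn')

function Get-SqlInstanceExclusions {
    # Instance Names\SQL maps instance name -> instance ID, e.g. MSSQLSERVER -> MSSQL10_50.MSSQLSERVER
    # (assumed registry layout; present on standard SQL 2008 R2 installs).
    $names = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL' -ErrorAction SilentlyContinue
    if (-not $names) { Write-Warning 'No SQL Server database engine instance found in the registry'; return @() }
    $found = @()
    foreach ($prop in $names.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are added by the registry provider
        $base  = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($prop.Value)"
        $setup = Get-ItemProperty "$base\Setup"       -ErrorAction SilentlyContinue
        $eng   = Get-ItemProperty "$base\MSSQLServer" -ErrorAction SilentlyContinue
        if ($setup.SQLBinRoot)  { $found += @{ Kind = 'Process';   Path = (Join-Path $setup.SQLBinRoot 'sqlservr.exe') } }
        if ($setup.SQLDataRoot) {
            $found += @{ Kind = 'Directory'; Path = (Join-Path $setup.SQLDataRoot 'DATA\*') }
            $found += @{ Kind = 'Directory'; Path = (Join-Path $setup.SQLDataRoot 'FTData\*') }
        }
        if ($eng.BackupDirectory) { $found += @{ Kind = 'Directory'; Path = (Join-Path $eng.BackupDirectory '*') } }
    }
    return $found
}

function Resolve-Exclusion {
    param([string]$Kind, [string]$Entry)
    # ExpandEnvironmentVariables is case-insensitive, so %programfiles% and %ProgramFiles% both expand.
    # A trailing '\*' is the AV wildcard for "everything below"; it is not part of the path on disk.
    $resolved = [Environment]::ExpandEnvironmentVariables($Entry)
    $probe    = $resolved -replace '\\\*$', ''
    [pscustomobject]@{ Kind = $Kind; Entry = $Entry; Resolved = $resolved; Exists = (Test-Path -LiteralPath $probe) }
}

function Get-ScomAvExclusions {
    $rows = @()
    foreach ($p in $scomProcesses)            { $rows += Resolve-Exclusion 'Process'   $p }
    foreach ($d in $scomDirectories)          { $rows += Resolve-Exclusion 'Directory' $d }
    foreach ($s in Get-SqlInstanceExclusions) { $rows += Resolve-Exclusion $s.Kind $s.Path }
    foreach ($e in $fileTypes)                { $rows += [pscustomobject]@{ Kind = 'FileType'; Entry = $e; Resolved = $e; Exists = 'n/a' } }
    return $rows
}

$report = Get-ScomAvExclusions
$report | Format-Table Kind, Resolved, Exists -AutoSize
# A path that does not exist here belongs to another role (agent vs. management server), another SQL
# instance ID or another install location: correct it before entering it; never exclude a guessed path.
$report | Where-Object { $_.Exists -eq $false } | ForEach-Object { Write-Warning "Not found: $($_.Resolved)" }
```

Run it once per role (management server, gateway, SQL server, agent) and transfer only the rows that exist, as exact paths rather than whole directories, into the vendor console.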

Troubleshooting performance SCOM 2012 and SCOM 2007 agent with McAfee Antivirus

I got quite a number of questions on the performance of the SCOM and related processes (HealthService.exe, MonitoringHost.exe and cscript). High CPU load on the SCOM process is mostly related to antivirus software.

In most cases the culprit ends up being the incorrect setup of the antivirus software; especially McAfee is very tricky when it's not configured well and the exclusions are not in the right place.
See my blog post on antivirus exclusions for SCOM 2012 management, gateway and SQL servers or SCOM 2012 and 2007 agents.

Here is how to troubleshoot antivirus in combination with the SCOM agent. In this case it is McAfee in combination with SCOM. To troubleshoot I used Procmon from Sysinternals.
In a later post I will make a list of recommended exclusions.
Lots of servers had a high CPU load, especially on the SCOM processes: healthservice.exe, cscript and more.

Troubleshooting the process with Sysinternals Process Monitor
1. Let's start by downloading Process Monitor from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2. Stop the monitoring, go to Filter, Enable Advanced Output

3. Go to Filter, Process Name, is, Mcshield.exe and click Add, OK

4. Click on the magnifying glass to start the capture
OK, we see that the McShield.exe process is scanning the OpsMgr data. This is not good.
After checking we noticed that the antivirus exclusions weren't configured properly.

We've changed the exclusions to the best practice settings.
See my post for the working best practice antivirus exclusions in combination with SCOM 2012 and 2007.

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server


The following post is based on how to monitor SCOM clients which are not members of the Kerberos domain. Monitoring these "non-domain member" servers requires some steps. This is the first of my series about monitoring.

Use the procedures in this topic to obtain a certificate from a stand-alone Windows Server 2008–based computer hosting Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM

Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

The high-level process to set up a gateway server is as follows:
1. Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management servers
2. Register the gateway with the management group
3. Install the gateway server
4. On the gateway server: install the Root CA certificate
5. On the gateway server: install the client certificates
6. Optional: configure gateway servers for failover between management servers

Step 1. To copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to SCOM management servers
1. From a target management server, open the Operations Manager installation media \SupportTools directory.
2. Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager installation directory.

Step 2. Registering the Gateway with the Management Group on the SCOM management servers
This procedure registers the gateway server with the management group, and when this is completed, the gateway server appears in the Discovered Inventory view of the management group.

To run the gateway Approval tool
-1. On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
-2. Open a command prompt, and navigate to the Operations Manager installation directory or to the directory that you copied the Microsoft.EnterpriseManagement.gatewayApprovalTool.exe to.
-3. At the command prompt, run
Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
-4. If the approval is successful, you will see The approval of server <GatewayFQDN> completed successfully.
-5. If you need to remove the gateway server from the management group, run the same command, but substitute the /Action=Delete flag for the /Action=Create flag.
-6. Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present.

Step 3. Installing Gateway Server
This procedure installs the gateway server. The server that is to be the gateway server should be a member of the same domain as the agent-managed computers that will be reporting to it.
Note: An installation will fail when starting Windows Installer (for example, installing a gateway server by double-clicking MOMGateway.msi) if the local security policy User Account Control: Run all administrators in Admin Approval Mode is enabled.

To run Operations Manager Gateway Windows Installer from a Command Prompt window
-1. On the Windows desktop, click Start, point to Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.
-2. In the Administrator: Command Prompt window, navigate to the local drive that hosts the Operations Manager installation media.
-3. Navigate to the directory where the .msi file is located, type the name of the .msi file, and then press ENTER.
-4. From the Operations Manager installation media, start Setup.exe.
-5. In the Install area, click the Gateway management server link.
-6. On the Welcome screen, click Next.
-7. On the Destination Folder page, accept the default, or click Change to select a different installation directory, and then click Next.
-8. On the Management Group Configuration page, type the target management group name in the Management Group Name field, type the target management server name in the Management Server field, check that the Management Server Port field is 5723, and then click Next.
-9. On the Gateway Action Account page, select the Local System account option, unless you have specifically created a domain-based or local computer-based gateway Action account. Click Next.
-10. On the Microsoft Update page, optionally indicate if you want to use Microsoft Update, and then click Next.
-11. On the Ready to Install page, click Install.
-12. On the Completing page, click Finish.

 

Step 4. On the Gateway Server: install the Root CA certificate
This step only has to be executed the first time; if you have run it in the past, skip it.
1. From the untrusted agent start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).

3. Click on Download CA certificate, certificate chain, or CRL.
4. Click Download CA certificate chain and save it on the machine.
5. Once the certificate is downloaded, open an MMC, connect to Local Computer and load the Certificates snap-in (Local Computer).
6. Go to Trusted Root Certification Authorities, right-click, All Tasks, Import and import the Root CA.

 

Step 5. On the Gateway Server: install the client certificates
1. From the untrusted agent start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).

3. Click on Request a certificate, choose Advanced certificate request, then click Create and submit a request to this CA.
4. Choose the OpsMgr certificate template; in the Name field enter the FQDN of the machine and fill in the same name as the friendly name.
5. Click Finish and install the certificate.

Once issued, the certificate is stored in the Personal certificate store of the current user. The OpsMgr certificate needs to be in the Computer store, so do the following:

6. Click Start, click Run, type MMC.
7. On the File menu, click Add/Remove Snap-in, click Add, click Certificates, and then click Add; select Personal Store and Computer account, and then click Finish.
8. Export the certificate from the user's Personal store and import it into the Local Computer store (no drag and drop).
9. Remove the certificate from the user store.
10. Make sure that both the agent-managed machine and the SCOM server are reachable by hostname (just ping). If it's not working, add the machines in DNS or in the hosts file (C:\Windows\System32\Drivers\etc\hosts).
11. From the host which you are going to monitor, make sure ports 5723 and 5724 are open to the SCOM management server.

Import the Certificate on the SCOM Management servers
-12. Go to the copied support tools directory and run MOMCertimport.exe
-13. Select the imported certificate and click OK
-14. Make sure the import was successful
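Before running MOMCertimport.exe, this added preflight script (not from the original post) checks what steps 4 to 11 above leave behind on the gateway or untrusted agent: TCP 5723 and 5724 to the management server, a certificate in the computer store whose subject is the machine FQDN, no leftover copy in the user store, a private key, the Server and Client Authentication EKUs that Operations Manager requires, and a chain that builds to the imported Root CA. The management server FQDN is a placeholder parameter, and it assumes the certificate was requested with the machine FQDN as its name, as in step 4.

```powershell
# Added preflight check, not from the original post. Run on the gateway/untrusted agent before MOMCertImport.exe.
param(
    [Parameter(Mandatory = $true)][string]$ManagementServer,                       # placeholder, e.g. ms01.contoso.local
    [string]$LocalFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # must match the certificate name
)

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on Windows 2008 R2 where Test-NetConnection is not available.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-OpsMgrCertificate {
    param([string]$Fqdn)
    $subjectPattern = '^CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    $issues = @()
    # Step 9: nothing may be left in the current user's store.
    if (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match $subjectPattern }) {
        $issues += 'certificate still present in the current user store'
    }
    # Step 8: the certificate must be in the computer store; take the newest if several exist.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $subjectPattern } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return ,@("no certificate with CN=$Fqdn in the computer store") }
    if (-not $cert.HasPrivateKey)       { $issues += 'private key missing (lost during export/import)' }
    if ($cert.NotAfter -lt (Get-Date))  { $issues += 'certificate expired' }
    # Operations Manager requires both Server Authentication and Client Authentication EKUs.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($ekus -notcontains $need) { $issues += "EKU $need missing" }
    }
    # Step 4 of the Root CA procedure: the chain must build to a trusted root on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $issues += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    return ,$issues
}

$problems = @()
foreach ($port in 5723, 5724) {   # step 11 above
    if (-not (Test-TcpPort $ManagementServer $port)) { $problems += "TCP $port to $ManagementServer not reachable" }
}
$problems += Test-OpsMgrCertificate $LocalFqdn
if ($problems.Count -eq 0) { Write-Output "Preflight OK for $LocalFqdn; run MOMCertImport.exe next." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The revocation check is skipped deliberately (NoCheck): CRL reachability from an untrusted network is a separate problem from the certificate itself being right, and it would mask the chain result.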

Step 6. Optional Configuring Gateway Servers for Failover Between Management Servers
Although gateway servers can communicate with any management server in the management group, this must be configured. In this scenario, the secondary management servers are identified as targets for gateway server failover.

Use the Set-ManagementServer-gatewayManagementServer command in Operations Manager Shell, as shown in the following example, to configure a gateway server to failover to multiple management servers. The commands can be run from any Command Shell in the management group.

To configure gateway server failover between management servers
1. Log on to the management server with an account that is a member of the Administrators role for the management group.
2. On the Windows desktop, click Start, point to Programs, point to System Center Operations Manager, and then click Command Shell.
3. In Command Shell, follow the example that is described in the next section.

The following example can be used to configure gateway server failover to multiple management servers.

$GatewayServer = Get-SCOMGatewayManagementServer -Name "ComputerName.Contoso.com"
$FailoverServer = Get-SCOMManagementServer -Name "ManagementServer.Contoso.com","ManagementServer2.Contoso.com"
Set-SCOMParentManagementServer -GatewayServer $GatewayServer -FailoverServer $FailoverServer

That's it; you can now roll out agents through the gateway server.

Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server


The following posts are based on how to monitor SCOM clients which are not members of the Kerberos domain. Monitoring these "non-domain member" servers requires some steps. This is the third of my series about monitoring.
The description is provided 'from the ground up'.

This section explains how to install SCOM certificates, configure SCOM and monitor an untrusted agent.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

Steps to complete this operation:
1. Open TCP port 5723 from the target server to the management server.
2. Install the Root CA certificate.
3. Install the client certificate.
4. Manually install the agent and run MOMCertImport on the servers to be monitored.
5. Import the certificate on the management servers.
6. Approve the agents in the SCOM console.

– Roll out an agent to an untrusted server, without a gateway server.
This scenario describes how to install an agent on a Windows 2008 R2 x64 server that lives in an untrusted domain.

Step 1. Open TCP port 5723 from the target server to the management server
1. Open port 5723 from the client machine to the management server.
2. Go to the untrusted machine and open a command prompt.
3. In the command prompt type telnet x.x.x.x 5723 (where x.x.x.x is the IP address of the management server).
If the connection succeeds, continue to the next step; if not, make sure the firewall allows port 5723 through to the SCOM server.

Step 2. On the unmanaged server – install the Root CA certificate
This step only has to be executed the first time; if you have already run it in the past, skip it.
1. From the untrusted agent, start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
3. Click Download CA certificate, certificate chain, or CRL.
4. Click Download CA certificate chain and save it on the machine.
5. Once the certificate is downloaded, open an MMC, load the Certificates snap-in and connect to Local Computer.
6. Go to Trusted Root Certification Authorities, right-click, All Tasks, Import, and import the Root CA.

Step 3. On the unmanaged server – install the client certificate
1. From the untrusted agent, start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
3. Click Request a certificate, choose Advanced certificate request, then click Create and submit a request to this CA.
4. Choose the OpsMgr certificate template; in the Name field enter the FQDN of the machine and use the same name as the friendly name.
5. Click Finish and install the certificate.

The certificate is now stored in the user's Personal certificate store. The OpsMgr certificate needs to be in the Computer store, so we have to do the following steps:

6. Click Start, click Run, type MMC.
7. On the File menu, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Personal Store and Computer account, and then click Finish.
8. Export the certificate (with its private key) from the user's Personal store and import it into the Local Computer store (NO DRAG AND DROP).
9. Remove the certificate from the user's Personal store.
10. Make sure that both the agent-managed machine and the SCOM server are reachable by hostname (just ping). If that does not work, add the machines to DNS or to the hosts file (C:\Windows\System32\Drivers\ETC\hosts).
11. From the host you are going to monitor, make sure port 5723 is open to the SCOM management server.

Step 4. Let's install the Root CA and client certificate
– This step has to be executed on every non-domain monitored server.
– NOTE: Also run this step (Step 4) once on every SCOM management server, because the management servers need a client certificate as well.

The Root CA part (items 1 to 6) only has to be executed the first time; if you have already run it in the past, skip to item 7.
1. From the untrusted agent, start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
3. Click Download CA certificate, certificate chain, or CRL.
4. Click Download CA certificate chain and save it on the machine.
5. Once the certificate is downloaded, open an MMC, load the Certificates snap-in and connect to Local Computer.
6. Go to Trusted Root Certification Authorities, right-click, All Tasks, Import, and import the Root CA.

7. From the untrusted agent, start Internet Explorer.
8. Go to the certificate server website (in our case http://demo-dc01/certsrv).
9. Click Request a certificate, choose Advanced certificate request, then click Create and submit a request to this CA.
10. Choose the OpsMgr certificate template; in the Name field enter the FQDN of the machine and use the same name as the friendly name.
11. Click Finish and install the certificate.

The certificate is now stored in the user's Personal certificate store. The OpsMgr certificate needs to be in the Computer store, so we have to do the following steps:

12. Click Start, click Run, type MMC.
13. On the File menu, click Add/Remove Snap-in, click Add, click Certificates, click Add, select Personal Store and Computer account, and then click Finish.
14. Export the certificate (with its private key) from the user's Personal store and import it into the Local Computer store (NO DRAG AND DROP).
15. Remove the certificate from the user's Personal store.
16. Make sure that both the agent-managed machine and the SCOM server are reachable by hostname (just ping). If that does not work, add the machines to DNS or to the hosts file (C:\Windows\System32\Drivers\ETC\hosts).
17. From the host you are going to monitor, make sure port 5723 is open to the SCOM management server.
18. Next, make sure new manually installed agents are not rejected: in the SCOM console go to Administration, Settings, Security.

Import the certificate on the SCOM management servers:
19. Go to the copied support tools directory and run MOMCertImport.exe.
20. Select the imported certificate and click OK.
21. Make sure the import was successful.

Step 5. On the unmanaged server – manually install the agent and run MOMCertImport on the servers to be monitored
1. From the untrusted Windows machine, go to the OpsMgr agent installation directory on the management server (by default \\DISK\Program Files\System Center 2012\Operations Manager\Server\AgentManagement\, subfolder AMD64 or i386) or, if that share is not available, copy the directory to the untrusted machine. Open MOMAgent.msi and install the agent.
2. Also copy the support tools directory from the SCOM ISO to the local machine.
3. Fill in the proper settings for the management group (we used the settings shown in the screenshot below). We prefer using the Local System account. Choose Next and Install.
4. If necessary, update the agent with the required updates.
5. Next, on the client machine open a Command Prompt (Run as Administrator).
6. Go to the copied support tools directory and run MOMCertImport.exe.
7. Select the imported certificate and click OK.
8. Make sure the import was successful.


Step 6. Approve agents in the SCOM console
Just a quick note: it can take a while before the machine shows up in the console.
1. Open the SCOM console, Administration, Pending Management.
2. Right-click the machine and click Approve.

That’s it; the server/workstation is now monitored.
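As an added example (not part of the original post), the following PowerShell script, run on the untrusted server, verifies what steps 1 to 4 above establish before you approve the agent: TCP 5723 to the management server, name resolution of both machines, and a certificate in the Local Computer Personal store that has its private key, the machine FQDN as subject, both authentication EKUs and a chain to the imported Root CA. The management server name is a placeholder; the requirement for both Server and Client Authentication EKUs is the general SCOM agent requirement and is assumed to be what the OpsMgr template from Part 2 issues.

```powershell
# Added example, not from the original post: pre-flight check for an untrusted SCOM 2012 agent.
# Assumptions: placeholder management server name; OpsMgr template issues both Server and Client Authentication EKUs.
param(
    [string]$ManagementServer = 'scom-ms01.contoso.com',   # placeholder, replace with your MS FQDN
    [int]$Port = 5723
)
$agentFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Agent FQDN: $agentFqdn"
# Step 1: is TCP 5723 open from this host to the management server? (TcpClient also works on 2008 R2)
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ManagementServer, $Port)
    Write-Host "OK   TCP $Port to $ManagementServer is open"
} catch {
    Write-Host "FAIL TCP $Port to $ManagementServer is blocked: $($_.Exception.Message)"
} finally { $tcp.Close() }
# Step 3 item 10: both machines must resolve by name (DNS or hosts file).
foreach ($name in @($ManagementServer, $agentFqdn)) {
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($name)[0].IPAddressToString
        Write-Host "OK   $name resolves to $ip"
    } catch {
        Write-Host "FAIL $name does not resolve; add it to DNS or the hosts file"
    }
}
# Steps 2-3: the client certificate must be in the Local Computer Personal store with its private key,
# carry the agent FQDN as subject, have both EKUs, and chain to the imported Root CA.
$serverAuth = '1.3.6.1.5.5.7.3.1'; $clientAuth = '1.3.6.1.5.5.7.3.2'
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$agentFqdn*" })
if ($candidates.Count -eq 0) {
    Write-Host "FAIL no certificate with subject CN=$agentFqdn in LocalMachine\My (see step 3, item 8)"
    return
}
foreach ($cert in $candidates) {
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $checks = @{
        'private key present'       = $cert.HasPrivateKey
        'Server Authentication EKU' = ($oids -contains $serverAuth)
        'Client Authentication EKU' = ($oids -contains $clientAuth)
        'not expired'               = ($cert.NotAfter -gt (Get-Date))
        'chains to a trusted root'  = $cert.Verify()   # false if the Root CA is missing or the CRL is unreachable
    }
    Write-Host "Certificate $($cert.Thumbprint):"
    foreach ($k in $checks.Keys) {
        $status = if ($checks[$k]) { 'OK  ' } else { 'FAIL' }
        Write-Host "  $status $k"
    }
}
```

Run it from an elevated PowerShell prompt on the untrusted server; a FAIL on the chain check usually means the Root CA from step 2 was imported into the user store instead of Local Computer.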

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server