Upgrading System Center Configuration Manager 2012 to Service Pack 1

After the upgrade of my test (Beta SP1) environment to SP1 went smoothly, we rolled out SCCM 2012 SP1 to one of our customers (because of an ongoing issue which should be solved in SP1).

It caused me some sweat but got it running eventually.
The scenario:
– Windows 2008 R2
– SQL 2008 R2
– SCCM 2012 CU2

Note: To install ConfigMgr 2012 SP1 with Windows Server 2012 and SQL 2012 SP1 see http://www.toolzz.com/?p=602

Here are the steps I took:
1. Install the WADK (Windows Assessment and Deployment Kit)
First of all there are some extra requirements for the upgrade. In SCCM 2012 SP1 you no longer use WAIK; we’re now on WADK.
– Go to http://go.microsoft.com/fwlink/?LinkID=252874 and download the ADK Setup.
– Run the ADKSetup.exe as an administrator

– I left the paths at their defaults and chose Next
– Choose whether you want to join CEIP and choose Next
– Accept the License Agreement and choose Accept
– Check Deployment Tools, Windows Preinstallation Environment (Windows PE) and User State Migration Tools (USMT)

– Choose Next and install the Software

2. Installing the SCCM 2012 SP1 software.
– I downloaded the SP1 software from the Microsoft TechNet site. It’s a little bit confusing, but
“System Center 2012 Configuration Manager and Endpoint Protection with SP1 x86 x64”
and “System Center 2012 Configuration Manager and Endpoint Protection x86 x64” with the date of 12 December are both valid.
– Start the Splash.hta on the disk
– Choose the Install option
– Choose “Upgrade this Configuration Manager site” and choose Next
– Just note that there are more languages available than prior to SP1. Choose Next to continue
– Review the prerequisite check. Because we implemented step 1 already we can continue by clicking Begin Install.
In my case the installation took about one hour. The SQL database which was running on a different server was automatically updated.

3. The console issue
After starting up the console I bumped into an issue which was not very clear:

After upgrading to SP1 my console disappeared from my management server.
After some troubleshooting I tried starting the console from its installation directory, but it could not connect to the server.
This was strange, but after some investigation I discovered that the console is not automatically updated with SP1, which causes this issue.
– Restarting the SP1 Splash.hta and running Install Configuration Manager console solved the issue for me!
I checked the installation and we are indeed running on SP1!
Henk Hoogendoorn posted a blog on what features are updated in the SP1 HERE.
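A version check I added for this post (my example, not the author's code): it reads the site version from the SMS Provider and compares it with the file version of the locally installed console executable, so the situation above (console left on the pre-SP1 build and unable to connect) shows up as a plain version mismatch. It assumes the console is installed on the machine you run it on (the SMS_ADMIN_UI_PATH environment variable is set) and that Microsoft.ConfigurationManagement.exe sits one folder above that bin\i386 path.

```powershell
# Added example (not code from the original post). Compares the site version reported by
# the SMS Provider with the version of the locally installed console binary.
# Assumptions: the console is installed here (SMS_ADMIN_UI_PATH is set) and
# Microsoft.ConfigurationManagement.exe sits one folder above that bin\i386 path.
$ErrorActionPreference = 'Stop'

function Get-CMSiteVersion {
    # root\sms holds one SMS_ProviderLocation instance per site the local provider serves.
    $loc = Get-WmiObject -Namespace 'root\sms' -Class SMS_ProviderLocation |
           Where-Object { $_.ProviderForLocalSite } | Select-Object -First 1
    if (-not $loc) { throw 'No local SMS Provider found; run this on the site server.' }
    $site = Get-WmiObject -Namespace "root\sms\site_$($loc.SiteCode)" -Class SMS_Site |
            Where-Object { $_.SiteCode -eq $loc.SiteCode }
    [pscustomobject]@{ SiteCode = $loc.SiteCode; Version = [version]$site.Version }
}

function Get-CMConsoleVersion {
    if (-not $env:SMS_ADMIN_UI_PATH) { throw 'SMS_ADMIN_UI_PATH is not set; is the console installed?' }
    # Assumption: the exe lives in AdminConsole\bin, the parent of the i386 folder in the variable.
    $exe = Join-Path (Split-Path -Parent $env:SMS_ADMIN_UI_PATH) 'Microsoft.ConfigurationManagement.exe'
    if (-not (Test-Path -LiteralPath $exe)) { throw "Console executable not found at $exe" }
    # FileVersion can carry trailing text after the number; keep only the numeric part.
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion -replace '\s.*$', ''
    [version]$raw
}

$site    = Get-CMSiteVersion
$console = Get-CMConsoleVersion
[pscustomobject]@{
    SiteCode           = $site.SiteCode
    SiteVersion        = $site.Version
    ConsoleVersion     = $console
    # A console older than the site is exactly the "console cannot connect" case described above.
    ConsoleMatchesSite = ($console -eq $site.Version)
} | Format-List
```

Run it on the site server after the service pack upgrade; a False in ConsoleMatchesSite means the console still needs the separate Install Configuration Manager console step from Splash.hta.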

System Center 2012 SP1 Released

System Center 2012 Service Pack 1 has reached its “release-to-manufacturing” (RTM) milestone, Microsoft announced recently.

RTM typically refers to feature-complete products, although the final “general availability” release of System Center 2012 SP1 is scheduled for early January.
The “release candidate” version of the product had been issued previously, but was only available to Microsoft’s Technology Adoption Program testers. The last public release announcement seems to have been a beta delivered in September.

The software is now available on the MSDN site for partners and customers with SA.
It’s available on http://msdn.microsoft.com/en-us/subscriptions/downloads/.

A list of what’s new in SP1 for System Center 2012:
1. There are new Monitoring Capabilities under APM functionality:
   – Monitoring of Windows Services Built on the .NET Framework.
   – Automatic Discovery of ASP.NET MVC3 and MVC4 Applications.
   – New Transaction Types: MVC Pages and WCF Methods.
2. Enabled APM of SharePoint 2010.
3. Integration with Team Foundation Server 2010 and Team Foundation Server 2012.
4. New monitoring capability allows for opening of APM exception events from Visual Studio IDE as if the exception was captured during the IntelliTrace historical debugging session. Developers can stay within their familiar environment to examine complete exception call stack.
5. New Management Packs and Support for Windows Server 2012 and IIS 8.
6. The System Center 2012 Service Pack 1 (SP1) Beta version of Operations Manager can show you different perspectives of application health in one place—360 .NET Application Monitoring Dashboards. The 360 .NET Application Monitoring Dashboards displays information from Global Service Monitor, .NET Application Performance Monitoring, and Web Application Availability Monitoring to provide a summary of health and key metrics for 3-tier applications in a single view.
7. ACS support is now added for Dynamic Access Control, a new feature in Windows Server 2012 which lets business data owners easily classify and label data, allowing access policies to be defined for data classes that are critical to the business.
8. Support is added for CentOS, Debian, and Ubuntu Linux.

The arrival of SP1 for System Center 2012 is a big deal because it will add management support for Windows Server 2012 and Windows 8 and SQL 2012.

Without this service pack, there’s no management support for those operating systems in System Center 2012.

Nice!

Office 2013 deployment with SCCM 2012 SP1 (Beta)

Just another tutorial on how to deploy Office 2013 using Configuration Manager 2012 SP1.

Extracting the Office installation and customizing the installation
First I got the Office 2013 software from the MSDN site and extracted it to my demo lab file share.
1. In my case it was on \\demo-sccm01\Sources\Software\Office\Office 2013 Pro NL x64.


The second step is to customize the Office 2013 installation using the “Office Customization Tool”:
2. Open a command prompt, go to the Office 2013 folder and run setup.exe /admin
If the setup /admin runs well go to step 3, otherwise go to step 2.1
2.1 – Optional
If you run the setup.exe /admin you can receive the following error:

Files necessary to run the Office Customization Tool were not found. Run Setup from the installation point of a qualifying product.

To solve this issue, click HERE and extract the admin files in the root of the Office 2013 directory.

3. Choose Ok to create a new Setup Customization file

4. On Default File Types, I selected Office Open XML formats

5. On the Licensing and user interface check the I Accept terms and choose Display Level – none

6. Customize the rest of the Office 2013 installation to your needs.
7. Save it where the setup.exe is located. I used the name Office2013NLD_x64_Custom.msp

Next step is to deploy Office 2013 to the SCCM 2012 SP1 environment
1. Open the Configuration Manager 2012 console, Software Library, Application Management, right-click Applications
2. Create a folder named Office and a subfolder called Office 2013
3. Right Click Create application

4. Browse to proplusww.msi (in the proplus.ww subfolder of the location where you extracted Office) and click Next
5. On view imported information, click next
6. On the General information, make adjustments/notes and click next

7. Summary, click Next and choose Close
8. Select the Microsoft Professional Plus 2013 application, and select the Deployment Type tab, click Properties
9. In the Deployment Type properties of the Microsoft Professional Plus 2013 application, go to the Content tab and change the Content location from “\\demo-sccm01\Sources\Software\Office\Office 2013 Pro NL x64\proplus.ww” to “\\demo-sccm01\Sources\Software\Office\Office 2013 Pro NL x64” (setup.exe and the .msp live in the root folder, not in the proplus.ww subfolder)
10. Go to programs tab, Installation program, type setup.exe /adminfile Office2013NLD_x64_Custom.msp

11. If necessary you can go to the requirements section and add requirements like
– 1 gigahertz (Ghz) or faster
– 1 gigabyte (GB) RAM (32 bit);
– 2 gigabytes (GB) RAM (64 bit)

12. Select the Microsoft Office Professional Plus 2013 x64 – NLD, change to Home tab and click Properties

13. Select “Allow this application to be installed from the Install Application task sequence action without being deployed”; this is necessary if you want to use it during Operating System Deployment.

14. Select the Microsoft Professional Plus 2013 application and click Distribute Content

15. On the General, Click Next
16. On Content, click Next
17. On Content Destination, add the Distribution Point and click Next
18. Summary, click Next and choose Close
19. Right-click the Office app and choose Deploy, select All Systems as the collection (because we use it as an OSD deployment).

20. Just click next until completion, if you want to make adjustments it’s possible.
21. On the client force the machine policy retrieval

22. Open the Software Center, select Microsoft Professional Plus 2013 x64 NLD and click Install; the installation will start. After about ten minutes the installation is completed.
23. To check the deployment on the server, open the ConfigMgr console, go to monitoring, Deployments.
24. Select Microsoft Professional Plus 2013 and confirm the completion statistics
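An added pre-flight check for the application source (my example, not part of the original tutorial): it confirms that setup.exe, the customization .msp and proplus.ww\proplusww.msi are where steps 9 and 10 expect them, and that setup.exe carries a valid Authenticode signature before the content is distributed and run from the share during OSD. The share path and .msp name are the lab values from the steps above; change them to your own.

```powershell
# Added example (not part of the original post): pre-flight check of the Office 2013
# source folder before creating the ConfigMgr application. Paths are the lab values
# from the post; adjust them to your own share.
param(
    [string]$SourceRoot = '\\demo-sccm01\Sources\Software\Office\Office 2013 Pro NL x64',
    [string]$AdminFile  = 'Office2013NLD_x64_Custom.msp'
)

function Test-OfficeSource {
    param([string]$Root, [string]$Msp)
    $problems = @()
    # Step 9 of the post: the content location must be the root folder, not the proplus.ww
    # subfolder the MSI import points at, because setup.exe and the .msp live in the root.
    $setup = Join-Path $Root 'setup.exe'
    $msi   = Join-Path $Root 'proplus.ww\proplusww.msi'
    $patch = Join-Path $Root $Msp
    foreach ($f in $setup, $msi, $patch) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { $problems += "missing: $f" }
    }
    # Anything executed from a share during OSD should carry a valid publisher signature;
    # a tampered or corrupted setup.exe fails this check.
    if (Test-Path -LiteralPath $setup -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $setup
        if ($sig.Status -ne 'Valid') { $problems += "setup.exe signature status: $($sig.Status)" }
    }
    [pscustomobject]@{
        ContentLocation     = $Root
        InstallationProgram = "setup.exe /adminfile $Msp"   # the value for step 10
        Problems            = $problems
        Ready               = ($problems.Count -eq 0)
    }
}

$result = Test-OfficeSource -Root $SourceRoot -Msp $AdminFile
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

Run it from the site server with an account that can read the share; the InstallationProgram value it prints is the one to paste into the Programs tab in step 10.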


Step by Step: ConfigMgr 2012 SP1 Beta, Windows Server 2012 and SQL 2012 SP1

NOTE THIS IS FOR BETA; See http://www.toolzz.com/?p=793 for installing ConfigMgr 2012 SP1 RTM

Well, after some testing with SCCM 2012 SP1 I decided to reinstall everything in my lab to the latest software. So Windows 2012, SQL 2012 RTM and of course System Center Configuration Manager 2012 SP1 (Beta).

In this blog I used my laptop:
– Intel(R) i5-2410M CPU @ 2.30GHz, 2 Core(s)
– 8 GB of internal memory
– Two SSD disks (C:\ for OS and D:\ for Hyper-V)

Lab setup:
Domain Controller: Windows 2012 Enterprise; DC, DNS and certificate server
SCCM 2012; Windows 2012 Enterprise, SQL 2012 Enterprise, IIS and SCCM components

1. SQL 2012 installation
ConfigMgr 2012 SP1 Beta supports SQL 2012 RTM with a minimum of CU2. ConfigMgr has a very strict SQL collation requirement, as does pretty much the entire System Center range: essentially only the SQL_Latin1_General_CP1_CI_AS collation is supported.
This has to be selected during installation if you are running a non-US regional/system OS.

– Login as the SQL admin on the SQL Server
– Launch the SQL 2012 RTM installer
Select Installation on the left navigation pane
Select New SQL Server stand-alone installation or add features to an existing installation
– Ok, Next,
and choose Accept the license terms, Next
We will open the Firewall later, so skip the warning
– Choose Next
– Select SQL Server Feature Installation


Select the following
– Database Engine Services
– Reporting Services – Native
– Management Tools – Basic
– Management Tools – Complete
Because I’m in a test environment I didn’t change the paths. In production it’s recommended to choose alternative paths.
Next, Next

– Choose the default instance, change the paths if necessary and choose Next, Next
By default each of the services will be configured using a service-specific user account, we used NT AUTHORITY\SYSTEM

Do this for the SQL Server Agent, the SQL Server Database Engine and the SQL Server Reporting Services services
– Click Account Name, Browse, Browse locally for SYSTEM and accept
– Set the services’ Start-up Type to Automatic
– Select the Collation tab

– Double check that SQL_Latin1_General_CP1_CI_AS is shown; otherwise click Customize to select it, Next
Add the current user and a domain user at this point. I add the SQL admin and the local administrator, Next
– Select Install and configure, Next
Set Send Windows and SQL Server Error Reports to Microsoft, choose Next, Next
Alrighty then, SQL is ready, let’s rock.

– Next we will run SQL 2012 SP1 (SCCM 2012 requires at least CU2 for a successful install)
Download link SP1: http://www.microsoft.com/en-us/download/details.aspx?id=35575
Note: if you do not install CU2 (or SP1) you’ll receive a SQL Server Version Error in the Prerequisites check.

The advanced logging says that the SQL Server version is not supported. So patch your SQL Server.
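A query I added here (not the author's code) that returns the SQL properties the prerequisite check trips over: collation, product version and product level. It connects with Windows authentication to the instance named in $ServerInstance, which I assume to be the lab's default instance; it uses only the .NET SqlClient that ships with PowerShell, so nothing extra needs to be installed on the SQL box.

```powershell
# Added example (not part of the original post): query the SQL instance for the properties
# the ConfigMgr prerequisite checker validates (collation and patch level) before running setup.
param([string]$ServerInstance = 'localhost')   # assumed: the lab's default instance

function Get-SqlReadiness {
    param([string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=True;Connection Timeout=15")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)),
                                   CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)),
                                   CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(32))"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $collation = $r.GetString(0)
        $version   = [version]$r.GetString(1)
        $level     = $r.GetString(2)
        $r.Close()
    } finally { $conn.Close() }
    [pscustomobject]@{
        Instance     = $Instance
        Collation    = $collation
        # The only collation the post (and ConfigMgr) accepts.
        CollationOk  = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
        Version      = $version
        # 'RTM' or 'SP1'. A cumulative update on RTM still reports 'RTM', so for the CU2
        # route compare Version against the build number in the CU's KB article.
        ProductLevel = $level
    }
}

Get-SqlReadiness -Instance $ServerInstance | Format-List
```

If CollationOk is False the instance has to be reinstalled with the right collation; it cannot be changed afterwards without rebuilding the system databases.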
FIREWALL EXCEPTIONS

2. Installing the SCCM 2012 Prerequisites
Open Server Manager
– Select Add Roles and features, click Next
– Choose Role Based or Feature based installation
– Select the local server, Next
Open Web Server (IIS) and add the following role services:
Common HTTP Features
– Static Content
– Default Document
– Directory Browsing
– HTTP Errors
– HTTP Redirection

Application Development
– ASP.NET
– .NET Extensibility
– ASP
– ISAPI Extensions
– ISAPI Filters

Health and Diagnostics
– HTTP Logging
– Logging Tools
– Request Monitor
– Tracing

Security
– Basic Authentication
– Windows Authentication
– URL Authorization
– Request Filtering
– IP and Domain Restrictions

Performance
– Static Content Compression

Management Tools
– IIS Management Console
– IIS Management Scripts and Tools
– Management Service
– IIS 6 Management Compatibility
– IIS 6 Metabase Compatibility
– IIS 6 WMI Compatibility
– IIS 6 Scripting Tools
– IIS 6 Management Console
– Select Windows Server Update Services, Add features
– Select Windows Deployment Services, Add Features

– Choose Background Intelligent Transfer Service (BITS), Add features
– Choose Remote Differential Compression
– Telnet Client (not necessary but it’s useful), Next
– On the WSUS section choose next.
– On the Role Services choose WSUS Services and Database, Next
– Choose Store updates and choose a location (This is a testlab, in production it is not recommended to save these files to the C:\ drive), Next

– Type the SQL Server name and choose Check connection

– Next, Next,
– Choose Deployment Server and Transport Server
– Next, Install
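The same role and feature selection as a single Install-WindowsFeature call, added here as my example (not the author's script). The feature names are the Windows Server 2012 identifiers as I know them and are an assumption to confirm on your build with Get-WindowsFeature; the function refuses to run if any name is unknown, so a typo cannot silently leave a role out. The post lists ASP.NET and .NET Extensibility without a version; Server 2012 offers 3.5 and 4.5 variants and both are included (the 3.5 pair additionally needs the .NET Framework 3.5 feature, which may require source media).

```powershell
# Added example (not from the original post): the role and feature list from step 2 as an
# Install-WindowsFeature call. Feature names are Windows Server 2012 identifiers as I know
# them; confirm on your build with Get-WindowsFeature before relying on the list.
$features = @(
    # Web Server (IIS) - Common HTTP Features
    'Web-Server','Web-Common-Http','Web-Static-Content','Web-Default-Doc',
    'Web-Dir-Browsing','Web-Http-Errors','Web-Http-Redirect',
    # Application Development (3.5 and 4.5 variants; the post does not name a version)
    'Web-App-Dev','Web-Asp-Net','Web-Net-Ext','Web-Asp-Net45','Web-Net-Ext45',
    'Web-ASP','Web-ISAPI-Ext','Web-ISAPI-Filter',
    # Health and Diagnostics
    'Web-Health','Web-Http-Logging','Web-Log-Libraries','Web-Request-Monitor','Web-Http-Tracing',
    # Security
    'Web-Security','Web-Basic-Auth','Web-Windows-Auth','Web-Url-Auth','Web-Filtering','Web-IP-Security',
    # Performance
    'Web-Performance','Web-Stat-Compression',
    # Management Tools, including IIS 6 compatibility
    'Web-Mgmt-Tools','Web-Mgmt-Console','Web-Scripting-Tools','Web-Mgmt-Service',
    'Web-Mgmt-Compat','Web-Metabase','Web-WMI','Web-Lgcy-Scripting','Web-Lgcy-Mgmt-Console',
    # WSUS: "WSUS Services" and "Database" (SQL Server). The parent 'UpdateServices' role is
    # deliberately not listed, because it would pull in the Windows Internal Database instead.
    'UpdateServices-Services','UpdateServices-DB',
    # Windows Deployment Services: Deployment Server and Transport Server
    'WDS','WDS-Deployment','WDS-Transport',
    # BITS, Remote Differential Compression and the optional Telnet client
    'BITS','RDC','Telnet-Client'
)

function Install-CMPrerequisites {
    param([string[]]$Names)
    # Fail fast on any name this OS does not know, rather than silently skipping it.
    $known   = Get-WindowsFeature | Select-Object -ExpandProperty Name
    $unknown = $Names | Where-Object { $known -notcontains $_ }
    if ($unknown) { throw "Unknown feature name(s): $($unknown -join ', ')" }
    Install-WindowsFeature -Name $Names -IncludeManagementTools
}

$result = Install-CMPrerequisites -Names $features
$result | Format-List Success, RestartNeeded, ExitCode
```

After this the WSUS wizard steps from the post (content location and SQL server name) still have to be completed through the post-installation task in Server Manager, since Install-WindowsFeature only installs the role.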

3. Install the WADK (Windows Assessment and Deployment Kit)
In Windows 2012 you no longer use WAIK, we’re now on WADK for Windows 8.
– Go to http://go.microsoft.com/fwlink/?LinkID=252874 and download the ADK Setup.
– Run the ADKSetup.exe as an administrator

– I left the paths at their defaults and chose Next
– Choose whether you want to join CEIP and choose Next
– Accept the License Agreement and choose Accept
– Check Deployment Tools, Windows Preinstallation Environment (Windows PE) and User State Migration Tools (USMT)

– Choose Next and install the Software

4. Next step is to install SCCM 2012 SP1 Beta
Ok, we are now ready to install ConfigMgr 2012 SP1 Beta
– Launch the Splash.hta from the installation media

– First check that the server is ready before we get any further into the installer: select Assess server readiness

Some minor issues but no show stoppers, so let’s continue
– Go back to the Splash.hta screen and click Install, Choose Next
– Because we are on one demo server we choose Install a Configuration Manager Primary Site and check the Use typical installation… Choose Next.

– Choose yes and I Agree, Next
– Accept all the license terms and choose Next

– Download the files to a folder you choose and click Next

– Choose a site code, site name and installation folder for SCCM 2012 SP1, Next

– Hit next a couple of times and then choose Begin Install

That’s it, we are now up and running.

SP1 brings a lot of nice new stuff like the cross-platform clients, Azure Cloud DP, mobile device management through Microsoft Exchange ActiveSync amongst others.
Check out what’s new in SP1 here for a list of fun things to play around with and get to know in preparation for the actual SP1 release, as well as the release notes detailing what is known to be in a broken state during the Beta. You can also provide feedback to Microsoft for anything quirky that you may find during the evaluation.

Have Fun!

Antivirus exclusions for Operations Manager 2012; Management, Gateway and SQL servers

SCOM 2012 Antivirus exclusions; Management, Gateway and SQL servers

For information on exclusions on the SCOM 2012 and 2007 agents click here.

This question comes up all of the time in new environments; so I decided to make a blog about exclusions to let the SCOM 2012 and the SQL 2008 R2 servers run efficiently.

Note: replace %programfiles% with the physical location like C:\Program Files\System Center Operations…. Do this for all entries below. Also make sure the path you use is correct!

Excluded Processes
Forefront – Excluded processes
McAfee – On Access Low risk processes
SCOM 2012
- %programfiles%\System Center Operations Manager\Agent\HealthService.exe
- %programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe
- %programfiles%\Microsoft\Exchange Server\v14\Bin\Microsoft.Exchange.Monitoring.CorrelationEngine.exe
- %programfiles%\System Center 2012\Operations Manager\Console\Microsoft.EnterpriseManagement.Monitoring.Console.exe
- C:\Windows\system32\AdtAgent.exe
- %programfiles%\System Center 2012\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe
- %programfiles%\System Center 2012\Operations Manager\Server\APMDOTNETAgent\InterceptSvc.exe
- %programfiles%\System Center 2012\Operations Manager\Server\cshost.exe

SQL 2008 R2
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
- %ProgramFiles%\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
- %ProgramFiles%\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe


Excluded Directories
Forefront – Excluded files and locations
McAfee – Exclusions
SCOM 2012
- %programfiles%\System Center Operations Manager\Agent\Health Service State\*

SQL 2008 R2
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\DATA\*
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\BACKUP\*
- %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\FTDATA\*

Excluded file types
Forefront – Excluded File Types
McAfee – Exclusions
SCOM 2012
.EDB
.CHK
.LOG

SQL 2008 R2 Server data and backup files
.mdf
.ldf
.ndf
.bak
.trn

Antivirus exclusions for Operations Manager / SCOM 2012 and 2007 Agents

SCOM 2012 and 2007 Antivirus exclusions; Agents

For information on exclusions on the SCOM 2012 management, gateway and SQL servers click here.

This question comes up all of the time in new environments; so I decided to make a blog about exclusions to let the SCOM 2012 agents run efficiently.

Note: replace %programfiles% with the physical location like C:\Program Files\System Center Operations…. Do this for all entries below. Also make sure the path you use is correct!

SCOM 2012 Agent Exclusions:

-SCOM 2012 Agent – Excluded Processes
Forefront – Excluded processes
McAfee – On Access Low risk processes
  -%programfiles%\System Center Operations Manager\Agent\HealthService.exe
  -%programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe

-SCOM 2012 Agent – Excluded Directories
Forefront – Excluded files and locations
McAfee – Exclusions
  -%programfiles%\System Center Operations Manager\Agent\Health Service State\*

-SCOM 2012 Agent – Excluded file types
Forefront – Excluded File Types
McAfee – Exclusions
  .EDB
  .CHK
  .LOG
____________________________

SCOM 2007 R2 Agent Exclusions:

-SCOM 2007 R2 Agent – Excluded Processes
Forefront – Excluded processes
McAfee – On Access Low risk processes
  -%programfiles%\System Center Operations Manager 2007\HealthService.exe
  -%programfiles%\System Center Operations Manager 2007\MonitoringHost.exe

-SCOM 2007 R2 Agent – Excluded Directories
Forefront – Excluded files and locations
McAfee – Exclusions
  -%programfiles%\System Center Operations Manager 2007\Health Service State\*

-SCOM 2007 R2 Agent – Excluded file types
Forefront – Excluded File Types
McAfee – Exclusions
  .EDB
  .CHK
  .LOG
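Both exclusion posts (the server list above and this agent list) end with the same note: expand %programfiles% yourself and make sure the path is right. The script below is my added example (not the author's) that does that check: it expands the variables the way Windows does, strips the trailing \* from directory entries, and reports which exclusions resolve to something that exists on this host. The sample lists are a subset of the entries above; paste in the full list for the role you are configuring.

```powershell
# Added example (not from the original posts): expand %programfiles% in the exclusion lists
# and check that every path exists on this host, so a mistyped or absent path is caught
# before it ends up in the antivirus policy. Entries below are taken from the lists above.
$ProcessExclusions = @(
    '%programfiles%\System Center Operations Manager\Agent\HealthService.exe',
    '%programfiles%\System Center Operations Manager\Agent\MonitoringHost.exe',
    '%programfiles%\System Center 2012\Operations Manager\Server\Microsoft.Mom.Sdk.ServiceHost.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLServr.exe'
)
$DirectoryExclusions = @(
    '%programfiles%\System Center Operations Manager\Agent\Health Service State\*',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\DATA\*'
)

function Test-AvExclusion {
    param(
        [string[]]$Paths,
        [ValidateSet('Process','Directory')][string]$Kind
    )
    foreach ($raw in $Paths) {
        # Expands %programfiles% (case-insensitive) and any other variable, exactly as the shell would;
        # the expanded string is what goes into a product that does not expand variables itself.
        $expanded = [System.Environment]::ExpandEnvironmentVariables($raw)
        # Directory exclusions are written with a trailing \*; test the folder itself.
        $probe = if ($Kind -eq 'Directory') { $expanded -replace '\\\*$', '' } else { $expanded }
        $type  = if ($Kind -eq 'Directory') { 'Container' } else { 'Leaf' }
        [pscustomobject]@{
            Kind      = $Kind
            Exclusion = $expanded
            Exists    = Test-Path -LiteralPath $probe -PathType $type
        }
    }
}

$report = @(Test-AvExclusion -Paths $ProcessExclusions -Kind Process) +
          @(Test-AvExclusion -Paths $DirectoryExclusions -Kind Directory)
$report | Format-Table -AutoSize
# Exists = False is either a role that is simply not installed on this host (fine) or a
# typo in the list (not fine): resolve each one before importing the list into the AV console.
```

Run it on each host type (management server, gateway, SQL, agent) with the list for that role; an exclusion that does not exist on the host adds no protection but still widens what the scanner skips if the path is ever created.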

Troubleshooting performance SCOM 2012 and SCOM 2007 agent with McAfee Antivirus

I got quite a number of questions on the performance of SCOM and related processes (HealthService.exe, MonitoringHost.exe and cscript). High CPU load on the SCOM processes is mostly related to antivirus software.

In most cases the culprit ends up being an incorrect setup of the antivirus software; especially McAfee is very tricky when it’s not configured well and when the exclusions are not in the right place.
See my blog posts on antivirus exclusions for SCOM 2012 management, gateway and SQL servers or SCOM 2012 and 2007 agents.

Here is how to troubleshoot antivirus in combination with the SCOM agent. In this case we look at McAfee in combination with SCOM. To troubleshoot I used Procmon from Sysinternals.
In a later post I will make a list of recommended exclusions.
The symptom: lots of servers with high CPU load, especially on the SCOM processes; HealthService.exe, cscript and more.

Troubleshooting the process with “Sysinternals Process Monitor”
1. Lets start with downloading the Process Monitor on http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2. Stop the monitoring, go to Filter, Enable Advanced Output

3. Go to Filter, Process name, is, Mcshield.exe and click Add, OK

4. Click on the magnifying glass to start the capture
Ok, we see that the McShield.exe process is scanning the OpsMgr data. This is not good.
After checking we noticed that the antivirus exclusions aren’t configured properly.

We’ve changed the exclusions to the best practice settings.
See my post for the working best practice for Antivirus Exclusions in combination with SCOM 2012 and 2007.

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

The following posts describe how to monitor SCOM clients which are not members of the Kerberos domain. Monitoring these “non-domain member” servers requires some steps. This is the first of my series about monitoring.

Use the procedures in this topic to obtain a certificate from a stand-alone Windows Server 2008–based computer hosting Active Directory Certificate Services (AD CS). You will use the CertReq command-line utility to request and accept a certificate, and you will use a Web interface to submit and retrieve your certificate.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

The high-level process to set up a gateway server is as follows:
1. Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to the management servers
2. Register the gateway with the management group
3. Install the gateway server
4. On the gateway server, install the Root CA certificate
5. On the gateway server, install the client certificates
6. Optional: configure gateway servers for failover between management servers

Step 1. To copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to SCOM management servers
1. From a target management server, open the Operations Manager installation media \SupportTools directory.
2. Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the installation media to the Operations Manager installation directory.

Step 2. Registering the Gateway with the Management Group on the SCOM management servers
This procedure registers the gateway server with the management group, and when this is completed, the gateway server appears in the Discovered Inventory view of the management group.

To run the gateway Approval tool
1. On the management server that was targeted during the gateway server installation, log on with the Operations Manager Administrator account.
2. Open a command prompt, and navigate to the Operations Manager installation directory or to the directory that you copied the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe to.
3. At the command prompt, run
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
4. If the approval is successful, you will see “The approval of server <GatewayFQDN> completed successfully.”
5. If you need to remove the gateway server from the management group, run the same command, but substitute the /Action=Delete flag for the /Action=Create flag.
6. Open the Operations console to the Monitoring view. Select the Discovered Inventory view to see that the gateway server is present.

Step 3. Installing Gateway Server
This procedure installs the gateway server. The server that is to be the gateway server should be a member of the same domain as the agent-managed computers that will be reporting to it.
Note: An installation will fail when starting Windows Installer (for example, installing a gateway server by double-clicking MOMGateway.msi) if the local security policy User Account Control: Run all administrators in Admin Approval Mode is enabled.

To run Operations Manager Gateway Windows Installer from a Command Prompt window
1. On the Windows desktop, click Start, point to Programs, point to Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the Administrator: Command Prompt window, navigate to the local drive that hosts the Operations Manager installation media.
3. Navigate to the directory where the .msi file is located, type the name of the .msi file, and then press ENTER.
4. From the Operations Manager installation media, start Setup.exe.
5. In the Install area, click the Gateway management server link.
6. On the Welcome screen, click Next.
7. On the Destination Folder page, accept the default, or click Change to select a different installation directory, and then click Next.
8. On the Management Group Configuration page, type the target management group name in the Management Group Name field, type the target management server name in the Management Server field, check that the Management Server Port field is 5723, and then click Next.
9. On the Gateway Action Account page, select the Local System account option, unless you have specifically created a domain-based or local computer-based gateway Action account. Click Next.
10. On the Microsoft Update page, optionally indicate if you want to use Microsoft Update, and then click Next.
11. On the Ready to Install page, click Install.
12. On the Completing page, click Finish.


Step 4. On the Gateway Server – Let’s install the Root CA certificate
This step only has to be executed the first time; if you have run it in the past, skip this step.
1. From the untrusted agent start Internet Explorer
2. Go to the certificate server website (in our case http://demo-dc01/certsrv)
3. Click on Download CA certificate, certificate chain, or CRL
4. Click Download CA Certificate chain and save it on the machine.
5. Once the certificate is downloaded, open an MMC, connect to Local Computer and load the Certificates snap-in (Local Computer)
6. Go to Trusted Root Certification Authorities, right-click, All Tasks, Import and import the Root CA.


Step 5. On the Gateway Server – Install the client certificates
1. From the untrusted agent start the Internet Explorer
2. Go to the certificate server website (in our case http://demo-dc01/certsrv)

3. Click on Request a certificate, choose Advanced certificate request, next click Create and submit a request to this CA
4. Choose the OpsMgr certificate template, in the Name field enter the FQDN of the machine and fill in the same name as the friendly name.
5. Click Finish and Install the Certificate

Once installed, the certificate is stored in the personal certificate store of the current user. The OpsMgr certificate needs to be in the Computer store, so we have to do the following steps:

6. Click Start, click Run, type MMC
7. On the File menu, click Add/Remove Snap-in, click Add, click Certificates, then click Add, select Personal Store and Computer account, and then click Finish
8. Export the certificate from the personal store and import it into the Local Computer store (NO DRAG AND DROP)
9. Remove the certificate from the local user store.
10. Make sure that both the agent-managed machine and the SCOM server are reachable by hostname (just ping). If it’s not working, add the machines in DNS or in the hosts file (C:\Windows\System32\Drivers\ETC\hosts).
11. From the host which you are going to monitor make sure ports 5723 and 5724 are open to the SCOM management server

Import the Certificate on the SCOM Management servers
12. Go to the copied support tools directory and run MOMCertImport.exe
13. Select the imported certificate and click OK
14. Make sure the import was successful
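Step 14 says to make sure the import was successful but not how. The script below is my added example (not the author's code) for that check, and it applies equally to the same certificate steps in Part 3: it looks in the LocalMachine\My store for a certificate whose subject CN is the machine FQDN (as chosen in step 4), confirms the private key came along with the export/import of steps 8 and 9, that the chain validates against the root CA from step 4, that the certificate carries both the Server Authentication and Client Authentication enhanced key usages SCOM requires, and which certificate MOMCertImport selected. The last check relies on my understanding that MOMCertImport stores the chosen serial number, byte-reversed, in the ChannelCertificateSerialNumber value under the Machine Settings registry key named in the script; treat that part as an assumption and compare by eye if it disagrees with what you selected.

```powershell
# Added example (not code from the original post). Checks the LocalMachine\My store for the
# OpsMgr certificate after steps 6-9 and reports what MOMCertImport (steps 12-14) selected.
# Assumptions: the subject CN is the host FQDN (step 4), and MOMCertImport writes the chosen
# serial number byte-reversed to ChannelCertificateSerialNumber under the key below.
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$momKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function Get-MomImportedSerial {
    $v = (Get-ItemProperty -Path $momKey -Name ChannelCertificateSerialNumber `
            -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $v) { return $null }
    # The registry value holds the serial little-endian; reverse it to match
    # X509Certificate2.SerialNumber, which is an uppercase hex string.
    (([byte[]]$v)[($v.Length - 1)..0] | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-OpsMgrCertificateStatus {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    $imported = Get-MomImportedSerial
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "CN=$Fqdn*" }
    if (-not $certs) {
        Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My (still in the user store?)"
    }
    foreach ($c in $certs) {
        $ekuExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku = @()
        if ($ekuExt) { $eku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Subject                 = $c.Subject
            Thumbprint              = $c.Thumbprint
            HasPrivateKey           = $c.HasPrivateKey   # False: exported without the key (step 8)
            ChainTrusted            = $c.Verify()         # False until the root CA from step 4 is in place
            ServerAndClientAuth     = ($eku -contains $serverAuth) -and ($eku -contains $clientAuth)
            NotAfter                = $c.NotAfter
            SelectedByMomCertImport = ($imported -ne $null) -and ($imported -eq $c.SerialNumber)
        }
    }
}

Get-OpsMgrCertificateStatus | Format-List
```

Every property should come back True (and NotAfter in the future) for exactly one certificate; a False in HasPrivateKey is the usual result of the drag-and-drop the post warns against in step 8.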

Step 6. Optional Configuring Gateway Servers for Failover Between Management Servers
Although gateway servers can communicate with any management server in the management group, this must be configured. In this scenario, the secondary management servers are identified as targets for gateway server failover.

Use the Set-SCOMParentManagementServer cmdlet in the Operations Manager Shell, as shown in the following example, to configure a gateway server to fail over to multiple management servers. The commands can be run from any Operations Manager Shell in the management group.

To configure gateway server failover between management servers
1. Log on to the management server with an account that is a member of the Administrators role for the management group.
2. On the Windows desktop, click Start, point to Programs, point to System Center Operations Manager, and then click Command Shell.
3. In Command Shell, follow the example that is described in the next section.

The following example can be used to configure gateway server failover to multiple management servers.

# Resolve the gateway and the management servers it should fail over to by name
$GatewayServer = Get-SCOMGatewayManagementServer -Name "ComputerName.Contoso.com"
$FailoverServer = Get-SCOMManagementServer -Name "ManagementServer.Contoso.com","ManagementServer2.Contoso.com"
# Register those management servers as failover targets for the gateway
Set-SCOMParentManagementServer -GatewayServer $GatewayServer -FailoverServer $FailoverServer

That’s it; you can now rollout agents with the gateway server

Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to a untrusted server

The following posts describe how to monitor SCOM clients which are not members of the Kerberos domain. Monitoring these “non-domain member” servers requires some steps. This is the third of my series about monitoring.
The description is provided ‘from the ground up’.

This section explains how to install SCOM certificates, configure SCOM and monitor an untrusted agent.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Rollout a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

The steps to complete this operation:
1. Open TCP ports 5723 from the target server to the MS server.
2. Install the Root CA certificates
3. Install the Client certificates
4. Manual install of agents and run the momcertimport on servers to be monitored
5. Import the Certificate on the Management servers
6. Approve agents in SCOM console

– Rollout an agent to an untrusted server, without a gateway server.
This scenario describes how to install an untrusted agent on Windows 2008 R2 x64. The environment is an untrusted domain.

Step 1. Open TCP port 5723 from the target server to the management server
1. Open port 5723 from the client machine to the management server
2. Go to the untrusted machine and open the command prompt
3. In the command prompt type telnet x.x.x.x 5723 (note that x.x.x.x must be the IP address of the management server)
If everything is working continue to the next step; if not, be sure that the firewall is open and is passing port 5723 to the SCOM server.

Step 2. On the unmanaged server – Install the Root CA certificate
This step only has to be executed once per machine; if you have done it before, skip it.
1. On the untrusted server start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv).
-3. Click Download a CA certificate, certificate chain, or CRL.
4. Click Download CA certificate chain and save the .p7b file on the machine.
-5. Once the file is downloaded, open an MMC and add the Certificates snap-in for the Computer account (Local Computer).
-6. Go to Trusted Root Certification Authorities, right-click, All Tasks, Import, and import the Root CA certificate. The certsrv page is plain HTTP, so compare the thumbprint of the imported root with the one shown in the Certification Authority console before you trust it.

Step 3. On the unmanaged server – Request and install the client certificate
1. On the untrusted server start Internet Explorer.
2. Go to the certificate server website (in our case http://demo-dc01/certsrv) and log on with a domain account that has Enroll permission on the template.
-3. Click Request a certificate, choose Advanced certificate request, then click Create and submit a request to this CA.
4. Choose the OpsMgr Certificate template, enter the FQDN of the machine as the Name and enter the same FQDN as the friendly name. The name has to match exactly what the agent reports as its FQDN, because the Health Service compares the certificate subject with the computer name and refuses to load a certificate that does not match.
-5. Click Submit and then Install this certificate.

The web enrollment stores the certificate in the Personal store of the current user. The OpsMgr certificate has to be in the Personal store of the computer, so we have to move it:

-6. Click Start, click Run, type MMC.
-7. On the File menu, click Add/Remove Snap-in, click Add, click Certificates, and add the snap-in twice: once for My user account and once for Computer account (Local Computer). Click Finish.
-8. Under Certificates - Current User \ Personal, export the certificate with its private key (PFX, protected with a password) and import that PFX into Certificates (Local Computer) \ Personal. Do NOT drag and drop between the two snap-ins: that copies only the public certificate and leaves the private key in the user profile, where the Health Service (running as Local System) cannot use it.
-9. Remove the certificate from the user store, so the private key exists only in the machine store.
-10. Make sure that the monitored machine and the management server can resolve each other’s hostname (just ping). If that does not work, add the machines to DNS or to the hosts file (C:\Windows\System32\drivers\etc\hosts).
-11. From the host you are going to monitor make sure port 5723 is open to the SCOM management server.
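The following script is an added example, not part of the original post, that automates Steps 1 to 3 on the untrusted server once the certificate has been requested and installed through the certsrv page. It runs on Windows PowerShell 2.0 (Windows Server 2008 R2) from an elevated prompt and therefore uses .NET classes rather than the newer PKI module. The management server name demo-ms01.demo.local, the path of the downloaded chain file and the use of the local FQDN as certificate subject are assumptions; change them for your environment.

```powershell
# Added example (not from the original post): Steps 1-3 on the untrusted server.
# Assumptions: management server demo-ms01.demo.local, CA chain saved as
# C:\Temp\certnew.p7b in Step 2, certificate subject equals the local FQDN.
# Run elevated; MachineKeySet needs administrator rights.
$ManagementServer = 'demo-ms01.demo.local'   # assumption
$CaChainFile      = 'C:\Temp\certnew.p7b'     # assumption
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # set explicitly if it differs

# Step 1: the agent opens TCP 5723 to the management server, so test from here.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ManagementServer, 5723)
    Write-Host "TCP 5723 to $ManagementServer is open"
} catch {
    throw "Cannot reach $ManagementServer on TCP 5723: $($_.Exception.Message)"
} finally { $client.Close() }

# Step 2: import the CA chain into the machine stores. Self-signed (root) certs
# go to Trusted Root, anything else to Intermediate CAs. certsrv is plain HTTP,
# so compare the printed thumbprint with the CA console before trusting it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($CaChainFile)
foreach ($ca in $chain) {
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($ca)
    $store.Close()
    Write-Host ("Imported {0} into LocalMachine\{1} (thumbprint {2})" -f $ca.Subject, $storeName, $ca.Thumbprint)
}

# Step 3: move the enrolled certificate, including its private key, from the
# user Personal store to the machine Personal store.
$userStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$userStore.Open('ReadWrite')
$cert = $userStore.Certificates | Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$Fqdn and a private key in CurrentUser\My" }

# Export as PFX (the template allows key export) and re-import with
# MachineKeySet so the key lands in the machine key container that Local System
# can use. The random password only protects the bytes while they are in memory.
$pfxPassword = [System.Guid]::NewGuid().ToString()
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$machineCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxBytes, $pfxPassword, $flags)

$machineStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$machineStore.Open('ReadWrite')
$machineStore.Add($machineCert)
$machineStore.Close()

# Step 3.9: drop the user-store copy. Note that this API call removes the
# certificate but leaves the user key container behind; deleting it in the
# MMC removes the key as well, so do that if the key must not stay in the profile.
$userStore.Remove($cert)
$userStore.Close()
Write-Host "Moved $($machineCert.Subject) to LocalMachine\My, thumbprint $($machineCert.Thumbprint)"
```

The connectivity test is done with a raw TCP connect instead of telnet because the Telnet Client is not installed by default on 2008 R2, and the store operations are done with X509Store so the script does not depend on the PKI cmdlets that only exist on Windows 8 / Server 2012 and later.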

Step 4. On the SCOM management servers – Install the Root CA certificate and a client certificate
– Every management server that untrusted agents will talk to needs the Root CA certificate in its Trusted Root store and its own certificate, issued from the same OpsMgr template with the management server’s FQDN as the subject, in the Local Computer Personal store. Without it the management server cannot authenticate itself to the agent and the connection is dropped.
– NOTE: this only has to be done once per management server; if you have done it before, skip it.
– Repeat Step 2 and Step 3 on each management server: download and import the CA certificate chain, request a certificate from the OpsMgr Certificate template with the management server’s FQDN as name and friendly name, install it, move it from the user Personal store to the Local Computer Personal store (export with the private key, import, no drag and drop) and remove it from the user store.
-18. Next, make sure manually installed agents are not rejected. In the SCOM console go to Administration, Settings, Security and select “Review new manual agent installations in pending management view”. With the default, “Reject new manual agent installations”, the agent never shows up in Pending Management. Leave “Automatically approve new manually installed agents” unchecked, so every untrusted agent has to be approved by an operator in Step 6.

Import the certificate on the SCOM management servers
-19. Copy the SupportTools directory from the SCOM installation media to the management server.
-20. Open a command prompt as Administrator, go to the copied SupportTools\AMD64 directory and run MOMCertImport.exe.
-21. Select the imported certificate and click OK.
-22. Make sure the import was successful: restart the System Center Management service (service name HealthService) and check the Operations Manager event log for event 20053 from the OpsMgr Connector source, which reports that the certificate was loaded.

Step 5. On the unmanaged server – Manual install of the agent and run MOMCertImport
-1. On the untrusted machine, open the OpsMgr agent installation directory. By default it is on the management server under \\DISK\Program Files\System Center 2012\Operations Manager\Server\AgentManagement\ in the AMD64 or i386 subfolder (DISK being the drive SCOM is installed on); if the share is not reachable from the untrusted machine, copy the directory to it. Run MOMAgent.msi and install the agent.
-2. Also copy the SupportTools directory from the SCOM ISO to the local machine.
-3. Fill in the settings for the management group: the management group name, the FQDN of the management server and port 5723. Use the FQDN, not a NetBIOS name, because the agent has no domain to resolve short names against.
-4. We prefer using the Local System account as the action account. Choose Next and Install.
-5. If necessary, update the agent to the same update rollup level as the management servers.
-6. Next, on the client machine open a command prompt (Run as Administrator).
-7. Go to the copied SupportTools directory and run MOMCertImport.exe.
-8. Select the imported certificate and click OK.
-9. Make sure the import was successful: restart the System Center Management service (HealthService) and check the Operations Manager event log for event 20053 from the OpsMgr Connector source (certificate loaded). If you see errors from that source instead, check that the certificate is in the Local Computer Personal store with its private key, chains to a trusted root, has both the Client Authentication and Server Authentication EKUs and has the machine FQDN as its subject.
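The script below is an added example, not part of the original post, that performs Step 5 unattended on the untrusted server and, before running MOMCertImport, checks the certificate for the properties the Health Service insists on (FQDN subject, private key, both EKUs, a chain to a trusted root). The paths under C:\Temp, the management group name MG01 and the management server demo-ms01.demo.local are assumptions; the MSI property names are the documented ones for the SCOM 2012 agent, and the /SubjectName switch of MOMCertImport is used to avoid the picker dialog (run the tool without arguments, as in step 7, if your copy does not accept it).

```powershell
# Added example (not from the original post): unattended Step 5 with a
# pre-flight check of the certificate. Assumptions: agent files copied to
# C:\Temp\Agent, SupportTools\AMD64 copied to C:\Temp\SupportTools,
# management group MG01, management server demo-ms01.demo.local.
# Run in an elevated PowerShell session on the untrusted server.
$AgentMsi         = 'C:\Temp\Agent\MOMAgent.msi'              # assumption
$MomCertImport    = 'C:\Temp\SupportTools\MOMCertImport.exe'  # assumption
$ManagementGroup  = 'MG01'                                     # assumption
$ManagementServer = 'demo-ms01.demo.local'                     # assumption
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pre-flight: pick a certificate the Health Service will accept.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$candidates = @($store.Certificates | Where-Object { $_.Subject -eq "CN=$Fqdn" })
$store.Close()

$required = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')   # Server Auth, Client Auth
$cert = $null
foreach ($c in $candidates) {
    $problems = @()
    $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($r in $required) { if ($oids -notcontains $r) { $problems += "missing EKU $r" } }
    if (-not $c.HasPrivateKey) { $problems += 'no private key' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($c)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    if ($problems.Count -eq 0) { $cert = $c; break }
    Write-Warning ("Skipping {0}: {1}" -f $c.Thumbprint, ($problems -join '; '))
}
if (-not $cert) { throw "No usable OpsMgr certificate for CN=$Fqdn in LocalMachine\My" }
Write-Host "Using certificate $($cert.Thumbprint)"

# Install the agent with manually specified settings (no AD integration, there
# is no trust) and Local System as the action account.
$msiArgs = @(
    '/i', "`"$AgentMsi`"", '/qn', '/l*v', 'C:\Temp\MOMAgent-install.log',
    'USE_SETTINGS_FROM_AD=0', 'USE_MANUALLY_SPECIFIED_SETTINGS=1',
    "MANAGEMENT_GROUP=$ManagementGroup",
    "MANAGEMENT_SERVER_DNS=$ManagementServer",
    "MANAGEMENT_SERVER_AD_NAME=$ManagementServer",
    'SECURE_PORT=5723', 'ACTIONS_USE_COMPUTER_ACCOUNT=1',
    'AcceptEndUserLicenseAgreement=1'
)
$p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "MOMAgent.msi failed with exit code $($p.ExitCode)" }

# Point the Health Service at the certificate. MOMCertImport records its serial
# number under HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings.
$p = Start-Process -FilePath $MomCertImport -ArgumentList @('/SubjectName', $Fqdn) -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "MOMCertImport failed with exit code $($p.ExitCode)" }

# The certificate is read at service start: restart and look for event 20053.
Restart-Service HealthService
Start-Sleep -Seconds 20
$loaded = Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 50 |
          Where-Object { $_.EventID -eq 20053 }
if ($loaded) { Write-Host "Certificate loaded (event 20053); approve $Fqdn in Pending Management" }
else         { Write-Warning 'Event 20053 not seen; check OpsMgr Connector errors in the Operations Manager log' }
```

Doing the certificate check before the install saves a round of "why does the agent never show up": every reason the Health Service has for refusing a certificate (wrong subject, key not in the machine store, IKE template left untouched, root not trusted) surfaces here as a warning instead of as an error event after the fact.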


Step 6. Approve the agent in the SCOM console
Just a quick note that it can take a few minutes before the machine shows up in the console; the agent has to contact the management server first.
-1. Open the SCOM console, Administration, Pending Management.
-2. Check that the name is the FQDN you issued the certificate for, then right-click the machine and click Approve. Approving is the moment you decide to trust the agent, so do not approve names you do not recognise.

That’s it; the server/workstation is now monitored.

Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM

This series of posts describes how to monitor servers that are not members of the Active Directory forest the management group lives in (there is no Kerberos trust), so SCOM has to authenticate them with certificates instead of Kerberos. This is the second part of the series on monitoring untrusted agents.

It is written ‘from the ground up’; if you already have some of the steps in place you can skip ahead to the next section.

This section explains how to create a SCOM certificate template on Windows Server 2012.

In this series of posts we cover the following steps:
Part 1. – Monitor Untrusted Agents with SCOM 2012: Install the Enterprise CA on Windows 2012
Part 2. – Monitor Untrusted Agents with SCOM 2012: Configure a certificate template for SCOM
Part 3. – Monitor Untrusted Agents with SCOM 2012: Roll out a certificate to an untrusted server
Part 4. – Monitor Untrusted Agents with SCOM 2012: Implementation of a gateway server

1. To configure the SCOM certificate template
In my lab I installed the Root CA on the domain controller. That is fine for a lab; in production keep the CA on its own server.
-1. Open Server Manager, click Tools, click Certification Authority.
-2. Select the Enterprise CA, right-click Certificate Templates and click Manage.
-3. In the Certificate Templates console, right-click IPSec (Offline request) and select Duplicate Template. This template is used as the base because its subject name is supplied in the request, which is what we need for machines that are not in the domain.
4. On the Compatibility tab leave the defaults (Windows Server 2003 for the CA, Windows XP / Server 2003 for the recipient). This keeps the template usable by older agents.

-5. Go to the General tab and type a logical Template display name and Template name (we used OpsMgr Certificate and OpsMgrCertificate). We changed the validity period to 5 years. Whatever you choose, you have to renew and re-import the certificate on every agent and management server before it expires, or monitoring of those machines stops.

-6. Go to the Request Handling tab and check Allow private key to be exported. This is needed because the web enrollment puts the certificate in the user store and we have to move it, together with its key, to the computer store.

7. Go to the Cryptography tab and set the minimum key size to 2048. This is sufficient and costs little CPU time. Also select Microsoft Enhanced Cryptographic Provider v1.0 as the provider.

8. Go to the Extensions tab, select Application Policies and click Edit. Remove IP security IKE intermediate and add Client Authentication and Server Authentication, then click OK. SCOM needs both: the agent and the management server each authenticate to the other over the same channel.

9. Go to the Security tab. Authenticated Users need Read access, and the account you use on the certsrv page to request certificates needs Enroll. Because the subject is supplied in the request, anyone with Enroll on this template can obtain a certificate for any name, and since the template carries Client Authentication such a certificate can be used to authenticate as that name. Keep Enroll limited to the administrators doing the rollout; do not grant it to Authenticated Users or Domain Users.

10. Click Apply and OK; the template is now created.

Now that we have created the template it’s time to make it available for issuing.

-11. Open Server Manager, click Tools, click Certification Authority, right-click Certificate Templates, New, Certificate Template to Issue.

-12. Choose OpsMgr Certificate and click OK.

After these steps the OpsMgr Certificate template is displayed under Certificate Templates of the CA.
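As an added example that is not part of the original post, the script below reads the template back from Active Directory and checks the settings from steps 5 to 12 above, including the Enroll permissions that decide who can mint certificates from a supply-in-request template. It assumes the Template name OpsMgrCertificate (the name from step 5, not the display name), a domain-joined Windows Server 2012 machine with PowerShell 3.0 or later, and a user that can read the Configuration partition (any domain user by default).

```powershell
# Added example (not from the original post): audit the OpsMgr template in AD.
# Assumption: Template name OpsMgrCertificate as chosen in step 5.
$TemplateName = 'OpsMgrCertificate'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"
$t = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
try { $null = $t.Properties['cn'][0] } catch { throw "Template $TemplateName not found in AD" }

$findings = @()

# Step 8: exactly Client Authentication and Server Authentication, IKE removed.
$eku = @($t.Properties['pKIExtendedKeyUsage'])
foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($eku -notcontains $need) { $findings += "EKU $need missing" }
}
if ($eku -contains '1.3.6.1.5.5.8.2.2') { $findings += 'IP security IKE intermediate still present' }

# Step 7: minimum key size.
$keySize = [int]$t.Properties['msPKI-Minimal-Key-Size'][0]
if ($keySize -lt 2048) { $findings += "minimum key size is $keySize, expected 2048" }

# Step 6: private key exportable (msPKI-Private-Key-Flag bit 0x10), otherwise the
# certificate cannot be moved into the machine store on the untrusted server.
$pkFlags = [int]$t.Properties['msPKI-Private-Key-Flag'][0]
if (-not ($pkFlags -band 0x10)) { $findings += 'private key is not exportable' }

# Step 5: pKIExpirationPeriod is a negative count of 100ns ticks, little-endian.
$period = [byte[]]$t.Properties['pKIExpirationPeriod'][0]
$years = [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($period, 0)).TotalDays / 365
Write-Host ("Validity {0:N1} years, key size {1}, EKUs: {2}" -f $years, $keySize, ($eku -join ' '))

# Step 9: who can enroll? Bit 1 of msPKI-Certificate-Name-Flag means the
# enrollee supplies the subject; combined with Client Authentication, an Enroll
# grant to a broad group lets anyone request a certificate in another name.
$suppliesSubject = ([int]$t.Properties['msPKI-Certificate-Name-Flag'][0]) -band 1
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$broad = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    if (-not ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
    # ObjectType empty = all extended rights (e.g. GenericAll), which includes Enroll.
    if ($r.ObjectType -ne $enrollGuid -and $r.ObjectType -ne [Guid]::Empty) { continue }
    $who = $r.IdentityReference.Value
    Write-Host "Enroll: $who"
    if ($suppliesSubject -and ($broad | Where-Object { $who -eq $_ -or $who -like "*\$_" })) {
        $findings += "$who can enroll on a supply-in-request template with Client Authentication"
    }
}

# Steps 11-12: is the template published on an enrollment service (CA)?
$published = $false
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").Children) {
    if (@($ca.Properties['certificateTemplates']) -contains $TemplateName) {
        $published = $true
        Write-Host "Published on CA $($ca.Properties['cn'][0])"
    }
}
if (-not $published) { $findings += 'template is not published on any CA' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Template looks good' }
```

Reading the template from the Configuration partition rather than from the CA console shows what every CA in the forest actually enforces, and the permission check is the one worth repeating after each change: the template in this post deliberately lets the requester choose the subject, so its Enroll ACL is the only thing standing between a domain user and a certificate in the name of one of your management servers.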
Part 3. – Monitor Untrusted Agents with SCOM 2012: Roll out a certificate to an untrusted server