Thursday, September 1, 2011

Using Internal Certificates with SCOM on Windows Server 2008 Part 4

This is the final post in this 4 part series about 'Using Internal Certificates with SCOM on Windows Server 2008'. I recommend to read through the other 3 parts to this series first to ensure you have met all of the requirements needed to continue with the instructions contained in Part 4.

Here are the links to the other posts in this series:

Using Internal Certificates with SCOM on Windows Server 2008 Part 1

Using Internal Certificates with SCOM on Windows Server 2008 Part 2

Using Internal Certificates with SCOM on Windows Server 2008 Part 3

In this post I will detail how to manually install the SCOM agent, update it to the latest Cumulative Update 5 (CU5), and then how to import the certificate into SCOM for PKI authentication of your untrusted domain / DMZ or SCOM Gateway server.

To manually install the SCOM agent onto an untrusted domain / DMZ server

Firstly, you need to ensure that you can ping by using FQDN, the SCOM Management Server from the untrusted domain /DMZ or SCOM Gateway server and then also you must be able to ping the untrusted domain / DMZ or SCOM Gateway server from the SCOM Management Server too. You may need to use static host entries on the local computers to achieve this but it is imperative that this step is complete before moving onto the next steps.

You will also need to ensure that traffic is allowed over the relevant ports as per Microsoft Documentation (particularly TCP port 5723) - see link:

http://technet.microsoft.com/en-us/library/bb309428.aspx

Once communication between the SCOM Management Servers and the untrusted domain / DMZ or SCOM Gateway server has been established, on the SCOM Management Server, go to the ‘Administration’ tab and then select ‘Settings’ on the left hand side of the screen. From here, double click on the ‘Security’ option in the middle of the screen to open the ‘Global Management Server Settings – Security’ window as below


From the ‘Global Management Server Settings – Security’ window that opens, you need to select ‘Review new manual agent installations in pending management’ and then also decide whether or not you want SCOM to ‘Automatically approve new manually installed agents’

If you leave the ‘Automatically approve new manually installed agents’ tick box unchecked, then you will need to go to the ‘Pending Management’ queue after an agent is manually installed and allow it to be monitored within your SCOM environment

Once you have decided on your manual agent installation policy, log on to the computer in the untrusted domain / DMZ that you want SCOM to monitor with an account that is a member of the ‘Local Administrators’ group.
The SCOM agent needs to be manually installed on the server/computer that you wish to monitor before you can import the certificate into SCOM. To install the SCOM agent, create a folder on the C drive of the server to be monitored called something like ‘SCOM Agent Files’ and ensure you have copied the SCOM Agent installation folder from the original SCOM installation media here.

You will also need to copy the SCOM Agent update folder from the latest Cumulative Update version 5 (CU5) download to the server as the original SCOM agent installation will need to be upgraded to CU5 before you bring it into SCOM. Finally, you will need to copy the ‘Support Files’ folder from the original SCOM media to the ‘SCOM Agent Files’ folder that you created from the previous paragraph as this folder contains the ‘MOMCertImport.exe’ utility that is needed to import the certificate once the agent has been manually installed and updated to CU5.

See the screen below for an example of the folders needed to be copied:


Once the folders above have been copied to the local C:\ drive of the untrusted domain / DMZ server that you want to bring into SCOM, then open up a command prompt with Administrative privileges to continue.

Using the command line, browse to the AMD64 folder within the original SCOM installation ‘Agent’ folder (or the i386 folder if you are installing onto a 32Bit O/S) and run the ‘MOMAgent.msi’ installer to begin the installation.


Click ‘Next’ from the screen below to start the Agent installation wizard

 
Leave the default install location as it is and click ‘Next’

 
Ensure ‘Specify Management Group Information’ is selected, then click ‘Next’


Fill out the fields in the following screen with information relevant to your SCOM installation

 
Leave ‘Local System’ selected and then click ‘Next’

 
Click on the ‘Install’ button from the final screen to install the SCOM agent from the original installation media.

When the agent installation is completed, you should see the screen below

 
Once the original SCOM media agent installation is complete, open up a command prompt again with Administrative privileges and browse to the location that contains the CU5 Agent installation files

 
Run the ‘KB2495674-x64-Agent.msp’ file to begin the upgrade of the agent to CU5

Once complete, you should see the following window again


That completes the installation of the SCOM agent and also the upgrade of the orginal SCOM agent to CU5. All that's left to do now is to import the certificate into SCOM that was issued by the internal Certificate Authority to the untrusted domain / DMZ or SCOM Gateway server using the 'MOMCertImport.exe' utility.

Importing certificates using the 'MOMCertImport.exe' utility


If you have been following this blog series through to this point, you should now have the following implemented on your untrusted domain, DMZ or SCOM Gateway server:
  • CA Root certificate imported into ‘Trusted Root Certification Authorities’
  • Certificate requested from CA using SCOM Certificate Template
  • Requested certificate imported into the ‘Certificates – Local Computer’ store
  • SCOM agent manually installed and updated to CU5
If all of the above are true, then you can now open up the ‘Certificates – Local Computer’ store by following the instructions below:

On the Windows desktop, click Start, and then click Run.

In the Run dialog box, type mmc, and then click OK.

In the Console1 window, click File, and then click Add/Remove Snap-in.

In the Add/Remove Snap-in dialog box, click Add.

In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

In the Certificates snap-in dialog box, select Computer account, and then click Next.

In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

In the Add Standalone Snap-in dialog box, click Close.

In the Add/Remove Snap-in dialog box, click OK.

Expand the ‘Personal’ folder and then expand the ‘Certificates’ sub-folder under here to see the certificate that we requested and imported previously as below


 
Now open up a command prompt with Administrative privileges and browse to the location that you have copied the ‘Support Tools’ folder from the original SCOM media.

Browse to the ‘MomCertImport.exe’ utility in either the AMD64 or i386 subfolders  (depending on whether or not you are installing to an x64 or x32 bit machine) of the ‘Support Tools’ folder as below



Now add the /subjectname switch to the end of the ‘MOMCertImport.exe’ utility and specify the full subjectname of your imported certificate exactly as it displayed back in the ‘Certificates – Local Computer\Personal\Certificates’ store


If all is successful, then you should get the following message back


This should be all you need to do to get the untrusted / DMZ or SCOM Gateway server communicating with your SCOM Management Server using internal certificates. If there is any issues with the agent not becoming active within the ‘SCOM Agents’ window, make sure you don’t have the ‘Reject New Manual Agent Installations’ option selected from within the SCOM ‘Administration tab (this has been described further back in this blog series).

If you have allowed manual installation of the SCOM agents through the security settings and have followed everything in these posts correctly but the agent still doesn’t become active in SCOM, then it would be worth restarting the Health Service on firstly the untrusted domain /DMZ server and then secondly on the SCOM Management Server. This can sometimes be a final step needed to start the monitoring of your untrusted servers.

7 comments:

  1. Thanks Kevin, this helped me alot.
    First time I had to do a manual install and issue cert's.

    ReplyDelete
  2. No problem Barabbas - thanks for the great comments!

    Kevin.

    ReplyDelete
  3. Great summary...been doing this for awhile. Might you know of any tool or method to slightly (or fully!) automate this if you have a bunch to do? I've gotten this down to about 15 min per system but it's still really manual.

    trevor.miller at m-atp.com

    ReplyDelete
    Replies
    1. Hi Trevor,

      I firmly believe that if you can think of a manual task that needs to be automated, then System Center Orchestrator is the only product for the job!
      Anders Bengtsson wrote an excellent post on automating this very task using Opalis and you check it out here:
      http://contoso.se/blog/?p=2054
      Hope this helps!
      Kevin.

      Delete
  4. Hi Kevin,
    We've try all your documentation and all step are ok.
    When we lunch the Health service we receiving som errore. The first erro is:
    Failed to initialize security context for target MSOMHSvc/srv-scom01.dominio.local The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
    Ha'veyou any idea why we receiving this error?

    ReplyDelete
  5. Hi Antonio,

    Try restarting the health service on the new agent first and then if that doesn't work, restart the health service on the management server that the agent is configured to report to.

    Also, check the Pending Management queue and the Application, Security and Operations Manager Event logs on both the management server and the agent computer for additional information.

    Kevin.

    ReplyDelete
  6. Hi, Kevin
    Congratulations for your post.
    I'm from Brazil and I'm following your blog daily.
    For SCOM 2012, the procedure is the same, right.
    My question is:
    Among the Gateway / Agent that is in another field and passes through a connection through the internet, do not have to create any VPN Gateway and Management Server?
    When installing the Gateway Server data management I put the FQDN'll be where my server?
    Of course, the firewall ports tera receive TCP packets 5723.
    Thanks for your attention.
    Rodrigo

    ReplyDelete