~ Brian McDermott | Escalation Engineer

ToolsHi everyone, Brian McDermott here with some info on how to remove a System Center 2012 Operations Manager (OpsMgr 2012) Gateway server that is associated with a site.

When you install a Gateway server into OpsMgr, it is possible to associate it with a site so that any alerts coming via that gateway server will have their site property tagged. This is really useful for building site-specific alert views and controlling site-specific notifications. The association of the Gateway server with a site is done at install time when you run Microsoft.EnterpriseManagement.GatewayApprovalTool.exe which Rob Kuehfus blogged about this here:

http://blogs.technet.com/b/momteam/archive/2009/03/05/using-sitename-when-deploying-gateways-to-help-manage-alerts.aspx

So all is well and good until it comes to the time when you need to decommission the Gateway and/or the site. While we have documented how to remove a Gateway server (see http://technet.microsoft.com/en-us/library/hh456430.aspx) we have not covered the scenario whereby you need to remove a Gateway server associated to a site. This requires an additional step and an updated version of Microsoft.EnterpriseManagement.GatewayApprovalTool.exe which was released with Operations Manager 2012 R2. Do not use any prior version of this tool as it will not be able to remove the Gateway object correctly. I will list all the steps below in one place to complete the picture for you on how you remove a site-associated Gateway server from an OpsMgr 2012 management group.

Overview of Decommissioning a Gateway Server

1. Configure all objects that are being managed by the gateway server to use a different primary management server. For an agent-managed computer, this means using either another Gateway server or a management server.

2. Uninstall the Gateway server software from the server.

3. Delete the Gateway server from the management group.

Configure Managed Objects to Use an Alternate Primary Management Server

Gateway servers can manage three different types of objects: Agent-managed computers, agentless-managed computers and network devices acting as a proxy agent.

To configure agent-managed computers to use a different primary management server using the Operations console

1. Log on to a management server with an account that is a member of the Administrators role for the Operations Manager management group.

2. In the Operations console, click the Administration button.

3. In the Administration pane, expand Administration, expand Device Management, and then click Agent Managed.

4. In the Agent Managed pane, select the computers for which you want to change the primary management server, right-click them, and then select Change Primary Management Server.

NOTE The Change Primary Management Server option will be unavailable if Active Directory Domain Services was used to assign any of the selected computers to the management group.

5. In the Change Management Server dialog box, select the new management server from the list and then click OK. The change takes effect on the agent after its next update interval.

Alternatively, this configuration can be changed on the agent-managed computer itself using either of the following two procedures.

To change the primary management server for agent-managed computers by using the MOMAgent.msi setup wizard

1. Log on to the agent-managed computer with an account that is a member of the Administrators security group for the computer.

2. In Add or Remove Programs, click Change for System Center Operations Manager 2012 Agent.

NOTE The Agent Setup Wizard can also be run by double-clicking MOMAgent.msi, which is located on the Operations Manager installation media.

3. In the System Center 2012 Operations Manager Agent Setup Wizard, click Next.

4. On the Program Maintenance page, select Modify, and then click Next.

5. On the Management Group Configuration page, leave Specify Management Group information selected, and then click Next.

6. In the next Management Group Configuration page, do the following:

a. Type the name of the Management Server.
b. Type in a value for Management Server Port, or leave the default 5723.
c. Click Next.

7. On the Ready to Install page, review the settings, and then click Install to display the Installing the System Center 2012 - Operations Manager Agent page.

8. When the Completing the System Center 2012 - Operations Manager Agent Setup wizard page displays, click Finish.

To change the primary management server for agent-managed computers using MOMAgent.msi from the command line

1. Log on to the agent-managed computer with an account that is a member of the Administrators security group for the computer.

2. Open the command window.

3. At the prompt, run the following command: 

%WinDir%\System32\msiexec.exe /i \\path\Directory\MOMAgent.msi
/qn USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=MG1
MANAGEMENT_SERVER_DNS=MS2.Domain1.net

NOTE The command above is a single line. It was been wrapped here for readability reasons.

This command reconfigures the agent to use MS2.Domain1.net as its primary management server for management group MG1.

NOTE Microsoft Windows Installer public properties must be uppercase, such as PROPERTY=value. For more information about Windows Installer, see Windows Installer in the Microsoft Developer Network library.

If the Domain Name System (DNS) and Active Directory names for the management server differ, the MANAGEMENT_SERVER_AD_NAME property also needs to be set to the fully qualified Active Directory Domain Services name.

Redirecting Agentless-Managed Computers and Network Devices

To change the proxy agent for agentless-managed computers and network devices

1. Log on to a management server computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager management group.

2. In the Operations console, click the Administration button.

3. In the Administration pane, expand Administration, expand Device Management, and then click Agentless Managed. If you are working with a network device, select Device Management and then Network Devices.

4. In the Agentless Managed pane, select the agentless-managed computers for which you want to change the proxy agent, right-click them, and then select Change Proxy Agent. Or if you are working with a network device, in the Network Devices pane, select the network devices for which you want to change the proxy agent, right-click them, and then select Change Proxy Agent.

5. In the Change Proxy Agent dialog box, select the computer you want to be the new proxy agent, and then click OK.  

The final steps in removing a gateway server from a management group are straightforward:

  • Log on to the gateway server with an account that has administrative rights.
  • In Add or Remove Programs, select System Center Operations Manager 2012 Gateway, and then click Remove.

Deleting the Gateway Server (Do this with the OpsMgr 2012 R2 tool!!!)

First locate the OpsMgr 2012 R2 version of Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.

Do not use any prior version of this tool as it will not be able to remove the Gateway object correctly!

Then in order to delete the Gateway server that has a Site association from Operations Manager you need to run Microsoft.EnterpriseManagement.GatewayApprovalTool.exe with the /Action=delete switch. That will remove the Gateway correctly, and if you are decommissioning the site by removing the last Gateway server in the site then it will remove the site object too.

Too late – I’ve already deleted the Gateway using the OpsMgr console

That means your groups are all messed up like Daniele Grandini so expertly explains here:

http://nocentdocent.wordpress.com/2012/05/25/the-road-to-operations-manager-2012-sites-and-gateways/

So how do we recover this in a supported way? First, you need to add a dummy Gateway back to the “orphaned” site before removing it as above.

1. Identify the Orphaned Sites

You can identify the “orphaned” site(s) with the following SQL query against the OperationsManager 2012 DB.

--List Orphaned Sites

select SiteName_A2408544_CF45_824D_B319_285FA91A34DC As [Orphaned Site]

from MT_Microsoft$SystemCenter$Site MSCS

LEFT join MT_Microsoft$SystemCenter$SiteManagementServer MSCSMS

on MSCS.BaseManagedEntityId = MSCSMS.SiteId_04AA9779_125D_CDD9_18C6_FB1CA1E7F1C7

WHERE MSCSMS.BaseManagedEntityId IS NULL

2. Add in a dummy gateway server

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
/ManagementServerName=<RealmanagementserverFQDN>
/GatewayName=<DummyGatewayFQDN> /SiteName=<SiteName>
/Action=CreateyFQDN> /SiteName=<SiteName> /Action=Create

NOTE The command above is a single line. It was been wrapped here for readability reasons.

3. Delete the Gateway server using the new OpsMgr 2012 R2 GatewayApprovalTool using the steps above.

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe
/ManagementServerName=<RealmanagementserverFQDN>
/GatewayName=<DummyGatewayFQDN> /Action=Delete

NOTE The command above is a single line. It was been wrapped here for readability reasons.

Hope this helps!

Brian McDermott | Escalation Engineer | Microsoft CTS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/