While the rest of the System Center community is in Vegas for MMS2012 I’m helping customers with their questions about System Center Operations Manager 2012. To be honest I’m a little jealous of all the people who are in Vegas right now.
So I created some more detailed documentation on how to start monitoring your non-domain members (workgroup servers in your DMZ) in OM2012.
They are still the same steps as in OM 2007, so if you are already familiar with those steps this will be easy for you.
I created a simple Diagram to have a high-level overview on which steps are being executed on which machines.
Some important notes:
Guide info: http://technet.microsoft.com/en-us/library/dd362655.aspx
It is assumed that you have AD CS installed, an HTTPS binding is being used, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.
Step 1. Download the Trusted Root (CA) certificate
Download a CA Certificate, certificate chain, or CRL
Step 2. Import the Trusted Root (CA) Certificate
Open the Certificates MMC snap-in for the Local Computer account:
Import Certificate TrustedCA.p7b
Step 3. Create a setup information file to use with the CertReq command-line utility.
Step 4. Create a request file to use with a stand-alone CA
Step 5. Submit a request to a stand-alone CA
Request a certificate
Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Step 6. Approve the pending certificate request
Click Pending Request in Certificate Authority
Click on Issue
Step 7. Retrieve the certificate
View status of pending certificate request
Step 8. Import the certificate into the certificate store
Step 9. Import the certificate into Operations Manager using MOMCertImport
On 64-bit computers, type cd\SupportTools\amd64
MOMCertImport /SubjectName OM12MS02.demo.stranger
Check if everything is ok
Open the certificate that you installed on management/gateway server. Click on Details Tab and check the Serial Number.
Now navigate to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and check the value of ChannelCertificateSerialNumber. The serial number is stored there as a REG_BINARY value in reversed byte order, so it reads backwards compared to the Details tab of the certificate.
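As an added example (not part of the original post), this PowerShell script automates the "Check if everything is ok" step on the management/gateway server or DMZ agent: it looks up the certificate by subject in the local computer's Personal store, reverses the REG_BINARY serial number from the registry and compares it, and confirms the private key, EKUs, validity and chain to the trusted root imported in Step 2. The subject name defaults to the post's OM12MS02.demo.stranger; pass the DMZ server's name when running it there.

```powershell
# Added check, not part of the original post: confirm that the certificate in the
# local computer's Personal store is the one MOMCertImport registered for the OpsMgr
# channel. Assumption: the subject CN is the name given to MOMCertImport /SubjectName.
param([string]$SubjectName = 'OM12MS02.demo.stranger')

$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

# 1. Newest certificate for this subject in LocalMachine\My.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectName in LocalMachine\My" }

# 2. ChannelCertificateSerialNumber is REG_BINARY holding the serial in reversed
#    byte order, which is why it reads 'backwards' next to the Details tab.
$regBytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber `
    -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if (-not $regBytes) { throw 'ChannelCertificateSerialNumber is missing; run MOMCertImport first' }
[byte[]]$reversed = $regBytes.Clone()
[array]::Reverse($reversed)
$regSerial = -join ($reversed | ForEach-Object { $_.ToString('X2') })

# 3. Properties the agent/management server channel depends on.
$ekuExt  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; CRL reachability is a separate check
$chainOk = $chain.Build($cert)

$checks = [ordered]@{
    'Serial matches registry (after byte reversal)' = ($cert.SerialNumber -eq $regSerial)
    'Private key present in the machine store'      = $cert.HasPrivateKey
    'EKU Server Authentication (1.3.6.1.5.5.7.3.1)' = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
    'EKU Client Authentication (1.3.6.1.5.5.7.3.2)' = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
    'Inside validity period'                        = ((Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter)
    'Chains to a trusted root (Step 2)'             = $chainOk
}

'Certificate : {0}' -f $cert.Subject
'Serial      : {0}' -f $cert.SerialNumber
'Registry    : {0}' -f $regSerial
foreach ($name in $checks.Keys) {
    '{0,-4} {1}' -f $(if ($checks[$name]) { 'OK' } else { 'FAIL' }), $name
}
if ($checks.Values -contains $false) { exit 1 }
```

A FAIL on the subject lookup or private key is the symptom when web enrollment issued the certificate from a user template instead of a computer certificate; a FAIL on the serial comparison means MOMCertImport was run against a different certificate than the one in the store.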
Pre-reqs on DMZ server:
Make sure you have installed the OM12 Agent first before starting.
Let's check the event log
Repeat steps for OM12DWZ01 server in workgroup
Step 1. Download the Trusted Root (CA) certificate.
Step 2. Import the Trusted Root (CA) certificate
CertReq -New -f RequestConfig.inf CertRequest.req
MOMCertImport /SubjectName OM12DMZ01.demo.dmz
Final step is approving agent
Check Security Settings in Operations Console.
Wait for Agent to turn up in Pending Approval folder
Have fun at MMS for those who are in Vegas, and for those who are not, well…
Nice to see the steps so fully itemised.
And don't worry about Vegas....Think of all the money u saved :)
Thanks for the excellent guide Stefan :)
Thanks for the post. I get that security is important hence the use of certs but is it only me that thinks that this approach by MS is utterly ridiculous, over complicated and onerous, especially if you have many distinct DMZs or client sites to monitor. Maybe in this case its the wrong tool to use. Surely they can come up with a better option.
Excellent guide, thank you.
In step 7, you download a certificate with cer extension and then import it on step 8. In step 9, you use the MomCertImport tool to import the certificate, but as you know you cannot import cer file with the tool; the certificate must be in pfx format [the error you will get is "Certificate file name should have pfx extension."]
Am I missing something?
Excellent guide! This works like charm...Great work!!!
Glad you like it. Thanks for the feedback.
Thanks so much for this. It worked
This is the best guide I have come across to explain this and boost confidence. Also helps with a little troubleshooting of the certificates.
Thanks for the feedback. Appreciate it!
I understand the part about creating the certificate for the MS and the DMZ server and importing them. But, do you import the MS cert to the DMZ server and the DMZ cert to the MS server?
Excellent article. Thanks for it. I wanted to ask a quick question, can I use this procedure to monitor domain joined machines? The domain I want to monitor has only got a one way trust with the domain that has the SCOM management server. The SCOM management server domain's credentials work in the other domain but not vice versa. I am a relative newbie to SCOM and will appreciate any help.
Please check this discussion on TechNet. social.technet.microsoft.com/.../crossdomain-agent-monitoring-with-scom-2007-r2-oneway-forest-trusts
"The OpsMgr Connector could not connect to MSOMHSvc/scommgmt.DomainA.local because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains."
Don't forget that after the (push) install of the agent, the agent initiates the communication. So the agent is connecting to the MS (in domain A), and there is no trust (A doesn't trust B), so how can the MS verify with Kerberos that the agent is really who it says it is? It can't.
If you don't want to use certificates, then you need a full trust model (this can be done through setting up two one-way trusts).
So yes you need to use the procedure I described here.
Hey Stefan... the steps need to be performed on both the Management server and the Server you want to monitor in DMZ?
Hi Stefan, thanks once again for your blog and response. I have one quick question. I want to manage one workgroup machine using SCOM 2012, and used this procedure. However I still get the error that the client is untrusted. I noticed one thing though that as per the procedure, Step 5. Submit a request to a stand-alone CA, in my environment, on the page to paste the copied key, I get an additional option to choose a certificate template. I have left it as the default, which is "User". This is the same for both my management server and my workgroup server. However on my management server I can see under my personal store the certificate has been issued to my userid whereas on the workgroup server I get issued with a personal certificate which is issued to my management server. I think this is the discrepancy that is causing the error. I tried manually copying the certificate from my management server to the workgroup server and then run "Momcertimport.exe /SubjectName " from the workgroup server. But this didn't help. I am using Windows 2012 server OS on both the management server and the workgroup machine. Any help will be greatly appreciated!!! Thanks