Step-by-step walkthrough: Installing an Operations Manager 2012 Gateway

To make this document, I installed 3 test servers; the evaluation image of Windows Server 2008 R2 can be downloaded from the Microsoft site here: http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx

This installation was done on a generation 1 Core i7 laptop with 1 SSD drive and 8GB of memory. The ISO image and the 3 Hyper-V VMs are all on that 1 SSD drive, all installing at the same time while Microsoft OneNote and Microsoft Word were open to write this document; it's not slow at all!

Windows 8 is great!!!

And so is OneNote – Windows+S gives you a really nice integrated screenshotting tool!

The setup will be as follows:

- OM12DC: Active Directory, including AD CS (Certificate Services) to generate the certificates for the gateway server. AD CS will be installed as an online enterprise root CA.

- OM12MS: management server, including Operations Manager Reporting, the Operational database and the Data Warehouse database

- OM12GW: a separate server in a workgroup. This one is the reason we need to have AD CS.

This document is meant to further clarify the TechNet article Deploying a gateway server (http://technet.microsoft.com/en-us/library/hh456447.aspx), which links to a further explanation, Authentication and Data Encryption for Windows Computers (http://technet.microsoft.com/en-us/library/hh212810.aspx).

More about certificates can also be found here:

Win2008 Enterprise CA: http://technet.microsoft.com/en-us/library/dd362553.aspx

Win2008 Standalone CA: http://technet.microsoft.com/en-us/library/dd362655.aspx

After the Windows Update process is finished, you can start installing Active Directory on the DC.

When you have installed and configured AD DS, add the AD CS role together with the certificate request web site (certsrv).


And the rest is NNF (Next-Next-Finish).


In the certificate template's Application Policies, remove the PKI policy and add Client Authentication and Server Authentication.


The gateway server, which is not a domain member, does not trust the Enterprise CA by default.

That's why you first have to get the Root CA certificate from AD CS and install it.


In the Certificates MMC snap-in, add both My user account and Computer account; you'll need both anyway.


The certificate from the Root CA needs to be added in this list.

Open a web browser on the gateway server, and go to the CA Web service: http://OM12DC1/certsrv

Add the certsrv website to the Trusted Sites: open Internet Options, choose Trusted Sites under Security, and click Sites to add it.


Since the certsrv website uses ActiveX, change the security settings of Trusted Sites so that ActiveX is allowed.


Here we need to download the CA certificate chain.

If you don’t see these 2 popups, you need to enable ActiveX first.


The certificate is in the list now, meaning our workgroup gateway server will trust certificates issued by the Enterprise Root CA.

Now we need to request a certificate for our gateway server.

Choose Advanced certificate request, then Create and submit a request to this CA.

Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of your gateway server.

Since mine is in a workgroup, the NetBIOS name is sufficient.


And now the certificate is generated and we can install it

Done.

But wait a minute… Installed, where???

We need to authenticate the computer, but the certificate was imported into the user's personal certificate store.

So we need to open the Certificates MMC and copy the certificate from the user's personal store to the local computer store.


The certificate is now installed, and you can verify everything is installed correctly by opening the certificate and checking that the certification path is OK.
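The same check can be scripted. This is an added example, not code from the original post: it lists the certificates in the Local Computer personal store that carry both the Client Authentication and Server Authentication policies, checks that the subject name matches the host name (NetBIOS for the workgroup gateway, FQDN for the management server), that the private key is present, and that the certification path builds to a trusted root. The function name is assumed.

```powershell
# Added example, not part of the original post: verify the OpsMgr certificate in the
# Local Computer personal store (EKUs, subject name, private key, certification path).
function Test-OpsMgrCertificate {
    param([string]$ExpectedName = $env:COMPUTERNAME)   # pass the FQDN on the management server
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
            }
            # Only certificates carrying both policies are candidates for the OpsMgr channel
            if (-not (($ekus -contains $clientAuthOid) -and ($ekus -contains $serverAuthOid))) { continue }

            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab: check the path only, as the post does
            $chainOk = $chain.Build($cert)
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

            New-Object PSObject -Property @{
                Subject       = $cert.Subject
                NameMatches   = ($cert.GetNameInfo('SimpleName', $false) -eq $ExpectedName)
                HasPrivateKey = $cert.HasPrivateKey   # False means the key did not make it into the computer store
                ChainBuilds   = $chainOk              # False means the Root CA certificate is not trusted here
                ChainStatus   = $status
                NotAfter      = $cert.NotAfter
                Thumbprint    = $cert.Thumbprint
            }
        }
    } finally { $store.Close() }
}

Test-OpsMgrCertificate | Format-List
```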


On the Management Server, we also need to install a certificate. Since we have an Enterprise Root CA integrated with AD, the root CA certificate is already trusted by our MS, which is a domain member.


We can also request certificates in another way: we can request a new certificate from our CA directly from the MMC.

Click Next and select the certificate template that we created earlier.


The extra information needed is the Common Name (OM12MS) in the top box and the FQDN, with type DNS, in the bottom box.


And click Enroll to finish this.

NOW we're done.


Now we have to approve the gateway to be able to communicate with the management server.

Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and the corresponding Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.CONFIG file from the support tools directory on your installation media to the installation path of your OpsMgr installation; in my case that's C:\Program Files\System Center 2012\Operations Manager\Setup.


1. Approve the gateway server: at the command prompt, run Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create


If the approval is successful, you will see "The approval of server <GatewayFQDN> completed successfully."

Now you can install the gateway software by clicking the Gateway Management Server link in the setup splash screen


We already did this, so we can continue with the setup.

Enter the management group name (this can be found in the title bar of the console on the management server) and the management server name.


The port number can be changed if desired. Only this one port needs to be open on the firewall; that's the big advantage of using a gateway server!

Copy the MOMCertImport.exe tool to the gateway server, into the gateway installation path.

In my case, this is C:\Program Files\System Center Operations Manager\Gateway

Export the certificate, then import it with MOMCertImport.exe.

You’ll get a message that the action succeeded, and you can check progress in the Operations Manager event log.

Do the same for the gateway server:


Troubleshooting:

If you get event 21006, make sure the firewalls on the gateway and/or on the management server are not blocking communication.
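To narrow this down from the gateway itself, here is an added example (not code from the original post) with three checks: whether the management server port is reachable at all, which channel errors the Operations Manager event log has recorded recently (21006 from this post, 20070/20071/21016 from comment 11 below), and which certificate serial number MOMCertImport.exe actually registered. The function names, the default port 5723 and the management server name are assumptions; replace the placeholder FQDN with your own.

```powershell
# Added example, not part of the original post: gateway-side troubleshooting checks.
function Test-OpsMgrPort {
    param([string]$ManagementServer, [int]$Port = 5723, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ManagementServer, $Port, $null, $null)
        # No answer within the timeout usually means a firewall is dropping the traffic
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-OpsMgrChannelEvents {
    param([int]$Hours = 24)
    # 21006 = firewall symptom from the post; 20070/20071/21016 = certificate errors named in comment 11
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Operations Manager'
        Id        = 21006, 20070, 20071, 21016
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, Message
}

function Get-OpsMgrImportedCertSerial {
    # MOMCertImport records the selected certificate's serial number in this REG_BINARY value,
    # stored in reverse byte order; we flip it so it can be compared with the MMC's serial number.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $raw) { return $null }   # MOMCertImport has not been run (see comment 10)
    [byte[]]$bytes = $raw
    [array]::Reverse($bytes)
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

$ms = 'OM12MS.contoso.local'   # placeholder: your management server FQDN
"Port 5723 reachable on ${ms}: $(Test-OpsMgrPort -ManagementServer $ms)"
"Certificate serial registered by MOMCertImport: $(Get-OpsMgrImportedCertSerial)"
Get-OpsMgrChannelEvents | Format-Table -AutoSize
```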


Don't forget to enable Agent Proxy for the gateway, as it will act as a proxy for the other systems connecting through the gateway server!


To check if it's working, go to the Operations Manager Console; you should see something similar to this!


HTH and a big thank you to my colleague Ingo for double-checking the certificate part!

/Danny

Comments (22)

  1. Hi Pete,

    Thanks for using my article 🙂 I asked for help from my colleagues, and I will get back to you as soon as I have an answer.

    /Danny

  2. Some information I got:

    Generally speaking, be aware that you need to have EndPoints opened to let the VM speak outside Azure with non “well-known” protocols.

    In addition, take into account that DNS name resolution is a little bit tricky between what is inside Azure and what's outside. This can lead to certificate problems because the CN must be the same.

  3. @Filip: In OM12 there is no RMS anymore 🙂

    All OM12 Management Servers are equal now; they are all running the SDK + config service. The only difference is that one of the servers has an RMS emulator role, for backwards compatibility.

  4. Anonymous says:

    Hi Danny,

    I resolved my issue – it was pretty simple, but odd.  I went into Control Panel -> System on the server and saw the CPU type was Intel so I grabbed the i386 version of the ApprovalTool and that worked.  So based on that I grabbed the i386 version of the MOMCertImport tool but that didn't work.  So just for grins and giggles I tried the AMD version of the MOMCertImport tool and that worked.

    Like I said – odd, but it is now working.  Great blog!

  5. @Pete: That configuration is not supported.

    We support installing OM in Azure to monitor VMs in Azure or OM on premise monitoring VMs in Azure but not OM in Azure monitoring resources outside of Azure.

  6. Thanks Geert – or should I say bedankt 😉

  7. Pete Barbuto says:

    I used your walkthrough to deploy my Gateway, but I am having some issues.  Here is a link to my thread in the Technet forums: social.technet.microsoft.com/…/f6d5ab3f-558a-451c-81db-c2f789129cee

    If you have a moment, would you mind taking a look and offering some advice? Thanks.

  8. filip says:

    Hi Danny,

    Thank you for this article.

    Shouldn't I however also import a certificate on my RMS as well to allow the GW to communicate with my RMS?

    In 2007 this was the case if I'm not mistaken..

    Many thanks

    Filip

  9. Clark K says:

    Can you clarify the following:

    After the "In my case, this is C:\Program Files\System Center Operations Manager\Gateway"

    You document the Certificate Export Wizard:  What servers are you exporting the certificate from? You do this twice it seems.

    Thanks,

    Clark

  10. MRMO says:

    Hi Danny,

    I followed your guide and all went well until I got to the MOMCertImport.  No matter what I try I just cannot get the command to work.  I just keep getting the Help output.

  11. Geert says:

    Thanks for this tutorial. When trying to add some new Windows 2012 machines to SCOM 2012 SP1, however, I came across a particularly strange error with event IDs 20070, 20071, 21016 and 36888.

    Got it sorted out though and I made the following article about it:

    geertbaeten.wordpress.com/…/scom-agent-or-gateway-certificate-issue

  12. sonia says:

    Hi all

    I am running into a "Management server does not exist" error while running the gateway approval tool. Any comment or suggestion?

    Environment: 1 DC, 1 MS, 1 GW (Workgroup)

    Running the approval tool on the MS server.

  13. mnatives says:

    It is a really great post. We are just looking for the RSS feed.

  14. Omari says:

    Thank you for this article.

    One additional step was needed for me for the gateway to run properly: importing the certificate into the Management Server too, using the MOMCertImport.exe tool.

  15. faizan says:

    Awesome post Danny….

  16. Brian says:

    Perfect thanks

  17. Anonymous says:

    This is a post I wrote in 2012, and since it has been helpful for a lot of people this is the link:

  18. Simon Craner says:

    Hi All,
    I am having this issue after the recent October release of MS patches; I have rolled back all updates and still get the same issue.
    I have a main mgmt server that talks to production gateway servers; the gateways are refusing to communicate back in now.
    I have a secondary mgmt server that talks in a lab via another gateway and it's fine with the same set of updates, so I am very confused.
    All prod gateways report grey in the console, but Event Viewer on a prod gateway says it validates Run As accounts, so it's even more baffling. No idea how to log this to MS Prem support, any ideas?
    Regards
