OpsMgr 2007: Monitoring an Agent in a non-trusted domain

There may be times when you want to monitor an agent computer that resides in a domain which is not trusted by the domain where the RMS or MS server resides.  You may also not want to use the Gateway Server option because you only have one or two agents in the remote domain.  So what do you do?  You can use certificate-based authentication between that remote agent and the Management Server, and here's how it's done:

Step 1: Requesting Certificate for Operations Manager Management Server

Scenario: Create the Certificate used by the Management Server.

Tasks

1. On the Management server, open your web browser and go to the Web enrollment tool at https://CertificateServer/certsrv

a. Click the Request a Certificate link

b. Click the Advanced Certificate Request link.

c. Click the Create and submit a request to this CA link.

d. In the Name field, enter the FQDN of the Operations Manager server.

e. In the Type of Certificate needed drop down, select Other, and in the OID field enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

f. Click the Mark keys as exportable check box.

g. Click the Store certificate in the local computer certificate store check box.

h. In the Friendly Name field enter the FQDN of the Operations Manager server (the same as you entered in the Name field).

i. Click Submit.

j. Click the Yes button in the security pop-up.

2. Open the Certification Authority MMC from the Administrative Tools program group on the certificate server.

a. Navigate to Start>Administrative Tools>Certification Authority

b. Expand the Certificate Authority name in the navigation tree and click on the Pending Request node.

c. Right click the Pending Request, select All Tasks then click Issue.

d. Verify the certificate now shows up in Issued Certificates.

e. On the Management Server, open your web browser and go to the Web enrollment tool at https://CertificateServer/certsrv

f. Click the View the status of a pending certificate request link.  Click the link for the newly issued certificate.

g. Click the Install this certificate link and select Yes to the Security Warning dialog. You should now see Your new certificate has been successfully installed in the web page.

Step 2: Exporting Certificates on the Management Server

Scenario: Export the Certificate used by the Management Server.

Tasks

1. On the Management server open the Microsoft Management Console by navigating to Start -> Run and typing MMC.exe

a. Select File on the Menu bar and select Add/Remove Snap-in

b. In the Add/Remove Snap-in dialogue click the Add button

c. Select the Certificates Snap-in and click Add.

d. Select the Computer Account radio button and click Next.

e. Verify that the Local Computer radio button is selected and click Finish.

f. Select Close.

g. Click OK.

2. In the MMC, expand the Certificates (Local computer) node in the navigation tree.

a. Expand the Personal node.

b. Click on Certificates.

c. Verify that there is a certificate issued to the FQDN of the Operations Manager server, issued by the stand-alone root CA.

d. Right click this certificate, select All Tasks, and click Export.

e. Click Next.

f. Select the option of Yes, export the private key and click Next

g. Select default options on Export File Format page, click Next

h. Type a Password of your choice and click Next

i. On the File to export dialog box, enter a filename for the certificate (e.g. c:\momcert.pfx) and click Next.

j. Click Finish.

k. Click OK.

Step 3: Deploy the MOMCertImport.exe Tool

Scenario: Copy the MOMCertImport tool to the Management Server.

Tasks

1. The MOMCertImport tool, MOMCertImport.exe, is available in the OpsMgrCDImage\SupportTools\i386 folder.

2. Copy this file to the same location that the certificate was exported to (by default C:\Documents and Settings\Username, or the root of C:\ if you followed the steps above).

Step 4: Using the MOMCertImport Tool on the Management Server

Scenario: Use the MOMCertImport tool on the Management Server.

Tasks

1. To use the MOMCertImport tool on the Management Server

a. On the Management Server

b. Open a command prompt by going to Start -> Run and typing CMD.

c. Navigate to the location where the MOMCertImport.exe tool was copied.

d. Type in MomCertImport <nameofcertexport>.pfx /password <password> (use the password you entered when exporting the certificate).

e. Hit Enter.

f. Once the tool has finished running, you will need to restart the Health Service on the Management Server; this can be done from the Services snap-in.

Step 5: Requesting certificates for the Non-Trusted domain computer

Scenario: Import the Certificate Chain and then create the Certificate used by the Non-trusted domain computer.

Tasks

1. On the non-trusted domain computer, open your web browser and go to the Web enrollment tool at https://CertificateServer/certsrv

a. Click the Download a CA certificate, certificate chain, or CRL link

b. Click the Install this CA certificate chain link.

c. Select Yes to the security dialog popup.

d. Select Yes to the second security dialog popup (if this occurs)

e. You should get a web page that states The CA certificate chain has been successfully installed

2. Open a Microsoft Management Console by navigating to Start -> Run and typing MMC.exe and clicking OK.

a. Select File on the Menu bar and select Add/Remove Snap-in

b. In the Add/Remove Snap-in dialogue click the Add button

c. Select the Certificates Snap-in and click Add

d. Select the Computer Account radio button and click Next.

e. Select the Local Computer radio button

f. Click Finish.

g. In the Add/Remove Snap-in dialogue click the Add button

h. Select the Certificates Snap-in and click Add

i. Select the My User Account radio button

j. Click Finish

k. Click Close

l. Click OK.

3. Expand the Certificates (Current User) node in the navigation tree.

a. Expand the Trusted Root Certification Authorities node.

b. Click on Certificates.

c. Find the certificate for the stand-alone root CA you installed on the Operations Manager server.

Tip: The certificate should have the same name you gave the certificate in the previous exercises.

d. Right click this certificate and select Copy.

e. Expand the Certificates (Local Computer) node in the navigation tree.

f. Expand the Trusted Root Certification Authorities node.

g. Right click on Certificates

h. Select Paste.

4. On the non-trusted domain computer, open your web browser and go to the Web enrollment tool at https://CertificateServer/certsrv

a. Click the Request a certificate link.

b. Click the Advanced Certificate Request link.

c. Click the Create and submit a request to this CA link.

d. In the Name field, enter the FQDN of the non-trusted domain computer.

e. In the Type of Certificate Needed drop down, select Other

f. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

g. Click the Mark keys as exportable check box.

h. Click the Store certificate in the local computer certificate store check box.

i. In the Friendly Name field enter the FQDN of the Non-trusted domain computer (the same as you entered in the Name field).

j. Click Submit.

k. Click the Yes button in the security pop-up.

5. Sign onto the certificate server, open the Certification Authority MMC from the Administrative Tools program group. You can do this by going to Start -> Administrative Tools -> Certification Authority.

a. Expand the Certificate Authority name in the navigation tree.

b. Click on the Pending Request node.

c. Right click the Pending Request.

d. Select All Tasks and click Issue.

e. Verify the certificate now shows up in Issued Certificates (there should be two certificates now).

6. On the non-trusted domain computer, open your web browser and go to the Web enrollment tool at https://CertificateServer/certsrv

a. Click the View the status of a pending certificate request link.

b. Click the link for the newly issued certificate.

c. Click the Install this certificate link.

d. Click Yes to the security warning dialog.

e. You should now see Your new certificate has been successfully installed in the web page.

Step 6: Exporting Certificates on the non-trusted domain computer

Scenario: Export the Certificate used by the non-trusted domain computer.

Tasks

1. On the non-trusted domain computer navigate to Start -> Run and type MMC.exe and click OK.

a. Select File on the Menu bar and select Add/Remove Snap-in

b. In the Add/Remove Snap-in dialogue click the Add button

c. Select the Certificates Snap-in and click Add

d. Select the Computer Account radio button and click Next

e. Verify that the Local Computer radio button is selected and click Finish

f. Click Close

g. Click OK.

2. Expand the Certificates (Local computer) node in the navigation tree.

a. Expand the Personal node.

b. Click on Certificates.

c. Verify that there is a certificate issued to the FQDN of the non-trusted domain computer, issued by the stand-alone root CA.

d. Right click this certificate, select All Tasks, and click Export.

e. Click Next.

f. Select the option of Yes, export the private key and click Next

g. Select default options on Export File Format page, click Next

h. Type a Password of your choice and click Next

i. On the File to export dialog box, enter a filename for the certificate (e.g. c:\computercert.pfx) and click Next.

j. Click Finish.

k. Click OK.

Step 7: Deploy the MOMCertImport.exe Tool

Scenario: Copy the MOMCertImport tool to the non-trusted domain computer.

Tasks

1. The MOMCertImport tool, MOMCertImport.exe, is available in the OpsMgrCDImage\SupportTools\i386 folder.

2. Copy this file to the same location that the certificate was exported to (by default C:\Documents and Settings\Username, or the root of C:\ if you followed the steps above).

Step 8: Installing the Agent on non-trusted domain computer

Scenario: Install and configure the Agent computer.

Tasks

Important - If MSXML 6 is already installed, skip Step 1 and proceed to Step 2.

1. Log on to the non-trusted domain computer

2. Install the prerequisite MSXML 6.0

a. Browse to CDImage\msxml\i386

b. Double click the msxml6.msi file

c. Click Next

d. Check I accept the terms in the license agreement and select Next.

e. Select Next.

f. Select Install.

g. Select Finish to complete the installation.

3. Deploying the Agent using MOMAgent.msi

a. Browse to CDImage\Agent\i386 folder, and then double-click the MOMAgent.msi file.

b. On the Welcome to the System Center Operations Manager Agent Setup Wizard page, click Next.

c. On the Destination Folder page, click Next to accept the default location.

Optionally, you can select Change to specify a different installation location for the Operations Manager agent.

d. On the Management Group Configuration page, under Management Group Name, type the name of the Management Group.

e. Under Management Server, type the FQDN of the principal management server.

f. Under Management Server Port, type the port number if you are not using the default of 5723.

g. Click Next.

h. On the Action Account page, select Local System, and then click Next.

i. On the Ready to Install page, review the installation settings, and then click Install.

j. On the Completing the System Center Operations Manager Agent Setup Wizard page, click Finish.

Step 9: Using the MOMCertImport Tool on the Non-trusted domain computer

Scenario: Use the MOMCertImport tool on the non-trusted domain computer.

Tasks

1. On the non-trusted domain computer open a command prompt by going to Start -> Run and typing CMD.

a. Navigate to the location where the MOMCertImport.exe tool was copied.

b. Type in MomCertImport <nameofcertexport>.pfx /password <password> (use the password you entered when exporting the certificate).

c. Hit Enter.

2. Open the services.msc by clicking on Start -> All Programs -> Administrative Tools -> Services

3. Find and restart the Mom Health Service

Notes:

1. In the operations console, under Administration – Settings, you have to change the server security settings so that new manual agent installations are not rejected. You can select “Review new manual agent installations in pending management view” and optionally select “Auto-approve new manually installed agents”.

2. After installing agents and once the certificates are installed, the newly installed agent on the non-trusted domain computer will appear under Pending management view.  You have to approve it manually. After a few minutes the agent will start showing as Healthy.

3. If the certificate authority is not installed on the management server but is located on some other server, then you have to install the certificate chain on the management server using the steps below:

a. On the Management Server, open your web browser and go to the Web enrollment tool at https://CertificateServer/certsrv

b. Click the Download a CA certificate, certificate chain, or CRL link

c. Click the Install this CA certificate chain link.

d. Select Yes to the security dialog popup.

e. Select Yes to the second security dialog popup (if this occurs)

f. You should get a web page that states The CA certificate chain has been successfully installed

g. Also follow Tasks 2 and 3 of Step 5 in this document to copy the certificate chain.
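Before approving the agent, it is worth confirming that the certificate on each side actually has the properties the steps above were meant to produce (both EKU OIDs from the OID field, a private key in the Local Computer store, and a chain that builds to the root CA you pasted into Trusted Root Certification Authorities). The PowerShell check below is an added example and is not part of the original post or of Operations Manager; it assumes the subject CN is the machine's DNS host name, which you can override with -Fqdn.

```powershell
# Added example (not from the original post): verify a machine certificate against
# what Steps 1-9 set up. Run on the Management Server or the non-trusted domain agent.
param([string]$Fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName)  # assumed default
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication, first OID from the OID field
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication, second OID from the OID field
# The certificate was stored in the Local Computer Personal store (LocalMachine\My)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$candidates = @($store.Certificates | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn })
$store.Close()
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My"
    exit 1
}
$failed = $false
foreach ($cert in $candidates) {
    $problems = @()
    # Both EKUs entered in the OID field must be present on the issued certificate
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekus -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }
    if ($ekus -notcontains $clientAuth) { $problems += 'missing Client Authentication EKU' }
    # The private key must have come in with the .pfx (exportable key, MOMCertImport)
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the machine store' }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'outside validity period' }
    # The chain must build to a root in LocalMachine Trusted Root (Step 5 Task 3, Note 3).
    # Revocation is not checked here; this only tests that the issuing chain is trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root ($status)"
    }
    if ($problems.Count -eq 0) {
        Write-Host "OK   $($cert.Thumbprint) CN=$Fqdn issued by $($cert.Issuer)"
    } else {
        $failed = $true
        Write-Host "FAIL $($cert.Thumbprint): $($problems -join '; ')"
    }
}
if ($failed) { exit 1 }
```

A FAIL on the chain line on the agent usually means the root CA certificate ended up only in the Current User store (Step 5 Task 3 copies it to Local Computer), and a missing EKU means the OID field was not filled in as shown in Step 1 or Step 5.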

Milan Jajal | Manageability Support Engineer