Monitoring non-domain members with OM 2012


While the rest of the System Center community is in Vegas for MMS2012, I'm helping customers with their questions about System Center Operations Manager 2012. To be honest, I'm a little jealous of all the people who are in Vegas right now.

So I created some more detailed documentation on how to start monitoring your non-domain members (workgroup servers in your DMZ) in OM2012.

These are still the same steps as in OM 2007, so if you are already familiar with them this will be easy for you.

I created a simple diagram to give a high-level overview of which steps are executed on which machines.

(Diagram: Certificates_Workflow)

    Environment:

    • OM12 RTM
    • Stand-Alone Windows Server 2008 CA (w2k8r2dc1.demo.stranger)
    • Two OM12 Management Servers (OM12MS01.demo.stranger and OM12MS02.demo.stranger)
    • Workgroup server in "DMZ" (OM12DMZ01.demo.dmz)

    Some important notes:

    • The server must have an FQDN, so if it is in a workgroup add a domain suffix manually.
    • The server being monitored must be able to resolve the FQDN of the OM2012 Management Server.
    • Check that the non-domain member server can connect to port 5723 on the Management Server (use the telnet client).

    Guide info: http://technet.microsoft.com/en-us/library/dd362655.aspx
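    The three notes above as a pre-flight check script. This is an added example, not code from the original post: it runs on the workgroup server in Windows PowerShell, the function names are my own, and the management server name is the lab name from this post (replace it with your own).

```powershell
# Added example, not code from the original post. Run on the workgroup (DMZ)
# server before starting the certificate steps. The management server name is
# the one from the post's lab; replace it with your own.

function Get-LocalFqdn {
    # A workgroup server only has an FQDN when a primary DNS suffix is set
    # (System Properties > Computer Name > More > Primary DNS suffix).
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ([string]::IsNullOrEmpty($ipProps.DomainName)) {
        throw "No primary DNS suffix set; the certificate subject needs an FQDN."
    }
    return "$($ipProps.HostName).$($ipProps.DomainName)"
}

function Test-ManagementServerResolution {
    param([Parameter(Mandatory=$true)][string]$Fqdn)
    # The agent must resolve the management server's FQDN (DNS or a hosts entry).
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Fqdn)
        return ($entry.AddressList | ForEach-Object { $_.IPAddressToString })
    } catch {
        throw "Cannot resolve $Fqdn : $($_.Exception.Message)"
    }
}

function Test-OpsMgrPort {
    param([Parameter(Mandatory=$true)][string]$Fqdn, [int]$Port = 5723, [int]$TimeoutMs = 5000)
    # Equivalent of 'telnet <management server> 5723' from the post, without
    # the telnet client. The agent initiates the connection, so this check
    # belongs on the monitored server, not on the management server.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Fqdn, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false   # no answer within the timeout (firewall or wrong host)
        }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$ms = 'OM12MS02.demo.stranger'   # lab name from the post; replace with yours
"Local FQDN for the certificate subject: $(Get-LocalFqdn)"
"$ms resolves to: $((Test-ManagementServerResolution -Fqdn $ms) -join ', ')"
"TCP ${ms}:5723 reachable: $(Test-OpsMgrPort -Fqdn $ms -Port 5723)"
```

    If the first line throws, add the DNS suffix before creating the request file in step 3, because the Subject in the .inf file has to be that FQDN. If resolution fails but the port test with an IP address works, a hosts entry on the workgroup server is the usual fix.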

    Pre-reqs:

    It is assumed that you have AD CS installed, an HTTPS binding is being used, and its associated certificate has been installed. Information about creating an HTTPS binding is available in the topic How to Configure an HTTPS Binding for a Windows Server 2008 CA.

     

    High-Level steps:

  1. Download the Trusted Root (CA) certificate.
  2. Import the Trusted Root (CA) certificate.
  3. Create a setup information file to use with the CertReq command-line utility.
  4. Create a request file.
  5. Submit a request to the CA using the request file.
  6. Approve the pending certificate request.
  7. Retrieve the certificate from the CA.
  8. Import the certificate into the certificate store.
  9. Import the certificate into Operations Manager using MOMCertImport.

    Step 1. Download the Trusted Root (CA) certificate

    • Log on to the computer where you installed a certificate; for example, the gateway server or management server.
    • Start Internet Explorer, and connect to the computer hosting Certificate Services; for example, https://<servername>/certsrv.
    • On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
    • On the Download a CA Certificate, Certificate Chain, or CRL page, click Encoding method, click Base 64, and then click Download CA certificate chain.
    • In the File Download dialog box, click Save and save the certificate; for example, Trustedca.p7b.
    • When the download has finished, close Internet Explorer.

    [OM12MS02.demo.stranger]

    (Screenshots: Download a CA Certificate, certificate chain, or CRL)

    Step 2. Import the Trusted Root (CA) Certificate

    • On the Windows desktop, click Start, and then click Run.
    • In the Run dialog box, type mmc, and then click OK.
    • In the Console1 window, click File, and then click Add/Remove Snap-in.
    • In the Add/Remove Snap-in dialog box, click Add.
    • In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
    • In the Certificates snap-in dialog box, select Computer account, and then click Next.
    • In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
    • In the Add Standalone Snap-in dialog box, click Close.
    • In the Add/Remove Snap-in dialog box, click OK.
    • In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
    • Right-click Certificates, select All Tasks, and then click Import.
    • In the Certificate Import Wizard, click Next.
    • On the File to Import page, click Browse and select the location where you downloaded the CA certificate file, for example, TrustedCA.p7b, select the file, and then click Open.
    • On the File to Import page, select Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.
    • On the Completing the Certificate Import Wizard page, click Finish.

    [OM12MS02.demo.stranger]

    (Screenshots: open the Certificates (Local Computer) MMC snap-in; import TrustedCA.p7b)

    Step 3. Create a setup information file to use with the CertReq command-line utility.

    • On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
    • In the Run dialog box, type Notepad, and then click OK.
    • Create a text file containing the following content:
      [NewRequest]
      Subject="CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>"
      Exportable=TRUE
      KeyLength=2048
      KeySpec=1
      KeyUsage=0xf0
      MachineKeySet=TRUE
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.1
      OID=1.3.6.1.5.5.7.3.2
    • Save the file with an .inf file name extension, for example, RequestConfig.inf.
    • Close Notepad.

    [OM12MS02.demo.stranger]

    (Screenshot: the setup information file)

    Step 4. Create a request file to use with a stand-alone CA

    • On the computer hosting the Operations Manager component for which you are requesting a certificate, click Start, and then click Run.
    • In the Run dialog box, type cmd, and then click OK.
    • In the command window, type CertReq -New -f RequestConfig.inf CertRequest.req, and then press ENTER.
    • Open the resulting file (for example, CertRequest.req) with Notepad. Copy the contents of this file onto the clipboard.

    [OM12MS02.demo.stranger]

    (Screenshot: creating the request file)

    Step 5. Submit a request to a stand-alone CA

    • On the computer hosting the Operations Manager component for which you are requesting a certificate, start Internet Explorer, and then connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).
    • On the Microsoft Active Directory Certificate Services Welcome screen, click Request a certificate.
    • On the Request a Certificate page, click advanced certificate request.
    • On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
    • On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the CertRequest.req file that you copied in step 4 in the previous procedure, and then click Submit.
    • Close Internet Explorer.

    [OM12MS02.demo.stranger]

    (Screenshots: Request a certificate; advanced certificate request; Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file; the pasted request)

    Step 6. Approve the pending certificate request

    • Log on as a certification authority administrator to the computer hosting Active Directory Certificate Services.
    • On the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
    • In Certification Authority, expand the node for your certification authority name, and then click Pending Requests.
    • In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
    • Click Issued Certificates, and confirm the certificate you just issued is listed.
    • Close Certification Authority.

    [W2K8R2DC1.demo.stranger]

    (Screenshots: click Pending Requests in Certification Authority, then click Issue)

    Step 7. Retrieve the certificate

    • Log on to the computer where you want to install a certificate; for example, the gateway server or management server.
    • Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, https://<servername>/certsrv).
    • On the Microsoft Active Directory Certificate Services Welcome page, click View the status of a pending certificate request.
    • On the View the Status of a Pending Certificate Request page, click the certificate you requested.
    • On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
    • In the File Download – Security Warning dialog box, click Save, and save the certificate; for example, as NewCertificate.cer.
    • On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
    • Close Internet Explorer.

    [OM12MS02.demo.stranger]

    (Screenshots: view the status of the pending certificate request; download and save the certificate)

    Step 8. Import the certificate into the certificate store

    • On the computer hosting the Operations Manager component for which you are configuring the certificate, click Start, and then click Run.
    • In the Run dialog box, type cmd, and then click OK.
    • In the command window, type CertReq -Accept NewCertificate.cer, and then press ENTER.

    [OM12MS02.demo.stranger]

    (Screenshot: importing the certificate into the certificate store)

    Step 9. Import the certificate into Operations Manager using MOMCertImport

    • Log on to the computer where you installed the certificate with an account that is a member of the Administrators group.
    • On the Windows desktop, click Start, and then click Run.
    • In the Run dialog box, type cmd, and then click OK.
    • At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Operations Manager 2007 installation media is located), and then press ENTER.
    • Type cd\SupportTools\i386, and then press ENTER.

    Note: on 64-bit computers, type cd\SupportTools\amd64 instead.

    • Type the following:
      MOMCertImport /SubjectName <Certificate Subject Name>
    • Press ENTER.

    [OM12MS02.demo.stranger]

    MOMCertImport /SubjectName OM12MS02.demo.stranger

    (Screenshot: MOMCertImport output)

    Check if everything is ok

    Open the certificate that you installed on management/gateway server. Click on Details Tab and check the Serial Number.

    Now navigate to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings and check the value of ChannelCertificateSerialNumber. The certificate's serial number should appear here in reverse byte order.

    (Screenshots: the certificate's Details tab with the Serial Number; the registry value ChannelCertificateSerialNumber)

    Tada!

    Pre-reqs on DMZ server:

    Make sure you have installed the OM12 Agent before starting.

    (Screenshot: agent installation)

    Let's check the event log.

    (Screenshot: the event log on the agent)
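    The command-line parts of steps 3, 4, 8 and 9, the registry check under "Check if everything is ok", and the event log look-up above, as one Windows PowerShell script. This is an added example, not code from the original post or from Operations Manager itself. The function names are mine and the lab names come from the post. It assumes that MOMCertImport.exe is on the OM12 media under SupportTools\amd64 (i386 on 32-bit), that the ChannelCertificateSerialNumber value is REG_BINARY holding the serial number bytes in reverse order, and that the agent's log is named "Operations Manager" with source "OpsMgr Connector". Steps 5 to 7 (submit the request on the CA web page, issue it, download it) are still done by hand as described above.

```powershell
# Added example, not code from the original post. Run on the server that needs
# the certificate (management server or workgroup server), as Administrator.

function New-OpsMgrCertRequest {
    param(
        [Parameter(Mandatory=$true)][string]$SubjectFqdn,
        [string]$InfPath = "$PWD\RequestConfig.inf",
        [string]$ReqPath = "$PWD\CertRequest.req"
    )
    # Step 3: same settings as the post's RequestConfig.inf (exportable
    # 2048-bit machine key, Server Authentication + Client Authentication EKUs).
    $inf = @"
[NewRequest]
Subject="CN=$SubjectFqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    # Step 4: create the PKCS #10 request; paste its contents into the CA web page (step 5).
    & certreq.exe -New -f $InfPath $ReqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -New failed with exit code $LASTEXITCODE" }
    return $ReqPath
}

function Install-OpsMgrCert {
    param(
        [Parameter(Mandatory=$true)][string]$CerPath,
        [Parameter(Mandatory=$true)][string]$SubjectFqdn,
        [string]$MomCertImport = 'D:\SupportTools\amd64\MOMCertImport.exe'  # assumed media path
    )
    # Step 8: bind the issued certificate to the pending request and its private key.
    & certreq.exe -Accept $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -Accept failed with exit code $LASTEXITCODE" }
    # Step 9: tell the Health Service which certificate to use for the channel.
    & $MomCertImport /SubjectName $SubjectFqdn
    if ($LASTEXITCODE -ne 0) { throw "MOMCertImport failed with exit code $LASTEXITCODE" }
}

function Test-OpsMgrCertBinding {
    param([Parameter(Mandatory=$true)][string]$SubjectFqdn)
    # "Check if everything is ok": the registry value holds the same bytes as
    # the serial number on the certificate's Details tab, in reverse order.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectFqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$SubjectFqdn in LocalMachine\My" }

    $regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $regBytes = (Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber).ChannelCertificateSerialNumber
    $regHex = ($regBytes | ForEach-Object { $_.ToString('X2') }) -join ''

    # GetSerialNumber() returns the bytes little-endian, i.e. already reversed
    # relative to the SerialNumber string shown on the Details tab.
    $reversedHex = ($cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''

    return New-Object PSObject -Property @{
        Subject          = $cert.Subject
        SerialOnCert     = $cert.SerialNumber
        SerialInRegistry = $regHex
        Matches          = ($regHex -eq $reversedHex)
    }
}

function Get-OpsMgrConnectorEvents {
    param([int]$Newest = 20)
    # "Let's check the eventlog": the most recent connector events on this server.
    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest $Newest |
        Select-Object TimeGenerated, EntryType, EventID,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Usage (lab names from the post; replace with your own):
# $req = New-OpsMgrCertRequest -SubjectFqdn 'OM12DMZ01.demo.dmz'
# ... paste $req into https://<CA>/certsrv, issue it on the CA, download NewCertificate.cer ...
# Install-OpsMgrCert -CerPath .\NewCertificate.cer -SubjectFqdn 'OM12DMZ01.demo.dmz'
# Test-OpsMgrCertBinding -SubjectFqdn 'OM12DMZ01.demo.dmz'
# Get-OpsMgrConnectorEvents -Newest 10
```

    Test-OpsMgrCertBinding returning Matches = False after MOMCertImport usually means MOMCertImport picked a different certificate with the same subject (an older one in the store), which is why the function reports both serial numbers instead of only a yes/no.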

    Repeat the steps for the OM12DMZ01 server in the workgroup

    High-Level steps:

    • Download the Trusted Root (CA) certificate.
    • Import the Trusted Root (CA) certificate
    • Create a setup information file to use with the CertReq command-line utility.
    • Create a request file.
    • Submit a request to the CA using the request file.
    • Approve the pending certificate request.
    • Retrieve the certificate from the CA.
    • Import the certificate into the certificate store.
    • Import the certificate into Operations Manager using MOMCertImport.

    [OM12DMZ01.demo.dmz]

    (Screenshots of each step, as above)

    Step 1. Download the Trusted Root (CA) certificate.

    Step 2. Import the Trusted Root (CA) certificate.

    Step 3. Create a setup information file to use with the CertReq command-line utility.

    Step 4. Create a request file to use with a stand-alone CA.

    CertReq -New -f RequestConfig.inf CertRequest.req

    Step 5. Submit a request to a stand-alone CA.

    Step 6. Approve the pending certificate request.

    [W2K8R2DC1.demo.stranger]

    Step 7. Retrieve the certificate.

    [OM12DMZ01.demo.dmz]

    Step 8. Import the certificate into the certificate store.

    Step 9. Import the certificate into Operations Manager using MOMCertImport.

    MOMCertImport /SubjectName OM12DMZ01.demo.dmz

    Final step is approving the agent

    Check the Security Settings in the Operations Console.

    Wait for the agent to turn up in the Pending Approval folder.

    (Screenshots: Security settings; the agent pending approval)

    End result:

    (Screenshot: the monitored workgroup server)

 

Have fun at MMS for those who are in Vegas, and for those who are not, well…

Comments (30)

  1. Anonymous says:

    Hi Stefan,

    Excellent guide, thank you.

    In step 7, you download a certificate with a .cer extension and then import it in step 8. In step 9, you use the MomCertImport tool to import the certificate, but as you know you cannot import a .cer file with the tool; the certificate must be in pfx format [the error you will get is "Certificate file name should have pfx extension."]

    Am I missing something?

    Thanks!

  2. Anonymous says:

    Hi Stefan

    Solved the problem mentioned before :) The following are the only deviations from this blog that enabled me to do this:

    1) Creating a certificate template using computer as a duplicate
    2) From the SCOM server, importing the certificate remotely on the workgroup machine
    3) After running the momcertimport, restarting the health service on both the SCOM server and the workgroup server.

    Thanks again for a wonderfully helpful page. Next time I bump into you, in Vegas or somewhere else, drinks are on me!!!!

    Thanks
    DG

  3. Anonymous says:

    Hi FoRo,

    In the blogpost I tried to show on which machines you need to execute which activities. The Yellow squares show where you need to execute the different steps.

    SCOM01 – My scom Server (this is what I called Management Server)
    FTP01 – server that is not part of the domain and needs to be monitored (this is what I called the server in the workgroup (server in DMZ))
    NPS01 – CA server that hosts certificates

    Does this help?

  4. Anonymous says:

    Hi DG,

    Please check this discussion on TechNet. social.technet.microsoft.com/…/crossdomain-agent-monitoring-with-scom-2007-r2-oneway-forest-trusts

    "The OpsMgr Connector could not connect to MSOMHSvc/scommgmt.DomainA.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

    Don't forget that after the (push)install of the agent, the agent initiates the communication. So the agent is connecting to the MS (in domain A), and there is no trust (A doesn't trust B), how can the MS verify with Kerberos that the agent is really who it says it is…. it can't

    If you don't want to use Certificates, then you need a full trust model (this can be done through setting up two one-way trusts)

    "

    So yes you need to use the procedure I described here.

    /Stefan

  5. Anonymous says:

    Hi,
    In your environment, there are two OM12 Management Servers (OM12MS01.demo.stranger and OM12MS02.demo.stranger).
    In mine, I have only one SCOM server located in the Production Zone, can I still follow your instruction ?

  6. Anonymous says:

    Hi Stefan, thanks once again for your blog and response. I have one quick question. I want to manage one workgroup machine using SCOM 2012, and used this procedure. However I still get the error that the client is untrusted. I noticed one thing though: as per the procedure, Step 5. Submit a request to a stand-alone CA, in my environment, on the page to paste the copied key, I get an additional option to choose a certificate template. I have left it as the default, which is "User". This is the same for both my management server and my workgroup server. However on my management server I can see under my personal store the certificate has been issued to my userid, whereas on the workgroup server I get issued with a personal certificate which is issued to my management server. I think this is the discrepancy that is causing the error. I tried manually copying the certificate from my management server to the workgroup server and then running "Momcertimport.exe /SubjectName " from the workgroup server. But this didn't help. I am using Windows 2012 server OS on both the management server and the workgroup machine. Any help will be greatly appreciated!!! Thanks

  7. Anonymous says:

    Hi Stefan,

    I was in trouble that after installed agent manually. I can see the agent turn up in the Pending Management and approve.
    But the final result of mine was not the same with yours. The Health State keep "Not monitored"

    Check log on the agent I can see this:

    "The OpsMgr Connector connected to SCOM SERVER, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.
    Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect."

    Do you have experience this ?

    Thanks

  8. Anonymous says:

    Hi Quang Mo,

    Yes, even if your environment only has one Management Server you can still follow the steps I described.

    /Stefan

  9. Anonymous says:

    Hi Greg,

    Thanks for the feedback. Appreciate it!

    /Stefan

  10. Anonymous says:

    Hi Stefan

    Excellent article. Thanks for it. I wanted to ask a quick question: can I use this procedure to monitor domain-joined machines? The domain I want to monitor has only got a one-way trust with the domain that has the SCOM management server. The SCOM management server domain's credentials work in the other domain but not vice versa. I am a relative newbie to SCOM and will appreciate any help.

    Regards

    DG

  11. Anonymous says:

    Stefan,
    I will not take too much of space, so that we keep the article short and clean. Just wanted to give you BIG THANKS for your hard work. The steps are very much to the point that absolutely no one could make mistake here. Thanks again. Very useful for Scom Admins…Fahim

  12. John Bradshaw says:

    Nice to see the steps so fully itemised.

    thx Stefan.

    And don't worry about Vegas….Think of all the money u saved :)

    JB

  13. Joshua op 't Eijnde says:

    Thanks for the excellent guide Stefan :)

  14. Neil Morgan says:

    This is a great blog post. Thank you very much for the fantastic insight and we really appreciate the time you took to write this. Thanks again.

  15. Rob Risetto says:

    Thanks for the post. I get that security is important, hence the use of certs, but is it only me that thinks that this approach by MS is utterly ridiculous, over-complicated and onerous, especially if you have many distinct DMZs or client sites to monitor? Maybe in this case it's the wrong tool to use. Surely they can come up with a better option.

  16. Sarav says:

    Excellent guide! This works like charm…Great work!!!

  17. Stefan says:

    Sarav,

    Glad you like it. Thanks for the feedback.

    Stefan

  18. Fantastic says:

    Thanks so much for this. It worked

  19. Greg Royle says:

    This is the best guide I have come across to explain this and boost confidence. Also helps with a little troubleshooting of the certificates.

    Brilliant!

    thanks

  20. CZed says:

    I understand the part about creating the certificate for the MS and the DMZ server and importing them. But, do you import the MS cert to the DMZ server and the DMZ cert to the MS server?

  21. Faisal S says:

    Hey Stefan… the steps need to be performed on both the Management server and the Server you want to monitor in DMZ?

  22. Jake says:

    This is a nice tutorial. Good job and thanks for taking the time to do this. We just acquired another site and they will not approve a trust. This will make my job a little easier.

  23. Reece says:

    We have a Windows 2k3 server in a DMZ that we are configuring for monitoring. Certreq.exe is not available and only seems available in the 2003 adminpak. Do I need to have certreq installed on the server that is to be monitored?

    thanks,

  24. FoRo says:

    Hello, thank you for the great guide. I followed all the steps but for some reason I still get confused. What I am really confused about is where exactly those steps need to be executed.
    Could anyone point me in the right direction?

    What I have

    SCOM01 – My scom Server
    FTP01 – server that is not part of the domain and needs to be monitored
    NPS01 – CA server that hosts certificates.

    I’m confused what steps to execute where. I would really appreciate your help i’ve been struggling with it for quite some time. Even if you could point out the steps where it needs to be executed that would be great.

    I’m new to scom so please don’t judge me :)

  25. FoRo says:

    Hello Stefan, thank you for your clarification. I did follow all the steps and everything was successful; however, in our environment I had to enter host entries in the hosts file for the SCOM server and for the FTP server in order for them to work. Thanks again for such a detailed guide.

  26. Ryan D. says:

    The one thing that I would like to clarify is that when you are setting the FQDN for the server name in the text file template that you create, do you specify the name of the machine which you are installing the certificate on, or the name of the machine that the server you are installing the cert on is intended to connect to?

  27. Rahul says:

    Can I use multi-homing for DMZ servers? If yes, then how?

  28. Anonymous says:

    This is not the order of installation of a GW or agent by a certificate, as it exists on other blogs

  29. Enrique says:

    Stefan,
    I installed a Gateway server in the DMZ to monitor all the servers that belong to other domains and workgroup servers. In my Management Server the gateway server shows green and no errors, meaning that all the MPs were downloaded to the gateway. My question is: do I need to have a chain and a certificate for every single workgroup/non-domain server that is in the DMZ, or is the gateway enough? The Gateway is in a workgroup as well.

  30. Gleb says:

    Hello Stefan, I have followed all the steps and was successful adding the computer and its certificates, but when I try to install the Agent manually on the DMZ computer that is not in a domain I get the following error: "Error 25372. setup failed to enumerate trusted domains, please verify the user has access to active directory". I was also unable to telnet to the server from my SCOM server using the telnet port. Any advice on what I can check or configure? I have also created a hosts entry on the computer that is not part of the domain so it can ping the SCOM server.