SystemCenter

All about System Center Articles and Tutorials

Monitor Workgroup / cross-domain servers in SCOM

Posted by on Sep 28, 2017 in SCOM, SCOM 2012, SCOM 2016

Monitor Workgroup / cross-domain servers in SCOM

In my previous article, we have learnt how to install the Root CA and create SCOM certificate template so we can use them to discover and monitor Workgroup / cross-domain / DMZ servers in our SCOM environment using certificates.

Today  I will show you how to generate and install the certificates using the SCOM certificate template so we can discover Workgroup / cross-domain / DMZ server in our SCOM environment.

For our demo, we will be using a cross-domain server (testdomain.com) running on Windows Server 2012 R2. Our SCOM Management Server has SCMVP.COM domain.

So, let’s start…

1: Login on to the SCOM Management Server and open Certificate Server Web site.

2: Click on Download a CA certificate, certificate chain, or CRL option.

3: Click Yes button if you get Web Access Confirmation message.

4: Click on Download CA certificate chain option.

5: Provide the certificate an appropriate name and save the certificate.

TIP: Create a folder on the computer and save all the certificates in that folder.

Now, we need to request two certificates for:

  • SCOM Management Server.
  • Client Server. Which we are going to discover in SCOM (Workgroup / cross-domain server).

NOTE: Requesting a certificate for SCOM Management Server will be one time task. That means, you don’t need to request the certificate for SCOM Management Server every time you are discovering a Workgroup / cross-domain server. You just need to request one certificate for the Client Server.

Requesting certificate for SCOM Management Server

1: Click Home button and click on Request a certificate option.

2: Click on advanced certificate request option.

3: Click on Create and submit a request to this CA option.

Now here, it’s important. Provide below required detail in the fields.

4: Select SCOM Template under Certificate Template field.

5: Provide SCOM Management Server FQDN under Name field.

6: Make sure Mark keys as exportable option is checked.

7: Provide SCOM Management Server FQDN under Friendly Name field.

8: Click Submit button.

Note: If you provide server hostname instead of FQDN, authentication will not happen and the certificate will be useless. So, provide only full computer name of the target server for which you are requesting the certificate.

9: Click Yes button.

10: Click on Install this certificate option.

11: You should get Certificate Installed message.

The certificate will be installed under user personal store.

Now, we need to request the certificate for Client Server (the cross-domain server, which we want to discover in SCOM).

Requesting certificate for Workgroup / cross-domain server.

1: Click Home button and click on Request a certificate option.

2: Click on advanced certificate request option.

3: Click on Create and submit a request to this CA option.

Provide below required detail in the fields.

4: Select SCOM Template under Certificate Template field.

5: Provide Client Server (Workgroup / cross-domain server) FQDN under Name field.

6: Make sure Mark keys as exportable option is checked.

7: Provide Client Server (Workgroup / cross-domain server) FQDN under Friendly Name field.

8: Click Submit button.

9: Click on Install this certificate option.

10: You should get Certificate Installed message.

The certificate will be installed under user personal store.

Now, we need to export the certificate from user personal store to the Certificate folder we created.

Exporting certificates

1: Login on to SCOM Management Server and open MMC (Microsoft Management Console).

2: Click File and click on Add/Remove Snap-in…

3: Select Certificates and click Add button.

4: Select My user account and click Finish.

5: Click OK button.

6: Expand Certificates – Current User, Personal and click on Certificates folder.

Here you will find both the installed certificates. We need to export both the certificates from there to the Certificate folder we created.

7: Right click the SCOM Management Server certificate, click All Tasks and click Export.

8: Click Next.

9: Select Yes, export the private key option and click Next.

10: Select Export all extended properties option and click Next.

11: Set password and click Next.

12: Provide a suitable name to the certificate and click Save button by selecting the preferred location.

13: Click Next button.

14: Click Finish button.

The export was successful message should be displayed.

15: Click OK button.

Now, follow the same process to export the second certificate we installed for Client server (cross-domain server).

The exported certificates should be visible under the destination folder we selected while exporting the certificate.

Installing the certificate on SCOM Management Server

Now since we have got the certificates for both our SCOM Management Server and Client server, it’s time to install them.

Note: Requesting and installing the certificate on SCOM Management server is a one time task. So, you don’t need to install the certificate on SCOM Management server if you have already installed it before.

1: Login on to SCOM Management Server.

2: Copy the MOMCertImport application to the same location where we saved the certificates.

You can find MOMCertImport application under Supported Tools in SCOM installation media.

3: Open Command prompt with elevated privileges.

4: Navigate to the Certificates folder where we placed MOMCertImport application and SCOM Management server certificate.

5: Execute below command:

MOMCertImport.exe <certificatename.pfx>

6: Enter certificate password.

You should get Successfully installed the certificate message.

Certificate installation on SCOM Management Server is done. Now let’s move to Client Server (cross-domain server) and perform required tasks on the server.

Before we start, move the cert chain, Client Server certificate and MOMCertImport application to the Client Server.

Import cert chain

1: Open PowerShell with elevated privileges.

2: Run below cmdlet:

Import-Certificate -FilePath C:\Certs\certchain.p7b -CertStoreLocation Cert:\LocalMachine\Root

In our case, we have saved the certificate file certchain.p7b under C:\Certs\

After running it, you can see the cert appear in the MMC within Trusted Root Certification Authorities.

Installing SCOM Agent on Client Server

Once the cert chain import is done. It’s time to install the SCOM Agent so we may discover the server in SCOM.

I will skip this part in this article has I have already installed SCOM Agent on the server.

You can refer below article which covers the process to install SCOM Agent on Server.

INSTALL SCOM AGENT

Installing Certificate on Client Server

1: Open Command prompt with elevated privileges.

2: Navigate to the Certificates folder where we placed MOMCertImport application and Client Server certificate.

3: Execute below command:

MOMCertImport.exe <certificatename.pfx>

4: Enter certificate password.

You should get Successfully installed the certificate message.

5: Restart HealthService by running below command

net stop healthservice && net start healthservice

6: Open SCOM console and check Pending Management. The Agent should be visible over there.

7: Click on Approve option.

Discovered server should be visible under Agent Managed tab with healthy status.

That’s it…

This concludes the process to discover and monitor Workgroup / cross-domain servers in SCOM.

Hope this helps.

3 Comments

  1. The certificate exported in step5 should be manually imported to Trusted Root Certificate store.

  2. Thank you soo much. I wasted a week to figure this part out until I read your post. FYI this is valid for SCOM 2016 for agents on Server 2008 R2.

    ijaved

  3. Simple and precise, good work, keep it up.

Submit a Comment

Your email address will not be published. Required fields are marked *