Tuesday, March 19, 2013

Manage Workgroup Servers with SCOM 2012

This is a very high level steps how to have your workgroup servers to be managed by SCOM 2012.
I have this task to have my Exchange Edge Transport server sitting on DMZ to be managed by SCOM

For them to be able to communicate and authenticate each other, they must be using a certificate.
I have my internal CA (lucky me)

1. Make sure your Workgroup server trusts your CA.
You can browse to your https://internal-ca.domain.com/certsrv URL and download the CA certificate and import this to the Workgroup server's Trusted Root CA (Computer store)

2. Make sure you have a certificate template that has Server and Client Authentication purposes 
If you don't have one, duplicate one from the "Computer" template with Windows 2003 version. Make sure "allow export private key" is selected and "subject name" is supplied in the request.

3. Request a certificate from your Workgroup server to your internal CA 
Use the template you created on step 2

4. Move certificate from user store to computer store 
After request the certificate, it will automatically install the certificate on the user store. You need to export this (along with the private key) and import it back to the computer store

5. Install SCOM 2012 Agent 
Insert SCOM installation ISO/DVD and install SCOM Agent. Make sure you are using FQDN for the SCOM server during the installation wizard

6. Firewall port need to be allowed on TCP 5723 inbound and outbound 
SCOM Agent is using TCP 5723 port number to communicate with SCOM Server, open this on your firewall inbound and outbound

7. Import the certificate to SCOM Agent
On the installation ISO/DVD, navigate to SupportTools\AMD64 and run MOMCertImport.exe. It then asks you to select which certificate to use. Select the one that you created on step 3

8. Restart the System Center Management service

9. Request a certificate from your SCOM Management Server
Do exactly the same thing like step 3-4, but now do this from the SCOM Management Server

10. Import the certificate to SCOM Management Server
Do exactly the same thing like step 7-8, but now do this from the SCOM Management Server

11. Wait
Your agent should come out on the Pending Management section of your SCOM Administration console

No comments: