Hello gurus
I have a question. I am relatively new to the product and thus I am lost. I want to do the following: I want to monitor a handful of servers in a domain that has a one-way trust established between itself and the domain of the SCOM servers. I have a gateway server installed in the DMZ, and a CA server in the production domain, which also hosts the OpsMgr servers. I have followed the following procedure:
- Install the CA on a separate server on
- verify that https://<CA server FQDN> is reachable
- If you are using a CA follow the instructions below:
- Open the MMC console. Start > run > MMC > Enter
- When the MMC console opens Click on file, add/remove snap-in
- When the Add or Remove Snap-ins window opens, add Certificate Templates and Certification Authority, then click OK
- Expand Certificate Templates
- In the Certificate Templates console, right-click IPSec (Offline request) and then select Duplicate Template
- On the General Tab type a name like SCOM Template
- On the Request Handling:
- Select Allow private key to be exported
- For 2000 & 2003 Domains:
- Click CSPs
- For Windows 2003 Check Microsoft RSA SChannel Cryptographic provider
- For Windows 2000 Check Microsoft Enhanced Cryptographic provider 1.0
- On the Extensions Tab:
- Select the Applications Policies and Click Edit
- Remove IP security IKE intermediate
- Add Client Authentication and Server Authentication
- On the Security Tab:
- Verify that Users have Read and Enroll rights (this will be needed later).
- Now we need to add the Template to the Certificate Authority
- Expand Certification Authority
- Right Click on Certificate Templates then New then Certificate Template to Issue
- Select the template you just created and Click OK
- The template you just created should now show up in the Templates list
- Now install this template on the SCOM management server using the local mmc snap-in and request it from personal certificates.
- From the GW server, the one that is not in the domain, you don’t trust the Enterprise CA by default.
- That’s why you first have to get and install the Root CA certificate from the AD CS.
- Add both My user account and Computer account – you’ll need both anyway
- Open a web browser on the gateway server, and go to the CA Web service: http://OM12DC1/certsrv
- Add the certsrv website to the Trusted Sites by going to internet options and under security choose Trusted Sites, and click on Sites to add this site
- Since the certsrv website uses ActiveX, change the security settings of Trusted Sites so that ActiveX is allowed.
- Download a CA certificate, certificate chain, or CRL
- Select base 64 and Download CA certificate chain, save the certificate
- Open MMC and add Certificates (Local Computer)
- import the certificate downloaded to Trusted Root CA
- Now we need to request a certificate for our gateway server
- go to https://<CA server fqdn>/certsrv
- Request a certificate --> Advanced certificate --> Create and submit
- Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of your gateway server.
- Request format PKCS10
- friendly name: GW server fqdn
- install the certificate
- Export the certificate from the current user to local computer as a pkcs#7 certificate
- We can also request certificates in another way: we can request a new certificate from our CA directly from the MMC.
- Click next
- Select the certificate that we’ve created earlier
- The extra information needed is the Common Name in the first box (OM12MS) and the FQDN in the bottom box with DNS.
- And click Enroll to finish this
- Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and the corresponding Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.CONFIG file from the support tools directory on your installation media to the installation path of your OpsMgr installation, in my case that’s C:\Program Files\System Center 2012\Operations Manager\Setup
- Approve the gateway server: At the command prompt, run Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create
- If the approval is successful, you will see "The approval of server <GatewayFQDN> completed successfully."
- Install the gateway server
- Run the SCOM setup.exe
- Give the management group name - this can be found in the title bar of the console on the management server - and the management server FQDN
- account name should be the domain admin of the DMZ domain
- Copy the MOMCertImport.exe tool to the gateway server, into the gateway installation path and on the management server.
- In my case, this is C:\Program Files\System Center Operations Manager\Gateway
- Run the tool and select the certificate created previously
I have not been able to get the monitoring going.
1) Do we need to approve the gateway on both management servers?
2) In the section for momcertimport, do I do that on the mgmt server first and then the gateway server?
3) During export of the certificate I don't see the Personal Information Exchange PKCS#12 option.
4) When I try to run the discovery for the DMZ servers using the gateway server, I get the error: Health service "fqdn of the gateway server" in which the location monitoring object is contained is not available. Make sure that the computer hosting the Health Service is available and verify that the health service is running.
I can install the agents manually on the DMZ servers, as the number is not large, but during installation, do I need to point the DMZ machines towards the gateway server or the management server?
As I said, I am new to this and any help will be greatly appreciated :(
Thanks in advance.
Regards
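Before running MOMCertImport, it helps to confirm that the certificate on the gateway (and on the management server) actually has the properties the template above was built to produce. The following PowerShell script is an added example, not code from the original post or from the SCOM product; it assumes the certificate was imported into the Local Computer Personal store (Cert:\LocalMachine\My, the store MOMCertImport works with) and derives the expected FQDN from DNS for the local host (override it with -ExpectedFqdn). It checks the subject CN, the Server Authentication and Client Authentication EKUs, the presence of the private key, the validity period, and whether the chain builds to a root in Trusted Root Certification Authorities.

```powershell
<#
  Added example (not part of the original post): verify that a certificate
  installed for a SCOM gateway or management server meets the requirements
  of the template created in the procedure above.
  Assumptions: certificate is in Cert:\LocalMachine\My; the expected FQDN is
  this host's DNS name unless -ExpectedFqdn is given.
#>
param(
    # Assumption: local host FQDN from DNS; pass -ExpectedFqdn to override
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$EkuExtensionOid = '2.5.29.37'           # Enhanced Key Usage extension

function Test-ScomCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )

    $problems = @()

    # Subject must be exactly CN=<FQDN> (optionally followed by more RDNs)
    $pattern = '^CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    if ($Cert.Subject -notmatch $pattern) {
        $problems += "subject '$($Cert.Subject)' is not CN=$Fqdn"
    }

    # The Health Service needs the private key in the Local Computer store
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in this store (import the PFX into Local Computer, not Current User)'
    }

    # Both EKUs must be present (IKE intermediate was removed from the template)
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }

    # Validity window
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "not valid on $($now.ToString('u')) (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # Trust path: the issuing CA chain must be in Trusted Root / Intermediate stores.
    # CRL reachability from a DMZ host is a separate concern, so revocation is not checked here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root ($status); import the CA certificate chain into Trusted Root Certification Authorities"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExpectedFqdn*" }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$ExpectedFqdn in Cert:\LocalMachine\My. A certificate that only exists under Current User is not visible to the Health Service."
    return
}

$candidates | ForEach-Object { Test-ScomCertificate -Cert $_ -Fqdn $ExpectedFqdn } | Format-List
```

Run it in an elevated PowerShell session on the gateway and again on the management server; a certificate reported as Usable with an empty Problems list is the one to give to MOMCertImport. A certificate that shows HasPrivateKey as false is also the usual reason the PKCS#12 (.pfx) choice does not appear in the export wizard: that format is only offered when the store being exported from holds the private key and the template allowed it to be exported.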