SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Monitor Workgroup / DMZ servers in SCOM using Certificates In my previous article, we have learnt how to install the Root CA and create SCOM certificate template so we can discover and monitor Workgroup / cross-domain servers in our SCOM environment using those certificates. Today we will generate and install the certificates using the SCOM certificate template and discover Workgroup / cross-domain server in our SCOM environment. For our demo, we will be using a cross-domain server (testdomain.com) running on Windows Server 2012 R2. Our SCOM Management Server has SCMVP.COM domain. So, let’s start… 1: Login on to the SCOM Management Server and open Certificate Server Web site. 2: Click on Download a CA certificate, certificate chain, or CRL option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 3: Click Yes button if you get Web Access Confirmation message.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 5: Provide the certificate an appropriate name and save the certificate.
TIP: Create a folder on the computer and save all the certificates in that folder.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Now, we need to request two certificates for:
• SCOM Management Server.
• Client Server. Which we are going to discover in SCOM (Workgroup / cross-domain server).
NOTE: Requesting a certificate for SCOM Management Server will be one time task. That means, you
don’t need to request the certificate for SCOM Management Server every time you are discovering a
Workgroup / cross-domain server. You just need to request one certificate for the Client Server.
Requesting certificate for SCOM Management Server
1: Click Home button and click on Request a certificate option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 3: Click on Create and submit a request to this CA option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Now here, it’s important. Provide required detail in the fields.
4: Select SCOM Template under Certificate Template field.
5: Provide SCOM Management Server FQDN under Name field.
6: Make sure Mark keys as exportable option is checked.
7: Provide SCOM Management Server FQDN under Friendly Name field.
8: Click Submit button.
Note: If you provide server hostname instead of FQDN, authentication will not happen and the
certificate will be useless. So, provide only full computer name of the target server for which you are
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 10: Click on Install this certificate option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 11: You should get Certificate Installed message.
The certificate will be installed under user personal store.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Now, we need to request the certificate for Client Server (Workgroup / cross-domain server, which we
want to discover in SCOM).
Requesting certificate for Workgroup / cross-domain server.
1: Click Home button and click on Request a certificate option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 3: Click on Create and submit a request to this CA option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 9: Click on Install this certificate option.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 10: You should get Certificate Installed message.
The certificate will be installed under user personal store.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Now, we need to export the certificate from user personal store to the Certificate folder we created.
Exporting certificates
1: Login on to SCOM Management Server and open MMC (Microsoft Management Console).
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 6: Expand Certificates – Current User, Personal and click on Certificates folder.
Here you will find both the installed certificates. We need to export both the certificates from there to
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 7: Right click the SCOM Management Server certificate, click All Tasks and click Export.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 12: Provide a suitable name to the certificate and click Save button by selecting the preferred location.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Installing the certificate on SCOM Management Server
Now since we have got the certificates for both our SCOM Management Server and Client server, it’s
time to install them.
Note: Requesting and installing the certificate on SCOM Management server is a one time task. So, you
don’t need to install the certificate on SCOM Management server if you have already installed it before.
1: Login on to SCOM Management Server.
2: Copy the MOMCertImport application to the same location where we saved the certificates.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ You can find MOMCertImport application under Supported Tools in SCOM installation media.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 3: Open Command prompt with elevated privileges.
4: Navigate to the Certificates folder where we placed MOMCertImport application and SCOM
Management server certificate.
5: Execute below command:
MOMCertImport.exe <certificatename.pfx>
6: Enter certificate password.
You should get Successfully installed the certificate message.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Certificate installation on SCOM Management Server is done. Now let’s move to Client Server
(Workgroup / cross-domain server) and perform required tasks on the server.
Before we start, move the cert chain, Client Server certificate and MOMCertImport application to the
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ After running it, you can see the cert appear in the MMC within Trusted Root Certification Authorities.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ 6: Open SCOM console and check Pending Management. The Agent should be visible over there.
SHASHI BHUSHAN http://systemcentermvp.com/2017/09/26/installing-root-ca-creating-scom-certificate-template/ Discovered server should be visible under Agent Managed tab with healthy status.
That’s it.
This concludes the process to discover and monitor Workgroup / cross-domain servers in SCOM.
