Installing SCOM 2012 agent on a workgroup or DMZ machine using Certificate

How to Install SCOM Agent on an Un-trusted machine

In order for SCOM to communicate with an untrusted machine, such as one in a workgroup, a DMZ or a different forest, you have to import a certificate so that SCOM trusts the foreign machine and can communicate with it. The most common example is a SCOM Gateway.

This topic is a bit involved, but if you follow a guide like this one you should be OK.

I added the files you will need as well, so you don't have to copy-paste them. Additional files: REQconfig.inf, certreq

First thing you will need is an inf file that contains the request.

  • Create a REQconfig.inf file in this format (use straight double quotes; certreq does not accept the curly quotes a word processor inserts):

[NewRequest]
; CN must be the FQDN of the machine the certificate is for.
; L is the locality (city) and S the state/province; the two were swapped in the original.
Subject="CN=<servername>,OU=<Organizational unit>,O=<organization>,L=<city>,S=<state>,C=<country>"
Exportable=TRUE       ; the private key can be exported into the .pfx later
KeyLength=2048
KeySpec=1             ; AT_KEYEXCHANGE
KeyUsage=0xf0         ; Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
MachineKeySet=TRUE    ; key is stored in the computer store, not the user's profile
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

  • On the SCOM server, use the certreq utility to create a certificate request for your organization's CA.
    Run certreq (available in your SCOM installation library) to accomplish this: certreq -new -f REQconfig.inf binreq.req
  • Send the .req file to your CA admin so they can issue a .cer file. http://support.microsoft.com/kb/228821
  • Import the .cer file you receive from your organization's CA admin into the SCOM server, so that it is joined with the private key and can be exported as a .pfx, using the mmc snap-in:
    1. Open mmc (Run > mmc > Enter).
    2. Click File > Add/Remove Snap-in > Certificates > Add > Computer account > Local computer.
    3. Right-click the Personal container > All Tasks > Import > Next > Browse > select the .cer file from your CA admin > place the certificate in the Personal store.

  • Create a .pfx file:
    1. In Certificates > Personal, right-click the certificate you need to export > All Tasks > Export…
    2. Click Next.
    3. Select "Yes, export the private key".
    4. Mark the two check boxes (the original post shows them in a screenshot).
    5. Enter a simple password for the .pfx.
    6. Save the .pfx file.
    7. Click Finish.

  • Import the .pfx you created into the workgroup machine using the mmc Certificates snap-in (Computer account > Local computer, as above):
    1. Personal container > All Tasks > Import.
    2. Click Next > Browse > select the .pfx file > Open.
    3. Click Next.
    4. Enter the password you chose during the export and select "Mark this key as exportable".
    5. Click Next and select "Place all certificates in the following store" (Personal).
    6. Click Finish. The certificate is now imported on the workgroup machine.

  • Install SCOM 2012 agent on the WorkGroup machine.

The SCOM HealthService must be installed and started before you proceed to the next step. If the SCOM agent is not installed, MOMCertImport fails with this error:

    MOMCertImport.exe
    Please restart the healthservice to complete this process.
    Error description: The specified service does not exist as an installed service.
    Error code:80070424

  • Copy MOMCertImport.exe from <Drive>:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server to the workgroup machine.
  • Open CMD with admin rights and run MOMCertImport.exe.
  • In the certificate picker, select the certificate you just imported and click OK.
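
The whole export/import leg of the procedure above can also be scripted, and it is worth checking the certificate against the requirements encoded in REQconfig.inf before handing it to MOMCertImport, because a mismatch (wrong CN, missing Client Authentication EKU, untrusted chain on the workgroup side) only shows up later as a failed agent heartbeat. The script below is an added example, not code from the original post: it assumes the signed .cer has already been imported into LocalMachine\My on the SCOM server, uses the PKI module cmdlets Export-PfxCertificate / Import-PfxCertificate (Windows 8 / Server 2012 and later), and the path and PFX password are placeholders.

```powershell
# Added example (not from the original post). Run without -Import on the SCOM
# server to validate and export the certificate; copy the .pfx, then run with
# -Import on the workgroup machine before starting MOMCertImport.exe.
param(
    [switch]$Import,
    [string]$SubjectCN   = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
    [string]$PfxPath     = 'C:\Temp\scom-agent.pfx',   # placeholder
    [string]$PfxPassword = 'CHANGE-ME'                 # placeholder; delete the .pfx after import
)

$ServerAuth = '1.3.6.1.5.5.7.3.1'   # the two EKU OIDs from REQconfig.inf
$ClientAuth = '1.3.6.1.5.5.7.3.2'

function Test-ScomCertificate {
    # Returns a list of problems; an empty list means the certificate is usable.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Subject CN must equal the FQDN of the machine the certificate is installed on.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $SubjectCN) { $problems += "CN '$cn' does not match this machine's FQDN '$SubjectCN'" }

    # MachineKeySet=TRUE / Exportable=TRUE: the private key must be in the computer store.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the machine store' }

    # KeyLength=2048
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa -or $rsa.KeySize -lt 2048) { $problems += 'RSA key shorter than 2048 bits (or not RSA)' }

    # Both EKUs: the agent authenticates as a client and accepts connections as a server.
    $eku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($needed in @($ServerAuth, $ClientAuth)) {
        if ($oids -notcontains $needed) { $problems += "EKU $needed missing" }
    }

    # KeyUsage=0xf0 includes Digital Signature and Key Encipherment, which TLS needs.
    $ku    = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    if (-not $ku -or
        (($ku.KeyUsages -band $flags::DigitalSignature) -eq 0) -or
        (($ku.KeyUsages -band $flags::KeyEncipherment) -eq 0)) {
        $problems += 'KeyUsage lacks DigitalSignature and/or KeyEncipherment'
    }

    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter); renew before the channel breaks" }

    # The CA chain must be trusted on BOTH sides; this verifies only the machine running the script,
    # which is why the check is repeated after -Import on the workgroup machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    return $problems
}

$secret = ConvertTo-SecureString $PfxPassword -AsPlainText -Force

if ($Import) {
    # Workgroup machine: equivalent of the mmc import with "Mark this key as exportable".
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secret -Exportable
} else {
    # SCOM server: pick the newest cert with a private key issued for this FQDN.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$SubjectCN,*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "no certificate for CN=$SubjectCN in LocalMachine\My; import the .cer from the CA first" }
}

$issues = Test-ScomCertificate -Cert $cert
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'certificate does not meet the SCOM requirements; fix REQconfig.inf and re-enroll'
}

if ($Import) {
    Write-Host "imported $($cert.Thumbprint); now run MOMCertImport.exe and pick this certificate, then delete $PfxPath"
} else {
    # Equivalent of the mmc export with the private key included.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $secret | Out-Null
    Write-Host "exported $($cert.Thumbprint) to $PfxPath; copy it to the workgroup machine"
}
```

The check deliberately runs on both machines: on the SCOM server it catches a request built from a wrong .inf before the .pfx is ever copied around, and on the workgroup machine it catches the far more common problem that the issuing CA's root is not in that machine's Trusted Root store, which MOMCertImport itself will not complain about.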


The end!

I hope this has been helpful.

Memory leak

Memory leak – when the Available MegaBytes counter (Memory\Available MBytes) for the system has exceeded the threshold, system performance may be significantly diminished, which results in poor OS and application performance. End users will usually complain about slow computer performance, and you will probably get a help-desk call like "My computer is running slow" or "The server is running slow".

Memory leaks can be caused by:

  • Too many applications running simultaneously on the computer.
  • An application may be leaking memory over time.

To view the history of Memory\Available MBytes, add the Available MBytes counter in Performance Monitor, or even look at Task Manager > Performance.


Public Desktop Icons are Deleted After Logon in Windows 7

I think that a suitable name for this post might be "The case of the missing desktop shortcuts". I spent nearly an hour or more resolving the issue, so it is the right thing to share it with you.

The Problem

In Windows 7, users can't view the objects and icons published in "C:\Users\Public\Desktop".

Users cannot read data from "C:\Users\Public\Desktop".

You suspect that a GPO (Group Policy Object) prohibits users from viewing icons in the "C:\Users\Public\Desktop" folder.


Windows update fails with Error 0x80072efd

Windows update is one of the more important features of SCCM. Keeping all servers and workstations in your environment up to date is most important.

I met the following error while SCCM 2012 was trying to update one of my servers.

The problem

You try to push Windows security updates to a remote machine, but Windows update fails.


Create SCCM Distribution Point with Powershell

Hi Sysadmins

You need to create multiple SCCM 2012 Distribution Points fast and accurately!

Maybe you decided to upgrade your environment to SCCM 2012, or your company purchased another organisation. In any case, the reasonable way is to use a script rather than repeat the task over and over in the GUI.

The preferred scripting environment is PowerShell, since it already has many Configuration Manager cmdlets that can be helpful.

You do have to run at least SCCM 2012 SP1 for the following script to work.

The PowerShell script below reads the names of the Distribution Point servers from a file. See the example file here.


SCCM 2012 clients’ log files not created

Hi SysAdmins

In this post I am writing about a minor problem that occurs while installing a SCCM 2012 client, and how to solve it.

The Problem

You install a SCCM client on a machine.

After the installation finishes, you notice that not all logs are populated in the client machine's C:\windows\CCM\Logs directory.

If you check the ClientIDManagerStartup.log file, you notice the following error message:

RegTask: Failed to get certificate. Error: 0x80004005


How to install IIS features on SCCM 2012 Distribution Point with command line

Hi SysAdmins

Did you ever wonder how SCCM 2012 installs a DP remotely from the CM console?

DISM.exe (Deployment Image Servicing and Management tool) is a command-line tool that you can use to enable or disable Windows features.

In this case we use it to install all the necessary IIS features for a SCCM 2012 DP.

Command line to install IIS on DPs:
