Installing SCOM 2012 agent on a workgroup or DMZ machine using Certificate

How to Install SCOM Agent on an Un-trusted machine

In order for SCOM to communicate with an un-trusted machine like in a WorkGroup / DMZ / different forest, you will have to import a certificate so that SCOM will trust the foreign machine and will be able to communicate with it. The most common example is a SCOM Gateway.
This topic is a bit complicated but if you use a guide like this you should be OK.

I added the files that you will need as well so you don't have to copy-paste them. Additional files: REQconfig.inf certreq

First thing you will need is an inf file that contains the request.

  • Create a REQconfig.inf file in this format:

[NewRequest]
; Subject DN of the machine that will present this certificate to SCOM.
; L is the Locality (city) and S the State; C is the two-letter country code.
Subject="CN=<servername>,OU=<Organizational unit>,O=<organization>,L=<city>,S=<state>,C=<country>"
; The private key must be exportable so it can be moved to the workgroup machine inside the .pfx.
Exportable=TRUE
KeyLength=2048
; KeySpec=1 means AT_KEYEXCHANGE (the key can be used for encryption as well as signing).
KeySpec=1
; 0xf0 = Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment.
KeyUsage=0xf0
; Store the key in the computer's key set, not the current user's.
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
; Server Authentication
OID=1.3.6.1.5.5.7.3.1
; Client Authentication
OID=1.3.6.1.5.5.7.3.2

  • On the SCOM server, use the certreq utility to create a certificate request for your organization's CA.
    Run certreq (available in your SCOM installation library) to accomplish this: certreq -new -f REQconfig.inf binreq.req
  • Send the .req file to your CA admin in order to create a .cer file. http://support.microsoft.com/kb/228821
  • Import the .cer file you receive from your organization's CA admin into the MS SCOM server to create a .pfx file using the mmc snap-in:
    1. Open mmc (Run > mmc > Enter)
    2. Click File > Add/Remove Snap-in > Certificates > Add > Computer account > Local computer.
    3. Right-click the Personal container > All Tasks > Import > Next > Browse > select the .cer file from your CA admin > Place the certificate in the Personal store.

  • Create a .pfx file:
  • In Certificates > right-click the certificate you need to export > All Tasks > Export…

  • Click Next
  • Select Yes
  • Mark both check boxes on this page of the export wizard

  • Enter a simple password

  • Save the .pfx file

  • Finish

  • Import the .pfx you created into the workgroup machine using the mmc snap-in:
  • Personal container > All Tasks > Import

  • Click Next > click Browse > select the .pfx

  • Select the .pfx file
  • Click Open

  • Click Next

  • Enter the password you chose when exporting
  • Select 'Mark this key as exportable'.

  • Click Next
  • Select 'Place all certificates in the following store' (Personal)

  • Click Finish

  • The certificate is now imported on the workgroup machine

  • Install the SCOM 2012 agent on the workgroup machine.

The SCOM HealthService must be running before you proceed to the next step. You will get this error from MOMCertImport.exe if the SCOM agent is not installed:


MOMCertImport.exe

Please restart the healthservice to complete this process.

Error description: The specified service does not exist as an installed service.

Error code:80070424



  • Copy MOMCertImport.exe from <Drive>:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server on the SCOM server to the workgroup machine.
  • Open CMD with admin rights and run MOMCertImport.exe.
  • Select the certificate you just imported and click OK.
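Before running MOMCertImport.exe it is worth confirming that the certificate you imported actually meets what SCOM needs, because the wizard will happily import a .pfx without its private key, and a workgroup machine has no Group Policy to push your CA's root certificate into its trust store. The PowerShell script below is an added example written for this guide; it is not part of the original post and not a Microsoft tool. It assumes the certificate sits in the local computer's Personal store with the subject CN set to this machine's FQDN (as requested in REQconfig.inf above; pass -SubjectCN if yours differs), and it assumes the registry location where the 2012 R2 agent records the bound certificate's serial number, which it uses only for an optional after-the-fact check.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: pre-flight checks for the certificate
# imported on the workgroup/DMZ machine, run before MOMCertImport.exe, plus an
# optional check of which certificate the agent is bound to afterwards.
# Assumptions: the certificate is in LocalMachine\My and its subject CN is this
# machine's FQDN, as in REQconfig.inf; override with -SubjectCN if needed.
param(
    [string]$SubjectCN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, from REQconfig.inf
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, from REQconfig.inf

function Test-ScomAgentCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key: re-export the .pfx with "Yes, export the private key"'
    }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "not valid now (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
    }

    # Both EKUs from the request must be present: SCOM authenticates in both directions.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($oid in $ServerAuthOid, $ClientAuthOid) {
        if ($ekuOids -notcontains $oid) { $problems += "missing EKU $oid" }
    }

    # KeyUsage=0xf0 in the request includes DigitalSignature and KeyEncipherment.
    $kuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $kuExt -or (($kuExt.KeyUsages -band $required) -ne $required)) {
        $problems += 'key usage lacks DigitalSignature and/or KeyEncipherment'
    }

    # Verify() builds the chain with the local trust store; on a workgroup box that
    # fails until the issuing CA's root (and intermediates) have been imported.
    if (-not $Cert.Verify()) {
        $problems += 'chain does not verify: import the CA root/intermediate certificates into Trusted Root / Intermediate CAs'
    }
    return $problems
}

function Test-ScomHealthService {
    # The 80070424 error quoted in the post means this service is not installed yet.
    $svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
    if (-not $svc) { return 'HealthService not installed: install the SCOM agent first' }
    if ($svc.Status -ne 'Running') { return "HealthService is $($svc.Status): start it before running MOMCertImport.exe" }
    return $null
}

function Get-ScomBoundCertificateSerial {
    # Assumption: MOMCertImport.exe records the chosen certificate's serial number here
    # as REG_BINARY in reversed byte order (2012 R2 agent); adjust if your build differs.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $item = Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    [byte[]]$bytes = $item.ChannelCertificateSerialNumber
    [array]::Reverse($bytes)
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

# Pick the newest certificate in the computer's Personal store whose CN matches.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "(^|,\s*)CN=$([regex]::Escape($SubjectCN))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Error "No certificate with CN=$SubjectCN in LocalMachine\My; repeat the .pfx import step."
    exit 1
}
Write-Host "Checking $($cert.Subject) (thumbprint $($cert.Thumbprint))"

$issues = @(Test-ScomAgentCertificate -Cert $cert)
$svcIssue = Test-ScomHealthService
if ($svcIssue) { $issues += $svcIssue }

if ($issues.Count -eq 0) {
    Write-Host 'All checks passed: run MOMCertImport.exe and select this certificate.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}

# After MOMCertImport.exe has run, confirm the agent is bound to this certificate.
$bound = Get-ScomBoundCertificateSerial
if ($bound) {
    if ($bound -eq $cert.SerialNumber) { Write-Host 'Agent is already bound to this certificate.' }
    else { Write-Warning "Agent is bound to serial $bound, not $($cert.SerialNumber)." }
}
```

Run it from an elevated PowerShell prompt on the workgroup machine, once after the .pfx import (expect only the "not bound" check to be silent) and again after MOMCertImport.exe (expect "Agent is already bound"). The chain check is the one that most often fails outside a domain: the management server's CA root has to be imported into the workgroup machine's Trusted Root Certification Authorities store by hand, a step the wizard flow above does not perform.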


The end!

I hope this has been helpful.
