How to deploy SCOM Agents to Workgroup clients
To configure manual agent installation settings
1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.
2. In the Operations Console, click the Administration button.
Note
When you run the Operations Console on a computer that is not a Management Server, the Connect To Server dialog box is displayed. In the Server name text box, type the name of the Operations Manager 2007 Management Server that you want the Operations Console to connect to.
3. In the Administration pane, expand Administration, and then click Settings.
4. In the Settings pane, expand Type: Server, right-click Security, and then click Properties.
5. In the Global Management Server Settings - Security dialog box, on the General tab, do one of the following:
To maintain a higher level of security, select Reject new manual agent installations, and then click OK.
To configure for manual agent installation, click Review new manual agent installations in pending management view, and then click OK.
Steps that were followed:
=====================
1. Request a certificate for the OpsMgr server using its FQDN
A. Browse to https://<CA_Server>/CertSrv from the OpsMgr server
B. Click the Request a Certificate link
C. Click the Advanced Certificate Request link.
D. Click the Create and submit a request to this CA link.
E. In the Name field, enter the FQDN of the Operations Manager server.
F. In the Type of Certificate Needed drop down select Other…
i. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
G. Check Mark keys as exportable.
H. Check Store certificate in the local computer certificate store.
I. In the Friendly Name field enter the FQDN of the OpsMgr server (must exactly match the Name field).
J. Click Submit.
K. Click the Yes button in the security pop-up.
2. Get the certificate request approved by the appropriate authority
3. Install the new certificate on the OpsMgr server
A. Revisit https://<CA_Server>/CertSrv from the OpsMgr server
B. Click the View the status of a pending certificate request link.
C. Click the link for newly issued certificate.
D. Click the Install this certificate link.
E. Select Yes to Security Warning dialog.
F. You should now see Your new certificate has been successfully installed.
4. Export the new certificate on the OpsMgr server and import it with MOMCertImport.exe
A. Open the Certificates snap-in for Local Computer
i. Launch MMC.exe from the Run box
ii. Select Add/Remove Snap-in from the File menu
iii. Select the Certificates Snap-in and click Add
iv. Select the Computer Account radio button and click Next
v. Ensure the Local Computer radio button is selected and click Finish
vi. Click Close and then click OK
B. Export the certificate to a PFX file
i. In the MMC, expand the Certificates (Local computer) node
ii. Expand the Personal node and select Certificates
iii. Locate the certificate for the OpsMgr server FQDN
iv. Right-click on the certificate and choose All Tasks -> Export…
v. Click Next on the Welcome page
vi. Select Yes, export the private key and click Next
vii. Click Next on the Export File Format page
viii. Enter a secure password and click Next
ix. Enter a valid path and file name with a PFX extension and click Next
x. Click Finish and verify that The export was successful is displayed
C. Run MOMCertImport.exe to import the certificate PFX file
i. Open a CMD prompt and change directory to SupportTools\i386 on the SCOM 2007 CD
ii. Execute: MOMCertImport.exe <path to PFX file> /password <password specified during export of PFX file>
iii. Use the Services MMC to stop and restart the OpsMgr Health Service
5. Install the Certificate Authority Certificate Chain on each intended agent and the Management Server.
NOTE: Instead of executing step 5 on each agent, you can download and save the chain to a .p7b file, copy it to each agent and install it. Then proceed to step 6.
A. Browse to https://<CA_Server>/CertSrv from the intended agent
B. Click the Download a CA certificate, certificate chain, or CRL link
C. Click the Install this CA certificate chain link.
D. Select Yes to the security dialog popup.
i. Select Yes if presented with a second security dialog popup
E. You should now see The CA certificate chain has been successfully installed
F. Open the Certificates snap-in for Local Computer
i. Launch MMC.exe from the Run box
ii. Select Add/Remove Snap-in from the File menu
iii. Select the Certificates Snap-in and click Add
iv. Leave My user account selected and click Finish
v. Select the Certificates Snap-in and click Add again
vi. Select the Computer Account radio button and click Next
vii. Ensure the Local Computer radio button is selected and click Finish
viii. Click Close and then click OK
G. Copy the Trusted Root Certificate from Current User to Local Computer
i. Expand the Certificates - Current User node
ii. Expand the Trusted Root Certification Authorities node
iii. Select Certificates and locate the new trusted Root CA
iv. Right-click the certificate and choose Copy
v. Expand the Certificates (Local Computer) node
vi. Expand the Trusted Root Certification Authorities node
vii. Right-click on Certificates and select Paste
6. Obtain and import a certificate for the intended agent using its NetBIOS name
A. Browse to https://<CA_Server>/CertSrv from the intended agent
B. Click the Request a Certificate link
C. Click the Advanced Certificate Request link.
D. Click the Create and submit a request to this CA link.
E. In the Name field, enter the NetBIOS name of the intended agent
F. In the Type of Certificate Needed drop down select Other…
i. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
G. Check Mark keys as exportable.
H. Check Store certificate in the local computer certificate store.
I. In the Friendly Name field enter the NetBIOS name of the intended agent (must exactly match the Name field).
J. Click Submit.
K. Click the Yes button in the security pop-up.
7. Get the certificate request approved by the appropriate authority
8. Install the new certificate on the intended agent
A. Revisit https://<CA_Server>/CertSrv from the OpsMgr server
B. Click the View the status of a pending certificate request link.
C. Click the link for newly issued certificate.
D. Click the Install this certificate link.
E. Select Yes to Security Warning dialog.
F. You should now see Your new certificate has been successfully installed.
9. Export the new certificate on the intended agent and import it with MOMCertImport.exe
A. Open the Certificates snap-in for Local Computer
i. Launch MMC.exe from the Run box
ii. Select Add/Remove Snap-in from the File menu
iii. Select the Certificates Snap-in and click Add
iv. Select the Computer Account radio button and click Next
v. Ensure the Local Computer radio button is selected and click Finish
vi. Click Close and then click OK
B. Export the certificate to a PFX file
i. In the MMC, expand the Certificates (Local computer) node
ii. Expand the Personal node and select Certificates
iii. Locate the certificate for the intended agent NetBIOS name
iv. Right-click on the certificate and choose All Tasks -> Export…
v. Click Next on the Welcome page
vi. Select Yes, export the private key and click Next
vii. Click Next on the Export File Format page
viii. Enter a secure password and click Next
ix. Enter a valid path and file name with a PFX extension and click Next
x. Click Finish and verify that The export was successful is displayed
C. Manually install the SCOM 2007 agent on the intended agent machine
i. Install MSXML 6.0
ii. Install MOMAgent.msi
D. Run MOMCertImport.exe to import the certificate PFX file
i. Open a CMD prompt and change directory to SupportTools\i386 on the SCOM 2007 CD
ii. Execute: MOMCertImport.exe <path to PFX file> /password <password specified during export of PFX file>
iii. Use the Services MMC to stop and restart the OpsMgr Health Service
E. Check Pending Management
F. Check Agent Managed
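A check for the certificates requested in steps 1 and 6, to run before MOMCertImport.exe. This is an added PowerShell example, not part of the original procedure: it confirms that a certificate in the Local Computer Personal store has the name, both OIDs, a private key and a machine-trusted chain that the steps above set up. The function name Test-OpsMgrCertificate and the use of $env:COMPUTERNAME as the expected name are assumptions.

```powershell
# Added example; Test-OpsMgrCertificate is a hypothetical helper, not a SCOM tool.
function Test-OpsMgrCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # FQDN on the OpsMgr server, NetBIOS name on a workgroup agent (steps 1E and 6E).
        [Parameter(Mandatory = $true)]
        [string]$ExpectedName
    )
    $problems = @()

    # Subject CN and Friendly Name must both be the value typed into the Name field.
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedName) { $problems += "Subject CN '$cn' is not '$ExpectedName'" }
    if ($Certificate.FriendlyName -ne $ExpectedName) { $problems += 'Friendly Name does not match the Name field' }

    # Both OIDs from steps 1F and 6F: Server Authentication and Client Authentication.
    $oids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) { $oids += $usage.Value }
        }
    }
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($oids -notcontains $oid) { $problems += "Missing EKU OID $oid" }
    }

    # The PFX export with private key (steps 4B and 9B) needs the key to be in the store.
    if (-not $Certificate.HasPrivateKey) { $problems += 'No private key in the store' }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    # Build the chain in machine context: the root must be trusted by Local Computer (step 5G).
    # A workgroup machine that cannot reach the CA's CRL shows up here as a revocation status.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) { $problems += "Chain: $($status.Status)" }
    }

    New-Object PSObject -Property @{
        Subject = $cn; Thumbprint = $Certificate.Thumbprint
        Ok = ($problems.Count -eq 0); Problems = $problems
    }
}

# Constructed usage on an agent; on the OpsMgr server pass its FQDN instead.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OpsMgrCertificate -Certificate $_ -ExpectedName $env:COMPUTERNAME }
```

Certificates in the store that were issued for other purposes will be reported with a name mismatch; only the row for the OpsMgr certificate needs Ok to be True.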
Comments
- Anonymous
January 01, 2003
Does this procedure also work on OpsMgr 2012? What about my existing domain joined agents? Will they still function or does that break?