Wednesday, 11 March 2015

Manually adding a SCOM agent to a non-domain member

Environment: Internal Domain sitting behind a firewall - this internal domain also has a CA we will use for issuing certificates for SCOM - the external server is not a member of the domain and is connecting via the internet.

Firstly we need to create a certificate request via Active Directory Certificate Services on the CA.

Load up ADCS in your web browser and go to "Request a certificate" >> "Advanced Certificate Request".

For the name we will enter the hostname, also replicate this for the "Friendly Name". "Type of Certificate Needed" should be set to "Other" - the OID should be,

We also want to make sure that the "Mak keys as exportable" is checked.

We will then go to the Certificate Auhority mmc snapin >> "Pending Requests" and approve the request we made earlier.

We can now head back to Active Directory Certificate Services >> "View the status of a pending certificate request" and then click on "Install certificate" - this will install it in our the local certificate store for the user within the personal branch. So we will export the certificate from the local certificate store on the CA (along with it's private key!)

We should install the SCOM client:
and then import our PFX we exported on the server we wish to add to SCOM. ** The certificate generated MUS be installed with the MOMCertImport utility:
MOMCertImportAMD64.exe my-exported-cert.pfx
We should also import the root certificate to the host that we want to install the SCOM client on - the root certificate can also be requested from Active Directory Certificate Services - although this can simply be imported under the "Local System" certificate store under "Trust Root Certificates".

And then finally restart the SCOM Agent Health Service:
sc stop healthservice
sc start healthservice

Now review the event log and make sure that the SCOM agent is now successfully communicating with the SCOM server.


Post a Comment