Manual SCOM Agent Installation Server Core – Different Forest, No Gateway

Maybe you face a situation where you must install a SCOM agent on a Windows Server Core machine, e.g. a Hyper-V host. Let’s assume the Server Core machine is in a different forest and you don’t have a gateway server in place in the target forest. This means you have to get a certificate for each machine/agent and install it from the command shell…wh00h00…

I won’t talk about getting the certificates from the CA; here is an excellent article about getting the certificate using a batch file, or if you use bing.com you will find many hints.

I assume you have a copy of Windows 2008 R2 x64 Server Core and have also got all the certificates from your PKI. First, I would copy all certificates (*.pfx, Root CA / SubCA cert) and momcertimport.exe to the c:\Program Files\System Center Operations Manager 2012\Server\AgentManagement\amd64 directory. This is where the x64 SCOM agent is placed. Of course you could copy all the stuff to another directory, but for simplicity I’ll abuse this directory.

There are just a few commands you need to know.

The first step is to map the directory containing all your certs, momcertimport and the agent files directly from the SCOM server (you will be asked for the domain\user1 password):

    net use z: "\\SCOMRC.domain.com\c$\Program Files\System Center Operations Manager 2012\Server\AgentManagement\amd64" /user:domain\user1 <Enter>

Change to the mapped network drive z: by entering:

    z: <Enter>

After that you can call msiexec.exe to install the SCOM agent manually:

    msiexec.exe /i z:\MOMAgent.msi USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=<ManagementGroupName> MANAGEMENT_SERVER_DNS=<FQDNSCOM e.g. SCOMRC.domain.com> ACTIONS_USE_COMPUTER_ACCOUNT=1 <Enter>

Now import the *.pfx agent certificate for that particular server by calling certutil (Note: you cannot import a PFX file from a GUI-based server by opening the Certificates MMC and connecting to the Server Core server):

    certutil -importpfx server.domain.com.pfx

Next, import the Root CA certificate and, if you have a Subordinate CA, also import the Subordinate CA certificate into the “Trusted Root Certification Authorities” local computer store:

    certutil -f -addstore "Trusted Root Certification Authorities" RootCA.cer <Enter>
    certutil -f -addstore "Trusted Root Certification Authorities" SubCA.cer <Enter>

Register/Import the server certificate using the momcertimport.exe utility:

    z:\momcertimport.exe server.domain.com.pfx <Enter>

As the last step, restart the SCOM agent service (HealthService):

    net stop healthservice <Enter>
    net start healthservice <Enter>

After you see your agent in SCOM remove the z: drive from your monitored server by running this command:

    net use z: /delete <Enter>

Don’t forget to remove the certificates and momcertimport.exe from the agent \amd64 directory on the SCOM server.
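The steps above collected into one batch file with a check after each step, as an added example that is not part of the original post. The script name, the argument order, the `*` password prompt, `start /wait`, the `certutil -verifystore` check and the deletion of the PFX from the share are assumptions of this example; RootCA.cer and SubCA.cer are the file names used in the commands above.

```bat
@echo off
rem Added example, not the author's script. Hypothetical usage:
rem   install-agent.cmd ManagementGroupName ScomServerFqdn domain\user agent.pfx
rem Assumes RootCA.cer, an optional SubCA.cer, the PFX and momcertimport.exe
rem sit in the amd64 agent directory on the SCOM server, as in the post.
setlocal
if "%~4"=="" (echo Usage: %~nx0 MgmtGroup ScomFqdn Domain\User Agent.pfx & exit /b 2)
set "MG=%~1"
set "MS=%~2"
set "PFX=z:\%~4"
set "SHARE=\\%MS%\c$\Program Files\System Center Operations Manager 2012\Server\AgentManagement\amd64"
set "ROOTSTORE=Trusted Root Certification Authorities"

rem "*" makes net use prompt for the password instead of taking it as an argument.
net use z: "%SHARE%" * /user:%~3 || goto fail
if not exist "%PFX%" (echo %PFX% not found & goto fail)

rem start /wait blocks until the installer exits and hands back its exit code.
start /wait msiexec.exe /i z:\MOMAgent.msi USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP="%MG%" MANAGEMENT_SERVER_DNS=%MS% ACTIONS_USE_COMPUTER_ACCOUNT=1
rem 3010 means success with a reboot pending; anything else non-zero is a failure.
if errorlevel 1 if not "%errorlevel%"=="3010" goto fail

rem certutil and momcertimport prompt for the PFX password themselves.
certutil -importpfx "%PFX%" || goto fail
certutil -f -addstore "%ROOTSTORE%" z:\RootCA.cer || goto fail
if exist z:\SubCA.cer (certutil -f -addstore "%ROOTSTORE%" z:\SubCA.cer || goto fail)
z:\momcertimport.exe "%PFX%" || goto fail

rem Print the chain status of the certificates in the computer's personal store.
certutil -verifystore My

net stop healthservice
net start healthservice || goto fail

rem The PFX holds this server's private key; remove it from the share once imported.
del "%PFX%"
set RC=0
goto cleanup

:fail
set RC=1
echo A step failed, check the output above. 1>&2

:cleanup
net use z: /delete
endlocal & exit /b %RC%
```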
