Run a runbook with a specific account
Find the Orchestrator Administrators groupI installed a gateway server on Windows server 2008 X64 this week. Here are some steps from what I did. I started with installing a new standalone root certificate authority on a Windows Server 2008 X64 domain controller (DC01) with the following steps.
1. Add role
2. Active Directory Certificate Services
3. Certification Authority and Certification Authority Web Enrollment
4. Standalone, this CA does not use Directory Service data to issue or manage certificates
5. Root CA
6. Create a new private key
7. Default values on cryptography, CA Name, validity period (5 years), certificate database, web server (IIS), Role services
8. Confirm and install, the close the wizard
After that installed the root CA certificate and a certificate on both my management server (corp-R2) and on the gateway server (DMZ01).
1. From both the gateway server and the management server, browse to http://dc01/certsrv
2. Add http://dc01 to your trusted sites in IE
3. Download a CA certificate, certificate chain, or CRL
4. Download CA Certificate chain
5. Once the cert is downloaded, open a MMC with the Certificates (Local Computer) snap-in and import the certificate under Trusted Root Certification Authorities
There is a tool, certificate generation wizard, that you can download here, it can make gateway scenarios easier.
CertGenWizard.exe is a wizard tool which will take your CA information as input (it isn’t required if you are running the wizard on the box with the CA), take in the computer names (has to be FQDNs), and send out a request for the certificates you need. Now, you no longer have to fill out the Certificate Request form or enter parameters or connect to the web enrollment service. Once the certificates are approved, there is a Retrieve button in the CertGenWizard which will allow you to retrieve the certificates that you have requested. On top of the personal certificates, the wizard will retrieve the root CA certificate.
The next step is to request and install the proper certificate from the root CA server, this needs to be done on both the gateway and the management server.
1. From both the gateway server and the management server, browse to http://dc01/certsrv
2. Request a certificate
3. Advanced certificate request
4. Create and submit a request to this CA
5. If you get a error saying that the CA must be configured to use HTTPS authentication, change the security settings for trusted sites zone, enable Initialize and script ActiveX controls not marked as safe for scripting. Then reload the page
6. Input
Name, needs to be FQDN of the machine, for example dc01.corp.contoso.local
Type of certificate needed: Other
OID: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
CSP: Microsoft Enhanced Cryptographic Provider v1.0
Check Mark keys as exportable
Name: needs to be FQDN of the machine, for example dc01.corp.contoso.local
7. Submit the request
8. On your root CA, open the Certification Authority console, issue the certificate under pending requests
9. On the machine that request a certificate, browse to http://dc01/certsrv
10. View the status of a pending certificate request
11. Install the certificate by clicking on it
12. Open a MMC with the Certificates snap-in, for “my user account”. Under Personal certificates, export the certificate including the private key.
13. Open a MMC with the Certificates snap-in, for “local computer”. Import the certificate under personal certificates.
When both your gateway machine and your management server has each two certificates, the next step will be to run the MOMCertImport.exe tool on your management server. This tool will import the certificate into Operations Manager, writes the serial number of the certificate to use to the registry so Operations Manager components can determine which certificate to use for authentication. Run the tool and select the certificate to use. Then restart the System Center Management service on the management server.
Now it is time to approve the new gateway server. This is done with the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe. This tool depends on a dll file in the Operations Manager installation folder, copy the approval tool to that folder. Run the tool and approve your gateway, for example
Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=corp-r2.corp.contoso.local /GatewayName=DMZ01 /SiteName=DMZ /Action=Create
Next step is to install the gateway server. You need to copy the MOMCertImport.exe and the suitable gateway folder (for example AMD64) from the installation source to your gateway server. You need the whole gateway folder, including MOMGateway.msi and tree cabinet files named OMGW, SCXAGTS and OMAGTMGT). The run the MOMGateway.msi as administrator. It will fail if you not run it as administrator. Input the FQDN of the management server and the name of the management group. Select a action account, if you unsure, select local system and click next. When the installation of the gateway server is complete, run MOMCertImport.exe and import the certificate. Then restart the System Center Management service (HealthService).
Open the Operations Manager console and verify that your new gateway server is green and healthy. You can now move on and start install agents.
[…] Ops Mgr R2 and server 2008 in a gateway scenario (Microsoft System Center by Anders Bengtsson) […]
Hi, could it be that you don’t export the cert including the private key? As you can see in http://contoso.se/blog/?p=706 we need to export with private key.
When using CertGenWizard.exe on cert server that is Standalone CA i am able to generate cert but once i import the cert on agent machine i cannot locate private key in it. The CertGenWizard.exe doe snot give you option to request private key and because the CA server is standalone not Enterprise CA i cannot create any template to workaround it. Can you advise?
Hi Anders,
Thanks for your reply! It works perfectly!
Cheers,
Erik.
Hi Erik, thanks for reading my blog. I think the issue here is that you have installed the gateway server before you approved it. Then the gateway server will show up as a agent, instead of showing up as a managemet server. You will need to delete it again. Then run the gateway approval tool and make sure you get a entry under management servers for your gateway server. Then install the gateway server again.
I’ve completed all the steps that you mentioned.
My gateway is showing up “healthy” in the “Agent Managed” list.
Though I still cannot discover any servers that are in the same domain as the gateway server.
Do you have any suggestions on what I am doing wrong?
All servers (RMS, GW and other servers in the untrusted domain) can be pinged.
Thanks,
Erik.
When I run the MOMCertImport tool, we see three identically named subjectnames. Is this normal? We’re concerned that we may not select the correct certificate, or would it even matter?
Each machine will have local machine certificate and the CA certificate as trusted root CA. They dont need to have the remote computer certificate.
>When both your gateway machine and your management server has each two certificates,
which two — local machine and CA, or local machine and remote machine?
[…] time ago I posted an article about gateway servers, Ops Mgr R2 and Server 2008. This week I have extended that scenario by […]