If you would like to read the other parts in this article series please go to:
- Monitoring Exchange 2007 With System Center Operations Manager 2007 (Part 1)
- Monitoring Exchange 2007 With System Center Operations Manager 2007 (Part 3)
- Monitoring Exchange 2007 With System Center Operations Manager 2007 (Part 4)
Installing the Agent on Edge Server
The Edge Transport server can be deployed as a standalone server or as a member of an Active Directory domain (for advantages and disadvantages of each configuration, please read Deployment Options for Edge Transport Servers).
If you remember the topology from Part 1, I decided to install the Edge Server as a standalone (workgroup) server. This means that authentication against the Operations Manager server must be done with certificates, because the agent in the workgroup cannot authenticate with the management server in the domain using the Kerberos protocol.
Figure 1: Certificate Authentication
In this scenario, the agent must be manually installed. Although the agent setup is available on the Operations Manager installation media, we’ll use the binaries from the Management Server, since the required hotfixes are already there.
From the Edge server, browse to the folder where you installed the OpsMgr binaries on the Management server. In my case this was \\OpsMgr\D$\Program Files\System Center Operations Manager 2007\AgentManagement\AMD64\ (Figure 2). Double-click MOMAgent.msi to start the setup process (Figure 3). Click Next.
Figure 2: Agent installation binaries
Figure 3: Operations Manager Agent Setup
- On the Destination Folder window (Figure 4), accept the default installation path and click Next. On the next window (Figure 5), click Next to specify Management Group information.
Figure 4: Agent Setup: Destination Folder
Figure 5: Agent Setup: Management Group Configuration
- On the Management Group Configuration window (Figure 6), specify the Management Group Name, the Management Server and the Management Server Port. Click Next.
Figure 6: Agent Setup: Management Group Configuration (Cont.)
- On the Agent Action Account window (Figure 7), select Local System and click Next. Review the summary (Figure 8), click Install and then Finish (Figure 9).
Figure 7: Agent Setup: Agent Action Account
Figure 8: Agent Setup: Ready to Install
Figure 9: Agent Setup: Finish
- Go back to the folder where you installed the OpsMgr binaries on the Management server (\\OpsMgr\D$\Program Files\System Center Operations Manager 2007\AgentManagement\AMD64\) and run any hotfix that’s there (in my case I only had Q950853-x64.msp).
After these steps the agent will be installed, but it won’t be able to communicate with the Management Server, since it doesn’t have a certificate assigned yet.
Perform the following steps on both the computer hosting the agent and the Management Server, using the same certification authority (CA) for each:
- Request certificates from the CA
- Approve the certificate requests on the CA
- Install the approved certificates into the computer certificate stores
- Use the MOMCertImport tool to configure Operations Manager 2007
You can use a private CA; there is no need to buy public certificates. Depending on the kind of internal CA you have – Enterprise or Stand-Alone – the procedure to issue the required certificates differs slightly. The difference lies in the template needed for the certificate: a Stand-Alone CA lets you specify the OIDs for the type of certificate needed, whereas an Enterprise CA issues only from well-defined templates. That’s why for an Enterprise CA we’ll need to create and enable a new certificate template.
NOTE: In order to create and enable the required template, you must be running Windows Certificate Service on Windows Server Enterprise Edition. If you don’t have Enterprise Edition, my advice is to install a new Stand-Alone CA.
Since I had a Stand-Alone CA already installed on my DC, I’ll describe the steps for this kind of CA. If you’re interested in using an Enterprise CA, please read Operations Manager 2007 Security Guide.
Do these steps on Edge server and on the OpsMgr server (both require a certificate):
- Start Internet Explorer, and then connect to the computer hosting Certificate Services (http://<servername>/certsrv). On the Microsoft Certificate Services Welcome page, click Request a certificate. On the Request a Certificate page, click Or, submit an advanced certificate request. On the Advanced Certificate Request page, click Create and submit a request to this CA.
- On the Advanced Certificate Request page (Figure 10), do the following:
a) Under Identifying Information, in the Name field, enter the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. (Event ID 20052 of type Error is generated if the FQDN entered into the Name field does not match the computer name).
b) Under Type of Certificate Needed, click the list, and then select Other. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (Server Authentication and Client Authentication).
c) Under Key Options, click Create a new key set; in the CSP field, select Microsoft Enhanced Cryptographic Provider v1.0; leave the other default options (Key Usage: Both, Key Size: 1024, Automatic key container name selected). Select Mark keys as exportable, clear Export keys to file, clear Enable strong private key protection and then click Store certificate in the local computer certificate store.
d) Under Additional Options, in the Friendly Name field, enter the FQDN of the computer that you are requesting the certificate for and click Submit. If a Potential Security Violation dialog box is displayed, click Yes.
e) When a Certificate Pending page displays, close the browser.
Figure 10: Requesting the certificate online
- To approve the pending certificate request, log on to the computer hosting Certificate Services as an administrator and open the Certification Authority administration console. Expand the node for your certification authority name, and then click Pending Requests. In the results pane, right-click the pending request from the previous procedure, point to All Tasks, and then click Issue.
- To retrieve the certificate, log on to the computer where you want to install the certificate (and from where you issued the request). Start Internet Explorer, and connect to the computer hosting Certificate Services (http://<servername>/certsrv).
a) On the Microsoft Certificate Services Welcome page, click View the status of a pending certificate request.
b) On the View the Status of a Pending Certificate Request page, click the certificate you requested.
c) On the Certificate Issued page, click Install this certificate. In the Potential Scripting Violation dialog box, click Yes.
d) On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
- Since both servers must trust the CA who issued the certificates, we must now import the CA certificate on both machines (Edge and OpsMgr). Start Internet Explorer, and connect to the computer hosting Certificate Services (http://<servername>/certsrv).
a) On the Welcome page, click Download a CA Certificate, certificate chain, or CRL.
b) On the Download a CA Certificate, Certificate Chain, or CRL page, click Download CA certificate chain.
c) On the File Download dialog box, click Save, specify a file name (.P7B) and then click Save again. Close the browser.
- Run MMC and add the Certificates snap-in (in the Certificates snap-in dialog box, select Computer account, and then click Next. Ensure that Local computer is selected, and then click Finish). Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks and then click Import. Browse to the place where you saved the .P7B file and import the certificate.
- To import certificates using MOMCertImport, browse to the folder where the Operations Manager 2007 installation binaries are. The MOMCertImport utility is located in \SupportTools\i386 (for 64-bit computers, \SupportTools\amd64). Run the following command:
MOMCertImport /SubjectName <Certificate Subject Name>
(You can also export the previously issued certificate to a .PFX file and run the command MOMCertImport <Certificate File Name>.pfx)
Figure 11: Running MOMCertImport
If you ever need to remove certificates imported with the MOMCertImport tool, just run MomCertImport /Remove.
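As an added example (not from the original article), the same request, the wait for manual issuance, the retrieval, and a check of the certificate before MOMCertImport, done from PowerShell with certreq.exe instead of the web enrollment pages. The CA configuration string and the binaries path are assumptions; the request options mirror the ones chosen above.

```powershell
# Added example (not part of the original article): request the agent
# certificate with certreq.exe instead of the web enrollment pages, then check
# it before handing it to MOMCertImport. Assumed values: $caConfig and
# $binaries; everything else mirrors the options chosen in the article.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$caConfig = 'DC01.contoso.local\Contoso-StandAlone-CA'   # assumption: <CA host>\<CA name>
$binaries = 'D:\Program Files\System Center Operations Manager 2007'  # assumption
$inf = "$env:TEMP\opsmgr-agent.inf"; $req = "$env:TEMP\opsmgr-agent.req"; $cer = "$env:TEMP\opsmgr-agent.cer"

# Subject and friendly name = FQDN (otherwise Event ID 20052), new exportable
# 1024-bit key in the local computer store, Server and Client Authentication EKUs.
@"
[NewRequest]
Subject = "CN=$fqdn"
FriendlyName = "$fqdn"
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $inf -Encoding ASCII

certreq.exe -new $inf $req
$submit = certreq.exe -submit -config $caConfig $req $cer
# A stand-alone CA leaves the request pending: issue it in the CA console
# (Pending Requests > All Tasks > Issue) before retrieving it.
$requestId = ([regex]'RequestId:\s*(\d+)').Match(($submit -join "`n")).Groups[1].Value
Read-Host "Issue request $requestId on $caConfig, then press Enter"
certreq.exe -retrieve -config $caConfig $requestId $cer
certreq.exe -accept $cer          # installs into Cert:\LocalMachine\My

# Verify before MOMCertImport: exact subject match, private key present,
# both EKUs, and a chain that builds to a trusted root (the imported CA chain).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$fqdn" } | Select-Object -First 1
if (-not $cert)               { throw "No certificate with subject CN=$fqdn in the local computer store" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; request it with MachineKeySet = TRUE' }
$ekus = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages | ForEach-Object { $_.Value }
foreach ($oid in '1.3.6.1.5.5.7.3.1','1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { throw "Missing EKU $oid (Server/Client Authentication)" }
}
if (-not $cert.Verify()) { throw 'Chain does not build to a trusted root: import the CA chain (.p7b) first' }

& "$binaries\SupportTools\amd64\MOMCertImport.exe" /SubjectName $fqdn
```

Run it once on the Edge server and once on the Management Server, since each needs its own certificate from the same CA.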
Allow Manual Agent Installation
Before the first manual agent installation, the global setting must be changed from reject to “Review new manual agent installation in pending management view” in the operations console of OpsMgr 2007.
Open the Operations Console and in the Administration pane select Settings. In the right pane, expand Server and click Security (Figure 12). Click Properties and on the General tab select Review new manual agent installation in pending management view (Figure 13). Click OK to finish.
Figure 12: Allowing manual agent installations
Figure 13: Global Management Server Settings - Security
After every manual agent installation the new agent must be approved in the System Center Operations Manager Console:
Open the Operations Console, in the Administration pane expand Device Management and select Pending Management. In the right pane, right-click each server requiring approval and select Approve (Figure 14).
To check that the agent was successfully approved, look in the Agent Managed folder for the approved agent.
Figure 14: Manual Agent Install Approval
This concludes Part 2. In the next part we will cover the configuration process within the System Center Operations Console required to monitor Exchange 2007 servers with Operations Manager 2007.
- How to Remove a Certificate that was Imported with the MOMCertImport Tool in Operations Manager 2007
- How to Remove Certificates Imported with MOMCertImport in Operations Manager 2007
- Operations Manager 2007 Security Guide