Friday, October 31, 2014

System Center Operations Manager 2012 - Installing Certificates on an Agent


To monitor servers that are not in a trusted domain, System Center Operations Manager uses certificates to authenticate agent communication. You'll therefore need a certificate authority (CA) server to submit the certificate request to and to download the issued certificate from. You can use either a domain CA or a standalone CA if your environment already has one in place. I used a standalone.

Requirements
Certificate Authority Server
Port 5723 open from Server01 to the Management Server


  1. Create the request *.inf file.
  2. From the command prompt on server01, create the request file. This must be done on the computer the certificate is for.

    certreq -new -f server01.inf server01.req
  3. Copy the request file to the CA server and submit it

    certreq -submit -f server01.req
    1. Click OK to the dialogue box that pops up.
    2. Take note of the RequestId
  4. On the CA Server - launch the Certificate Authority MMC (certsrv.msc), select Pending Requests, right-click the certificate request with the RequestId from the previous step, and select All Tasks - Issue
  5. Retrieve the certificate (CA Server), passing the RequestId noted in step 3 (4 in this example)

    certreq -retrieve -f 4 server01.cer
    1. Click OK
    2. Copy the certificate file (server01.cer) to the server you are installing the agent on (server01)
  6. On Server01 - Install the certificate in the Local Computer - Personal Certificate store
  7. On Server01 - Export the certificate you just imported with the Private Key (server01-exported.pfx)
  8. Retrieve the CA certificate - This certificate will need to be installed in the Trusted Root Certification Authorities store on the Agent computer (server01)
    1. On the CA Server navigate to http://localhost/certsrv/
    2. Click on Download a CA certificate, certificate chain, or CRL
    3. Click on Download CA certificate
    4. Save this file (cacert.cer) and copy it over to the server the agent will be installed on (server01)
  9. On Server01 - Install the CA Certificate in the Trusted Root Certification Authorities
    1. Launch an MMC console and add the Certificates snap-in for the local computer
    2. Right-click the Certificates folder under Trusted Root Certification Authorities and select All Tasks -> Import
    3. Browse to the CA certificate saved from the previous step (cacert.cer)
    4. Click on Next, Next, and Finish
  10. Install the System Center Operations Manager Agent
    1. The files can be found in the AgentManagement folder
      C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\AgentManagement\
      64 bit agent - amd64 folder
      32 bit agent - x86 folder
    2. Run MOMCertImport.exe to import the certificate exported in step 7

      MOMCertImport.exe server01-exported.pfx
    3. Enter the password set in step 7
    4. If you're updating the certificate, run the remove command first

      MOMCertImport.exe /Remove
  11. Restart the Microsoft Monitoring Agent service
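
The checks below are an added example, not part of the original post: a PowerShell pre-flight for server01, run after step 9, that confirms the certificate in the Local Computer Personal store has its private key, carries the Server and Client Authentication EKUs that Operations Manager expects, chains to the CA certificate imported in step 9, and that port 5723 is reachable. The management server name is a placeholder, and matching the certificate's CN against the agent's FQDN assumes the request was created with that subject.

```powershell
# Added example: run on the agent computer (server01) in an elevated PowerShell.
param(
    # Assumption: the request's Subject CN is the agent's FQDN.
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    # Placeholder name, not from the original post.
    [string]$ManagementServer = 'ms01.example.local'
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Step 6: the certificate must be in Local Computer\Personal.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn })
if ($certs.Count -eq 0) { Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My" }

foreach ($cert in $certs) {
    # Collect the EKU OIDs from the certificate's extensions.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Step 9: the chain must end at the CA certificate in Trusted Root.
    # Revocation is skipped so the result reflects trust only
    # (a standalone CA's CRL may be unreachable from this host).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Expires       = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $ekus -contains $serverAuth
        ClientAuthEku = $ekus -contains $clientAuth
        ChainTrusted  = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Requirement: TCP 5723 open from the agent to the management server.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($ManagementServer, 5723); "Port 5723 reachable: $($tcp.Connected)" }
catch   { "Port 5723 reachable: False ($($_.Exception.Message))" }
finally { $tcp.Close() }
```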