Friday, March 25, 2016

How to multihome a SCOM agent and make it report to 2 different management groups in 2 different AD forests with no AD trust


Hey Guys !

A few weeks back we had a requirement from a customer who wanted to use the multihoming feature in SCOM.

He wanted an agent to report to 2 different management groups which sit in 2 different AD forests that do not have any type of trust between them.

So for example we had an agent named SCOM_2012.Mydomain.com which we had to make report to MG1 & MG2, which are in 2 different AD forests without any type of trust.

Microsoft states that the newer SCOM 2012 agents can report to up to 4 management groups at the same time.

If both management groups were in the same AD forest (or in trusted forests) I could have just added the management group name, management server name & port in the Microsoft Monitoring Agent control panel applet and let Kerberos take care of authentication.

Unfortunately, as they were in different, untrusted forests, Kerberos was not an option and I had to figure out a way to make this work with certificates.

So I checked the below possibilities additionally, which may be used by me or others if they get this kind of requirement.

Possibilities:

1. We can multihome a Workgroup agent in SCOM and make it report to up to 4 management groups at the same time by using certificates.
2. I have multihomed an agent which is part of the ABC domain, with its SCOM server also located in the ABC domain, and also made it report to MG2 in the XYZ domain using certificates.

NOTE: - The main thing to understand about certificates here is that neither Windows nor SCOM cares which certificate authority you use to generate the certificate. It trusts the certificate once you import the ROOT certificate of the CA which issued it into the Trusted Root Certification Authorities store of the Local Computer (if the issuing CA is a subordinate CA, its intermediate CA certificate must be available as well so the full chain can be built).

So you can use any CA in the organization; it does not necessarily have to be a CA in the ABC domain or the XYZ domain, or you can buy the certificate from a vendor if you do not have a CA.

I have explained the scenario of a SCOM agent which is in the abc.com domain and reporting to MG1 in abc.com, and I will be making it report to MG2 which is in the xyz.com domain, which does not have any type of AD trust with abc.com.

So lets get started :-)

Prerequisite: Ensure your agent is able to telnet to ALL the management server FQDNs of the management group MG2 on port 5723 (the agent must resolve those names and reach the port through any firewall in between, otherwise failover inside MG2 will not work).



1. Get 5 certificates generated using a certificate authority, with the FQDN of the agent or management server as the subject name (CN) of each certificate.

Now why 5 certificates? - Because 2 management servers in one management group & 2 management servers in the other management group & 1 cert for the agent.
If one management server in a management group fails, the agent should be able to authenticate to the next available management server in the management group. If you do not generate / import a cert for the other management server, the agent will not be able to fail over to it if the primary management server fails.

If your environment has only 1 MS per management group then 1 certificate each can be generated.

NOW - If you already have certificates imported on the management servers, issued by the same CA or any other CA, then you can skip this step and generate a certificate only for the agent.

To find out if there is already a certificate being used by the MS:
Open a command prompt and paste the below command, which will query the serial number of the certificate used by SCOM (the ChannelCertificateSerialNumber value, stored as REG_BINARY).

Command: Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"

Your output will look something like this, as in the below screenshot:

If you see output like the above on the management servers once you paste the command, it indicates there is already a certificate being used by the HealthService for server authentication. Verify the output on all the management servers, and you can skip generating certificates for them if you have the key.

You can use the below OIDs to generate the certificate for the management server or the agent, as these OIDs are the Server / Client Authentication enhanced key usages. Both are required on every certificate, because the HealthService acts as both server and client during mutual authentication.
OID: 1.3.6.1.5.5.7.3.1 (Server Authentication), 1.3.6.1.5.5.7.3.2 (Client Authentication)

Make sure you check the box "Mark private key as exportable" while generating the certificate. Otherwise you cannot export the certificate together with its private key into the .pfx file that MOMCertImport.exe needs, and the certificate will not work.

If you are still not sure how to generate the certificate, you can use the following article. It is written for a gateway, but the certificate part is the same and should work.
Certificate generation step by step article:
http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
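Here is an added example (not from the original post) of doing step 1 from the command line with certreq.exe on the machine that will own the certificate, instead of clicking through the MMC request wizard: it writes a certreq .inf with the machine FQDN as CN, both EKUs above and an exportable key, submits the request to an AD CS CA, and exports the issued certificate with its private key to a .pfx for MOMCertImport.exe. The CA config string ca01.abc.com\ABC-Issuing-CA, the folder C:\drift and the use of Export-PfxCertificate (PKI module, Windows Server 2012 / Windows 8 or later) are assumptions; an enterprise CA may also insist on a certificate template, which is why a CertificateTemplate attribute is shown commented out.

```powershell
# Added example, not from the original post. Run as Administrator on the agent or MS
# that will own the certificate. CA config, folder and template name are placeholders.

$Fqdn     = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName   # e.g. SCOM_2012.Mydomain.com
$CaConfig = 'ca01.abc.com\ABC-Issuing-CA'   # hypothetical; list real CAs with: certutil -dump
$WorkDir  = 'C:\drift'
$PfxPass  = Read-Host -AsSecureString -Prompt 'Password to protect the exported .pfx'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# Both EKUs are required: the HealthService is TLS server *and* client during mutual
# authentication. Exportable = TRUE is what "Mark private key as exportable" sets.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xF0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
; CertificateTemplate = SCOMMutualAuth
"@ | Set-Content -Path "$Fqdn.inf" -Encoding ASCII

# 1. create key pair + CSR in the computer store, 2. submit to the CA, 3. bind the issued cert to the key
certreq -new    "$Fqdn.inf" "$Fqdn.req"
certreq -submit -config $CaConfig "$Fqdn.req" "$Fqdn.cer"
certreq -accept "$Fqdn.cer"

# Export cert + private key: this .pfx is what MOMCertImport.exe consumes.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\$Fqdn.pfx" -Password $PfxPass | Out-Null

# Also fetch the issuing CA's certificate for import into Trusted Root CAs on every
# agent and MS. If this CA is a subordinate, you additionally need the root above it.
certutil -config $CaConfig -ca.cert "$WorkDir\IssuingCA.cer" | Out-Null
Write-Host "Done: $WorkDir\$Fqdn.pfx and $WorkDir\IssuingCA.cer"
```

Repeat this once per management server and once for the agent, changing nothing but the machine you run it on, since the CN is taken from the local FQDN.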

Now assuming you have generated the certificate, ensure you have the ROOT certificate ready as well.

Login to the SCOM agent which you wish to multihome and for which you generated the certificate.

Assuming you have already installed the SCOM 2012 / 2012 SP1 / 2012 R2 agent.
Now go to Control Panel --> select Microsoft Monitoring Agent as in the below screenshot.

Here add all the management groups you require the agent to report to. By default you should see one already added, and you will be allowed to add 3 more.

NOTE: - You cannot add 2 management servers of the same management group; the Microsoft Monitoring Agent will not allow that to be added.

In my example I had only 2 management groups to which I had to make it report, and I added them as in the below screenshot:

Now after adding the management groups click "OK" so the HealthService is restarted for the configuration to take effect.

Now comes the main part: importing the certificates.

NOTE - If you have already imported the certificates on the management servers, or already had them imported earlier, then that is good and you can ignore that step. As I already had the certificates imported on the management servers, I only need to import one on the agent.

For those who are importing the certificates for the 1st time, the process for agents & MS is the same up to running MOMCertImport.exe below. Just ensure you use the correct certificate you generated for each MS & agent.

The 1st thing is to import the ROOT certificate of the certificate authority which you used to generate the agent / management server certificates on the agent & the management servers. If you used the same certificate authority to generate the certificates for the MS earlier, then you should already have imported the ROOT cert there and it is not required to import it again on the management servers.

If you have used a different certificate authority now to generate the agent certificate, then the new ROOT certificate must be imported on ALL the management servers of all the management groups you want to multihome this agent to, so that when the agent presents its certificate to the MS, the MS trusts it as issued by a valid certificate authority. If you skip this then your agent will not report to the management group in the other, untrusted AD forest.

So double click on the root certificate as in the below screenshot:

Now click on the "Install Certificate" option as in the above screenshot.

Now select which account you want to import the cert into; here select Local Machine and click Next as in the below screenshot:

Now select the option to choose where to place the root certificate ("Place all certificates in the following store") as in my screenshot and click Browse:

Now select the Trusted Root Certification Authorities store and click OK.

Once you have selected the store click OK and click Next as in the below screenshot:

Now confirm the steps you performed earlier; it should look like the below. Click Finish.

Now it should show that the certificate has been imported successfully:

NOTE - If your management server is using a certificate generated by the same certificate authority as the agent then it is fine. If your management server is using a certificate generated by another CA, then that other CA's ROOT certificate must be imported on the agent as well, so the agent can trust the certificate and verify the issuer while authentication is taking place (authentication is mutual: each side validates the other's certificate chain).

Now it is time to import the agent certificate into the Local Machine / Computer account of the agent.

Copy MOMCertImport.exe from the installation media (SupportTools folder). For an x86 OS use the one in the x86 folder; for an x64 OS use the one in the AMD64 folder. Copy it to a directory on the agent that is convenient for you.

Now also copy the agent certificate into the same folder where you copied MOMCertImport.exe. My certificate file name is SCOM_2012_Lab_Cert.pfx.

Now open a command prompt as Administrator --> navigate to the folder where you copied the MOMCertImport.exe file.

Now type MOMCertImport.exe <drag and drop the .pfx certificate after the space>. It should look like the below.
As I placed both in c:\drift:
c:\drift>MOMCertImport.exe SCOM_2012_Lab_Cert.pfx

Now it will prompt for the password you set while exporting the certificate; enter the same and press Enter.

Once you enter the password you will see a message that the certificate was imported successfully and that you should check the Operations Manager event log.

In the Operations Manager event log you should see an event logged with Event ID 20053.

Now the certificate will be used to communicate with the new XYZ management group, and the management group in the abc domain will keep using Kerberos, as the agent is already in abc.com.
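The agent-side steps, from the port 5723 pre-flight check down to looking for event 20053, collected into one added PowerShell example (not from the original post). Run it from an elevated prompt on the agent. The management server names ms01.xyz.com / ms02.xyz.com, the C:\drift paths and the .pfx file name are placeholders; MOMCertImport.exe still prompts interactively for the .pfx password exactly as described above, and the HealthService restart is there so the newly bound certificate is loaded straight away.

```powershell
# Added example, not from the original post. Run as Administrator on the agent.
# Server names, paths and file names below are placeholders for your environment.

$Mg2ManagementServers = @('ms01.xyz.com', 'ms02.xyz.com')   # ALL MS of the target MG
$RootCaCer = 'C:\drift\RootCA.cer'                          # ROOT cert of the CA that issued the agent cert
$AgentPfx  = 'C:\drift\SCOM_2012_Lab_Cert.pfx'
$MomImport = 'C:\drift\MOMCertImport.exe'                   # from SupportTools\AMD64 (or \x86)

# 0. Pre-flight: every MS in MG2 must accept TCP 5723, or failover inside the MG will not work.
function Test-ScomPort {
    param([string]$Server, [int]$Port = 5723, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # no SYN/ACK in time
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}
foreach ($ms in $Mg2ManagementServers) {
    $ok = Test-ScomPort -Server $ms
    Write-Host ('{0,-30} TCP 5723 reachable: {1}' -f $ms, $ok)
    if (-not $ok) { Write-Warning "Fix DNS / routing / firewall to $ms before continuing." }
}

# 1. Trust the issuing CA: Local Computer > Trusted Root Certification Authorities.
certutil -addstore -f Root $RootCaCer | Out-Null

# 2. Bind the agent certificate to the HealthService. MOMCertImport prompts for the .pfx
#    password and records the certificate's serial number under
#    HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings.
& $MomImport $AgentPfx

# 3. Restart the HealthService so it loads the certificate, then look for event 20053.
Restart-Service HealthService
Start-Sleep -Seconds 20
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) { $ev | Format-List TimeCreated, Message }
else     { Write-Warning 'No event 20053 yet; check the Operations Manager log for 20070 / 20071.' }
```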

So now open the SCOM console in the xyz domain --> go to Administration --> Pending Management and approve the agent.
If you do not see the agent, wait for some time and analyse the Operations Manager event log to see whether authentication is happening or not.

If you do not see the agent in Pending Management, then ensure you have not set the option to reject manually installed agents; your settings should look like the below:

Open the SCOM console of the MS located in the XYZ domain --> go to Administration --> Settings --> select Security, and your setting should look like the below ("Review new manual agent installations in pending management view" rather than "Reject new manual agent installations").
Below is the screenshot of how it reported healthy in both places.



If you still do not see the agent showing there after some time, then check the below in the agent's Operations Manager event log:

The real trick is to analyse the Operations Manager event log on the management servers as well; if there is some certificate issue it will show up there. Below are the events generated on the agent:

If you see Event ID 20070 + 20016 then authentication works and it should be fine; most likely you did not approve the agent from Pending Management yet, which is why you see the error.
If you see Event ID 20071 + 20016 then there is an authentication issue, and you will need to check whether the certificate import was done properly, whether the certificate name matches the computer FQDN, or whether you missed importing the ROOT certificate on the agent, on the MS, or on both. If you used different CAs to generate the certificates for the agent & MS, then both ROOT certs must be imported on both the agent & the MS (and on the MS of the other management group) so each side can verify the other's cert during the authentication process.

On the management server you will see events saying mutual authentication failed from the device IP. This can indicate certificates were missed, were not generated properly with the right name, or ROOT certificates were not imported.

Also go to MMC --> Add / Remove Snap-ins --> select Certificates --> select Computer Account (the below verification procedure is the same for MS & agent).

Now go to the Personal store / folder and you will see the certificate you bound using MOMCertImport.exe. Double click on the certificate and go to the last tab, Certification Path; at the bottom you should see "This certificate is OK" as in my screenshot:

Check the above certificate step on both the agent and the management servers in the XYZ domain, as a certificate problem on either end will cause this not to work.
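As an added diagnostic (not from the original post) covering both the event-log triage and the Certification Path check above, the following PowerShell script, run on the agent and on each MS in MG2, reads the serial number SCOM has bound from the registry, finds that certificate in the Local Computer Personal store, checks subject, private key, both EKUs, validity and the chain to a trusted root, then summarizes the 20053 / 20070 / 20071 / 20016 events of the recent past using the interpretation given above. The 24-hour window is an arbitrary choice, and the detail that the registry value is named ChannelCertificateSerialNumber and holds the serial in reversed byte order comes from my own experience with SCOM 2012, not from the post.

```powershell
# Added diagnostic example, not from the original post. Read-only: it only reads the
# registry, the certificate store and the event log. Run as Administrator.

$MachineSettings = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$RequiredEkus    = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')   # Server Auth + Client Auth
$Fqdn            = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$LookBackHours   = 24                                            # assumption: adjust as needed

# --- 1. Which certificate has MOMCertImport bound? --------------------------------
# From experience (assumption, not from the post): the serial sits in the
# ChannelCertificateSerialNumber REG_BINARY value with its bytes reversed.
$raw = (Get-ItemProperty -Path $MachineSettings -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if (-not $raw) { Write-Warning 'No certificate bound here: MOMCertImport.exe has not been run.'; return }
[array]::Reverse($raw)
$serial = ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
Write-Host "Bound certificate serial: $serial"

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
if (-not $cert) { Write-Warning "Serial $serial is bound but no such certificate exists in LocalMachine\My."; return }

# --- 2. Does it meet the HealthService requirements? -------------------------------
$ekus    = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
             ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)       # the same walk the MMC "Certification Path" tab shows
$now     = Get-Date

$checks = @(
    @{ Name = 'Subject CN matches FQDN';      Pass = ($cert.Subject -eq "CN=$Fqdn") },
    @{ Name = 'Private key present';          Pass = $cert.HasPrivateKey },
    @{ Name = 'Server + Client Auth EKUs';    Pass = (@($RequiredEkus | Where-Object { $ekus -notcontains $_ }).Count -eq 0) },
    @{ Name = 'Within validity period';       Pass = ($cert.NotBefore -lt $now -and $cert.NotAfter -gt $now) },
    @{ Name = 'Chain builds to trusted root'; Pass = $chainOk }
)
foreach ($c in $checks) { '{0,-32} {1}' -f $c.Name, $(if ($c.Pass) { 'OK' } else { 'FAIL' }) }
if (-not $chainOk) {
    # Usual cause from the post: the issuing CA's ROOT cert is missing from LocalMachine\Root.
    foreach ($s in $chain.ChainStatus) { Write-Warning ('Chain: {0} - {1}' -f $s.Status, $s.StatusInformation.Trim()) }
}

# --- 3. What have the recent authentication events said? --------------------------
$filter = @{ LogName = 'Operations Manager'; Id = 20053, 20070, 20071, 20016; StartTime = $now.AddHours(-$LookBackHours) }
$seen   = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id -Unique)
Write-Host ('Event IDs seen in the last {0}h: {1}' -f $LookBackHours, ($seen -join ', '))
if     ($seen -contains 20071 -and $seen -contains 20016) { 'Authentication FAILING: re-check cert name, EKUs and ROOT CA trust on BOTH the agent and the MS.' }
elseif ($seen -contains 20070 -and $seen -contains 20016) { 'Authentication OK but rejected: approve the agent under Administration > Pending Management.' }
elseif ($seen -contains 20053)                             { 'Certificate loaded; if the agent is still not in Pending Management, read the MS event logs.' }
else                                                       { 'No relevant events in the window; confirm the HealthService is running and was restarted after the import.' }
```

Because the chain is built with the default policy, a CRL that the agent cannot reach shows up as a RevocationStatusUnknown warning rather than a clean OK, which is worth knowing before you blame the ROOT certificate.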

Once you see the agent in Pending Management, right click on the agent and click Approve. After 10 - 15 min you should see the agent healthy under Agent Managed in both management groups, as in the below screenshot.


I also tested the same machine in a Workgroup scenario, and by using the same steps above I was able to make that work as well, as in the below screenshot:

If anyone has any questions please post them below so I can clarify them.
