Their DMZ consists of workgroup-based servers, which means each one needed a certificate generated, installed and associated with the agent in order to work.
I was bored after doing the first one, as it was so tedious, so I took the time to write a couple of scripts to automate the process as much as possible.
So, script #1:
1.DMZAgentInstall.cmd
Running this script on the DMZ server will...
- Prompt for the name to be used for the certificate (preferably the FQDN, but make sure it matches the full computer name)
- Create the certificate request file
- Upload the certificate request file to a folder on the RMS
- Pause for the "2.GenerateCertificate.cmd" script to be run on a server/workstation in the same domain as the certificate server
- Import the Root CA certificate chain
- Import the SCOM Agent Certificate
- Copy the agent install files locally (not required, but done in this environment because IE7 blocked files from being executed from a remote share)
- Install the agent
- Install the CU5 updates
- Run MOMCertImport to associate the certificate with the Health Service
- Restart the Health Service
So, script #2:
2.CreateCertificate.cmd
This script must be run on a domain computer that has access to the issuing certificate server, using an account that has auto-enrolment rights on the certificate.
- Prompts for the full server name used during the 1.DMZAgentInstall.cmd script
- Submits the certificate request file to the certificate server
- Retrieves the certificate and stores it ready for import
Now a couple of things:
- I know this would have been better in PowerShell before someone says it, but the customer had mainly Windows 2003 Servers, without PowerShell installed.
- If you have access to the certificate server from the DMZ, you could probably streamline this to one script, but this customer didn't.
- This was a quick and dirty throw together, feel free to improve and post back the results ;)
- Rename the downloaded files from .txt to .cmd
- Share the agent management folder on the RMS
- Create a Certs folder in the agent management folder on the RMS
- Change the following variables (listed below) to reflect your environment
The script assumes you're using a PKI environment with the SCOM Certificate Template setup ready
** Certificate Server Variables **
SET CERTPATH=\\<<SERVERNAME>>\<<SHARENAME>>\Certs
SET CATEMPLATE=<<SCOMGatewayAuthenticationTemplateName>>
SET CAFQDN=<<SERVERFQDN>>
SET CASERVER=<<CASERVER>>
** OpsMgr Agent Variables **
SET SOURCEFILES=\\<<SERVERNAME>>\<<SHARENAME>>
SET MGTGRP=<<SCOMMGTGRP>>
SET MGTSVRDNS=<<SERVERFQDN>>
SET SECPORT=5723
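As an added example (not the author's downloadable script), here is what the DMZ-side flow described above looks like in plain cmd with certreq and certutil, reusing the variable names from the page. The file names RootCA.cer and <name>.cer in the Certs share, and the SupportTools path for MOMCertImport.exe, are assumptions; the private key is generated on the DMZ host and never leaves it, only the request file crosses the boundary.

```batch
@echo off
REM Added example, not the original 1.DMZAgentInstall.cmd. Assumes CERTPATH, SOURCEFILES,
REM MGTGRP, MGTSVRDNS and SECPORT are SET earlier (as on the page), and that script #2
REM drops the issued cert as %CERTPATH%\<name>.cer and the chain as RootCA.cer (assumed).
setlocal
set /p CERTNAME=Enter the certificate name (must match the full computer name):

REM 1. Build a certreq INF for a server/client-auth cert. Non-exportable is a
REM    hardening choice here: MOMCertImport only needs the key to stay in the machine store.
(
echo [NewRequest]
echo Subject="CN=%CERTNAME%"
echo Exportable=FALSE
echo KeyLength=2048
echo KeySpec=1
echo KeyUsage=0xf0
echo MachineKeySet=TRUE
echo ProviderName="Microsoft RSA SChannel Cryptographic Provider"
echo ProviderType=12
echo [EnhancedKeyUsageExtension]
echo OID=1.3.6.1.5.5.7.3.1
echo OID=1.3.6.1.5.5.7.3.2
) > "%TEMP%\%CERTNAME%.inf"
certreq -new "%TEMP%\%CERTNAME%.inf" "%CERTPATH%\%CERTNAME%.req"
if errorlevel 1 (echo Request generation failed & exit /b 1)

echo Request uploaded to %CERTPATH%. Run 2.CreateCertificate.cmd on a domain machine, then
pause

REM 2. Trust the issuing chain, then bind the issued cert to the pending request/key.
certutil -addstore Root "%CERTPATH%\RootCA.cer"
certreq -accept "%CERTPATH%\%CERTNAME%.cer"
if errorlevel 1 (echo Accept failed: name mismatch or no matching pending request & exit /b 1)

REM 3. Install the agent with manual (non-AD) settings, associate the cert, restart.
msiexec /i "%SOURCEFILES%\MOMAgent.msi" /qn USE_SETTINGS_FROM_AD=0 ^
  MANAGEMENT_GROUP=%MGTGRP% MANAGEMENT_SERVER_DNS=%MGTSVRDNS% ^
  SECURE_PORT=%SECPORT% ACTIONS_USE_COMPUTER_ACCOUNT=1
REM MOMCertImport ships in the SupportTools folder of the SCOM media (path assumed).
"%SOURCEFILES%\SupportTools\MOMCertImport.exe" /SubjectName "%CERTNAME%"
net stop HealthService
net start HealthService
endlocal
```

If certreq -accept fails, the usual cause is a subject name that does not match the full computer name, which also breaks the agent's mutual authentication later.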
Scripts to Download: