Thursday 1 March 2012

SCOM DMZ/Workgroup Agent Deployment Script(s)

I've been working for a customer tidying up their System Center installation this week and as part of that I was showing them how to deploy OpsMgr agents to their DMZ.

Their DMZ consists of workgroup-based servers, which means each one needed a certificate generated, installed and associated with the agent before it would work.

I was bored after doing the first one, as it was so tedious, so I took the time to write a couple of scripts to automate the process as much as possible.

So, script #1:
1.DMZAgentInstall.cmd
Running this script on the DMZ server will:
  1. Prompt for the name to be used for the certificate (preferably the FQDN, but make sure it matches the full computer name)
  2. Create the certificate request file
  3. Upload the certificate request file to a folder on the RMS
  4. Pause for the "2.GenerateCertificate.cmd" script to be run on a server/workstation in the same domain as the certificate server
  5. Import the Root CA certificate chain
  6. Import the SCOM agent certificate
  7. Copy the agent install files locally (not strictly necessary, but done in this environment because IE7 blocked files from being executed from a remote share)
  8. Install the agent
  9. Install the CU5 updates
  10. Run MOMCertImport to associate the certificate with the Health Service
  11. Restart the Health Service

So, script #2:
2.CreateCertificate.cmd
This script must be run on a domain computer that has access to the issuing certificate server, using an account that has auto-enrolment rights on the certificate.
  1. Prompts for the full server name used during the 1.DMZAgentInstall.cmd script
  2. Submits the certificate request file to the certificate server
  3. Retrieves the certificate and stores it ready for import

And there you have it: a quick two-step process to set up a DMZ/workgroup client easily.
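The CA-side half of the exchange, again as an added example rather than the author's own script: it submits the .req left on the share by the DMZ server, names the template so the CA issues a certificate with the right key usages, handles the case where the CA holds the request for approval, and drops the CA certificate alongside so the DMZ script can build the chain. The CA config string "<host>\<CA name>" is assumed to map onto the post's CAFQDN and CASERVER variables, and a single-tier PKI is assumed (with an intermediate CA you would also need to copy the root separately).

```batch
@echo off
setlocal
REM Example CA-side script (added for illustration; placeholders in <<...>>).
REM Run on a domain computer as an account with enrol rights on the template.
SET CERTPATH=\\<<SERVERNAME>>\<<SHARENAME>>\Certs
SET CATEMPLATE=<<SCOMGatewayAuthenticationTemplateName>>
SET CAFQDN=<<SERVERFQDN>>
SET CASERVER=<<CASERVER>>

REM 1. Prompt for the same full computer name used on the DMZ server.
SET /P CERTNAME=Enter the full computer name used for the request: 
IF NOT EXIST "%CERTPATH%\%CERTNAME%.req" (
  ECHO No request file found for %CERTNAME% in %CERTPATH%.
  EXIT /B 1
)

REM 2. Submit the request against the named template. If the CA auto-issues,
REM    certreq writes the .cer straight to the output path; if the request is
REM    held for approval it prints a request ID instead and no .cer appears.
certreq -submit -config "%CAFQDN%\%CASERVER%" -attrib "CertificateTemplate:%CATEMPLATE%" "%CERTPATH%\%CERTNAME%.req" "%CERTPATH%\%CERTNAME%.cer"
IF ERRORLEVEL 1 GOTO :fail
IF EXIST "%CERTPATH%\%CERTNAME%.cer" GOTO :chain

REM 3. Pending request: retrieve it by ID once a CA administrator has approved it.
SET /P REQID=Request is pending; enter the request ID once it has been approved: 
certreq -retrieve -config "%CAFQDN%\%CASERVER%" %REQID% "%CERTPATH%\%CERTNAME%.cer"
IF ERRORLEVEL 1 GOTO :fail

:chain
REM Export the CA certificate next to the issued cert so the DMZ script can trust
REM the chain (single-tier PKI assumed, so the issuing CA is also the root).
certutil -config "%CAFQDN%\%CASERVER%" -ca.cert "%CERTPATH%\RootCA.cer"
IF ERRORLEVEL 1 GOTO :fail

ECHO Certificate for %CERTNAME% is ready in %CERTPATH%. Return to the DMZ server and continue.
GOTO :EOF

:fail
ECHO certreq/certutil failed with errorlevel %ERRORLEVEL%.
EXIT /B 1
```

Only the request and the issued public certificate pass through the share; the private key never leaves the DMZ server, which is the property that makes this split worth keeping even when the DMZ could reach the CA directly.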

Now a couple of things:
  1. Before someone says it: I know this would have been better in PowerShell, but the customer had mainly Windows 2003 servers, without PowerShell installed.
  2. If you have access to the certificate server from the DMZ, you could probably streamline this to one script, but this customer didn't.
  3. This was a quick and dirty throw-together, so feel free to improve it and post back the results ;)

Things that need changing before running the scripts:
  1. Rename the downloaded files from .txt to .cmd
  2. Share the agent management folder on the RMS
  3. Create a Certs folder in the agent management folder on the RMS
  4. Change the following variables to reflect your environment
  5. The scripts assume you're using a PKI environment with the SCOM certificate template set up and ready

** Certificate Server Variables **
SET CERTPATH=\\<<SERVERNAME>>\<<SHARENAME>>\Certs
SET CATEMPLATE=<<SCOMGatewayAuthenticationTemplateName>>
SET CAFQDN=<<SERVERFQDN>>
SET CASERVER=<<CASERVER>>

** OpsMgr Agent Variables **
SET SOURCEFILES=\\<<SERVERNAME>>\<<SHARENAME>>
SET MGTGRP=<<SCOMMGTGRP>>
SET MGTSVRDNS=<<SERVERFQDN>>
SET SECPORT=5723

Scripts to Download:

