One of the larger projects I’ve been working on is a revamp of the SCOM platform we use for monitoring Windows servers. An annoying problem we’ve always had is getting the agent installed on any particular server. You would think this would be the easiest part, but no, it’s actually quite a long-winded process. It boils down to how the SCOM agent authenticates to the RMS (root management server). If the agent and the RMS are in the same domain, or in domains that trust each other, then Kerberos can be used and there is no issue. For us, though, all the servers are going to be in untrusted domains or not domain-joined at all, so we can’t use Kerberos. This means we have to use a gateway server and certificates: the agent and the gateway authenticate each other with certificates issued by a CA that both sides trust.
The steps to installing the agent are roughly:
Install either the 32-bit or the 64-bit agent on the target server
Configure the agent with the target SCOM server (the gateway) and the management group name
Request a certificate from the SCOM CA with the server’s FQDN as the subject and the SCOM enhanced key usage OIDs (server authentication 1.3.6.1.5.5.7.3.1 and client authentication 1.3.6.1.5.5.7.3.2)
Hand that certificate to the SCOM agent
This seemed a perfect opportunity to do a small PowerShell project. The following are some tips to get the crucial parts of the process scripted; I’ve not gone into every detail or mentioned all the parts, but this will hopefully get you on your way. The script first needs to grab some information:
We can install the agent by calling msiexec from inside PowerShell and passing it what to install: the path to the 32-bit or 64-bit MSI, chosen according to the target’s architecture, plus the necessary properties (gateway address and management group name):
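The two steps above, gathering the facts the script keys off and then driving msiexec, as an added example; this is not the post’s own script. It assumes the SCOM media has been copied to the UNC share in `$AgentShare` with the MSIs under `AMD64\` and `i386\`, and it uses the public MSI property names documented for the SCOM 2007 R2 / 2012 agent (`USE_SETTINGS_FROM_AD`, `MANAGEMENT_GROUP`, `MANAGEMENT_SERVER_DNS`, `MANAGEMENT_SERVER_AD_NAME`, `SECURE_PORT`, `ACTIONS_USE_COMPUTER_ACCOUNT`); check those against the agent version you deploy. The gateway name, management group and share path are placeholders.

```powershell
# Added example, not from the original post. Assumed values are marked.
$AgentShare      = '\\deploy\scom\agent'   # assumption: your copy of the SCOM media
$GatewayFqdn     = 'scomgw.example.net'    # assumption: the gateway the agent reports to
$ManagementGroup = 'PRODUCTION'            # assumption: your management group name
$LogDir          = 'C:\Windows\Temp'

# 1. Information the rest of the deployment keys off: the FQDN (it becomes the
#    certificate subject later) and the OS architecture (it selects the MSI).
#    Win32_OperatingSystem is used rather than PROCESSOR_ARCHITECTURE so that a
#    32-bit PowerShell host on a 64-bit OS does not pick the wrong package.
$FQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$Is64 = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -like '64*'
if ($Is64) { $Msi = Join-Path $AgentShare 'AMD64\MOMAgent.msi' }
else       { $Msi = Join-Path $AgentShare 'i386\MOMAgent.msi' }
if (-not (Test-Path $Msi)) { throw "Agent MSI not found: $Msi" }

# 2. Hand msiexec the MSI and the properties that point the agent at the gateway.
#    USE_SETTINGS_FROM_AD=0 stops the agent looking for AD-integration settings
#    it could never reach from an untrusted domain or a workgroup.
$msiArgs = @(
    '/i', "`"$Msi`"", '/qn', '/norestart',
    '/l*v', "`"$LogDir\MOMAgent-install.log`"",
    'USE_SETTINGS_FROM_AD=0',
    "MANAGEMENT_GROUP=$ManagementGroup",
    "MANAGEMENT_SERVER_DNS=$GatewayFqdn",
    "MANAGEMENT_SERVER_AD_NAME=$GatewayFqdn",
    'SECURE_PORT=5723',
    'ACTIONS_USE_COMPUTER_ACCOUNT=1'
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# msiexec exit codes: 0 is success, 3010 is success with a reboot pending;
# anything else is a real failure and the verbose log says why.
switch ($proc.ExitCode) {
    0       { Write-Host "Agent installed on $FQDN" }
    3010    { Write-Warning "Agent installed on $FQDN, reboot required" }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogDir\MOMAgent-install.log" }
}
```

The verbose log and the exit-code switch are the parts worth keeping even if the rest is adapted: a silent `/qn` install that returns 1603 with no log leaves you guessing, and 3010 is not an error.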
Next we can start worrying about certificates. The first step is to import the CA chain for the SCOM CA into the local machine store, so that the agent trusts the certificate the gateway presents. Here is a script for installing a certificate; I won’t go into it here, but there is plenty of information online:
We use certreq again to submit our request file to the CA. An interesting problem occurs here. The CA is set to allow only specific users to request certificates, but within PowerShell your identity is that of whoever is logged in; that user isn’t going to exist on the CA, and so the request always fails. Having tried and failed to get a way of using impersonation directly in PowerShell, I ended up going about this in a rather roundabout way: I used psexec to execute certreq to submit the request, since psexec lets us specify credentials and effectively run certreq outside the PowerShell session’s identity. It’s messy but it does work. We also use the script to create a local install account; the same username and password must exist on the CA, because with no domain trust the CA can only authenticate the caller by NTLM against a matching local account. We then set psexec to use that account:
net user install-account password /add
psexec -u install-account -p password certreq.exe -submit -config "CA address" c:\certrequest.req c:\$FQDN.cer
Next we install the certificate we receive back, which binds it to the private key generated with the request; certreq can do this too:
certreq.exe -accept c:\dedipower\$FQDN.cer
Lastly we point the SCOM agent at that certificate using MOMCertImport. MOMCertImport can take either an actual certificate file or search for the certificate by subject name straight out of the local machine store:
momcertimport /subjectname $FQDN
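The whole certificate half of the procedure, from trusting the CA chain through the psexec submit to MOMCertImport, as one added example. It is my code, not the post’s script. It assumes the chain files, psexec and momcertimport have been copied to `$Tools`, that `$CAConfig` is the CA’s `host\CA name` config string, that `$Template` is the request template on an enterprise CA (drop the `[RequestAttributes]` section for a standalone CA), and that the local `install-account` has already been created on the CA with the same password. The INF fields (KeySpec=1, KeyUsage 0xA0 for digital signature plus key encipherment, the two EKU OIDs, MachineKeySet) are the attributes SCOM checks for on agent and gateway certificates.

```powershell
# Added example, not from the original post. Placeholders are marked as assumptions.
$Tools    = 'C:\scom-deploy'                        # assumption: chain files, psexec, momcertimport
$FQDN     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$CAConfig = 'scomca.example.net\SCOM-Issuing-CA'    # assumption: "host\CA name"
$Template = 'SCOMGateway'                           # assumption: enterprise CA template
$Account  = 'install-account'                       # must also exist on the CA, same password
$Password = Read-Host -Prompt "Password for $Account"   # prompted rather than hard-coded

# 1. Trust the SCOM CA: root into Root, any intermediate into CA, both in the
#    machine store so the agent can chain the gateway's certificate.
& certutil.exe -addstore -f Root "$Tools\scom-root.cer"    | Out-Null
& certutil.exe -addstore -f CA   "$Tools\scom-issuing.cer" | Out-Null

# 2. Request file. KeySpec=1 (key exchange), KeyUsage 0xA0 (digital signature
#    0x80 + key encipherment 0x20) and both EKUs are what SCOM requires;
#    MachineKeySet=TRUE stores the private key where the HealthService can use it.
$inf = @"
[NewRequest]
Subject="CN=$FQDN"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate=$Template
"@
$infPath = "$Tools\$FQDN.inf"; $reqPath = "$Tools\$FQDN.req"; $cerPath = "$Tools\$FQDN.cer"
Set-Content -Path $infPath -Value $inf -Encoding ASCII
& certreq.exe -new $infPath $reqPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit under the account the CA knows. Without a domain trust the CA
#    authenticates us by NTLM against a local account of the same name and
#    password, which is why the account has to exist on both machines.
& net.exe user $Account $Password /add | Out-Null
try {
    & "$Tools\psexec.exe" -accepteula -u $Account -p $Password `
        certreq.exe -submit -config $CAConfig $reqPath $cerPath
    if (-not (Test-Path $cerPath)) {
        throw "No certificate returned; if the CA holds requests for approval, issue it and fetch it with certreq -retrieve"
    }
    # 4. Bind the issued certificate to the private key generated in step 2.
    & certreq.exe -accept $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
}
finally {
    # The account exists only for the submit; do not leave a spare login behind.
    & net.exe user $Account /delete | Out-Null
}

# Check before touching the agent: the right subject, with a private key, and it chains.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FQDN" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)          { throw "No certificate for CN=$FQDN with a private key in LocalMachine\My" }
if (-not $cert.Verify()) { throw "Certificate $($cert.Thumbprint) does not chain to a trusted root" }

# 5. Point the agent at it and restart the HealthService so it reconnects via the gateway.
& "$Tools\momcertimport.exe" /SubjectName $FQDN
Restart-Service -Name HealthService
```

Two things to be aware of with the psexec step: the password is visible on the command line of the psexec process while it runs, so the throwaway account and the `finally` cleanup matter, and `Start-Process -Credential` is the native PowerShell way to launch certreq as another local user if you would rather avoid psexec. The store check before MOMCertImport catches the common failure where `-accept` ran in the wrong context and the certificate landed in the user store without its private key.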
After this step the agent should be communicating with your RMS via the gateway, and you can then approve the new server in the SCOM console under Pending Management. If you are trying to get a script going to automate your deployment of the SCOM agent, I hope this has been helpful and given you some tips.