Thursday, 1 March 2012

SCOM DMZ/Workgroup Agent Deployment Script(s)

I've been working for a customer tidying up their System Center installation this week and as part of that I was showing them how to deploy OpsMgr agents to their DMZ.

Their DMZ consists of workgroup based servers, which means each one needed certificates generating, installing and associating in order to work.

I was bored after doing the first one as it was so tedious so I took the time to write a couple of scripts to automate the process as much as possible.

So, script #1:
1.DMZAgentInstall.cmd
Running this script on the DMZ server will:
  1. Prompt for the name to be used for the certificate (preferably the FQDN, but make sure it matches the full computer name)
  2. Create the certificate request file
  3. Upload the certificate request file to a folder on the RMS
  4. Pause for the "2.GenerateCertificate.cmd" script to be run on a server/workstation in the same domain as the certificate server
  5. Import the Root CA certificate chain
  6. Import the SCOM Agent certificate
  7. Copy the agent install files locally (not strictly necessary, but done in this environment because IE7 security settings stopped files being executed from a remote share)
  8. Install the agent
  9. Install the CU5 updates
  10. Run MOMCertImport to associate the certificate with the Health Service
  11. Restart the Health Service

So, script #2:
2.CreateCertificate.cmd
This script must be run on a domain computer that has access to the issuing certificate server, using an account that has auto-enrolment rights on the certificate template. It will:
  1. Prompt for the full server name used during the 1.DMZAgentInstall.cmd script
  2. Submit the certificate request file to the certificate server
  3. Retrieve the certificate and store it ready for import
And there you have it, a quick two-step process to set up a DMZ/Workgroup client easily.

Now a couple of things:
  1. I know this would have been better in PowerShell before someone says it, but the customer had mainly Windows 2003 Servers, without PowerShell installed.
  2. If you have access to the certificate server from the DMZ, you could probably streamline this to one script, but this customer didn't.
  3. This was a quick and dirty throw together, feel free to improve and post back the results ;)
Things that need changing before running the scripts:
  1. Rename the downloaded files from .txt to .cmd
  2. Share the agent management folder on the RMS
  3. Create a Certs folder in the agent management folder on the RMS
  4. Change the following variables to reflect your environment
  5. The scripts assume you're using a PKI environment with the SCOM certificate template already set up

** Certificate Server Variables **
SET CERTPATH=\\<<SERVERNAME>>\<<SHARENAME>>\Certs
SET CATEMPLATE=<<SCOMGatewayAuthenticationTemplateName>>
SET CAFQDN=<<SERVERFQDN>>
SET CASERVER=<<CASERVER>>

** OpsMgr Agent Variables **
SET SOURCEFILES=\\<<SERVERNAME>>\<<SHARENAME>>
SET MGTGRP=<<SCOMMGTGRP>>
SET MGTSVRDNS=<<SERVERFQDN>>
SET SECPORT=5723
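As an added example (not the downloadable scripts themselves), the certificate half of the two-script flow condensed into one batch file, using the same variable names as above: run "dmz-request" on the workgroup server, "ca-issue" on a domain machine that can reach the CA, then "dmz-import" back on the workgroup server. The CA config string, the MOMCertImport location and the template name are placeholders you must change.

```batch
@echo off
REM Added example, not the post's own scripts. CACONFIG is "CAHost\CAName",
REM MOMCERTIMPORT is wherever you copied MOMCertImport.exe from SupportTools.
SET CERTPATH=\\SERVERNAME\SHARENAME\Certs
SET CATEMPLATE=SCOMGatewayAuthentication
SET CACONFIG=CASERVER.example.local\Example-Issuing-CA
SET MOMCERTIMPORT=\\SERVERNAME\SHARENAME\SupportTools\MOMCertImport.exe
IF "%1"=="dmz-request" GOTO dmzrequest
IF "%1"=="ca-issue"    GOTO caissue
IF "%1"=="dmz-import"  GOTO dmzimport
ECHO Usage: %~nx0 dmz-request ^| ca-issue ^| dmz-import
EXIT /B 1

:dmzrequest
SET /P CERTNAME=Full computer name (FQDN) for the certificate: 
REM Build the request .inf: machine key store, exportable, Server and Client
REM Authentication EKUs, which is what the Health Service needs for mutual auth.
> "%TEMP%\%CERTNAME%.inf" (
  ECHO [NewRequest]
  ECHO Subject="CN=%CERTNAME%"
  ECHO Exportable=TRUE
  ECHO KeyLength=2048
  ECHO KeySpec=1
  ECHO KeyUsage=0xf0
  ECHO MachineKeySet=TRUE
  ECHO ProviderName="Microsoft RSA SChannel Cryptographic Provider"
  ECHO [EnhancedKeyUsageExtension]
  ECHO OID=1.3.6.1.5.5.7.3.1
  ECHO OID=1.3.6.1.5.5.7.3.2
)
certreq -new "%TEMP%\%CERTNAME%.inf" "%CERTPATH%\%CERTNAME%.req"
GOTO :EOF

:caissue
SET /P CERTNAME=Full computer name used in the request: 
REM Submit against the SCOM template; the issued cert lands beside the request
certreq -submit -config "%CACONFIG%" -attrib "CertificateTemplate:%CATEMPLATE%" "%CERTPATH%\%CERTNAME%.req" "%CERTPATH%\%CERTNAME%.cer"
REM Export the CA chain so the workgroup server can trust the issued cert
certutil -config "%CACONFIG%" -ca.chain "%CERTPATH%\RootCertificate.p7b"
GOTO :EOF

:dmzimport
SET /P CERTNAME=Full computer name used in the request: 
certutil -f -addstore root "%CERTPATH%\RootCertificate.p7b"
REM -accept binds the issued cert to the private key created by certreq -new
certreq -accept "%CERTPATH%\%CERTNAME%.cer"
"%MOMCERTIMPORT%" /SubjectName %CERTNAME%
net stop HealthService
net start HealthService
```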

Scripts to Download:


7 comments:

Martin Martinec said...

Thanks for the scripts, they look pretty useful.

Just few questions:

SET CERTPATH=\\<>\<>\Certs <- is this on the SCOM or the CA server? Above you ask to Create the Certs server in the Agents directory on the SCOM server, is this where you point to?


** OpsMgr Agent Variables **
SET SOURCEFILES=\\<>\<> <- guessing this is the same directory where the Certs is located under?

Thanks in advance

Steve Beaumont said...

The CERTPATH can be on any server, as long as the accounts running the scripts have access to it.

The SOURCEFILES path is to the SCOM agent files.


Which actually has just highlighted a problem with the script as the line:
certutil -f -addstore root "%SOURCEFILES%\Certs\RootCertificate.p7b"

Should read:
certutil -f -addstore root "%CERTPATH%\Certs\RootCertificate.p7b"

Cheers,
SB

Martin Martinec said...

Thank you for that, appreciate your help

Few other things if you don't mind:
- Where do i get the SCOMGatewayAuthenticationTemplateName? Is this from the CA? how do I know which one to choose?
- what is the difference between the CAFQDN and the CAServer? I don't have the CA published externally, this would mean they are both the same?

Thank you again

M.

Martin Martinec said...

Ok, so I think I worked out the Template setting, I have copied a computer template and set it all up for auto enrollment, then published it. But when I run the 1st script I get the "Template not found. Do you wish to continue anyway?" prompt.

Do I have to do anything else with the template after adding it to the CA?

Thanks again

Puca said...

Please, What is:

SET CATEMPLATE=<>

??