Overcast » Blog Archives

Author Archives: admin

Uncategorized

Installing Windows Features using PowerShell 3.0


Here's a nice trick I learned the other day. Have you ever been in a situation where you quickly needed to install a Windows feature or role, say the Telnet client? I wonder why the Telnet client is no longer there by default. Go figure.
Anyhow, PowerShell 3.0 (more precisely, the ServerManager module that ships with Windows Server 2012) makes it very easy and convenient. No need to memorize all the feature names; you're no savant, right?
Well, here's the magic.
Open a PowerShell prompt and type:

Get-WindowsFeature | Out-GridView -PassThru | Install-WindowsFeature

And there you go: Out-GridView pops up a window listing every feature. You can even type in the grid's filter box to narrow the list (in my case the Telnet client was already installed).

Select the features you want, click OK and there you have it: everything you ticked is handed to Install-WindowsFeature.

Easy, right? Don't you think this is even better than the normal GUI option? One caveat: Out-GridView needs the Windows PowerShell ISE feature, so this trick won't work on Server Core. And remember that the Telnet client talks in clear text; it is fine as a port-reachability probe, never as an administration tool.
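A slightly more careful version of the same trick, as an added example (not code from the original post): the grid only offers features that are not installed yet, the result object returned by Install-WindowsFeature is inspected for success and restart requirements, and the non-interactive form is shown with -WhatIf for when you already know the feature name. It assumes Windows Server 2012 or later with the ServerManager module and a full GUI install (Out-GridView needs the ISE feature).

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 or later, where
# Get-WindowsFeature / Install-WindowsFeature come from the ServerManager module, and a
# full GUI install, since Out-GridView needs the Windows PowerShell ISE feature.
Import-Module ServerManager

function Get-MissingFeature {
    # Only features that are NOT installed yet, so the grid offers real candidates.
    param([string]$NameLike = '*')
    Get-WindowsFeature -Name $NameLike | Where-Object { -not $_.Installed }
}

function Install-SelectedFeature {
    # Same idea as the one-liner in the post, but the grid is pre-filtered and the result
    # object is inspected instead of scrolling past it.
    param([string]$NameLike = '*')
    $selected = Get-MissingFeature -NameLike $NameLike |
        Out-GridView -Title 'Select features to install' -PassThru
    if (-not $selected) { Write-Warning 'Nothing selected.'; return }
    $results = $selected | Install-WindowsFeature
    foreach ($r in $results) {
        # FeatureOperationResult exposes Success, RestartNeeded and the FeatureResult list.
        $names = ($r.FeatureResult | ForEach-Object { $_.DisplayName }) -join ', '
        $state = if ($r.Success) { 'OK' } else { 'FAILED' }
        '{0}: {1} (restart needed: {2})' -f $state, $names, $r.RestartNeeded
    }
}

# Non-interactive form for when you do know the name. The Telnet client is 'Telnet-Client';
# -WhatIf shows what would be installed (dependencies included) without touching the box.
Install-WindowsFeature -Name Telnet-Client -WhatIf

# Interactive form: list only the not-yet-installed features whose name starts with 'Telnet'.
Install-SelectedFeature -NameLike 'Telnet*'
```

Checking RestartNeeded on the result is the part people skip: a feature that reports success but needs a restart is not usable until the box has been rebooted, and a change-window script that ignores that value will happily move on.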

Cheers!


New Home


Dear followers, I have decided to finally move away from Blogger. It works fine, but I wanted a bit more control.

I hope you enjoy my System Center blog!

The old blog is still alive at scomandplus.blogspot.com

Thank you for the support!

Jose Fehse


Issues after migrating SCOM 2012 Database


As this post is being written, the official Microsoft procedure to migrate a SCOM 2012 operational database is incomplete. See the official procedure here: http://technet.microsoft.com/en-us/library/hh278848.aspx
There are two extra steps you have to do. The first I documented in a previous post:

You need to change the value under the registry key below. Otherwise you'll have issues, for example when trying to apply SP1: setup tries to talk to your old SQL server and can't figure out the upgrade scenario.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup\DatabaseServerName
This used to be documented in the original 2007 database move guide. I don't know why it was removed.

On step seven, Microsoft mentions one occurrence of the server name, under the Cmdb tag of the management server's ConfigService.config file:

Actually, the server name also appears under the ConfigStore tag in the same file, and if you don't change it you'll keep seeing login errors: invalid login attempts against the old SQL server, because the Config Service keeps trying to connect there.

Update: there is actually another step you should do to avoid the funky (useless) SQL messages you see when something SQL-related happens. Please see the article below from Marnix Wolf:
http://thoughtsonopsmgr.blogspot.ca/2012_10_01_archive.html
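The two leftovers above (the registry value and the two Server settings in the config file) are easy to miss by hand, so here is an added example, not from the original post or from Microsoft's procedure, that finds every reference to the old SQL server and rewrites it with a backup and -WhatIf support. Assumptions: the registry value is the one named above; the config file is ConfigService.config under the management server's Server folder (adjust $ConfigPath if yours differs); the file has no default XML namespace and carries `<Category Name="Cmdb">` and `<Category Name="ConfigStore">` elements each containing a `<Setting Name="Server" Value="..."/>`; the server names in the usage lines are constructed placeholders.

```powershell
# Added example, not from the original post. Assumptions: the registry value below is the one the
# post names; the config file is ConfigService.config under the management server's Server folder,
# with <Category Name="Cmdb"> / <Category Name="ConfigStore"> elements that each carry a
# <Setting Name="Server" Value="..."/> child and no default XML namespace.
$DefaultRegistryKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup'
$DefaultConfigPath  = "$env:ProgramFiles\System Center 2012\Operations Manager\Server\ConfigService.config"

function Get-StaleSqlReference {
    # Lists every place that still points at the old SQL server (instance suffix allowed).
    param(
        [Parameter(Mandatory)][string]$OldServer,
        [string]$RegistryKey = $DefaultRegistryKey,
        [string]$ConfigPath  = $DefaultConfigPath
    )
    $findings = @()
    $reg = Get-ItemProperty -Path $RegistryKey -Name DatabaseServerName -ErrorAction SilentlyContinue
    if ($reg -and $reg.DatabaseServerName -like "$OldServer*") {
        $findings += [pscustomobject]@{ Location = "$RegistryKey\DatabaseServerName"; Value = $reg.DatabaseServerName }
    }
    if (Test-Path -LiteralPath $ConfigPath) {
        [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
        foreach ($cat in 'Cmdb', 'ConfigStore') {
            $node = $cfg.SelectSingleNode("//Category[@Name='$cat']/Setting[@Name='Server']")
            if ($node -and $node.GetAttribute('Value') -like "$OldServer*") {
                $findings += [pscustomobject]@{ Location = "$ConfigPath ($cat/Server)"; Value = $node.GetAttribute('Value') }
            }
        }
    }
    $findings
}

function Set-SqlReference {
    # Rewrites every stale reference found above. The config file is backed up first; -WhatIf previews.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OldServer,
        [Parameter(Mandatory)][string]$NewServer,   # e.g. 'SQL02\OPSMGR' (constructed placeholder)
        [string]$RegistryKey = $DefaultRegistryKey,
        [string]$ConfigPath  = $DefaultConfigPath
    )
    $reg = Get-ItemProperty -Path $RegistryKey -Name DatabaseServerName -ErrorAction SilentlyContinue
    if ($reg -and $reg.DatabaseServerName -like "$OldServer*" -and
        $PSCmdlet.ShouldProcess("$RegistryKey\DatabaseServerName", "set to $NewServer")) {
        Set-ItemProperty -Path $RegistryKey -Name DatabaseServerName -Value $NewServer
    }
    if (-not (Test-Path -LiteralPath $ConfigPath)) { return }
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $changed = $false
    foreach ($cat in 'Cmdb', 'ConfigStore') {
        $node = $cfg.SelectSingleNode("//Category[@Name='$cat']/Setting[@Name='Server']")
        if ($node -and $node.GetAttribute('Value') -like "$OldServer*") {
            $node.SetAttribute('Value', $NewServer)
            $changed = $true
        }
    }
    if ($changed -and $PSCmdlet.ShouldProcess($ConfigPath, "update Cmdb/ConfigStore Server to $NewServer")) {
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
        $cfg.Save($ConfigPath)
    }
}

# Usage (constructed names):
Get-StaleSqlReference -OldServer 'SQL01'
Set-SqlReference -OldServer 'SQL01' -NewServer 'SQL02\OPSMGR' -WhatIf
```

Run Get-StaleSqlReference first and again after the change; an empty result the second time is the check that nothing is still pointing at the decommissioned server, which is also what stops the failed-login noise on its side.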

Hope this helps!


Upgrading SCSM 2012 to SP1


Upgrading my System Center Service Manager 2012 Lab to 2012 SP1

Pre-requisites

Before you start anything, make sure you have at least Service Manager 2012 Cumulative Update 2 (CU2) applied to your installation.

SP1 Preparations

http://technet.microsoft.com/en-us/library/jj900186.aspx

I have used the Microsoft original steps as a reference and added my comments when I found necessary.

——————————————————–

This topic describes how to prepare your System Center 2012 – Service Manager environment for an upgrade. To do this, perform the following procedures for upgrading the data warehouse management server:

1. List the data warehouse jobs that are running.

2. Disable the data warehouse job schedules.

3. Confirm that the data warehouse jobs have stopped running.

When the data warehouse jobs have completed, start the upgrade of the data warehouse management server.

After the data warehouse has been upgraded, perform the following procedures on the first Service Manager management server:

1. Wait 10 minutes, and then start the upgrade of the Service Manager management server.

Detailed Steps

To list the data warehouse jobs by using Windows PowerShell cmdlets

1. On the computer that hosts the data warehouse management server, click Start, click All Programs, click Microsoft System Center 2012, and then click Service Manager Shell.

There doesn't seem to be a Service Manager Shell on the DW server. I may not have installed it; it's been a while and I can't be sure. However, you can open a regular PowerShell console and the steps work.

2. Type the following commands, and then press ENTER after each command:

Set-ExecutionPolicy RemoteSigned -Force

cd 'C:\Program Files\Microsoft System Center 2012\Service Manager'

Import-Module .\Microsoft.EnterpriseManagement.Warehouse.Cmdlets.psd1

Get-SCDWJob | ft Name, Status

(I added the "| ft Name, Status", otherwise you get a lot of unnecessary information.) A side note on the first line: the execution policy is not a security boundary, but there is no reason to relax it machine-wide for a one-off import; adding -Scope Process to that command limits the change to the console you are typing in.

3. A list of the data warehouse jobs appears. Use this list in the next procedure, "To disable data warehouse job schedules by using Windows PowerShell cmdlets."

To disable data warehouse job schedules by using Windows PowerShell cmdlets

1. Type the following commands, and then press ENTER after each command:

Disable-SCDWJobSchedule -JobName Extract_<SCSM_ManagementGroupName>

Disable-SCDWJobSchedule -JobName Extract_DW_<SCSM_ManagementGroupName>

Disable-SCDWJobSchedule -JobName Transform.Common

Disable-SCDWJobSchedule -JobName Load.Common

Disable-SCDWJobSchedule -JobName DWMaintenance

Disable-SCDWJobSchedule -JobName MPSyncJob

Start-SCDWJob -JobName MPSyncJob

The last command, which starts the MPSyncJob, lets the extraction, transformation and load (ETL) jobs run to completion. After that, because all the schedules have been disabled, the jobs will stop. To close the Windows PowerShell window, type exit.

To confirm that the data warehouse jobs have stopped running

1. In the Service Manager console, click Data Warehouse.

2. In the Data Warehouse pane, expand Data Warehouse, and then click Data Warehouse Jobs.

3. In the Data Warehouse Jobs pane, observe the Status column for each data warehouse job. When the status for each job is listed as Not Started, proceed to the next procedure to stop the Self-Service Portal. If no Self-Service Portal exists in your environment, you can start the upgrade process in How to Upgrade to System Center 2012 SP1 – Service Manager.

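The disable, kick-off and confirm sequence above, as an added example (not from Microsoft's procedure or this post): one script that disables the same six schedules, starts the final MPSyncJob and then polls Get-SCDWJob until every job reports Not Started, so nobody has to watch the console. Assumptions: the module path is the one the post uses; the job objects' Status property returns the string 'Not Started' (the value the console shows); the management group name 'SM_LAB' in the usage lines is a constructed placeholder.

```powershell
# Added example, not from Microsoft's procedure or the original post. Assumes the data warehouse
# cmdlet module at the path the post uses and the job names the post lists.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
Import-Module "$env:ProgramFiles\Microsoft System Center 2012\Service Manager\Microsoft.EnterpriseManagement.Warehouse.Cmdlets.psd1"

function Stop-DwJobsForUpgrade {
    # Disables the six schedules and lets one last MPSyncJob run the ETL chain to completion;
    # with the schedules disabled nothing restarts afterwards.
    param([Parameter(Mandatory)][string]$ManagementGroupName)
    $jobs = @("Extract_$ManagementGroupName", "Extract_DW_$ManagementGroupName",
              'Transform.Common', 'Load.Common', 'DWMaintenance', 'MPSyncJob')
    foreach ($j in $jobs) { Disable-SCDWJobSchedule -JobName $j }
    Start-SCDWJob -JobName MPSyncJob
}

function Wait-DwJobsStopped {
    # Polls instead of eyeballing the console: $true once every job reports 'Not Started',
    # $false if the timeout passes first (in which case do not start the upgrade).
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $active = @(Get-SCDWJob | Where-Object { $_.Status -ne 'Not Started' })
        if ($active.Count -eq 0) { return $true }
        $summary = ($active | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        Write-Host "Still active: $summary"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

# Usage (constructed management group name):
Stop-DwJobsForUpgrade -ManagementGroupName 'SM_LAB'
if (-not (Wait-DwJobsStopped -TimeoutMinutes 90)) {
    throw 'Data warehouse jobs are still running; do not start the upgrade.'
}
```

The timeout matters: the ETL chain on a busy warehouse can take well over an hour, and the failure mode you want to avoid is launching setup while Load.Common is still writing.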

Stopping the Self-Service Portal

Since I couldn't find the exact procedure, I assumed that shutting the portal server down completely would do the trick. We will see.

Data Warehouse Management Server

Use the following procedure to upgrade the data warehouse management server.

 

*Important

Make sure that you have stopped the data warehouse jobs before you continue. For more information, see How to Prepare Service Manager 2012 for Upgrade to SP1.

 

To upgrade the data warehouse management server

1. Log on to the computer that will host the data warehouse management server by using an account that is a member of the Administrators group. This account must also be a local administrator.

2. On the Service Manager installation media, double-click the Setup.exe to start the Service Manager Setup Wizard.


Here’s what I’ve got:


Now, what is that?!?

Found this article. It may help, but it didn’t seem to be my case:

http://donnystyle.wordpress.com/2011/02/14/upgrade-service-manager-2010-sp1-system-center-service-manager-is-not-in-avalid-state/

OK. Started over. Moved my VM to a better host and restarted the DW server. It seems to be moving:

1. On the Microsoft System Center 2012 page, click Upgrade Service Manager data warehouse management server.

2. On the Prepare for upgrade page, select the two items indicating that you have read the appropriate sections in the System Center 2012 – Service Manager Upgrade Guide, and then click Next.

3. On the Product registration page, type the appropriate information in the boxes. Read the Microsoft Software License Terms; if applicable, click I have read, understood, and agree with the terms of the license agreement; and then click Next.

4. On the System check results page, ensure that the prerequisite check passed or at least passed with warnings, and then click Next.

It's a lab, guys! 😉

5. On the Configure Analysis Service for OLAP cubes page, in the Database server box, type the computer name of the server that will host the SQL Server Analysis Services (SSAS) database, and then press the Tab key. When Default appears in the SQL Server instance box, click Next.

Well, this question didn't show up for me. Let's see how it goes.

 

*Important

If you are installing SSAS on a computer other than the computer that hosts the data warehouse management server and there is a firewall in your environment, you must make sure that the proper firewall ports are opened. For more information, see "Port Assignments for System Center 2012 – Service Manager" in the Planning Guide for System Center 2012 – Service Manager.

 

6. On the Configure Analysis Services credential page, specify the user name, password and domain for the account, and then click Test Credentials. After you receive a message saying "The credentials were accepted," click Next.

7. On the Help improve System Center page, indicate your preference for participation in the Customer Experience Improvement Program and in Error Reporting. As an option, click Tell me more about the program, and then click Next.

Nope…

8. On the Use Microsoft Update to help keep your computer secure and up-to-date page, indicate your preference for using Microsoft Update to check for Service Manager updates, and then click Next.

Nope….

9. On the Configuration Summary page, read the information that is provided and, if it is accurate, click Install.

10. On The upgrade was completed successfully page, if you have already backed up the encryption key, clear the Open the Encryption Backup or Restore Wizard check box, and then click Close.

Well, surprisingly fine!

Let's see how the management server goes:

Service Manager Management Server

Use the following procedure to upgrade the Service Manager management server.

To upgrade the Service Manager management server

1. Log on to the computer that will host the Service Manager management server by using an account that is a member of the Administrators group.

2. On the Service Manager installation media, double-click the Setup.exe to start the Service Manager Setup Wizard.

3. On the Microsoft System Center 2012 page, click Upgrade Service Manager management server.

4. On the Prepare for upgrade page, select the two items indicating that you have read the appropriate sections in the Upgrade Guide for System Center 2012 – Service Manager, and then click Next.

5. On the Product registration page, type the appropriate information in the boxes. Read the Microsoft Software License Terms and, if applicable, click I have read, understood, and agree with the terms of the license agreement, and then click Next.

6. On the System check results page, ensure that the prerequisite check passed or at least passed with warnings, and then click Next.

Got this: a complaint about the SQL Server Analysis Management Objects.

I was pretty sure I had them installed earlier, but let's try to install them again.

Well, I had the 2008 objects but not the 2012 ones. So, a point to the setup program!

Rebooted...

I wish I could say exactly why it worked now, but there you go!

7. On the Configuration Summary page, read the information that is provided and, if it is accurate, click Install.

8. On The upgrade was completed successfully page, if you have already backed up the encryption key, clear the Open the Encryption Backup or Restore Wizard check box, and then click Close.

Success! It works.

Service Manager Console

Use the following procedure to upgrade the Service Manager console, if you have any consoles besides the one on the server.

To upgrade the Service Manager Console

1. Log on to the computer that will host the Service Manager console by using an account that is a member of the Administrators group.

2. On the Service Manager installation media, double-click the Setup.exe to start the Service Manager Setup Wizard.

3. On the Microsoft System Center 2012 page, click Upgrade Service Manager console.

4. On the Prepare for upgrade page, select the two items indicating that you have read the appropriate sections in the Upgrade Guide for System Center 2012 – Service Manager, and then click Next.

5. On the Product registration page, read the Microsoft Software License Terms and, if applicable, click I have read, understood, and agree with the terms of the license agreement, and then click Next.

6. On the System check results page, ensure that the prerequisite check passed or at least passed with warnings, and then click Next. Make sure you have the SQL Server 2012 Analysis Management Objects installed and that the machine was rebooted after you installed them, otherwise setup won't recognize them.

7. On the Configuration Summary page, read the information that is provided and, if it is accurate, click Install.

8. On The upgrade was completed successfully page, click Close.

Upgrading the Self-Service Portal

Although I couldn't find an upgrade document from Microsoft right now, I thought it would make sense to upgrade the Self-Service Portal as well. Here's how I did it:

1. Log on to the computer that will host the Service Manager Self-Service Portal by using an account that is a member of the Administrators group.

2. On the Service Manager installation media, double-click the Setup.exe to start the Service Manager Setup Wizard.

3. On the Microsoft System Center 2012 page, click Upgrade Service Manager console .

4. On the Prepare for upgrade page, select the two items indicating that you have read the appropriate sections in the Upgrade Guide for System Center 2012 – Service Manager, and then click Next.

5. On the Product registration page, read the Microsoft Software License Terms and, if applicable, click I have read, understood, and agree with the terms of the license agreement, and then click Next.

6. On the System check results page, ensure that the prerequisite check passed or at least passed with warnings, and then click Next.

7. On the Configuration Summary page, read the information that is provided and, if it is accurate, click Install.

8. On The upgrade was completed successfully page, click Close.

No big issues with the upgrade!

Hope it helps!

Addendum:

Noticed a few side effects: I left the VM with unlimited memory (1 TB, although I only have 48 GB on my Hyper-V host). After 24 hours the Analysis Services process (msmdsrv.exe) was taking 15 GB of memory, although there was basically no activity, and it seemed to be going up and up, nonstop. Memory leak? Probably not: SSAS holds on to memory up to a percentage of what the OS reports as physical RAM rather than handing it back, so with no memory cap on the VM this growth is expected behaviour.

After a reboot and limiting the memory on the VM, things seem normal. However, the services failed to start initially. I had to do some exercise in starting the Data Access service and restarting the Management and Management Configuration services, otherwise the Lfx service would refuse to start properly.


Failed RMS promotion


Last week, at a customer site, I needed to promote an MS to RMS, in order to reuse the old RMS as the main SCOM 2012 server.
It is supposed to be a simple procedure, but, famous last words... (Oh boy, I'm so glad the whole RMS/MS distinction went away with 2012.)
The customer had the RMS, 3 MS and 3 gateway servers. The environment, although complex enough, is not being used too heavily, but I still took all the needed precautionary actions: DB backups, MP backups, etc.
 
So, here we go for the actual command:
C:\Program Files\System Center Operations Manager 2007>ManagementServerConfigTool.exe PromoteRMS /DeleteExistingRMS:True
 
Everything going ok, till:
Adjusting DW old RMS: ROOTMANAGEMENTSERVER.domain.tld new RMS: MANAGEMENTSERVER.domain.tld
Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index.

Well, after recovering from the shock, I started to check the current state of things.
The old MS (the RMS-to-be) shows as the RMS now. OK.
Services on the new RMS: not all started. Services on the old RMS: all started. Not good.


Since this environment is not fully operational and not heavily used (and I was not feeling like restoring the DB), I decided to dig a bit more.
So, I first fixed the services: stopped them on the old RMS and started them on the new RMS. Looking good.
Then I noticed the 2 other management servers were grayed out. Not good. Why? They were still trying to talk to the old RMS. I went straight to the registry and changed some keys (basically searched for the old RMS name). No luck after the restart. Then I found the article on how to change a gateway server's primary management server and followed the same procedure (http://blogs.technet.com/b/operationsmgr/archive/2009/05/22/opsmgr-2007-how-to-configure-a-gateway-to-communicate-with-a-different-management-server-without-moving-agents.aspx), not really expecting it to work, since one would think an MS would be more complicated than a gateway. Well, it did the trick. After I renamed the Health Service State folder, the MS went back to green and so did its agents.
The gateways themselves had to be fixed too, but that was expected.
After that, I configured what was left (Reporting) according to this article and I'm back in business: http://scomskills.com/blog/?p=59
I think that if this were a heavily used (real) production environment I wouldn't proceed exactly like this, but it was good learning.
Hope it helps,

 
Jose Fehse

Syncing only non-disabled users with Service Manager 2012 Active Directory Connector



Today at a customer implementation, we started importing users from AD into the Service Manager 2012 CMDB.
After the first sync we noticed that all users, including disabled ones, had been synced. That matters beyond tidiness: disabled accounts that land in the CMDB can be picked as affected users or assignees on work items long after the person is gone.

After some digging, it seems the LDAP query below does the trick (it goes into the connector's LDAP query field):

 
 

Only the enabled users were imported.
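The standard LDAP construction for this, as an added example (not the query from the original post): exclude accounts whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set, using the bitwise-AND matching rule 1.2.840.113556.1.4.803. The block builds that filter, reproduces the same bit test locally on constructed userAccountControl values so it runs offline, and includes a live DirectorySearcher query for a domain-joined machine; the search root in the comment is a constructed placeholder.

```powershell
# Added example, not the query from the original post. The standard way to exclude disabled
# accounts in an LDAP filter is a bitwise AND on userAccountControl with the ACCOUNTDISABLE
# flag (0x2) through matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND).
$ACCOUNTDISABLE = 0x2

function Get-EnabledUserLdapFilter {
    # Person objects of class user whose disabled bit is NOT set. This is the string to paste
    # into the connector's LDAP query field.
    "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
}

function Test-AccountEnabled {
    # The same test the LDAP matching rule performs, done locally on a userAccountControl value.
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $ACCOUNTDISABLE) -eq 0)
}

function Find-EnabledUser {
    # Live query via System.DirectoryServices; run on a domain-joined machine to preview
    # exactly which accounts the connector will import with this filter.
    param([string]$SearchRoot = '')   # e.g. 'LDAP://OU=Staff,DC=corp,DC=example' (constructed)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]$SearchRoot }
    $searcher.Filter   = Get-EnabledUserLdapFilter
    $searcher.PageSize = 1000   # paged results, or large domains silently cap at 1000 entries
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName     = [string]$r.Properties['samaccountname'][0]
            UserAccountControl = [int]$r.Properties['useraccountcontrol'][0]
        }
    }
}

Get-EnabledUserLdapFilter

# Offline check on constructed userAccountControl values:
#   512   = NORMAL_ACCOUNT
#   514   = NORMAL_ACCOUNT + ACCOUNTDISABLE
#   66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
#   66050 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + ACCOUNTDISABLE
foreach ($uac in 512, 514, 66048, 66050) {
    '{0,6} -> enabled: {1}' -f $uac, (Test-AccountEnabled -UserAccountControl $uac)
}
```

Run Find-EnabledUser against the same search root the connector uses before saving the connector; the count it returns is what you should see imported, and any disabled account in that list means the filter was mangled on the way into the console.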


SCOM 2012 Extended Agent Info


 
SCOM 2012 Extended Agent Info – a SCOM 2012 migration companion MP

I don't know about you, but I have been performing migrations of several SCOM 2007 R2 environments to SCOM 2012 and I could sure use some help. Since I don't believe in in-place migrations, I have decided to do all of them side by side. It has its issues, but I believe the resulting environment is cleaner.

I started with the excellent post from Andreas Zuckerhut and from there developed my own methodology. I first automated some processes, like adding and removing management groups from the console: http://scomandplus.blogspot.ca/2012/07/adding-scom-agent-task-to-update.html. I also added a task on the console to show the management group info, but I always thought it could be nicer. Then I decided to get serious, put the kids to sleep and wrote this little piece of SCOM authoring: a management pack that connects the old and the new SCOM worlds.
 
A little background: when you do the side-by-side approach, the agents get a double personality disorder: they report to both SCOM MGs and one side doesn't know about the other. So, during the process, you need to know:
 
                – Which agents have received the new management group configuration;
 
                – The agent version (that is available already, but not in the same view).
 
You'll also need a tool to remove the old MG info from the agents and a view to observe the results.
 
Say no more! Here it is! That’s what the MP does!
 
Now for some documentation:
 
Management Pack Elements
 
Discovery
 
It has a discovery, which creates the new extended agent class. It is based on the Windows Computer class and adds two properties:
 
                – Management Group Info
 
                                This field shows:  MGName;Primary Server;TCP Port##
 
                                In case you have more than one MG, it will show something like this:
 
                                MGName;Primary Server;TCP Port## MGName;Primary Server;TCP Port##
 
                – AgentVersion
 
Agent Tasks
 
There are also three agent tasks, targeted at the Extended Agent class:
 
                Remove MG info from Agent – it requires an override (the MG name), removes the MG info and restarts the HealthService service.
Run the task under an account that is a local administrator on the target server (a Domain Admin account works, but local administrator rights are all that is needed), otherwise the service may stop but not start again and you'll have a dead agent. Be careful with DMZ servers or servers in other domains. This task restarts the SCOM agent after it finishes. I have noticed that around 15% of the agents won't come back after the restart. This is due to the way the agent works: the task is asking the very process that hosts it to restart itself. That's why I added a version of the same task that doesn't restart the agent:
              Remove MG info (No Restart) – same as above, but without the agent restart. You can use sc or psexec to restart the agents afterwards.
              Add MG info to agent – can be used to fix a mistake or, from any MP, to add a second MG reference.
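What the discovery and the three tasks do on the agent side, as an added example; this is not the MP's own scripts (the post does not reproduce them) but the same operations done through the agent's AgentConfigManager.MgmtSvcCfg COM interface, which both the 2007 R2 and 2012 agents expose. Assumptions: the property names are those the interface returns (managementGroupName, ManagementServer, ManagementServerPort); the agent version is read from the binary behind the HealthService service; the host names in the sample objects are constructed. The remove function refuses to strip the last management group, which is the one mistake that cannot be undone from the console.

```powershell
# Added example, not the MP's own discovery or task scripts (the post does not reproduce them).
# It uses the agent's AgentConfigManager.MgmtSvcCfg COM interface, present on 2007 R2 and 2012
# agents, and the HealthService service's binary for the version. Host names below are constructed.

function Format-MgInfo {
    # Builds the 'MGName;Primary Server;TCP Port##' string the post describes, one entry per MG,
    # space-separated when the agent is dual-homed.
    param([Parameter(Mandatory)][object[]]$ManagementGroups)
    ($ManagementGroups | ForEach-Object {
        '{0};{1};{2}' -f $_.managementGroupName, $_.ManagementServer, $_.ManagementServerPort
    }) -join ' '
}

function Get-AgentVersion {
    # Works for both the 2007 R2 and the 2012 agent: resolve HealthService.exe from the service definition.
    $svc = Get-WmiObject Win32_Service -Filter "Name='HealthService'"
    if (-not $svc) { return $null }
    $exe = $svc.PathName.Trim('"')
    (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
}

function Get-AgentMgInfo {
    # The two discovered properties, as the discovery would populate them.
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    [pscustomobject]@{
        ManagementGroupInfo = Format-MgInfo -ManagementGroups @($cfg.GetManagementGroups())
        AgentVersion        = Get-AgentVersion
    }
}

function Remove-AgentMg {
    # 'Remove MG info' task. -Restart reproduces what the post warns about (the agent restarting
    # itself from inside its own task); leave it off and restart from outside (sc.exe, psexec).
    param([Parameter(Mandatory)][string]$ManagementGroupName, [switch]$Restart)
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $groups = @($cfg.GetManagementGroups())
    if (-not ($groups | Where-Object { $_.managementGroupName -eq $ManagementGroupName })) {
        Write-Warning "MG '$ManagementGroupName' is not configured on this agent"; return
    }
    if ($groups.Count -le 1) {
        throw 'Refusing to remove the only management group; the agent would have nowhere to report.'
    }
    $cfg.RemoveManagementGroup($ManagementGroupName)
    if ($Restart) { Restart-Service -Name HealthService -Force } else { $cfg.ReloadConfiguration() }
}

function Add-AgentMg {
    # 'Add MG info' task: a second MG reference for the side-by-side period, or to undo a mistake.
    param([Parameter(Mandatory)][string]$ManagementGroupName,
          [Parameter(Mandatory)][string]$ManagementServer,
          [int]$Port = 5723)
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $cfg.AddManagementGroup($ManagementGroupName, $ManagementServer, $Port)
    $cfg.ReloadConfiguration()
}

# Offline demonstration of the property format on constructed objects (a dual-homed agent):
$sample = @(
    [pscustomobject]@{ managementGroupName = 'OLDMG'; ManagementServer = 'ms01.corp.example'; ManagementServerPort = 5723 },
    [pscustomobject]@{ managementGroupName = 'NEWMG'; ManagementServer = 'ms02.corp.example'; ManagementServerPort = 5723 }
)
Format-MgInfo -ManagementGroups $sample
```

ReloadConfiguration is what makes the no-restart variant usable: the agent picks up the changed management group list without the service bouncing, so the restart can be scheduled from outside at a time when someone is watching whether the service comes back.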
 
View
 
Extended Agents View – > All Agents – where you’ll be able to see the agents and their management group info.
 
Installation
 
                To install the MP, simply import the file through the SCOM console. To remove it, simply delete the management pack from the console. Make sure you install it in the NEW environment (2012).
 
Known issues
 
                The discovery runs on all Windows computers, so you may want to disable it and override it just for some computers. Another consequence is that it also runs on management servers, where the script will potentially fail, generating some warnings which can be safely ignored. The old MG shouldn't be there forever, so as soon as you remove it the warnings will disappear.
 
Download the MP here and please let me know of any problems you face.
 
Thank you! 
 
 
 
 

Adding an Agent Task to Fix the Active Directory 2008 Management Pack Console Tasks


Hi fellow SCOMmers, a quick tip on how to create a task that adds a symbolic link under C:\Program Files on all your domain controllers. Why?
First a little background:
In the Active Directory 2008 Management Pack, some of the console tasks still try to run from the wrong folder:


 
You can always override the parameter temporarily, but if you do it very frequently it will be a pain. Of course, ideally Microsoft would fix this at some point, but since we can't change the sealed management pack permanently, a quick way to fix it is to create a symbolic link named Support Tools pointing to C:\Windows\System32, where most of these tools, like DCDIAG.EXE, live.
So, the steps:
  1. Open the SCOM console
  2. Select the Authoring area and then Management Pack Objects
  3. Right-click Tasks and select Create a new Task
  4. Name the task, select a target (Active Directory Domain Controller Server 2008), select a proper management pack, configure the command as below and click Create:
 
Here are the command line parameters (the command itself is cmd.exe), so you don't yell at me that you can't copy and paste them:
      /c mklink /d "C:\Program Files\Support Tools" %windir%\system32
Two things to know before you fire it at every DC: the task runs under the agent's action account, which needs the right to create symbolic links (local administrators and Local System have it), and mklink fails if the path already exists, so running the task twice on the same DC reports an error rather than doing any harm.
 
5. To use the task, select the server in the Monitoring view, under the Windows Active Directory Server state view, and click on the task in the Tasks panel on the right:
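The same fix made idempotent, as an added example (not the task configured above, which runs cmd.exe with the parameters quoted): it checks whether the path already exists and whether it is already a reparse point before calling mklink, refuses to touch a real directory of that name, and then verifies what the console tasks actually need, that dcdiag.exe resolves through the link. The paths are the ones the post uses; nothing else is assumed.

```powershell
# Added example, not the task the post configures. Same mklink, but safe to run repeatedly.
function Set-SupportToolsLink {
    param(
        [string]$LinkPath = "$env:ProgramFiles\Support Tools",
        [string]$Target   = "$env:windir\System32"
    )
    if (Test-Path -LiteralPath $LinkPath) {
        $item   = Get-Item -LiteralPath $LinkPath
        $isLink = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        if (-not $isLink) {
            # A real 'Support Tools' install lives here; replacing it would break whatever put it there.
            throw "$LinkPath exists and is a real directory; not replacing it."
        }
        # mklink fails when the path exists, so just report the existing link.
        return [pscustomobject]@{ LinkPath = $LinkPath; Target = $Target; Created = $false }
    }
    # Directory symlinks need the 'Create symbolic links' right; administrators and Local System have it.
    $out = cmd.exe /c mklink /d $LinkPath $Target 2>&1
    if ($LASTEXITCODE -ne 0) { throw "mklink failed: $out" }
    [pscustomobject]@{ LinkPath = $LinkPath; Target = $Target; Created = $true }
}

function Test-SupportToolsLink {
    # Verifies what the AD MP console tasks actually need: dcdiag.exe reachable through the link.
    param([string]$LinkPath = "$env:ProgramFiles\Support Tools")
    Test-Path -LiteralPath (Join-Path $LinkPath 'dcdiag.exe')
}

Set-SupportToolsLink
Test-SupportToolsLink
```

Use this as the task's command (powershell.exe with the script body) when you prefer a task that reports "already in place" over one that errors on the second run; either way the Test-SupportToolsLink result is the thing to look at in the task output.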
 
Hope it helps!
 
Happy SCOMming


Error in SCOM 2012 ACS Report: Sensitive Security Groups Changes


A customer of mine always had an issue with an ACS audit report called "Sensitive Security Groups Changes". The information shown there didn't make a lot of sense: it would show the same user as both the one being added to the group and the one doing the adding. Just some crazy stuff that could be fixed in Report Builder. For a report whose whole job is to tell you who put whom into a privileged group, that is worse than no report at all. But I was hired to upgrade the 2007 R2 environment to 2012, hoping that it would be fixed and maybe improved.
Nothing like that. In the end it was even worse: for some reason, the information shown was completely wrong.
To fix the issue I opened an incident with Microsoft, which didn't fix the problem, but led me to fix it in the end.
It turns out that C:\Windows\System32\Security\AdtServer\eventschema.xml ships broken on the installation media.
The section for event 4728 (a member was added to a security-enabled global group) seems to be broken:
        <Event SourceId="4728" SourceName="SE_AUDITID_ETW_GLOBAL_GROUP_ADD">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Call Name="AppendString" Param1="8" Param2="0" />
          <Call Name="AppendString" Param1="9" Param2="0" />
          <Call Name="AppendNamesFromSid" Param1="2" Param2="0" />
          <Param TypeName="typeUser" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typeClientSid" />
          <Param TypeName="typeClientUser" />
          <Param TypeName="typeClientDomain" />
          <Param TypeName="typeClientLogonId" />
          <Param TypeName="typePrivileges" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
        </Event>
The correct code (copied from 4729, the matching "member removed" event; the difference is the missing AppendString call for parameter 10, which shifts every following field by one, hence the swapped subject and target):
        <Event SourceId="4728" SourceName="SE_AUDITID_ETW_GLOBAL_GROUP_ADD">
          <Call Name="AppendString" Param1="1" Param2="0" />
          <Call Name="AppendString" Param1="2" Param2="0" />
          <Call Name="AppendString" Param1="3" Param2="0" />
          <Call Name="AppendString" Param1="4" Param2="0" />
          <Call Name="AppendString" Param1="5" Param2="0" />
          <Call Name="AppendString" Param1="6" Param2="0" />
          <Call Name="AppendString" Param1="7" Param2="0" />
          <Call Name="AppendString" Param1="8" Param2="0" />
          <Call Name="AppendString" Param1="9" Param2="0" />
          <Call Name="AppendString" Param1="10" Param2="0" />
          <Call Name="AppendNamesFromSid" Param1="2" Param2="0" />
          <Param TypeName="typeUser" />
          <Param TypeName="typePrimarySid" />
          <Param TypeName="typeTargetUser" />
          <Param TypeName="typeTargetDomain" />
          <Param TypeName="typeTargetSid" />
          <Param TypeName="typeClientSid" />
          <Param TypeName="typeClientUser" />
          <Param TypeName="typeClientDomain" />
          <Param TypeName="typeClientLogonId" />
          <Param TypeName="typePrivileges" />
          <Param TypeName="typePrimaryUser" />
          <Param TypeName="typePrimaryDomain" />
        </Event>
Make sure you make a copy of the file before changing it. When you're done editing, restart the collector service (Operations Manager Audit Collection Service) and you should be OK. Then prove it: add a test account to a global security group, remove it again, and check that the report now names the right actor and the right member for both events. Keep the backup around, too; a later update of the collector may put the shipped file back.
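The comparison above, automated, as an added example (not from the original post): the Call list under event 4728 is compared with the one under 4729 and, only if both events declare the same Param list, replaced with a copy of 4729's, with a backup and a collector restart when a real file is changed. The XML fed to it below is constructed to reproduce the defect (nine AppendString calls against ten, with a made-up SourceName on the reference event) and is not a copy of the real file; assumptions are the file path the post names, the absence of a default XML namespace in that file, and AdtServer as the collector's service name.

```powershell
# Added example, not from the original post. Automates the 4728-vs-4729 comparison the post does
# by hand. Assumes no default XML namespace in eventschema.xml and 'AdtServer' as the service name.

function Get-EventCallSignature {
    # 'Name:Param1' of every <Call> under an <Event>, in order, so two events can be compared.
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Event)
    ($Event.SelectNodes('Call') | ForEach-Object { "$($_.GetAttribute('Name')):$($_.GetAttribute('Param1'))" }) -join ','
}

function Repair-AcsEventSchema {
    # Returns $true if the broken event's <Call> list was replaced, $false if nothing needed doing.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][xml]$Schema,
        [string]$BrokenId    = '4728',
        [string]$ReferenceId = '4729'
    )
    $broken = $Schema.SelectSingleNode("//Event[@SourceId='$BrokenId']")
    $ref    = $Schema.SelectSingleNode("//Event[@SourceId='$ReferenceId']")
    if (-not $broken -or -not $ref) { throw "Event $BrokenId or $ReferenceId not found in schema" }

    # Safety check: only borrow the Call list if both events declare the same parameter types.
    $paramsBroken = ($broken.SelectNodes('Param') | ForEach-Object { $_.GetAttribute('TypeName') }) -join ','
    $paramsRef    = ($ref.SelectNodes('Param')    | ForEach-Object { $_.GetAttribute('TypeName') }) -join ','
    if ($paramsBroken -ne $paramsRef) { throw "Param lists differ between $BrokenId and $ReferenceId; not touching it" }

    if ((Get-EventCallSignature -Event $broken) -eq (Get-EventCallSignature -Event $ref)) { return $false }

    if ($PSCmdlet.ShouldProcess("Event $BrokenId", "replace Call list with that of $ReferenceId")) {
        foreach ($c in @($broken.SelectNodes('Call'))) { [void]$broken.RemoveChild($c) }
        $firstParam = $broken.SelectSingleNode('Param')
        foreach ($c in $ref.SelectNodes('Call')) {
            [void]$broken.InsertBefore($c.CloneNode($true), $firstParam)
        }
    }
    return $true
}

function Repair-AcsEventSchemaFile {
    # Real-file wrapper: back up, save, restart the collector. Only when something actually changed.
    param([string]$Path = "$env:windir\System32\Security\AdtServer\eventschema.xml")
    [xml]$schema = Get-Content -LiteralPath $Path -Raw
    if (-not (Repair-AcsEventSchema -Schema $schema)) { return $false }
    Copy-Item -LiteralPath $Path -Destination "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $schema.Save($Path)
    Restart-Service -Name AdtServer   # Operations Manager Audit Collection Service (assumed service name)
    return $true
}

# Constructed sample reproducing the defect: 4728 carries nine AppendString calls, the reference ten.
$calls9  = (1..9  | ForEach-Object { "<Call Name=`"AppendString`" Param1=`"$_`" Param2=`"0`" />" }) -join ''
$calls10 = (1..10 | ForEach-Object { "<Call Name=`"AppendString`" Param1=`"$_`" Param2=`"0`" />" }) -join ''
$params  = ('typeUser', 'typePrimarySid', 'typeTargetUser', 'typeTargetDomain', 'typeTargetSid', 'typeClientSid',
            'typeClientUser', 'typeClientDomain', 'typeClientLogonId', 'typePrivileges', 'typePrimaryUser', 'typePrimaryDomain' |
            ForEach-Object { "<Param TypeName=`"$_`" />" }) -join ''
[xml]$sample = @"
<Events>
  <Event SourceId="4728" SourceName="SE_AUDITID_ETW_GLOBAL_GROUP_ADD">$calls9<Call Name="AppendNamesFromSid" Param1="2" Param2="0" />$params</Event>
  <Event SourceId="4729" SourceName="CONSTRUCTED_REFERENCE_EVENT">$calls10<Call Name="AppendNamesFromSid" Param1="2" Param2="0" />$params</Event>
</Events>
"@
$changed = Repair-AcsEventSchema -Schema $sample
"Changed: $changed; 4728 now has $($sample.SelectSingleNode("//Event[@SourceId='4728']").SelectNodes('Call').Count) Call elements"
```

The Param-list check is the part worth keeping even if you never script the rest: the two events only parse the same way because they describe the same fields in the same order, and blindly copying a Call list between events whose Param lists differ would produce exactly the kind of silently shifted report this post started with.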


SCOM Agents using certificates


Many times you'll need SCOM agents to communicate with the RMS using certificates. This process, although fairly simple after you've done it a few times, is very frequently not well documented. When I needed to do it, I had to check a lot of different sources and bits and pieces. My intention here is to document the whole process.

A few assumptions: you have a functional SCOM server, a certificate authority in the same domain (in this example, an enterprise CA) and a server in another domain or in a workgroup.

Step-by-step, oh baby!
So, here it goes and don’t be scared. After you repeat the steps a few times, you’ll be very comfortable with it.

1.       Creating SCOM certificate templates
a.       Go to the certificate authority machine and run mmc.exe
b.      Click on the Add/Remove Snap-in option
c.       Add the Certificate Templates snap-in
d.      Right-click the IPSec (Offline Request) certificate template and click Duplicate Template:
 
e.      Select the appropriate version of Windows Server (pick 2003 if you still have any 2003 servers on your network)
f.        Name the template SCOM Template (or anything you want) and configure it as follows:
Click CSPs...
Click on Application Policies and configure as below:
 
g.       Open the Certification Authority console, right-click Certificate Templates and select New -> Certificate Template to Issue:
h.      Select the SCOM Template you've just created and click OK
i.         Close the Certification Authority console
2.       Creating the certificates
For this part of the configuration, we'll need to export the certificate of the root CA itself, generate a certificate for the SCOM RMS and generate a certificate for each server that will communicate with the RMS.
a.       Open the URL of your certification authority's web enrollment pages. In my case, http://dc1/certsrv.
 
b.      Click on Download a CA certificate, certificate chain, or CRL, then click Download CA certificate chain and save the file to a folder. The file will be called certnew.p7b by default. You can rename it; I'm using rootca.p7b.

c.       Go back to the home page (http://dc1/certsrv) and click Request a certificate -> advanced certificate request -> Create and submit a request to this CA.
If you have issues opening this website (it complains about the ActiveX control not being loaded or that HTTPS needs to be enabled), add the website to the Trusted sites zone and set a custom security level for that zone with the option below:
d.      Select Yes at the next prompt:
e.      Select the SCOM Template you created in step 1 from the drop-down list:
f.        Set the name of the server. This becomes the certificate's subject name, which OpsMgr checks against the machine's FQDN, so use the FQDN the server is known by:
g.       And set the friendly name:
h.      Make sure Mark keys as exportable is selected:
i.         Click Yes at the next prompt:
j.        Click on Install certificate
Don't worry about where the certificate gets installed yet. It will be installed under your user account, in the Personal store. We'll later export the certificate to be usable by the computer.
k.       Repeat steps c through j of the certificate generation process for each agent; in my case, dmz1 is the name of the server.
l.         After you have generated all the necessary certificates, let's export them from your local store:
m.    Open mmc.exe, add the Certificates snap-in for "My user account" and click OK.
n.      Expand the Certificates tree until you see the contents of the Personal certificates folder:
You should see the certificates you've just created there.
o.      Right-click the SCOM server certificate and select Export:
p.      Click Next
q.      Click Yes to export the private key
r.        Click Next
s.       Type a password for the import process. The resulting .pfx file contains the private key, so treat it like a credential: move it to the target over a trusted path and delete the copies once imported.
t.        Select the filename for the file and click Next, then Finish.
u.      Repeat steps o to t for each server.
3.       Installing certificates on the computers
a.       Go to the SCOM RMS and open mmc.exe
b.      Add the Certificates snap-in for the Computer account
c.       Click Next, select Local Computer and click Finish
d.      Click OK
e.      Expand the left tree and click on the option below:
f.        Click Next
g.       Browse to the location of the SCOM certificate generated and exported before:
h.      Click Next and provide the password you previously set.
i.         Make sure the certificate will be saved in the Personal store
j.        Click Next and Finish
k.       Right-click Trusted Root Certification Authorities as below and select Import:
l.         Click Next and browse to the root CA certificate file downloaded in the first part of the tutorial:
m.    Click Next
n.      Make sure the certificate is saved in the Trusted Root Certification Authorities store:
o.      Click Finish
p.      Repeat the steps above on the agent computers
4.       Installing the agents
a.       Before you start installing the agent, check connectivity to the server. If your DNS can't resolve the name of the SCOM server, create an entry in the hosts file on the server to be managed.
b.      Make sure port TCP 5723 is open between the server and the SCOM server.
c.       Check connectivity by using "telnet <scomServerNameInTheCertificate> 5723"
In my case: "telnet scom.fehse.local 5723". If you get a connection (black screen with blinking cursor), you're good. On newer systems Test-NetConnection with -Port 5723 gives the same answer without installing the Telnet client.
d.      On the server to be managed, access the SCOM installation files. If you can log on remotely to your server, they will be at:
\\<ScomServer>\c$\Program Files\System Center Operations Manager 2007\AgentManagement
If you can't access it remotely, copy the files to a location accessible from the server to be managed.
e.      Start the SCOM agent installation by running MSXML6.msi, OOMADs.msi (if the server is a DC) and then MOMAgent.msi
f.        Click Next

g.       Select
h.      Click Next and then Install
i.         Click Finish when installation is finished
5.       Importing certificates with momcertimport.exe
In this step you'll need a tool called momcertimport.exe. It can be found on the SCOM installation DVD or image, under the SupportTools folder. There are 32-bit and 64-bit versions.
a.       On the SCOM server, run the momcertimport.exe tool:
b.      Select the appropriate certificate from the store and click OK
c.       Restart the "System Center Management" service.
d.      Repeat the steps on all servers to be managed.
6.       Approving and checking agent status
a.       In the SCOM console, under Administration, check the pending agents (Pending Management):
b.      Approve the agent
 
A few points:
The steps performed on the RMS itself don't need to be repeated for each agent; they are done once only.
Eventually the certificates will expire and the process will need to be repeated, so I advise you to change the validity period of the certificates by following the instructions at this URL: http://support.microsoft.com/kb/254632
The process for a standalone root CA is basically the same. The difference is that you won't use certificate templates. The (complicated) version of the process is documented here: http://technet.microsoft.com/en-us/library/dd362655.aspx and a simpler version here: http://blogs.technet.com/b/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx
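When an agent stays in Pending Management or never shows up at all, the certificate is the usual suspect, so here is an added example (not from the original post) that checks every certificate in the machine's Personal store against what the OpsMgr channel needs, per Microsoft's certificate guidance: a subject CN equal to the host's FQDN, both the Server Authentication and Client Authentication EKUs, a private key present, a current validity period, and a chain to a trusted root. It also shows which certificate momcertimport selected; the registry location it reads (ChannelCertificateSerialNumber under Machine Settings, stored byte-reversed) is an assumption taken from common troubleshooting guidance, not something the post states.

```powershell
# Added example, not from the original post. Checks machine-store certificates against the OpsMgr
# channel requirements (subject CN = FQDN, Server + Client Authentication EKUs, private key, validity,
# trusted chain). The momcertimport registry location is assumed from common troubleshooting guidance.

function Test-OpsMgrCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Subject name must be the FQDN the other side will connect to.
    $cn = ($Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
    if ($cn -ne $ExpectedFqdn) { $problems.Add("Subject CN '$cn' does not match FQDN '$ExpectedFqdn'") }

    # Both EKUs are required: the agent and the management server each act as client and server.
    $eku = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $eku += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($eku -notcontains '1.3.6.1.5.5.7.3.1') { $problems.Add('Missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)') }
    if ($eku -notcontains '1.3.6.1.5.5.7.3.2') { $problems.Add('Missing Client Authentication EKU (1.3.6.1.5.5.7.3.2)') }

    if (-not $Certificate.HasPrivateKey) { $problems.Add('No private key in this store (import the .pfx, not the .cer)') }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems.Add("Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))")
    } elseif (($Certificate.NotAfter - $now).TotalDays -lt 30) {
        $problems.Add('Expires within 30 days; plan the renewal the post mentions')
    }

    # Chain trust is what the channel needs; revocation is skipped because a DMZ host often cannot reach the CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems.Add("Chain does not build to a trusted root: $status")
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

function Get-MomCertImportSelection {
    # Serial number of the certificate momcertimport selected, as a hex string comparable to
    # X509Certificate2.SerialNumber. Location and byte order are assumed (see lead-in).
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $raw = (Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $raw) { return $null }
    [array]::Reverse($raw)
    ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Check every certificate in the machine's Personal store and mark the one momcertimport picked.
$selected = Get-MomCertImportSelection
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $result = Test-OpsMgrCertificate -Certificate $cert
    $result | Add-Member -NotePropertyName SelectedByMomCertImport -NotePropertyValue ($cert.SerialNumber -eq $selected) -PassThru
}
```

Run it on both ends, the RMS and the agent: a certificate that passes every check but is not the one marked SelectedByMomCertImport explains the "right certificate, still pending" case, and the Problems column explains the rest without digging through the Operations Manager event log.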
 
Hope you enjoy it!