You need to have:
1- A Certificate Authority in the same domain as Operations Manager.
2- The Certificate Authority chain certificate.
3- A certificate for the Work Group/Non Domain computer.
How to monitor a workgroup computer without using a gateway server
1- Import the Root CA certificates for the management server and for the Work Group/Non Domain computer. To do this, follow these steps.
a) From the server desktop, open a Web browser, and then point it at the certification authority server. For example, type the following address:
http://certification_authority_server/certsrv
b) Click Download a CA certificate, certificate chain, or CRL.
c) Click Download CA certificate chain.
Note A certificate that is named Certnew.p7b is downloaded. Save this certificate on the desktop.
d) When the download is finished, click Start, click Run, type mmc, and then click OK to open a Microsoft Management Console (MMC) instance.
e) On the File menu, click Add/Remove Snap-in, click Add, and then click Certificates.
f) Click Add, select Computer account, and then click Next.
g) Select Local computer, click Finish, click Close, and then click OK.
h) Under Trusted Root Certificate Authorities, right-click Certificates, point to All Tasks, and then click Import.
i) Click Import, and then click Next.
j) When you are prompted for the certificate file, click Browse.
k) Change Files of type to PKCS #7 Certificates (*.spc, *.p7b).
l) Click the appropriate certificate file that you downloaded from the certification authority server, and then click Open.
m) Click Next, and then click Finish.
2- Configure the enterprise root certification authority server to support the Operations Manager certificates. To do this, follow these steps (Create Certificate template):
a) Use domain administrator credentials to log on to the enterprise certification authority server.
b) Click Start, click Run, type mmc, and then press ENTER.
c) On the File menu, click Add/Remove Snap-in.
d) Click Add.
e) Under Add Standalone Snap-in, click Certificate templates, and then click Add.
f) Click Certification Authority, and then click Add.
g) In the Certification Authority snap-in, select the Local computer (the computer this console is running on) option.
h) Click Finish.
i) Click Close, and then click OK.
j) In the Certification Authority snap-in, verify that the Certificate Templates snap-in and the Certification Authority snap-in appear.
k) Click Certificate Templates.
l) In the details pane, right-click Computer, and then click Duplicate Template.
m) On the General tab, change the template name to a meaningful name for your organization. For example, you can use OpsMgr2007 as the template name. Verify that the validity period meets your organization’s requirements.
n) Click the Request Handling tab, and then click Allow private key to be exported.
o) Click the Subject Name tab, and then click the Supply in the request option.
p) Click the Security tab.
q) Grant Enroll and Auto enroll permissions for the following groups in all domains:
- Authenticated users
- Domain Admins
- Domain Computers
- Enterprise Admins
r) Click Apply, and then click OK.
s) To verify the settings, expand Certificate Templates.
t) In the details pane, right-click the template that you configured, click Properties, verify your settings, and then click OK.
u) Expand Certification Authority (local), and then expand your certification authority.
v) In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
w) Select the new template, and then click OK.
x) Verify that the new template appears in the details pane, and then verify that the Server Authentication entry and the Client Authentication entry appear under Intended Purpose.
y) Close the snap-in.
z) Click Start, click Run, type gpupdate /force in the Open field, and then press ENTER.
Note This step forces a Group Policy update on the domain controller and a replication of these changes throughout the forest.
aa) Click Start, click Run, type http://name_of_the_issuing_CA_Server/certsrv in the Open field, and then press ENTER.
bb) If you are prompted, enter the domain administrator account name and the password.
cc) On the Certificate Services Web page, click Request a certificate under Select a task.
dd) Click Advanced certificate request.
ee) Click Create and submit a request to this CA.
ff) In the Certificate template list, verify that your new certificate template appears.
3- Submit a new certificate request to the certification authority server. To do this, follow these steps on the management server (Operations Manager server) and on the Work Group/Non Domain computer:
Note: For the Operations Manager server, use the FQDN as the server name; for the Work Group/Non Domain computer, use the server name.
a) Click Start, click Run, type http://name_of_the_issuing_CA_Server/certsrv in the Open field, and then press ENTER.
b) If you are prompted, enter the domain administrator account name and password.
c) On the Certificate Services Web page, click Request a certificate under Select a task.
d) Click Advanced certificate request.
e) Click Create and submit a request to this CA.
f) In the Certificate Template field, select the template name that you configured in step 2m. For example, select OpsMgr2007.
g) In the Name field, type the FQDN of the RMS server.
h) Select the Mark key as exportable check box. When you are using the Web certificate request UI, you must also check Advanced certificate request.
Note The certificate will be unusable if this is not done.
i) Click Submit to submit your request to the certification authority server, and then follow the instructions that appear on the screen.
j) Depending on the security configuration on the CA, you have to wait for an administrator to manually approve the request. It is not guaranteed that the CA can be downloaded immediately.
k) Verify the certificate. To do this, follow these steps:
- Click Start, click Run, type mmc, and then press ENTER.
- On the File menu, click Add/Remove Snap-in.
- Click Add.
- Select the Certificates snap-in, and then click Add.
- Select My user account, click Finish, click Close to close the snap-in list, and then click OK to close the Add/remove snap-in window.
- Expand Certificates – Current User, expand Personal, expand Certificates, and then select the server certificate.
- Double-click the certificate, and then select the Details tab.
- In the list, click Enhanced Key Usage. You should see the following entries:
- Client Authentication (1.3.6.1.5.5.7.3.2)
- Server Authentication (1.3.6.1.5.5.7.3.1)
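A scripted version of the checks in steps 1 and 3k, as an added example that is not part of the original procedure: it finds the certificate by subject name, confirms the private key and both Enhanced Key Usage OIDs, and builds the chain to the imported root CA. The parameter names, the default store and the skipped revocation check are assumptions of this example.

```powershell
# Added example: validates a certificate against the requirements in steps 1 and 3.
# $ExpectedName and $StoreLocation are assumed parameters; pass your own values.
param(
    [string]$ExpectedName  = $env:COMPUTERNAME,   # use the FQDN on the management server
    [ValidateSet('LocalMachine','CurrentUser')]
    [string]$StoreLocation = 'LocalMachine'
)

$requiredEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

function Test-AgentCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }

    # Collect the OIDs listed in the Enhanced Key Usage extension.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    foreach ($oid in $requiredEku.Keys) {
        if ($ekuOids -notcontains $oid) { $problems += "missing EKU $($requiredEku[$oid]) ($oid)" }
    }

    # Build the chain against the trusted roots imported in step 1.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: the CRL is not reachable from this host; set 'Online' where it is.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $problems += $chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" }
    }
    $problems
}

$wanted = "CN=$ExpectedName"
$certs = @(Get-ChildItem "Cert:\$StoreLocation\My" |
    Where-Object { ($_.Subject -split ',\s*') -contains $wanted })
if (-not $certs) { Write-Warning "No certificate with subject $wanted in $StoreLocation\My"; return }

foreach ($c in $certs) {
    $issues = @(Test-AgentCertificate $c)
    $state  = if ($issues) { 'FAIL' } else { 'OK' }
    "{0}  serial={1}  {2}" -f $state, $c.SerialNumber, ($issues -join '; ')
}
```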
4- Configure the Operations Manager server to use certificates that can be exported from the computer private store. To do this, follow these steps:
a) Click Start, click Run, type mmc, and then press ENTER.
b) On the File menu, click Add/Remove Snap-in.
c) Click Add.
d) Click Certificates, and then click Add.
e) Select Computer account, and then click Finish.
f) Select Local computer, click Finish, click Close to close the snap-in list, and then click OK to close the Add/remove snap-in window.
g) Expand Certificates (local computer), expand Personal, expand Certificates, and then select a suitable certificate.
h) Right-click the certificate, point to All tasks, and then click Export.
i) Click Next.
j) Select Yes, export private key, and then click Next.
k) Use the default setting for the file format.
l) Type a password for the file.
m) Type a file name, and then click Next. For example, type C:\RMS.pfx.
n) Click Finish.
o) Perform these steps on both the Operations Manager server and the Work Group/Non Domain computer.
5- Install the agent on the Work Group/Non Domain computer. To do this, follow these steps.
Note Because you are performing a manual installation of the agent, you must use the agent setup executable file that is available in the \Agent\i386 “for 32 bit” and \Agent\AMD64 “for 64 bit” folder in the Operations Manager distribution location.
a) Run the MOMAgent.msi file.
b) On the Welcome screen, click Next.
c) When you are prompted for a folder destination for the software, accept the default location, and then click Next.
d) When you are prompted to configure the management group information, accept the default settings, and then click Next.
e) Type the management group name, the management server name, and the port, and then click Next.
f) Accept the default settings, and then click Next.
g) Verify that all information that you have entered is correct, and then click Install to start the installation.
h) When the installation is complete, click Finished to exit the installation.
Note: The commands below can be used to deploy the agent from a command prompt:
Install Agent 32 bit:
msiexec.exe /i C:\Tools\I386\MOMAgent.msi USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=OperationsManager_GroupName MANAGEMENT_SERVER_DNS=OperationsManager_FQDN ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 SET_ACTIONS_ACCOUNT=1
Install Agent 64 bit:
msiexec.exe /i C:\Tools\AMD64\MOMAgent.msi USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=OperationsManager_GroupName MANAGEMENT_SERVER_DNS=OperationsManager_FQDN ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 SET_ACTIONS_ACCOUNT=1
6- Use the Momcertimport tool to import the certificate. To do this, follow these steps.
Note The Momcertimport tool is used to enter the serial number of the specific certificate in the registry. You must follow these steps on the management server and on the workgroup computer. Make sure that the Operations Manager agent is installed on the workgroup computer. Otherwise, you will receive an error when you run the Momcertimport tool.
The Momcertimport.exe file is available in the \SupportTools\i386 “for 32 bit” and \SupportTools\AMD64 “for 64 bit” folders in the Operations Manager distribution location.
a) Click Start, and then click Run.
b) In the Open field, type cmd, and then click OK.
c) At the command prompt, type drive_letter:, and then press ENTER.
Note drive_letter is the drive on which the Operations Manager installation media is located.
d) Type cd \SupportTools\i386, and then press ENTER.
e) Type the following command, and then press ENTER:
MOMCertImport path_of_the_certificate .pfx_file_that_is_exported_in_step_4m
f) Restart the OpsMgr Health service.
7- Check Event Viewer on the Work Group/Non Domain computer under Applications and Services Logs/Operations Manager. An error is logged there at this stage; do not worry, the agent is waiting for approval.
8- Wait for the management server to see the manual installation and to request approval. This should take some time (five to ten minutes). When you are prompted, approve the agent. The workgroup agent can now communicate with the server.