Download the PDF deploying-scom-gateway-server2

Open and test ports

Put a change request into the Network group to open TCP port 5723 both ways from the Gateway server to the MS server.

To test if the ports are open. Log on to gateway server. From a command prompt type

telnet SRVNAME261 5723

If you get a cursor at the top left corner then the port is open. Any other errors indicate that the port is still closed.

Do the same from the management server back to the gateway server.

Certificates need to be deployed (2 types of certificates)

1. Root certificate

a. Import the root certificate for the management servers on the same domain as the CA server

i. Logon on the management server. Open a web Brower and navigate to http://SRVNAME342/certsrv/

ii. Click on Download a CA certificate, certificate chain, or CRL

iii. Click on Download CA Certificate chain

iv. Click on save. And save to a location of your choice. The default file name is certnew.p7b. This is fine. (you can use this cert for all your management servers and gateway server to skip the initial download on this servers if you like.

b. To import the downloaded cert open the certificate MMC

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificates, and click on add again.

iv. Select computer account and say finish

v. Close the window and say ok to the add remove window.

vi. Expand certificates and right click on “Trusted Root Certification Authorities”

vii. When the wizard opens navigate to the downloaded cert is certnew.p7b . You will need to change the file type to PKCS #7

viii. Accept the defaults and finish

ix. Do this on all management servers inside the domain

c. Import the root certificate for the Gateway server that is not attached to the domain as the CA server.

i. Perform step one above to save certnew.p7b. Or use the same cert that was downloaded above. And copy to the gateway server. Then perform step 2 above.

2. Create the Custom OpsMgr Certificate

a. To create the cert. We will use two consoles to do this. Certification Authority mmc and certificate templates mmc

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificate Templates and Certification Authority, and click on add again. And finish

b. Select Certificate Templates

c. In the Certificate Templates Console right click IPSec (Offline request) and then select duplicate template

i. General Tab

ii. Type a name

Request Handling

1. select Allow private key to be exported

2. Click on CSPs…

3. select Microsoft RSA SChannel Cryptographic provider for windows 2003 and Microsoft Enhanced Cryptographic provider 1.0 for windows 2000

iii. Extensions Tab

iv. select the Applications Policies and click on edit

1. remove IP security IKE intermediate

2. Click on add..

3. Select Client Authentication and Server Authentication, and clink on ok twice.

v. Security Tab

1. Users should have read

2. Say ok and close.

3. Add the new custom cert to the certificate authority

i. Open the Certification Authority mmc console

ii. Expand it and right click on certificate templates

iii. Select new, certificate template to issue

iv. Scroll through the list until you find the one you just created. Select it and say ok.

v. It should now show in the right window.

4. Deploy the Custom OpsMgr Certificate to the management servers on the same domain as the CA (need to do the full steps individually for each server)

a. Logon on the management server. Open a web Brower and navigate to http://SRVNAME342/certsrv/

b. Click on Request a certificate

c. Click on Create and submit a request to this CA

d. Select the custom Template

e. Enter a name for the template. This is the full unc name of the server that you are going to install the cert on.

f. Enter the rest of the identity info if you like.

g. Under Key options select the csp that fits your operating system. select Microsoft RSA SChannel Cryptographic provider for windows 2003 and Microsoft Enhanced Cryptographic provider 1.0 for windows 2000

h. Key size 1024

i. Mark keys as exportable

j. Check off Store cert in local computer cert store…

k. Use full unc path as friendly name.

l. Click on submit, say yes.

m. Click on Install this certificate

n. Open run and type MMC

o. Click on file, add/remove snap-in

p. Click on Add and select Certificates, and click on add again.

q. Select computer account and say finish

r. Close the window and say ok to the add remove window.

s. Expand certificates and right click on Personal certificates

t. You should see the new cert here.

5. Deploy the custom Certificate to the Gateway sever in the DMZ.

a. Because the gateway is not part of the same domain as the CA. We need to create the certificate on a different server and export it to a usb drive or other storage device. Then manually copy it to the gateway server and import it.

b. First create the cert from a server on the same domain as the CA. Follow the steps in step 4 first.

c. Next we will export the cert

i. Open run and type MMC

ii. Click on file, add/remove snap-in

iii. Click on Add and select Certificates, and click on add again.

iv. Select computer account and say finish

v. Close the window and say ok to the add remove window.

vi. Expand certificates and right click on Personal certificates

vii. You should see the new cert here.

viii. Right click on the cert and select All tasks, export

ix. The export wizard will open, say next

x. Select Yes, export private key

xi. Select enable strong protection

xii. Enter a password for the import. You will need this password when you export the cert.

xiii. Specify a location and name to save it too.

xiv. And finish

d. Import the cert.

i. Copy the cert to the gateway server. It will have a .pfx extension.

ii. Open run and type MMC

iii. Click on file, add/remove snap-in

iv. Click on Add and select Certificates, and click on add again.

v. Select computer account and say finish

vi. Close the window and say ok to the add remove window.

vii. Expand certificates and right click on Personal certificates

viii. Select All tasks, Import

ix. Browse to the cert you coppied over. You will need to change the file type to PFX to see the cert.

x. Select open, say next, enter password.

xi. Check off Mark this key as exportable.

xii. Say next, make sure the certificate store is personal , click next and finish.

6. Run the momcertimport utility

a. In this step we are going to use the same pfx certificate (the custom personal cert) that we created in step 4. This tool writes the certificate serial number to the registry. This will help OpsMgr components find the the proper certificate for authenticatin easily.

b. You will find the momcertimport utility on the install cd under supporttools\i386.

c. Copy momcertimport.exe and the pfs certificate into the same folder.

d. Open a command prompt, navigate to the folder with both files and type the following command

i. C:\>MOMCertImport.exe certfilename.pfx

ii. There is NO response after the command is successfully initiated.

e. So this on all SCOM management servers. RMS, MS, and Gateway

7. Approve the Gateway Server

a. We will use the gateway approval tool to achieve this. This will setup the gateway server as a management server in SCOM. Once done you can confirm this by looking in the SCOM console under administration, Device Management, Management Servers.

b. The tool has to be run from c:\program Files\System Center Operations Manager 2007

c. Copy Microsoft.EnterpriseManagement.GatewayApprovalTool.exe from the support tools directory to c:\program Files\System Center Operations Manager 2007

d. Open the command prompt and type the following command

i. microsoft.enterprisemanagement.gatewayapprovaltool.exe /managementservername=SRVNAME261.domainName.com /gatewayname=domainNamedmz22.domainNamedmz.com /action=create

8. Next you now ready to manually install the agents on the servers in the DMZ

9. Approve the agents in the SCOM console.

Tools needed…

1. Some knowledge of the netsh command
2. A text file with the ip address’s of the scopes to be modified
3. IP address’s of the DHCP servers to change
4. And a script of course.

The easiest way to obtain the ip address’s of the scopes to modify is to log onto the DHCP server itself and open your support tools command prompt

Step 1.

Go to netsh command line to understand more on this command. And make sure you create a test subnet to run my scripts agains to make sure this is right for you.

Step 2.

C:\Program Files\Support Tools>netsh dhcp server 172.x.x.x show scope > c:\scope.txt

At the command prompt enter the section above in red (insert the ip address of the DHCP server in place of 172.x.x.x. This will create a text file with the sope info on your c drive.

You will now want to open scope.txt and clean it up. You only want the IP address’s of the scopes to be changed. the text file should be in the following format

Step 3

for /f “tokens=1″ %%a in (c:\scope.txt) DO netsh dhcp server 172.x.x.x scope %%a set optionvalue 006 IPADDRESS DNS_Address_1 DNS_Address_2 DNS_Adress_3

172.x.x.x = Your DHCP server IP address

DNS_Address_#= DNS server IP address’s

Copy the above red text into a text file and save it as scope_edit.bat to the same folder as scope.txt. Run the bat file. This will run through each IP address changing the dns entires. does not append the scope option for DNS it overwrites it. However it will not effect any other options that are currently set.

You can now use the same script to change your wins optin by changing optioncalue 006 to optionvalue 044

 Good luck

note: the import and export command cannot be ran remotely

Replace 198.168.0.10  with your DHCP server IP address

Replace 198.168.1.0 198.168.2.0 198.168.3.0 with the IP scopes that you are exporting and importing.

Export the scopes for the DHCP server 1

Step 1

1. Log on to the server that you are exporting from.
2. open the command prompt
3. Run the following command from the command prompt on the DHCP server that have the scopes already created.

Netsh DHCP server 198.168.0.10 export c:\scope 198.168.1.0 198.168.2.0 198.168.3.0

Step 2

Import the scopes to DHCP server 2  

1. Copy the scope file to the second DHCP server. 
2. Log on locally to the second DHCP server, open the command prompts and run the following command to import the scopes

Netsh DHCP server 198.168.0.10 import c:\scope 198.168.1.0 198.168.2.0 198.168.3.0

Step 3

1. Confirm that the scopes are now on the second server.
2. Modify the Exclusions if you have any. If this is a split scope then the exclusions should be opposite of each other on the two servers.

Good luck.

 

 The following is from Technet http://technet2.microsoft.com/windowsserver/en/library/61427fbd-de1f-4c8a-b613-321f7a3cca6a1033.mspx?mfr=true

import

Imports a DHCP service configuration from a file to the local service.

Syntax

import [Path]FileName {all | ScopeList]

Parameters

[Path] FileName

Required. Specifies, by name, the file from which the DHCP configuration will be imported. If the path, the file name, or both contain spaces, quotation marks must be used.

{all | ScopeList}

Required. Specifies which scopes you want to import. The parameter all imports all scopes represented in the file you specify. The parameter ScopeList imports the scopes that correspond to the IP addresses you list. Each IP address in the list must be separated by spaces.

Remarks

•	This command works only on the local server.
•	While the import command runs, the DHCP service is stopped and does not respond to DHCP clients seeking new leases or lease renewals.
•	If the DHCP service has a large number of scopes or a large number of client address leases, this command can take a long time to run.

Examples

In the first example, this command imports the complete DHCP service configuration from the file c:\Temp\Dhcpdb.

In the second example, this command imports the DHCP configuration for scopes 10.0.0.0 and 192.168.0.0 from the file c:\Temp\Dhcpdb

In the third example, this command imports the complete DHCP service configuration from the file c:\My Folder\Dhcp Configuration. Note that both the path and file name contain spaces, so quotation marks are used.

import c:\Temp\Dhcpdb all

import c:\Temp\Dhcpdb 10.0.0.0 192.168.0.0

import “c:\My Folder\Dhcp Configuration” all