Request a Certificate from the Root CA Server
Each of the management servers and the servers in the DMZ (that is, the Edge Transport servers) need to be issued certificates to use for communication.
Perform the following steps to request a certificate:
1. Log in as an administrator, open a web browser, and point it to the certificate server (in this case, https://dc1.companyxyz.com/certsrv).
2. Click the Request a Certificate link.
3. Click the advanced certificate request link.
4. Click the Create and Submit a request to this CA link.
5. In the Type of Certificate Template field, select Operations Manager.
6. In the Name field, enter the FQDN (Fully Qualified Domain Name) of the target server.
   Note: Go to the actual server to get the name. On the server, go to Computer Properties > Computer Name. Copy the full computer name and paste it into the Name field of the form.
7. Click Submit.
8. Click Yes when you get the warning pop-up box.
9. Click Install this certificate.
10. Click Yes when you see the warning pop-up box. The certificate is now installed in the user certificate store.
    Note: The certificate was installed in the user's certificate store but needs to be in the local computer store for Operations Manager. The capability to use the web enrollment to directly place the certificate into the local computer store was removed from the Windows Server 2008 web enrollment, so the certificate must be moved manually.
11. Select Start, Run, and enter mmc to launch an MMC console.
12. Select File and Add/Remove Snap-In.
13. Select Certificates and click Add.
14. Select My User Account and click Finish.
15. Select Certificates again and click Add.
16. Select Computer account and click Next.
17. Select the Local computer, click Finish, and OK.
18. Expand the Certificates—Current User, Personal, and select the Certificates folder.
19. In the right pane, right-click the certificate issued earlier (in this example, EX3.companyxyz.com) and select All Tasks, Export. The certificate can be recognized by the certificate template name Operations Manager.
20. At the Certificate Export Wizard, select Next.
21. Select Yes, export the private key. Click Next.
22. Click Next.
23. Enter a password and click Next.
24. Enter a directory and filename (such as c:\EX1cert.pfx) and click Next.
25. Click Finish to export the certificate. Click OK in the pop-up box.
26. Expand the Certificates (Local Computer), Personal, and select the Certificates folder.
    Note: If this is the first certificate in the local computer store, the Certificates folder will not exist. Simply select the Personal folder instead, and the Certificates folder will be created automatically.
27. Right-click in the right pane and select All Tasks, Import.
28. In the Certificate Import Wizard, select Next.
29. Click Browse to locate the certificate file saved earlier. Change the file type to Personal Information Exchange (pfx) to view the file. Click Next.
30. Enter the password used earlier, select Mark This Key as Exportable, and click Next.
31. Click Next.
32. Click Finish and OK in the pop-up box to complete the import.
The previous steps need to be completed for each Edge Component server and for each management server.
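Before pointing the agent at a certificate, it is worth confirming that the import actually landed in the local computer store with its private key and under the expected template. The following PowerShell check is an added example, not part of the original procedure; it assumes it runs in an elevated session on the server that received the certificate, that the template is named Operations Manager as above, and that the certificate subject CN is the server FQDN.

```powershell
# Added example: verify the certificate moved into Cert:\LocalMachine\My
# correctly. Assumes the template is named "Operations Manager" and that the
# subject CN equals this server's FQDN (both as described in the procedure).
function Get-OpsMgrCertificateCheck {
    param(
        [string]$TemplateName = 'Operations Manager',
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry([string]$env:COMPUTERNAME)).HostName
    )

    # Template name lives in one of two extensions: v1 templates use
    # "Certificate Template Name" (1.3.6.1.4.1.311.20.2), v2 templates use
    # "Certificate Template Information" (1.3.6.1.4.1.311.21.7).
    $templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

    foreach ($cert in (Get-ChildItem -Path Cert:\LocalMachine\My)) {
        $ext = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
        $templateText = if ($ext) { ($ext | ForEach-Object { $_.Format($false) }) -join ';' } else { '' }
        $simpleName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey        # false means the .pfx import went wrong
            TemplateMatch  = $templateText -like "*$TemplateName*"
            SubjectMatches = $simpleName -ieq $Fqdn     # catches a request made with the wrong name
            Expired        = $cert.NotAfter -lt (Get-Date)
        }
    }
}

$all  = Get-OpsMgrCertificateCheck
$good = $all | Where-Object { $_.HasPrivateKey -and $_.TemplateMatch -and $_.SubjectMatches -and -not $_.Expired }

$all | Format-Table Thumbprint, Subject, HasPrivateKey, TemplateMatch, SubjectMatches, Expired -AutoSize

# Exactly one usable certificate is what the later MOMCertImport step needs;
# zero or several means the store must be cleaned up before continuing.
switch (@($good).Count) {
    1       { Write-Host "OK: one usable certificate, thumbprint $($good.Thumbprint)" }
    0       { Write-Warning 'No certificate in the local computer store passes every check.' }
    default { Write-Warning "$(@($good).Count) candidate certificates found; remove the stale ones first." }
}
```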
Install the Agent on the Lync Edge Server
The agent needs to be installed manually on each Lync Edge server. Normally agents are pushed by the Operations Manager console, but Edge servers typically reside in the DMZ and are not members of the domain.
Perform the following steps to manually install the agent:
1. Log on as an administrator and insert the OpsMgr 2007 R2 installation media.
2. At the AutoPlay menu, select Run SetupOM.exe.
3. Select Install Operations Manager 2007 R2 Agent from the menu.
4. Click Next.
5. Click Next to accept the default directory.
6. Click Next to Specify Management Group Information.
7. Type in the Management Group Name and FQDN of the Management Server. Keep the default Management Server port as 5723. The example shown in Figure 2 has COMPANYXYZ as the management group name and scom1.companyxyz.com as the management server.
8. Click Next.
9. Click Next at the Agent Action Account page to leave the Local System as the action account.
10. Click Install to complete the installation.
11. When the installer finishes, click Finish.
Complete the previous steps for each Lync Server 2010 Edge server.
The agent is installed but will not communicate correctly with the management server. This is because the agent has not been configured to use the certificate for mutual authentication. This task is discussed in the next section.
Configure the Agent to Use the Certificate
After the agent is installed, it still needs to be configured to use the correct certificate. The OpsMgr installation includes a utility called MOMCertImport.exe that configures the agent to use certificates for authentication and which certificate in the local computer store to use. The tool does not do any validation checking of the certificate itself, so care needs to be taken that the correct certificate is selected.
Perform the following steps to configure the agent to use a certificate:
1. Log on as an administrator on the Edge Transport server and insert the OpsMgr 2007 R2 installation media.
2. At the AutoPlay menu, select Run SetupOM.exe.
3. Select Browse This CD from the menu.
4. Select the SupportTools directory and the AMD64 directory.
   Note: Lync Server 2010 is a 64-bit application, so AMD64 is the correct folder for the 64-bit binaries. If the procedure is run for other servers, select the appropriate directory for the binaries, such as i386.
5. In the directory, double-click MOMCertImport.exe.
6. In the pop-up window, select the certificate issued previously and click OK. Use the View Certificate button to view the certificate details if the correct certificate is not obvious.
The Operations Manager service restarts automatically to have the selected certificate take effect. The preceding steps need to be repeated for each Edge Transport server and for each management server.
The Operations Manager event log can be viewed with the Windows Event Viewer. It is named Operations Manager and is located in the Applications and Services Logs folder in the tool. Any problems with the certificate are shown in the log immediately following the start of the System Center Management service.
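Because certificate problems surface in the window right after the service starts, a scripted check that pulls only that window from the Operations Manager log is a quick alternative to scrolling through Event Viewer on each Edge server. This PowerShell function is an added example, not part of the original text; it assumes the System Center Management service runs as the HealthService.exe process (the agent's process name) and reads the log name given above.

```powershell
# Added example: list errors and warnings written to the "Operations Manager"
# log in the minutes after the System Center Management service started.
# Assumes the service's process is HealthService.exe (the OpsMgr agent process).
function Get-OpsMgrAgentStartupProblems {
    param([int]$MinutesAfterStart = 5)

    $proc = Get-Process -Name HealthService -ErrorAction SilentlyContinue
    if (-not $proc) {
        Write-Warning 'HealthService (System Center Management) is not running; nothing to inspect.'
        return
    }

    # Use the live process start time as the lower bound, so the query only
    # covers the startup window in which certificate failures are reported.
    $start = $proc.StartTime
    $end   = $start.AddMinutes($MinutesAfterStart)

    # Level 1 = Critical, 2 = Error, 3 = Warning
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Operations Manager'
        StartTime = $start
        EndTime   = $end
        Level     = 1, 2, 3
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$problems = @(Get-OpsMgrAgentStartupProblems)
if ($problems.Count -eq 0) {
    Write-Host 'No errors or warnings logged in the startup window; the agent accepted the certificate.'
} else {
    $problems | Format-Table -AutoSize -Wrap
}
```

If the certificate was reselected with MOMCertImport and the service restarted, rerun the function; the window is recomputed from the new process start time.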