This is a very rough and ready script to install the Microsoft SCCM 2012 R2 client and the SCOM 2012 R2 agent on a non-domain-joined Windows Server 2012 R2 (for example, a server in a DMZ). The script is provided "as is", so please test it thoroughly in your environment. You will need to modify the script to suit your environment; you will notice that there are no variables configured, etc.
In this environment SCOM and SCCM were both configured to use certificates (HTTPS). The script generates the CSR and uses the same certificate for SCOM and SCCM. Both require a certificate with the Client Authentication and Server Authentication EKUs whose Subject Name matches the FQDN of the server. You need to configure your server name and DNS suffix before running this script.
Firewall ports required:
- SCCM – TCP/443 and TCP/8531
- SCOM – TCP/5723
The script requires a few files to work, here is an example folder structure:
- RootCerts – Contains all of your internal root and intermediate CAs
- SCCM – Contains SCCM Client Installation
- SCOM – Contains SCOM Agent Installation
- SupportTools – Folder from SCOM Install Media (MOMCertImport.exe required)
The script works as follows (Again you will need to modify to suit your needs):
- Gets FQDN of computer
- Gets the current directory (So we know where to get the installation media and certs from)
- Imports root certificates into the local machine's Root store and intermediate certificates into the local machine's intermediate (CA) store
- Creates hosts file entries for the SCOM and SCCM servers (assumes no DNS)
- Generates a certificate request file in C:\_Temp (change the template to suit your environment)
- Opens Notepad so the user can copy the CSR and generate the certificate via the internal CA
- Waits for user to place the new certificate in C:\_Temp\
- Installs SCCM Client (With your site settings – this example uses HTTPS)
- Installs SCOM Agent (With your management server settings)
- Installs SCOM CU, assigns SCOM certificate and restarts SCOM service.
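As an added example (not part of the post or its script), the pre-flight check below covers two things the post calls out before the installs run: the firewall ports listed above, and the certificate requirements (Client and Server Authentication EKUs, a Subject matching the FQDN, a private key, and a chain that builds to the imported root). The server names and ports are the placeholders from the post; the EKU OIDs are the standard ones.

```powershell
# Added example: pre-flight checks for a workgroup/DMZ server before the SCCM
# client and SCOM agent are installed. Server names are the post's placeholders.

$SccmServer = "SCCM-Server.yourdomain.local"
$ScomServer = "SCOM-Server.yourdomain.local"

# Standard EKU OIDs for the two usages the certificate must carry
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"

# 1. Firewall / routing: the ports the post lists for each server
$PortChecks = @(
    @{ Server = $SccmServer; Port = 443;  Role = "SCCM (HTTPS)" },
    @{ Server = $SccmServer; Port = 8531; Role = "SCCM (HTTPS)" },
    @{ Server = $ScomServer; Port = 5723; Role = "SCOM agent to management server" }
)
foreach ($c in $PortChecks) {
    # Test-NetConnection ships with Windows Server 2012 R2 / PowerShell 4.0
    $r = Test-NetConnection -ComputerName $c.Server -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { "OPEN" } else { "BLOCKED" }
    Write-Host ("{0,-8} {1}:{2,-5} {3}" -f $state, $c.Server, $c.Port, $c.Role)
}

# 2. Certificate: find the machine certificate issued for this server's FQDN
#    (the CA may append further RDNs, so match on the leading CN only)
$FQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$CnPattern = "^CN=$([regex]::Escape($FQDN))(,|$)"
$Candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $CnPattern }

if (-not $Candidates) {
    Write-Warning "No certificate with Subject CN=$FQDN in LocalMachine\My (has certreq -accept been run?)"
}

foreach ($cert in $Candidates) {
    # Collect the EKU OIDs present on the certificate
    $ekuOids = @()
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Build the chain against the Root/CA stores the install script populated
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    $checks = [ordered]@{
        "Thumbprint"             = $cert.Thumbprint
        "Subject"                = $cert.Subject
        "Private key present"    = $cert.HasPrivateKey
        "Server Authentication"  = ($ekuOids -contains $ServerAuthOid)
        "Client Authentication"  = ($ekuOids -contains $ClientAuthOid)
        "Chains to trusted root" = $chainOk
        "Not expired"            = ($cert.NotAfter -gt (Get-Date))
    }
    Write-Host ""
    $checks.GetEnumerator() | ForEach-Object { Write-Host ("{0,-24} {1}" -f $_.Key, $_.Value) }
    if (-not $chainOk) {
        # Explain why the chain failed (missing intermediate, untrusted root, revocation, ...)
        $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    }
}
```

Run it after the root and intermediate certificates have been imported and after `certreq -accept` has placed the issued certificate in the machine store; every check should read True before ccmsetup and MOMCertImport are run, and a BLOCKED port is a firewall or routing issue to fix before the installs rather than something the installers will report clearly.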
Here is the script, again it’s very much a draft and suited my customer. Please amend and test thoroughly before running it on your production systems.
```powershell
<#
Author:  Chris Hayward, chrishayward.co.uk
Purpose: Script to part automate SCCM client and SCOM agent installs on DMZ and Workgroup machines
Version: 1.0
Changes:
    DATE       - Change
    22/12/2015 - Release 1.0
Known Errors:
Limitations: Compatible with PowerShell 4.0 only (Windows Server 2012 R2)
#>

Function Pause {
    Read-Host "Press any key to continue"
}

Write-Host "Script to part automate SCCM client and SCOM agent installs on DMZ and Workgroup machines"
Write-Host ""
Write-Host "Please ensure that the machine name and DNS suffix are correct before proceeding" -ForegroundColor Yellow
Write-Host ""
Write-Host "Ensure Firewall ACLs and routing are in place to allow connectivity to SCOM and SCCM servers" -ForegroundColor Yellow
Pause

# Get machine name and FQDN (the FQDN becomes the certificate Subject)
$Machine = Get-Content env:Computername
$FQDN = [System.Net.Dns]::GetHostEntry($Machine).HostName

# Get the script's directory (installation media and certificates are located relative to it)
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath

# Import root and intermediate certificates into the correct stores
Import-Certificate -FilePath "$dir\RootCerts\MyRootCert.p7b" -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath "$dir\RootCerts\MyIntermediateCert.p7b" -CertStoreLocation Cert:\LocalMachine\CA

# Create HOSTS file entries (no DNS in the DMZ); skipped if already present so the script can be re-run
$hosts = "C:\windows\System32\drivers\etc\hosts"
If (-not (Select-String -Path $hosts -Pattern "SCOM-Server.yourdomain.local" -Quiet)) {
    Add-Content $hosts ""
    Add-Content $hosts ""
    Add-Content $hosts "#Specific entries for SCCM and SCOM"
    Add-Content $hosts "10.10.10.101 SCOM-Server.yourdomain.local"
    Add-Content $hosts "10.10.10.102 SCCM-Server.yourdomain.local"
}

# Create certificate request
$ReqDir = "c:\_Temp\"
$ReqFile = "certrequest.inf"
$ReqCSR = "BinaryRequest.req"
$Cert = "NewCertificate.cer"
$ReqFile = $ReqDir + $ReqFile
$ReqCSR = $ReqDir + $ReqCSR
$Cert = $ReqDir + $Cert
New-Item $ReqDir -Type Directory -Force
If (Test-Path $ReqFile) {
    Remove-Item $ReqFile -Force
}
# certreq INF: 2048-bit exchange key in the machine key set, Subject = FQDN, template from the internal CA
Add-Content $ReqFile "[NewRequest]"
Add-Content $ReqFile "Subject=`"CN=$FQDN`""
Add-Content $ReqFile "KeySpec=1"
Add-Content $ReqFile "KeyUsage=0xf0"
Add-Content $ReqFile "KeyLength=2048"
Add-Content $ReqFile "MachineKeySet=TRUE"
Add-Content $ReqFile "[RequestAttributes]"
Add-Content $ReqFile "CertificateTemplate=`"SCOMTemplate`""
certreq -new -f $ReqFile $ReqCSR

# Prompt user to copy the CSR
cls
Write-Host "Please follow instructions"
Write-Host "Notepad is about to open, please copy and paste the CSR into the Certificate Enrollment Web Service from a Domain Joined machine" -ForegroundColor Magenta
Write-Host "You need to select SCOMTemplate when requesting the certificate" -ForegroundColor Yellow
Write-Host "You need to download the certificate in BASE64 format" -ForegroundColor Yellow
Pause
NOTEPAD.EXE /A $ReqCSR

# Prompt user to copy the issued certificate to the temp directory
cls
Write-Host "Please follow instructions"
Write-Host "Please copy the certificate to the temp directory c:\_temp\ and name it NewCertificate.cer" -ForegroundColor Magenta
Pause

# Keep prompting until the certificate file exists
Function TestCertPath {
    If (!(Test-Path $Cert)) {
        Write-Warning "Could not find certificate file"
        Write-Warning "Ensure that you have requested a certificate and saved it in $Cert"
        Pause
        TestCertPath
    }
}
TestCertPath

# Bind the issued certificate to the private key generated by certreq -new
certreq -accept $Cert

# Install SCCM 2012 R2 Client (latest CU will be pushed by the SCCM server)
# /NoCRLCheck disables certificate revocation checking; remove it once the CRL
# distribution point is reachable from the DMZ
cls
Write-Host "Installing SCCM Client"
& "$dir\SCCM\ccmsetup.exe" /UsePKICert /NoCRLCheck SMSSITECODE=ABC SMSMP=https://SCCM-Server.yourdomain.local
Write-Host "Waiting 3 minutes"
Start-Sleep 180

# Install SCOM 2012 R2 agent and latest CU (msiexec returns immediately, hence the waits)
Write-Host "Installing SCOM Client"
msiexec.exe /i "$dir\SCOM\MOMAgent.msi" USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=MG01 MANAGEMENT_SERVER_DNS=SCOM-Server.yourdomain.local ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 AcceptEndUserLicenseAgreement=1 /qn
Write-Host "Waiting 3 minutes"
Start-Sleep 180
Write-Host "Installing SCOM Client CU"
msiexec.exe /i "$dir\SCOM\KB2965445-amd64-Agent.msp" /qn
Write-Host "Waiting 3 minutes"
Start-Sleep 180

# Run MOMCertImport so the SCOM agent uses the certificate whose Subject is this server's FQDN
Write-Host "Registering Certificate with SCOM"
& "$dir\SupportTools\AMD64\MOMCertImport.exe" /subjectname $FQDN
Write-Host "Waiting 30 seconds"
Start-Sleep 30
Write-Host "Restarting SCOM Health Service"
Restart-Service -Name HealthService
Write-Host "Complete!"
```
Technical Architect at Symity
Is it possible to install SCOM (not the agent) in a workgroup environment? Why is it mandatory to join a domain to install scom?
Hi @Chris, thanks a lot for the detailed steps in the guide and script. I have already installed the certificate for SCOM and the SCOM agent on a DMZ server. Though I did not use your script directly, the steps I followed comply with your guide. The issue I am facing is installing SCCM on the same DMZ server. I am using the command “ccmsetup.exe……..” with exactly the same parameters, but nothing gets installed as a result. Can you please advise where this is failing? The ccmsetup logs indicate there is an issue with the client upgrade policy….
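As an added example (not from the post or its author, and not tied to the specific case in the comment above): ccmsetup.log is written in CMTrace format, where each entry's `type` attribute encodes its severity (1 information, 2 warning, 3 error). The function below parses that format and lists only the warnings and errors, which is the quickest way to see where a client install stopped. The sample entries are constructed for the example and the error text is a placeholder, not real ccmsetup output.

```powershell
# Added example: triage a CMTrace-format ccmsetup.log by listing warnings and errors.
# The sample entries below are constructed for this example, not real log output.

$SampleLog = @'
<![LOG[==========[ ccmsetup started in process 1234 ]==========]LOG]!><time="10:01:02.123+000" date="01-05-2016" component="ccmsetup" context="" type="1" thread="1240" file="ccmsetup.cpp:100">
<![LOG[Successfully connected to https://SCCM-Server.yourdomain.local]LOG]!><time="10:01:05.456+000" date="01-05-2016" component="ccmsetup" context="" type="1" thread="1240" file="ccmsetup.cpp:200">
<![LOG[PLACEHOLDER: failed to retrieve client upgrade policy. Error 0x80004005]LOG]!><time="10:01:09.789+000" date="01-05-2016" component="ccmsetup" context="" type="3" thread="1240" file="ccmsetup.cpp:300">
'@

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" ...>
$CmTracePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

function Get-CmTraceEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $CmTracePattern) {
            # Map the numeric type attribute to a readable severity
            $severity = switch ($Matches.type) {
                '1'     { 'Info' }
                '2'     { 'Warning' }
                '3'     { 'Error' }
                default { 'Unknown' }
            }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $severity
                Message   = $Matches.msg
            }
        }
    }
}

# Read the real log if this machine has one, otherwise fall back to the constructed sample
$LogPath = "$env:windir\ccmsetup\Logs\ccmsetup.log"
$Lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLog -split "`r?`n" }

Get-CmTraceEntry -Lines $Lines |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Component, Severity, Message -AutoSize
```

On the constructed sample only the `type="3"` entry is printed; on a real log the same filter surfaces the first warning or error after "ccmsetup started", which is usually the line that explains why the client never reached the management point or why policy retrieval failed.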