SCOM / SCCM – Script install on DMZ or Workgroup Machine

This is a very rough-and-ready script to install the Microsoft SCCM 2012 R2 client and the SCOM 2012 R2 agent on a non-domain-joined Windows Server 2012 R2 (e.g. in a DMZ). The script is provided “as is”, so please test it thoroughly in your environment. You will need to modify it to suit your environment; you will notice that site codes, server names and paths are hard-coded rather than held in variables.

In this environment SCOM and SCCM were both configured to use certificates (HTTPS); the script generates the CSR and uses the same certificate for SCOM and SCCM. Both require a certificate with the Server Authentication and Client Authentication EKUs whose Subject Name (CN) matches the FQDN of the server, so you need to configure the server name and DNS suffix before running the script.

Firewall Ports required:

SCCM – TCP/443 (HTTPS to the management point and distribution point) and TCP/8531 (HTTPS to the software update point)
SCOM – TCP/5723 (agent to management server)
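A quick reachability test before running the install saves a half-finished client install that then has to be unpicked. The following pre-flight check is an added example and not part of the original script; it uses the placeholder addresses from the HOSTS entries the script writes (10.10.10.101 / 10.10.10.102) and probes each port with a three-second timeout, so a firewall that silently drops packets shows up as a failure in seconds rather than a long hang. A successful TCP connect only proves the port is open end to end; it says nothing about the certificate or site configuration.

```powershell
# Added pre-flight check (not part of the original script).
# Targets are placeholders taken from the article's HOSTS examples; change to suit.
$Targets = @(
    @{ Name = 'SCCM-Server.yourdomain.local'; Address = '10.10.10.101'; Ports = 443, 8531; Role = 'SCCM MP/DP and SUP' },
    @{ Name = 'SCOM-Server.yourdomain.local'; Address = '10.10.10.102'; Ports = 5723;      Role = 'SCOM management server' }
)

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    # TcpClient with an explicit timeout: a firewall that drops packets (the usual
    # symptom) fails after $TimeoutMs instead of the much longer OS default.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # dropped
        $client.EndConnect($async)                                              # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$allOk = $true
foreach ($t in $Targets) {
    foreach ($p in $t.Ports) {
        $ok = Test-TcpPort -Address $t.Address -Port $p
        $status = if ($ok) { 'OPEN' } else { 'BLOCKED/UNREACHABLE' }
        Write-Host ("{0,-32} {1,-14} TCP/{2,-5} {3} ({4})" -f $t.Name, $t.Address, $p, $status, $t.Role)
        if (-not $ok) { $allOk = $false }
    }
}
if (-not $allOk) {
    Write-Warning 'Fix firewall ACLs and routing before running the install script.'
}
```

Run it on the DMZ host itself, because that is where the ACLs apply; a result from a domain-joined jump box tells you nothing about the path the agents will actually use.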

The script requires a few files to work, here is an example folder structure:

scom-sccm_script

  • RootCerts – Contains all of your internal root and intermediate CA certificates
  • SCCM – Contains the SCCM client installation (ccmsetup.exe)
  • SCOM – Contains the SCOM agent installation (MOMAgent.msi and the agent CU .msp)
  • SupportTools – Folder from the SCOM install media (SupportTools\AMD64\MOMCertImport.exe is required)

The script works as follows (Again you will need to modify to suit your needs):

  • Gets the FQDN of the computer
  • Gets the current directory (so we know where to get the installation media and certs from)
  • Imports root certificates into the local machine's Trusted Root store (Root) and intermediate certificates into the local machine's Intermediate store (CA)
  • Creates HOSTS file entries for the SCOM and SCCM servers (assumes no DNS)
  • Generates a certificate request file in C:\_Temp (change the template name to suit your environment)
  • Opens Notepad so the user can copy the CSR and generate the certificate via the internal CA
  • Waits for the user to place the new certificate in C:\_Temp\
  • Installs the SCCM client (with your site settings; this example uses HTTPS)
  • Installs the SCOM agent (with your management server settings)
  • Installs the SCOM CU, assigns the SCOM certificate and restarts the SCOM Health Service

Here is the script. Again, it is very much a draft and was written for one customer's environment; please amend and test it thoroughly before running it on your production systems.

<#
Author:  Chris Hayward, chrishayward.co.uk
Purpose: Script to part automate SCCM client and SCOM agent installs on DMZ and Workgroup machines
Version: 1.0
Changes: DATE - Change
        22/12/2015 - Release 1.0

Known Errors:

Limitations:
            Compatible with PowerShell 4.0 only (Windows Server 2012 R2)

#>

# Read-Host only returns on Enter, so say so rather than "any key"
Function Pause{
    Read-Host "Press Enter to continue" | Out-Null
}

Write-Host "Script to part automate SCCM client and SCOM agent installs on DMZ and Workgroup machines"
Write-Host ""
Write-Host "Please ensure that the machine name and DNS suffix are correct before proceeding" -ForegroundColor Yellow
Write-Host ""
Write-Host "Ensure firewall ACLs and routing are in place to allow connectivity to the SCOM and SCCM servers" -ForegroundColor Yellow
Pause

# Get machine name and FQDN (the certificate subject must match this exactly)
$Machine = $env:COMPUTERNAME
$FQDN = [System.Net.Dns]::GetHostEntry($Machine).HostName
If($FQDN -notmatch '\.'){
    Write-Warning "Name resolved to '$FQDN' with no DNS suffix - set the primary DNS suffix and re-run"
    exit 1
}

# Get the directory the script was run from (installation media and certs are relative to it)
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath

# Import root certificates into correct stores
Import-Certificate -FilePath "$dir\RootCerts\MyRootCert.p7b" -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath "$dir\RootCerts\MyIntermediateCert.p7b" -CertStoreLocation Cert:\LocalMachine\CA


# Create HOSTS file entries
$hosts = "C:\windows\System32\drivers\etc\hosts"
add-content $hosts ""
add-content $hosts ""
add-content $hosts "#Specific entries for SCCM and SCOM" 
add-content $hosts "10.10.10.101 SCOM-Server.yourdomain.local"
add-content $hosts "10.10.10.102 SCCM-Server.yourdomain.local"

# Create certificate request
$ReqDir = "c:\_Temp\"
$ReqFile = "certrequest.inf"
$ReqCSR = "BinaryRequest.req"
$Cert = "NewCertificate.cer"

$ReqFile = $ReqDir + $ReqFile
$ReqCSR = $ReqDir + $ReqCSR
$Cert = $ReqDir + $Cert
New-Item $ReqDir -type directory -force


If(Test-Path $ReqFile){
    Remove-Item $ReqFile -Force
}

add-content $ReqFile "[NewRequest]"
add-content $ReqFile "Subject=`"CN=$FQDN`""
add-content $ReqFile "KeySpec=1"
add-content $ReqFile "KeyUsage=0xf0"
add-content $ReqFile "KeyLength=2048"
add-content $ReqFile "MachineKeySet=TRUE"
add-content $ReqFile "[RequestAttributes]"
add-content $ReqFile "CertificateTemplate=`"SCOMTemplate`""

certreq -new -f $ReqFile $ReqCSR

# Prompt user to copy certificate
cls
Write-Host "Please follow instructions"
Write-Host "Notepad is about to open, please copy and paste the CSR into the Certificate Enrollment Web Service from a Domain Joined machine" -ForegroundColor Magenta
Write-Host "You need to select SCOMTemplate when requesting the certificate" -ForegroundColor Yellow
Write-Host "You need to download the certificate in BASE64 format" -ForegroundColor Yellow
Pause

NOTEPAD.EXE /A $ReqCSR

# Prompt user to copy certificate to temp directory
cls
Write-Host "Please follow instructions"
Write-Host "Please copy the certificate to the temp directory c:\_temp\ and name it NewCertificate.cer" -ForegroundColor Magenta
Pause

# Loop until the issued certificate is in place; the script never proceeds without it
While(!(Test-Path $Cert)){
    Write-Warning "Could not find certificate file"
    Write-Warning "Ensure that you have requested a certificate and saved it as $Cert"
    Pause
}

certreq -accept $Cert


# Install SCCM 2012 R2 Client (latest CU will be pushed by the SCCM server)
# /NoCRLCheck disables revocation checking on the client; it is only here because the DMZ
# host cannot reach the CRL distribution point. Remove it if your CRLs are reachable.
cls
Write-Host "Installing SCCM Client"
& "$dir\SCCM\ccmsetup.exe" /UsePKICert /NoCRLCheck SMSSITECODE=ABC SMSMP=https://SCCM-Server.yourdomain.local
# ccmsetup.exe returns straight away and finishes the install in a background process,
# so wait for that process to exit rather than a fixed three minutes
Write-Host "Waiting for ccmsetup to finish"
Start-Sleep 15
While(Get-Process -Name ccmsetup -ErrorAction SilentlyContinue){ Start-Sleep 10 }

# Install SCOM 2012 R2 agent and latest CU (msiexec returns immediately, so wait on it explicitly)
Write-Host "Installing SCOM Agent"
Start-Process msiexec.exe -Wait -ArgumentList "/i `"$dir\SCOM\MOMAgent.msi`" USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=MG01 MANAGEMENT_SERVER_DNS=SCOM-Server.yourdomain.local ACTIONS_USE_COMPUTER_ACCOUNT=1 USE_MANUALLY_SPECIFIED_SETTINGS=1 AcceptEndUserLicenseAgreement=1 /qn"
Write-Host "Installing SCOM Agent CU"
# .msp files are patches and are applied with /p, not /i
Start-Process msiexec.exe -Wait -ArgumentList "/p `"$dir\SCOM\KB2965445-amd64-Agent.msp`" /qn"


# Run MOMCertImport to bind the issued certificate to the Health Service
Write-Host "Registering Certificate with SCOM"
& "$dir\SupportTools\AMD64\MOMCertImport.exe" /SubjectName $FQDN
Write-Host "Waiting 30 seconds"
Start-Sleep 30


Write-Host "Restarting SCOM Health Service"
Restart-Service -Name HealthService


Write-Host "Complete!"
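The script trusts that the certificate the user dropped into C:\_Temp meets the requirements described at the top of the post (Server and Client Authentication EKUs, subject CN equal to the FQDN, private key on this machine) and that MOMCertImport took it. Neither is checked, and a wrong certificate is the most common reason the agent shows up as "not monitored" or the SCCM client never registers. The following verification is an added example, not part of the original script: it finds the certificate the same way the agents do, checks each requirement, confirms that the serial number MOMCertImport wrote to the HealthService registry parameters (stored as REG_BINARY in reversed byte order) matches it, and confirms the SCCM client service is up. It assumes the same FQDN derivation the script uses.

```powershell
# Added post-install verification (not part of the original script).
$FQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-AgentCertificate {
    param([string]$Subject)
    # Both agents look in the machine Personal store for a certificate whose
    # subject is exactly CN=<FQDN>; take the newest unexpired one if there are several.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-AgentCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key: certreq -accept did not match a pending request on this machine'
    }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ServerAuthOid -notin $ekuOids) { $problems += 'missing Server Authentication EKU (check the template)' }
    if ($ClientAuthOid -notin $ekuOids) { $problems += 'missing Client Authentication EKU (check the template)' }
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if ($ku -and (($ku.KeyUsages -band $needed) -ne $needed)) {
        $problems += "key usage is '$($ku.KeyUsages)'; need Digital Signature and Key Encipherment"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a DMZ host usually cannot reach the CRL
    if (-not $chain.Build($Cert)) {
        $problems += 'chain does not build to a trusted root: check the RootCerts imports'
    }
    return $problems
}

function Test-HealthServiceBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters'
    $bytes = (Get-ItemProperty -Path $key -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $bytes) { return $false }
    # MOMCertImport stores the serial number as REG_BINARY in reversed byte order,
    # so reverse it before comparing with the hex string the certificate reports.
    [array]::Reverse($bytes)
    $regSerial = -join ($bytes | ForEach-Object { $_.ToString('X2') })
    return ($regSerial -eq $Cert.SerialNumber)   # string -eq is case-insensitive
}

function Get-SccmClientVersion {
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $client = Get-WmiObject -Namespace root\ccm -Class SMS_Client -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running' -and $client) { return $client.ClientVersion }
    return $null
}

$cert = Get-AgentCertificate -Subject $FQDN
if (-not $cert) {
    Write-Warning "No unexpired certificate with subject CN=$FQDN in Cert:\LocalMachine\My"
    return
}
$problems = Test-AgentCertificate -Cert $cert
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Certificate $($cert.Thumbprint) meets the SCOM/SCCM requirements" }

if (Test-HealthServiceBinding -Cert $cert) { Write-Host 'HealthService is bound to this certificate' }
else { Write-Warning 'HealthService is not bound to this certificate; re-run MOMCertImport and restart HealthService' }

$ver = Get-SccmClientVersion
if ($ver) { Write-Host "SCCM client $ver installed and CcmExec running" }
else { Write-Warning 'SCCM client not running; see C:\Windows\ccmsetup\Logs\ccmsetup.log' }
```

If the EKU or key-usage checks fail, the fix is on the CA side (the template), not on the DMZ host; re-requesting from a corrected template and re-running MOMCertImport is the only remedy. The chain check runs with revocation disabled to match what the DMZ host can actually do; if the box can reach your CRL distribution point, switch it to `Online` and drop `/NoCRLCheck` from the ccmsetup command as well.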


6 Replies to “SCOM / SCCM – Script install on DMZ or Workgroup Machine”


  5. Hi @Chris, thanks a lot for the detailed steps in the guide and script. I have already installed certificate for SCOM and SCOM agent on a DMZ server. Though I did not use your script directly, the steps I followed comply with your guide. The issue I am facing is to install SCCM on the same DMZ server. I am using the command “ccmsetup.exe……..” with exactly the same parameters but nothing is getting installed as a result. Can you please advise where this is failing? The ccmsetup logs indicate there is an issue with client upgrade policy….
