You need a SCOM 2012 R2 Management Group up and running and ready to deploy agents to your VMs. You also need Certificates on your MS from a CA that will also issue certificates for your manually installed agents so they can authenticate.
Monitoring in the same Domain uses Kerberos for authentication. Monitoring across different Domains with no trusts require Certificate Based authentication. In this instance we are monitoring between Domains (different Azure Subscriptions) that have no trust in place (no VPN/Tunnel connectivity) so we will need to use certificates. Monitoring VMs in Azure will make sense after reading through.
Monitoring VMs in the Different Domains (Subscriptions):
Installing agents to monitor Azure VMs in the different domains is the same as it would be if you were installing agents on physical or virtual servers in your AD environment that were located in a different Domain than the Domain where the SCOM MG resides. You need to install the agent manually on the servers to be monitored and then install a certificate for authentication.
Manually Install the SCOM Agent:
You will need to manually install the agent on the server to be monitored. You can find the agent in the following location on one of your MS (your location may be different depending on where you installed SCOM) C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\AgentManagement\amd64 or x86 folder depending on the OS of the server you are installing to.
Click I Agree to the license terms.
Accept the defaults or change the directory where you want the agent installed, click Next >
On the Agent Setup Options page make sure Connect the agent to System Center Operations Manager is checked. Once the agent is installed you can modify the agent and deselect Use Active Directory or collect IntelliTrace Logs. Click Next >
Input your management Group Name, the Management Server you want the agent to report to and accept the default Management Server Communications Port (unless you changed it during installation of your SCOM infrastructure, then substitute your custom port configuration here) and click Next >
Select Local System or Domain/local Computer Account as appropriate, then click Next >
Confirm all your selections and click Install
Once the agent is installed you will need to install a certificate on the server to allow the agent to authenticate to the MS.
Obtain Certificates for Authentication:
This example uses a standalone CA to obtain the Root and the client certificates.
Importing Trusted Root Certificate:
1. Navigate to the certificate server web site with http://standaloneCAroot/cersrv
2. Click on “Download a CA certificate, certificate chain or CRL”
3. Click on “Download Ca certificate chain”
4. Save the “certnew.p7b” to the “c:\” (or some place you want)
5. Click start run “MMC”; from the file menu “Add/remove Snap-in..” select
- Click “Add”
- Select “Certificates”
- Click “Add”
- Select “Computer account”
- Click “Next”
- Select “local computer”
- Click “Finish”
6. Click “Close” and “Ok” to access the Certificates console.
7. Navigate to the folder “Trusted Root Certification Authorities”
8. Right click the “Certificates” folder and select “All Tasks” and “Import”
- In the wizard click “Next”
- Click “Browse” and browse to the “certnew.p7b” on the “c:\” (or some place you put it)
- Click “Next”
- Select “Place all certificates in the following store” and make sure the Certificate store is “Root Certification Authorities” and click “Next”
- Click “Finish” to complete the import
9. Delete the “certnew.p7b”
10. The import of the trusted root certificate is finished
Creating and Installing Server (Client, Server) Certificates:
1. Navigate to the certificate CA server web site with http://standaloneCAroot/cersrv
2. Click “Request a certificate”
3. Click “advanced certificate request”
4. Click “Create and submit a request to this CA”
5. Use the following for the certification request:
- Name: Managementserver.domain.com
- Type: Other
- OID: 18.104.22.168.22.214.171.124.1, 126.96.36.199.188.8.131.52.2
- Select: Mark key as exportable
- Select: Store certificate in the local computer certificate store
- Friendly name: Managementserver.domain.com
- Click “Submit”
- Close Internet explorer
6. Let the certificate be issued on the Standalone Root CA
7. Navigate to http://standaloneCAroot/cersrv
8. Click “View status of a pending certificate request”
9. Click the Issued certificate
10. Install the issued certificate
Running MOMcertimport.exe on the servers
Open an elevated command prompt and navigate to where you have the SCOM installation bits, typically that will be C:\SC2012 R2 SCOM\SupportTools\AMD64 and copy MOMCertimport.exe to the server where you installed the certificates. Make sure you use the correct version of the MOMCertimport.exe that matches the OS; 32 bit or 64 bit.
Lastly once the agent and certificates are installed you will need to approve the agent before monitoring can begin.
Find the agent under Administration – Pending Management. Right click the server and approve it.
Actions Needed to Perform in SCOM Servers:
• Cross Platform Extensions uses an SSL Certificate for WS-Management Communication between the Operations Manager management server and the remote UNIX or Linux computer.
• For this certificate to be valid, the common name (CN) that is used in the certificate must match the fully qualified domain name (FQDN) that is resolved by Operations Manager.
• In order to monitor Linux servers, certificate name should match with the following requirement hostname.cloudapp.net
• In Linux, by default certificate will be created with hostname only and not with the domain name.
To Change the Name on the Certificate:
• If the certificate was created with an incorrect name, you can change the host name and re-create the certificate and private key. To do this, run the following command on the UNIX or Linux computer:
/opt/microsoft/scx/bin/tools/scxsslconfig -f -h <hostname> -d <domain.name>
In our case domain name is “cloudapp.net”
• Restart the agent by running the following command:
Discovery of Linux Server and Deploy Agents:
• In the Operations Manager console navigate to Administration then expand Administration and then expand Device Management. Select UNIX/Linux Computers and right click and select Discovery Wizard.
• When the discovery wizard opens select UNIX/Linux Computers and select Next.
• Under Discovery Criteria add the discover scope. The scope can be the FQDN of a system, a single IP, or a range of IPs. Please specify the Public IP address as well full FQDN of that Virtual Machine (hostname.cloudapp.net)
• Next select the Discovery type and finally the credentials that will be used to contact and install the agent on the system. Select Save when finished.
• In the next wizard, select a target resource pool and select Discover.
• Once the UNIX/Linux systems are discovered check the systems, you want to install the agent on and select Manage.
• Since we have already installed the agent manually, it will sync with the server and gather all the necessary information. Once all of the actions are completed, we will be able to see the status as successful in the Discover wizard.
Post Agent Deployment:
• Once the agents are installed, wait a few minutes for data to populate.
• In the Operations Manager console, select Monitoring from the bottom left and select the UNIX/Linux Computers view to see the current status of the Linux server.
Hopefully monitoring vms in Azure is less confusing after reading this post.