PKI Certificates for Configuration Manager 2012 R2 – Part 4/4 (Converting Roles)

February 21, 2014

Welcome to part 4 of 4 in PKI Certificates for ConfigMgr 2012 and converting the environment from HTTP to HTTPS. In this post I will continue to show the step-by-step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.

For the links to all the parts of this series, see below:

Part 1 – Web Server Certificate

Part 2 – Client Certificate for Windows Computers

Part 3 – Distribution Points

Part 4 – Converting Roles (You are here)

 

Converting the Site System Roles from HTTP to HTTPS

Now that we have the certificates in place, we can convert the roles from HTTP to HTTPS for that added layer of security. In the Administration pane, browse to Site Configuration. Under Site Configuration, select Servers and Site System Roles.

Click the server(s) that have roles that will need to be converted. In this example I have only one server.

The roles that I will be converting are:

Application Catalog Web Service Point

Application Catalog Website Point

Distribution Point

Management Point

Software Update Point

Application Catalog Web Service Point

The option to change this from HTTP to HTTPS is grayed out. Uninstall and reinstall the role selecting HTTPS. Doing so will not convert the Application Catalog Website Point role. You will need to repeat this procedure for that role as well.

Application Catalog Website Point

The option to change this from HTTP to HTTPS is grayed out. Uninstall and reinstall the role selecting HTTPS.

Distribution Point 

Open the General tab of the Distribution Point Properties.

Click Import Certificate. Specify the certificate for the distribution point and its password. Click OK.

Management Point

The option to change from HTTP to HTTPS is grayed out. I had to uninstall and reinstall the role.

Software Update Point

Open the Software update point properties. The ports should already be listed. Click Require SSL communication to the WSUS server. Choose the Client Connection Type that best fits your organization.

Converting the Site to HTTPS

Click Site Configuration, then Sites. Click your server and choose Properties. Click the Client Computer Communication tab. Select HTTPS only.

Your environment should now be configured to use HTTPS.


PKI Certificates for Configuration Manager 2012 R2 – Part 3/4 (Distribution Points)

December 12, 2013

Welcome to part 3 of 4 in PKI Certificates for ConfigMgr 2012 and converting the environment from HTTP to HTTPS. In this post I will continue to show the step-by-step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.

For the links to all the parts of this series, see below:

Part 1 – Web Server Certificate

Part 2 – Client Certificate for Windows Computers

Part 3 – Distribution Points (You are here)

Part 4 – Converting Roles

 

Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority

1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate.

5. Click the Request Handling tab, and select Allow private key to be exported.

6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.

7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

8. Select the Enroll permission for this group, and do not clear the Read permission. Click OK and close Certificate Templates Console.

9. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK.

11. If you do not have to create and issue any more certificates, close Certification Authority.

Requesting the Custom Workstation Authentication Certificate

This procedure requests and then installs the custom client certificate onto the member server that runs IIS and that will be configured as a distribution point.

1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.

2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

3. In the Certificate snap-in dialog box, select Computer account, and then click Next.

4. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.

5. In the Add or Remove Snap-ins dialog box, click OK.

6. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

7. On the Before You Begin page, click Next.

8. If you see the Select Certificate Enrollment Policy page, click Next.

9. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.

10. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.

11. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.

12. Do not close Certificates (Local Computer).

Exporting the Client Certificate for Distribution Points

1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.

2. In the Certificates Export Wizard, click Next.

3. On the Export Private Key page, select Yes, export the private key, and then click Next.

Note: If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again.

4. On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected. Click Next.

5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.

6. On the File to Export page, specify the name of the file that you want to export, and then click Next.

7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box.

8. Close Certificates (Local Computer).

9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you configure the distribution point.
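Before the exported file is imported on the distribution point, it can be inspected from PowerShell. The following is an added example, not part of the original post: it opens the PFX, confirms that it carries a private key and the Client Authentication purpose, and lists broad groups that can read the file. The function name Test-DistributionPointPfx and the file path in the usage comment are assumptions.

```powershell
# Added example (not from the original post): inspect an exported .pfx before
# importing it on the distribution point. Names and paths are illustrative.
function Test-DistributionPointPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password
    )

    # .NET resolves relative paths against the process directory, so resolve first.
    $fullPath = (Resolve-Path -Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath, $Password)
    try {
        # Enhanced Key Usage OIDs; Client Authentication is 1.3.6.1.5.5.7.3.2.
        $ekus = @()
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # "Store the file securely": report Allow entries for broad groups.
        # Group names are the English-language defaults.
        $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
        $loose = @((Get-Acl -Path $fullPath).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $broad -contains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value })

        $clientAuth = $ekus -contains '1.3.6.1.5.5.7.3.2'
        $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            HasPrivateKey   = $cert.HasPrivateKey
            ClientAuth      = $clientAuth
            NotAfter        = $cert.NotAfter
            DaysLeft        = $daysLeft
            BroadFileAccess = $loose
            ReadyToImport   = ($cert.HasPrivateKey -and $clientAuth -and $daysLeft -gt 0)
        }
    }
    finally {
        # Release the certificate and the key material loaded from the file.
        $cert.Reset()
    }
}

# Usage (path is a placeholder):
# Test-DistributionPointPfx -Path 'C:\Certs\dp.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

A non-empty BroadFileAccess means the private key in the file is protected only by the export password for every member of those groups.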


Operations Manager Hotfixes and Cumulative Updates for all versions

December 5, 2013

Below are the hotfixes and cumulative updates for all versions of Operations Manager and the versions to which they apply.

This post will be continuously updated as new hotfixes become available. Some of these updates are required based on certain conditions. I do not recommend installing each and every single one of these. Please read the KB article and install them only if you are experiencing the problem described in the KB article.

Last Updated 1/29/2014

2007 RTM

2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1

2007 SP1

Hotfixes

2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1

Cumulative Updates

2028594 Description of System Center Operations Manager 2007 Cumulative Update 1

2007 R2 RTM

Hotfixes

2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1

Cumulative Updates

979257 System Center Operations Manager 2007 R2 Cumulative Update 2

2251525 System Center Operations Manager 2007 R2 Cumulative Update 3

2449679 System Center Operations Manager 2007 R2 Cumulative Update 4

2495674 System Center Operations Manager 2007 R2 Cumulative Update 5

2626076 System Center Operations Manager 2007 R2 Cumulative Update 6

2783850 System Center Operations Manager 2007 R2 Cumulative Update 7

2012 RTM

Hotfixes

2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1

Cumulative Updates

2674695 System Center Operations Manager 2012 Update Rollup 1

2731874 System Center Operations Manager 2012 Update Rollup 2

2756127 System Center Operations Manager 2012 Update Rollup 3

2785681 System Center Operations Manager 2012 Update Rollup 4

2822776 System Center Operations Manager 2012 Update Rollup 5

Update rollups 6 & 7 did not contain any updates for Operations Manager.

2012 SP1

Hotfixes

2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1

Cumulative Updates

2785682 System Center Operations Manager 2012 SP1 Update Rollup 1

2802159 System Center Operations Manager 2012 SP1 Update Rollup 2

2836751 System Center Operations Manager 2012 SP1 Update Rollup 3

2879276 System Center Operations Manager 2012 SP1 Update Rollup 4

2904730 Description of System Center 2012 Service Pack 1 Update Rollup 5

2012 R2 RTM

Hotfixes

2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1

Cumulative Updates

2904734 Description of Update Rollup 1 for System Center 2012 R2


PKI Certificates for Configuration Manager 2012 R2 – Part 2/4 (Client Certificate for Windows Computers)

November 27, 2013

Welcome to part 2 of 4 in PKI Certificates for ConfigMgr 2012 and converting the environment from HTTP to HTTPS. In this post I will continue to show the step-by-step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.

For the links to all the parts of this series, see below:

Part 1 – Web Server Certificate

Part 2 – Windows Computers (You are here)

Part 3 – Distribution Points

Part 4 – Converting Roles

Creating and Issuing the Workstation Authentication Security Template

1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.

5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll. Click OK and close Certificate Templates Console.

6. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

7. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.

Configuring Auto Enrollment of the Workstation Authentication Security Template

1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.

2. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.

3. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.

4. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.

5. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

6. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.

7. Close Group Policy Management.

Auto enrolling the Workstation Authentication Security Template and Verifying its Installation on the Client Computer

1. Restart the workstation computer, and wait a few minutes before logging on.

2. Log on with an account that has administrative privileges.

3. In the search box, type mmc.exe, and then press Enter.

4. In the empty management console, click File, and then click Add/Remove Snap-in.

5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.

6. In the Certificate snap-in dialog box, select Computer account, and then click Next.

7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

8. In the Add or Remove Snap-ins dialog box, click OK.

9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.

10. Close Certificates (Local Computer).
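The results-pane check above, and the same check for the ConfigMgr Client Distribution Point Certificate in Part 3, can be scripted. The following is an added example, not part of the original posts: it finds certificates in the computer's Personal store by issuing template and reports the intended purpose and whether the private key is marked exportable. The function name Get-CertByTemplate is an assumption.

```powershell
# Added example (not from the original posts): find certificates in the computer
# store by the template that issued them. Get-CertByTemplate is an illustrative name.
# Run elevated so the private key properties of machine certificates can be read.
function Get-CertByTemplate {
    param([Parameter(Mandatory = $true)] [string] $TemplateName)

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $found = @(Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Templates duplicated as "Windows 2003 Server, Enterprise Edition" are
        # version 2 templates and record themselves in the Certificate Template
        # Information extension. Format() starts with "Template=<name>(<oid>)" when
        # the name can be resolved from Active Directory, otherwise "Template=<oid>".
        $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if (-not $tplExt) { return }
        if ($tplExt.Format($false) -notmatch '^Template=(.+?)(\(|,|$)') { return }
        $template = $Matches[1]
        if ($template -ne $TemplateName) { return }

        # Intended purposes (Enhanced Key Usage OIDs).
        $ekus = @()
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Exportable flag of the key container. Stays $null when the key cannot be
        # read through the legacy CSP API (for example a CNG key or no access).
        $exportable = $null
        try { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = $template
            ClientAuth    = $ekus -contains $clientAuthOid
            HasPrivateKey = $cert.HasPrivateKey
            KeyExportable = $exportable
            NotAfter      = $cert.NotAfter
        }
    })

    if ($found.Count -eq 0) {
        Write-Warning "No certificate issued from template '$TemplateName' in Cert:\LocalMachine\My."
    }
    $found
}

# Workstation (Part 2):          Get-CertByTemplate -TemplateName 'ConfigMgr Client Certificate'
# Distribution point (Part 3):   Get-CertByTemplate -TemplateName 'ConfigMgr Client Distribution Point Certificate'
```

Only the distribution point template had Allow private key to be exported selected, so KeyExportable is expected to be True for that certificate and False for the autoenrolled workstation certificate.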


PKI Certificates for Configuration Manager 2012 R2 – Part 1 of 4 (Web Server Certificate)

November 26, 2013

This is the first post in a four-part series. In this post I will show the step-by-step process (found here) for configuring and requesting the certificates that will be used with the Configuration Manager 2012 R2 environment and the clients.

Part 1 – Webserver Certificate (You are here)

Part 2 – Windows Computers

Part 3 – Distribution Points

Part 4 – Converting Roles

Environment:

The lab environment consists of two servers for this scenario.

Windows Server 2012 R2 Domain Controller

Windows Server 2012 R2 with System Center 2012 R2 – Configuration Manager (Single Server Installation)

Creating the Web Server Certificate

This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority.

1. First, create a security group that will contain the System Center 2012 Configuration Manager site systems that will run IIS. In this example I will be using the name ConfigMgr IIS Servers.

Add the Configuration Manager IIS servers as members of this group.

2. Open the Certification Authority console on the member server that has it installed. Right-click Certificate Templates and click Manage to load the Certificate Templates console.

3. The Certificate Templates console window will open. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.

4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

Note: Do not select Windows 2008 Server, Enterprise Edition.

5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.

6. Click the Subject Name tab. Make sure that Supply in the request is selected.

7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.

9. Select the Enroll permission for this group. Do not clear the Read permission. Click OK, and close the Certificate Templates Console.

10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

11. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.

12. If you do not need to create and issue any more certificates, close Certification Authority.

Requesting the Web Server Certificate

Now that we have created the Web Server Certificate, we will need to request the certificate for the member server that runs IIS. This procedure allows you to specify the intranet and Internet FQDN values that will be configured in the site system server properties, and then install the web server certificate onto the member server that runs IIS.

1. I recommend restarting the member server that runs IIS. This will ensure that the computer can access the certificate template that you just created by using the Read and Enroll permissions that you configured.

2. Click Start, click Run, and type mmc.exe. Click File, and then click Add/Remove Snap-in.

3. The Add or Remove Snap-ins window will open. Select Certificates from the list of Available snap-ins, and then click Add.

4. The Certificate snap-in window will open. Select Computer account, and then click Next.

5. The Select Computer dialog box window will open. Ensure Local computer: (the computer this console is running on) is selected. Click Finish.

6. The Add or Remove Snap-ins dialog box will return. You will now see Certificates (Local Computer) in the Selected snap-ins column. Click OK.

7. In the console, expand Certificates (Local Computer), and then click Personal. Right-click Certificates, click All Tasks, and then click Request New Certificate.

8. On the Before You Begin page, click Next.

9. If you see the Select Certificate Enrollment Policy page, click Next.

10. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.

11. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

12. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click Add and then click OK to close the Certificate Properties dialog box.

13. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.

14. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. Close Certificates (Local Computer).

clip_image052

Configure IIS to use the Web Server Certificate

This procedure binds the installed certificate to the IIS Default Web Site.

1. On the member server that has IIS installed, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

3. Click the https entry, and then click Edit.

4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificate template, and then click OK.

5. Click OK in the Edit Site Binding dialog box, and then click Close. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a ConfigMgr Web Server certificate.
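Because the request leaves the Subject name blank, the DNS alternative names are the only identity in this certificate, so it is worth confirming that the bound certificate really lists the FQDNs configured for the site system. The following is an added example, not part of the original post: it reads the certificate behind the https binding and checks it. The function name Test-ConfigMgrWebCert and the FQDN in the usage comment are assumptions.

```powershell
# Added example (not from the original post): check the certificate behind the
# https binding of the IIS site. Test-ConfigMgrWebCert and the FQDN in the usage
# comment are illustrative names.
Import-Module WebAdministration

function Test-ConfigMgrWebCert {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ExpectedFqdn,
        [string] $SiteName = 'Default Web Site'
    )

    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding -or -not $binding.certificateHash) {
        throw "Site '$SiteName' has no https binding with a certificate."
    }
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    $cert  = Get-Item -Path "Cert:\LocalMachine\$store\$($binding.certificateHash)"

    # Subject Alternative Name extension (OID 2.5.29.17). Format() renders DNS
    # entries as "DNS Name=host" on English-language Windows.
    $sanDns = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanDns = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value.ToLower() })
    }

    # Enhanced Key Usage OIDs; Server Authentication is 1.3.6.1.5.5.7.3.1.
    $ekus = @()
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # FQDNs the site system will use that the certificate does not cover.
    $missing    = @($ExpectedFqdn | Where-Object { $sanDns -notcontains $_.ToLower() })
    $serverAuth = $ekus -contains '1.3.6.1.5.5.7.3.1'
    $now        = Get-Date
    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Site          = $SiteName
        Thumbprint    = $cert.Thumbprint
        SanDnsNames   = $sanDns
        MissingFqdns  = $missing
        ServerAuth    = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        Ok            = ($missing.Count -eq 0 -and $serverAuth -and
                         $cert.HasPrivateKey -and $inValidity)
    }
}

# Usage (FQDN is a placeholder for the value entered in the site system properties):
# Test-ConfigMgrWebCert -ExpectedFqdn 'cm01.lab.example'
```

An entry in MissingFqdns means clients connecting with that name will fail certificate name validation once the roles are switched to HTTPS.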


Creating OpsMgr 2012 Gateway Server Certificates

November 13, 2013

This post provides step-by-step instructions for acquiring the Root CA certificate from the domain where Operations Manager resides and importing it into the Gateway certificate store. It also details how to request and apply a certificate for the Gateway server.

Prerequisites

  • Disk space: %SYSTEMDRIVE% requires at least 1024 MB free hard disk space.
  • Server Operating System: must be Windows Server 2008 R2 SP1, Windows Server 2012, or Windows Server 2012 Core Installation.
  • Processor Architecture: must be x64.
  • Windows PowerShell version: Windows PowerShell version 2.0, or Windows PowerShell version 3.0.
  • Microsoft Core XML Services (MSXML) version: Microsoft Core XML Services 6.0 is required for the management server.
  • .NET 3.51 SP1
  • .NET Framework 4 is required if the Gateway server manages UNIX/Linux agents or network devices.

Installation

Create the Operations Manager Gateway Certificate

This section describes how to create a certificate to use for the Gateway server(s).

Perform the following steps on the PKI Certificate Server.

Open the Certification Authority program. Expand the CA Server, right click Certificate Templates and select Manage.

The Certificate Templates window will open. Right click IPSec (Offline request) and select Duplicate Template.

The Duplicate Template window will open. Keep the default selection Windows Server 2003 Enterprise. Click OK.

The Properties of the New Template window will open. In the Template display name field type in Operations Manager 2012 Gateway Certificate. The Template name will duplicate what is typed in above. Keep the Validity period at 2 years and Renewal period at 6 weeks. Click on the Request Handling tab.

Select Allow private key to be exported.

Click on the Security tab.

Click on Authenticated Users. Check Enroll. Click on the Extensions tab.

Select Application Policies and click Edit.

Remove IP security IKE intermediate. Click Add.

Add Client Authentication and Server Authentication. Click OK.

Click OK to close out of the Properties of New Template.

Notice the newly created template. Close out of the Certificate Templates Console.

From the Certificate Authority, right click Certificate Templates. Select New and select Certificate Template to Issue.

The Enable Certificate Templates window will open. Locate the Operations Manager 2012 Gateway Certificate template. Click OK.

The Certificate is ready for issuing. Close out of the Certificate Authority.

Request the Operations Manager Certificate for the Management Server

On the Management Server, we also need to install a certificate. Since we have an Enterprise Root CA integrated with AD, the root CA certificate is already trusted by our Management Server, which is a domain member. This section will walk through requesting the Operations Manager 2012 Gateway certificate.

Perform the following steps on the Management Server.

Open the Local Computer certificate store on the management server.

Import the certificate that was created earlier. Select Request New Certificate.

The Certificate Enrollment window will open. Click Next.

The Select Certificate Enrollment Policy window will open. Select Active Directory Enrollment Policy. Click Next.

The extra information needed is the Common Name in the first box (opsmgr.lab.ad) and the FQDN in the bottom box with DNS.

Fill in the values and click Add under Subject Name and Alternative Name.

Type: Common Name: opsmgr.lab.ad

Alternative Name:

Type: DNS: opsmgr.lab.ad

Click OK

Click Enroll

Verify the status succeeded. Click Finish.

The certificate now appears in the Local Computer Personal Certificates Store

Request the Operations Manager Certificate for the Gateway Server

The gateway is not part of the same domain as Operations Manager and does not trust the Enterprise CA by default. The process below will walk through getting and installing the Root CA certificate from AD CS.

Perform the following steps on the Gateway Certificate Server.

Open an MMC.

Open the Add or Remove Snap-ins. Select Certificates. Click Add.

The Certificates snap-in window will open. Select Computer account. Click Next.

The Select Computer window will open. Select Local computer. Click Finish.

Repeat the process to add the current user account.

The Certificates snap-in window will open. Select My user account. Click Finish.

Notice that both Certificates (Local Computer) and Certificates – Current User are listed in the Selected snap-ins column. Click OK.

Expand Trusted Root Certification Authorities. Notice the certificate from the Root CA needs to be added to the Trusted Root Certification Authorities list.

Open a web browser on the Gateway Server, and browse to the Microsoft Active Directory Certificate Services website on the domain:

http://certificateserver/certsrv

Select Download a CA certificate, certificate chain or CRL.

The Web Access Confirmation window will open. Click Yes.

The Download a CA Certificate, Certificate chain, or CRL window will open. Select Base 64. Click Download CA certificate chain.

The File download window will open. Click Save.

Save the file to a location that is easily accessible. Click Save.

Within the MMC import the certificate into the local computer.

The Certificate Import Wizard window will open. Click Next.

Browse to the saved location. Change the file type to PKCS #7 Certificates. Click Open.

The file should appear in the File name field. Click Next.

The Certificate will be placed in the Trusted Root Certification Authorities. Click Next.

Click Finish to import the Root Certificate.

The Certificate is now in the list. This means the Gateway Server will trust certificates issued by the Enterprise Root CA.

The steps below walk through requesting the Operations Manager certificate for the gateway server.

Request a Certificate from the CA

Note: For target servers running W2K3, do the following steps from that machine; if target is W2K8, run the following from a W2K3 server instead

Open Internet Explorer and browse to http://<cert server>/certsrv

Select Request a certificate

The Request a Certificate webpage will open.

Select advanced certificate request

The Advanced certificate request webpage will open. Select Create and submit a request to this CA.

Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of the Gateway Server.

If the Gateway server is in a workgroup, the NetBIOS name is sufficient.

Ensure the Request Format is PKCS10. Click Submit.

The Certificate is now generated. Click on Install Certificate.

The Certificate has been successfully installed. Note: this is saved to the Personal certificate store.

We need to authenticate computers, and the certificate is imported in the Personal certificate store. Open the Certificates MMC and copy the certificate from the personal store to the local computer store.

The certificate will now reside in the Local Computer Certificates Store.

The certificate is now installed, and you can verify that everything is installed correctly by opening the certificate and checking that the certification path is OK.
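The certification path check can also be done from PowerShell before MOMCertImport is run. The following is an added example, not part of the original post: it looks in the Local Computer Personal store for a certificate whose common name matches the server name and reports whether it has a private key, carries both application policies added to the template (Client Authentication and Server Authentication), and chains to a trusted root. The function name Test-GatewayCertificate is an assumption.

```powershell
# Added example (not from the original post): validate the certificate that will
# be handed to MOMCertImport. Test-GatewayCertificate is an illustrative name.
function Test-GatewayCertificate {
    param([Parameter(Mandatory = $true)] [string] $Fqdn)

    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'

    # Match on the subject common name, which was set to the server name in the request.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Fqdn })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with common name '$Fqdn' in Cert:\LocalMachine\My."
        return
    }

    foreach ($cert in $candidates) {
        # Application policies are stored as Enhanced Key Usage OIDs.
        $ekus = @()
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Build the chain in machine context, the same trust view a service has.
        # UntrustedRoot means the Root CA certificate was not imported on this
        # server; RevocationStatusUnknown or OfflineRevocation means the CRL
        # location of the CA cannot be reached from here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
        $chainOk = $chain.Build($cert)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $chain.Reset()

        $hasBoth = ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $ekus -contains $serverAuth
            ClientAuth    = $ekus -contains $clientAuth
            ChainOk       = $chainOk
            ChainStatus   = $chainStatus
            NotAfter      = $cert.NotAfter
            Ok            = ($cert.HasPrivateKey -and $hasBoth -and $chainOk)
        }
    }
}

# Usage with the names used in this post:
# Test-GatewayCertificate -Fqdn 'opsmgr.lab.ad'   # on the management server
# Test-GatewayCertificate -Fqdn 'dc01.lab.ad'     # on the gateway server
```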

Import the MOMCertImport to the Management Server

This section provides step-by-step instructions on importing the certificate to the Management Server using the MOMCertImport.exe utility.

Perform the following steps on the Management Server virtual machine.

Copy the MOMCertImport.exe tool from the installation media to the gateway server, into the gateway installation path (i.e. D:\Program files\System Center 2012\Operations Manager\Server).

From the Management Server, browse to the Local Computer Certificate store. Under personal select the certificate and choose Export.

The Certificate Export Wizard window will open. Click Next.

The Export Private Key window will open. Click Yes, export the private key. Click Next.

The Export File Format window will open. Ensure Export all extended properties is checked. Click Next.

The Password window will open. Type and confirm a password. Click Next.

Specify a name and location to save the exported certificate to that is easily accessible. Click Next.

Click Finish to complete the export.

The Certificate Export Wizard window will open. Verify the export was successful. Copy the file to a location that is accessible to the Gateway Server. Click OK.

Open a command prompt with Administrator credentials on the Management server. Browse to the installation folder on the Gateway Server and run the following command:

Momcertimport.exe D:\Sources\Certificates\opsmgr.pfx

A prompt will appear to Enter certificate password. Enter the certificate password. Hit Enter.

After a few moments, a message will appear. Verify that "Successfully installed the certificate. Please Check Operations Manager in event viewer to check channel connectivity" appears. Close out of the command prompt window.

Import the MOMCertImport on Gateway Server

Perform the following steps on the Gateway Server virtual machine.

Copy the MOMCertImport.exe tool from the installation media to the gateway server, into the gateway installation path.

From the Management Server, browse to the Local Computer Certificate store. Under personal select the certificate and choose Export.

The Certificate Export Wizard window will open. Click Next.

The Export Private Key window will open. Click Yes, export the private key. Click Next.

The Export File Format window will open. Ensure Export all extended properties is checked. Click Next.

The Password window will open. Type and confirm a password. Click Next.

Specify a name and location to save the exported certificate.

Click Finish to complete the export.

Verify the export was successful. Copy the file to a location that is accessible to the Gateway Server.

Open a command prompt on the Management Server. Browse to the gateway installation folder and run the following command:

Momcertimport.exe D:\Sources\Certificates\OpsMgrMS01.pfx

Enter the certificate password.

Verify the certificate installed successfully.
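The wizard export above can also be scripted and checked before the file is handed to MOMCertImport.exe. The following PowerShell is an added example, not part of the original post: the FQDN and PFX path are the ones used in the commands on this page, while the function names Export-OpsMgrPfx and Test-OpsMgrPfx and the selection of the certificate by subject are hypothetical choices for illustration.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on Windows Server 2012 or later, where the PKI module is available.
$fqdn    = 'opsmgr.lab.ad'                        # management server name used on this page
$pfxPath = 'D:\Sources\Certificates\opsmgr.pfx'   # export path used on this page

function Export-OpsMgrPfx {   # hypothetical helper name
    param([string]$SubjectFqdn, [string]$FilePath, [securestring]$Password)
    # Local Computer\Personal store: newest matching certificate that has a private key
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$SubjectFqdn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for $SubjectFqdn" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }
    # Fails if the template did not mark the private key as exportable
    Export-PfxCertificate -Cert $cert -FilePath $FilePath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Test-OpsMgrPfx {     # hypothetical helper name
    param([string]$FilePath, [securestring]$Password, [string]$ExpectedThumbprint)
    # Opening the file proves the password works; HasPrivateKey proves the key was exported
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $FilePath, $Password
    try {
        if (-not $pfx.HasPrivateKey) { throw "$FilePath does not contain a private key" }
        if ($pfx.Thumbprint -ne $ExpectedThumbprint) { throw "$FilePath holds a different certificate" }
    } finally { $pfx.Reset() }
    return $true
}

# The password is prompted for, never stored in the script
$password   = Read-Host -Prompt 'PFX password' -AsSecureString
$thumbprint = Export-OpsMgrPfx -SubjectFqdn $fqdn -FilePath $pfxPath -Password $password
Test-OpsMgrPfx -FilePath $pfxPath -Password $password -ExpectedThumbprint $thumbprint

# After the import with MOMCertImport.exe succeeds, delete the PFX from the
# transfer location: it contains the server's private key.
# Remove-Item $pfxPath
```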

Approve Gateway to communicate with the Management Server

Perform the following steps on the Management Server virtual machine.

Browse the installation media to Supporttools\AMD64.

Select the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.CONFIG files and copy them.

Paste the files to the Operations Manager\Setup folder (e.g., D:\Program Files\System Center 2012\Operations Manager\Setup).

Open a Command Prompt with Run as Administrator.

Browse to the Operations Manager installation folder. Configure the command line to match below:

MICROSOFT.ENTERPRISEMANAGEMENT.GATEWAYAPPROVALTOOL.EXE /managementservername=opsmgr.lab.ad /gatewayname=dc01.lab.ad /Action=Create

The process will take a few minutes to complete.

If the approval is successful, you will see the approval of server <GatewayFQDN> completed successfully.

Install Gateway Server

Perform the following steps on the Gateway Management Server virtual machine.

Browse to the media source. Locate Autorun.exe and double-click it to start the install. The Systems Center Configuration Manager window will open. Select Gateway management server.

The Operations Manager Gateway Server Setup window will open.

The Destination Folder window will open. Specify the installation folder. Click Next.

The Management Group Configuration window will open. Specify the information. Click Next.

The Gateway Action Account window will open. Select the type of Action Account to gather the operational data (Local System). Click Next.

The Microsoft Update window will open. Select whether or not to provide feedback. Click Next.

The Ready to Install window will open. Review the installation settings. Click Install.

The installation will take a few moments to complete.

Click Finish.

Troubleshooting

Perform the following steps on the Gateway Management Server virtual machine.

If event ID 21006 appears, make sure the firewalls on the gateway and/or on the management server are not blocking communication.

Select Allow this server to act as a proxy and discover managed objects on other computers. This server will act as a proxy for other systems that connect through the gateway server.

Categories: OpsMgr 2012

Configuration Manager 2012 Cumulative Updates and Hotfixes

November 12, 2013

Below are the hotfixes for Configuration Manager 2012 RTM, SP1, and R2 and the versions to which they apply.

This post will be continuously updated as new hotfixes become available. Some of these updates are required based on certain conditions. I do not recommend installing each and every single one of these. Please read the KB article and install them only if you are experiencing the problem described in the KB article.

Last Updated: 4/2/2014

RTM – 5.00.7711.0000

CU1 – 5.00.7711.0200

CU2 – 5.00.7711.0301

SP1 – 5.00.7804.1000

SP1 CU1 – 5.00.7804.1202

SP1 CU2 – 5.00.7804.1300

SP1 CU3 – 5.00.7804.1400

SP1 CU4 – 5.00.7804.1500

R2 – 5.00.7958.1000

RTM

2717295 Description of Cumulative Update 1 for System Center 2012 Configuration Manager

2737681 You cannot deploy a client agent by using System Center 2012 Configuration Manager on a computer that is running the French version of Windows 7

2744420 An update is available to support Alternate Content Provider in Task Sequences in System Center 2012 Configuration Manager

2780664 Description of Cumulative Update 2 for System Center 2012 Configuration Manager

2798545 Application evaluation fails in System Center 2012 Configuration Manager running on Windows XP

Service Pack 1

2793237 FIX: The Schedule Updates Wizard does not list content for Windows Server 2012 in System Center 2012 Configuration Manager Service Pack 1

2798545 Application evaluation fails in System Center 2012 Configuration Manager running on Windows XP

2801987 Installation error 0x800b0101: System Center 2012 Configuration Manager Service Pack 1 client

2907566 November 2013 anti-malware platform update for Endpoint Protection clients

CU1 with Post CU1 Hotfixes

2817245 Description of Cumulative Update 1 for System Center 2012 Configuration Manager Service Pack 1

2828233 An anti-malware platform update for System Center 2012 Endpoint Protection Service Pack 1 clients is available from Microsoft Support

2828900 FIX: The content status of a package is stuck in “In progress – Waiting for Content” status in System Center 2012 Configuration Manager SP1

2832598 DMP Uploader enters a bad loop in System Center 2012 Configuration Manager Service Pack 1

2832622 FIX: Automatic client upgrades are unsuccessful for Configuration Manager 2007 clients in System Center 2012 Configuration Manager Service Pack 1

2837395 The “Install Application” task sequence fails in System Center 2012 Configuration Manager SP1

2841764 FIX: Site assignments do not work in a System Center 2012 Configuration Manager site environment

2838585 FIX: Task sequence to install an operating system doesn’t run when you use custom port settings in System Center Configuration Manager 2012 SP1

CU2 with Post CU2 Hotfixes

2854009 Description of Cumulative Update 2 for System Center 2012 Configuration Manager Service Pack 1

2867422 FIX: Errors when you try to install or recover a secondary site in System Center 2012 Configuration Manager

2869380 FIX: A task sequence stops responding when multiple task sequences are started in System Center 2012 Configuration Manager

2865173 An anti-malware platform update for Endpoint Protection clients is available from Microsoft Support

2870742 FIX: An Alternate Content Provider does not work in a task sequence for a System Center 2012 Configuration Manager SP1 site

CU3 with Post CU3 Hotfixes

2882125 Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1

2894539 A post-CU3 update is available for System Center 2012 Configuration Manager SP1

2913703 Applications that use dynamic variable lists are not installed in System Center 2012 Configuration Manager

CU4 with Post CU4 Hotfixes

2922875 Description of Cumulative Update 4 for System Center 2012 Configuration Manager Service Pack 1

2918997 Hotfix updates the Software Requirements UI for Mac software distribution operating systems in System Center 2012 Configuration Manager SP1

R2 RTM

2905002 An update is available for the “Operating System Deployment” feature of System Center 2012 R2 Configuration Manager

2907591 Per-computer variables for imported computers are not read in System Center 2012 R2 Configuration Manager

2907566 November 2013 anti-malware platform update for Endpoint Protection clients

2916611 Automatic Deployment Rules do not work when you use specific proxy authentication on a site server that is running Microsoft System Center 2012 R2 Configuration Manager

2910552 You cannot deploy Windows 8.1 to a Windows XP-based computer after you upgrade to System Center 2012 R2 Configuration Manager

2928122 Application contents are duplicated in stand-alone media in System Center 2012 R2 Configuration Manager

 

R2CU1 with Post R2CU1 Hotfixes

2938441 Description of Cumulative Update 1 for System Center 2012 R2 Configuration Manager

Categories: ConfigMgr 2012