I know that this tool needs certain .NET components (and some even say MSXML6.0 as well, but I doubt that) but these are present and functional on that server. So time to dive a bit deeper.
Hmmm. It turned out DEP was set to its highest level, and I wasn’t allowed to add the tool as an exception since it is x64 based. At least that’s what the error message told me when I tried to add a DEP exception. Simply lowering DEP wouldn’t have been a problem in itself, but changing it requires a reboot of the server, and rebooting a server during production hours isn’t really a good decision.
So how to go further?
Actually, MOMCertImport.exe is nothing more than a convenience tool that helps lazy OpsMgr administrators get through the day without too much manual labor. It adds an entry to the registry that ‘tells’ the OpsMgr Health Service which certificate it needs to load from the computer certificate store. That’s it. Oh, and one small pitfall: the certificate’s serial number is used here, but some pesky OpsMgr developer decided to store that serial the other way round (the byte order is reversed)…
Keep that in mind and there is no problem whatsoever.
This is what I did in order to work around the MOMCertImport.exe tool on the problematic server:
Process 1: Finding out the serial number of the certificate:
- Open the MMC, add a snap-in. Select Certificates for the Computer Account. Go to Personal, expand it and select the certificate OpsMgr will use.
- Double click it and go to the second tab, ‘Details’.
- The second entry has the field name ‘Serial Number’. Write it down or use the ‘Copy to File’ button. The latter is the better option, since no typing errors can creep into the serial number.
Process 2: Adding the found serial number in REVERSE order in the registry:
- Open the registry
- Go to HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings
- Create a new Binary Value here named ChannelCertificateSerialNumber
- Enter the serial number of the certificate found earlier. Remember to REVERSE the order of the byte pairs. Do not type spaces; the registry editor adds them automatically.
Example: suppose the serial number is 34 56 85, you must enter it as 85 56 34. DO NOT REVERSE THE ORDER OF THE DIGITS IN THE PAIRS!
Now the Health Service can be restarted. Soon enough EventID 20053 will show up, telling you that the certificate has been loaded successfully. If EventID 20066 is displayed instead, the wrong serial number has been entered into the registry: go back and double check it.
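Both processes above, done in one elevated PowerShell session instead of by hand, as an added example that is not part of the original post. It assumes the agent is already installed (so the Machine Settings key exists) and takes the certificate’s thumbprint as a placeholder parameter; the service name HealthService and the ‘Operations Manager’ event log are the agent’s real names.

```powershell
# Added example, not from the original post: reverse the serial bytes, write the
# registry value, restart the Health Service and report EventID 20053 / 20066.
# Assumptions: elevated shell on the agent machine, the agent is installed, and
# $Thumbprint (placeholder) identifies the certificate in Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$valueName = 'ChannelCertificateSerialNumber'

# Process 1: read the serial number from the certificate in the computer's Personal store.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
$hex = $cert.SerialNumber   # same hex string as the 'Serial Number' field on the Details tab

# Process 2: split the hex string into byte pairs, reverse the pairs (never the digits
# inside a pair) and store the result as a REG_BINARY value: '345685' becomes 85 56 34.
$bytes = [byte[]](0..($hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring(2 * $_, 2), 16) })
[array]::Reverse($bytes)

if (-not (Test-Path -Path $regPath)) { throw "Key not found: $regPath (is the OpsMgr agent installed?)" }
New-ItemProperty -Path $regPath -Name $valueName -PropertyType Binary -Value $bytes -Force | Out-Null

# Read the value back and show both orders, so a mistake is caught before the restart.
$stored = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
'Certificate serial : ' + ($hex -replace '(..)(?=.)', '$1 ')
'Registry value     : ' + (($stored | ForEach-Object { $_.ToString('X2') }) -join ' ')

# Restart the Health Service and wait for the event that reports the outcome:
# 20053 = certificate loaded, 20066 = wrong serial number in the registry.
$since = Get-Date
Restart-Service -Name HealthService
Start-Sleep -Seconds 30
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053, 20066; StartTime = $since } `
       -ErrorAction SilentlyContinue | Select-Object -First 1
switch ($evt.Id) {
    20053   { 'EventID 20053: certificate loaded successfully.' }
    20066   { 'EventID 20066: serial number mismatch, recheck the registry value.' }
    default { 'Neither event logged yet; check the Operations Manager event log again shortly.' }
}
```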
This way production doesn’t suffer a single second down-time and the OpsMgr implementation can continue as well. A win-win situation actually…
5 comments:
This is exactly what I was looking for, but when I go into regedit there is no Microsoft Operations Manager folder under Software\Microsoft. Is it somewhere else in Server 2008?
Hi Liam.
In Windows Server 2008 (R2) this key is present and found in the hive HKEY_LOCAL_MACHINE. To be more precise: HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings.
Hope this helps.
Cheers,
Marnix
I had the same issue here and then I went looking for the Registry Key and when I saw it wasn't present realized I forgot to install the agent first (LMAO). Installed the agent and then ran the tool without a hitch.
I had the same issue and when I went to look for the registry key I could not find it. I then realized I forgot to install the SCOM Agent first (LMAO). Installed the SCOM Agent and then ran the MOMCertImport Tool without a hitch.
I had the same issue but then realised I installed the x86 agent on an x64 server.
Once I installed the x64 agent instead, the momcertinstall.exe worked fine.