Dual home SCOM UNIX/LINUX Agents and Migrate – Part 1

One of the tasks for a SCOM administrator is to do a parallel migration of SCOM. During the migration process, agent migration is an important task. The high-level plan for migrating agents is to dual home the agents and then remove the monitoring from the old Management Group (MG). For Windows agents the process is well documented, but for X-Plat agents it is not.

In this blog, I will explain how to dual home SCOM UNIX/LINUX agents. Bear in mind, this method is still NOT supported. That means Microsoft has not tested this method. But it has worked in all the cases I have worked on.
** Dual homing with deprecated versions like SCOM 2012, SP1, R2, 1801 and 1807 is strictly not supported.

Later, I will also explain how to do the migration of the SCOM UNIX/LINUX agents to the new MG – This will be in Part 2 as this blog exceeded the length I was expecting.

In order to understand the process of dual homing SCOM UNIX/LINUX agents let us understand the basic difference between Windows Agent monitoring and X-Plat Monitoring. In Windows monitoring, the agent communicates to the Primary Management Server (mostly). So the dual homing needs to be at the agent level. However, in X-Plat monitoring, it is the Management Servers (MS) or Gateways (GW) in the X-Plat Resource Pool that communicate to the SCX Agent. That means we do not have to do the dual homing at the SCX Agent but in the Management Servers and Gateways in X-Plat Resource Pool. This is a key point.

Enough of theory, let us get on with the real stuff!!

My setup:

  1. Management Group 1 – SCOM 2012 R2 UR14 / 1 Management Server in X-Plat Resource Pool
  2. Management Group 2 – SCOM 2019 RTM / 1 Management Server in the X-Plat Resource Pool
  3. Agent version – 1.5.1-256

** Management Group name does not matter in this process. So I am omitting those.
** I will refer to the SCOM 2012 R2 MG as Old MG and the SCOM 2019 MG as New MG.

Steps:

  1. Export the SCX certificates from all Management Servers and Gateways in X-Plat Resource Pool in the old MG. In my case, as I have just 1 MS in my old MG X-Plat Resource Pool I will have to do it once.
    Imp** If you have both SCX SHA1 and SHA256 certificates in SCOM 2012 R2 environment, you will have 2 certificates in Management Servers/Gateways in the X-Plat Resource Pool. We have deprecated SHA1 certificate from SCOM 2012 R2 UR12.
    https://support.microsoft.com/en-us/help/3209587/system-center-2012-r2-om-ur12

    Open command prompt on the MS -> type certlm.msc -> navigate to Trusted Root Certification Authorities -> Certificates.
    Open command prompt with administrative privileges and navigate to the SCOM installation directory, like C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server
    Run the below command
    scxcertconfig.exe -export C:\temp\2012MS1.cer
    ** Choose a local path (like C:\Temp) or a shared path (\\sharedpath)
  2. Copy the certificate (in my case 2012MS1.cer) to the new Management Server. If it is in a shared path, go to the next step.
  3. Again, open command prompt with administrative privileges on the new Management Server and navigate to the SCOM installation directory, like C:\Program Files\Microsoft System Center\Operations Manager\Server
    Run the below command
    scxcertconfig.exe -import C:\temp\2012MS1.cer
  4. Navigate to the certificate store like in step 1. Now you should see 2 certificates. One with the new MS name and other with old MS.
  5. Now repeat the same process on the new Management Server (steps 1 – 4). Export the certificate of the new MS and import it in the old MS. After following steps 1 – 4, you should see both certificates in your old MS as well.
  6. What if I have multiple MS or GW in the RP? Glad you asked!!
    In that case, one simple way is to run the scxcertconfig.exe on all the Management Servers or Gateway Servers in the X-Plat Resource Pool to export the certificate.
    Or else, you can use the below PowerShell script on any Management Server or Gateway Server to export all the SCX certificates from the root certificate store.
    ** Change the location where you want to dump the certificates in the script.

    # Get all the SCX certs from the root store of the local machine
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*SCX*" }
    
    # Get the SCOM installation path from the registry
    $SCOMPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup" -Name InstallDirectory).InstallDirectory
    
    foreach ($cert in $certs)
    {
        # Use the value of the first subject component as the file name
        $subjectName = $cert.SubjectName.Name
        $subjectName = $subjectName.Split(',')[0]
        $subjectName = $subjectName.Split('=')[1]
        # Separate variable so the loop variable is not overwritten
        $certFile = "C:\Temp\Certs\$($subjectName).cer"
        # Join-Path works whether or not InstallDirectory ends with a backslash
        & (Join-Path $SCOMPath 'scxcertconfig.exe') -export $certFile
    }
  7. After that, you can either import the certificates by running scxcertconfig.exe and specifying the path of each certificate,
    or else use the below PowerShell script on any Management Server or Gateway Server to import all the exported SCX certificates into the root certificate store.
    ** Run the script on all the Management Servers or Gateways in the new X-Plat Resource Pool.

    # Get all the SCX certs from the export location, except the certificate of the local host, which is not required
    $localhost = hostname
    $exclude = $localhost + '.cer'
    # The trailing \* makes -Exclude apply to the files inside the folder
    $certs = Get-ChildItem -Path C:\Temp\Certs\* -Exclude $exclude
    
    # Get the SCOM installation path from the registry
    $SCOMPath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup" -Name InstallDirectory).InstallDirectory
    
    foreach ($cert in $certs)
    {
        # Import each exported certificate by its full path
        & (Join-Path $SCOMPath 'scxcertconfig.exe') -import $cert.FullName
    }

     

  8. If the new Management Group is supposed to use new Run As Accounts, configure them in the sudoers file. Also, if you are using minimum privileges for installation and monitoring, there might be a slight change in the sudoers permissions in SCOM 2016/SCOM 2019. Below is an article on how to configure sudoers for SCOM X-Plat servers.
    http://88i.5b8.mywebsitetransfer.com/how-to-configure-sudoers-file-for-scom-monitoring/
  9. Now it is time to discover the X-Plat servers in the new Management Group. In my case, I am using the agent named SLES12SP3. You should be familiar with X-Plat agent discovery, so I am fast forwarding to the place where the installation will occur. In case you need assistance, refer to the below blog.
    http://88i.5b8.mywebsitetransfer.com/monitoring-rhel8-in-scom-2019-ur1/
    Imp** You should see the discovery wizard landing on the Manage action. This is what you should see if everything has gone according to plan. Because the agent is already installed and the certificate on the agent is trusted by this MG, the installation and certificate signing phases are skipped and we land on Manage, which is equivalent to adding the agent to the SCOM database.
  10. The agent should now install successfully and show as healthy after a few minutes.
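
Steps 1 to 7 place certificates from another Management Group into Trusted Root Certification Authorities, so it helps to inspect every exported .cer file before the import in step 7. The PowerShell below is an added example, not part of the original post or of the SCOM tooling; the function name Test-ScxCertExport and the ExpectedThumbprints allow-list are hypothetical, and the folder is the C:\Temp\Certs path used in the scripts above.

```powershell
# Added example (not from the original post). Test-ScxCertExport and
# $ExpectedThumbprints are hypothetical names; C:\Temp\Certs is the page's path.
function Test-ScxCertExport {
    param(
        [string]   $CertFolder = 'C:\Temp\Certs',
        # Thumbprints noted on each source server and passed out of band
        [string[]] $ExpectedThumbprints = @()
    )

    foreach ($file in Get-ChildItem -Path $CertFolder -Filter *.cer) {
        # New-Object keeps this usable on the older PowerShell of a 2012 R2 server
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        $problems = @()

        if ($cert.Subject -notlike '*SCX*') {
            $problems += 'subject does not look like an SCX certificate'
        }
        if ($cert.SignatureAlgorithm.FriendlyName -like 'sha1*') {
            $problems += 'SHA1 signature (deprecated from SCOM 2012 R2 UR12)'
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            $problems += "expired on $($cert.NotAfter.ToString('u'))"
        }
        if ($ExpectedThumbprints.Count -gt 0 -and
            $ExpectedThumbprints -notcontains $cert.Thumbprint) {
            $problems += 'thumbprint not in the expected list'
        }

        [PSCustomObject]@{
            File           = $file.Name
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Signature      = $cert.SignatureAlgorithm.FriendlyName
            NotAfter       = $cert.NotAfter
            # True if this certificate is already in the local Trusted Root store
            AlreadyTrusted = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
            Problems       = $problems -join '; '
        }
    }
}

# Review the report; import only the files whose Problems column is empty
Test-ScxCertExport | Format-Table -AutoSize -Wrap
```

The thumbprints to pass in can be read on each source server from Cert:\LocalMachine\Root using the same *SCX* subject filter as the export script.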

That’s all… Let us summarize what we have done.

  1. Export the SCX certificates of Management Servers and Gateways in the X-Plat Resource Pools of old MG.
  2. Export the SCX certificates of Management Servers and Gateways in the X-Plat Resource Pools of new MG.
  3. Import the SCX certificates of Management Servers and Gateways in the X-Plat Resource Pools of old MG into all the new MG Management Servers and Gateways in the X-Plat Resource Pools
  4. Vice versa, import the SCX certificates of Management Servers and Gateways in the X-Plat Resource Pools of new MG into all the old MG Management Servers and Gateways in the X-Plat Resource Pools
  5. Discover the agent in the new MG and you should be good to go.

Stay tuned for Part 2, where I will show how to migrate the agents to the new MG.

Hope that was helpful.

Thanks!

Explore, Learn, Share, Repeat!

 

 
