To monitor non-domain members I had to do the following:
- Add the CA’s certificate to the Trusted Root Certification Authorities store on both the RMS and the Monitored server.
- Create a certificate for both the RMS and the monitored server with the enhanced key usage OIDs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2 (Server Authentication and Client Authentication), and use the FQDN as the Name and Friendly Name for each certificate.
- Install the created certs on the RMS and monitored servers.
- Run MOMCertImport on the RMS to import the RMS server's certificate into SCOM, then restart the System Center Management service on the RMS.
- Do a manual SCOM agent install on the target monitored server and install any applicable CUs.
- Run MOMCertImport on the target server to import its certificate for SCOM use, then restart the System Center Management service.
- Approve the manual agent installation from the Pending Installations section of Administration in the SCOM console.
- Create a Run As account for an account which has administrative access on the target server. Specify servername\account as the account name to create it as a local account.
- Edit the profile for the Default SCOM Action Account to specify the created account as the Action Account for the target monitored server, which should appear in the list of servers.
Some important notes:
- The server must have an FQDN, so if it is in a workgroup, add a domain suffix manually.
- The server being monitored must be able to resolve the FQDN of the SCOM server. If no DNS servers are specified, add a HOSTS file entry for the SCOM server.
- MOMCertImport /remove can be used to remove installed SCOM certificates.
- Syntax of MOMCertImport is as follows:
momcertimport /subjectname <fqdn of cert> OR
momcertimport <full path to pfx for cert>
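
The following pre-flight check is an added example, not part of the original procedure or any Microsoft tooling. Run before MOMCertImport on the RMS or the monitored server, it confirms that the installed certificate meets the requirements listed above and that the SCOM server name resolves. The function name, parameter names and sample server names are hypothetical, and it assumes Windows PowerShell 3.0 or later with the certificate in the local machine's Personal store.

```powershell
# Added example: checks the certificate requirements from the steps above.
# Function, parameter and server names are hypothetical/constructed.
function Test-ScomAgentCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Fqdn,             # FQDN used as the certificate name
        [Parameter(Mandatory = $true)] [string] $ManagementServer  # FQDN of the SCOM server (RMS)
    )
    $x509       = 'System.Security.Cryptography.X509Certificates'
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'

    # The SCOM server FQDN must resolve, via DNS or a HOSTS file entry.
    try   { $resolved = [bool][System.Net.Dns]::GetHostAddresses($ManagementServer) }
    catch { $resolved = $false }

    # Find certificates whose subject common name is the machine's FQDN.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.GetNameInfo(([type]"$x509.X509NameType")::SimpleName, $false) -eq $Fqdn
    }
    if (-not $candidates) { Write-Warning "No certificate named $Fqdn in LocalMachine\My" }

    foreach ($cert in $candidates) {
        # Collect the enhanced key usage OIDs present on the certificate.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is ([type]"$x509.X509EnhancedKeyUsageExtension") } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

        # Build the chain to confirm the CA certificate is trusted on this machine.
        # Revocation is not checked here; an isolated host may not reach the CRL.
        $chain = New-Object "$x509.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'NoCheck'

        [pscustomobject]@{
            Thumbprint        = $cert.Thumbprint
            HasPrivateKey     = $cert.HasPrivateKey
            ServerAuthEku     = $ekus -contains $serverAuth
            ClientAuthEku     = $ekus -contains $clientAuth
            ChainsToTrustedCA = $chain.Build($cert)
            NotAfter          = $cert.NotAfter
            ScomServerResolves = $resolved
        }
    }
}

# Constructed sample names:
# Test-ScomAgentCertificate -Fqdn 'web01.example.local' -ManagementServer 'rms01.example.local'
```

Any column that comes back False points to the step to revisit: the trusted root import, the certificate template OIDs, the certificate name, or name resolution for the SCOM server.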