Friday , April 19 2019

Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin Service Account and credentials wont be shared with the Monitoring Team.
  • Where they can push agents and update them.

Step 1:

Make sure Allow Log on locally is set to administrators by default in default domain controllers policy.


Step 2:

  • Now you can push the SCOM Agent using the discovery wizard.
  • Use the same account for Run as . Once its discovered.


Step 3:

Login to the Domain Controllers where we are going to monitor – Disable AD integration

‘SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration’ in the registry to ‘0’.


Step 4:

SCOM Console – Administration – Run as Configuration – Accounts

Create a Run As Account called Privileged Monitoring.


Get the Domain Controllers alone added.


Step 5 –

Assign the Privileged monitoring account in the AD MP Account profile.


Step 6 –

Login to Domain Controllers – Open Power-Shell – Run as administrator –

cd “C:\Program Files\Microsoft Monitoring Agent\Agent”
“C:\Program Files\Microsoft Monitoring Agent\Agent” .\hslockdown.exe SCOMGROUNAME /l


If you see SYSTEM is on Denied List.

cd “C:\Program Files\Microsoft Monitoring Agent\Agent”


Step 7

Restart Microsoft Monitoring Agent on Domain Controllers.

Make Sure Agent restarts without any Errors/Warnings.



Now you should see.

NOTE : For Active Directory Topology view to Work . Install .Net 3.5 on all SCOM Management Servers



Reference Events –

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning

Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value ‘SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration’ in the registry to ‘0’.

About Satheshwaran Manoharan

Satheshwaran Manoharan is an Microsoft Exchange Server MVP , Publisher of
Supporting/Deploying/Designing Microsoft Exchange for some years.
Extensive experience on Microsoft Technologies.

Check Also

Moving Mailboxes from Child domain to root domain.

In my Scenario _ Root Domain – Child Domain – – Customer wants ...


  1. Thanks you VERY VERY VERY MUCH!

  2. You can use PowerShell to capture the Management Group & the location of the hslockdown

    ForEach ($ManagementGroup in gci “HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups” | Select -ExpandProperty PSChildName) {
    Invoke-Expression $(“. ‘{0}’ {1} /R `”NT AUTHORITY\SYSTEM`”” -f $(join-path (Split-Path ((Get-ItemProperty -path ‘HKLM:\SYSTEM\CurrentControlSet\services\HealthService\’).ImagePath).replace(‘”‘,”)) ‘hslockdown.exe’), $ManagementGroup)
    }; Restart-Service healthservice

  3. Is AD Management Pack ( and ADDS Management pack ( will work together?

Leave a Reply

Your email address will not be published.