Wednesday, June 19 2019

Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin service account; its credentials will not be shared with the Monitoring Team.
  • The Monitoring Team can use it through SCOM to push agents and update them.

Step 1:

Make sure "Allow log on locally" is set to Administrators (the default) in the Default Domain Controllers Policy.


Step 2:

  • Now you can push the SCOM agent using the Discovery Wizard.
  • Use the same account for Run As once the agent is discovered.


Step 3:

Log in to the domain controllers that are going to be monitored and disable AD integration:

Set 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' in the registry to '0'.


Step 4:

SCOM Console – Administration – Run as Configuration – Accounts

Create a Run As Account called Privileged Monitoring.


Under the account's Distribution settings, add only the domain controllers.


Step 5:

Assign the Privileged Monitoring account to the AD MP Account Run As profile.


Step 6:

Log in to the domain controllers, open PowerShell as administrator and list the Health Service lockdown state for your management group:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe <ManagementGroupName> /L


If you see SYSTEM on the Denied list, remove it from that list:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe <ManagementGroupName> /R "NT AUTHORITY\SYSTEM"


Step 7:

Restart the Microsoft Monitoring Agent on the domain controllers.

Make sure the agent restarts without any errors or warnings.
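A PowerShell script that carries out Steps 3, 6 and 7 on a domain controller and verifies the result. This is an added example, not code from the original post; it assumes hslockdown.exe sits in the Health Service install folder (derived from the service's ImagePath) and that its /L output prints the accounts under "Allowed" and "Denied" headings.

```powershell
# Added example (not from the original post): runs Steps 3, 6 and 7 on a DC from an
# elevated PowerShell session, then checks the Operations Manager log for problems.
# Assumption: hslockdown.exe /L prints its lists under "Allowed"/"Denied" headings.

$ErrorActionPreference = 'Stop'

# Step 3: disable AD integration so the agent on a DC stops logging event 2119.
$connKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
Set-ItemProperty -Path $connKey -Name 'EnableADIntegration' -Value 0 -Type DWord

# Locate hslockdown.exe next to HealthService.exe (folder taken from the service ImagePath).
$imagePath  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService').ImagePath
$hsLockdown = Join-Path (Split-Path $imagePath.Replace('"', '')) 'hslockdown.exe'

# Every management group this agent reports to has a subkey here.
$mgKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'
$managementGroups = (Get-ChildItem $mgKey).PSChildName

# Returns $true when SYSTEM (by name or by its well-known SID S-1-5-18) is listed
# under the "Denied" heading of the hslockdown /L output.
function Test-SystemDenied([string[]]$Lines) {
    $inDenied = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Denied')  { $inDenied = $true;  continue }
        if ($line -match '^\s*Allowed') { $inDenied = $false; continue }
        if ($inDenied -and $line -match 'NT AUTHORITY\\SYSTEM|^\s*SYSTEM\s*$|S-1-5-18') { return $true }
    }
    return $false
}

foreach ($mg in $managementGroups) {
    # Step 6: list the allowed/denied accounts and only act when SYSTEM is denied.
    $listing = & $hsLockdown $mg /L
    if (Test-SystemDenied $listing) {
        Write-Host "SYSTEM is on the Denied list for $mg; removing it."
        & $hsLockdown $mg /R 'NT AUTHORITY\SYSTEM' | Out-Null
    } else {
        Write-Host "SYSTEM is not denied for $mg; nothing to change."
    }
}

# Step 7: restart the agent and confirm no Critical/Error/Warning events followed.
$since = Get-Date
Restart-Service -Name HealthService
Start-Sleep -Seconds 30
$problems = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue
if ($problems) { $problems | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize }
else { Write-Host 'Agent restarted with no errors or warnings in the Operations Manager log.' }
```

Run it once per domain controller after the Run As account has been distributed (Steps 4 and 5); any event printed at the end should be investigated before moving on.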



Now you should see.

NOTE: For the Active Directory Topology view to work, install .NET 3.5 on all SCOM management servers.



Reference Events:

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning

Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' in the registry to '0'.

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Office Server and Services MVP and publisher specialized in Office 365 / Microsoft Exchange / Virtualization. Sathesh is a messaging expert who supports, designs and deploys corporate messaging and virtualization infrastructure for many medium-sized businesses to large enterprises.



  1. Thank you VERY VERY VERY MUCH!

  2. You can use PowerShell to capture the Management Group & the location of the hslockdown

    # For each management group the agent belongs to, locate hslockdown.exe next to
    # HealthService.exe, remove SYSTEM from the denied list, then restart the agent.
    ForEach ($ManagementGroup in gci "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups" | Select -ExpandProperty PSChildName) {
    Invoke-Expression $("& '{0}' {1} /R `"NT AUTHORITY\SYSTEM`"" -f $(join-path (Split-Path ((Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\services\HealthService\').ImagePath).replace('"','')) 'hslockdown.exe'), $ManagementGroup)
    }; Restart-Service healthservice

  3. Will the AD Management Pack ( and the ADDS Management Pack ( work together?
