Tuesday, December 18 2018

Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin service account whose credentials won't be shared with the monitoring team.
  • They can still push agents and update them with it.

Step 1:

Make sure "Allow log on locally" is set to Administrators (the default) in the Default Domain Controllers Policy.


Step 2:

  • Now you can push the SCOM agent using the Discovery Wizard.
  • Use the same account for Run As. Continue once the agent is discovered.


Step 3:

Log in to the domain controllers that are going to be monitored and disable AD integration by setting

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' in the registry to '0'.


Step 4:

SCOM Console – Administration – Run as Configuration – Accounts

Create a Run As Account called Privileged Monitoring.


Add only the Domain Controllers.


Step 5:

Assign the Privileged Monitoring account in the AD MP Account profile.


Step 6:

Log in to the domain controllers, open PowerShell with Run as administrator, and run:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe SCOMGROUNAME /l


If you see that SYSTEM is on the Denied list:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"


Step 7:

Restart the Microsoft Monitoring Agent on the domain controllers.

Make sure the agent restarts without any errors or warnings.
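Steps 3, 6 and 7 can be checked in one pass on each domain controller. The script below is an added example, not part of the original post: it sets the registry value from Step 3, lists the hslockdown entries for every management group found on the agent, restarts the agent and reads back any errors or warnings logged since the restart. The 60-second wait and the loose match on the hslockdown listing are assumptions; read the printed listing yourself to confirm whether SYSTEM is under Denied.

```powershell
#Requires -RunAsAdministrator
# Added example: run on each monitored domain controller (Steps 3, 6 and 7).
$ErrorActionPreference = 'Stop'

# Step 3: disable AD integration for the agent (the value named in event 2119).
$cm = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
Set-ItemProperty -Path $cm -Name EnableADIntegration -Value 0 -Type DWord

# Locate hslockdown.exe beside the HealthService binary.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService'
$agentDir = Split-Path ($svc.ImagePath -replace '"', '')
$hslockdown = Join-Path $agentDir 'hslockdown.exe'

# Step 6: list the lockdown entries for every management group on this agent.
$mgKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'
foreach ($mg in (Get-ChildItem $mgKey).PSChildName) {
    Write-Host "== hslockdown /L for management group '$mg' =="
    $listing = & $hslockdown $mg /L
    $listing
    # Assumption: the listing names the account on the line that carries its entry;
    # the exact output layout is not parsed here.
    if ($listing -match 'SYSTEM') {
        Write-Warning "SYSTEM appears in the list for '$mg'; check whether it is under Denied."
    }
}

# Step 7: restart the agent and read back what it logged since the restart.
$start = Get-Date
Restart-Service HealthService
Start-Sleep -Seconds 60   # assumed settle time; adjust for your environment

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Operations Manager'; StartTime = $start; Level = 2, 3   # 2 = Error, 3 = Warning
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LevelDisplayName, ProviderName -AutoSize
    if ($events.Id -contains 2119) {
        Write-Warning 'Event 2119 is still logged: EnableADIntegration was not applied.'
    }
} else {
    Write-Host 'No errors or warnings in the Operations Manager log since the restart.'
}
```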



Now you should see.

NOTE: For the Active Directory Topology view to work, install .NET 3.5 on all SCOM Management Servers.



Reference Events –

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning
Computer: DS002.careexchange.in

Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value ‘SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration’ in the registry to ‘0’.

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP, Publisher of CareExchange.in
Supporting/Deploying/Designing Microsoft Exchange for some years.
Extensive experience on Microsoft Technologies.


  1. Thank you VERY VERY VERY MUCH!

  2. You can use PowerShell to capture the Management Group & the location of the hslockdown

    # Resolve hslockdown.exe from the folder of the HealthService binary
    $hslockdown = Join-Path (Split-Path ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\HealthService\').ImagePath).Replace('"','')) 'hslockdown.exe'
    # Remove NT AUTHORITY\SYSTEM from the lockdown list of each management group, then restart the agent
    ForEach ($ManagementGroup in gci 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups' | Select -ExpandProperty PSChildName) {
        & $hslockdown $ManagementGroup /R "NT AUTHORITY\SYSTEM"
    }; Restart-Service healthservice

  3. Will the AD Management Pack and the ADDS Management Pack work together?
