Tuesday , October 23 2018

Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin service account; its credentials will not be shared with the monitoring team.
  • Through that account the monitoring team can push agents and update them.

Step 1:

Make sure that "Allow log on locally" still includes Administrators (the default) in the Default Domain Controllers Policy.


Step 2:

  • Now push the SCOM agent to the domain controllers using the Discovery Wizard.
  • Use the same account in the Run As (action account) step of the wizard once the computers are discovered.


Step 3:

Log in to each domain controller that will be monitored and disable AD integration by setting the registry value

HKLM\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration to 0.


Step 4:

SCOM Console – Administration – Run as Configuration – Accounts

Create a Run As Account called Privileged Monitoring.


Distribute the account only to the domain controllers (add them alone to the distribution list).


Step 5:

Assign the Privileged Monitoring account to the AD MP Account profile.


Step 6:

Log in to the domain controllers, open PowerShell as administrator and list the HSLockdown allowed/denied accounts for your management group (replace SCOMGROUPNAME with its name):

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe SCOMGROUPNAME /L


If NT AUTHORITY\SYSTEM appears on the denied list, remove it:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe SCOMGROUPNAME /R "NT AUTHORITY\SYSTEM"


Step 7:

Restart Microsoft Monitoring Agent on Domain Controllers.

Make sure the agent restarts without any errors or warnings in the Operations Manager event log.
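The following script is an added verification example for Steps 3, 6 and 7 and is not part of the original post. Run it as administrator on each monitored domain controller; it reads the agent path and management group names from the registry keys named on this page, and the parsing of the hslockdown.exe listing (an "Allowed" section followed by a "Denied" section) is an assumption.

```powershell
# Verify and, where needed, apply the domain-controller agent settings, then
# confirm that event 2119 is no longer being logged after the agent restart.
$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$mgKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'
$system  = 'NT AUTHORITY\SYSTEM'
$changed = $false

# Step 3: AD integration must be disabled on an agent that runs on a domain controller.
$current = (Get-ItemProperty -Path $regKey -Name EnableADIntegration -ErrorAction SilentlyContinue).EnableADIntegration
if ($current -ne 0) {
    Write-Warning "EnableADIntegration is '$current'; setting it to 0."
    Set-ItemProperty -Path $regKey -Name EnableADIntegration -Value 0 -Type DWord
    $changed = $true
} else {
    Write-Host 'EnableADIntegration is already 0.'
}

# Step 6: locate hslockdown.exe next to the agent binary (ImagePath is quoted in the registry).
$imagePath  = ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService').ImagePath).Trim('"')
$hslockdown = Join-Path (Split-Path $imagePath) 'hslockdown.exe'
if (-not (Test-Path $hslockdown)) { throw "hslockdown.exe not found at $hslockdown" }

foreach ($mg in (Get-ChildItem $mgKey | Select-Object -ExpandProperty PSChildName)) {
    $listing = & $hslockdown $mg /L 2>&1 | Out-String
    # Assumption: everything after the word "Denied" in the listing is the denied list.
    $denied = ($listing -split 'Denied', 2)[1]
    if ($denied -and $denied -match [regex]::Escape($system)) {
        Write-Warning "$system is on the denied list for management group '$mg'; removing it."
        & $hslockdown $mg /R $system | Out-Null
        $changed = $true
    } else {
        Write-Host "$system is not on the denied list for '$mg'."
    }
}

# Step 7: restart the agent only if something changed, then look for a fresh event 2119.
if ($changed) { Restart-Service HealthService }
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 2119 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt -and $evt.TimeCreated -gt (Get-Date).AddMinutes(-5)) {
    Write-Warning "Event 2119 was logged at $($evt.TimeCreated); re-check EnableADIntegration."
} else {
    Write-Host 'No recent event 2119: AD integration is disabled on this agent.'
}
```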



Now you should see the Active Directory monitoring views populated.

NOTE: for the Active Directory Topology view to work, install .NET 3.5 on all SCOM management servers.



Reference Events:

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning
Computer: DS002.careexchange.in

Description:
Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' in the registry to '0'.

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in.
He has been supporting, deploying and designing Microsoft Exchange for some years.
Extensive experience with Microsoft technologies.


3 comments

  1. Thanks you VERY VERY VERY MUCH!

  2. You can use PowerShell to capture the Management Group & the location of the hslockdown

    # Derive the agent folder from the HealthService ImagePath (strip its quotes), then run
    # hslockdown.exe for every management group the agent belongs to and restart the agent.
    ForEach ($ManagementGroup in gci "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups" | Select -ExpandProperty PSChildName) {
    Invoke-Expression $(". '{0}' {1} /R `"NT AUTHORITY\SYSTEM`"" -f $(join-path (Split-Path ((Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\services\HealthService\').ImagePath).replace('"','')) 'hslockdown.exe'), $ManagementGroup)
    }; Restart-Service healthservice

  3. Will the AD Management Pack (6.0.1.0) and the ADDS Management Pack (10.0.1.0) work together?
