Tuesday , December 18 2018

Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin service account; its credentials will not be shared with the Monitoring Team.
  • The Monitoring Team can still use it (as a Run As account) to push agents and update them.

Step 1:

Make sure that "Allow log on locally" still includes Administrators (the default) in the Default Domain Controllers Policy.


Step 2:

  • Now push the SCOM agent to the Domain Controllers using the Discovery Wizard.
  • Use the same service account for Run As. Continue once the agents are discovered.


Step 3:

Log in to each Domain Controller that is going to be monitored and disable AD integration by setting

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' (under HKEY_LOCAL_MACHINE) in the registry to '0'.


Step 4:

SCOM Console – Administration – Run As Configuration – Accounts

Create a Run As account called Privileged Monitoring.


Add only the Domain Controllers to this account.


Step 5:

Assign the Privileged Monitoring account to the AD MP Account profile.


Step 6:

Log in to the Domain Controllers, open PowerShell (Run as administrator) and list the Health Service lockdown state for your management group:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe SCOMGROUPNAME /l


If SYSTEM appears on the Denied list, remove it:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"
.\hslockdown.exe SCOMGROUPNAME /R "NT AUTHORITY\SYSTEM"


Step 7:

Restart the Microsoft Monitoring Agent service on the Domain Controllers.

Make sure the agent restarts without any errors or warnings.
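The Domain Controller side of this procedure (Steps 3, 6 and 7) as one PowerShell script. This is an added example, not code from the original post: it assumes the default agent install path, takes the management group name as a parameter, and makes a labelled guess about the layout of hslockdown's /l output (the Denied check is a heuristic, so read the listing it prints). The script name Prepare-DcAgent.ps1 in the usage note is hypothetical.

```powershell
# Added example (not from the original post): Steps 3, 6 and 7 on one domain controller.
# Assumptions (not in the original): default agent install path, management group
# name supplied by the caller. Run from an elevated PowerShell session on the DC.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [string]$ManagementGroup,                                              # the SCOMGROUPNAME from Step 6
    [string]$AgentPath = 'C:\Program Files\Microsoft Monitoring Agent\Agent'
)

$ErrorActionPreference = 'Stop'

# Step 3: disable AD integration. This is the value named in Event ID 2119;
# setting it to 0 suppresses that warning on a domain controller.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'
$current = (Get-ItemProperty -Path $regPath -Name EnableADIntegration -ErrorAction SilentlyContinue).EnableADIntegration
if ($current -ne 0 -and $PSCmdlet.ShouldProcess($regPath, 'Set EnableADIntegration to 0')) {
    Set-ItemProperty -Path $regPath -Name EnableADIntegration -Value 0 -Type DWord
}

# Step 6: inspect the Health Service lockdown list for this management group.
$hslockdown = Join-Path $AgentPath 'hslockdown.exe'
if (-not (Test-Path $hslockdown)) { throw "hslockdown.exe not found at '$hslockdown'" }

$listing = (& $hslockdown $ManagementGroup /l 2>&1) | Out-String
Write-Host $listing   # raw Allowed/Denied output, for the operator's own check

# Assumption about the tool's output: denied accounts are printed after a
# 'Denied' heading. If SYSTEM is listed there the agent cannot run the AD MP
# workflows under LocalSystem, so remove it with the /R switch from Step 6.
if ($listing -match '(?s)Denied.*?NT AUTHORITY\\SYSTEM' -or $listing -match '(?s)Denied.*?S-1-5-18') {
    if ($PSCmdlet.ShouldProcess("$ManagementGroup lockdown list", 'Remove NT AUTHORITY\SYSTEM from Denied')) {
        & $hslockdown $ManagementGroup /R 'NT AUTHORITY\SYSTEM'
    }
}

# Step 7: restart the agent and confirm it comes back with no HealthService
# errors or warnings (Event ID 2119 should no longer appear).
$since = Get-Date
Restart-Service -Name HealthService      # display name: Microsoft Monitoring Agent
Start-Sleep -Seconds 60                  # give the agent time to log its startup events

$problems = Get-WinEvent -FilterHashtable @{
    LogName      = 'Operations Manager'
    ProviderName = 'HealthService'
    Level        = 2, 3                  # 2 = Error, 3 = Warning
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($problems) {
    $problems | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
    Write-Warning "HealthService logged $($problems.Count) error/warning event(s) since restart."
} else {
    Write-Host "HealthService restarted cleanly on $env:COMPUTERNAME; EnableADIntegration is now 0."
}
```

Run it first as .\Prepare-DcAgent.ps1 -ManagementGroup SCOMGROUPNAME -WhatIf to see which changes it would make; the registry write, the hslockdown removal and the service restart all honour -WhatIf. The event-log check at the end is the same verification the post asks for in Step 7, done against the Operations Manager log rather than by eye.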

Now you should see the Domain Controllers reported in the console.

NOTE: For the Active Directory Topology view to work, install .NET 3.5 on all SCOM Management Servers.

Reference Events:

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning
Computer: DS002.careexchange.in

Description:
Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' in the registry to '0'.

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and the publisher of CareExchange.in.
He has been supporting, deploying and designing Microsoft Exchange for some years,
with extensive experience on Microsoft technologies.


3 comments

  1. Thank you VERY VERY VERY MUCH!

  2. You can use PowerShell to capture the Management Group and the location of hslockdown:

    ForEach ($ManagementGroup in gci "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups" | Select -ExpandProperty PSChildName) {
    Invoke-Expression $(". '{0}' {1} /R `"NT AUTHORITY\SYSTEM`"" -f $(Join-Path (Split-Path ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\HealthService\').ImagePath).Replace('"','')) 'hslockdown.exe'), $ManagementGroup)
    }; Restart-Service healthservice

  3. Will the AD Management Pack (6.0.1.0) and the ADDS Management Pack (10.0.1.0) work together?
