Tuesday, April 16, 2024

Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin service account; its credentials won't be shared with the Monitoring Team.
  • The Monitoring Team uses it to push agents and update them.

Step 1:

Make sure the "Allow log on locally" right is assigned to Administrators (the default) in the Default Domain Controllers Policy.


Step 2:

  • Now you can push the SCOM Agent using the Discovery Wizard.
  • Use the same account as the Run As account once the Domain Controllers are discovered.

Step 3:

Log in to the Domain Controllers that are going to be monitored and disable AD integration. Under the registry key

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\'

set EnableADIntegration (REG_DWORD) to '0'.

Step 4:

SCOM Console – Administration – Run As Configuration – Accounts: create a Run As account called Privileged Monitoring.

Add the Domain Controllers alone to its distribution.

Step 5:

Assign the Privileged Monitoring account to the AD MP Run As profile.

Step 6:

Log in to the Domain Controllers, open PowerShell as administrator, and list the HSLockdown configuration for your management group:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

.\hslockdown.exe SCOMGROUPNAME /L

If you see that SYSTEM is on the Denied list, remove it:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

.\hslockdown.exe SCOMGROUPNAME /R "NT AUTHORITY\SYSTEM"

Step 7:

Restart the Microsoft Monitoring Agent on the Domain Controllers.

Make sure the agent restarts without any errors or warnings.
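The registry change, the HSLockdown check and the agent restart above can be done in one script per Domain Controller. This is an added example, not part of the original post: it assumes the default agent install path shown above, reads the management group names from the agent's registry key, and assumes that HSLockdown /L prints the denied accounts under a "Denied" heading (the listing is echoed so you can confirm by eye).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): automates Steps 3, 6 and 7 on one DC.
$agentDir   = 'C:\Program Files\Microsoft Monitoring Agent\Agent'   # default install path
$hsLockdown = Join-Path $agentDir 'HSLockdown.exe'
$mgKey      = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'
$cmKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'

# Step 3: AD integration is disabled on a DC anyway; setting 0 suppresses event 2119.
New-Item -Path $cmKey -Force | Out-Null
Set-ItemProperty -Path $cmKey -Name 'EnableADIntegration' -Value 0 -Type DWord

# Step 6: for every management group this agent reports to, check the denied list.
foreach ($mg in (Get-ChildItem -Path $mgKey | Select-Object -ExpandProperty PSChildName)) {
    $listing = (& $hsLockdown $mg /L 2>&1) -join "`n"
    Write-Host "HSLockdown listing for '$mg':`n$listing"
    # Assumption about the output format: denied accounts follow a "Denied" heading.
    if ($listing -match '(?s)Denied.*NT AUTHORITY\\SYSTEM') {
        Write-Host "Removing NT AUTHORITY\SYSTEM from the denied list of '$mg'"
        & $hsLockdown $mg /R 'NT AUTHORITY\SYSTEM'
    }
}

# Step 7: restart the agent and confirm no error or warning was logged afterwards.
$since = Get-Date
Restart-Service -Name HealthService
Start-Sleep -Seconds 30   # give the Health Service time to finish start-up logging
$bad = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Level = @(2, 3); StartTime = $since } `
       -ErrorAction SilentlyContinue
if ($bad) {
    $bad | Format-Table TimeCreated, Id, Message -AutoSize
} else {
    Write-Host 'Agent restarted without errors or warnings.'
}
```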

Now you should see the Domain Controllers being monitored.

NOTE: For the Active Directory Topology view to work, install .NET 3.5 on all SCOM Management Servers.

Reference Events:

Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning
Computer: DS002.careexchange.in

Description:
Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration'

in the registry to '0'.

Satheshwaran Manoharan
https://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks. In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.


3 COMMENTS

  1. You can use PowerShell to capture the Management Group & the location of the hslockdown

    # Locate the agent folder from the HealthService ImagePath, then remove SYSTEM from the denied list of every management group
    ForEach ($ManagementGroup in gci "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups" | Select -ExpandProperty PSChildName) {
    Invoke-Expression $(". '{0}' {1} /R `"NT AUTHORITY\SYSTEM`"" -f $(join-path (Split-Path ((Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\services\HealthService\').ImagePath).replace('"','')) 'hslockdown.exe'), $ManagementGroup)
    }; Restart-Service healthservice
