
Configuring Active Directory 2012 R2 Management Pack with SCOM 2012 R2

  • Create a Domain Admin service account; its credentials won't be shared with the Monitoring Team.
  • The Monitoring Team can still use it to push agents and update them.

Step 1:

Make sure "Allow log on locally" is set to Administrators by default in the Default Domain Controllers Policy.

Step 2:

  • Now you can push the SCOM agent using the Discovery Wizard.
  • Use the same account for Run As once the computer is discovered.

Step 3:

Log in to the Domain Controllers that are going to be monitored and disable AD integration: under

'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\'

set EnableADIntegration (REG_DWORD) to ‘0’.

Step 4:

In the SCOM Console, go to Administration – Run As Configuration – Accounts and create a Run As Account called Privileged Monitoring.

Add only the Domain Controllers.

Step 5:

Assign the Privileged Monitoring account in the AD MP Account profile.

Step 6:

Log in to the Domain Controllers, open PowerShell as Administrator and run:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

.\hslockdown.exe SCOMGROUPNAME /L

If you see that SYSTEM is on the Denied list, remove it:

cd "C:\Program Files\Microsoft Monitoring Agent\Agent"

.\hslockdown.exe SCOMGROUPNAME /R "NT AUTHORITY\SYSTEM"

Step 7:

Restart the Microsoft Monitoring Agent on the Domain Controllers.

Make sure the agent restarts without any errors or warnings.

Now the Active Directory Management Pack should start monitoring the Domain Controllers.


NOTE: For the Active Directory Topology view to work, install .NET 3.5 on all SCOM Management Servers.


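Steps 3, 6 and 7 on a single Domain Controller as one PowerShell script, added here as an example and not part of the original post. SCOMGROUPNAME is a placeholder for your management group name, the agent path is the default one used in Step 6, and the script assumes the agent's service name is HealthService; it ends by checking the Operations Manager log for anything at Warning level or above since the restart.

```powershell
# Added example (not from the original post). Placeholders/assumptions: the management group
# name, the default agent install path from Step 6, and the service name HealthService.
$ManagementGroup = 'SCOMGROUPNAME'   # placeholder: replace with your management group name
$AgentDir   = 'C:\Program Files\Microsoft Monitoring Agent\Agent'
$HsLockdown = Join-Path $AgentDir 'hslockdown.exe'
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager'

# Step 3: disable AD integration (the condition reported by Event ID 2119), only if not already 0
$current = (Get-ItemProperty -Path $RegPath -Name EnableADIntegration -ErrorAction SilentlyContinue).EnableADIntegration
if ($current -ne 0) {
    New-ItemProperty -Path $RegPath -Name EnableADIntegration -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "EnableADIntegration set to 0 (previous value: '$current')"
}

# Step 6: show the lockdown lists, remove SYSTEM from the Denied list, and show the lists again
Write-Host "--- hslockdown lists before ---"
& $HsLockdown $ManagementGroup /L
& $HsLockdown $ManagementGroup /R 'NT AUTHORITY\SYSTEM'
Write-Host "--- hslockdown lists after ---"
& $HsLockdown $ManagementGroup /L

# Step 7: restart the agent, then confirm it is running and that nothing at Warning level
# or above was written to the Operations Manager log since the restart
$since = Get-Date
Restart-Service -Name HealthService
Start-Sleep -Seconds 30   # give the Health Service time to initialise and write its startup events
Write-Host "HealthService status: $((Get-Service -Name HealthService).Status)"
$problems = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Level = 1,2,3; StartTime = $since } -ErrorAction SilentlyContinue
if ($problems) {
    Write-Host "Errors/warnings logged since restart:"
    $problems | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
} else {
    Write-Host "No errors or warnings logged since restart."
}
```

Run it in an elevated PowerShell session on each Domain Controller; a remaining Event ID 2119 after the restart means the registry value was not applied.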

Reference Events:


Log Name: Operations Manager
Source: HealthService
Event ID: 2119
Task Category: Health Service
Level: Warning
Computer: DS002.careexchange.in


Description:
Active Directory Integration has been disabled because this Health Service is running on a Domain Controller. To suppress this message, set the value 'SYSTEM\CurrentControlSet\Services\HealthService\Parameters\ConnectorManager\EnableADIntegration' in the registry to ‘0’.

Satheshwaran Manoharan
https://www.azure365pro.com
Specialized in Microsoft Azure - Office 365 / Microsoft Exchange; conducted numerous projects worldwide in designing, supporting, and implementing messaging and virtualization infrastructure for medium-sized and large enterprises. Further, I am a Cloud Architect and Technical Advisor for various start-ups.


3 COMMENTS

  1. You can use PowerShell to capture the Management Group and the location of hslockdown:

    # Enumerate every management group this agent belongs to and run hslockdown /R for each one
    ForEach ($ManagementGroup in gci "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups" | Select -ExpandProperty PSChildName) {
    # Derive the hslockdown.exe path from the HealthService ImagePath (surrounding quotes stripped), then invoke it
    Invoke-Expression $(". '{0}' {1} /R `"NT AUTHORITY\SYSTEM`"" -f $(join-path (Split-Path ((Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\services\HealthService\').ImagePath).replace('"','')) 'hslockdown.exe'), $ManagementGroup)
    }; Restart-Service healthservice   # restart the agent so the lockdown change takes effect
