01 May 2008

OpsMgr: Monitoring Domain Controllers

I have encountered this issue a number of times.
When you install an agent on a Domain Controller (DC), you may notice that the agent's state is shown in gray in the console even though the agent otherwise reports that it is healthy.


The System Center Operations Manager 2007 agent uses the Run As Profile named Privileged Monitoring Account to process Health Service configuration. By default, the Privileged Monitoring Account profile uses the Local System account.

When you configure the agent to use a domain user account as the Default Action Account on a domain controller, the Health Service Lockdown Tool (HSLockdown.exe) is run automatically at installation. The Health Service Lockdown Tool denies the NT AUTHORITY\SYSTEM security principal access to the Health Service.

In this scenario, only the NT AUTHORITY\Authenticated Users security principal is allowed access to the Health Service. When Active Directory is hardened, or the agent is misconfigured, the Local System account cannot authenticate as a member of Authenticated Users. The agent therefore cannot process its Health Service configuration, and the console shows it as gray.
  • On the DC, open a Command Prompt and change to the folder where the OpsMgr agent is installed (the folder that contains HSLockdown.exe).
  • Type "hslockdown /L" (or "hslockdown "{Management Group Name}" /L" if the tool asks for the Management Group) to list the allowed and denied accounts for your Management Group. The result should look like this:


  • In the listing, the NT AUTHORITY\SYSTEM account appears under the denied accounts.
  • To resolve this, remove NT AUTHORITY\SYSTEM from the denied list. The /R switch removes the account from the lockdown lists.
  • In the command prompt, type hslockdown "{Management Group Name}" /R "NT AUTHORITY\SYSTEM"
  • Restart the Health Service on the DC (the service name is HealthService: net stop HealthService, then net start HealthService).
  • Repeat the steps above on every DC that you are monitoring.
  • That should do the trick!
  • One caveat: this re-grants the Local System account access to the Health Service. On a domain controller, Local System is a highly privileged identity, so you are deliberately undoing part of the lockdown that the agent installer applied. It is what clears the gray state, but make sure you know what you are granting before you run it across all your DCs.
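The whole procedure as a script, so you do not have to log on to every DC by hand. This is an added example and not code from the original post; it assumes PowerShell remoting (Invoke-Command) is enabled on the DCs, that the agent is installed under the path in $AgentPath, and that "hslockdown /L" prints the denied accounts after a line containing the word "Denied" (the Management Group name "MG1" is a placeholder). By default it only reports; with -Fix it runs the /R step and restarts HealthService.

```powershell
# Added example (not from the original post): audit, and optionally repair,
# the HSLockdown state for NT AUTHORITY\SYSTEM on every DC in the current domain.
# Assumptions (not stated on the page): PowerShell remoting is enabled on the DCs,
# the agent lives under $AgentPath, and "hslockdown /L" lists the denied accounts
# after a line containing "Denied". Run from a workstation as a domain admin.
param(
    [string]$ManagementGroup = 'MG1',                               # placeholder: your Management Group name
    [string]$AgentPath = 'C:\Program Files\System Center Operations Manager 2007',
    [switch]$Fix                                                    # without -Fix the script only reports
)

# Enumerate the DCs of the current domain without the ActiveDirectory module
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }

foreach ($dc in $dcs) {
    $result = Invoke-Command -ComputerName $dc -ArgumentList $ManagementGroup, $AgentPath, [bool]$Fix -ScriptBlock {
        param($mg, $path, $fix)
        $tool = Join-Path $path 'HSLockdown.exe'
        if (-not (Test-Path $tool)) { return "$env:COMPUTERNAME: HSLockdown.exe not found in $path" }

        # List the allowed and denied accounts for this Management Group
        $listing = & $tool $mg /L 2>&1 | Out-String

        # Assumption: the denied accounts are printed after a line containing "Denied"
        $deniedSection = ($listing -split 'Denied', 2)[1]
        $systemDenied  = $deniedSection -and ($deniedSection -match 'NT AUTHORITY\\SYSTEM')

        if (-not $systemDenied) { return "$env:COMPUTERNAME: OK (NT AUTHORITY\SYSTEM is not denied)" }
        if (-not $fix)          { return "$env:COMPUTERNAME: NT AUTHORITY\SYSTEM is DENIED (re-run with -Fix to repair)" }

        # Remove SYSTEM from the lockdown lists, then restart the Health Service
        & $tool $mg /R 'NT AUTHORITY\SYSTEM' | Out-Null
        Restart-Service -Name HealthService -Force
        return "$env:COMPUTERNAME: removed NT AUTHORITY\SYSTEM from the denied list and restarted HealthService"
    }
    Write-Output $result
}
```

Run it once without -Fix to see which DCs are affected, then again with -Fix. Because the fix re-enables Local System for the Health Service on every DC it touches, keep the report-only run as your record of which DCs were changed.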


NOTE: Some of you might ask what hslockdown.exe is used for, and why you have never come across it before. Some information for you.


Happy Learning ...