Domain Controller Health Service Lockdown Issue with SCOM 2016

I came to this realization last year, but I don’t think I wrote about it.

When monitoring domain controllers, specifically domain controllers running on Windows Server 2016, and specifically with System Center Operations Manager 2016 (and later, I assume) have a bit of an issue when you deploy the SCOM Agent to the server.  It deploys, it installs… but when you look at the list, your domain controllers do not have that friendly GREEN check mark… you get the same icon, but it is grey.

SCOM Greyed

Reason? The Health Service is denying the NT AUTHORITY\SYSTEM.


This is an easy fix.  If you are running Server with Desktop Experience (what we until recently called the GUI), then make sure you open the Command Prompt with elevated privileges.  Navigate to c:\Program Files\Microsoft Monitoring Agent\Agent, and then type the following:

  1. HSLockdown.exe /A “NT AUTHORITY\SYSTEM”
  2. net stop healthservice
  3. net start healthservice

Once you do that, it should only take a minute for SCOM to reflect the change.  If you are too impatient to wait, you can click REFRESH.

I hope this helps!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: