
The Health Service does not process configuration files, and events 7022 and 1220 are logged every 30 minutes on a domain controller on which you installed the Operations Manager 2007 agent

Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

Article ID: 946428 - Last Review: April 19, 2012 - Revision: 2.0

The Operations Manager Health Service does not process configuration files and logs Event IDs 7022 and 1220


SYMPTOMS

After you install the Microsoft System Center Operations Manager agent on a Windows domain controller, the Health Service does not process configuration files. Additionally, events that resemble the following are logged every 30 minutes to the Application log on the domain controller:

Event 1

Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 7022
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description: The Health Service has downloaded secure configuration for management group Management_Group_Name, and processing the configuration failed with error code 0x80FF003F(0x80FF003F).

Event 2

Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 1220
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description: Received configuration cannot be processed. Management group "Management_Group_Name".

CAUSE

This problem occurs when you configure an account that does not have administrative rights as the Default Action Account.

The System Center Operations Manager agent uses the Run As Profile that is named Privileged Monitoring Account to process Health Service configuration. By default, the Privileged Monitoring Account profile uses the Local System account.

When you configure the agent to use a domain user as the Default Action Account on a domain controller, the Health Service Lockdown Tool (HSLockdown.exe) is automatically run at installation. The Health Service Lockdown Tool denies Health Service access to the NT AUTHORITY\SYSTEM security principal.

In this scenario, only the NT AUTHORITY\Authenticated Users security principal is allowed access to the Health Service. However, when Active Directory is hardened or the agent is misconfigured, the Local System account cannot authenticate through the Authenticated Users security principal. Therefore, the agent cannot process Health Service configuration information.

RESOLUTION

To resolve this problem, use one of the following methods.

Method 1: Configure the Privileged Monitoring Account profile

Configure the Privileged Monitoring Account profile to use a domain user who has administrative rights on the affected domain controllers. To do this, follow these steps:
  1. Open the SCOM Console, and then click Administration.
  2. Under Security, right-click Run As Accounts, and then click Create Run As Account. This starts the Create Run As Account Wizard.
  3. Select Windows in the Run As Account type box. Enter a display name, and then click Next.
  4. Enter the user name and the password for an account that is a member of the Administrators group on the domain controller, and then click Create.
  5. After the Run As Account is created, open the Run As Profiles view, and double-click Privileged Monitoring Account.
  6. Click the Run As Accounts tab.
  7. Click New.
  8. Click the Run As Account that you created in step 2 through step 4.
  9. Click the domain controller in the list of computers, and then click OK.
  10. Repeat step 7 through step 9 for each affected domain controller.
  11. Click OK in the Run As Profile Properties dialog box.
  12. Restart the OpsMgr Health Service on the affected domain controllers.

Method 2: Run HSLockdown.exe to configure permissions

Run HSLockdown.exe on the affected domain controllers to remove NT AUTHORITY\SYSTEM from the Denied list. To do this, follow these steps:
  1. On the domain controller, open a command prompt, and then open the folder where the agent software is installed.
  2. Type the following command, and then press ENTER:
    hslockdown "Management_Group_Name" /R "NT AUTHORITY\SYSTEM"
    In this command, Management_Group_Name is the name of the Operations Manager 2007 management group of which the agent is a member. Use quotation marks if the name contains spaces.
  3. Restart the OpsMgr Health Service.
  4. Repeat step 1 through step 3 on each domain controller that is affected.
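
The following PowerShell script is an added example, not part of the Microsoft article: it confirms the 7022/1220 symptom pair before touching anything, records the lockdown list before and after Method 2, and gives a timestamp for the follow-up check. It assumes a system where Get-WinEvent is available; the agent folder and management group name are placeholders, the /L (list) switch of HSLockdown.exe and the HealthService service name are not shown in this article, and the -ApplyFix switch is a name made up for the example.

```powershell
# Added example (not from the KB article). Placeholders must be replaced before use.
param(
    [string]$ManagementGroup = 'Management_Group_Name',   # placeholder
    [string]$AgentDir        = 'C:\Path\To\AgentFolder',  # placeholder: agent install folder
    [switch]$ApplyFix                                     # hypothetical switch for this example
)

function Get-ConfigFailureEvents {
    param([datetime]$Since)
    # Log, event source and event IDs are the ones quoted under SYMPTOMS.
    $filter = @{ LogName = 'Application'; ProviderName = 'HealthService'
                 Id = 7022, 1220; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# The events recur every 30 minutes, so a 2-hour window should hold several pairs.
$before  = @(Get-ConfigFailureEvents -Since (Get-Date).AddHours(-2))
$has7022 = $before | Where-Object { $_.Id -eq 7022 -and $_.Message -match '0x80FF003F' }
$has1220 = $before | Where-Object { $_.Id -eq 1220 }
if (-not ($has7022 -and $has1220)) {
    Write-Output 'Symptom pair (7022 with 0x80FF003F, plus 1220) not found in the last 2 hours.'
    return
}
Write-Output ("Symptom confirmed: {0} matching events in the last 2 hours." -f $before.Count)

# Record the current allow/deny list so the change is auditable.
$hslockdown = Join-Path $AgentDir 'HSLockdown.exe'
& $hslockdown $ManagementGroup /L

if ($ApplyFix) {
    $fixedAt = Get-Date
    # Method 2, step 2: remove SYSTEM from the Denied list.
    & $hslockdown $ManagementGroup /R 'NT AUTHORITY\SYSTEM'
    if ($LASTEXITCODE -ne 0) { throw "HSLockdown exited with code $LASTEXITCODE" }
    # Method 2, step 3: restart the OpsMgr Health Service (short name assumed: HealthService).
    Restart-Service -Name HealthService
    & $hslockdown $ManagementGroup /L
    Write-Output "After 30+ minutes, events since $fixedAt should be empty for IDs 7022 and 1220."
}
```

Run it once without -ApplyFix on each affected domain controller to capture the starting state, and keep the /L output from before and after with the change record.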

REFERENCES

For more information about HSLockdown.exe, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/bb309542.aspx

APPLIES TO
  • Microsoft System Center Operations Manager 2007
  • Microsoft System Center 2012 Operations Manager
  • Microsoft System Center Operations Manager 2007 R2
  • Microsoft System Center Operations Manager 2007 Service Pack 1
Keywords: 
kbexpertiseadvanced kbtshoot kbopmaninstall kbconfiguration kbeventlog kbevent KB946428
       
