Article ID: 946428 - Last Review: April 2, 2008 - Revision: 1.0

The Health Service does not process configuration files, and events 7022 and 1220 are logged every 30 minutes on a domain controller on which you installed the Operations Manager 2007 agent

SYMPTOMS

After you install the Microsoft System Center Operations Manager 2007 agent on a domain controller, the Health Service does not process configuration files. Additionally, events that resemble the following events are logged every 30 minutes to the Application log on the domain controller:

Event 1

Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 7022
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description: The Health Service has downloaded secure configuration for management group Management_Group_Name, and processing the configuration failed with error code 0x80FF003F(0x80FF003F).

Event 2

Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 1220
Date: Date
Time: Time
User: N/A
Computer: Computer_Name
Description: Received configuration cannot be processed. Management group "Management_Group_Name".

This problem occurs when you configure an account that does not have administrative rights as the Default Action Account.

CAUSE

The System Center Operations Manager 2007 agent uses the Run As Profile that is named Privileged Monitoring Account to process Health Service configuration. By default, the Privileged Monitoring Account profile uses the Local System account.

When you configure the agent to use a domain user as the Default Action Account on a domain controller, the Health Service Lockdown Tool (HSLockdown.exe) is automatically run at installation. The Health Service Lockdown Tool denies Health Service access to the NT AUTHORITY\SYSTEM security principal.

In this scenario, only the NT AUTHORITY\Authenticated Users security principal is allowed access to the Health Service. However, when Active Directory is hardened or the agent is misconfigured, the Local System account cannot authenticate through the Authenticated Users security principal. Therefore, the agent cannot process Health Service configuration information.

RESOLUTION

To resolve this problem, use one of the following methods.

Method 1: Configure the Privileged Monitoring Account profile

Configure the Privileged Monitoring Account profile to use a domain user who has administrative rights on the affected domain controllers. To do this, follow these steps:
  1. Open the SCOM 2007 Console, and then click Administration.
  2. Under Security, right-click Run As Accounts, and then click Create Run As Account. This starts the Create Run As Account Wizard.
  3. Select Windows in the Run As Account type box. Enter a display name, and then click Next.
  4. Enter the user name and the password for an account that is a member of the Administrators group on the domain controller, and then click Create.
  5. After the Run As Account is created, open the Run As Profiles view, and double-click Privileged Monitoring Account.
  6. Click the Run As Accounts tab.
  7. Click New.
  8. Click the Run As Account that you created in step 2 through step 4.
  9. Click the domain controller in the list of computers, and then click OK.
  10. Repeat step 7 through step 9 for each affected domain controller.
  11. Click OK in the Run As Profile Properties dialog box.
  12. Restart the OpsMgr Health Service on the affected domain controllers.

Method 2: Run HSLockdown.exe to configure permissions

Run HSLockdown.exe on the affected domain controllers to remove NT Authority\SYSTEM from the Denied list. To do this, follow these steps:
  1. On the domain controller, open a command prompt, and then open the folder where the agent software is installed. By default, the agent is installed in the following folder:
    C:\Program Files\System Center Operations Manager 2007
  2. Type the following command, and then press ENTER:
    hslockdown "Management_Group_Name" /R "NT AUTHORITY\SYSTEM"
    In this command, Management_Group_Name is the name of the Operations Manager 2007 management group of which the agent is a member. Use quotation marks if the name contains spaces.
  3. Restart the OpsMgr Health Service.
  4. Repeat step 1 through step 3 on each domain controller that is affected.
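
The following script is an added example, not part of the original article or of Microsoft's tooling. It confirms the symptom (events 7022 and 1220 from the HealthService source, and the spacing between them) and then lists the current HSLockdown entries with the tool's read-only /L switch. It assumes Windows PowerShell 2.0 or later with Get-WinEvent, an elevated prompt on the affected domain controller, and the default agent folder; the parameter names are chosen for this example.

```powershell
# Added example: confirm the KB 946428 symptom, then review the HSLockdown list.
# Assumptions: Get-WinEvent is available, the session is elevated, and the agent
# is installed in the default folder named in Method 2.
param(
    [Parameter(Mandatory = $true)]
    [string]$ManagementGroup,   # name of the Operations Manager 2007 management group
    [string]$AgentPath = 'C:\Program Files\System Center Operations Manager 2007',
    [int]$LookbackHours = 4     # how far back to search the Application log
)

# 1. Look for the two events from the SYMPTOMS section in the Application log.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'HealthService'
    Id           = 7022, 1220
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Output "No HealthService 7022/1220 events in the last $LookbackHours hour(s)."
    return
}

# Event 7022 carries the error code; 0x80FF003F is the code this article describes.
$e7022    = @($events | Where-Object { $_.Id -eq 7022 })
$matching = @($e7022 | Where-Object { $_.Message -match '0x80FF003F' })
Write-Output ("{0} event(s) found, {1} with error 0x80FF003F" -f $events.Count, $matching.Count)

# The article says the events recur every 30 minutes; print the gap between 7022 events.
for ($i = 1; $i -lt $e7022.Count; $i++) {
    $gap = $e7022[$i].TimeCreated - $e7022[$i - 1].TimeCreated
    Write-Output ("  {0:u}  +{1:N0} min" -f $e7022[$i].TimeCreated, $gap.TotalMinutes)
}

# 2. List the accounts currently allowed and denied (/L only reads the list).
$hslockdown = Join-Path $AgentPath 'HSLockdown.exe'
if (Test-Path $hslockdown) {
    & $hslockdown $ManagementGroup /L
} else {
    Write-Warning "HSLockdown.exe not found under '$AgentPath'."
}
```

Run it again after you apply either method and restart the OpsMgr Health Service: the list should no longer show NT AUTHORITY\SYSTEM as denied if you used Method 2, and no new 7022 or 1220 events should appear after the restart.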

REFERENCES

For more information about HSLockdown.exe, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/bb309542.aspx

APPLIES TO
  • Microsoft System Center Operations Manager 2007