The Operations Manager Health Service does not process configuration files and logs Event IDs 7022 and 1220

Applies to: Microsoft System Center Operations Manager 2007, Microsoft System Center 2012 Operations Manager, System Center Operations Manager 2007 R2

Symptoms


After you install the Microsoft System Center Operations Manager agent on a Windows domain controller, the Health Service does not process configuration files. Additionally, events that resemble the following are logged every 30 minutes to the Application log on the domain controller:

Event 1

Event 2

Cause


This problem occurs when you configure an account that does not have administrative rights as the Default Action Account.

The System Center Operations Manager agent uses the Run As Profile that is named Privileged Monitoring Account to process Health Service configuration. By default, the Privileged Monitoring Account profile uses the Local System account.

When you configure the agent to use a domain user as the Default Action Account on a domain controller, the Health Service Lockdown Tool (HSLockdown.exe) is automatically run at installation. The Health Service Lockdown Tool denies Health Service access to the NT AUTHORITY\SYSTEM security principal.

In this scenario, only the NT AUTHORITY\Authenticated Users security principal is allowed access to the Health Service. But when Active Directory is hardened, or the agent is misconfigured, the Local System account cannot authenticate through the Authenticated Users security principal, and therefore the agent cannot process Health Service configuration information.

Resolution


To resolve this problem, use one of the following methods.

Method 1: Configure the Privileged Monitoring Account profile

Configure the Privileged Monitoring Account profile to use a domain user who has administrative rights on the affected domain controllers. To do this, follow these steps:
  1. Open the SCOM Console, and then click Administration.
  2. Under Security, right-click Run As Accounts, and then click Create Run As Account. This starts the Create Run As Account Wizard.
  3. Select Windows in the Run As Account type box. Enter a display name, and then click Next.
  4. Enter the user name and the password for an account that is a member of the Administrators group on the domain controller, and then click Create.
  5. After the Run As Account is created, open the Run As Profiles view, and double-click Privileged Monitoring Account.
  6. Click the Run As Accounts tab.
  7. Click New.
  8. Click the Run As Account that you created in step 2 through step 4.
  9. Click the domain controller in the list of computers, and then click OK.
  10. Repeat step 7 through step 9 for each affected domain controller.
  11. Click OK in the Run As Profile Properties dialog box.
  12. Restart the OpsMgr Health Service on the affected domain controllers.

Method 2: Run HSLockdown.exe to configure permissions

Run HSLockdown.exe on the affected domain controllers to remove NT Authority\SYSTEM from the Denied list. To do this, follow these steps:

  1. On the domain controller, open a command prompt, and then open the folder where the agent software is installed.
  2. Type the following command, and then press ENTER:
    hslockdown "Management_Group_Name" /R "NT AUTHORITY\SYSTEM"
    In this command, Management_Group_Name is the name of the Operations Manager 2007 management group of which the agent is a member. Use quotation marks if the name contains spaces.
  3. Restart the OpsMgr Health Service.
  4. Repeat step 1 through step 3 on each domain controller that is affected.
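The following PowerShell script is an added example (not part of this article) that applies Method 2 to several domain controllers in one pass over PowerShell remoting, recording the HSLockdown state before and after the change. It assumes remoting is enabled, that you are an administrator on each domain controller, that the service short name is HealthService, and that $AgentDir points at the agent folder that contains HSLockdown.exe; the default path shown is an assumption and must be adjusted for your installation.

```powershell
# Added example: run HSLockdown.exe /R on each affected domain controller and restart the Health Service.
# Assumptions: PowerShell remoting enabled, local admin rights on each DC, $AgentDir contains HSLockdown.exe.
param(
    [Parameter(Mandatory)] [string]   $ManagementGroup,      # management group name, e.g. "Contoso MG"
    [Parameter(Mandatory)] [string[]] $DomainController,     # affected DCs, e.g. "DC01","DC02"
    # Assumed default install folder; change it to where the agent is installed in your environment.
    [string] $AgentDir = 'C:\Program Files\System Center Operations Manager 2007'
)

$results = foreach ($dc in $DomainController) {
    Invoke-Command -ComputerName $dc -ArgumentList $ManagementGroup, $AgentDir -ScriptBlock {
        param($mg, $dir)
        $tool = Join-Path $dir 'HSLockdown.exe'
        if (-not (Test-Path $tool)) {
            throw "HSLockdown.exe was not found in '$dir' on $env:COMPUTERNAME"
        }

        # /L lists the current Allowed and Denied principals; keep it as the 'before' record.
        $before = (& $tool $mg /L 2>&1) | Out-String

        # Method 2, step 2: remove NT AUTHORITY\SYSTEM from the Denied list.
        & $tool $mg /R 'NT AUTHORITY\SYSTEM' | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "HSLockdown.exe returned exit code $LASTEXITCODE on $env:COMPUTERNAME"
        }

        $after = (& $tool $mg /L 2>&1) | Out-String

        # Method 2, step 3: restart the Health Service so it re-reads its configuration.
        Restart-Service -Name HealthService -Force
        $svc = Get-Service -Name HealthService

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Before        = $before.Trim()
            After         = $after.Trim()
            ServiceStatus = $svc.Status
        }
    }
}

# Review the before/after lockdown state for every DC; each one should show the service Running.
$results | Format-List Computer, ServiceStatus, Before, After
```

After running it, watch the Application log on each domain controller to confirm that Event IDs 7022 and 1220 stop recurring at the 30-minute interval.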

References


For more information about HSLockdown.exe, visit the following Microsoft TechNet Web site: