SCOM Agents are Grey on a Domain Controller (SCOM 2007, 2012 and 2016)

When deploying a SCOM Agent to a Domain Controller you might notice the agent going grey. Most likely this is because you have configured the agent to use the default action account which is the LocalSystem account, or in other words: NT AUTHORITY\SYSTEM.

Now we could change this and use a specific domain user account just for our domain controllers, but in my experience going from client to client they simply don’t have it configured that way. So the purpose of this post isn’t to say which I think is better but to show you how to get it working under the default scenario.

So as you can see, here’s a new SCOM 2016 build: I’ve just installed the agent on my locked-down domain controller and it’s gone grey.

[Screenshot: DC agent is grey]

So let’s fix this so our Domain Controller can be monitored.

Let me introduce you to the hslockdown tool. Nope, there’s nothing new to see here…if you’ve been around since SCOM 2007 you might recognize this tool, and there have been plenty of blogs (well, a few) that have talked about it. Fast forward to SCOM 2016 and nothing has changed: this also works on the latest build of SCOM 2016.

You’ll find the HSLockdown.exe in the folder where you’ve installed the Microsoft Monitoring Agent on the domain controller…this defaults to C:\Program Files\Microsoft Monitoring Agent\Agent.






So let’s run HSLockdown.exe /a "NT Authority\System" and then restart the HealthService on the Domain Controller.







And after we restart the service…the agent goes green…
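
The same steps as a PowerShell script, with the HSLockdown account list printed before and after so the change can be confirmed. This is an added example, not part of the original post; it assumes the default agent folder named above, the tool's /L (list) switch, and an elevated prompt on the domain controller.

```powershell
# Added example: run from an elevated PowerShell prompt on the domain controller.
# Assumption: the agent is installed to the default folder named in the post.
$agentDir   = 'C:\Program Files\Microsoft Monitoring Agent\Agent'
$hslockdown = Join-Path $agentDir 'HSLockdown.exe'
$account    = 'NT AUTHORITY\SYSTEM'

if (-not (Test-Path $hslockdown)) {
    throw "HSLockdown.exe not found in $agentDir; check the agent install folder."
}

# Record the current allowed/denied accounts before changing anything.
Write-Host '--- Before ---'
& $hslockdown /L

# Add the account to the allowed list (the /a step from the post).
# Passing it as a variable avoids any quoting problems with the space.
& $hslockdown /A $account
if ($LASTEXITCODE -ne 0) {
    throw "HSLockdown.exe /A returned exit code $LASTEXITCODE."
}

# Restart the agent's health service, as the post does.
Restart-Service -Name HealthService

# Confirm the account now appears as allowed and the service is running.
Write-Host '--- After ---'
& $hslockdown /L
Get-Service -Name HealthService | Select-Object Name, Status
```

Keeping the before and after listings gives a record of exactly which account was added to the agent's allowed list on the domain controller.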


[Screenshot: DC agent is green]

Hope that helps 🙂




Thanks, this has worked and solved my issue.
I had to change the quotes, as after copying the quotes were different.
