Deploying SCOM 2012 Agents to untrusted Forests/Domain

Similar Messages

• SCOM 2012 Agent - Best Practices with Base Images

  I've read through the
  SCOM 2012 agent installation methods technet article, as well as how to
  install the SCOM 2012 agent via command line, but don't see any best practices in regards to how to include the SCOM 2012 agent in a base workstation image. My understanding is that the SCOM agent's unique identifier is created at the time of client installation,
  is this correct? I need to ensure that this is a supported configuration before I can recommend it. 
  If it is supported, and it does work the way I think it does, I'm trying to find out a way to strip out the unique information so that a new client GUID will be created after the machine is sysprepped, similar to how the SCCM client should be stripped of
  unique data when preparing a base image. 
  Has anyone successfully included a SCOM 2012 (or 2007 for that matter) agent in their base image?
  Thanks, 
  Joe

  Hi
  It is fine to build the agent into a base image but you then need to have a way to assign the agent to a management group. SCOM does this via AD Integration:
  http://technet.microsoft.com/en-us/library/cc950514.aspx
  http://blogs.msdn.com/b/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx
  http://blogs.technet.com/b/jonathanalmquist/archive/2010/06/14/ad-integration-considerations.aspx
  http://thoughtsonopsmgr.blogspot.co.uk/2010/07/active-directory-ad-integration-when-to.html
  http://technet.microsoft.com/en-us/library/hh212922.aspx
  http://blogs.technet.com/b/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx
  You have to be careful in environments with multiple forests if no trust exists.
  http://blogs.technet.com/b/smsandmom/archive/2008/05/21/opsmgr-2007-how-to-enable-ad-integration-for-an-untrusted-domain.aspx
  http://rburri.wordpress.com/2008/12/03/untrusted-ad-integration-suppress-misleading-runas-alerts/
  You might also want to consider group policy or SCCM as methods for installing agents.
  Cheers
  Graham
  Regards Graham New System Center 2012 Blog! -
  http://www.systemcentersolutions.co.uk
  View OpsMgr tips and tricks at
  http://systemcentersolutions.wordpress.com/

• Deploy scom 2012 r2 on server 2012 r2

  Going to deploy scom 2012 r2 on server 2012 r2 with sql 2012 sp1. a few questions before starting:
  1. roles placement: server1 - management server, operation console;
                               server2: database server, reporting server;
                               Not sure where to place web console - server1 or server2?
  2. what are the least privileges to have for the installation account - domain user with local administrators?
      should the servers' system account need to be member of local administrators?
  3. what about other SCOM specific accounts? what least privileges they need?
  Thanks in advance.

  1. You can place it on the 1st server. do note however the downside doing all in one box SCOM components.
  2. It would be best to use a domain user account with local admin rights on the box
  3. Its all in the SCOM deployment docs..
  You might want to check this link
  http://blogs.technet.com/b/kevinholman/archive/2013/10/18/opsmgr-2012-r2-quickstart-deployment-guide.aspx (same as 
  Blake Mengotto)
  Hope this helps.
  Thanks,

• Can I use SCCM 2007 to deploy SCCM 2012 Agent

  I was reading the scenarios for deploying the SCCM 2012 agent here
  http://technet.microsoft.com/en-us/library/gg682132.aspx
  I have been planning to deploy the 2012 agent using an SCCM 2007 deployment package. I am not migrating any data/packages/collections/anything from SCCM 2007. 
  I am looking for a sane way to deploy 2000ish clients a day for 2 weeks and be done. 
  I figure they are all SCCM 2007 clients so lets deploy 2012 agent using SCCM 2007.
  I read the following in the link above and it sounds like the way I want to go – use SCCM 2007 software distribution…
  Upgrade installation by using application management
  Upgrades clients to a newer version by using Configuration   Manager application management. You can also use Configuration Manager 2007 software  
  distribution to upgrade clients to System Center 2012 Configuration Manager.
  Then later in the same document there is this…
  How to Upgrade Configuration Manager Clients by Using a Package and Program
  You can use Configuration Manager to create and deploy a package and program that upgrades the client software for selected computers in your hierarchy. A package definition file
  is supplied with Configuration Manager that populates the package properties with typically used values. You can customize the behavior of the client installation by specifying additional command line properties.
  You cannot upgrade Configuration Manager 2007 clients to System Center 2012 Configuration Manager by using this method.
  In this scenario, use automatic client upgrade, which automatically creates and deploys a package that contains the latest version of the client.
  What???!??  There is no Automatic client upgrade feature in 2007 – so how does that even make sense?  In one section, it says I can deploy the 2012 Agent using SCCM 2007 software distribution, and then later in the same document, it
  says I can't.  I am probably misunderstanding somthing.
  Is it possible to make a package/program in SCCM 2007 that will make targeted clients upgrade to Agent 2012 and join the new SCCM 2012 Site?

  I tested this (deploying 2012 agent using existing 2007 SCCM infrastructure) with a few test systems at my desk and it seems to work pretty smoothly.  I made a package to deploy SCCM 2012 SP1 and added it to my SCCM 2007 Site.  Then I deployed
  the 2012 agent from 2007 and it worked great.  If it works this well in production, I will be able to migrate all of my clients in less than a weeks time. 
  I have not published the 2012 site information in AD - and I don't plan to.  We would have some overlapping site boundaries - and in 2012 it seems its unnecessary in a single site hierarchy.  I AM planning to use boundaries to assign
  DPs, but thankfully site and DP boundaries have been separated.  It works great to just specify the site in everything and not worry about auto discovery.  My clients don't move among sites since I only have one large site.
  Sorry that I somehow posted this same question twice, and thanks for cleaning that up.
   In my installation, I just called ccmsetup.exe with the following command line...
   /mp:myMP.mydomain.com CCMLOGMAXHISTORY=5 CCMLOGMAXSIZE=1000000 SMSCACHEFLAGS=PERCENTDISKSPACE;NTFSONLY SMSCACHESIZE=10 SMSMP=myMP.mydomain.com SMSSITECODE=CCM
  I am not sure that I need to specify the MP twice, but it is working to do so.  I'm also not sure whether the log and cache flags will be honored since there are existing settings from SCCM2007 agent.  I think that the 2012 install will not change
  these settings upon installation, but it does not appear to hurt the process to include them just in case it does work.

• Does the SCOM 2012 agent "look back" in the logs before the service was started?

  Does the SCOM 2012 agent "look back" in the logs before the service was started?<o:p></o:p>
  We raised this question to our Microsoft rep back when we migrated to SCOM 2007. We wanted to know if SCOM would alert on errors generated before the Heath Service started. For example, errors
  logged before the service is started on reboot (which is when some critical errors are logged). We also wondered what happens when the service is restarted...would errors during the same window be missed?
  If I remember correctly the MS response was that the agent looks back on startup/restart based on a timestamp of some kind. We did some testing that seemed to confirm this information. I've
  recently encountered several instances of errors generated while the service was stopped (primarily during boot up) where SCOM failed to alert on the error.
  Can anyone confirm how the SCOM 2012 agent deals with errors generated before the service starts on boot and during service restarts?

  I would suspect it's with watermarks as it has been in the past.  What you should look into is if these alerts you were expecting are event based, and if there are rules set to alert for these conditions.  If so, and you don't get an alert,
  then you can bring that up with your msft rep.  However, they should be caught.
  Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ If my response was helpful, please mark it as so, if it answered your question, then please also mark it accordingly. Thank you.
  There is a watermark. If the agent has been down for a significant period of time, the watermark may not apply, as the log would have rolled - but the entire log will still be processed regardless of what has already been discarded in the log. This may cause
  some problems if a monitor picks up an unhealthy state, and the healthy state log entry has already been flushed. In this case, you need to reset health on that particular monitor, or just flush the cache on the agent to start anew.
  Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

• Scom 2007 and scom 2012 agent multi home

  is there version limit for the agent multihom for scom 2007 and scom 2012?
  In technet i found it for SCOM upgrade it mentioned need scom 2007 CU4 and above, how about for multihome approach for SCOM agent?
  Besides that, instead of agent upgrade, could we perform agent uninstallation scom 2007 and reinstall scom 2012?
  Thanks for your advice.

  Hi Cylim,
  You can upgrade your agents to SCOM 2012 only from SCOM 2007 R2 CU4. Please look at these helpful links:
  http://blogs.technet.com/b/kevinholman/archive/2014/01/20/do-i-need-a-specific-cumulative-update-release-ur-in-order-to-upgrade-to-scom-2012-or-2012-sp1-or-2012-r2.aspx
  http://blogs.catapultsystems.com/cfuller/archive/2012/05/31/quicktricks-multi-homing-an-agent-to-opsmgr-2012-scom-sysctr.aspx
  http://blogs.catapultsystems.com/cfuller/archive/2014/04/02/multihomed-migrations-in-operations-manager-lessons-from-the-field.aspx
  As Scott mentioned, you can uninstall SCOM 2007 agent and install SCOM 2012 agent on one or a few servers, and see if they report properly to both management groups SCOM 2007 and SCOM 2012:
  http://dynamicdatacenter.wordpress.com/2012/10/15/om-2012-agent-report-to-scom-2007-not-r2-scom-2012/
  Natalya

• Deploying SCOM 2012 R2 on a high availability

  I I am deploying scom 2012 r2 in high availabilty my question is that i need a witness resource disk or file share witness disk for the sql 2012 high availabilty or not  and also share the steps of making the scom 2012 r2 high availability through
  screen shots.with sql server 2012 high availability

  Looks like you asked this twice?
  I replied on the later thread:
  http://social.technet.microsoft.com/Forums/systemcenter/en-US/3b69afd0-db93-436e-84a7-caee7b79a5a6/deploying-scom-2012-r2-on-a-high-availability?forum=operationsmanagerdeployment
  John Joyner MVP-SC-CDM

• SCOM 2012 Agent Deployment query

  Hello,
  I have tried to deploy the agent remotely to a Windows Storage Server Standard - SP1 server but it failed,
  I have checked the compatible OS list and it makes reference to Server 2008 SP2 but not Storage Server.
  If I upgrade to SP2 will the agent install on the OS or will it fail anyway.
  THanks
  Nick

  Hello,
  I have tried to deploy the agent remotely to a Windows Storage Server Standard - SP1 server but it failed,
  I have checked the compatible OS list and it makes reference to Server 2008 SP2 but not Storage Server.
  If I upgrade to SP2 will the agent install on the OS or will it fail anyway.
  THanks
  Nick
  I had raised a ticket with Microsoft as this was quite unclear no matter where we looked.
  This was their response,
  I can confirm SCOM 2012 SP1 agent can be installed on the server “Windows Storage Server Standard –
  SP2” as per the below technet link.
  http://technet.microsoft.com/en-us/library/jj656654.aspx#BKMK_RBF_WindowsAgents
  Operating Systems: Windows Server 2003 SP2,
  Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows XP Professional x64 Edition SP2, Windows XP Professional SP3, Windows Vista SP2, Windows
  7, POSReady, Windows XP Embedded Standard, Windows XP Embedded Enterprise, Windows XP Embedded POSReady, Windows 7 Professional for Embedded Systems, Windows 7 Ultimate for Embedded Systems, Windows 8 Pro, Windows 8 Enterprise, Windows 8.1 Pro, or Windows
  Embedded 8.1 Industry.
  Hope this answers your question. Kindly let me know if you have any queries regarding this case further if not I will proceed with the case closure.

• SCOM 2012: Agent Proxy not enabled.

  I am seeing Critical Severity alerts on my SCOM 2012 Server stating:
  "The agent was not able to submit data on behalf of another computer because agent proxy is not enabled. Details:Health service ( 0C43A2D6-628F-D150-9553-8EABFECA600C ) should not generate data about this managed object ( 716D31EF-F34C-A4E3-1A16-3B8B75E85C0D
  I have about 8 servers with this error. All of which have had Proxy turned on in SCOM ( Administration -> Agent Managed -> <agents in question> -> Properties -> Security Tab -> Checked "Allow this agent to act as a proxy...".
   All of these servers are on the same domain as the SCOM server (we only have 1 domain).
  Thanks,

  For what it's worth I'm experiencing this issue. I've closed out the alerts and watched them pop back up later.
  The agent was not able to submit data on behalf of another
  computer because agent proxy is not enabled. Details:Health service (
  774FAEE6-003E-7CAC-FC02-676C0D9F675E ) should not generate data about this
  managed object ( 13354EE4-F0F9-DF55-88F0-271F30A70AAB ).
  PS C:\> Get-SCOMAgent |Where-Object -Property id -eq '13354EE4-F0F9-DF55-88F0-271F30A70AAB'
  PS C:\> Get-SCOMAgent |Where-Object -Property id -eq '774FAEE6-003E-7CAC-FC02-676C0D9F675E'
  PS C:\>
  This alert was generated about an hour ago, I have 160 agents installed.
  My guess is...well I don't have a good guess. any help about this would really be appreciated.
  Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

• Issues with SCOM 2012 Agent on Red Hat 5 Server

  We are running SCOM 2012 server and have deployed the agent successfully to a number of Red Hat Linux servers. I am having an issue on about a quarter of the hosts, in that they appear as HEALTHY but are Grayed out and not green. When I look at the /var/opt/microsoft/scx/log/omiserver.log
  file I see:
  WARNING: wsman: authentication failed for user scom2012
  I have verified that the system account is setup with the correct password and the runas account is setup with the correct password (i am able to deploy the agent from the SCOM server using it, so the passwords DO match).
  Any ideas? 

  We are running SCOM 2012 server and have deployed the agent successfully to a number of Red Hat Linux servers. I am having an issue on about a quarter of the hosts, in that they appear as HEALTHY but are Grayed out and not green. When I look at the /var/opt/microsoft/scx/log/omiserver.log
  file I see:
  WARNING: wsman: authentication failed for user scom2012
  I have verified that the system account is setup with the correct password and the runas account is setup with the correct password (i am able to deploy the agent from the SCOM server using it, so the passwords DO match).
  Any ideas? 
  I've seen this on a few systems here when the agent has been upgraded but the old agent process does not die off.  Just to rule it out, pick a node, make sure there are no instances of scxcimserver or scxcimprovagt and then start the agent and
  see if the issue goes away.  I've also seen wsman authentication failures related to the libssl issue that was fixed in yesterday's release.

• Upgrade to SCOM 2012 Agent - 25211.Failed to install performance counters.. Error Code: -2147024809 (The parameters is incorrect)

  I have seen this behavior on multiple servers. I receive this error when upgrading from a 2007 Agent to SCOM 2012.
  Event ID: 10005
  Product: System Center 2012 - Operations Manager Agent -- Error 25211.Failed to install performance counters.. Error Code: -2147024809 (The parameter is incorrect.).
  Event ID: 1008
  The Open Procedure for service "HealthService" in DLL "C:\Program Files\System Center Operations Manager 2007\HealthServicePerformance.dll" failed. Performance data for this service will not be available. The Status code returned is the
  first DWORD in the attached data.
  Any idea why I receive this error?
  Thanks
  Mike

  Hi,
  Please refer to this article:
  SCOM 2012 – Unable to upgrade agent after upgrade from SCOM 2007
  http://www.phits.nl/wordpress/2013/02/01/scom-2012-unable-to-update-agent-after-upgrade-from-scom-2007/
  Alex Zhao
  TechNet Community Support

• I get this error when i deploy SCOM 2012 in my Lab server

  When i install SCOM 2012 i get this error "
  The version of SQL Server on this computer is either not supported or could not be validated"
  I tried performing as per this article but still i have the same issue.
  Below is the screen shot of the error.
  I also tried the steps in the below article. The command completes success fully but still i get the below error.
  http://social.technet.microsoft.com/wiki/contents/articles/13954.opsmgr-2012-the-version-of-sql-server-on-this-computer-is-either-not-supported-or-could-not-be-validated.aspx
  Can some one please help on this.

  Hi,
  look at this two blog:
  http://www.scom2k7.com/fix-scom-2012-install-error-the-version-of-sql-server-on-this-computer-is-either-not-supported-or-could-not-be-validated-because-of-an-issue-connecting-to-the-wmi-provider/
  http://kevingreeneitblog.blogspot.com/2013/06/scom-2012-sp1-install-error-with-sql.html
  Regards.
  Ivan 

• Deploy SCOM 2012 R2 Agents to Domain Servers on Perimeter Network using SCOM Gateway on different Domain

  Hi, I have a bit odd situation on a SCOM 2012R2 deployment.
  I have a MS on the internal network, and a Gateway Server on the perimeter network. Each server is connected to different Active Directory Forests and there are no trust relationships between them. I configured the communication between the two using certificates.
  I have already connected some servers through the Gateway using certificates because there are on Workgroups, they are already approved on the MS and reporting their status.
  However, I have some servers that are member servers of the internal AD domain but are located on the perimeter network.
  So I've tried to configure one of them for testing to connect to the Gateway Server using a certificate using manual agent installation. Initially it didn't report on the SCOM, but then I ran the get-scompendingmanagement and saw that it showed there,
  so I ended up approving the agent using Powershell and then it was reported on the Console as "Not Monitored"
  First the agent was running as local system and then tried using a local admin account on the server, neither options have worked.
  I get the following errors:
  The OpsMgr Connector connected to scomgateway.externaldomain.com, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the
  server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
  For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  OpsMgr was unable to set up a communications channel to scomgateway.externaldomain.com and there are no failover hosts.  Communication will resume when scomgateway.externaldomain.com is available and communication from this computer is allowed.
  For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  Is this configuration possible? Or do I need to open communication ports from the agents to the MS inside the corporate network and not use the Gateway?
  Any ideas if someone else has done this are appreciated.
  Thank you.
  Regards.
  Eduardo Rojas

  I'm sorry, maybe I didn't explained myself correctly, I already have the gateway up and running with some Workgroup machines connected to it using certificates, so the Gateway is indeed working. These Workgroup machines are in fact reporting back to the
  Management Server on the internal network through the Gateway.
  My problem is with Domain Member machines that are on the perimeter network. This machines are joined to the Active Directory inside the corporate firewall, not the Active directory from the perimeter network (where the Gateway is joined). So my question
  is, can I connect these machines through the Gateway (even if the Gateway is on a different domain) or do I need to open ports and connect them directly to the management server (which is on the same active directory domain)? 
   Let me know if I made myself clear.
  Thank you.
  Regards.
  Eduardo Rojas

• SCOM 2012 R2 Agent Deployment - Uninstall Old and Install New

  By chance anyone come up with a scripted method for removing an existing SCOM 2012 SP1 agent and installing a new 2012 R2 agent? While I've come across a few scripts I'm trying to kill a few birds with one stone. This is a cross-domain attempt where the
  SCOM servers sit in one domain and the member servers are scattered across multiple domains. Member servers range from Windows Server 2003, 2008, and 2012. In most cases the servers have the 2012 SP1 agent installed and in some cases there are multiple management
  groups from previous SCOM standups. In addition there's a separate DEV SCOM 2012 R2 environment to manage DEV/QA servers. Active Directory Integration is configured and I have the necessary security groups created. There is a group policy created which is
  filtered to just that security group. So the plan is to simply drop the servers into the correct group and have the agent installed via group policy start up script. ADI should have DEV servers appear in DEV SCOM and PROD in PROD SCOM.
  Although there are ways to facilitate agent deployment via the console I need to perform a staged migration against a ton of server so as to not impact the existing production environment. So I'd rather do this remotely to pre-selected servers. This process
  should involve removing the existing agent, installing the new one, and if possible removing any existing management groups. So far I've come up with the following:
  Uninstall SCOM Agent:
  %WinDir%\System32\msiexec.exe /x <path>\MOMAgent.msi /qb
  Install SCOM Agent:
  msiexec.exe /i \\path\Directory\MOMAgent.msi /qn /l*v \logs\MOMAgent_install.log USE_SETTINGS_FROM_AD=0 MANAGEMENT_GROUP=<MG_Name> MANAGEMENT_SERVER_DNS=<MSDNSName> ACTIONS_USE_COMPUTER_ACCOUNT=0 ACTIONSUSER=<AccountUser> ACTIONSDOMAIN=<AccountDomain>
  ACTIONSPASSWORD=<AccountPassword>
  Remove Management Group via Script
  http://gallery.technet.microsoft.com/Remove-a-Management-group-336c849a/view/Discussions#content
  I'm guessing this wheel has already been invented or maybe there's a better way. So I'm open to ideas or suggestions.
  Any responses appreciated.

  Wow! 4 days and no responses, not good Microsoft SCOM Community. So here's a status on this issue.
  As stated I have Active Directory Integration configured which means:
  I see the OperationsManager container in AD: dev_scom
  I see the HealthService SCP and separate OU's for each of my management servers.
  I have an ADI security group containing my management servers and scom action account.
  I have an Agent security group which will contain servers the scom agent will be deployed via group policy.
  I also have an AD LDAP query set to target the SCOM agent group.
  (&(objectCategory=group)(name=DSCOM_ADI))
  I finally get the script to install via the following steps:
  Reference:
  http://technet.microsoft.com/en-us/library/cc754995.aspx
  http://technet.microsoft.com/en-us/library/cc770556.aspx
  http://blog.coretech.dk/msk/install-a-scom-2012-agent-silent/
  1. Launch Notepad ++ and enter the following:
  msiexec /i
  \\server.yourdomain.com\opsmgragent\%Processor_Architecture%\MOMAgent.msi USE_SETTINGS_FROM_AD=1 MANAGEMENT_GROUP=DEV_SCOM MANAGEMENT_SERVER_DNS=YourSCOMsrvr1.yourdomain.com ACTIONS_USE_COMPUTER_ACCOUNT=0 USE_MANUALLY_SPECIFIED_SETTINGS=0 ACTIONSUSER=svc_dscom
  ACTIONSDOMAIN=yourdomain ACTIONSPASSWORD=YourPassword! AcceptEndUserLicenseAgreement=1 /qn /l*v c:\scom2012r2mmainstall.log
  2. Save the script to a name of your choice. For me it's installdopsmgragent.cmd. Watch the extensions as you may end up saving it as installdopsmgragent.cmd.txt.
  Note: Make note of this steps in the reference articles listed above:
  "In the Add a Script dialog box, do the following:
  In the Script Name box, type the path to the script, or click Browse to search for the script file in the Netlogon shared folder on the domain controller."
  It's been a while since having to use a startup script so it took me a minute to figure this out. "getting too old 'fer this..."
  3. Copy the script to the Netlogon folder which is located in the following directory on my Windows 2012 server: E:\SYSVOL\sysvol\yourdomain.com\scripts
  4. Launch the group policy management console, create a new policy, edit it, and navigate to the following location:
  Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
  5. Double-click Startup to open the Startup Properties window.
  6. Click Add and browse to the location of the script which you copied to the Netlogon share.
  7. Click OK to close the Startup Properties window.
  8. Close the Group Policy Management Editor.
  9. Link the policy to an OU containing the servers.
  10. Add the SCOM Agent group to the Security Filtering area of the group policy. I also remove Authenticated Users.
  Note: make sure you have a few test servers in your Agent security group.
  11. Drop to a command line and run gpupdate /force. You can also use gpupdate /force /sync but you will have to reboot the box you're running this from.
  12. Log into one of the servers you have slated to deploy the agent to, drop to a command line, and run the same gpupdate command.
  13. Follow this with a gpresult /r command to ensure that you see the policy applied in the Computer Settings area.
  14. Reboot the server and you should see the startup script run.
  15. Log into the server and launch the Control Panel.
  16. If all went well you'll see the "Microsoft Monitoring Agent" icon.
  17. Launch Event Viewer, navigate to the Operations Manager events node located under Applications and Services Logs and validate the logs.
  17. If all didn't go well check the error log located, for me, on the C:\scom2012r2mmainstall.log
  My issue: I don't see the management info in the Agent properties.
  I installed this last night and waited until the next day still no changes. Event logs show the following:
  Event ID: 2011 The Health Service did not find any policy in Active Directory
  Event ID: 2003 No management groups were started.  This may either be because no management groups are currently configured or a configured management group failed to start.  The Health Service will wait for policy from Active Directory configuring
  a management group to run.
  I see the HealthService is Running in Task Manager on this server and of course I don't see anything listed in the Management Groups registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\
  I don't want to manually add the management group info. Checking as I may have missed something in one of the switches. 
  Any responses appreciated.

• SCOM 2012 R2 Agent Issue: Error 25211.Failed to install performance counters.. Error Code: -2147024809

  Hi All,
  I'm trying to deploy SCOM 2012 R2 agent onto a domain controller and I get the following error "Product: Microsoft Monitoring Agent -- Error 25211.Failed to install performance counters.. Error Code: -2147024809 (The parameter is incorrect.)."
  I've installed the agent successfully onto 4 other domain controllers with out any issues.</p><p>The domain controllers are all VM's running on VMWare and are Windows Server 2012 R2.
  I've rebuilt the Perfmon Counters based on this article:&nbsp;https://support.microsoft.com/en-us/kb/2554336?a=wsignin1.0
  I've also enabled verbose logging on the msi installation:
  InstallHSPerfCounters: Custom Action Data. C:\Program Files\Microsoft Monitoring Agent\Agent\
  InstallHSPerfCounters: Installing agent perf counters. 
  InstallCounters: LoadPerfCounterTextStrings() failed . Error Code: 0x80070057. momv3 "C:\Program Files\Microsoft Monitoring Agent\Agent\HealthServiceCounters.ini"
  InstallPerfCountersHelper: pcCounterInstaller->InstallCounters() for the default counters failed. Error Code: 0x80070057. HealthService
  InstallPerfCountersLib: InstallHealthServicePerfCounters() failed . Error Code: 0x80070057. 
  InstallPerfCountersLib: Retry Count : . 
  InstallCounters: LoadPerfCounterTextStrings() failed . Error Code: 0x80070057. momv3 "C:\Program Files\Microsoft Monitoring Agent\Agent\MOMConnectorCounters.ini"
  InstallPerfCountersHelper: pcCounterInstaller->InstallCounters() for the default counters failed. Error Code: 0x80070057. MOMConnector
  InstallPerfCountersLib: InstallHealthServicePerfCounters() failed . Error Code: 0x80070057. 
  Any help on this would be great.

  Hi Stefan,
  I've successfully installed the agent. The server needed a reboot after fixing the corrupt perfmon counters.
  I know have a issue with the agent on the domain controller. It kkeeps on greying out and have used hslockdown to allow the local system access by using the following command.
  HSLockdown.exe "ManagementGroupName" /A "NT AUTHORITY\Authenticated Users"
  Further digging into the issue I see in the SCOM Management Server the following error "The entity servername is not heartbeating"
  Written a SQL query to gather more information. SQL query I used is:
  SELECT
  ME.FullName,
  HSO.StartDateTime AS OutageStartDateTime,
  DATEDIFF (DD, hso.StartDateTime, GETDATE()) AS OutageDays,
  HSO.ReasonCode,
  DS.Name AS ReasonString
  FROM  vManagedEntity AS ME
  INNER JOIN     vHealthServiceOutage AS HSO ON HSO.ManagedEntityRowId = ME.ManagedEntityRowId
  INNER JOIN     vStringResource AS SR ON HSO.ReasonCode =
  REPLACE(LEFT(SR.StringResourceSystemName, LEN(SR.StringResourceSystemName)
  – CHARINDEX(‘.’, REVERSE(SR.StringResourceSystemName))), ‘System.Availability.StateData.Reasons.’, ”)
  INNER JOIN     vDisplayString AS DS ON DS.ElementGuid = SR.StringResourceGuid
  WHERE (SR.StringResourceSystemName LIKE ‘System.Availability.StateData.Reasons.[0-9]%’)
  AND DS.LanguageCode = ‘ENU’
  AND ME.FullName like ‘%SERVER NAME%’   –Change name here or leave %% for ALL SERVERS
  ORDER BY OutageStartDateTime
  This gives me the following reason behind the failure : "The heartbeat from System Center Management Service is missing."
  Have I missed anything? The agent is running fine, however SCOM is reporting that the heartbeat is missing.
  Any help on this would be great.