Last week I deployed my SCOM agents on my domain controllers. The installation was successful and of course I checked the agent proxying checkbox in the administration console.
After 30 minutes I checked the status of my agent and it was grayed out!! So I looked at the event log of my DC and saw this error:
Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 7017
The health service blocked access to the windows credential NT AUTHORITY\SYSTEM because it is not authorized on management group dgz. You can run the HSLockdown tool to change which credentials are authorized.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
On computers requiring high security, for example a domain controller, you may need to deny certain identities access to rules, tasks, and monitors that might jeopardize the security of your server.
So, you have to run the HSLockdown tool to change the credentials that are authorized:
When you run HSLockdown [ManagementGroupName] /L (list accounts/groups), you can see that the system account is denied! That's why my agents are greyed out!
Next, run HSLockdown [ManagementGroupName] /R "NT AUTHORITY\SYSTEM"
Restart your healthservice and you’re done!!
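The steps above as one PowerShell script that also confirms the 7017 event first, records the lockdown list before and after the change, and checks that the event stops recurring. This is an added example, not part of the original post: the HSLockdown.exe path is a placeholder, and the 'Operations Manager' log name, the HealthService service name and the availability of Get-WinEvent are assumptions about the agent machine.

```powershell
# Added example. Run from an elevated prompt on the affected agent.
$ManagementGroup = 'dgz'                      # management group named in the event
$Account         = 'NT AUTHORITY\SYSTEM'      # credential named in the event
$HSLockdown      = 'C:\<agent-install-dir>\HSLockdown.exe'   # placeholder path, set it yourself

# 1. Confirm the symptom: Event ID 7017 from HealthService naming this account.
#    Assumption: the agent writes to the 'Operations Manager' log.
$filter  = @{ LogName = 'Operations Manager'; ProviderName = 'HealthService'; Id = 7017 }
$blocked = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Account*" -and
                   $_.Message -like "*management group $ManagementGroup*" }
if (-not $blocked) {
    Write-Host "No 7017 event for $Account on $ManagementGroup. Nothing changed."
    return
}

# 2. Record the current lockdown list (the /L step) so the change can be reviewed later.
$before = @(& $HSLockdown $ManagementGroup /L)
$before | Set-Content "$env:TEMP\hslockdown-before.txt"

# 3. Remove the entry for the account (the /R step).
& $HSLockdown $ManagementGroup /R $Account

# 4. List again and show exactly which lines changed.
$after = @(& $HSLockdown $ManagementGroup /L)
$after | Set-Content "$env:TEMP\hslockdown-after.txt"
Compare-Object $before $after | Format-Table -AutoSize

# 5. Restart the agent, wait, then look for new 7017 events since the change.
$changeTime = Get-Date
Restart-Service -Name HealthService           # assumption: service name of the agent
Start-Sleep -Seconds 120
$filter.StartTime = $changeTime
$recurring = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($recurring) {
    Write-Warning "$(@($recurring).Count) new 7017 event(s) since the change; review the /L output."
} else {
    Write-Host 'No new 7017 events. The agent should turn healthy in the console.'
}
```

The before and after files in %TEMP% give a record of which identities were authorized on the domain controller at the time of the change.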