Jimmy Harper's Operations Manager Blog

Posts in this blog are provided "AS IS" with no warranties, and confer no rights. Use of included script samples is subject to the terms specified in the Terms of Use

Health Service problem on Windows 2000 Agent


I recently ran into an interesting issue with a customer.  A Windows 2000 Agent (running OpsMgr SP1) was not able to process configuration due to problems creating/using the self-signed certificate that the Health Service uses (this is not a Gateway or DMZ scenario, this is the certificate that all agents create and use).  At first, we were seeing the following errors in the OpsMgr Event Log:

Event ID:      1220
Description:
Received configuration cannot be processed. Management group "<MANAGEMENT_GROUP_NAME>". The error is Cannot find the certificate and private key for decryption. (0x8009200B).

Event ID:      21021
Description:
No certificate could be loaded or created.  This Health Service will not be able to communicate with other health services.  Look for previous events in the event log for more detail.

After removing/reinstalling the agent, the Health Service would not start, and the following error was seen in the System Event Log:

Event ID:      7024
Description:
The OpsMgr Health Service service terminated with service-specific error 2148073494.

This error maps to "Keyset does not exist".


This looks to me like the Health Service is having problems creating its self-signed certificate.  To investigate this:


Check to see if we have the certificate in the certificate store:

  1. Start – Run – MMC.exe
  2. File – Add/Remove Snap-in
  3. Add – Certificates – Add
  4. Computer Account – Next – Local Computer – Finish

Here’s what it looks like when the cert is there:

[screenshot omitted]

If the certificate is there and we still think we're having problems with it, there's no harm in deleting it: it should be re-created when the Health Service starts.  In our case, since we had uninstalled the agent, the certificate was removed.  When we tried to start the Health Service, it was failing to create the certificate.  So, the next step is to verify that the Health Service is running under the context of the Local System account:

[screenshot omitted]

If it is, then the next step is to verify that the System and Administrator accounts have Full Control of the following directories:


%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18


Also, verify that the Administrators group is the owner of these directories.  This is necessary for the Local System account to be able to create the certificate.


So, everything above checked out fine in my customer's environment.  While researching this, I came across another customer case where some other service was failing to create a certificate because a service named "Protected Storage Service" was not running.  I tested on a Windows Server 2003 Agent and could not reproduce the problem: we created the self-signed cert just fine without the Protected Storage service running.  Then, I remembered that my customer's problem was on a Windows 2000 Agent, and the other customer case I was reading was quite old, so likely from Windows 2000.

Anyway, we checked the Protected Storage Service and it was disabled.  We enabled and started it, and the Health Service started without error, created its certificate, and was talking to the Management Server in no time.

So, if you have any of the above errors, verify that the Protected Storage Service is started.
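The four checks above (certificate present with its private key, Health Service running as Local System, permissions and ownership on the machine-key folders, Protected Storage running) can be scripted on agents that have PowerShell. This is an added example, not a script from the original post; it assumes PowerShell 3 or later on Vista/2008 or newer (so the ProgramData paths rather than the Windows 2000 paths listed above), that the agent certificate lives in the LocalMachine store named "Operations Manager", and that the service names are HealthService and ProtectedStorage.

```powershell
# Added diagnostic script (not from the original post) for the checks described above.
# Assumptions: PowerShell 3+ on Vista/2008 or later, agent cert in the LocalMachine
# "Operations Manager" store, service names HealthService and ProtectedStorage,
# machine-key folders under ProgramData (Windows 2000 uses the paths given in the post).
$storeName  = 'Operations Manager'
$keyFolders = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\S-1-5-18')
)

# 1. Is the self-signed Health Service certificate present, and does it have its private key?
$certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$storeName" -ErrorAction SilentlyContinue)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\$storeName; HealthService should re-create it on start."
}
foreach ($c in $certs) {
    "Cert {0} expires {1} hasPrivateKey={2}" -f $c.Subject, $c.NotAfter, $c.HasPrivateKey
    if (-not $c.HasPrivateKey) { Write-Warning "Private key missing: consistent with 'Keyset does not exist'" }
}

# 2. Does HealthService run as Local System?
$svc = Get-CimInstance Win32_Service -Filter "Name='HealthService'"
if (-not $svc) { Write-Warning 'HealthService is not installed on this machine' }
elseif ($svc.StartName -ne 'LocalSystem') { Write-Warning "HealthService runs as $($svc.StartName), expected LocalSystem" }

# 3. Do SYSTEM and Administrators have Full Control, and do Administrators own the folders?
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($f in $keyFolders) {
    if (-not (Test-Path $f)) { Write-Warning "$f not found"; continue }
    $acl = Get-Acl -Path $f
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.HasFlag($fullControl)
        }
        if (-not $ok) { Write-Warning "$id lacks Full Control on $f" }
    }
    if ($acl.Owner -ne 'BUILTIN\Administrators') { Write-Warning "Owner of $f is $($acl.Owner), expected BUILTIN\Administrators" }
}

# 4. Is the Protected Storage service running (the root cause in the post)?
$pstore = Get-Service -Name ProtectedStorage -ErrorAction SilentlyContinue
if (-not $pstore) { 'ProtectedStorage service is not present on this OS' }
elseif ($pstore.Status -ne 'Running') { Write-Warning "ProtectedStorage is $($pstore.Status); start it, then restart HealthService" }
```

Run it in an elevated prompt on the agent; each warning corresponds to one of the manual checks in the post, so a clean run with no warnings means the problem lies elsewhere.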

Comments
  • Hi Jimmy.

    A while ago I bumped into the same issue and solved it in another manner. Also blogged about it: http://thoughtsonopsmgr.blogspot.com/2009/02/eventid-7024.html

    It is good to see that you used another approach but got the same end result as well. I'll refer to this posting in my blog article.

    Best regards,

    Marnix Wolf

  • Do these certificates automatically renew?  By reading this and looking at a number of our agents, they are set to expire in less than a month.

    Thank you.

  • Yes, it should renew automatically.  You really should never have to touch this, unless your Health Service is failing to start.

  • Hello. The same problem, but I couldn't even find a folder in Certificates named "Operation Manager". How could I create it?

  • First, verify that you are looking in the Certificate store for Local Computer and not for your user account.  If the folder isn't there, then it should be created once we are able to create the certificate. So try to resolve the problem using the steps in this blog and see if it gets created.

  • Saw additional Event IDs 7005, 7009 and 7022 in the Operations Manager event log.

    Searched the net for this error:

    ======================
    Event Type: Error
    Event Source: HealthService
    Event Category: Health Service
    Event ID: 7022
    Date: 29/01/2010
    Time: 1:17:25 p.m.
    User: N/A
    Computer: xxxxxx
    Description:
    The Health Service has downloaded secure configuration for management group <Management Group Name>, and processing the configuration failed with error code 0x80FF0066(0x80FF0066).
    =======================

    Found

    http://www.ntx.at/blog/Lists/Beitraege/Post.aspx?ID=76 and

    http://www.systemcentercentral.com/tabid/60/indexId/34058/tag/Forums+Operations_Manager/Default.aspx#vindex56241

    Both articles mention registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\<Management Group Name>\SSDB\References.

    Imported this key from a working server. Server is still reporting as healthy.

  • I had the same problem, couldn't start the service, and just starting the Protected Storage service solved my problem.

  • I ran into the same problem on a Windows 2008 R2 server and it was the permissions on the folder C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 that were wrong. Thank you Jimmy!

  • We're having this exact same problem with the SCOM2012 agent. We're "baking" it into our image and the certificate has the name of the image template. Removing the cert, then bouncing the service fixed it. Thanks for pointing me in the right direction.
