How to Configure System Center Operations Manager Agent on Windows Server 2012 R2

System Center Operations Manager (SCOM) is Microsoft’s enterprise monitoring solution that provides comprehensive, agent-based monitoring of Windows servers, applications, network infrastructure, and services. The SCOM agent installed on each managed server collects performance data, event log entries, and application health information, forwarding it to the Management Server for centralized analysis, alerting, and reporting. For organizations running System Center, deploying the SCOM agent on all Windows Server 2012 R2 instances is a standard part of server provisioning.

This guide covers both agent installation methods — push installation from the Operations Console and manual installation — as well as agent configuration, multi-homing agents to multiple management groups, certificate-based authentication for workgroup servers, and maintaining the agent over time. The procedures are applicable to SCOM 2012 R2 and SCOM 2016/2019 agents deployed to Windows Server 2012 R2 targets.

Prerequisites

– A functioning SCOM Management Group with at least one Management Server
– Windows Server 2012 R2 as the target managed node
– Administrative credentials on the target server
– Network connectivity from the target server to the SCOM Management Server on TCP port 5723
– For push installation: administrative credentials from the SCOM server to the target
– Firewall rules allowing SCOM agent communication
– .NET Framework 3.5 or 4.x installed on the managed node

Step 1: Prepare the Target Server for Agent Installation

Before installing the SCOM agent, ensure the target server meets prerequisites:

# Verify .NET Framework version
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full").Release
# 379893 = .NET 4.5.2 (minimum recommended for SCOM 2012 R2 agent)

# Install .NET 3.5 if needed by older management packs
Install-WindowsFeature NET-Framework-Features

# Check available disk space (agent requires ~100MB)
Get-PSDrive C | Select-Object Name, @{N="FreeGB"; E={[math]::Round($_.Free/1GB,2)}}

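# Allow the agent's outbound connection to the Management Server on TCP 5723.
# The agent initiates this connection, so no inbound rule for 5723 is needed on the managed node.
New-NetFirewallRule -DisplayName "SCOM Agent TCP 5723" `
    -Direction Outbound -Protocol TCP -RemotePort 5723 -Action Allow `
    -Description "System Center Operations Manager agent communication"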

# Verify the port is not blocked outbound to the management server
Test-NetConnection -ComputerName "SCOMServer01" -Port 5723

Step 2: Push Agent Installation from Operations Console

The most common deployment method is using the Discovery Wizard in the SCOM Operations Console to push agents to target computers.

On the SCOM Management Server, open the Operations Console and navigate to Administration > Device Management > Agent Managed. Right-click and select Discovery Wizard:

1. Discovery Type: Windows computers
2. Discovery Method: Scan Active Directory or Browse for computers — enter the target server name
3. Administrator Account: SCOM Action Account or specify alternate credentials
4. Select the target and click Install

The push installation copies agent files from the Management Server to \\TargetServer\Admin$\Temp and executes the installer. Monitor progress in the Agent Management Tasks view.

Step 3: Manual Agent Installation

For servers without Remote Registry or file sharing access, install the agent manually. Copy the agent installer from the SCOM media or Management Server share:

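# Agent installer location on SCOM media:
# Agent\AMD64\MOMAgent.msi (for 64-bit Windows Server 2012 R2)

# Silent installation command (the log directory must already exist)
# SECURE_PORT is the Management Server port the agent connects to (5723 throughout this guide)
# AcceptEndUserLicenseAgreement=1 is required for an unattended install
msiexec.exe /i "MOMAgent.msi" /qn `
    USE_SETTINGS_FROM_AD=0 `
    USE_MANUALLY_SPECIFIED_SETTINGS=1 `
    MANAGEMENT_GROUP="SCOMGroup01" `
    MANAGEMENT_SERVER_DNS="SCOMServer01.domain.com" `
    SECURE_PORT=5723 `
    ACTIONS_USE_COMPUTER_ACCOUNT=1 `
    AcceptEndUserLicenseAgreement=1 `
    /l*v "C:\Logs\SCOM_Agent_Install.log"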

For PowerShell-based deployment:

# Copy agent installer to target (single quotes keep the $ in the admin share name literal)
Copy-Item '\\SCOMServer01\d$\SCOM\Agent\AMD64\MOMAgent.msi' 'C:\Temp\MOMAgent.msi'

# Run installation ($args is a reserved automatic variable, so a different name is used)
$msiArgs = '/i "C:\Temp\MOMAgent.msi" /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP="SCOMGroup01" MANAGEMENT_SERVER_DNS="SCOMServer01.domain.com" SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 AcceptEndUserLicenseAgreement=1 /l*v "C:\Logs\SCOM_Install.log"'
Start-Process msiexec.exe -ArgumentList $msiArgs -Wait

# Verify installation
Get-Service HealthService | Select-Object Name, Status, StartType
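
Because the installer is copied over the network and then run with administrative rights, it is worth checking its Authenticode signature and the msiexec exit code before trusting the result. The following is an added example, not part of the original guide or of Microsoft's tooling; the function name Install-VerifiedScomAgent, the expected signer string and the paths are assumptions.

```powershell
# Added example. Install-VerifiedScomAgent and the expected signer string are assumptions.
function Install-VerifiedScomAgent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $ManagementGroup,
        [Parameter(Mandatory)] [string] $ManagementServer,
        [string] $LogPath = 'C:\Logs\SCOM_Install.log',
        [string] $ExpectedSigner = 'O=Microsoft Corporation'   # assumption: Microsoft-signed media
    )

    # 1. Refuse an installer whose Authenticode signature is missing, broken or unexpected.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${MsiPath}: $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 2. msiexec does not create the log directory, so make sure it exists.
    $logDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    # 3. Install silently and keep the process object so the exit code can be checked.
    $msiArgs = "/i `"$MsiPath`" /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 " +
               "MANAGEMENT_GROUP=`"$ManagementGroup`" MANAGEMENT_SERVER_DNS=`"$ManagementServer`" " +
               "SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 AcceptEndUserLicenseAgreement=1 " +
               "/l*v `"$LogPath`""
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {      # 3010 = success, reboot required
        throw "msiexec exited with $($proc.ExitCode); see $LogPath"
    }

    # 4. Return a record suitable for a build or change log.
    [pscustomobject]@{
        Installer      = $MsiPath
        SHA256         = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
        Signer         = $sig.SignerCertificate.Subject
        ExitCode       = $proc.ExitCode
        RebootRequired = ($proc.ExitCode -eq 3010)
        ServiceStatus  = (Get-Service HealthService).Status
    }
}

Install-VerifiedScomAgent -MsiPath 'C:\Temp\MOMAgent.msi' `
    -ManagementGroup 'SCOMGroup01' -ManagementServer 'SCOMServer01.domain.com'
```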

Step 4: Verify Agent Installation and Communication

After installation, verify the agent is running and communicating with the Management Server:

# Check the Health Service (SCOM agent service)
Get-Service HealthService | Select-Object Name, Status, StartType

# Check the agent event logs
Get-WinEvent -LogName "Operations Manager" -MaxEvents 20 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# Verify TCP connection to Management Server is established
Get-NetTCPConnection -RemotePort 5723 | Select-Object LocalAddress, RemoteAddress, State

# Check the SCOM agent configuration file
Get-Content "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Management Groups\SCOMGroup01\Mom.Config" | Select-String "ManagementServer"

Step 5: Configure the Agent Action Account

The SCOM agent uses an action account to run monitoring workflows. By default it uses Local System, but you can configure a domain service account for access to network resources or domain-joined SQL instances:

# The action account is configured in the SCOM Operations Console:
# Administration > Run As Configuration > Accounts
# Create a Windows Run As Account with the service account credentials
# Then associate it with the SCOM Action Account profile

# Verify from the managed server which account the HealthService is running as
(Get-WmiObject Win32_Service -Filter "Name='HealthService'").StartName

# For local configuration at install time, pass ACTIONS_USE_COMPUTER_ACCOUNT=0 together with
# the ACTIONSUSER, ACTIONSDOMAIN and ACTIONSPASSWORD properties to MOMAgent.msi

Step 6: Configure Agent Proxy Settings

If the SCOM agent needs to proxy through another agent to reach the Management Server (useful for DMZ or segmented network scenarios), configure agent proxying:

# On the Management Server, configure proxy from PowerShell using SCOM PowerShell module
Import-Module OperationsManager -ErrorAction SilentlyContinue
New-SCOMManagementGroupConnection -ComputerName "SCOMServer01"

# Allow this agent to act as a proxy for other computers
$agent = Get-SCOMAgent -Name "WS2012R2Server01.domain.com"
Enable-SCOMAgentProxy -Agent $agent

Step 7: Multi-Home the Agent to Multiple Management Groups

In environments with multiple SCOM Management Groups (e.g., separate production and DR management groups), configure the agent to report to both:

# Using the SCOM Agent Configuration utility (MOMAgentMgmt.exe)
# Located at: C:\Program Files\Microsoft Monitoring Agent\Agent\MOMAgentMgmt.exe

# Add a second management group
& "C:\Program Files\Microsoft Monitoring Agent\Agent\MOMAgentMgmt.exe" /AddManagementGroup `
    /ManagementGroupName:"SCOMGroup02" `
    /ManagementServerName:"SCOMServer02.domain.com" `
    /ManagementServerPort:5723

# Verify the agent is reporting to multiple groups
& "C:\Program Files\Microsoft Monitoring Agent\Agent\MOMAgentMgmt.exe" /ListManagementGroups

Step 8: Configure Agent for Certificate Authentication (Workgroup Servers)

For non-domain-joined servers, SCOM agent communication must use certificate-based authentication instead of Kerberos:

# Step 1: Request and install a certificate for the managed server
# The certificate must be from a CA trusted by both the managed server and Management Server
# Required: Server Authentication OID (1.3.6.1.5.5.7.3.1) and Client Authentication OID (1.3.6.1.5.5.7.3.2)

# Step 2: After installing the certificate, run MOMCertImport.exe to configure SCOM to use it
$certThumbprint = (Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "*ServerName*").Thumbprint

& "C:\Program Files\Microsoft Monitoring Agent\Agent\MOMCertImport.exe" /SubjectName "ServerName.domain.com"

# Step 3: Restart the Health Service after certificate configuration
Restart-Service HealthService

# Verify certificate is configured in registry
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings" |
    Select-Object ChannelCertificateSubjectName, ChannelCertificateSerialNumber
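
Before running MOMCertImport.exe, the candidate certificate can be checked against the requirements listed above (both EKU OIDs, a CA trusted by the server) plus the usual private-key and validity checks. This is an added example, not code from the original guide; the function name Test-ScomAgentCertificate, the 30-day validity margin and the rule that the subject common name equals the name passed to /SubjectName are assumptions.

```powershell
# Added example. Test-ScomAgentCertificate and its thresholds are hypothetical.
function Test-ScomAgentCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExpectedName,   # name later given to /SubjectName
        [int] $MinDaysValid = 30                         # assumption: renewal margin
    )
    begin {
        $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
        $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication
        $ekuType    = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    process {
        # Collect the EKU OIDs from the Enhanced Key Usage extension, if the cert has one.
        $ekus = @($Certificate.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Build the chain against the local trust stores; revocation is not checked here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($Certificate)

        $now = Get-Date
        $result = [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            CommonName    = $Certificate.GetNameInfo('SimpleName', $false)
            HasPrivateKey = $Certificate.HasPrivateKey
            ServerAuthEku = $ekus -contains $serverAuth
            ClientAuthEku = $ekus -contains $clientAuth
            ValidWindow   = ($Certificate.NotBefore -le $now) -and
                            ($Certificate.NotAfter -ge $now.AddDays($MinDaysValid))
            ChainTrusted  = $trusted
        }
        $nameOk = $result.CommonName -eq $ExpectedName   # -eq is case-insensitive
        $result | Add-Member NoteProperty NameMatches $nameOk
        $result | Add-Member NoteProperty Usable ($nameOk -and $result.HasPrivateKey -and
            $result.ServerAuthEku -and $result.ClientAuthEku -and
            $result.ValidWindow -and $trusted)
        $result
    }
}

# Evaluate every certificate in the computer store and show why each passes or fails.
Get-ChildItem Cert:\LocalMachine\My |
    Test-ScomAgentCertificate -ExpectedName 'ServerName.domain.com' |
    Format-Table Thumbprint, CommonName, HasPrivateKey, ServerAuthEku, ClientAuthEku, ChainTrusted, Usable
```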

Step 9: Maintain and Update the SCOM Agent

# Check current agent version
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup").AgentVersion

# Approve pending agent updates in the Operations Console:
# Administration > Pending Management > select servers > Approve

# Manually update agent via push from Operations Console:
# Administration > Agent Managed > right-click server > Upgrade Agent

# Flush the agent cache if experiencing stale data issues
Stop-Service HealthService
Remove-Item "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\*" -Recurse -Force
Start-Service HealthService

# Reset the agent to re-register with the Management Server
Get-Service HealthService | Restart-Service

Step 10: Troubleshoot Agent Connectivity Issues

# Check SCOM event log for errors
Get-WinEvent -LogName "Operations Manager" -MaxEvents 50 |
    Where-Object { $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message | 
    Where-Object { $_.Message -match "connect|fail|error|certificate" } |
    Format-List

# Verify DNS resolution of Management Server
Resolve-DnsName "SCOMServer01.domain.com"

# Test TCP connectivity on SCOM port
Test-NetConnection -ComputerName "SCOMServer01.domain.com" -Port 5723

# Check if Health Service is running and not crashing
Get-EventLog -LogName System -Source "Service Control Manager" -Newest 20 |
    Where-Object { $_.Message -match "HealthService" } |
    Select-Object TimeGenerated, EventID, Message

# Verify firewall is not blocking the agent
Get-NetFirewallRule -DisplayName "*SCOM*" | Select-Object DisplayName, Enabled, Direction, Action

Summary

The SCOM agent on Windows Server 2012 R2 provides the foundation for enterprise-class monitoring, delivering detailed performance, availability, and health data to the central management group. Whether installed via Operations Console push deployment for domain members or via manual installation with certificate authentication for workgroup servers, the agent’s Health Service maintains a persistent, authenticated channel to the Management Server. Proper agent configuration — including appropriate action accounts, proxy settings for segmented networks, and multi-homing for high availability — ensures comprehensive monitoring coverage. Regular agent maintenance through console-driven updates and periodic log review keeps the monitoring infrastructure healthy and the data flowing reliably.