After promoting a Windows Server 2012 R2 machine to a Domain Controller, many administrators report that the SNMP service's Security tab vanishes from the service properties. This isn't just a UI glitch: it prevents configuring SNMP communities and accepted host restrictions.
The root cause lies in permission changes during DC promotion. The LocalService account loses certain privileges needed to expose the security configuration interface. Here's what happens under the hood:
- DC promotion modifies default service permissions
- SNMP service runs under NT AUTHORITY\LocalService
- Security descriptor changes hide the configuration tab
When the GUI fails, we can configure SNMP settings directly through PowerShell:
# Set SNMP community strings (the value 4 grants READ ONLY rights)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities" -Name "public" -Value 4 -Type DWord
# Configure accepted hosts (-Force overwrites an entry that already exists)
$hosts = @("192.168.1.100", "10.0.0.50")
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" -Name "1" -Value $hosts[0] -PropertyType String -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" -Name "2" -Value $hosts[1] -PropertyType String -Force
# Restart service to apply changes
Restart-Service -Name "SNMP"
For more complex scenarios, direct registry editing may be necessary:
Windows Registry Editor Version 5.00

; Send a trap when a request fails authentication
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters]
"EnableAuthenticationTraps"=dword:00000001

; TrapConfiguration is a subkey, not a value: one subkey per community, one numbered value per trap destination
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\TrapConfiguration\public]
"1"="192.168.1.100"
"2"="10.0.0.50"
To permanently fix the missing tab, we need to reset service permissions:
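# Take ownership of SNMP service registry key
# (takeown.exe only handles files and folders, so the registry key is opened through .NET instead)
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\services\SNMP", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
$owner = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$owner.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
$key.SetAccessControl($owner)
$key.Close()
# Grant full control to Administrators
$acl = Get-Acl "HKLM:\SYSTEM\CurrentControlSet\services\SNMP"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("BUILTIN\Administrators","FullControl","ContainerInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\services\SNMP" -AclObject $acl
# Restart SNMP and Remote Registry services
Restart-Service -Name "SNMP","RemoteRegistry"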
After making changes, verify SNMP functionality:
# Test SNMP response from another host
snmpwalk -v 2c -c public your-server-ip system
# Check service status
Get-Service SNMP | Select-Object Status,StartType
For monitoring systems like Nagios or Zabbix, ensure your new community strings and permitted hosts are properly configured in their SNMP check templates.
After promoting a Windows Server 2012 R2 to a Domain Controller, the SNMP service's Security tab vanished from the Services management console. This is particularly frustrating when you need to add authorized management stations for network monitoring.
The DC role installation modifies system security policies and service configurations. SNMP service behavior changes because:
- Domain Controllers enforce stricter security defaults
- Service Control Manager permissions are modified during promotion
- The SNMP service runs under the Network Service account with different privileges
When the GUI fails, PowerShell comes to the rescue. Here's how to configure SNMP communities and permitted managers:
# First, verify SNMP service is running
Get-Service -Name SNMP
# Set SNMP community strings (replace 'public' with your community)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities" /v public /t REG_DWORD /d 4 /f
# Add permitted manager IP addresses
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v 1 /t REG_SZ /d "192.168.1.100" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers" /v 2 /t REG_SZ /d "192.168.1.101" /f
# Restart SNMP service to apply changes
Restart-Service -Name SNMP
For more advanced configuration, use WMI:
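# Change the account the SNMP service logs on as
# (StartName is the seventh argument of Win32_Service.Change; $null leaves a setting unchanged)
$snmpservice = Get-WmiObject -Class Win32_Service -Filter "Name='SNMP'"
$snmpservice.Change($null,$null,$null,$null,$null,$null,"NT AUTHORITY\NetworkService",$null,$null,$null,$null)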
Check registry settings to confirm changes:
# View configured communities
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\ValidCommunities"
# View permitted managers
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMP\Parameters\PermittedManagers"
When configuring SNMP on a Domain Controller:
- Always use non-default community strings
- Restrict access to specific monitoring IPs
- Consider using SNMPv3 for encryption if supported by your monitoring system
- Document all changes in your domain security policy
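The checklist above can be checked against the registry values this page configures. The following read-only audit is an added example, not part of the original article; `Test-SnmpRegistryConfig` is a hypothetical helper name, and it should be run in an elevated PowerShell session on the server.

```powershell
# Added example: read-only audit of the SNMP registry values set on this page.
# Test-SnmpRegistryConfig is a hypothetical helper name, not a built-in cmdlet.
function Test-SnmpRegistryConfig {
    param(
        [string]$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\services\SNMP\Parameters'
    )
    # Meaning of the DWORD stored for each community name
    $rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
    $defaults = @('public', 'private')   # widely known community names

    $communities = Get-Item -Path "$BasePath\ValidCommunities" -ErrorAction SilentlyContinue
    if ($communities) {
        foreach ($name in $communities.GetValueNames()) {
            $value = [int]$communities.GetValue($name)
            $issues = @()
            if ($defaults -contains $name) { $issues += 'default community name' }
            if ($value -ge 8) { $issues += 'write access granted' }
            [pscustomobject]@{
                Setting = "Community '$name'"
                Value   = if ($rights.ContainsKey($value)) { $rights[$value] } else { "unknown ($value)" }
                Finding = if ($issues) { $issues -join '; ' } else { 'ok' }
            }
        }
    }

    $managers = Get-Item -Path "$BasePath\PermittedManagers" -ErrorAction SilentlyContinue
    $names = if ($managers) { @($managers.GetValueNames()) } else { @() }
    if ($names.Count -eq 0) {
        # An empty PermittedManagers key means SNMP packets are accepted from any host
        [pscustomobject]@{ Setting = 'PermittedManagers'; Value = '(empty)'; Finding = 'accepts SNMP from any host' }
    }
    foreach ($n in $names) {
        [pscustomobject]@{ Setting = "Manager $n"; Value = $managers.GetValue($n); Finding = 'ok' }
    }
}

Test-SnmpRegistryConfig | Format-Table -AutoSize
```

Any row whose Finding is not `ok` corresponds to one of the items in the list above: a default community string, a community with write rights, or no restriction on which hosts may query the agent.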
If SNMP still doesn't work after configuration:
- Check Windows Firewall rules for UDP port 161
- Verify the SNMP service is running under the Network Service account
- Test connectivity using snmpwalk from a monitoring station
- Review Event Viewer for SNMP-related errors