I thought that this was just another "Stop System Center Management service - delete Health Service State - start System Center Management service"...
BUT.... no.... when I started the service, I got a pop-up:
...and the service didn't start.
hmmm....
Further investigation - and a little help from this article:
http://blogs.technet.com/b/smsandmom/archive/2008/04/30/opsmgr-2007-healthservice-service-fails-to-start-with-25362-warning.aspx
send me in this direction:
check the WindowsAccountLockDownSD key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\
And.. sure... the key was not present on these grey machines.
So, I found a healthy machine, exported the WindowsAccountLockDownSD key, copied the reg-file to the "defect" machines and merged it.
And... VOILA.... the service started nicely again.
BUT.... the service started nicely, but the server was still grey.
Looking into the eventlog I found an error 7005 with the following text:
The Health Service was unable to publish its public key to management group [MyMG] and will be unable to receive secure messages until this key is published. Attempts to publish the key will continue.
As long as the agent can't publish its public key it will not communicate with the SCOM management server.
It turned out that two more keys was missing in the registry.
In the following location there should be two keys with a long coded name (string of about 30 characters):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\mymgmtgroup\SSDB\References\
If it is not there you can pick it up from another machine in the same management group and merge it.
Then restart the System Center Management service and ... Voila... the servers go green.
