none
Alert: MomADAdmin not Run

    Question

  • We have implemented AD integration in our forest for agent failover when deploying the SCOM 2007 R2 a while back.  It has worked fine until recently when there has been an alert for several domains in the forest saying...

    "OperationsManager container doesn't exist in domain X1 or the Run As Account associated with the AD based agent assignment rule does not have access to the container.  Please run MomADAdmin before configuiring agent assignment rules and make sure the associated Run As Account is the member of the Operations Manager Administrator role."

    We have indeed run MomADAdmin long time ago when initially deploying SCOM and didn't have any problem at the time.  We haven't touched the OperationsManager container in any of our domains in the last few months, at least if not longer.   Also, we have just verified that the Run As Account is a member of the Operations Manager Administrator role.

    Any idea what could cause this alerts?  I have google'd around but didn't seem to find anything relevant and helpful.

    Thanks.

    H.

    Friday, May 04, 2012 8:39 PM

Answers

  • Sometimes it helps to reset the runas account frmo the SCOM admin console. I mean re-type the credentials in the runas account properties there. Is the runas account also a member of a group with rights to those AD containers? If its a domain admin for that domain it will be alright as well of course.

    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Sunday, May 06, 2012 3:12 PM
  • I can see how that seems not logical. I think your action at least worked :-)

    You could take one of those agents and clear its cache (stop the system center mnangement service + clear the contents of C:\program files\system center operations manager 2007\health service state\*.*  + start system center management service) and watch the box for a few minutes to see whats happening.

    Also check if the agent is set to Remotely Manageable. In scom admin pane, go to agent managed. It is a column in the list of agents there, otherwise use the Personalize view... button to add that column to your view. If it is set to remotely manageable = yes; than the config of the agents is managed by SCOM. I can image if that is so and it first checks AD and next finds that it is remotely mangeable that the agent might do what you describe (2012 followed by 20063). Have not tested that last bit though. In any case would not worry about it too much.


    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Thursday, May 10, 2012 5:59 AM

All replies

  • Sometimes it helps to reset the runas account frmo the SCOM admin console. I mean re-type the credentials in the runas account properties there. Is the runas account also a member of a group with rights to those AD containers? If its a domain admin for that domain it will be alright as well of course.

    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Sunday, May 06, 2012 3:12 PM

  • Hi,

    Meanwhile, please also check if the container “OperationsManager” exists in ADUC. If not, please try again with the MOMADAdmin tool to create it.

    Regarding AD integration, I would like to share the following with you for your reference:

    Understanding how Active Directory integration feature works in OpsMgr 2007
    http://blogs.technet.com/b/momteam/archive/2008/01/02/understanding-how-active-directory-integration-feature-works-in-opsmgr-2007.aspx

    OpsMgr AD Integration - how it works
    http://blogs.msdn.com/b/steverac/archive/2008/03/20/opsmgr-ad-integration-how-it-works.aspx

    Thanks.


    Nicholas Li

    TechNet Community Support

    Monday, May 07, 2012 7:45 AM
  • The OperationsManager container still exist for all domains in our forest.  I also compared the permissions and they're all the same across.  So, I guess we don't need to run the MomADAdmin tool again.  Or do we need to remove the OperationsManager container from those domains that we received the alerts for and then run the MomADAdmin tool again???

    Regarding resetting the runas account, I can only find one place to reset the account, Run As Configuration - Accounts - Properties - Credentials.  But if I reset the account there, apparently it would affect all domains, which I'm reluctant to do as we don't want to touch those domains that appears to be working fine, ie, do not generate any alerts yet.

    Thanks.

    H.

    Monday, May 07, 2012 7:07 PM
  • Hi , yes that is the place. And by reset I do not mean to change the password. Just re-type the password there of the existing account (the same password, which you can check by first using it to logon somewhere).
    Next wait half a hour and restart the System Center Management service on those domain controllers. See what happens.

    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Tuesday, May 08, 2012 6:21 AM
  • The account has just been reset.  Will wait a bit and then restart the SCM service.

    Just noticed the following messages logged in the event log in many machines being monitored by our scom:

    event ID 2012 (The Health Service successfully retrieved policy from Active Directory) and then followed by event ID 20063 (Active Directory Integration has been disabled for management group XYZ).

    I believe it is normal to receive event 2012 but what about 20063?  Does that mean something is wrong with the OperationsManager containers in our AD?  If so, that may be why we have been receiving the alerts.  Any suggestions as to what to check?

    Thanks.

    H.

    Tuesday, May 08, 2012 7:25 PM
  • We haven't received such alert in the last 24 hours.  Hopefully the problem is already fixed by resetting the account.

    The last questions we have... is it normal to have event 20063 logged in the event viewer right after event 2012?

    Thanks.

    H.

    Wednesday, May 09, 2012 8:57 PM
  • I can see how that seems not logical. I think your action at least worked :-)

    You could take one of those agents and clear its cache (stop the system center mnangement service + clear the contents of C:\program files\system center operations manager 2007\health service state\*.*  + start system center management service) and watch the box for a few minutes to see whats happening.

    Also check if the agent is set to Remotely Manageable. In scom admin pane, go to agent managed. It is a column in the list of agents there, otherwise use the Personalize view... button to add that column to your view. If it is set to remotely manageable = yes; than the config of the agents is managed by SCOM. I can image if that is so and it first checks AD and next finds that it is remotely mangeable that the agent might do what you describe (2012 followed by 20063). Have not tested that last bit though. In any case would not worry about it too much.


    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Thursday, May 10, 2012 5:59 AM
  • Yap, remotely manageable is "Yes".  It is good that no need to worry about it.

    Thanks for all your help.

    H.

    Friday, May 11, 2012 7:33 PM