Health Service Credentials Not Found Alert Message - DFS

  • Question

  • I followed the DFS guide (6.0.06321.0) and created a dedicated RunAs account and placed it in the DFS RunAs Profiles. I selected the more secure distribution option. I added all my DFS servers to the list.

    Now I receive an alert on 103 non DFS servers (mostly SQL servers) stating it can't resolve the RunAs account. It should not be trying to resolve it. I copied the message below. I used Bing and came across a post talking about the same issue with the Dynamics AX MP. That link is below.

    http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/1264f3b5-14c2-4972-b7a5-f0211bae29f0/

    That link sent me to this tool, but I have not tried it.

    http://blogs.msdn.com/b/mariussutara/archive/2009/04/09/tool-opsmgr-2007-r2-what-to-do-with-secure-reference-override-alert.aspx

    ++++++++++++++++++++++++++++

    An account specified in the Run As profile "Microsoft.Windows.DFSNamespaceDiscoveryAccount" cannot be resolved.

    This condition may have occurred because the account is not configured to be distributed to this computer. To resolve this problem, you need to open the Run As profile specified below, locate the account entry as specified by its SSID, and either choose to distribute the account to this computer if appropriate, or change the setting in the profile so that the target object does not use the specified account.
    Note: you may use the command shell to get the Run As account display name by its SSID.

    Management Group: XXXX_HQ
    Run As Profile: Microsoft.Windows.DFSNamespaceDiscoveryAccount
    Account SSID: 007EA868E4325BD5FED76B2EC69CB2A6214AEA312900000000000000000000000000000000000000

    +++++++++++++++++++++++++

    So how do I resolve the error?

    Tuesday, March 29, 2011 9:55 PM
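
The alert's note about using the command shell to look up a Run As account by its SSID, as an added example that is not part of the original thread. It assumes the OpsMgr 2007 R2 Command Shell with `Get-RunAsAccount`, and that each account's `SecureStorageId` is a byte array whose hex form matches the alert's SSID once trailing zero padding is ignored; the function names are hypothetical.

```powershell
# Added example, not part of the original thread. Run it in the Operations
# Manager Command Shell, connected to the management group from the alert.

function ConvertTo-SsidHex {
    param([byte[]]$Bytes)
    # Two uppercase hex digits per byte, no separators.
    if (-not $Bytes) { return '' }
    return ([System.BitConverter]::ToString($Bytes) -replace '-', '')
}

function Find-RunAsAccountBySsid {
    param([string]$AlertSsid)

    # Assumption: the alert pads the SSID with trailing zeros, so trailing
    # zeros are ignored on both sides before comparing.
    $wanted = $AlertSsid.Trim().ToUpper().TrimEnd('0')

    Get-RunAsAccount | ForEach-Object {
        # Assumption: SecureStorageId is exposed as a byte array.
        $hex = ConvertTo-SsidHex $_.SecureStorageId
        if ($hex -and ($hex.TrimEnd('0') -eq $wanted)) {
            $_ | Select-Object Name, @{ Name = 'SSID'; Expression = { $hex } }
        }
    }
}

# SSID copied from the alert text quoted in the question.
$ssid = '007EA868E4325BD5FED76B2EC69CB2A6214AEA312900000000000000000000000000000000000000'
$match = Find-RunAsAccountBySsid -AlertSsid $ssid
if ($match) { $match | Format-List } else { "No Run As account matches SSID $ssid" }
```

The account name returned is the one to look for under the Run As profile named in the alert when checking which computers it is distributed to.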

Answers

  • Hi,

     

    Please also try configuring the Run As Account and run as profile referring to the method in the following post:

     

    AD MP throws error: ‘Health Service Credentials Not Found Alert Message’

    http://thoughtsonopsmgr.blogspot.com/2010/07/ad-mp-throws-error-health-service.html

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

     

    Hope this helps.

     

    Thanks.


    Nicholas Li - MSFT
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by SCCMRanger Thursday, March 31, 2011 4:05 PM
    Thursday, March 31, 2011 7:51 AM

All replies

  • Hi,

     

    It seems that SQL Run-As Accounts were not being distributed to SQL Servers.

     

    Try below steps...

     

    Locate the following Run-As Accounts in the Console under Administration>Profiles:

    SQL Server Discovery Account
    SQL Server Monitoring Account

    Right click and go to Properties. Under Run As Accounts, click Add

    Select the drop-down box under Run As account and choose the SQL Account, or create a new one with SQL rights.

    Proceed to the bottom under “A selected class, group or object” click Select.

    Choose Group and in the Filter by, type sql

    Select the SQL Computers group and click Ok, then Save.

    On the Wizard completed successfully screen, under “More-secure Run As Accounts”, click the account that was just added.

    Click add and add all of the SQL Servers in question. This will distribute the appropriate accounts to the SQL Servers.

     

    Don’t forget to click “Mark as Answer” on the post if this helps you.

    Wednesday, March 30, 2011 2:51 AM
  • Thank you for your reply.

    I do not think we are on the same page. Why would the DFS account be distributed to non DFS servers? Especially when configured to use the More Secure method of specifying my DFS servers?

    Also, I am using the default Action Account to manage the SQL servers. I was under the impression the SQL RunAs profiles do not need to be populated if using the default Action Account. Did I misunderstand the guide? 

    Thanks again for the reply. I look forward to your answer.

    Wednesday, March 30, 2011 3:14 PM
  • This is a known issue in the DFS management pack.  The seed discovery (registry key) uses the run as account so this is what you are seeing on other computers.  This would not happen if the "less secure" option (e.g. let the agent store encrypted credentials on all computers) was selected.

    The workaround is to create a group for the DFS servers, and disable the DFS seed discovery globally, then re-enable the DFS seed discovery on the group scope.

     


    Microsoft Corporation
    Wednesday, March 30, 2011 6:32 PM
  • Dan, thank you for clarifying the issue. I would prefer not to create a group that must be manually updated every time we add a DFS server.

    Are you aware if the default Action Account can be used and not populate the DFS RunAs profiles?

    Thanks for the input!

    Wednesday, March 30, 2011 8:13 PM
  • The easiest way is to give up on the "more secure" option.  Unless you have DFS servers in your DMZ (are you crazy?!!!) this shouldn't be something you worry about.  The difference between more and less secure is more of a hyper-security-minded feature PM decision than it is a security problem.  Unless you are managing secret DFS servers, or have them in your DMZ (ouch!) you should think about the "less secure" option.  This simply shares encrypted creds at the agent level versus sharing encrypted creds at the agent level (go figure).  The distinction is "all agents" or "some agents".  Because of the need to do some agents, and because the seed discovery accidentally has a run-as-profile associated with it, the only way to prevent these alerts is to use group scoping.
    Microsoft Corporation
    Thursday, March 31, 2011 3:34 PM
  • Thanks everyone for your help. I used the link from Nicholas to help resolve the issue. Instead of adding a single computer one at a time, I created an explicit group and populated it. I then targeted the group.

     

    AD MP throws error: ‘Health Service Credentials Not Found Alert Message’

    http://thoughtsonopsmgr.blogspot.com/2010/07/ad-mp-throws-error-health-service.html

    

    Thanks again!

     
    Thursday, March 31, 2011 4:05 PM
  • My pleasure. I am very glad to know it works!

     

    In the future, if you experience any issues regarding our products or if you have any feedback, you are also welcome to post a new thread in our forum.

     

    Thanks again!


    Nicholas Li - MSFT
    Monday, April 4, 2011 2:09 AM