AD Management script questions

  • I have deployed the AD management pack into SCOM 2007 R2 and have set up the AD replication monitoring, but I have many alerts already appearing which I am not sure about. Some are about AD scripts not running due to not enough permissions. These alerts are:

    AD Replication Monitoring : encountered a permissions error.
    The script failed to update this DCs monitoring object in the naming context 'DC=ForestDnsZones,DC=euphony,DC=com' because access was denied.  Alter the permissions for this naming context so that the script can add this container, or change the parameters for this script to stop monitoring this naming context.


    AD Replication Partner Op Master Consistency : The script 'AD Replication Partner Op Master Consistency' failed to executethe following LDAP query: '<LDAP://dc.domain.com/DC=domain,DC=com>;(&(objectClass=infrastructureUpdate)(fSMORoleOwner=*));fSMORoleOwner;Subtree'
    The error returned was 'Table does not exist.' (0x80040E37)

    I have read somewhere about having to set up a replication account, or it uses the management action account. My management action account is only in Domain Admins; would it need to be an Enterprise Admin? Or can it be set up to use another account, such as one set up as a Run As account? How would you do this? Also in my AD, I do see the OpsMgrLatencyMonitors container, and underneath the container it does have folders for each DC we have.

    Any ideas why the scripts would not run?

    Also in the replication monitor for replication latency there are some charts; the x axis shows the date/time, but what does the Y axis show? It has some numbers, but I don't know what they mean. Any ideas?

    Friday, August 20, 2010 10:45 AM


  • Hi,

    Based on my research, I would like to suggest the following:

    1. Verify Replication Monitoring Account Permissions:

    Active Directory Management Pack - Replication Monitoring Account Permissions

    2. Use the LDP tool to check the connectivity:


    You can get LDP in the Windows Support Tools.

    1) Run LDP.exe
    2) Connection --> Connect (enter the DC name)
    3) Connection --> Bind (enter username, password and domain)
    4) Browse --> Search (enter the DN at Base DN, "CN=Schema,CN=Configuration,DC=corp,DC=ab-xy,DC=com", taken from event ID 1000)
    5) In Filter enter (&(objectClass=dMD)(fSMORoleOwner=*))
    6) At Scope select Subtree
    7) Options --> clear all at Attributes and enter fSMORoleOwner
    8) Hit Run - we should see the DC with the Schema master role.


    If the above steps return the value, then there is no problem with connectivity at this time.

    As the FSMO roles don't need to be changed frequently, you may also override the value for this monitor from 60 sec to another interval, depending on your environment.

    Meanwhile, please also refer to:


    Active Directory Management Pack Checklist



    Hope this helps.



    Nicholas Li - MSFT
    • Marked as answer by Nicholas Li Thursday, September 2, 2010 7:55 AM
    Monday, August 23, 2010 8:43 AM
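The reply's LDP walkthrough and the alert text in the question both boil down to a small set of LDAP reads that either succeed or fail for the account the management pack runs under. The script below is an added example (not part of this thread, not Microsoft's management pack code) that runs those same checks from PowerShell with the .NET System.DirectoryServices classes, so you can run it under the action account (or a candidate Run As account) and compare the result with the alerts. `dc.domain.com` and `DC=domain,DC=com` are placeholders; the assumption that the OpsMgrLatencyMonitors container sits directly under each naming context root is mine, and the script only reads ACLs, it never writes to the directory.

```powershell
# Added example: replay the AD MP replication-monitoring LDAP reads as the
# current user, to separate a permissions problem from a connectivity problem.
# Placeholders (replace with your own): dc.domain.com, DC=domain,DC=com
param(
    [string]$DomainController = 'dc.domain.com',
    [string]$DomainDN         = 'DC=domain,DC=com'
)

function Invoke-LdapQuery {
    # Runs one LDAP search and returns the results, or $null on failure.
    param(
        [string]$SearchBase,                                  # e.g. LDAP://dc/DC=domain,DC=com
        [string]$Filter,
        [string[]]$Attributes,
        [System.DirectoryServices.SearchScope]$Scope = 'Subtree'
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = $Filter
    $searcher.SearchScope = $Scope
    $searcher.PropertiesToLoad.Clear()
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    try {
        return $searcher.FindAll()
    } catch {
        # The exception message carries the HRESULT, e.g. 0x80040E37 ("Table
        # does not exist", the error in the question) or 0x80070005 (access denied).
        Write-Warning ("Query {0} against {1} failed: {2}" -f $Filter, $SearchBase, $_.Exception.Message)
        return $null
    }
}

$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/RootDSE")
$schemaNC = $rootDse.Properties['schemaNamingContext'].Value

# 1. The exact query the 'AD Replication Partner Op Master Consistency' alert quotes
#    (infrastructure master owner in the domain naming context).
$infra = Invoke-LdapQuery -SearchBase "LDAP://$DomainController/$DomainDN" `
    -Filter '(&(objectClass=infrastructureUpdate)(fSMORoleOwner=*))' -Attributes 'fSMORoleOwner'

# 2. The query the reply walks through in LDP (schema master owner in the schema NC).
$schema = Invoke-LdapQuery -SearchBase "LDAP://$DomainController/$schemaNC" `
    -Filter '(&(objectClass=dMD)(fSMORoleOwner=*))' -Attributes 'fSMORoleOwner'

foreach ($resultSet in @($infra, $schema)) {
    if ($null -eq $resultSet) { continue }
    foreach ($r in $resultSet) {
        '{0} -> fSMORoleOwner = {1}' -f $r.Path, ($r.Properties['fsmoroleowner'] -join ',')
    }
}

# 3. Per naming context: does OpsMgrLatencyMonitors exist, and which principals are
#    allowed to create children under it? The 'encountered a permissions error' alert
#    is raised when the script cannot add this DC's container there. Compare the
#    listed principals with the group membership of the action / Run As account.
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
foreach ($nc in $rootDse.Properties['namingContexts']) {
    $path = "LDAP://$DomainController/CN=OpsMgrLatencyMonitors,$nc"   # assumed location
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        "$nc : OpsMgrLatencyMonitors container not found (or not visible to this account)"
        continue
    }
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        $allowed = $rules |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.ActiveDirectoryRights) -band $createChild) -ne 0 } |
            Select-Object -ExpandProperty IdentityReference -Unique
        "$nc : CreateChild allowed for: $($allowed -join ', ')"
    } catch {
        "$nc : could not read the ACL of OpsMgrLatencyMonitors ($($_.Exception.Message))"
    }
}
```

Run it in a session started as the account the management pack actually uses (for example via `runas /user:DOMAIN\actionaccount powershell.exe`), not as yourself: a domain admin's desktop session will pass every check and tell you nothing about why the monitoring scripts fail. A query that returns rows here but fails in the alert points at the account, whereas a query that fails identically in both places points at the naming context or connectivity, which is what the LDP steps in the reply are meant to establish.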