OpsMgr and Active Directory MP throwing errors

  • Question

  • Hello,

    I deployed System Center Operations Manager 2007 R2 and it works fine so far. However I installed the AD Management Pack and now get the following errors for both domain controllers:

    Alert Rule: AD Replication Partner Op Master Consistency AD Client Side Script Based Test Failed to Complete
    Alert Description: AD Replication Partner Op Master Consistency : The script 'AD Replication Partner Op Master Consistency' failed to get the fSMORoleOwner for 'ad02.domain.xx'.
    The error returned was '' (0x80020009)

    Alert Rule: Could not determine the FSMO role holder
    Alert Description: AD Replication Partner Op Master Consistency : Unable to determine infrastructure Op Master on domain controller 'ad02'.

    I created an ADReplMon account for replication monitoring and even gave it domain admin rights. When I try running the script ad_replication_partner_op_master_consistency.vbs under this account, it runs without problems.

    Both domain controllers are Windows 2008. One Standard Full, the other Standard Core.

    The configuration is single forest, single domain. No trust relationships, and both DCs are GCs. I found similar problems on the Internet but nothing seemed to help.

    I hope someone can help with that.

    Thank you
    Sascha
    Tuesday, August 11, 2009 8:21 PM

Answers

  • The system account is sandboxed and will not work off the host in most cases.  For this monitor to successfully run, you will need to map a run-as account to the appropriate profile for this monitor, and assign an authorized domain account, not a host, machine or local account.  Default action account will fail for this monitor because it requires specific domain level permissions that system accounts are not permitted to have.

    Microsoft Corporation
    • Marked as answer by Dan Rogers Wednesday, October 14, 2009 4:17 PM
    Wednesday, October 14, 2009 4:17 PM

All replies

  • Please take a look at this post http://ops-mgr.spaces.live.com/blog/cns!3D3B8489FCAA9B51!1077.entry; it contains a number of common AD MP alerts and resolutions to them.
    Anders Bengtsson | Microsoft MVP - Operations Manager | http://www.contoso.se
    Tuesday, August 11, 2009 8:39 PM
  • Sorry, but I've been through this post countless times.

    There is one item in there

    10) Check to make sure Active Directory shows up under Monitoring -> Distributed Applications as a distributed application that is in the Healthy, Warning or Critical state. If it is in the “Not Monitored” state, check for domain controllers that are not installed or are in a “gray” state.

    which is true (AD not monitored) but I assume this is due to the fact that there is no infrastructure master found.

    The other thing that matches my problems in this document is:

    Alert: Could not determine the FSMO role holder.

    Issue: Each domain controller in the environment reported the error when trying to determine the Schema Op Master on the various domain controllers. The rule generating this was “Could not determine the FSMO role holder”.

    Resolution: We used the NETDOM Query FSMO task (changing the Support Tools Install Dir to %windir%\system32) to validate the FSMO role holders on each domain controller.

    Executing this task brings out the correct FSMO role holders including Infrastructure Master. Also executing repadmin /replsum returns no errors.


    There are two more things I might add.
    1. Both DCs are virtualized using Hyper-V
    2. Active Directory is configured to "List Object" mode

    However, the thing I really find curious is that the script runs well when running under the adreplmon account from a command line and it fails when executed by the agent using the same user account.

    I hope you have more suggestions on how to solve this problem.

    Thank you.
    Best regards
    Sascha

    Tuesday, August 11, 2009 9:48 PM
  • Hi

    Have you run the HSLockdown tool:
    http://support.microsoft.com/kb/946428

    Cheers

    Graham
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Tuesday, August 11, 2009 10:05 PM
  • Hello,

    thank you for the suggestion. Neither method 1 nor 2 from the KB article worked.

    Using hslockdown /L didn't list "NT AUTHORITY\SYSTEM" as either allowed or denied, though.

    Regards
    Sascha
    Tuesday, August 11, 2009 10:23 PM
  • Hi Sascha

    Unless the account is listed as allowed, access is denied. It is similar to NTFS permissions. The reason for having a "denied" option is that if I am a member of 2 groups, one of which is allowed and one of which is denied, the denied takes precedence. So if NT Authority\System is not listed as allowed, then when you ran HSLockdown the change didn't take.

    What is the agent action account for the domain controllers? You can see this in Administration, Agent Managed. If it is local system then you'll need to use HSLockdown to allow local system to work.

    HSLockdown /A "NT Authority\System"

    An additional item to check: if you use ADSIEdit.msc, do you see the OpsMgrLatency counters created in the domain partition?

    Good Luck

    Graham
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Wednesday, August 12, 2009 7:02 AM
  • Hi Graham,

    I added the System account using HSLockdown and restarted the health service but it didn't change anything. After a minute the alerts are back.

    In ADSIEdit the container OpsMgrLatencyMonitor is created and two subcontainers (AD01 and ad02) are there though both of them are empty.

    Best regards
    Sascha
    Wednesday, August 12, 2009 7:19 AM
  • Hello,

    I added some debugging code to the script and found out that the problem is at the following point:

      strQuery = "<LDAP://" & strDnsDC & "/" & strNC & ">;(&(objectClass=" & strObjClass & ")(fSMORoleOwner=*));fSMORoleOwner;Subtree"
      Set rsResult = oADOConn.Execute(strQuery)
      If 0 <> Err Then
        CreateEvent EVENTID_SCRIPT_ERROR, EVENT_TYPE_WARNING, "The script '" & SCRIPT_NAME & "' failed to execute" & _
                                            "the following LDAP query: '" & strQuery & "'.  " & _
                                            vbCrLf & GetErrorString(Err.Number, Err.Description)
        Exit Function
      End If

      rsResult.MoveFirst
      <=== The error returned was 'Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.' (0xBCD)

    As I see it the LDAP query does not return any results. The LDAP query is <LDAP://ad01.e-xxxxxxxxxx.de/DC=e-xxxxxxxxxx,DC=de>;(&(objectClass=infrastructureUpdate)(fSMORoleOwner=*));fSMORoleOwner;Subtree

    However, it seems to work for the PDC emulator and RID master, which are queried for before the infrastructure master.

    Any help is appreciated

    Sascha
    Wednesday, August 12, 2009 8:56 PM
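As an added example (not code from the thread or from the AD MP itself), the three fSMORoleOwner lookups the MP script performs, reproduced in PowerShell under the current account so the empty-result case above can be checked per role; the DC name, naming context and class list are assumptions you need to adjust.

```powershell
# Added example, not the AD MP script: run the same LDAP query the MP uses,
# once per role-holder object, and report an empty result instead of crashing.
param(
    [string]$DnsDC    = 'ad01.example.com',     # assumption: FQDN of a DC
    [string]$DomainNC = 'DC=example,DC=com'     # assumption: domain naming context
)

function Get-FsmoOwnerByClass {
    param([string]$ObjectClass)
    $root = [ADSI]"LDAP://$DnsDC/$DomainNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Same filter shape as the MP script: the object of this class that carries fSMORoleOwner
    $searcher.Filter = "(&(objectClass=$ObjectClass)(fSMORoleOwner=*))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('fSMORoleOwner')
    $result = $searcher.FindOne()
    if ($null -eq $result) {
        # This is the condition the thread hit: the recordset is empty, so
        # MoveFirst fails. Under List Object mode it usually means the account
        # lacks List Contents / Read on the object, not that the role is unset.
        return [pscustomobject]@{ Class = $ObjectClass; Owner = $null
                                  Status = 'NO RESULT - check read/list rights on the object' }
    }
    return [pscustomobject]@{ Class  = $ObjectClass
                              Owner  = $result.Properties['fsmoroleowner'][0]
                              Status = 'OK' }
}

# domainDNS -> PDC emulator, rIDManager -> RID master,
# infrastructureUpdate -> infrastructure master (the one that failed above)
'domainDNS', 'rIDManager', 'infrastructureUpdate' | ForEach-Object { Get-FsmoOwnerByClass $_ }

# Cross-check against Windows' own view of the role holders:
#   netdom query fsmo
# and inspect the ACL on the object that returned nothing, e.g.:
#   dsacls "CN=Infrastructure,$DomainNC"
```

Run it once interactively and once as the agent action account (for example via a scheduled task) to see whether the empty result is account-specific.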
  • Hi Sascha,

    did you work out a solution for this specific problem yet?
    We were also having problems with some scripts from the admp.
    For us the solution was to change the default action account on all DCs to the same account as the admp replication account.

    Best Regards

    Jochen

    Wednesday, September 30, 2009 11:09 AM
  • Hi Jochen,

    for me it has been a problem with permissions on the InfrastructureMaster object. Because we are running in object list mode the action account did not have sufficient privileges.

    Best regards
    Sascha
    Wednesday, September 30, 2009 11:14 AM
  • Hi Jochen,

    for me it has been a problem with permissions on the InfrastructureMaster object. Because we are running in object list mode the action account did not have sufficient privileges.

    Best regards
    Sascha

    Hi Sascha,

    Can you also specify what permissions you have changed to make it work?

    Best regards
    Alexander
    Monday, December 14, 2009 12:06 PM