Monitor AD in untrusted domains

  • Question

  • Hi.

    We are setting up SCOM 2007 R2 to monitor Windows machines in our hosting environment. Our customers have different domains, which have no trust with the domain the SCOM server is located in. I have set up certificates for agent communication, and it is working fine. We do, however, get a number of warnings on the domain controllers in the untrusted domains, about "Script based test failed to complete".

    Examples:

    AD Lost And Found Object Count : The script 'AD Lost And Found Object Count' failed to create object 'McActiveDir.ActiveDirectory'. This is an unexpected error.
    The error returned was 'ActiveX component can't create object' (0x1AD)

    AD Database and Log : The script 'AD Database and Log' failed to create object 'McActiveDir.ActiveDirectory'.
    The error returned was: 'ActiveX component can't create object' (0x1AD)

    AD Replication Monitoring : encountered a runtime error.
    Failed to create the 'McActiveDir.ActiveDirectory' object.
    The error returned was: 'ActiveX component can't create object' (0x1AD)

     

    Is it possible to get these scripts to work for DCs in untrusted domains, or do we have to disable monitoring of these things?

    Tuesday, July 5, 2011 11:42 AM

All replies

  • You'll need to configure the default accounts that run the Ops Mgr agent on the domain controllers to run with an account that has enough privilege to write into AD, the default "Local System" account doesn't have the relevant privileges.


    JW
    Tuesday, July 5, 2011 1:23 PM
  • Thanks for your reply. We tried selecting a domain admin account when installing the agent, but then we got a lot of errors regarding rule loading. Is there some specification available for what permissions are needed for the Agent run as account, or what security groups it needs to be member of?

    Or did you mean that we need to do some change in the Run as Configuration\Profiles on the SCOM server?

    Tuesday, July 5, 2011 2:02 PM
  • Yes, create an account on the SCOM server for the monitored domain and in the default action account profile, change the account on the domain controllers in the alternate domain.

    The AD MP Documentation goes into detail on the required privileges and is available for download from the MP Catalogue.

     


    JW
    Tuesday, July 5, 2011 2:21 PM
  • As these are manually installed agents, they don't get the needed helper objects. You'll have to copy the appropriate ones to those servers.

    http://jama00.wordpress.com/2010/01/26/monitoring-multiple-active-directory-forests-without-a-trust/

    BTW, I recommend using System as the AA; it is a lot safer than a "local admin" on a DC...


    Rob Korving
    http://jama00.wordpress.com/
    Wednesday, July 6, 2011 7:35 AM
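The check a practitioner would want before and after copying the helper objects, as an added example that is not part of the thread and is not Microsoft's or Rob's code: run it on a DC that raises the "failed to create object 'McActiveDir.ActiveDirectory'" alerts. It verifies that the COM ProgID quoted in the alerts is registered and can actually be instantiated (the same CreateObject call the MP's VBScript makes, whose failure is VBScript error 429, 0x1AD), and reports which account the agent's HealthService runs as, since that is the default action account unless a Run As profile overrides it. The helper-object installer path in the final comment is an assumption about the SCOM 2007 R2 media layout, not something the thread states; use Get-WmiObject rather than Get-CimInstance so it also runs on the PowerShell 2.0 that 2008 R2 DCs shipped with.

```powershell
# Added example (not from the thread). Run elevated on the monitored DC.

function Test-AdHelperObject {
    param([string]$ProgId = 'McActiveDir.ActiveDirectory')  # ProgID quoted in the alerts

    $result = New-Object PSObject -Property @{
        ProgId     = $ProgId
        Registered = $false
        Clsid      = $null
        Creatable  = $false
        Error      = $null
    }

    # 1. Is the ProgID registered at all? COM ProgIDs live under HKCR\<ProgID>\CLSID.
    #    On a 64-bit DC a 32-bit-only registration would sit under Wow6432Node instead,
    #    so check both; the agent's MonitoringHost must match the helper's bitness.
    $keys = @(
        "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\$ProgId\CLSID"
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $result.Registered = $true
            $result.Clsid      = (Get-Item $key).GetValue('')
            break
        }
    }

    # 2. Can it be instantiated? This is what CreateObject("McActiveDir.ActiveDirectory")
    #    does inside the AD MP scripts; failure here is what the alerts report.
    try {
        $null = New-Object -ComObject $ProgId
        $result.Creatable = $true
    }
    catch {
        $result.Error = $_.Exception.Message
    }

    return $result
}

function Get-AgentActionAccount {
    # The Ops Mgr agent is the HealthService service. Its logon account is the
    # default action account for scripts unless a Run As profile overrides it.
    # 'LocalSystem' here corresponds to the "Local System" setting discussed above.
    Get-WmiObject -Class Win32_Service -Filter "Name='HealthService'" |
        Select-Object Name, StartName, State
}

# Usage: print both checks.
Test-AdHelperObject | Format-List ProgId, Registered, Clsid, Creatable, Error
Get-AgentActionAccount | Format-List

# If Creatable is $false, install the AD MP helper objects on the DC and re-run.
# Assumed location on the SCOM 2007 R2 media (verify on your copy):
#   <media>\HelperObjects\AMD64\OOMADs.msi   (x86 DCs: <media>\HelperObjects\x86\OOMADs.msi)
# Example install:  msiexec /i "D:\HelperObjects\AMD64\OOMADs.msi" /qn
```

If Registered is true but Creatable is false, the registration points at a DLL that is missing or of the wrong bitness for the agent; if both are false, the helper objects were never installed, which is the situation Rob describes for manually installed agents. Leave the action account as LocalSystem unless the AD MP documentation JW refers to requires otherwise; the helper-object fix does not need a domain account on the DC.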
  • Thanks, that did the trick.
    Wednesday, July 6, 2011 12:21 PM