SCOM AD Monitoring

  • Question

  • Hi,

    I am not sure what is happening. I imported the 2008 AD management pack into SCOM a couple of weeks ago and it shows all the DCs with states.

    However, when I look into the Topology views, all views show Not Monitored (Topology, Connection Objects, AD Sites, AD Forests and Domains).

    Also, the AD Distributed Application "Active Directory Topology Root" shows as Not Monitored as well.

    I have enabled Proxy on all the DCs recently.

    All the SCOM agents on the DCs are installed through the SCOM console.

    The Action Account doesn't have permission on the DCs, so we used a Domain Admins account to discover and install the agent through the SCOM console.

    I am following http://opsmgrunleashed.wordpress.com/2009/09/29/opsmgr-r2-by-example-the-active-directory-management-pack/

    I followed Steps 1 - 6

    I didn't configure any AD account as mentioned in step 7.

    I see OpsMgrLatencyMonitors is present in AD and all my DC containers are there.

    I haven't installed OOMADs.msi.

    Any suggestions?

    Also, I see Event ID 61 on all our domain controllers for a particular DC:

    AD Replication Monitoring : The following DCs have not updated their OpsMgrLatencyMonitor objects within the specified time period (24 hours).  This is probably caused by either replication not occurring, or because the 'AD Replication Monitoring' script is not running on the DC.

    Format: DC, Naming Context, Hours since last update

    ABC
      ABCDC1, Domain:DC1.my.dimain.com, 69
      ABCDC1, NDNC:DC=DomainDnsZones,DC=my,DC=domain,DC=com, 69
      ABCDC1, NDNC:DC=ForestDnsZones,DC=my,DC=domain,DC=com, 69

    I don't know why this should come, I have not enabled the 

    Monday, January 7, 2013 9:09 AM
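
Added example (not part of the original post or of the management pack): a small Python parser for the Event ID 61 description quoted above. It splits each row on the first and last comma only, because naming contexts are distinguished names that themselves contain commas. The sample text is constructed from the message in the post, and treating the unindented `ABC` line as a grouping label is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the Event ID 61 text in the post.
SAMPLE_EVENT = """\
AD Replication Monitoring : The following DCs have not updated their \
OpsMgrLatencyMonitor objects within the specified time period (24 hours).

Format: DC, Naming Context, Hours since last update

ABC
  ABCDC1, Domain:DC1.my.dimain.com, 69
  ABCDC1, NDNC:DC=DomainDnsZones,DC=my,DC=domain,DC=com, 69
  ABCDC1, NDNC:DC=ForestDnsZones,DC=my,DC=domain,DC=com, 69
"""

def parse_event61(text):
    """Return (threshold_hours, rows) parsed from an Event ID 61 description."""
    m = re.search(r"\((\d+) hours\)", text)
    threshold = int(m.group(1)) if m else None
    rows, group, in_body = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Format:"):
            in_body = True          # data rows start after the format line
            continue
        if not in_body or not line:
            continue
        if "," not in line:
            group = line            # header such as "ABC" (assumed grouping label)
            continue
        # Naming contexts are DNs with commas: split on first and last comma only.
        dc, _, rest = line.partition(",")
        nc, _, hours = rest.rpartition(",")
        if not hours.strip().isdigit():
            continue                # skip rows that do not end in an hour count
        rows.append({"group": group, "dc": dc.strip(),
                     "naming_context": nc.strip(), "hours": int(hours)})
    return threshold, rows

def summarize(rows):
    """Per DC: the stale naming contexts and the largest age in hours."""
    out = defaultdict(lambda: {"contexts": [], "max_hours": 0})
    for r in rows:
        out[r["dc"]]["contexts"].append(r["naming_context"])
        out[r["dc"]]["max_hours"] = max(out[r["dc"]]["max_hours"], r["hours"])
    return dict(out)

if __name__ == "__main__":
    threshold, rows = parse_event61(SAMPLE_EVENT)
    for dc, info in summarize(rows).items():
        print(dc, info["max_hours"], "h over", threshold, "h limit:", info["contexts"])
```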

All replies

  • Did you run HSLockdown on the DCs?

    http://support.microsoft.com/kb/946428?wa=wsignin1.0

    I don't see it mentioned.

    Monday, January 7, 2013 9:46 AM
  • No, I didn't. Do I have to run this even if I install the agent using the SCOM console?
    Monday, January 7, 2013 10:03 AM
  • Yes, it's one of the things to do manually on a DC. Here is a blog that explains it more for you:

    http://thoughtsonopsmgr.blogspot.com/2009/09/hslockdown-explained.html

    And it looks like you are deploying agents to new DCs.

    There is also another step to take if you have Windows Server 2008 and R2 that is not fixed in the Management Packs. You can read about it here:

    http://blogs.technet.com/b/rohitkochher/archive/2011/11/17/3465922.aspx

    Monday, January 7, 2013 10:33 AM
  • I had used this method to install the SCOM agent on the domain controllers: http://blogs.technet.com/b/kevinholman/archive/2009/02/20/getting-and-keeping-the-scom-agent-on-a-domain-controller-how-do-you-do-it.aspx

    But I never did anything else.

    I do not have domain admin rights, so I will have to wait for a Domain Admin to run HSLockdown.

    I checked http://systemcentersolutions.wordpress.com/category/management-pack-active-directory/oomads-msi/

    It states we don't have to run OOMADs if we use the console to install the agent on DCs.

    I am not sure though.


    Monday, January 7, 2013 12:27 PM
  • That is correct, it gets deployed with the agent automatically when it is installed to a DC through the console.

    And also don't forget, if you have a Windows Server 2008 / R2 DC, to add the symbolic link as well:

    http://blogs.technet.com/b/rohitkochher/archive/2011/11/17/3465922.aspx

    Otherwise you will get some false alerts.

    Monday, January 7, 2013 12:59 PM
  • I checked Event Viewer on the DCs and do not see any Event IDs 7022 and 1120 in the OpsMgr log as explained in

    http://thoughtsonopsmgr.blogspot.com/2009/09/hslockdown-explained.html

    http://support.microsoft.com/kb/946428?wa=wsignin1.0

    The domain controllers are not grayed out. It is only that the topology view shows not monitored.

    I checked Add/Remove Programs for all the domain controllers and I see Active Directory Management Pack Helper Object installed on all DCs.

    I think we are moving in a different perspective on this post.

    Any other information?

    The only event that I see on the DCs is a warning:

    AD Replication Monitoring : The following DCs have not updated their OpsMgrLatencyMonitor objects within the specified time period (24 hours).  This is probably caused by either replication not occurring, or because the 'AD Replication Monitoring' script is not running on the DC.

    Format: DC, Naming Context, Hours since last update

    ABC
      ABCDC1, Domain:DC1.my.dimain.com, 69
      ABCDC1, NDNC:DC=DomainDnsZones,DC=my,DC=domain,DC=com, 69
      ABCDC1, NDNC:DC=ForestDnsZones,DC=my,DC=domain,DC=com, 69

    • Edited by Kitaab Tuesday, January 8, 2013 5:19 AM
    Tuesday, January 8, 2013 4:01 AM
  • Did you run HSLockdown on the DCs to allow the Health Service on the secure channel of AD?

    Because when you installed it through the console with the Domain Admins account, the agent registered some items, but HSLockdown must be done manually on the DC for security reasons, and therefore the script won't run again, because it used NT AUTHORITY\Authenticated Users, which is allowed.

    • Marked as answer by Nicholas Li (Moderator) Monday, January 14, 2013 4:45 AM
    • Unmarked as answer by Kitaab Thursday, January 24, 2013 8:08 AM
    Tuesday, January 8, 2013 7:45 AM
  • I checked thoughtsonopsmgr.blogspot.com/2009/09/hslockdown-explained.html

    When I run HSLockdown, I do not see Local System under denied.

    My DCs are not grayed out; they are being monitored fine.

    The only problem is that the AD Topology root is unmonitored / all topology views are unmonitored.

    Can I get some more advice on this situation?

    Thursday, January 24, 2013 8:13 AM
  • Hi Kitaab

    Is there a firewall between that DC and the SCOM servers?

    Regards.

    Thursday, January 24, 2013 11:47 AM
  • No firewall at all
    Friday, January 25, 2013 9:57 AM
  • Some other advice.
    Saturday, February 2, 2013 5:05 AM