****
*
*
*
*







*
*
                                      
*
*
Windows Server



    

Monitoring Active Directory Health    

*
*

*
*

Monitoring Active Directory Health



Jan
15

Monitoring Active Directory Health

http://technet.microsoft.com/en-us/library/cc180912.aspx

Monitoring Active Directory Health

Active Directory Management Pack (ADMP) monitors Active Directory — and the external components that are related to Active Directory — to ensure that their ongoing behavior falls within the bounds of normal, healthy Active Directory behavior. The ADMP definitions for the health of Active Directory and its related components are contained in the more than 400 ready-to-run rules that are included with ADMP. After MOM and ADMP are installed, these rules begin to monitor Active Directory and related component behavior immediately and automatically, and they alert you whenever unexpected behavior occurs.

 

Note

ADMP will not monitor events that occur as a result of Active Directory installation or removal, or domain rename operations.

 

Processing Rules and Operating System Versions

 

You can use ADMP to monitor domain controllers running Microsoft Windows® 2000 Server and Windows Server 2003. ADMP includes groups of rules that apply to both Windows 2000 Server and Windows Server 2003, as well as rules that apply only to one operating system or the other:

  • The Active Directory Windows 2000 rule group applies only to domain controllers running Windows 2000 Server.
  • The Active Directory Windows 2000 and Windows Server 2003 rule group applies to domain controllers running Windows 2000 Server or Windows Server 2003.
  • The Active Directory Windows Server 2003 rule group applies only to domain controllers running Windows Server 2003.

MOM applies the appropriate ADMP rules to the appropriate domain controllers automatically, based on the operating system that is running on each domain controller. No manual configuration is required.

 

Monitoring Active Directory Components

 

The following sections provide an overview of the ADMP rules that are used to monitor each of the Active Directory components along with the external components on which Active Directory depends.

Note

In addition to the rules that are listed in the tables in this section, ADMP includes rules that are triggered when an ADMP configuration or run-time error is encountered. ADMP also includes several “Miscellaneous componentname error” rules that are designed to monitor event numbers that are not generated by current operating system versions but may be introduced by future product updates and service packs. In addition, ADMP also includes several “Reportname report available” rules that are designed to notify administrators when data that is collected by ADMP is available for viewing.

Interfaces

 

The following sections describe ADMP monitoring of the Active Directory protocol interfaces, which are sometimes referred to as protocol heads.

 

LDAP

LDAP is the standard protocol that directory clients use to gain access to data that is held by directory servers. LDAP supports a relatively simple set of operations, such as bind, unbind, read, and modify. LDAP is the primary interface to Active Directory, and it is responsible for packaging and interpreting LDAP packets over the network. By performing LDAP binds and searches against a domain controller, ADMP can take a basic measure of Active Directory health. The LDAP response time requirements vary by directory-enabled applications, but they are generally on the order of one second.

In addition to monitoring for specific events, ADMP monitors the general responsiveness of the LDAP interface with the AD General Response monitoring script. For more information about this script, see "Active Directory Management Pack Scripts” later in this document.

The following table lists each rule that ADMP uses to monitor the LDAP interface, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Active Directory Last Bind - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Bind response time is greater than 30 seconds.

– Or –

Bind response time is greater than 15 seconds and less than 30 seconds.

– Or –

Bind response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Active Directory Last Bind.

Critical Error

Error

Warning

An Intersite Messaging service request to modify an LDAP object failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1407.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

LDAP agent cannot open security provider

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1238.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

LDAP connection closed because maximum connections were exceeded

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1210.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service cannot perform a requested LDAP bind operation

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1824.

Error

The Inter-Site Messaging Service requested to abandon an LDAP notification message

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Directory Service Event ID equals 1823.

Error

 

Global catalog

Directory clients use the global catalog interface to perform forest-wide searches by querying a single server. By performing global catalog binds and searches against a domain controller, ADMP can take a basic measure of Active Directory health. The global catalog response time requirements vary by directory-enabled applications, but they are generally on the order of one second.

In addition to monitoring for specific events, ADMP monitors the health of the global catalog interface with the AD Global Catalog Search Response script. For information about this script, see "Active Directory Management Pack Scripts" later in this document. For more information about global catalog discovery using the ADMP Client Pack see "AD Client GC Availability" later in this document.

The following table lists each rule that ADMP uses to monitor the global catalog interface, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Global Catalog Search Time - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Response time is greater than 30 seconds.

– Or –

Response time is greater than 15 seconds.

– Or –

Response time is greater than 5 seconds.

Object equals ActiveDirectoryMP.

Counter equals Global Catalog Search Time.

Critical Error

Error

Warning

AD Global Catalog search failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 21026.

Source Name equals AD Global Catalog Search Response

Error

DC is both a Global Catalog and the Infrastructure Update master

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1419.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

The system failed to promote this server into a Global Catalog

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1790.

Error

Unable to establish connection with any Global Catalog(s)

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1126.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

This domain controller failed to register as (and will not advertise as) a global catalog

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 1992.

Warning

 

MAPI

 

Messaging clients, such as Microsoft Outlook, use the Microsoft Messaging API (MAPI) interface to gain access to data (for example, telephone numbers) that is held by Active Directory. No specific health measurements exist for the MAPI interface, and ADMP does not currently include any monitoring rules that are specific to MAPI.

Replication Subsystem

The replication subsystem is used to maintain data consistency across all domain controllers in a domain or forest. Active Directory uses the replication remote procedure call (RPC) interface over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP) to replicate data between domain controllers. The Knowledge Consistency Checker (KCC), which is part of the replication subsystem, automatically computes the most efficient replication topology for your network based on information that you provide to Active Directory about your network topology. In addition, the KCC regularly recalculates the replication topology to adjust for any network changes that occur.

Replication is one of the most important processes in Active Directory; therefore, it is monitored regularly by ADMP. ADMP monitors replication with several monitoring scripts, including AD Replication Monitoring and AD Replication Partner Count. For more information about these scripts see "Active Directory Management Pack Scripts" later in this document.

In addition, ADMP monitors specific replication-related events, and it collects replication performance data for several replication-related ADMP reports. The following table lists each rule that ADMP uses to monitor replication, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

A domain controller has an extremely high number of replication partners

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20081.

Event Type equals Error.

Source Name equals AD Replication Partner Count.

Error

A lingering object has been detected. Replication has been blocked.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1388.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

AD Replication Monitoring - Time skew detected

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20063.

Source Name equals AD Replication Monitoring.

Error

Certificate for intersite replication was rejected

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number matches Boolean regular expression 1222|1223.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Direct replication cannot occur as configured

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1090.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Initial replication after domain controller promotion has not completed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20069.

Source Name equals AD Replication Monitoring.

Error

KCC cannot compute a replication path

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1311.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC cannot compute a replication path

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1311.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC cannot configure replication topology due to ISM failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1312.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC failed to initialize

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1008.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC failed to stop

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1024.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC failed to update replication topology

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1130.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC is ignoring a replication path because non-intersecting schedules are preventing replication along that path

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1788.

Error

None of the preferred bridgehead servers can replicate the directory partition

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1567.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Replication error

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1694.

Error

Replication has been aborted

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1791.

Error

Replication is not occurring - All replication partners have failed to synchronize

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20064.

Source Name equals AD Replication Monitoring.

Error

The AD replication process is unable to continue

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1107.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

The Knowledge Consistency Checker (KCC) detected an incompatible up-to-dateness vector format

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 1910.

Error

The local domain controller has denied a replication attempt on a directory partition. This may pose a security risk.

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 1964.

Error

This server cannot process the replication request

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1700.

Error

This source server failed to add schema information for the mail replication request

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1701.

Error

A domain controller has an unusually high number of replication partners

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20081.

Event Type equals Warning.

Source Name equals AD Replication Partner Count.

Warning

A domain controller has an extremely high number of replication partners

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20082.

Source Name equals AD Replication Partner Count.

Error

A domain controller made a replication request for a writable directory partition that has been denied by the local domain controller

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 1977.

Warning

A replication island has been detected. Replication will not occur across the enterprise.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20080.

Source Name equals AD Replication Partner Count.

Warning

Active Directory cannot set the replication consistency registry key

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 2033.

Warning

Active Directory encountered a replication error. Replication will be delayed.

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 1958.

Warning

AD Replication is occurring slowly

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20062.

Source Name equals AD Replication Monitoring.

Warning

AD Replication Monitoring - Access Denied

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20067.

Source Name equals AD Replication Monitoring.

Warning

Replication has been stopped with a source

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 2042.

Warning

Some replication partners have failed to synchronize

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20065.

Source Name equals AD Replication Monitoring.

Warning

The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected.

Event

Active Directory Windows Server 2003 - Active Directory General

Event Number equals 2002.

Warning

WMI Replication Provider is not installed - Replication cannot be monitored fully.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20068.

Source Name equals AD Replication Monitoring.

Warning

 

SAM

 

Security Accounts Manager (SAM) is used for verifying passwords and for checking passwords against any existing password policies that are in effect on a domain controller. In addition, SAM provides legacy support for Microsoft Windows NT® 4.0 users and groups.

The following table lists each rule that ADMP uses to monitor SAM, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

An attempt to check whether group caching is enabled has failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 12299.

Source Name equals SAM.

Error

An attempt to update user credentials failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 12302.

Source Name equals SAM.

Error

Domain Operation Mode has been changed to Native Mode

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16408.

Source Name equals SAM.

Information

The domain controller is booting to directory services restore mode

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16652.

Source Name equals SAM.

Information

The group caching option has now been properly updated

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 12300.

Source Name equals SAM.

Information

This domain controller has been promoted to PDC

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 12297.

Source Name equals SAM.

Information

Account creation will fail on this domain controller until the account identifier pool is obtained

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16643.

Source Name equals SAM.

Warning

The account identifier pool for this domain controller cannot be updated

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16641.

Source Name equals SAM.

Warning

The DC was unable to obtain the next account-identifier

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16651.

Source Name equals SAM.

Warning

The domain controller failed to obtain a new account identifier pool

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16651.

Source Name equals SAM.

Warning

Account Changes Report Available1

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Responds to Event IDs included in the SAM Account Errors report.

Source Name equals SAM.

Information

Miscellaneous SAM Errors2

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Only responds to Event IDs with a severity of Error or above that are not known at the time that ADMP for MOM 2005 is released.

Source Name equals SAM.

Error

The Domain Changes report has data available

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Responds to Event IDs that are included in the Domain Changes report.

Source Name equals SAM.

Information

 

1 The report name that is referenced in the rule name is incorrect. The correct report name is SAM Account Errors. This rule, indicating that the Account Changes Report is available, actually indicates that the SAM Account Errors report is available.

 

2 The Miscellaneous SAM Errors rule is a "Miscellaneous componentname error" rule, which is described in "Monitoring Active Directory Components" earlier in this document. This rule is designed to monitor event numbers that are not generated for current operating system versions but may be introduced by future product updates and service packs.

 

Intersite Messaging

 

The Intersite Messaging service is required by domain controllers that are not in an Active Directory forest that is operating at the Windows Server 2003 forest functional level. It enables multiple transports, including SMTP, to be used in intersite messaging. The Intersite Messaging service provides services to the KCC in the form of queries for available replication paths. It also enables messaging communication that can use SMTP servers other than the servers that are dedicated to processing e-mail applications.

The following table lists each rule that ADMP uses to monitor Intersite Messaging, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Inter-Site Messaging (ISM) Service SMTP Transport plug-in has determined that one or more classes from CDO library are not registered as expected

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1527.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Inter-Site Messaging (ISM) Service SMTP Transport plug-in has encountered an unexpected error from CDO library

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1528.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Inter-Site Messaging Service SMTP Transport plug-in failed to read the SMTP mail message

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1405.

Provider Name equals Directory Service.

Error

Inter-Site Messaging Service SMTP Transport plug-in failed to bind the event sink ismsink.dll to the SMTP Service

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1468.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Inter-Site Messaging Service SMTP Transport plug-in failed to add SMTP routing domain

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1466.

Provider Name equals Directory Service.

Error

Inter-Site Messaging Service SMTP Transport plug-in failed to register the event sink ismsink.dll

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1467.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Intersite Messaging Service has resumed running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38905.

Source equals AD Essential Services Running script.

Information

Intersite Messaging Service is not running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals38905.

Source equals AD Essential Services Running script.

Error

Intersite Messaging Service SMTP Transport received a delivery failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1448.

Provider Name equals Directory Service.

Error

ISM cannot receive messages

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1373.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

ISM Request Failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number matches Boolean regular expression 137[456].

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

ISM transport has been shut down

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1378.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service cannot allocate memory

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1815.

Provider Name equals

Error

The Inter-Site Messaging Service cannot perform a requested LDAP bind operation

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1824.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service encountered a malformed transport distinguished name

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1814.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service encountered an error while attempting to start the Service Control Dispatcher

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1811.

Provider Name Equals Directory Service.

Error

The Inter-Site Messaging Service failed to create an event

Event

Active Directory Windows 2000 and Windows Server 2003

Event ID equals 1813.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service failed to initialize

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1812.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service failed to start

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1816 and 1817.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service failed to start the RPC server

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1818, 1819, 1820, and 1821.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service failed to wait for a message

Event

Active Directory Windows 2000 and Windows Server 2003

Event Name equals 1810.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service requested to abandon an LDAP notification message

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 1823.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service SMTP Transport plug-in failed to remove SMTP routing domain

Event

Active Directory Windows 2000 and Windows Server 2003

Event Name equals 1834.

Provider Name equals Directory Service.

Error

 

LSASS

 

From the perspective of CPU utilization, Active Directory is represented on a domain controller by the Local Security Authority Subsystem (LSASS) process.

ADMP monitors LSASS with the AD CPU Overload script and also by monitoring an LSASS-specific performance counter: Process Private Bytes LSASS 15 minutes. By default, ADMP generates a Warning alert when average LSASS CPU utilization exceeds 80 percent over 10 samples taken one minute apart.

The following table lists each rule that ADMP uses to monitor LSASS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

LSASS Error Messages

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Type equals Error.

Source Name equals LSASERV.

Error

The LSASS process is using a high percentage of available CPU time

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 20071.

Source Name equals AD CPU Overload.

Warning

 

Active Directory Database

 

ADMP contains rules for monitoring database and log files in the Active Directory database and rules for monitoring the quantity of lost and found objects on a domain controller.

 

Database and log files

 

By default, ADMP monitors the Active Directory database files and log files every 15 minutes for file size, and it monitors free disk space on the hosting volumes, using the AD Database and Log File script:

  • If the database file or log file grows between measurements by more than 20 percent, which represents a fixed percentage in ADMP that cannot be modified, ADMP generates a Warning alert unless the domain controller is a new domain controller and it is performing its initial replication.
  • If the free space on the volume hosting the Active Directory database is not at least 500 megabytes (MB) or 20 percent of current database size, whichever is greater, ADMP generates an Error alert.
  • If the free space on the volume hosting the Active Directory log files is not at least 200 MB or 5 percent of current database size, whichever is greater, ADMP generates an Error alert.

The following table lists each rule that ADMP uses to monitor database and log files, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

The Active Directory database is corrupt

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 404.

Source Name equals NTDS ISAM.

Critical

AD cannot update object because the disk containing the database is full

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1480.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

AD database is corrupt

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1017.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Database and Log File Drive Space - Error

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20333.

Source Name equals AD Database and Log.

Error

 

Lost and found objects

 

On a domain controller, the Lost and Found container contains Active Directory objects that have been orphaned. An object is orphaned when the object is created on one domain controller and the container in which the object is placed is deleted from the directory on another domain controller before the object has a chance to replicate. An orphaned object is automatically placed in the Lost and Found container where it can be found by an administrator, who must determine whether to move or delete the object.

The AD Lost and Found Object Count script in ADMP monitors the number of orphaned objects on a domain controller every two hours. The script generates a Warning alert if more than 10 objects exist in the Lost and Found container. The script generates an Error alert if more than 100 objects exist in the Lost and Found container.

The following table lists each rule that ADMP uses to monitor lost and found objects, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Active Directory Lost Objects - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

More than 100 objects exist in the Lost and Found container.

– Or –

More than 10 objects exist in the Lost and Found container.

Error

Warning

 

Operations Masters (FSMOs)

 

Much of the monitoring of the operations master roles (also known as flexible single master operations (FSMO)) in ADMP occurs in the AD Op Master Response script. By default, this script runs every five minutes to determine if the operations master role holders are responding, and it reports alerts at various levels, depending on whether the role holders are reachable and how quickly they respond.

ADMP also includes the AD Replication Partner Op Master Consistency script for operations master monitoring. This script runs every hour to determine if domain controller replication partners agree on the identity of the role holders, and it generates alerts if domain controllers disagree on the current role holders.

The following table lists each rule that ADMP uses to monitor operations masters, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Op Master Domain Naming Last Bind - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Average response time is greater than 30 seconds.

– Or –

Average response time is greater than 15 seconds and less than 30 seconds.

– Or –

Average response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Op Master Domain Naming Last Bind.

Critical Error

Error

Warning

Op Master Infrastructure Last Bind - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Average response time is greater than 30 seconds.

– Or –

Average response time is greater than 15 seconds and less than 30 seconds.

– Or –

Average response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Op Master Infrastructure Last Bind.

Critical Error

Error

Warning

Op Master PDC Last Bind - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Average response time is greater than 30 seconds.

– Or –

Average response time is greater than 15 seconds and less than 30 seconds.

– Or –

Average response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Op Master PDC Last Bind.

Critical Error

Error

Warning

Op Master RID Last Bind - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Average response time is greater than 30 seconds.

– Or –

Average response time is greater than 15 seconds and less than 30 seconds.

– Or –

Average response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Op Master RID Last Bind.

Critical Error

Error

Warning

Op Master Schema Last Bind - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Average response time is greater than 30 seconds.

– Or –

Average response time is greater than 15 seconds and less than 30 seconds.

– Or –

Average response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Op Master Schema Last Bind.

Critical Error

Error

Warning

DC is both a Global Catalog and the Infrastructure Update master

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 1419.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Failed to ping or bind to the Domain Naming Master FSMO role holder

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20003.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the Infrastructure Master FSMO role holder

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20007.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the RID Master FSMO role holder

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20015.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the PDC Master FSMO role holder

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20011.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the Schema Master FSMO role holder

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20019.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Contacting the Domain Naming FSMO Role Holder has completed successfully

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20003.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Contacting the Infrastructure FSMO Role Holder has completed successfully

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20007.

Event Type equals None.

Source Name equals AD Op Master Response

Success

Contacting the PDC FSMO Role Holder has completed successfully

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20011.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Contacting the RID Master FSMO Role Holder has completed successfully

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20015.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Contacting the Schema Master FSMO Role Holder has completed successfully

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20019.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

 

Monitoring External Components

 

The following sections describe ADMP monitoring of components that are external to Active Directory.

 

SYSVOL

 

SYSVOL is the shared directory on domain controllers that contains Group Policy and logon script information. SYSVOL is important because it is a prerequisite for the Net Logon service to advertise Domain Name System (DNS) records in Active Directory–integrated DNS. Replication of SYSVOL is handled by FRS.

ADMP monitors the SYSVOL shared directory on managed computers with the AD Essential Services script. ADMP monitors SYSVOL to make sure that it is available for connection.

 

The following table lists each rule that ADMP uses to monitor SYSVOL, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

A journal wrap error has occurred on the SYSVOL

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL

Event Number equals 13568.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Error

Cannot connect to local SYSVOL share

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38906.

Source Name equals AD Essential Services Running.

Error

FRS has not replicated one or more files in the SYSVOL to other domain controllers

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL

Event Number equals 13569.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Warning

 

FRS

 

FRS is responsible for the replication of the SYSVOL share.

ADMP monitors the status of FRS with the AD Essential Services script and by monitoring event IDs from FRS in the event log.

 

The following table lists each rule that ADMP uses to monitor FRS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

File Replication Service is not running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38901.

Event Type equals Error.

Source Name equals AD Essential Services Running.

Error

File Replication Service has resumed running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38901.

Event Type equals Information.

Source Name equals AD Essential Services Running.

Information

FRS is scanning the system volume before sharing it

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL

Event Number equals 13566.

Source Name equals NtFrs.

Information

 

Note

 

For more in-depth monitoring of SYSVOL and FRS, you can download and install the Ultrasound tool from Monitoring and Troubleshooting the File Replication Service on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=25827. Ultrasound shows health ratings and historical information about FRS replica sets. You can use it to monitor the progress of replication and to detect problems that can cause replication to become backlogged or stop. Ultrasound also provides detailed views for troubleshooting and a framework that you can use to customize alerts and views for your organization.

 

Net Logon Service and Domain Controller Locator

 

Active Directory uses the Net Logon service to establish a secure channel between domain controllers and directory clients. ADMP monitors the Net Logon service with event messages and with the AD Essential Services script.

Domain controller Locator is a function that is performed by the Net Logon service, and it is monitored by the AD Essential Services script.

The following table lists each rule that ADMP uses to monitor the Net Logon service and domain controller Locator, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Session setup failed because no trust account exists: Script - AD Validate Server Trust Event

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5723.

Source Name equals NetLogon.

Critical Error

Security: Two computers involved in a trust relationship have the same machine security identifier (SID). Windows should be re-installed on one of the machines.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5516.

Message DLL equals NetMsg.dll.

Provider Name equals System.

Error

A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5517.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

An account name collision occurred - this may result in authentication failures

Event

Active Directory Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5800.

Source Name equals NetLogon.

Warning

Global group SERVERS exists and has members. This group defines Lan Manager BDCs in the domain. Lan Manager BDCs are not permitted in Active Directory domains.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5772.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

Manual deregistration of some DNS records is required

Event

Active Directory Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5808.

Source Name equals NetLogon.

Warning

NetLogon cannot register a name

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5741.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

No suitable domain controller is available for authentication in this domain

Event

Active Directory Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5790.

Source Name equals NetLogon.

Warning

The computer cannot function properly for authentication purposes

Event

Active Directory Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5791.

Source Name equals NetLogon.

Warning

The computer name cannot be mapped to an object in Active Directory - this may result in authentication failures

Event

Active Directory Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5801.

Source Name equals NetLogon.

Warning

The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure

Event

Active Directory Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5809.

Source Name equals NetLogon.

Warning

The session setup from a machine failed because no trust account exists.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5723.

Source Name equals NetLogon.

Warning

The session setup to another domain failed because the domain does not have an account for the computer.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5721.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

The session setup to the domain controller failed because the computer does not have a local security database account.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5720.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator

Event Number equals 5773.

Source Name equals NetLogon.

Error

 

DNS

 

Active Directory advertises its directory services with DNS using service (SRV) and host address (A) records. Active Directory uses the name resolution services that are provided by DNS to enable clients to locate domain controllers and to enable the domain controllers that host the directory service to communicate with each other.

ADMP monitors DNS with event messages and with the AD DNS Verification script.

The following table lists each rule that ADMP uses to monitor DNS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

A DNS server used by this server for name resolution did not respond within the timeout interval

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator

Event Number matches Boolean regular expression 11150|11162.

Source Name equals DNSAPI.

Error

A resource record for the computer name of the DC is not registered in the DNS database

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator

Event Number matches Boolean regular expression 11151|11155|11163|11167.

Source Name equals DNSAPI.

Error

The DNS server with which this DC will register does not support the dynamic update protocol or the authoritative zone is not configured to allow dynamic updates

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator

Event Number matches Boolean regular expression 11152|11153|11164|11165.

Source Name equals DNSAPI.

Error

DNS registrations of essential Domain controller records is failing because the Active Directory Domain is a single label domain for Windows 2000 SP 4 and 2003

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

Event Number equals 20072.

Source Name equals AD DNS Verification.

Error

 

W32Time (Time Synchronization)

 

The Kerberos authentication protocol gets its time from the domain controller on which it is running, and it uses that time to determine ticket expiration times and to resolve replication conflicts. If a time skew of greater than five minutes exists between domain controllers, Kerberos authentication fails, which causes problems in Active Directory. The Windows Time service (W32Time) synchronizes the time between domain controllers, which prevents time skews from occurring.

 

ADMP monitors W32Time with the AD Essential Services script.

 

The following table lists each rule that ADMP uses to monitor W32Time, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

An attempt to shift time by more than 12 hours was aborted

Event

Active Directory Windows 2000 - Active Directory - Timesync

Event Number equals 14.

Source Name equals W32Time.

Warning

Time has not synchronized for a long time

Event

Active Directory Windows 2000 - Active Directory - Timesync

Event Number equals 25.

Source Name equals W32Time.

Warning

An attempt to set the time was aborted due to the offset being too large

Event

Active Directory Windows Server 2003 -Active Directory - Timesync

Event Number equals 34.

Source Name equals W32Time.

Error

No input provider to sync time

Event

Active Directory Windows Server 2003 -Active Directory - Timesync

Event Number equals 21.

Source Name equals W32Time.

Error

The system clock has not been synchronized for some time

Event

Active Directory Windows Server 2003 -Active Directory - Timesync

Event Number equals 36.

Source Name equals W32Time.

Warning

 

Kerberos and NTLM

 

Kerberos is a standards-based authentication protocol that is the preferred authentication method for Windows 2000 and Microsoft Windows® XP clients. NTLM is a legacy authentication protocol that is used by Microsoft Windows® 98 and earlier clients and by Windows NT clients. Kerberos is more secure than NTLM, and it offers delegation abilities that NTLM does not offer. The Kerberos authentication protocol is implemented by the Kerberos Key Distribution Center service.

The following table lists each rule that ADMP uses to monitor Kerberos and the KDC, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Duplicate User Principal Names have been detected

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 11.

Source Name equals KDC.

Parameter 2 matches regular expression (8)|(DS_USER_PRINCIPAL_NAME).

Critical Error

Kerberos Key Distribution Center Service (KDC) is not running

Event

Active Directory Windows 2000 and Windows Server 2003 -Active Directory - General

Event Number equals 38903.

Event Type equals Error.

Source Name equals AD Essential Services Running.

Error

Invalid Policy Data

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 17.

Event Type equals Error.

Source Name equals KDC.

Error

Change Password on KRBTGT Account Failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 10.

Event Type equals Error.

Source Name equals KDC.

Error

Corrupt Credentials

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 13.

Event Type equals Error.

Source Name equals KDC.

Error

Invalid Forwarded AS Request

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 15.

Event Type equals Error.

Source Name equals KDC.

Error

No Key to Generate Kerberos Ticket

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number matches Boolean regular expression 8|14|16.

Event Type equals Error.

Source Name equals KDC.

Error

PAC Verification Failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 18.

Event Type equals Error.

Source Name equals KDC.

Error

Policy Update Failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 5.

Event Type equals Error.

Source Name equals KDC.

Error

Trusted Domain List Update Failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 6.

Event Type equals Error.

Source Name equals KDC.

Error

Unexpected SAM Failure

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 7.

Event Type equals Error.

Source Name equals KDC.

Error

Kerberos Key Distribution Center Service (KDC) has resumed running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - General

Event Number equals 38903.

Event Type equals Information.

Source Name equals AD Essential Services Running.

Information

 

Trusts

 

Trusts are relationships that are established between domains or forests that enable users in one domain or forest to be authenticated by a domain controller in another domain or forest. Trusts allow users in one domain or forest to access resources in a different domain or forest.

 

On domain controllers running Windows Server 2003, trusts are monitored by the AD Monitor Trusts script. This script does not run on domain controllers running Windows 2000 Server.

 

The following table lists each rule that ADMP uses to monitor trusts, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

A problem has been detected with the trust relationship between two domains

Event

Active Directory Windows Server 2003 - Active Directory Monitor Trusts

Event Number equals 20083.

Source Name equals AD Monitor Trusts.

Error

A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5517.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

 

Group Policy

 

Use the Group Policy rules in ADMP if you do not have Group Policy Management Pack (GPMP) installed. However, if you want to take advantage of the most up-to-date Group Policy monitoring capabilities, install GPMP. If you have both ADMP and GPMP installed, it is recommended that you disable the Group Policy rules that are available in ADMP and use only the rules in GPMP to monitor Group Policy.

 

The following table lists each rule that ADMP uses to monitor Group Policy, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Cannot process client side group policy extension

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1003.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - cannot connect to the Directory Service

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number matches Boolean regular expression 1005|1006.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - cannot determine site

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1007.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - reboot this machine

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1035.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - the search for the root AD object failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1008.

Source Name equals UserEnv.

User Name equals System.

Error

Local group policy is disabled

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1004.

Source Name equals UserEnv.

User Name equals System.

Error

Unexpected Error applying group policy to machine account

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1000.

Source Name equals UserEnv.

User Name equals System.

Error

A Group Policy object cannot be found in Active Directory

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1102.

Source Name equals UserEnv.

User Name equals System.

Warning

A Group Policy Object has not been processed because the filter check could not be performed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1104.

Source Name equals UserEnv.

User Name equals System.

Warning

A Group Policy Object is corrupt.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1057.

Source Name equals UserEnv.

User Name equals System.

Warning

Cross-domain Group Policy processing has been aborted because the other domain cannot be reached

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1105.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing aborted because a filter check for the GPO failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1065.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing aborted because the common name for the GPO cannot be accessed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1059.

Source Name equals UserEnv.

User Name equals System.

Warning

Group policy processing aborted because the GPO does not have a version number

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1060.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted (in planning mode) because the user/computer does not have access to a required object

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1100.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because an invalid class of object was discovered

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1077.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because GPO lists cannot be set up

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1075.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because of an invalid access configuration

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1081.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the extensions from the registry cannot be read

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1066.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the file gpt.ini cannot be accessed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1058.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the GPLink property of an object cannot be accessed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1099.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the GPO does not have a functionality version number

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1072.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the user does not have access to an object

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1101.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because a security check failed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1064.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because historical data cannot be moved from the users old SID to their new one

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1084.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because security cannot be set on Group Policy events

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1094.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the refresh timer cannot be set

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1082.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the search for objects cannot be completed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number matches Boolean regular expression 1079|1080.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the security ID of the user cannot be obtained

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1078.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the users security ID cannot be written to the registry

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1083.

Source Name equals UserEnv.

User Name equals System.

Warning

The Group Policy client side extension failed to execute

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1085.

Source Name equals UserEnv.

User Name equals System.

Warning

The WMI service is disabled. A Group Policy object has not been processed

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1106.

Source Name equals UserEnv.

User Name equals System.

Warning

There are no domain-based Group Policy objects for this user/computer.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv

Event Number equals 1103.

Source Name equals UserEnv.

User Name equals System.

Warning

 

 

Additional Active Directory Management Pack Rules

 

In addition to the rules listed earlier in this document, ADMP includes rules that sample performance counters to collect data, and it includes rules that are designed to notify administrators when data that is collected by ADMP is available for viewing. ADMP also includes rules that are generated when an ADMP configuration or run-time error is encountered.

 

Measuring Rules

 

Measuring rules sample performance counters and store the performance data in the MOM database. The following table lists each ADMP measuring rule, the rule type, and the rule group to which the rule belongs.

Rule

Rule Type

Rule Group

LDAP Client Sessions

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

LDAP Searches/sec

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

LDAP UDP Operations/sec

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

LDAP Writes/sec

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

LSASS Handle Count

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

LSASS Private Bytes

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

LSASS Total CPU

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

Kerberos Authentications/sec

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

NTLM Authentications/sec

Measuring

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

 

Collection Rules

 

Collection rules collect events and store the event data in the MOM database.

 

Note

In general, collection rules are used to generate data for reports, and they do not generate alerts.

 

The following table lists each ADMP collection rule; the rule type; the rule group to which the rule belongs; and event criteria, including the source and event ID, if applicable.

Rule

Rule Type

Rule Group

Event Criteria

Collection rule for the Replication Collisions Report

Collection

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

Event Number equals 1233.

Collection rule for the Replication Failures Report

Collection

Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

Event Number equals any of the following: 1425, 1531, 1075, 1532, 1096, 1014, 1455, 1274, 1098, 1100, 1457, 1077, 1308.

A well known account has been recreated because it did not exist

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16406.

Source Name equals SAM.

A well known group has been recreated because it did not exist

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16407.

Source Name equals SAM.

Accounts with the same SID have been detected - one has been deleted

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 12303.

Source Name equals SAM.

An account cannot be added to the group

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number matches Boolean regular expression 16392|16394.

Source Name equals SAM.

Duplicate account names were detected - one account has been renamed

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 12304.

Source Name equals SAM.

Setting the administrators password failed. It has been reset to blank.

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16397.

Source Name equals SAM.

This domain controller will not start up because its machine account has been deleted

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors

Event Number equals 16405.

Source Name equals SAM.

Account Name Not Unique

Collection

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC

Event Number equals 11.

Event Type equals Error.

Source Name equals KDC.

 

General ADMP Rules

 

ADMP generates certain rules when it encounters a configuration or run-time error. The following table lists each general ADMP rule; the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

Script Based Test Failed to Complete

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 21000.

Source Name matches wildcard AD*.

Warning

Script Parameters are configured incorrectly

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 20066.

Source Name matches wildcard AD*.

Warning

Script success event has been reported

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number matches the Boolean regular expression ^(20099|38910|20025|20026|20028|20040)$.

Source Name matches wildcard AD*.

Success

 

 

Client-Side Monitoring

 

In addition to monitoring from the perspective of domain controllers, ADMP also monitors from the perspective of Active Directory clients. The goal of client-side monitoring is to provide a client perspective on the health of Active Directory. ADMP implements client-side monitoring by using workstations or servers in strategic physical locations to assess the responsiveness of Active Directory. ADMP performs scripted directory tasks that mimic common actions that are performed by typical directory clients. The results are reported by the ADMP Client Pack through ADMP alerts and performance data.

You determine which computers to use on your network for client-side monitoring by simply adding those computers to the Active Directory Client Side Monitoring computer group. It is recommended that you deploy client-side monitoring either on or physically near each of your directory-enabled application servers.

The following table lists each rule that ADMP uses for monitoring Active Directory health from the perspective of the client, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

AD Client Pack DC discovery encountered an error - some machines will not be monitored by the client pack

Event

Active Directory Client Side Monitoring

Event Number equals 21006.

Source Name equals AD Client Update DCs.

Error

The PDC Emulator cannot be contacted

Event

Active Directory Client Side Monitoring

Event Number equals 21004.

Event Type equals Warning.

Source Name equals AD Client PDC Response.

Error

There are not enough GCs available

Event

Active Directory Client Side Monitoring

Event Number equals 29002.

Event Type equals Error.

Source Name AD Client Side GC Availability.

Error

The PDC Emulator has been contacted successfully

Event

Active Directory Client Side Monitoring

Event Number equals 21004.

Event Type equals None.

Source Name equals AD Client PDC. Response.

Success

 

ADMP Client Pack Collection Rules

 

Collection rules collect events and store the event data in the MOM database.

 

Note

In general, collection rules are used to generate data for reports, and they do not generate alerts.

The following table lists each ADMP client pack collection rule, as well as the rule type; the rule group to which the rule belongs; and event criteria, including the source and event ID, if applicable.

Rule

Rule Type

Rule Group

Event Criteria

AD Client Side PDC Response Event Collection

Collection

Active Directory Client Side Monitoring

Event Number equals 21005.

Source Name equals AD Client PDC Response.

AD Client Side Monitoring Event Collection

Collection

Active Directory Client Side Monitoring

Event Number equals 21001.

Source Name matches wildcard AD*.

 

General ADMP Client Pack Rules

 

The ADMP client pack generates certain rules when it encounters a configuration or run-time error. The following table lists each general ADMP client pack rule, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule

Rule Type

Rule Group

Event Criteria

Event Type

The AD Management Pack does not support the agentless management mode

Event

Active Directory Client Side Monitoring

Event Number equals 20098.

Event Type equals None.

Source Name matches wildcard AD Client*.

Error

AD Client Side - Script Based Test Failed to Complete

Event

Active Directory Client Side Monitoring

Event Number equals 25001.

Source Name matches wildcard AD*.

Warning

AD Client Side - Script Parameters are configured incorrectly

Event

Active Directory Client Side Monitoring

Event Number equals 25003.

Source Name matches wildcard AD*.

Warning

AD Client Side - Script Generated Success Event

Event

Active Directory Client Side Monitoring

Event Number equals 25000.

Source Name matches wildcard AD*.

Success

AD Client Side Test succeeded after consecutive failures

Event

Active Directory Client Side Monitoring

Event Number equals 21003.

Event Type equals Information.

Source Name matches wildcard AD*.

Success

AD Client Side Test Failed

Event

Active Directory Client Side Monitoring

Event Number equals 21002.

Source Name matches wildcard AD*.

Error

 

http://technet.microsoft.com/en-us/library/cc180912.aspx

 



No TrackBacks

TrackBack URL: http://www.skar.us/site/mt-tb.cgi/2928

Leave a comment








*
*

administrator
Author Bio          ★★★★★

Author Name:         administrator
Author Location:    India
Author Rank:          Writer
Author Status:        
The Green leave stands!!


*
*
*
*
****



*****



    Desktop
  • eBooks
  • Games
  • Softwares
  • Tools
  • Tweaks
  • Wallpapers
  • Warez
    PDA
  • Games
  • Tools
  • Wallpapers
    System Administration
  • dll Center
  • Scripts
  • Tools
  • .extensions database
  • Write-up
    more...
  • Download Database
  • Jobs
  • Lists
  • Polls
  • Glossary

01000011 01110010 01100001 01100011 01101011 01111010 01101000 01100001 01100011 01101011