Monitoring Active Directory Health
Active Directory Management Pack (ADMP) monitors Active Directory — and the external components that are related to Active Directory — to ensure that their ongoing behavior falls within the bounds of normal, healthy Active Directory behavior. The ADMP definitions for the health of Active Directory and its related components are contained in the more than 400 ready-to-run rules that are included with ADMP. After MOM and ADMP are installed, these rules begin to monitor Active Directory and related component behavior immediately and automatically, and they alert you whenever unexpected behavior occurs.
Note
ADMP will not monitor events that occur as a result of Active Directory installation or removal, or domain rename operations.
Processing Rules and Operating System Versions
Monitoring Active Directory Components
Monitoring External Components
Additional Active Directory Management Pack Rules
Client-Side Monitoring
You can use ADMP to monitor domain controllers running Microsoft Windows® 2000 Server and Windows Server 2003. ADMP includes groups of rules that apply to both Windows 2000 Server and Windows Server 2003, as well as rules that apply only to one operating system or the other:

- The Active Directory Windows 2000 rule group applies only to domain controllers running Windows 2000 Server.
- The Active Directory Windows 2000 and Windows Server 2003 rule group applies to domain controllers running Windows 2000 Server or Windows Server 2003.
- The Active Directory Windows Server 2003 rule group applies only to domain controllers running Windows Server 2003.
MOM applies the appropriate ADMP rules to the appropriate domain controllers automatically, based on the operating system that is running on each domain controller. No manual configuration is required.
The following sections provide an overview of the ADMP rules that are used to monitor each of the Active Directory components along with the external components on which Active Directory depends.
Note
In addition to the rules that are listed in the tables in this section, ADMP includes rules that are triggered when an ADMP configuration or run-time error is encountered. ADMP also includes several “Miscellaneous componentname error” rules that are designed to monitor event numbers that are not generated by current operating system versions but may be introduced by future product updates and service packs. In addition, ADMP also includes several “Reportname report available” rules that are designed to notify administrators when data that is collected by ADMP is available for viewing.
The following sections describe ADMP monitoring of the Active Directory protocol interfaces, which are sometimes referred to as protocol heads.
LDAP is the standard protocol that directory clients use to gain access to data that is held by directory servers. LDAP supports a relatively simple set of operations, such as bind, unbind, read, and modify. The LDAP interface is the primary interface to Active Directory, and it is responsible for packaging and interpreting LDAP packets on the network. By performing LDAP binds and searches against a domain controller, ADMP can take a basic measure of Active Directory health. LDAP response time requirements vary by directory-enabled application, but they are generally on the order of one second.
In addition to monitoring for specific events, ADMP monitors the general responsiveness of the LDAP interface with the AD General Response monitoring script. For more information about this script, see "Active Directory Management Pack Scripts" later in this document.
The following table lists each rule that ADMP uses to monitor the LDAP interface, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Active Directory Last Bind - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Bind response time is greater than 30 seconds. – Or – Bind response time is greater than 15 seconds and less than 30 seconds. – Or – Bind response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Active Directory Last Bind. | Critical Error / Error / Warning |
| An Intersite Messaging service request to modify an LDAP object failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1407. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| LDAP agent cannot open security provider | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1238. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| LDAP connection closed because maximum connections were exceeded | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1210. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service cannot perform a requested LDAP bind operation | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1824. | Error |
| The Inter-Site Messaging Service requested to abandon an LDAP notification message | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Directory Service Event ID equals 1823. | Error |
Directory clients use the global catalog interface to perform forest-wide searches by querying a single server. By performing global catalog binds and searches against a domain controller, ADMP can take a basic measure of Active Directory health. The global catalog response time requirements vary by directory-enabled applications, but they are generally on the order of one second.
In addition to monitoring for specific events, ADMP monitors the health of the global catalog interface with the AD Global Catalog Search Response script. For information about this script, see "Active Directory Management Pack Scripts" later in this document. For more information about global catalog discovery using the ADMP Client Pack, see "AD Client GC Availability" later in this document.
The following table lists each rule that ADMP uses to monitor the global catalog interface, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Global Catalog Search Time - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Response time is greater than 30 seconds. – Or – Response time is greater than 15 seconds. – Or – Response time is greater than 5 seconds. Object equals ActiveDirectoryMP. Counter equals Global Catalog Search Time. | Critical Error / Error / Warning |
| AD Global Catalog search failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 21026. Source Name equals AD Global Catalog Search Response. | Error |
| DC is both a Global Catalog and the Infrastructure Update master | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1419. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| The system failed to promote this server into a Global Catalog | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1790. | Error |
| Unable to establish connection with any Global Catalog(s) | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1126. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| This domain controller failed to register as (and will not advertise as) a global catalog | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 1992. | Warning |
Messaging clients, such as Microsoft Outlook, use the Microsoft Messaging API (MAPI) interface to gain access to data (for example, telephone numbers) that is held by Active Directory. No specific health measurements exist for the MAPI interface, and ADMP does not currently include any monitoring rules that are specific to MAPI.
The replication subsystem is used to maintain data consistency across all domain controllers in a domain or forest. Active Directory uses the replication remote procedure call (RPC) interface over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP) to replicate data between domain controllers. The Knowledge Consistency Checker (KCC), which is part of the replication subsystem, automatically computes the most efficient replication topology for your network based on information that you provide to Active Directory about your network topology. In addition, the KCC regularly recalculates the replication topology to adjust for any network changes that occur.
Replication is one of the most important processes in Active Directory; therefore, ADMP monitors it regularly. ADMP monitors replication with several monitoring scripts, including AD Replication Monitoring and AD Replication Partner Count. For more information about these scripts, see "Active Directory Management Pack Scripts" later in this document.
In addition, ADMP monitors specific replication-related events, and it collects replication performance data for several replication-related ADMP reports. The following table lists each rule that ADMP uses to monitor replication, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| A domain controller has an extremely high number of replication partners | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20081. Event Type equals Error. Source Name equals AD Replication Partner Count. | Error |
| A lingering object has been detected. Replication has been blocked. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1388. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| AD Replication Monitoring - Time skew detected | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20063. Source Name equals AD Replication Monitoring. | Error |
| Certificate for intersite replication was rejected | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number matches Boolean regular expression 1222\|1223. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Direct replication cannot occur as configured | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1090. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Initial replication after domain controller promotion has not completed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20069. Source Name equals AD Replication Monitoring. | Error |
| KCC cannot compute a replication path | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1311. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| KCC cannot configure replication topology due to ISM failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1312. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| KCC failed to initialize | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1008. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| KCC failed to stop | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1024. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| KCC failed to update replication topology | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1130. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| KCC is ignoring a replication path because non-intersecting schedules are preventing replication along that path | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1788. | Error |
| None of the preferred bridgehead servers can replicate the directory partition | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1567. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Replication error | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1694. | Error |
| Replication has been aborted | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1791. | Error |
| Replication is not occurring - All replication partners have failed to synchronize | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20064. Source Name equals AD Replication Monitoring. | Error |
| The AD replication process is unable to continue | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1107. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| The Knowledge Consistency Checker (KCC) detected an incompatible up-to-dateness vector format | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 1910. | Error |
| The local domain controller has denied a replication attempt on a directory partition. This may pose a security risk. | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 1964. | Error |
| This server cannot process the replication request | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1700. | Error |
| This source server failed to add schema information for the mail replication request | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1701. | Error |
| A domain controller has an unusually high number of replication partners | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20081. Event Type equals Warning. Source Name equals AD Replication Partner Count. | Warning |
| A domain controller has an extremely high number of replication partners | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20082. Source Name equals AD Replication Partner Count. | Error |
| A domain controller made a replication request for a writable directory partition that has been denied by the local domain controller | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 1977. | Warning |
| A replication island has been detected. Replication will not occur across the enterprise. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20080. Source Name equals AD Replication Partner Count. | Warning |
| Active Directory cannot set the replication consistency registry key | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 2033. | Warning |
| Active Directory encountered a replication error. Replication will be delayed. | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 1958. | Warning |
| AD Replication is occurring slowly | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20062. Source Name equals AD Replication Monitoring. | Warning |
| AD Replication Monitoring - Access Denied | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20067. Source Name equals AD Replication Monitoring. | Warning |
| Replication has been stopped with a source | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 2042. | Warning |
| Some replication partners have failed to synchronize | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20065. Source Name equals AD Replication Monitoring. | Warning |
| The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected. | Event | Active Directory Windows Server 2003 - Active Directory General | Event Number equals 2002. | Warning |
| WMI Replication Provider is not installed - Replication cannot be monitored fully. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20068. Source Name equals AD Replication Monitoring. | Warning |
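The event criteria in the table above are of three kinds: an exact event number, a Boolean regular expression over the event number (1222|1223 here, 137[456] in the Intersite Messaging table later), and an event-type qualifier that tells the two 20081 partner-count rules apart. The following Python example, added here and not part of ADMP or MOM, shows how a rule matcher applies those criteria to event records. The record field names (`source`, `event_id`, `event_type`) and the sample events are constructed for the example; the rule subset is transcribed from the table.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EventRule:
    """One event-based monitoring rule, transcribed from the table above."""
    name: str
    severity: str
    source: str                        # Source Name / Provider Name the event must carry
    event_ids: str                     # exact number, or a Boolean regex such as "1222|1223"
    event_type: Optional[str] = None   # extra qualifier used by the two 20081 rules

# Subset of the rules above (constructed selection; the last one is from the ISM table).
RULES = [
    EventRule("A domain controller has an extremely high number of replication partners",
              "Error", "AD Replication Partner Count", "20081", event_type="Error"),
    EventRule("A domain controller has an unusually high number of replication partners",
              "Warning", "AD Replication Partner Count", "20081", event_type="Warning"),
    EventRule("Certificate for intersite replication was rejected",
              "Error", "Directory Service", r"1222|1223"),
    EventRule("KCC cannot compute a replication path",
              "Error", "Directory Service", "1311"),
    EventRule("ISM Request Failure",
              "Error", "Directory Service", r"137[456]"),
]

def rule_matches(rule: EventRule, event: dict) -> bool:
    """Apply every criterion; fullmatch keeps 1222|1223 from matching event 12221."""
    if event["source"] != rule.source:
        return False
    if re.fullmatch(rule.event_ids, str(event["event_id"])) is None:
        return False
    if rule.event_type is not None and event["event_type"] != rule.event_type:
        return False
    return True

def match_events(events, rules=RULES):
    """Return (rule name, alert severity, event id) for every event/rule pair that matches."""
    alerts = []
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                alerts.append((rule.name, rule.severity, event["event_id"]))
    return alerts

# Constructed sample event records (not real log data).
SAMPLE_EVENTS = [
    {"source": "Directory Service", "event_id": 1223, "event_type": "Error"},
    {"source": "AD Replication Partner Count", "event_id": 20081, "event_type": "Warning"},
    {"source": "AD Replication Partner Count", "event_id": 20081, "event_type": "Error"},
    {"source": "Directory Service", "event_id": 1375, "event_type": "Error"},
    {"source": "Directory Service", "event_id": 12221, "event_type": "Error"},  # must not match 1222|1223
    {"source": "NTDS ISAM", "event_id": 1311, "event_type": "Error"},          # right id, wrong source
]

if __name__ == "__main__":
    for name, severity, event_id in match_events(SAMPLE_EVENTS):
        print(f"{severity:8} {event_id:6} {name}")
```

Anchoring the regular expression with `fullmatch` rather than `search` matters: a rule written as 1222|1223 is meant to cover exactly those two event numbers, and the source-name check prevents an event with the same number from an unrelated provider (NTDS ISAM above) from raising a Directory Service alert.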
Security Accounts Manager (SAM) is used for verifying passwords and for checking passwords against any existing password policies that are in effect on a domain controller. In addition, SAM provides legacy support for Microsoft Windows NT® 4.0 users and groups.
The following table lists each rule that ADMP uses to monitor SAM, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| An attempt to check whether group caching is enabled has failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 12299. Source Name equals SAM. | Error |
| An attempt to update user credentials failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 12302. Source Name equals SAM. | Error |
| Domain Operation Mode has been changed to Native Mode | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16408. Source Name equals SAM. | Information |
| The domain controller is booting to directory services restore mode | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16652. Source Name equals SAM. | Information |
| The group caching option has now been properly updated | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 12300. Source Name equals SAM. | Information |
| This domain controller has been promoted to PDC | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 12297. Source Name equals SAM. | Information |
| Account creation will fail on this domain controller until the account identifier pool is obtained | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16643. Source Name equals SAM. | Warning |
| The account identifier pool for this domain controller cannot be updated | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16641. Source Name equals SAM. | Warning |
| The DC was unable to obtain the next account-identifier | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16651. Source Name equals SAM. | Warning |
| The domain controller failed to obtain a new account identifier pool | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16651. Source Name equals SAM. | Warning |
| Account Changes Report Available¹ | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Responds to Event IDs included in the SAM Account Errors report. Source Name equals SAM. | Information |
| Miscellaneous SAM Errors² | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Only responds to Event IDs with a severity of Error or above that are not known at the time that ADMP for MOM 2005 is released. Source Name equals SAM. | Error |
| The Domain Changes report has data available | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Responds to Event IDs that are included in the Domain Changes report. Source Name equals SAM. | Information |

¹ The report name that is referenced in the rule name is incorrect. The correct report name is SAM Account Errors. This rule, which indicates that the Account Changes Report is available, actually indicates that the SAM Account Errors report is available.

² The Miscellaneous SAM Errors rule is a "Miscellaneous componentname error" rule, which is described in "Monitoring Active Directory Components" earlier in this document. This rule is designed to monitor event numbers that are not generated by current operating system versions but may be introduced by future product updates and service packs.
The Intersite Messaging service is required by domain controllers that are not in an Active Directory forest that is operating at the Windows Server 2003 forest functional level. It enables multiple transports, including SMTP, to be used in intersite messaging. The Intersite Messaging service provides services to the KCC in the form of queries for available replication paths. It also enables messaging communication that can use SMTP servers other than the servers that are dedicated to processing e-mail applications.
The following table lists each rule that ADMP uses to monitor Intersite Messaging, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Inter-Site Messaging (ISM) Service SMTP Transport plug-in has determined that one or more classes from CDO library are not registered as expected | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1527. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Inter-Site Messaging (ISM) Service SMTP Transport plug-in has encountered an unexpected error from CDO library | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1528. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Inter-Site Messaging Service SMTP Transport plug-in failed to read the SMTP mail message | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1405. Provider Name equals Directory Service. | Error |
| Inter-Site Messaging Service SMTP Transport plug-in failed to bind the event sink ismsink.dll to the SMTP Service | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1468. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Inter-Site Messaging Service SMTP Transport plug-in failed to add SMTP routing domain | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1466. Provider Name equals Directory Service. | Error |
| Inter-Site Messaging Service SMTP Transport plug-in failed to register the event sink ismsink.dll | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1467. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Intersite Messaging Service has resumed running | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 38905. Source equals AD Essential Services Running script. | Information |
| Intersite Messaging Service is not running | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 38905. Source equals AD Essential Services Running script. | Error |
| Intersite Messaging Service SMTP Transport received a delivery failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1448. Provider Name equals Directory Service. | Error |
| ISM cannot receive messages | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1373. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| ISM Request Failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number matches Boolean regular expression 137[456]. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| ISM transport has been shut down | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1378. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service cannot allocate memory | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1815. Provider Name equals | Error |
| The Inter-Site Messaging Service cannot perform a requested LDAP bind operation | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1824. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service encountered a malformed transport distinguished name | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1814. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service encountered an error while attempting to start the Service Control Dispatcher | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1811. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service failed to create an event | Event | Active Directory Windows 2000 and Windows Server 2003 | Event ID equals 1813. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service failed to initialize | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1812. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service failed to start | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1816 and 1817. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service failed to start the RPC server | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1818, 1819, 1820, and 1821. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service failed to wait for a message | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1810. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service requested to abandon an LDAP notification message | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1823. Provider Name equals Directory Service. | Error |
| The Inter-Site Messaging Service SMTP Transport plug-in failed to remove SMTP routing domain | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 1834. Provider Name equals Directory Service. | Error |
From the perspective of CPU utilization, Active Directory is represented on a domain controller by the Local Security Authority Subsystem (LSASS) process.
ADMP monitors LSASS with the AD CPU Overload script and also by monitoring an LSASS-specific performance counter: Process Private Bytes LSASS 15 minutes. By default, ADMP generates a Warning alert when average LSASS CPU utilization exceeds 80 percent over 10 samples taken one minute apart.
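The CPU rule above is a sustained-load check rather than a spike detector: it needs ten one-minute samples in hand before it can fire, and it fires only on their average. The following Python example, added here and not ADMP's AD CPU Overload script, models that window so the difference between a short burst and sustained overload is visible; the sample series are constructed.

```python
from collections import deque
from statistics import mean
from typing import Optional

class CpuOverloadMonitor:
    """Rolling-window check shaped like the ADMP default described above:
    one sample per minute, Warning only when the average of the last 10
    samples exceeds 80 percent. Added illustration, not ADMP's own script."""

    def __init__(self, window: int = 10, threshold_pct: float = 80.0):
        self.window = window
        self.threshold_pct = threshold_pct
        self.samples = deque(maxlen=window)   # oldest sample drops off automatically

    def add_sample(self, cpu_pct: float) -> Optional[str]:
        """Record one sample; return "Warning" when the full window averages above the threshold."""
        self.samples.append(cpu_pct)
        if len(self.samples) < self.window:
            return None          # not enough history to judge sustained load
        if mean(self.samples) > self.threshold_pct:
            return "Warning"
        return None

def evaluate_series(series, window: int = 10, threshold_pct: float = 80.0):
    """Feed a sequence of samples and return the index of every sample that raised a Warning."""
    monitor = CpuOverloadMonitor(window, threshold_pct)
    return [i for i, pct in enumerate(series) if monitor.add_sample(pct) == "Warning"]

# Constructed sample series (percent CPU for lsass.exe, one value per minute).
SPIKE = [95, 97, 99] + [10] * 12        # short burst, then idle: never fires
SUSTAINED = [20] * 5 + [90] * 12        # fires once the window average passes 80 and stays on

if __name__ == "__main__":
    print("spike     ->", evaluate_series(SPIKE))
    print("sustained ->", evaluate_series(SUSTAINED))
```

On the constructed series the burst never raises an alert, while the sustained series first fires at index 13, the point where enough 90-percent samples have displaced the earlier 20-percent ones for the window average to exceed 80.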
The following table lists each rule that ADMP uses to monitor LSASS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| LSASS Error Messages | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Type equals Error. Source Name equals LSASERV. | Error |
| The LSASS process is using a high percentage of available CPU time | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 20071. Source Name equals AD CPU Overload. | Warning |
ADMP contains rules for monitoring the Active Directory database file and log files, and rules for monitoring the number of lost and found objects on a domain controller.
By default, ADMP uses the AD Database and Log File script to check the size of the Active Directory database file and log files every 15 minutes, and to check free disk space on the volumes that host them:

- If the database file or log file grows between measurements by more than 20 percent (a fixed percentage in ADMP that cannot be modified), ADMP generates a Warning alert, unless the domain controller is a new domain controller that is performing its initial replication.
- If the free space on the volume hosting the Active Directory database is not at least 500 megabytes (MB) or 20 percent of the current database size, whichever is greater, ADMP generates an Error alert.
- If the free space on the volume hosting the Active Directory log files is not at least 200 MB or 5 percent of the current database size, whichever is greater, ADMP generates an Error alert.
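The three checks above combine a relative growth rule with two "greater of a fixed floor or a percentage" free-space rules, and the growth rule has a suppression case. The following Python example, added here and not ADMP's AD Database and Log File script, implements the checks exactly as the text states them; the snapshot field names and the byte counts are constructed.

```python
from typing import Dict, Optional

MB = 1024 * 1024

def growth_alert(previous_bytes: int, current_bytes: int,
                 initial_replication: bool = False) -> Optional[str]:
    """Warning when a file grew by more than 20 percent since the last sample,
    suppressed while a new domain controller performs its initial replication."""
    if initial_replication or previous_bytes <= 0:
        return None
    growth = (current_bytes - previous_bytes) / previous_bytes
    return "Warning" if growth > 0.20 else None

def database_volume_alert(free_bytes: int, db_size_bytes: int) -> Optional[str]:
    """Error unless free space is at least 500 MB or 20 percent of the database size, whichever is greater."""
    required = max(500 * MB, 0.20 * db_size_bytes)
    return "Error" if free_bytes < required else None

def log_volume_alert(free_bytes: int, db_size_bytes: int) -> Optional[str]:
    """Error unless free space is at least 200 MB or 5 percent of the database size, whichever is greater."""
    required = max(200 * MB, 0.05 * db_size_bytes)
    return "Error" if free_bytes < required else None

def evaluate(previous: Dict[str, int], current: Dict[str, int],
             initial_replication: bool = False) -> Dict[str, str]:
    """Run all checks for one sampling interval; checks that raise nothing are omitted."""
    checks = {
        "database growth": growth_alert(previous["db_bytes"], current["db_bytes"], initial_replication),
        "log growth": growth_alert(previous["log_bytes"], current["log_bytes"], initial_replication),
        "database volume": database_volume_alert(current["db_volume_free"], current["db_bytes"]),
        "log volume": log_volume_alert(current["log_volume_free"], current["db_bytes"]),
    }
    return {name: level for name, level in checks.items() if level}

# Constructed snapshots taken 15 minutes apart (not real measurements).
PREVIOUS = {"db_bytes": 4000 * MB, "log_bytes": 100 * MB}
CURRENT = {"db_bytes": 5000 * MB, "log_bytes": 110 * MB,
           "db_volume_free": 900 * MB, "log_volume_free": 240 * MB}

if __name__ == "__main__":
    print(evaluate(PREVIOUS, CURRENT))
    print(evaluate(PREVIOUS, CURRENT, initial_replication=True))
```

With a 5000 MB database the percentage term dominates both floors (1000 MB for the database volume, 250 MB for the log volume), so the constructed snapshot raises both Error alerts plus a growth Warning; passing `initial_replication=True` drops only the growth Warning, which is the suppression the text describes.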
The following table lists each rule that ADMP uses to monitor database and log files, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| The Active Directory database is corrupt | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 404. Source Name equals NTDS ISAM. | Critical |
| AD cannot update object because the disk containing the database is full | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1480. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| AD database is corrupt | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1017. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Database and Log File Drive Space - Error | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20333. Source Name equals AD Database and Log. | Error |
On a domain controller, the Lost and Found container contains Active Directory objects that have been orphaned. An object is orphaned when the object is created on one domain controller and the container in which the object is placed is deleted from the directory on another domain controller before the object has a chance to replicate. An orphaned object is automatically placed in the Lost and Found container where it can be found by an administrator, who must determine whether to move or delete the object.
The AD Lost and Found Object Count script in ADMP monitors the number of orphaned objects on a domain controller every two hours. The script generates a Warning alert if more than 10 objects exist in the Lost and Found container. The script generates an Error alert if more than 100 objects exist in the Lost and Found container.
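The same count, as an added example that is not ADMP code: a PowerShell function that enumerates the Lost and Found container, applies the 10 (Warning) and 100 (Error) thresholds, and lists each orphaned object with its `lastKnownParent` attribute, which is what an administrator needs in order to decide whether to move or delete it. It requires the ActiveDirectory module (RSAT); including the configuration partition's `CN=LostAndFoundConfig` container is an addition beyond what the ADMP script counts.

```powershell
# Added example (not ADMP code): counts orphaned objects the way AD Lost and Found
# Object Count does, applying the 10 (Warning) / 100 (Error) thresholds, and lists each
# object with its lastKnownParent so an administrator can decide whether to move or
# delete it. Requires the ActiveDirectory module (RSAT).
function Get-LostAndFoundStatus {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to whatever the module discovers.
        [string]$Server,
        [int]$WarningThreshold = 10,
        [int]$ErrorThreshold   = 100
    )
    $target = if ($Server) { @{ Server = $Server } } else { @{} }

    $domain  = Get-ADDomain @target
    $rootDse = Get-ADRootDSE @target
    # The domain's container is what ADMP counts; the configuration partition has its
    # own Lost and Found container, included here as an addition to the ADMP check.
    $containers = @(
        $domain.LostAndFoundContainer
        "CN=LostAndFoundConfig,$($rootDse.configurationNamingContext)"
    )

    $objects = foreach ($container in $containers) {
        Get-ADObject @target -SearchBase $container -SearchScope OneLevel -Filter * `
            -Properties lastKnownParent, whenChanged |
            Select-Object DistinguishedName, ObjectClass, lastKnownParent, whenChanged
    }
    $objects = @($objects)

    $severity = if ($objects.Count -gt $ErrorThreshold)       { 'Error' }
                elseif ($objects.Count -gt $WarningThreshold) { 'Warning' }
                else                                          { 'Healthy' }

    [pscustomobject]@{
        Server   = $rootDse.DNSHostName
        Count    = $objects.Count
        Severity = $severity
        Objects  = $objects
    }
}

# Usage: (Get-LostAndFoundStatus -Server dc1.contoso.com).Objects | Format-Table
```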
The following table lists each rule that ADMP uses to monitor lost and found objects, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Active Directory Lost Objects - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | More than 100 objects exist in the Lost and Found container (Error). – Or – More than 10 objects exist in the Lost and Found container (Warning). | Error / Warning |
Much of the monitoring of the operations master roles (also known as flexible single master operations (FSMO)) in ADMP occurs in the AD Op Master Response script. By default, this script runs every five minutes to determine if the operations master role holders are responding, and it reports alerts at various levels, depending on whether the role holders are reachable and how quickly they respond.
ADMP also includes the AD Replication Partner Op Master Consistency script for operations master monitoring. This script runs every hour to determine if domain controller replication partners agree on the identity of the role holders, and it generates alerts if domain controllers disagree on the current role holders.
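Both checks, as an added example that is not ADMP code or either of its scripts: part 1 pings and times an LDAP bind to each role holder and grades the result with the ADMP thresholds (5, 15 and 30 seconds, Warning through Critical Error); part 2 asks every domain controller in the domain which servers it believes hold the roles and reports disagreements, which widens the ADMP check from replication partners to all DCs. It also tests the condition behind event 1419 (infrastructure master on a global catalog), which is only a problem when some DCs in the domain are not global catalogs. It requires the ActiveDirectory module and read access to every domain controller.

```powershell
# Added example (not ADMP code): combines the two operations master checks described
# above. Part 1 pings and times an LDAP bind to each role holder and grades the result
# with the ADMP thresholds (5, 15 and 30 seconds); part 2 asks every DC in the domain
# which servers it believes hold the roles (ADMP asks only replication partners).
# Requires the ActiveDirectory module and read access to all domain controllers.
function Test-OperationsMasters {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $expected = [ordered]@{
        'Schema'         = $forest.SchemaMaster
        'Domain Naming'  = $forest.DomainNamingMaster
        'PDC'            = $dom.PDCEmulator
        'RID'            = $dom.RIDMaster
        'Infrastructure' = $dom.InfrastructureMaster
    }

    # Part 1: reachability and bind time (AD Op Master Response).
    $response = foreach ($role in $expected.Keys) {
        $holder = $expected[$role]
        $pinged = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try   { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop; $bound = $true }
        catch { $bound = $false }
        $sw.Stop()
        $secs = $sw.Elapsed.TotalSeconds
        $severity = if (-not $bound -or -not $pinged) { 'Warning (ping or bind failed)' }
                    elseif ($secs -gt 30)             { 'Critical Error' }
                    elseif ($secs -gt 15)             { 'Error' }
                    elseif ($secs -gt 5)              { 'Warning' }
                    else                              { 'Success' }
        [pscustomobject]@{
            Role = $role; Holder = $holder; Ping = $pinged; Bound = $bound
            BindSeconds = [math]::Round($secs, 2); Severity = $severity
        }
    }

    # Part 2: does every DC agree on the role holders (AD Replication Partner Op
    # Master Consistency, widened to all DCs in the domain)?
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $disagreements = foreach ($dc in $dcs) {
        try {
            $f = Get-ADForest -Server $dc.HostName -ErrorAction Stop
            $d = Get-ADDomain -Server $dc.HostName -ErrorAction Stop
            $seen = @{
                'Schema' = $f.SchemaMaster; 'Domain Naming' = $f.DomainNamingMaster
                'PDC' = $d.PDCEmulator; 'RID' = $d.RIDMaster; 'Infrastructure' = $d.InfrastructureMaster
            }
            foreach ($role in $expected.Keys) {
                if ($seen[$role] -ne $expected[$role]) {
                    [pscustomobject]@{ DC = $dc.HostName; Role = $role; Reports = $seen[$role]; Expected = $expected[$role] }
                }
            }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Role = '(all)'; Reports = "query failed: $($_.Exception.Message)"; Expected = '' }
        }
    }

    # Event 1419 (infrastructure master on a global catalog) is only a problem when
    # some DCs in the domain are not global catalogs; check that condition directly.
    $infra   = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $nonGc   = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $infraGc = if ($infra.IsGlobalCatalog -and $nonGc.Count -gt 0) {
                   "Infrastructure master $($dom.InfrastructureMaster) is a GC while $($nonGc.Count) DC(s) are not"
               } else { $null }

    [pscustomobject]@{
        Response             = $response
        Disagreements        = @($disagreements)
        InfrastructureMaster = $infraGc
    }
}

# Usage: $r = Test-OperationsMasters; $r.Response | Format-Table; $r.Disagreements
```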
The following table lists each rule that ADMP uses to monitor operations masters, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Op Master Domain Naming Last Bind - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Average response time is greater than 30 seconds (Critical Error). – Or – Average response time is greater than 15 seconds and less than 30 seconds (Error). – Or – Average response time is greater than 5 seconds and less than 15 seconds (Warning). Object equals ActiveDirectoryMP. Counter equals Op Master Domain Naming Last Bind. | Critical Error / Error / Warning |
| Op Master Infrastructure Last Bind - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Average response time is greater than 30 seconds (Critical Error). – Or – Average response time is greater than 15 seconds and less than 30 seconds (Error). – Or – Average response time is greater than 5 seconds and less than 15 seconds (Warning). Object equals ActiveDirectoryMP. Counter equals Op Master Infrastructure Last Bind. | Critical Error / Error / Warning |
| Op Master PDC Last Bind - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Average response time is greater than 30 seconds (Critical Error). – Or – Average response time is greater than 15 seconds and less than 30 seconds (Error). – Or – Average response time is greater than 5 seconds and less than 15 seconds (Warning). Object equals ActiveDirectoryMP. Counter equals Op Master PDC Last Bind. | Critical Error / Error / Warning |
| Op Master RID Last Bind - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Average response time is greater than 30 seconds (Critical Error). – Or – Average response time is greater than 15 seconds and less than 30 seconds (Error). – Or – Average response time is greater than 5 seconds and less than 15 seconds (Warning). Object equals ActiveDirectoryMP. Counter equals Op Master RID Last Bind. | Critical Error / Error / Warning |
| Op Master Schema Last Bind - Threshold Exceeded | Threshold | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Average response time is greater than 30 seconds (Critical Error). – Or – Average response time is greater than 15 seconds and less than 30 seconds (Error). – Or – Average response time is greater than 5 seconds and less than 15 seconds (Warning). Object equals ActiveDirectoryMP. Counter equals Op Master Schema Last Bind. | Critical Error / Error / Warning |
| DC is both a Global Catalog and the Infrastructure Update master | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 1419. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service. | Error |
| Failed to ping or bind to the Domain Naming Master FSMO role holder | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20003. Event Type equals Warning. Source Name equals AD Op Master Response. | Warning |
| Failed to ping or bind to the Infrastructure Master FSMO role holder | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20007. Event Type equals Warning. Source Name equals AD Op Master Response. | Warning |
| Failed to ping or bind to the RID Master FSMO role holder | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20015. Event Type equals Warning. Source Name equals AD Op Master Response. | Warning |
| Failed to ping or bind to the PDC Master FSMO role holder | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20011. Event Type equals Warning. Source Name equals AD Op Master Response. | Warning |
| Failed to ping or bind to the Schema Master FSMO role holder | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20019. Event Type equals Warning. Source Name equals AD Op Master Response. | Warning |
| Contacting the Domain Naming FSMO Role Holder has completed successfully | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20003. Event Type equals None. Source Name equals AD Op Master Response. | Success |
| Contacting the Infrastructure FSMO Role Holder has completed successfully | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20007. Event Type equals None. Source Name equals AD Op Master Response. | Success |
| Contacting the PDC FSMO Role Holder has completed successfully | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20011. Event Type equals None. Source Name equals AD Op Master Response. | Success |
| Contacting the RID Master FSMO Role Holder has completed successfully | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20015. Event Type equals None. Source Name equals AD Op Master Response. | Success |
| Contacting the Schema Master FSMO Role Holder has completed successfully | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20019. Event Type equals None. Source Name equals AD Op Master Response. | Success |
The following sections describe ADMP monitoring of components that are external to Active Directory.
SYSVOL is the shared directory on domain controllers that holds Group Policy templates and logon scripts. SYSVOL matters to directory health because Net Logon does not advertise a domain controller (that is, register its DC Locator records in DNS) until the SYSVOL share is available. Replication of SYSVOL between domain controllers is handled by the File Replication service (FRS).
ADMP monitors the SYSVOL shared directory on managed computers with the AD Essential Services script. ADMP monitors SYSVOL to make sure that it is available for connection.
The following table lists each rule that ADMP uses to monitor SYSVOL, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| A journal wrap error has occurred on the SYSVOL | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL | Event Number equals 13568. Source Name equals NtFrs. Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE). | Error |
| Cannot connect to local SYSVOL share | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 38906. Source Name equals AD Essential Services Running. | Error |
| FRS has not replicated one or more files in the SYSVOL to other domain controllers | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL | Event Number equals 13569. Source Name equals NtFrs. Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE). | Warning |
FRS is responsible for the replication of the SYSVOL share.
ADMP monitors the status of FRS with the AD Essential Services script and by monitoring event IDs from FRS in the event log.
The following table lists each rule that ADMP uses to monitor FRS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| File Replication Service is not running | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 38901. Event Type equals Error. Source Name equals AD Essential Services Running. | Error |
| File Replication Service has resumed running | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 38901. Event Type equals Information. Source Name equals AD Essential Services Running. | Information |
| FRS is scanning the system volume before sharing it | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL | Event Number equals 13566. Source Name equals NtFrs. | Information |
Note
For more in-depth monitoring of SYSVOL and FRS, you can download and install the Ultrasound tool from Monitoring and Troubleshooting the File Replication Service on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=25827. Ultrasound shows health ratings and historical information about FRS replica sets. You can use it to monitor the progress of replication and to detect problems that can cause replication to become backlogged or stop. Ultrasound also provides detailed views for troubleshooting and a framework that you can use to customize alerts and views for your organization.
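The SYSVOL and FRS checks above, as one added example that is not ADMP code: for every domain controller it reads the NtFrs service state (what AD Essential Services checks), tests whether the SYSVOL share answers, and pulls the NtFrs events 13566, 13568 and 13569 that the two rule tables key on from the File Replication Service log. It assumes the ActiveDirectory module, WinRM/CIM access and remote event-log access to each DC; the one-day look-back is an assumption.

```powershell
# Added example (not ADMP code): checks per domain controller what the SYSVOL and FRS
# rules above watch: the NtFrs service state, whether the SYSVOL share answers, and the
# NtFrs events 13566 (scanning), 13568 (journal wrap) and 13569 (files not replicated)
# in the File Replication Service log. Requires the ActiveDirectory module, WinRM/CIM
# and remote event-log access to each DC.
function Test-SysvolReplication {
    [CmdletBinding()]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [timespan]$LookBack = (New-TimeSpan -Days 1)
    )
    $since = (Get-Date) - $LookBack

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $name = $dc.HostName

        # Service state, as AD Essential Services checks it (ADMP event 38901).
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='NtFrs'" `
                   -ComputerName $name -ErrorAction SilentlyContinue
        $state = if ($svc) { $svc.State } else { 'unknown' }

        # Can the share be reached at all (ADMP event 38906)?
        $shareOk = Test-Path -LiteralPath "\\$name\SYSVOL\$Domain\Policies"

        # FRS events with the IDs the SYSVOL and FRS rule tables key on.
        $events = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'File Replication Service'; ProviderName = 'NtFrs'
            Id = 13566, 13568, 13569; StartTime = $since
        })
        $ids = $events | ForEach-Object Id

        # 13568 means FRS has stopped replicating this replica set and needs recovery.
        $severity = if ($state -ne 'Running' -or -not $shareOk -or $ids -contains 13568) { 'Error' }
                    elseif ($ids -contains 13569) { 'Warning' }
                    elseif ($ids -contains 13566) { 'Information' }
                    else { 'Healthy' }

        [pscustomobject]@{
            DC           = $name
            NtFrsState   = $state
            SysvolShare  = $shareOk
            JournalWrap  = ($ids -contains 13568)
            Unreplicated = ($ids -contains 13569)
            Scanning     = ($ids -contains 13566)
            Severity     = $severity
            RecentEvents = $events | Select-Object TimeCreated, Id, Message
        }
    }
}

# Usage: Test-SysvolReplication | Format-Table DC, NtFrsState, SysvolShare, JournalWrap, Severity
```

On a domain whose SYSVOL has been migrated from FRS to DFS Replication, the NtFrs service and the File Replication Service log no longer exist and the service and event checks here report nothing; the share check still applies.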
Active Directory uses the Net Logon service to establish a secure channel between domain controllers and directory clients. ADMP monitors the Net Logon service with event messages and with the AD Essential Services script.
Domain controller Locator is a function that is performed by the Net Logon service, and it is monitored by the AD Essential Services script.
The following table lists each rule that ADMP uses to monitor the Net Logon service and domain controller Locator, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Session setup failed because no trust account exists: Script - AD Validate Server Trust Event | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5723. Source Name equals NetLogon. | Critical Error |
| Security: Two computers involved in a trust relationship have the same machine security identifier (SID). Windows should be re-installed on one of the machines. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5516. Message DLL equals NetMsg.dll. Provider Name equals System. | Error |
| A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5517. Message DLL equals Netmsg.dll. Provider Name equals System. | Warning |
| An account name collision occurred - this may result in authentication failures | Event | Active Directory Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5800. Source Name equals NetLogon. | Warning |
| Global group SERVERS exists and has members. This group defines Lan Manager BDCs in the domain. Lan Manager BDCs are not permitted in Active Directory domains. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5772. Message DLL equals Netmsg.dll. Provider Name equals System. | Warning |
| Manual deregistration of some DNS records is required | Event | Active Directory Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5808. Source Name equals NetLogon. | Warning |
| NetLogon cannot register a name | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5741. Message DLL equals Netmsg.dll. Provider Name equals System. | Warning |
| No suitable domain controller is available for authentication in this domain | Event | Active Directory Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5790. Source Name equals NetLogon. | Warning |
| The computer cannot function properly for authentication purposes | Event | Active Directory Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5791. Source Name equals NetLogon. | Warning |
| The computer name cannot be mapped to an object in Active Directory - this may result in authentication failures | Event | Active Directory Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5801. Source Name equals NetLogon. | Warning |
| The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure | Event | Active Directory Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5809. Source Name equals NetLogon. | Warning |
| The session setup from a machine failed because no trust account exists. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5723. Source Name equals NetLogon. | Warning |
| The session setup to another domain failed because the domain does not have an account for the computer. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5721. Message DLL equals Netmsg.dll. Provider Name equals System. | Warning |
| The session setup to the domain controller failed because the computer does not have a local security database account. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5720. Message DLL equals Netmsg.dll. Provider Name equals System. | Warning |
| One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator | Event Number equals 5773. Source Name equals NetLogon. | Error |
Active Directory advertises its directory services with DNS using service (SRV) and host address (A) records. Active Directory uses the name resolution services that are provided by DNS to enable clients to locate domain controllers and to enable the domain controllers that host the directory service to communicate with each other.
ADMP monitors DNS with event messages and with the AD DNS Verification script.
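The DNSAPI and NetLogon event rules report registration failures after the fact; as an added example that is not ADMP code, the following PowerShell function actively confirms, for every domain controller, the DC Locator records that Net Logon registers: the `_ldap` and `_kerberos` SRV records under `_msdcs`, the site-specific `_ldap` record, the `_gc` record for global catalogs, the `_pdc` record for the PDC emulator, and the host A record. It assumes the ActiveDirectory and DnsClient modules (Windows 8 / Windows Server 2012 or later) and that the machine it runs on resolves the domain's zone; it serves the Net Logon and domain controller Locator discussion above as well as this DNS section.

```powershell
# Added example (not ADMP code): confirms the DC Locator records that Net Logon
# registers for each DC, the records the DNSAPI 11150-11167 and NetLogon 5773 rules
# above report failures for. Requires the ActiveDirectory and DnsClient modules.
function Test-DcLocatorRecords {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forestRoot = (Get-ADForest).RootDomain
    $pdc        = (Get-ADDomain -Identity $Domain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $fqdn = $dc.HostName.ToLower()

        # SRV records that must list this DC as a target.
        $srvNames = @(
            "_ldap._tcp.dc._msdcs.$Domain"
            "_kerberos._tcp.dc._msdcs.$Domain"
            "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$Domain"
        )
        if ($dc.IsGlobalCatalog)      { $srvNames += "_ldap._tcp.gc._msdcs.$forestRoot" }
        if ($fqdn -eq $pdc.ToLower()) { $srvNames += "_ldap._tcp.pdc._msdcs.$Domain" }

        $missing = foreach ($rec in $srvNames) {
            # Resolve-DnsName also returns the additional-section A records; keep the SRVs.
            $targets = Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'SRV' } |
                       ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
            if ($targets -notcontains $fqdn) { $rec }
        }
        $missing = @($missing)

        # The A record the SRV targets resolve through; it must match the DC's address.
        $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        $aOk = [bool]($a | Where-Object { $_.IPAddress -eq $dc.IPv4Address })

        [pscustomobject]@{
            DC                = $fqdn
            Site              = $dc.Site
            MissingSrvRecords = $missing
            ARecordMatches    = $aOk
            Severity          = $(if ($missing.Count -gt 0 -or -not $aOk) { 'Error' } else { 'Healthy' })
        }
    }
}

# Usage: Test-DcLocatorRecords | Where-Object Severity -ne 'Healthy'
```

A DC that is missing its `_msdcs` SRV records cannot be located by clients or by other domain controllers even though it is otherwise healthy, which is why the page treats these registration failures as Error alerts.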
The following table lists each rule that ADMP uses to monitor DNS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| A DNS server used by this server for name resolution did not respond within the timeout interval | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator | Event Number matches Boolean regular expression 11150\|11162. Source Name equals DNSAPI. | Error |
| A resource record for the computer name of the DC is not registered in the DNS database | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator | Event Number matches Boolean regular expression 11151\|11155\|11163\|11167. Source Name equals DNSAPI. | Error |
| The DNS server with which this DC will register does not support the dynamic update protocol or the authoritative zone is not configured to allow dynamic updates | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator | Event Number matches Boolean regular expression 11152\|11153\|11164\|11165. Source Name equals DNSAPI. | Error |
| DNS registrations of essential Domain controller records is failing because the Active Directory Domain is a single label domain for Windows 2000 SP 4 and 2003 | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability | Event Number equals 20072. Source Name equals AD DNS Verification. | Error |
The Kerberos authentication protocol takes its time from the clock of the domain controller on which it runs and uses that time to validate the time stamps in authenticators and to set ticket lifetimes; Active Directory also uses domain controller time stamps when it resolves replication conflicts. By default, Kerberos tolerates a clock skew of five minutes between a client and the KDC. If the skew between domain controllers, or between a client and a domain controller, exceeds that tolerance, Kerberos authentication fails, and with it much of what depends on Active Directory. The Windows Time service (W32Time) synchronizes time between domain controllers, and from them to domain members, which keeps the skew within tolerance.
ADMP monitors W32Time with the AD Essential Services script.
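The skew check itself, as an added example that is not ADMP code: a PowerShell function that measures every domain controller's clock offset from the machine it runs on with `w32tm.exe /stripchart` (built into Windows) and reports any pair of DCs whose mutual skew exceeds the Kerberos tolerance. It assumes the ActiveDirectory module and that NTP (UDP 123) on each DC is reachable; the 300-second threshold is the five-minute default named above. Because all offsets are taken against the same local clock, only the pairwise differences matter, not the individual values.

```powershell
# Added example (not ADMP code): measures every DC's clock offset from this machine
# with w32tm.exe and reports any pair of DCs whose skew exceeds the Kerberos
# tolerance (300 seconds by default). Requires the ActiveDirectory module and NTP
# (UDP 123) reachability to each DC.
function Test-DcClockSkew {
    [CmdletBinding()]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [double]$MaxSkewSeconds = 300
    )

    $offsets = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $target = "/computer:$($dc.HostName)"
        $out = & w32tm.exe /stripchart $target /samples:1 /dataonly 2>&1
        # A sample line reads "12:00:00, +00.0004521s"; a failure reads
        # "12:00:00, error: 0x800705B4" and yields no offset.
        $m = $out | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
        [pscustomobject]@{
            DC            = $dc.HostName
            OffsetSeconds = $(if ($m) { [double]$m.Matches[0].Groups[1].Value } else { $null })
            Raw           = ($out | ForEach-Object { $_.ToString() }) -join ' | '
        }
    }

    # Pairwise skew between the DCs that answered.
    $measured = @($offsets | Where-Object { $null -ne $_.OffsetSeconds })
    $violations = for ($i = 0; $i -lt $measured.Count; $i++) {
        for ($j = $i + 1; $j -lt $measured.Count; $j++) {
            $skew = [math]::Abs($measured[$i].OffsetSeconds - $measured[$j].OffsetSeconds)
            if ($skew -gt $MaxSkewSeconds) {
                [pscustomobject]@{
                    A = $measured[$i].DC; B = $measured[$j].DC; SkewSeconds = [math]::Round($skew, 3)
                }
            }
        }
    }

    [pscustomobject]@{
        Offsets     = $offsets
        Unreachable = @($offsets | Where-Object { $null -eq $_.OffsetSeconds } | ForEach-Object DC)
        Violations  = @($violations)
    }
}

# Usage: (Test-DcClockSkew).Violations
```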
The following table lists each rule that ADMP uses to monitor W32Time, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| An attempt to shift time by more than 12 hours was aborted | Event | Active Directory Windows 2000 - Active Directory - Timesync | Event Number equals 14. Source Name equals W32Time. | Warning |
| Time has not synchronized for a long time | Event | Active Directory Windows 2000 - Active Directory - Timesync | Event Number equals 25. Source Name equals W32Time. | Warning |
| An attempt to set the time was aborted due to the offset being too large | Event | Active Directory Windows Server 2003 - Active Directory - Timesync | Event Number equals 34. Source Name equals W32Time. | Error |
| No input provider to sync time | Event | Active Directory Windows Server 2003 - Active Directory - Timesync | Event Number equals 21. Source Name equals W32Time. | Error |
| The system clock has not been synchronized for some time | Event | Active Directory Windows Server 2003 - Active Directory - Timesync | Event Number equals 36. Source Name equals W32Time. | Warning |
Kerberos is a standards-based authentication protocol and is the preferred authentication method for Windows 2000 and Microsoft Windows® XP clients. NTLM is a legacy authentication protocol that is still used by Microsoft Windows® 98 and earlier clients and by Windows NT clients. Kerberos is more secure than NTLM (among other things, it authenticates the server to the client as well as the client to the server), and it offers delegation abilities that NTLM does not. On domain controllers, the Kerberos protocol is implemented by the Kerberos Key Distribution Center (KDC) service.
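KDC event 11, the first rule in the table below, is raised when a ticket request names a principal that more than one account claims, and the request fails. As an added example that is not ADMP code, the following PowerShell function finds such duplicate user principal names and service principal names ahead of time by reading every account in the forest from a global catalog (both attributes are part of the GC's partial attribute set). It assumes the ActiveDirectory module and a reachable global catalog.

```powershell
# Added example (not ADMP code): finds duplicate UPNs and SPNs across the forest, the
# condition behind KDC event 11. Requires the ActiveDirectory module.
function Find-DuplicatePrincipalNames {
    [CmdletBinding()]
    param(
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )

    # Port 3268 queries the global catalog, which holds every account in the forest.
    $accounts = Get-ADObject -Server "${GlobalCatalog}:3268" `
        -LDAPFilter '(|(userPrincipalName=*)(servicePrincipalName=*))' `
        -Properties userPrincipalName, servicePrincipalName

    # Index every name, case-insensitively, by the accounts that carry it. UPNs and
    # SPNs are separate name types to the KDC, so they are keyed separately.
    $index = @{}
    foreach ($acct in $accounts) {
        $names = @()
        if ($acct.userPrincipalName) { $names += 'UPN:' + $acct.userPrincipalName }
        foreach ($spn in $acct.servicePrincipalName) { $names += 'SPN:' + $spn }
        foreach ($n in $names) {
            $key = $n.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object 'System.Collections.Generic.List[string]'
            }
            $index[$key].Add($acct.DistinguishedName)
        }
    }

    # Report every name that more than one account carries.
    foreach ($key in $index.Keys) {
        if ($index[$key].Count -gt 1) {
            [pscustomobject]@{
                Kind     = $key.Substring(0, 3).ToUpper()
                Name     = $key.Substring(4)
                Accounts = @($index[$key])
            }
        }
    }
}

# Usage: Find-DuplicatePrincipalNames | Format-List
```

Duplicate SPNs deserve the same attention as duplicate UPNs: until the duplicate is removed, the KDC cannot decide which account's key to encrypt the service ticket with, so authentication to that service fails for every client.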
The following table lists each rule that ADMP uses to monitor Kerberos and the KDC, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Duplicate User Principal Names have been detected | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 11. Source Name equals KDC. Parameter 2 matches regular expression (8)\|(DS_USER_PRINCIPAL_NAME). | Critical Error |
| Kerberos Key Distribution Center Service (KDC) is not running | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - General | Event Number equals 38903. Event Type equals Error. Source Name equals AD Essential Services Running. | Error |
| Invalid Policy Data | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 17. Event Type equals Error. Source Name equals KDC. | Error |
| Change Password on KRBTGT Account Failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 10. Event Type equals Error. Source Name equals KDC. | Error |
| Corrupt Credentials | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 13. Event Type equals Error. Source Name equals KDC. | Error |
| Invalid Forwarded AS Request | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 15. Event Type equals Error. Source Name equals KDC. | Error |
| No Key to Generate Kerberos Ticket | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number matches Boolean regular expression 8\|14\|16. Event Type equals Error. Source Name equals KDC. | Error |
| PAC Verification Failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 18. Event Type equals Error. Source Name equals KDC. | Error |
| Policy Update Failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 5. Event Type equals Error. Source Name equals KDC. | Error |
| Trusted Domain List Update Failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 6. Event Type equals Error. Source Name equals KDC. | Error |
| Unexpected SAM Failure | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 7. Event Type equals Error. Source Name equals KDC. | Error |
| Kerberos Key Distribution Center Service (KDC) has resumed running | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - General | Event Number equals 38903. Event Type equals Information. Source Name equals AD Essential Services Running. | Information |
Trusts are relationships that are established between domains or forests that enable users in one domain or forest to be authenticated by a domain controller in another domain or forest. Trusts allow users in one domain or forest to access resources in a different domain or forest.
On domain controllers running Windows Server 2003, trusts are monitored by the AD Monitor Trusts script. This script does not run on domain controllers running Windows 2000 Server.
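A trust check of the same kind, as an added example that is not ADMP code or the AD Monitor Trusts script: a PowerShell function that enumerates a domain's trusts and verifies the secure channel to each trusted domain with `nltest.exe /sc_verify` (built into Windows), and that also reports SID filtering and selective authentication, the two settings worth confirming on every external trust. It assumes the ActiveDirectory module and must run on a domain controller of the trusting domain, because `nltest /sc_verify` tests that DC's own secure channel; inbound-only trusts have no channel to test from this side and are listed without a verdict.

```powershell
# Added example (not ADMP code): enumerates a domain's trusts, verifies the secure
# channel to each trusted domain with nltest.exe, and reports SID filtering and
# selective authentication. Requires the ActiveDirectory module; run on a DC of the
# trusting domain.
function Test-DomainTrusts {
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($trust in Get-ADTrust -Filter * -Server $Domain) {
        # A secure channel from this side exists only for outgoing trusts
        # (Direction Outbound or BiDirectional); inbound-only trusts are listed as-is.
        $outgoing = $trust.Direction -in 'Outbound', 'BiDirectional'
        $verified = $null
        $detail   = 'inbound-only trust; verify from the other domain'
        if ($outgoing) {
            # nltest prints "Trust Verification Status = 0 0x0 NERR_Success" on success.
            $out = & nltest.exe "/sc_verify:$($trust.Name)" 2>&1
            $verified = ($LASTEXITCODE -eq 0) -and
                        [bool]($out -match 'Trust Verification Status\s*=\s*0\s')
            $detail = ($out | ForEach-Object { $_.ToString().Trim() }) -join ' | '
        }

        [pscustomobject]@{
            Trust                   = $trust.Name
            Direction               = $trust.Direction
            Type                    = $trust.TrustType
            ForestTransitive        = $trust.ForestTransitive
            SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
            SelectiveAuthentication = $trust.SelectiveAuthentication
            Verified                = $verified
            Severity                = $(if ($outgoing -and -not $verified) { 'Error' } else { 'Healthy' })
            Detail                  = $detail
        }
    }
}

# Usage: Test-DomainTrusts | Format-Table Trust, Direction, SIDFilteringQuarantined, Verified, Severity
```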
The following table lists each rule that ADMP uses to monitor trusts, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| A problem has been detected with the trust relationship between two domains | Event | Active Directory Windows Server 2003 - Active Directory Monitor Trusts | Event Number equals 20083. Source Name equals AD Monitor Trusts. | Error |
| A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon | Event Number equals 5517. Message DLL equals Netmsg.dll. Provider Name equals System. | Warning |
Use the Group Policy rules in ADMP if you do not have Group Policy Management Pack (GPMP) installed. However, if you want to take advantage of the most up-to-date Group Policy monitoring capabilities, install GPMP. If you have both ADMP and GPMP installed, it is recommended that you disable the Group Policy rules that are available in ADMP and use only the rules in GPMP to monitor Group Policy.
The following table lists each rule that ADMP uses to monitor Group Policy, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
| Rule | Rule Type | Rule Group | Event Criteria | Event Type |
|---|---|---|---|---|
| Cannot process client side group policy extension | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1003. Source Name equals UserEnv. User Name equals System. | Error |
| Group policy processing aborted - cannot connect to the Directory Service | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number matches Boolean regular expression 1005\|1006. Source Name equals UserEnv. User Name equals System. | Error |
| Group policy processing aborted - cannot determine site | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1007. Source Name equals UserEnv. User Name equals System. | Error |
| Group policy processing aborted - reboot this machine | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1035. Source Name equals UserEnv. User Name equals System. | Error |
| Group policy processing aborted - the search for the root AD object failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1008. Source Name equals UserEnv. User Name equals System. | Error |
| Local group policy is disabled | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1004. Source Name equals UserEnv. User Name equals System. | Error |
| Unexpected Error applying group policy to machine account | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1000. Source Name equals UserEnv. User Name equals System. | Error |
| A Group Policy object cannot be found in Active Directory | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1102. Source Name equals UserEnv. User Name equals System. | Warning |
| A Group Policy Object has not been processed because the filter check could not be performed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1104. Source Name equals UserEnv. User Name equals System. | Warning |
| A Group Policy Object is corrupt. | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1057. Source Name equals UserEnv. User Name equals System. | Warning |
| Cross-domain Group Policy processing has been aborted because the other domain cannot be reached | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1105. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing aborted because a filter check for the GPO failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1065. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing aborted because the common name for the GPO cannot be accessed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1059. Source Name equals UserEnv. User Name equals System. | Warning |
| Group policy processing aborted because the GPO does not have a version number | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1060. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted (in planning mode) because the user/computer does not have access to a required object | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1100. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because an invalid class of object was discovered | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1077. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because GPO lists cannot be set up | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1075. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because of an invalid access configuration | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1081. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because the extensions from the registry cannot be read | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1066. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because the file gpt.ini cannot be accessed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1058. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because the GPLink property of an object cannot be accessed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1099. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because the GPO does not have a functionality version number | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1072. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing has been aborted because the user does not have access to an object | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1101. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because a security check failed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1064. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because historical data cannot be moved from the users old SID to their new one | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1084. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because security cannot be set on Group Policy events | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1094. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because the refresh timer cannot be set | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1082. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because the search for objects cannot be completed | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number matches Boolean regular expression 1079\|1080. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because the security ID of the user cannot be obtained | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1078. Source Name equals UserEnv. User Name equals System. | Warning |
| Group Policy processing was aborted because the users security ID cannot be written to the registry | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv | Event Number equals 1083. Source Name equals UserEnv. User Name equals System. | Warning |
The Group Policy client side extension failed to execute |
Event |
Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv |
Event Number equals 1085. Source Name equals UserEnv. User Name equals System. |
Warning |
The WMI service is disabled. A Group Policy object has not been processed |
Event |
Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv |
Event Number equals 1106. Source Name equals UserEnv. User Name equals System. |
Warning |
There are no domain-based Group Policy objects for this user/computer. |
Event |
Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv |
Event Number equals 1103. Source Name equals UserEnv. User Name equals System. |
Warning |
In addition to the rules listed earlier in this document, ADMP includes rules that sample performance counters to collect data, and it includes rules that are designed to notify administrators when data that is collected by ADMP is available for viewing. ADMP also includes rules that fire when an ADMP configuration or run-time error is encountered.
Measuring rules sample performance counters and store the performance data in the MOM database. The following table lists each ADMP measuring rule, the rule type, and the rule group to which the rule belongs.
Rule | Rule Type | Rule Group |
---|---|---|
LDAP Client Sessions | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
LDAP Searches/sec | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
LDAP UDP Operations/sec | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
LDAP Writes/sec | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
LSASS Handle Count | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
LSASS Private Bytes | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
LSASS Total CPU | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
Kerberos Authentications/sec | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
NTLM Authentications/sec | Measuring | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory |
Collection rules collect events and store the event data in the MOM database.
Note
In general, collection rules are used to generate data for reports, and they do not generate alerts.
The following table lists each ADMP collection rule; the rule type; the rule group to which the rule belongs; and event criteria, including the source and event ID, if applicable.
Rule | Rule Type | Rule Group | Event Criteria |
---|---|---|---|
Collection rule for the Replication Collisions Report | Collection | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory | Event Number equals 1233. |
Collection rule for the Replication Failures Report | Collection | Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory | Event Number equals any of the following: 1425, 1531, 1075, 1532, 1096, 1014, 1455, 1274, 1098, 1100, 1457, 1077, 1308. |
A well known account has been recreated because it did not exist | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16406. Source Name equals SAM. |
A well known group has been recreated because it did not exist | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16407. Source Name equals SAM. |
Accounts with the same SID have been detected - one has been deleted | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 12303. Source Name equals SAM. |
An account cannot be added to the group | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number matches Boolean regular expression 16392|16394. Source Name equals SAM. |
Duplicate account names were detected - one account has been renamed | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 12304. Source Name equals SAM. |
Setting the administrator's password failed. It has been reset to blank. | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16397. Source Name equals SAM. |
This domain controller will not start up because its machine account has been deleted | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors | Event Number equals 16405. Source Name equals SAM. |
Account Name Not Unique | Collection | Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC | Event Number equals 11. Event Type equals Error. Source Name equals KDC. |
Certain ADMP rules fire when ADMP itself encounters a configuration or run-time error. The following table lists each general ADMP rule; the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
Rule | Rule Type | Rule Group | Event Criteria | Event Type |
---|---|---|---|---|
Script Based Test Failed to Complete | Event | Active Directory Windows 2000 and Windows Server 2003 - Active Directory General | Event Number equals 21000. Source Name matches wildcard AD*. | Warning |
Script Parameters are configured incorrectly | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number equals 20066. Source Name matches wildcard AD*. | Warning |
Script success event has been reported | Event | Active Directory Windows 2000 and Windows Server 2003 | Event Number matches the Boolean regular expression ^(20099|38910|20025|20026|20028|20040)$. Source Name matches wildcard AD*. | Success |
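Every event-criteria cell in the tables on this page is built from the same few clause forms: "equals", "equals any of the following", "matches Boolean regular expression" and "matches wildcard". The following Python is an added example, not ADMP code or part of this document: it parses those cells as written and evaluates constructed sample events against a handful of the rules above, which lets an administrator check which rule a given event would fire before relying on MOM to do it. It assumes that MOM matches a Boolean regular expression against the whole event number and that its wildcard match is case-sensitive; the `Event` class is a simplification of an event-log record.

```python
import fnmatch
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    number: int               # Event Number
    source: str               # Source Name
    event_type: str = "None"  # Event Type (Error, Warning, Information, Success, None)
    user: str = "System"      # User Name

_FIELDS = {"Event Number": "number", "Source Name": "source", "Event Type": "event_type", "User Name": "user"}
_CLAUSE = re.compile(r"^(Event Number|Source Name|Event Type|User Name) (equals any of the following:|equals|"
                     r"matches (?:the )?Boolean regular expression|matches wildcard) (.+)$")

def parse_criteria(text):
    """Turn a criteria cell such as 'Event Number equals 21000. Source Name matches wildcard AD*.'
    into a list of predicates over Event; every clause must hold for the rule to fire."""
    checks = []
    for clause in filter(None, (c.strip() for c in re.split(r"\.(?:\s+|$)", text))):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised clause: {clause!r}")
        field, op, value = m.groups()
        attr = _FIELDS[field]
        if op == "equals any of the following:":
            checks.append(lambda ev, a=attr, w={int(v) for v in value.split(",")}: getattr(ev, a) in w)
        elif op == "equals":
            checks.append(lambda ev, a=attr, v=value: str(getattr(ev, a)) == v)
        elif op == "matches wildcard":  # assumed case-sensitive, like fnmatchcase
            checks.append(lambda ev, a=attr, v=value: fnmatch.fnmatchcase(str(getattr(ev, a)), v))
        else:  # Boolean regular expression; assumed to be matched against the whole field value
            checks.append(lambda ev, a=attr, r=re.compile(value): r.fullmatch(str(getattr(ev, a))) is not None)
    return checks

# Rule name, criteria cell and alert severity, copied from the tables on this page.
RULES = [
    ("Script Based Test Failed to Complete",
     "Event Number equals 21000. Source Name matches wildcard AD*.", "Warning"),
    ("Script success event has been reported",
     "Event Number matches the Boolean regular expression ^(20099|38910|20025|20026|20028|20040)$. Source Name matches wildcard AD*.", "Success"),
    ("Group Policy processing was aborted because the search for objects cannot be completed",
     "Event Number matches Boolean regular expression 1079|1080. Source Name equals UserEnv. User Name equals System.", "Warning"),
    ("There are not enough GCs available",
     "Event Number equals 29002. Event Type equals Error. Source Name equals AD Client Side GC Availability.", "Error"),
]
_COMPILED = [(name, parse_criteria(text), sev) for name, text, sev in RULES]

def matching_rules(event):
    """(rule name, severity) for every rule whose criteria the event satisfies."""
    return [(name, sev) for name, checks, sev in _COMPILED if all(c(event) for c in checks)]
```

For example, `matching_rules(Event(1080, "UserEnv"))` (a constructed event) returns the UserEnv Group Policy rule, while the same event number from a different source or user returns nothing.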
In addition to monitoring from the perspective of domain controllers, ADMP also monitors from the perspective of Active Directory clients. The goal of client-side monitoring is to provide a client perspective on the health of Active Directory. ADMP implements client-side monitoring by using workstations or servers in strategic physical locations to assess the responsiveness of Active Directory. ADMP performs scripted directory tasks that mimic common actions that are performed by typical directory clients. The results are reported by the ADMP Client Pack through ADMP alerts and performance data.
You determine which computers to use on your network for client-side monitoring by simply adding those computers to the Active Directory Client Side Monitoring computer group. It is recommended that you deploy client-side monitoring either on or physically near each of your directory-enabled application servers.
The following table lists each rule that ADMP uses for monitoring Active Directory health from the perspective of the client, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
Rule | Rule Type | Rule Group | Event Criteria | Event Type |
---|---|---|---|---|
AD Client Pack DC discovery encountered an error - some machines will not be monitored by the client pack | Event | Active Directory Client Side Monitoring | Event Number equals 21006. Source Name equals AD Client Update DCs. | Error |
The PDC Emulator cannot be contacted | Event | Active Directory Client Side Monitoring | Event Number equals 21004. Event Type equals Warning. Source Name equals AD Client PDC Response. | Error |
There are not enough GCs available | Event | Active Directory Client Side Monitoring | Event Number equals 29002. Event Type equals Error. Source Name equals AD Client Side GC Availability. | Error |
The PDC Emulator has been contacted successfully | Event | Active Directory Client Side Monitoring | Event Number equals 21004. Event Type equals None. Source Name equals AD Client PDC Response. | Success |
Collection rules collect events and store the event data in the MOM database.
Note
In general, collection rules are used to generate data for reports, and they do not generate alerts.
The following table lists each ADMP client pack collection rule, as well as the rule type; the rule group to which the rule belongs; and event criteria, including the source and event ID, if applicable.
Rule | Rule Type | Rule Group | Event Criteria |
---|---|---|---|
AD Client Side PDC Response Event Collection | Collection | Active Directory Client Side Monitoring | Event Number equals 21005. Source Name equals AD Client PDC Response. |
AD Client Side Monitoring Event Collection | Collection | Active Directory Client Side Monitoring | Event Number equals 21001. Source Name matches wildcard AD*. |
Certain ADMP client pack rules fire when the client pack itself encounters a configuration or run-time error. The following table lists each general ADMP client pack rule, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.
Rule | Rule Type | Rule Group | Event Criteria | Event Type |
---|---|---|---|---|
The AD Management Pack does not support the agentless management mode | Event | Active Directory Client Side Monitoring | Event Number equals 20098. Event Type equals None. Source Name matches wildcard AD Client*. | Error |
AD Client Side - Script Based Test Failed to Complete | Event | Active Directory Client Side Monitoring | Event Number equals 25001. Source Name matches wildcard AD*. | Warning |
AD Client Side - Script Parameters are configured incorrectly | Event | Active Directory Client Side Monitoring | Event Number equals 25003. Source Name matches wildcard AD*. | Warning |
AD Client Side - Script Generated Success Event | Event | Active Directory Client Side Monitoring | Event Number equals 25000. Source Name matches wildcard AD*. | Success |
AD Client Side Test succeeded after consecutive failures | Event | Active Directory Client Side Monitoring | Event Number equals 21003. Event Type equals Information. Source Name matches wildcard AD*. | Success |
AD Client Side Test Failed | Event | Active Directory Client Side Monitoring | Event Number equals 21002. Source Name matches wildcard AD*. | Error |