Monitoring Active Directory Health

Article
12/08/2008

Active Directory Management Pack (ADMP) monitors Active Directory — and the external components that are related to Active Directory — to ensure that their ongoing behavior falls within the bounds of normal, healthy Active Directory behavior. The ADMP definitions for the health of Active Directory and its related components are contained in the more than 400 ready-to-run rules that are included with ADMP. After MOM and ADMP are installed, these rules begin to monitor Active Directory and related component behavior immediately and automatically, and they alert you whenever unexpected behavior occurs.

Note

ADMP will not monitor events that occur as a result of Active Directory installation or removal, or domain rename operations.

Processing Rules and Operating System Versions

You can use ADMP to monitor domain controllers running Microsoft Windows® 2000 Server and Windows Server 2003. ADMP includes groups of rules that apply to both Windows 2000 Server and Windows Server 2003, as well as rules that apply only to one operating system or the other:

The Active Directory Windows 2000 rule group applies only to domain controllers running Windows 2000 Server.
The Active Directory Windows 2000 and Windows Server 2003 rule group applies to domain controllers running Windows 2000 Server or Windows Server 2003.
The Active Directory Windows Server 2003 rule group applies only to domain controllers running Windows Server 2003.

MOM applies the appropriate ADMP rules to the appropriate domain controllers automatically, based on the operating system that is running on each domain controller. No manual configuration is required.

Monitoring Active Directory Components

The following sections provide an overview of the ADMP rules that are used to monitor each of the Active Directory components along with the external components on which Active Directory depends.

Note

In addition to the rules that are listed in the tables in this section, ADMP includes rules that are triggered when an ADMP configuration or run-time error is encountered. ADMP also includes several “Miscellaneous componentname error” rules that are designed to monitor event numbers that are not generated by current operating system versions but may be introduced by future product updates and service packs. In addition, ADMP also includes several “Reportname report available” rules that are designed to notify administrators when data that is collected by ADMP is available for viewing.

Interfaces

The following sections describe ADMP monitoring of the Active Directory protocol interfaces, which are sometimes referred to as protocol heads.

LDAP

LDAP is the standard protocol that directory clients use to gain access to data that is held by directory servers. LDAP supports a relatively simple set of operations, such as bind, unbind, read, and modify. LDAP is the primary interface to Active Directory, and it is responsible for packaging and interpreting LDAP packets over the network. By performing LDAP binds and searches against a domain controller, ADMP can take a basic measure of Active Directory health. The LDAP response time requirements vary by directory-enabled applications, but they are generally on the order of one second.

In addition to monitoring for specific events, ADMP monitors the general responsiveness of the LDAP interface with the AD General Response monitoring script. For more information about this script, see "Active Directory Management Pack Scripts” later in this document.

The following table lists each rule that ADMP uses to monitor the LDAP interface, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Active Directory Last Bind - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Bind response time is greater than 30 seconds. – Or – Bind response time is greater than 15 seconds and less than 30 seconds. – Or – Bind response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Active Directory Last Bind.	Critical Error Error Warning
An Intersite Messaging service request to modify an LDAP object failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1407. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
LDAP agent cannot open security provider	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1238. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
LDAP connection closed because maximum connections were exceeded	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1210. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service cannot perform a requested LDAP bind operation	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1824.	Error
The Inter-Site Messaging Service requested to abandon an LDAP notification message	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Directory Service Event ID equals 1823.	Error

Global catalog

Directory clients use the global catalog interface to perform forest-wide searches by querying a single server. By performing global catalog binds and searches against a domain controller, ADMP can take a basic measure of Active Directory health. The global catalog response time requirements vary by directory-enabled applications, but they are generally on the order of one second.

In addition to monitoring for specific events, ADMP monitors the health of the global catalog interface with the AD Global Catalog Search Response script. For information about this script, see "Active Directory Management Pack Scripts" later in this document. For more information about global catalog discovery using the ADMP Client Pack see "AD Client GC Availability" later in this document.

The following table lists each rule that ADMP uses to monitor the global catalog interface, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Global Catalog Search Time - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Response time is greater than 30 seconds. – Or – Response time is greater than 15 seconds. – Or – Response time is greater than 5 seconds. Object equals ActiveDirectoryMP. Counter equals Global Catalog Search Time.	Critical Error Error Warning
AD Global Catalog search failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 21026. Source Name equals AD Global Catalog Search Response	Error
DC is both a Global Catalog and the Infrastructure Update master	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1419. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
The system failed to promote this server into a Global Catalog	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1790.	Error
Unable to establish connection with any Global Catalog(s)	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1126. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
This domain controller failed to register as (and will not advertise as) a global catalog	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 1992.	Warning

MAPI

Messaging clients, such as Microsoft Outlook, use the Microsoft Messaging API (MAPI) interface to gain access to data (for example, telephone numbers) that is held by Active Directory. No specific health measurements exist for the MAPI interface, and ADMP does not currently include any monitoring rules that are specific to MAPI.

Replication Subsystem

The replication subsystem is used to maintain data consistency across all domain controllers in a domain or forest. Active Directory uses the replication remote procedure call (RPC) interface over Internet Protocol (IP) or Simple Mail Transfer Protocol (SMTP) to replicate data between domain controllers. The Knowledge Consistency Checker (KCC), which is part of the replication subsystem, automatically computes the most efficient replication topology for your network based on information that you provide to Active Directory about your network topology. In addition, the KCC regularly recalculates the replication topology to adjust for any network changes that occur.

Replication is one of the most important processes in Active Directory; therefore, it is monitored regularly by ADMP. ADMP monitors replication with several monitoring scripts, including AD Replication Monitoring and AD Replication Partner Count. For more information about these scripts see "Active Directory Management Pack Scripts" later in this document.

In addition, ADMP monitors specific replication-related events, and it collects replication performance data for several replication-related ADMP reports. The following table lists each rule that ADMP uses to monitor replication, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
A domain controller has an extremely high number of replication partners	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20081. Event Type equals Error. Source Name equals AD Replication Partner Count.	Error
A lingering object has been detected. Replication has been blocked.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1388. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
AD Replication Monitoring - Time skew detected	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20063. Source Name equals AD Replication Monitoring.	Error
Certificate for intersite replication was rejected	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number matches Boolean regular expression 1222\|1223. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Direct replication cannot occur as configured	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1090. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Initial replication after domain controller promotion has not completed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20069. Source Name equals AD Replication Monitoring.	Error
KCC cannot compute a replication path	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1311. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC cannot compute a replication path	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1311. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC cannot configure replication topology due to ISM failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1312. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC failed to initialize	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1008. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC failed to stop	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1024. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC failed to update replication topology	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1130. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC is ignoring a replication path because non-intersecting schedules are preventing replication along that path	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1788.	Error
None of the preferred bridgehead servers can replicate the directory partition	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1567. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Replication error	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1694.	Error
Replication has been aborted	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1791.	Error
Replication is not occurring - All replication partners have failed to synchronize	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20064. Source Name equals AD Replication Monitoring.	Error
The AD replication process is unable to continue	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1107. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
The Knowledge Consistency Checker (KCC) detected an incompatible up-to-dateness vector format	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 1910.	Error
The local domain controller has denied a replication attempt on a directory partition. This may pose a security risk.	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 1964.	Error
This server cannot process the replication request	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1700.	Error
This source server failed to add schema information for the mail replication request	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1701.	Error
A domain controller has an unusually high number of replication partners	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20081. Event Type equals Warning. Source Name equals AD Replication Partner Count.	Warning
A domain controller has an extremely high number of replication partners	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20082. Source Name equals AD Replication Partner Count.	Error
A domain controller made a replication request for a writable directory partition that has been denied by the local domain controller	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 1977.	Warning
A replication island has been detected. Replication will not occur across the enterprise.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20080. Source Name equals AD Replication Partner Count.	Warning
Active Directory cannot set the replication consistency registry key	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 2033.	Warning
Active Directory encountered a replication error. Replication will be delayed.	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 1958.	Warning
AD Replication is occurring slowly	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20062. Source Name equals AD Replication Monitoring.	Warning
AD Replication Monitoring - Access Denied	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20067. Source Name equals AD Replication Monitoring.	Warning
Replication has been stopped with a source	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 2042.	Warning
Some replication partners have failed to synchronize	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20065. Source Name equals AD Replication Monitoring.	Warning
The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected.	Event	Active Directory Windows Server 2003 - Active Directory General	Event Number equals 2002.	Warning
WMI Replication Provider is not installed - Replication cannot be monitored fully.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20068. Source Name equals AD Replication Monitoring.	Warning

SAM

Security Accounts Manager (SAM) is used for verifying passwords and for checking passwords against any existing password policies that are in effect on a domain controller. In addition, SAM provides legacy support for Microsoft Windows NT® 4.0 users and groups.

The following table lists each rule that ADMP uses to monitor SAM, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
An attempt to check whether group caching is enabled has failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 12299. Source Name equals SAM.	Error
An attempt to update user credentials failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 12302. Source Name equals SAM.	Error
Domain Operation Mode has been changed to Native Mode	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16408. Source Name equals SAM.	Information
The domain controller is booting to directory services restore mode	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16652. Source Name equals SAM.	Information
The group caching option has now been properly updated	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 12300. Source Name equals SAM.	Information
This domain controller has been promoted to PDC	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 12297. Source Name equals SAM.	Information
Account creation will fail on this domain controller until the account identifier pool is obtained	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16643. Source Name equals SAM.	Warning
The account identifier pool for this domain controller cannot be updated	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16641. Source Name equals SAM.	Warning
The DC was unable to obtain the next account-identifier	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16651. Source Name equals SAM.	Warning
The domain controller failed to obtain a new account identifier pool	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16651. Source Name equals SAM.	Warning
Account Changes Report Available1	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Responds to Event IDs included in the SAM Account Errors report. Source Name equals SAM.	Information
Miscellaneous SAM Errors2	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Only responds to Event IDs with a severity of Error or above that are not known at the time that ADMP for MOM 2005 is released. Source Name equals SAM.	Error
The Domain Changes report has data available	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Responds to Event IDs that are included in the Domain Changes report. Source Name equals SAM.	Information

1 The report name that is referenced in the rule name is incorrect. The correct report name is SAM Account Errors. This rule, indicating that the Account Changes Report is available, actually indicates that the SAM Account Errors report is available.

2 The Miscellaneous SAM Errors rule is a "Miscellaneous componentname error" rule, which is described in "Monitoring Active Directory Components" earlier in this document. This rule is designed to monitor event numbers that are not generated for current operating system versions but may be introduced by future product updates and service packs.

Intersite Messaging

The Intersite Messaging service is required by domain controllers that are not in an Active Directory forest that is operating at the Windows Server 2003 forest functional level. It enables multiple transports, including SMTP, to be used in intersite messaging. The Intersite Messaging service provides services to the KCC in the form of queries for available replication paths. It also enables messaging communication that can use SMTP servers other than the servers that are dedicated to processing e-mail applications.

The following table lists each rule that ADMP uses to monitor Intersite Messaging, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Inter-Site Messaging (ISM) Service SMTP Transport plug-in has determined that one or more classes from CDO library are not registered as expected	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1527. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Inter-Site Messaging (ISM) Service SMTP Transport plug-in has encountered an unexpected error from CDO library	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1528. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Inter-Site Messaging Service SMTP Transport plug-in failed to read the SMTP mail message	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1405. Provider Name equals Directory Service.	Error
Inter-Site Messaging Service SMTP Transport plug-in failed to bind the event sink ismsink.dll to the SMTP Service	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1468. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Inter-Site Messaging Service SMTP Transport plug-in failed to add SMTP routing domain	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1466. Provider Name equals Directory Service.	Error
Inter-Site Messaging Service SMTP Transport plug-in failed to register the event sink ismsink.dll	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1467. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Intersite Messaging Service has resumed running	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 38905. Source equals AD Essential Services Running script.	Information
Intersite Messaging Service is not running	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals38905. Source equals AD Essential Services Running script.	Error
Intersite Messaging Service SMTP Transport received a delivery failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1448. Provider Name equals Directory Service.	Error
ISM cannot receive messages	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1373. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
ISM Request Failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number matches Boolean regular expression 137[456]. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
ISM transport has been shut down	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1378. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service cannot allocate memory	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1815. Provider Name equals	Error
The Inter-Site Messaging Service cannot perform a requested LDAP bind operation	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1824. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service encountered a malformed transport distinguished name	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1814. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service encountered an error while attempting to start the Service Control Dispatcher	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1811. Provider Name Equals Directory Service.	Error
The Inter-Site Messaging Service failed to create an event	Event	Active Directory Windows 2000 and Windows Server 2003	Event ID equals 1813. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service failed to initialize	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1812. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service failed to start	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1816 and 1817. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service failed to start the RPC server	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1818, 1819, 1820, and 1821. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service failed to wait for a message	Event	Active Directory Windows 2000 and Windows Server 2003	Event Name equals 1810. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service requested to abandon an LDAP notification message	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 1823. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service SMTP Transport plug-in failed to remove SMTP routing domain	Event	Active Directory Windows 2000 and Windows Server 2003	Event Name equals 1834. Provider Name equals Directory Service.	Error

LSASS

From the perspective of CPU utilization, Active Directory is represented on a domain controller by the Local Security Authority Subsystem (LSASS) process.

ADMP monitors LSASS with the AD CPU Overload script and also by monitoring an LSASS-specific performance counter: Process Private Bytes LSASS 15 minutes. By default, ADMP generates a Warning alert when average LSASS CPU utilization exceeds 80 percent over 10 samples taken one minute apart.

The following table lists each rule that ADMP uses to monitor LSASS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
LSASS Error Messages	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Type equals Error. Source Name equals LSASERV.	Error
The LSASS process is using a high percentage of available CPU time	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 20071. Source Name equals AD CPU Overload.	Warning

LSASS Error Messages

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Type equals Error.

Source Name equals LSASERV.

Error

The LSASS process is using a high percentage of available CPU time

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 20071.

Source Name equals AD CPU Overload.

Warning

Active Directory Database

ADMP contains rules for monitoring database and log files in the Active Directory database and rules for monitoring the quantity of lost and found objects on a domain controller.

Database and log files

By default, ADMP monitors the Active Directory database files and log files every 15 minutes for file size, and it monitors free disk space on the hosting volumes, using the AD Database and Log File script:

If the database file or log file grows between measurements by more than 20 percent, which represents a fixed percentage in ADMP that cannot be modified, ADMP generates a Warning alert unless the domain controller is a new domain controller and it is performing its initial replication.
If the free space on the volume hosting the Active Directory database is not at least 500 megabytes (MB) or 20 percent of current database size, whichever is greater, ADMP generates an Error alert.
If the free space on the volume hosting the Active Directory log files is not at least 200 MB or 5 percent of current database size, whichever is greater, ADMP generates an Error alert.

The following table lists each rule that ADMP uses to monitor database and log files, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
The Active Directory database is corrupt	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 404. Source Name equals NTDS ISAM.	Critical
AD cannot update object because the disk containing the database is full	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1480. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
AD database is corrupt	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1017. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Database and Log File Drive Space - Error	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20333. Source Name equals AD Database and Log.	Error

Lost and found objects

On a domain controller, the Lost and Found container contains Active Directory objects that have been orphaned. An object is orphaned when the object is created on one domain controller and the container in which the object is placed is deleted from the directory on another domain controller before the object has a chance to replicate. An orphaned object is automatically placed in the Lost and Found container where it can be found by an administrator, who must determine whether to move or delete the object.

The AD Lost and Found Object Count script in ADMP monitors the number of orphaned objects on a domain controller every two hours. The script generates a Warning alert if more than 10 objects exist in the Lost and Found container. The script generates an Error alert if more than 100 objects exist in the Lost and Found container.

The following table lists each rule that ADMP uses to monitor lost and found objects, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Active Directory Lost Objects - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	More than 100 objects exist in the Lost and Found container. – Or – More than 10 objects exist in the Lost and Found container.	Error Warning

Active Directory Lost Objects - Threshold Exceeded

Threshold

Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability

More than 100 objects exist in the Lost and Found container.

– Or –

More than 10 objects exist in the Lost and Found container.

Error

Warning

Operations Masters (FSMOs)

Much of the monitoring of the operations master roles (also known as flexible single master operations (FSMO)) in ADMP occurs in the AD Op Master Response script. By default, this script runs every five minutes to determine if the operations master role holders are responding, and it reports alerts at various levels, depending on whether the role holders are reachable and how quickly they respond.

ADMP also includes the AD Replication Partner Op Master Consistency script for operations master monitoring. This script runs every hour to determine if domain controller replication partners agree on the identity of the role holders, and it generates alerts if domain controllers disagree on the current role holders.

The following table lists each rule that ADMP uses to monitor operations masters, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Op Master Domain Naming Last Bind - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Average response time is greater than 30 seconds. – Or – Average response time is greater than 15 seconds and less than 30 seconds. – Or – Average response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Op Master Domain Naming Last Bind.	Critical Error Error Warning
Op Master Infrastructure Last Bind - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Average response time is greater than 30 seconds. – Or – Average response time is greater than 15 seconds and less than 30 seconds. – Or – Average response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Op Master Infrastructure Last Bind.	Critical Error Error Warning
Op Master PDC Last Bind - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Average response time is greater than 30 seconds. – Or – Average response time is greater than 15 seconds and less than 30 seconds. – Or – Average response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Op Master PDC Last Bind.	Critical Error Error Warning
Op Master RID Last Bind - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Average response time is greater than 30 seconds. – Or – Average response time is greater than 15 seconds and less than 30 seconds. – Or – Average response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Op Master RID Last Bind.	Critical Error Error Warning
Op Master Schema Last Bind - Threshold Exceeded	Threshold	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Average response time is greater than 30 seconds. – Or – Average response time is greater than 15 seconds and less than 30 seconds. – Or – Average response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Op Master Schema Last Bind.	Critical Error Error Warning
DC is both a Global Catalog and the Infrastructure Update master	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 1419. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Failed to ping or bind to the Domain Naming Master FSMO role holder	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20003. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the Infrastructure Master FSMO role holder	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20007. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the RID Master FSMO role holder	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20015. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the PDC Master FSMO role holder	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20011. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the Schema Master FSMO role holder	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20019. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Contacting the Domain Naming FSMO Role Holder has completed successfully	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20003. Event Type equals None. Source Name equals AD Op Master Response.	Success
Contacting the Infrastructure FSMO Role Holder has completed successfully	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20007. Event Type equals None. Source Name equals AD Op Master Response	Success
Contacting the PDC FSMO Role Holder has completed successfully	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20011. Event Type equals None. Source Name equals AD Op Master Response.	Success
Contacting the RID Master FSMO Role Holder has completed successfully	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20015. Event Type equals None. Source Name equals AD Op Master Response.	Success
Contacting the Schema Master FSMO Role Holder has completed successfully	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20019. Event Type equals None. Source Name equals AD Op Master Response.	Success

Monitoring External Components

The following sections describe ADMP monitoring of components that are external to Active Directory.

SYSVOL

SYSVOL is the shared directory on domain controllers that contains Group Policy and logon script information. SYSVOL is important because it is a prerequisite for the Net Logon service to advertise Domain Name System (DNS) records in Active Directory–integrated DNS. Replication of SYSVOL is handled by FRS.

ADMP monitors the SYSVOL shared directory on managed computers with the AD Essential Services script. ADMP monitors SYSVOL to make sure that it is available for connection.

The following table lists each rule that ADMP uses to monitor SYSVOL, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
A journal wrap error has occurred on the SYSVOL	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL	Event Number equals 13568. Source Name equals NtFrs. Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).	Error
Cannot connect to local SYSVOL share	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 38906. Source Name equals AD Essential Services Running.	Error
FRS has not replicated one or more files in the SYSVOL to other domain controllers	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL	Event Number equals 13569. Source Name equals NtFrs. Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).	Warning

A journal wrap error has occurred on the SYSVOL

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL

Event Number equals 13568.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Error

Cannot connect to local SYSVOL share

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38906.

Source Name equals AD Essential Services Running.

Error

FRS has not replicated one or more files in the SYSVOL to other domain controllers

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL

Event Number equals 13569.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Warning

FRS

FRS is responsible for the replication of the SYSVOL share.

ADMP monitors the status of FRS with the AD Essential Services script and by monitoring event IDs from FRS in the event log.

The following table lists each rule that ADMP uses to monitor FRS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
File Replication Service is not running	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 38901. Event Type equals Error. Source Name equals AD Essential Services Running.	Error
File Replication Service has resumed running	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 38901. Event Type equals Information. Source Name equals AD Essential Services Running.	Information
FRS is scanning the system volume before sharing it	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL	Event Number equals 13566. Source Name equals NtFrs.	Information

File Replication Service is not running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38901.

Event Type equals Error.

Source Name equals AD Essential Services Running.

Error

File Replication Service has resumed running

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 38901.

Event Type equals Information.

Source Name equals AD Essential Services Running.

Information

FRS is scanning the system volume before sharing it

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SYSVOL

Event Number equals 13566.

Source Name equals NtFrs.

Information

Note

For more in-depth monitoring of SYSVOL and FRS, you can download and install the Ultrasound tool from Monitoring and Troubleshooting the File Replication Service on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=25827. Ultrasound shows health ratings and historical information about FRS replica sets. You can use it to monitor the progress of replication and to detect problems that can cause replication to become backlogged or stop. Ultrasound also provides detailed views for troubleshooting and a framework that you can use to customize alerts and views for your organization.

Net Logon Service and Domain Controller Locator

Active Directory uses the Net Logon service to establish a secure channel between domain controllers and directory clients. ADMP monitors the Net Logon service with event messages and with the AD Essential Services script.

Domain controller Locator is a function that is performed by the Net Logon service, and it is monitored by the AD Essential Services script.

The following table lists each rule that ADMP uses to monitor the Net Logon service and domain controller Locator, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Session setup failed because no trust account exists: Script - AD Validate Server Trust Event	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5723. Source Name equals NetLogon.	Critical Error
Security: Two computers involved in a trust relationship have the same machine security identifier (SID). Windows should be re-installed on one of the machines.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5516. Message DLL equals NetMsg.dll. Provider Name equals System.	Error
A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5517. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
An account name collision occurred - this may result in authentication failures	Event	Active Directory Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5800. Source Name equals NetLogon.	Warning
Global group SERVERS exists and has members. This group defines Lan Manager BDCs in the domain. Lan Manager BDCs are not permitted in Active Directory domains.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5772. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
Manual deregistration of some DNS records is required	Event	Active Directory Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5808. Source Name equals NetLogon.	Warning
NetLogon cannot register a name	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5741. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
No suitable domain controller is available for authentication in this domain	Event	Active Directory Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5790. Source Name equals NetLogon.	Warning
The computer cannot function properly for authentication purposes	Event	Active Directory Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5791. Source Name equals NetLogon.	Warning
The computer name cannot be mapped to an object in Active Directory - this may result in authentication failures	Event	Active Directory Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5801. Source Name equals NetLogon.	Warning
The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure	Event	Active Directory Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5809. Source Name equals NetLogon.	Warning
The session setup from a machine failed because no trust account exists.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5723. Source Name equals NetLogon.	Warning
The session setup to another domain failed because the domain does not have an account for the computer.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5721. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
The session setup to the domain controller failed because the computer does not have a local security database account.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5720. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator	Event Number equals 5773. Source Name equals NetLogon.	Error

DNS

Active Directory advertises its directory services with DNS using service (SRV) and host address (A) records. Active Directory uses the name resolution services that are provided by DNS to enable clients to locate domain controllers and to enable the domain controllers that host the directory service to communicate with each other.

ADMP monitors DNS with event messages and with the AD DNS Verification script.

The following table lists each rule that ADMP uses to monitor DNS, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
A DNS server used by this server for name resolution did not respond within the timeout interval	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator	Event Number matches Boolean regular expression 11150\|11162. Source Name equals DNSAPI.	Error
A resource record for the computer name of the DC is not registered in the DNS database	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator	Event Number matches Boolean regular expression 11151\|11155\|11163\|11167. Source Name equals DNSAPI.	Error
The DNS server with which this DC will register does not support the dynamic update protocol or the authoritative zone is not configured to allow dynamic updates	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - DC Locator	Event Number matches Boolean regular expression 11152\|11153\|11164\|11165. Source Name equals DNSAPI.	Error
DNS registrations of essential Domain controller records is failing because the Active Directory Domain is a single label domain for Windows 2000 SP 4 and 2003	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory Availability	Event Number equals 20072. Source Name equals AD DNS Verification.	Error

W32Time (Time Synchronization)

The Kerberos authentication protocol gets its time from the domain controller on which it is running, and it uses that time to determine ticket expiration times and to resolve replication conflicts. If a time skew of greater than five minutes exists between domain controllers, Kerberos authentication fails, which causes problems in Active Directory. The Windows Time service (W32Time) synchronizes the time between domain controllers, which prevents time skews from occurring.

ADMP monitors W32Time with the AD Essential Services script.

The following table lists each rule that ADMP uses to monitor W32Time, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
An attempt to shift time by more than 12 hours was aborted	Event	Active Directory Windows 2000 - Active Directory - Timesync	Event Number equals 14. Source Name equals W32Time.	Warning
Time has not synchronized for a long time	Event	Active Directory Windows 2000 - Active Directory - Timesync	Event Number equals 25. Source Name equals W32Time.	Warning
An attempt to set the time was aborted due to the offset being too large	Event	Active Directory Windows Server 2003 -Active Directory - Timesync	Event Number equals 34. Source Name equals W32Time.	Error
No input provider to sync time	Event	Active Directory Windows Server 2003 -Active Directory - Timesync	Event Number equals 21. Source Name equals W32Time.	Error
The system clock has not been synchronized for some time	Event	Active Directory Windows Server 2003 -Active Directory - Timesync	Event Number equals 36. Source Name equals W32Time.	Warning

Kerberos and NTLM

Kerberos is a standards-based authentication protocol that is the preferred authentication method for Windows 2000 and Microsoft Windows® XP clients. NTLM is a legacy authentication protocol that is used by Microsoft Windows® 98 and earlier clients and by Windows NT clients. Kerberos is more secure than NTLM, and it offers delegation abilities that NTLM does not offer. The Kerberos authentication protocol is implemented by the Kerberos Key Distribution Center service.

The following table lists each rule that ADMP uses to monitor Kerberos and the KDC, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Duplicate User Principal Names have been detected	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 11. Source Name equals KDC. Parameter 2 matches regular expression (8)\|(DS_USER_PRINCIPAL_NAME).	Critical Error
Kerberos Key Distribution Center Service (KDC) is not running	Event	Active Directory Windows 2000 and Windows Server 2003 -Active Directory - General	Event Number equals 38903. Event Type equals Error. Source Name equals AD Essential Services Running.	Error
Invalid Policy Data	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 17. Event Type equals Error. Source Name equals KDC.	Error
Change Password on KRBTGT Account Failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 10. Event Type equals Error. Source Name equals KDC.	Error
Corrupt Credentials	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 13. Event Type equals Error. Source Name equals KDC.	Error
Invalid Forwarded AS Request	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 15. Event Type equals Error. Source Name equals KDC.	Error
No Key to Generate Kerberos Ticket	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number matches Boolean regular expression 8\|14\|16. Event Type equals Error. Source Name equals KDC.	Error
PAC Verification Failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 18. Event Type equals Error. Source Name equals KDC.	Error
Policy Update Failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 5. Event Type equals Error. Source Name equals KDC.	Error
Trusted Domain List Update Failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 6. Event Type equals Error. Source Name equals KDC.	Error
Unexpected SAM Failure	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 7. Event Type equals Error. Source Name equals KDC.	Error
Kerberos Key Distribution Center Service (KDC) has resumed running	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - General	Event Number equals 38903. Event Type equals Information. Source Name equals AD Essential Services Running.	Information

Trusts

Trusts are relationships that are established between domains or forests that enable users in one domain or forest to be authenticated by a domain controller in another domain or forest. Trusts allow users in one domain or forest to access resources in a different domain or forest.

On domain controllers running Windows Server 2003, trusts are monitored by the AD Monitor Trusts script. This script does not run on domain controllers running Windows 2000 Server.

The following table lists each rule that ADMP uses to monitor trusts, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
A problem has been detected with the trust relationship between two domains	Event	Active Directory Windows Server 2003 - Active Directory Monitor Trusts	Event Number equals 20083. Source Name equals AD Monitor Trusts.	Error
A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon	Event Number equals 5517. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning

A problem has been detected with the trust relationship between two domains

Event

Active Directory Windows Server 2003 - Active Directory Monitor Trusts

Event Number equals 20083.

Source Name equals AD Monitor Trusts.

Error

A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory - NetLogon

Event Number equals 5517.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

Group Policy

Use the Group Policy rules in ADMP if you do not have Group Policy Management Pack (GPMP) installed. However, if you want to take advantage of the most up-to-date Group Policy monitoring capabilities, install GPMP. If you have both ADMP and GPMP installed, it is recommended that you disable the Group Policy rules that are available in ADMP and use only the rules in GPMP to monitor Group Policy.

The following table lists each rule that ADMP uses to monitor Group Policy, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Cannot process client side group policy extension	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1003. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - cannot connect to the Directory Service	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number matches Boolean regular expression 1005\|1006. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - cannot determine site	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1007. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - reboot this machine	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1035. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - the search for the root AD object failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1008. Source Name equals UserEnv. User Name equals System.	Error
Local group policy is disabled	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1004. Source Name equals UserEnv. User Name equals System.	Error
Unexpected Error applying group policy to machine account	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1000. Source Name equals UserEnv. User Name equals System.	Error
A Group Policy object cannot be found in Active Directory	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1102. Source Name equals UserEnv. User Name equals System.	Warning
A Group Policy Object has not been processed because the filter check could not be performed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1104. Source Name equals UserEnv. User Name equals System.	Warning
A Group Policy Object is corrupt.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1057. Source Name equals UserEnv. User Name equals System.	Warning
Cross-domain Group Policy processing has been aborted because the other domain cannot be reached	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1105. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing aborted because a filter check for the GPO failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1065. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing aborted because the common name for the GPO cannot be accessed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1059. Source Name equals UserEnv. User Name equals System.	Warning
Group policy processing aborted because the GPO does not have a version number	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1060. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted (in planning mode) because the user/computer does not have access to a required object	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1100. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because an invalid class of object was discovered	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1077. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because GPO lists cannot be set up	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1075. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because of an invalid access configuration	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1081. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the extensions from the registry cannot be read	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1066. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the file gpt.ini cannot be accessed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1058. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the GPLink property of an object cannot be accessed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1099. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the GPO does not have a functionality version number	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1072. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the user does not have access to an object	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1101. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because a security check failed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1064. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because historical data cannot be moved from the users old SID to their new one	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1084. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because security cannot be set on Group Policy events	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1094. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the refresh timer cannot be set	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1082. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the search for objects cannot be completed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number matches Boolean regular expression 1079\|1080. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the security ID of the user cannot be obtained	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1078. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the users security ID cannot be written to the registry	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1083. Source Name equals UserEnv. User Name equals System.	Warning
The Group Policy client side extension failed to execute	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1085. Source Name equals UserEnv. User Name equals System.	Warning
The WMI service is disabled. A Group Policy object has not been processed	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1106. Source Name equals UserEnv. User Name equals System.	Warning
There are no domain-based Group Policy objects for this user/computer.	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - UserEnv	Event Number equals 1103. Source Name equals UserEnv. User Name equals System.	Warning

Additional Active Directory Management Pack Rules

In addition to the rules listed earlier in this document, ADMP includes rules that sample performance counters to collect data, and it includes rules that are designed to notify administrators when data that is collected by ADMP is available for viewing. ADMP also includes rules that are generated when an ADMP configuration or run-time error is encountered.

Measuring Rules

Measuring rules sample performance counters and store the performance data in the MOM database. The following table lists each ADMP measuring rule, the rule type, and the rule group to which the rule belongs.

Rule	Rule Type	Rule Group
LDAP Client Sessions	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
LDAP Searches/sec	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
LDAP UDP Operations/sec	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
LDAP Writes/sec	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
LSASS Handle Count	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
LSASS Private Bytes	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
LSASS Total CPU	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
Kerberos Authentications/sec	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory
NTLM Authentications/sec	Measuring	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory

Collection Rules

Collection rules collect events and store the event data in the MOM database.

Note

In general, collection rules are used to generate data for reports, and they do not generate alerts.

The following table lists each ADMP collection rule; the rule type; the rule group to which the rule belongs; and event criteria, including the source and event ID, if applicable.

Rule	Rule Type	Rule Group	Event Criteria
Collection rule for the Replication Collisions Report	Collection	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory	Event Number equals 1233.
Collection rule for the Replication Failures Report	Collection	Active Directory Windows 2000 and Windows Server 2003 - Reporting Rules for Active Directory	Event Number equals any of the following: 1425, 1531, 1075, 1532, 1096, 1014, 1455, 1274, 1098, 1100, 1457, 1077, 1308.
A well known account has been recreated because it did not exist	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16406. Source Name equals SAM.
A well known group has been recreated because it did not exist	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16407. Source Name equals SAM.
Accounts with the same SID have been detected - one has been deleted	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 12303. Source Name equals SAM.
An account cannot be added to the group	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number matches Boolean regular expression 16392\|16394. Source Name equals SAM.
Duplicate account names were detected - one account has been renamed	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 12304. Source Name equals SAM.
Setting the administrators password failed. It has been reset to blank.	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16397. Source Name equals SAM.
This domain controller will not start up because its machine account has been deleted	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - SAM Errors	Event Number equals 16405. Source Name equals SAM.
Account Name Not Unique	Collection	Active Directory Windows 2000 and Windows Server 2003 - Active Directory - KDC	Event Number equals 11. Event Type equals Error. Source Name equals KDC.

General ADMP Rules

ADMP generates certain rules when it encounters a configuration or run-time error. The following table lists each general ADMP rule; the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
Script Based Test Failed to Complete	Event	Active Directory Windows 2000 and Windows Server 2003 - Active Directory General	Event Number equals 21000. Source Name matches wildcard AD*.	Warning
Script Parameters are configured incorrectly	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number equals 20066. Source Name matches wildcard AD*.	Warning
Script success event has been reported	Event	Active Directory Windows 2000 and Windows Server 2003	Event Number matches the Boolean regular expression ^(20099\|38910\|20025\|20026\|20028\|20040)$. Source Name matches wildcard AD*.	Success

Script Based Test Failed to Complete

Event

Active Directory Windows 2000 and Windows Server 2003 - Active Directory General

Event Number equals 21000.

Source Name matches wildcard AD*.

Warning

Script Parameters are configured incorrectly

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number equals 20066.

Source Name matches wildcard AD*.

Warning

Script success event has been reported

Event

Active Directory Windows 2000 and Windows Server 2003

Event Number matches the Boolean regular expression ^(20099|38910|20025|20026|20028|20040)$.

Source Name matches wildcard AD*.

Success

Client-Side Monitoring

In addition to monitoring from the perspective of domain controllers, ADMP also monitors from the perspective of Active Directory clients. The goal of client-side monitoring is to provide a client perspective on the health of Active Directory. ADMP implements client-side monitoring by using workstations or servers in strategic physical locations to assess the responsiveness of Active Directory. ADMP performs scripted directory tasks that mimic common actions that are performed by typical directory clients. The results are reported by the ADMP Client Pack through ADMP alerts and performance data.

You determine which computers to use on your network for client-side monitoring by simply adding those computers to the Active Directory Client Side Monitoring computer group. It is recommended that you deploy client-side monitoring either on or physically near each of your directory-enabled application servers.

The following table lists each rule that ADMP uses for monitoring Active Directory health from the perspective of the client, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
AD Client Pack DC discovery encountered an error - some machines will not be monitored by the client pack	Event	Active Directory Client Side Monitoring	Event Number equals 21006. Source Name equals AD Client Update DCs.	Error
The PDC Emulator cannot be contacted	Event	Active Directory Client Side Monitoring	Event Number equals 21004. Event Type equals Warning. Source Name equals AD Client PDC Response.	Error
There are not enough GCs available	Event	Active Directory Client Side Monitoring	Event Number equals 29002. Event Type equals Error. Source Name AD Client Side GC Availability.	Error
The PDC Emulator has been contacted successfully	Event	Active Directory Client Side Monitoring	Event Number equals 21004. Event Type equals None. Source Name equals AD Client PDC. Response.	Success

ADMP Client Pack Collection Rules

Collection rules collect events and store the event data in the MOM database.

Note

In general, collection rules are used to generate data for reports, and they do not generate alerts.

The following table lists each ADMP client pack collection rule, as well as the rule type; the rule group to which the rule belongs; and event criteria, including the source and event ID, if applicable.

Rule	Rule Type	Rule Group	Event Criteria
AD Client Side PDC Response Event Collection	Collection	Active Directory Client Side Monitoring	Event Number equals 21005. Source Name equals AD Client PDC Response.
AD Client Side Monitoring Event Collection	Collection	Active Directory Client Side Monitoring	Event Number equals 21001. Source Name matches wildcard AD*.

AD Client Side PDC Response Event Collection

Collection

Active Directory Client Side Monitoring

Event Number equals 21005.

Source Name equals AD Client PDC Response.

AD Client Side Monitoring Event Collection

Collection

Active Directory Client Side Monitoring

Event Number equals 21001.

Source Name matches wildcard AD*.

General ADMP Client Pack Rules

The ADMP client pack generates certain rules when it encounters a configuration or run-time error. The following table lists each general ADMP client pack rule, as well as the rule type; the rule group to which the rule belongs; event criteria, including the source and event ID, if applicable; and the event type that is associated with the rule.

Rule	Rule Type	Rule Group	Event Criteria	Event Type
The AD Management Pack does not support the agentless management mode	Event	Active Directory Client Side Monitoring	Event Number equals 20098. Event Type equals None. Source Name matches wildcard AD Client*.	Error
AD Client Side - Script Based Test Failed to Complete	Event	Active Directory Client Side Monitoring	Event Number equals 25001. Source Name matches wildcard AD*.	Warning
AD Client Side - Script Parameters are configured incorrectly	Event	Active Directory Client Side Monitoring	Event Number equals 25003. Source Name matches wildcard AD*.	Warning
AD Client Side - Script Generated Success Event	Event	Active Directory Client Side Monitoring	Event Number equals 25000. Source Name matches wildcard AD*.	Success
AD Client Side Test succeeded after consecutive failures	Event	Active Directory Client Side Monitoring	Event Number equals 21003. Event Type equals Information. Source Name matches wildcard AD*.	Success
AD Client Side Test Failed	Event	Active Directory Client Side Monitoring	Event Number equals 21002. Source Name matches wildcard AD*.	Error

Monitoring Active Directory Health

On This Page

Processing Rules and Operating System Versions

Monitoring Active Directory Components

Interfaces

LDAP

Global catalog

MAPI

Replication Subsystem

SAM

Intersite Messaging

LSASS

Active Directory Database

Database and log files

Lost and found objects

Operations Masters (FSMOs)

Monitoring External Components

SYSVOL

FRS

Net Logon Service and Domain Controller Locator

DNS

W32Time (Time Synchronization)

Kerberos and NTLM

Trusts

Group Policy

Additional Active Directory Management Pack Rules

Measuring Rules

Collection Rules

General ADMP Rules

Client-Side Monitoring

ADMP Client Pack Collection Rules

General ADMP Client Pack Rules

Additional resources