Monitoring Active Directory Health

Article
02/20/2014

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This is part of the Microsoft Active Directory Management Pack Technical Reference guide

Active Directory Management Pack monitors Active Directory, and the external components related to Active Directory, to ensure that their ongoing behavior falls within the bounds of normal, healthy Active Directory behavior. The ADMP definitions for the health of Active Directory and its related component are contained in the more than 400 ready-to-run processing rules that are included with Active Directory Management Pack. After MOM and ADMP are installed, these rules begin to monitor Active Directory and related component behavior immediately and automatically, and they alert you whenever unexpected behavior occurs.

Processing Rules and Operating System Versions

Microsoft Operations Manager 2000 can be used to monitor domain controllers running Windows 2000 Server and domain controllers running Windows Server 2003. Active Directory Management Pack includes processing rules that apply to both Windows 2000 Server and Windows Server 2003, as well as processing rules that apply only to one or the other. ADMP processing rules in rule groups that contain “(Shared)” in the name of the group apply to both operating systems. Processing rules in rule groups that do not contain “(Shared)” in their name, and that reside within the Active Directory Windows .NET (enabled) processing rule group, apply only to domain controllers running Windows Server 2003. Processing rules in rule groups that do not contain “(Shared)” in their name, and that reside within the Active Directory Windows 2000 (enabled) processing rule group, apply only to domain controllers running Windows 2000 Server. MOM applies the appropriate ADMP rules to the appropriate domain controllers automatically, based on the operating system running on each domain controller. No manual configuration is required.

Note: In the MOM console, ADMP refers to “Windows Server 2003” as “Windows .NET.”

Monitoring Active Directory Components

The following sections provide an overview of the Active Directory Management Pack processing rules that are used to monitor each of the Active Directory components, as well as the external components on which Active Directory depends.

Note In addition to the processing rules that are listed in the tables in this section, Active Directory Management Pack includes processing rules that perform ADMP-specific functions. For example, ADMP includes several “Miscellaneous componentname error” processing rules that are designed to monitor for event numbers that are not generated by current operating system versions but may be introduced by future product updates and service packs. In addition, ADMP also includes several “Reportname report available” processing rules that are designed to notify administrators when data collected by ADMP is available for viewing.

Interfaces

This section describes Active Directory Management Pack monitoring of the Active Directory protocol interfaces, which are sometimes referred to as protocol heads.

LDAP and Global Catalog

The LDAP and global catalog protocol interfaces provide the mechanism for communicating with Active Directory, and they are also indicators of Active Directory health. By performing LDAP global catalog binds and searches against a domain controller, Active Directory Management Pack can take a basic measure of Active Directory health. The LDAP and global catalog response time requirements vary by directory-enabled applications, but they are generally on the order of one second.

In addition to monitoring for specific events, ADMP monitors the general responsiveness of the LDAP protocol interface with the AD General Response monitoring script. For more information about this script, see “Appendix A: Active Directory Management Pack Scripts.”

The following table lists the processing rules that ADMP uses to monitor the LDAP protocol interface, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Active Directory Last Bind - Critical Error	Threshold	Active Directory Availability (Shared)	Bind response time is greater than 30 seconds. Object equals ActiveDirectoryMP. Counter equals Active Directory Last Bind.	Critical Error
Active Directory Last Bind - Error	Threshold	Active Directory Availability (Shared)	Bind response time is greater than 15 seconds and less than 30 seconds. Object equals ActiveDirectoryMP. Counter equals Active Directory Last Bind.	Error
An Intersite Messaging service request to modify an LDAP object failed	Event	Active Directory - General (Shared)	Event Number equals 1407. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
LDAP agent cannot open security provider	Event	Active Directory - General (Shared)	Event Number equals 1238. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
LDAP connection closed because maximum connections were exceeded	Event	Active Directory - General (Shared)	Event Number equals 1210. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
The Inter-Site Messaging Service cannot perform a requested LDAP bind operation	Event	Active Directory - General (Shared)	Event Number equals 1824.	Error
The Inter-Site Messaging Service requested to abandon an LDAP notification message	Event	Active Directory - General (Shared)	Directory Service Event ID equals 1823.	Error
LDAP Client Sessions	Measuring	Reporting Rules for Active Directory (Shared)	Not applicable (NA)	NA
LDAP Searches/sec	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA
LDAP UDP Operations/sec	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA
LDAP Writes/sec	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA
Active Directory Last Bind - Warning	Threshold	Active Directory Availability (Shared)	Bind response time is greater than 5 seconds and less than 15 seconds. Object equals ActiveDirectoryMP. Counter equals Active Directory Last Bind.	Warning

In addition to monitoring for specific events, Active Directory Management Pack monitors the health of the global catalog interface with the AD Global Catalog Search Response script. For information about this script, see “Appendix A: Active Directory Management Pack Scripts.”

The following table lists the processing rules that ADMP uses to monitor the global catalog interface, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Global Catalog Search Time - Critical Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Global Catalog Search Time. Response time is greater than 30 seconds.	Critical
AD Global Catalog search failed	Event	Active Directory Availability (Shared)	Event Number equals 21026. Source Name equals AD Global Catalog Search Response	Error
DC is both a Global Catalog and the Infrastructure Update master	Event	Active Directory - General (Shared)	Event Number equals 1419. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Global Catalog Search Time - Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Global Catalog Search Time. Response time is greater than 15 seconds.	Error
The system failed to promote this server into a Global Catalog	Event	Active Directory - General (Shared)	Event Number equals 1790.	Error
Unable to establish connection with any Global Catalog(s)	Event	Active Directory - General (Shared)	Event Number equals 1126. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Global Catalog Search Time - Warning	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Global Catalog Search Time. Response time is greater than 5 seconds.	Warning
This domain controller failed to register as (and will not advertise as) a global catalog (Applies only to Windows Server 2003.)	Event	Active Directory - General	Event Number equals 1992.	Warning

MAPI

No specific health measurements exist for the MAPI interface, and Active Directory Management Pack does not currently include any monitoring rules that are specific to MAPI.

Replication Subsystem

Replication is one of the most important processes in Active Directory; therefore, it is monitored regularly by Active Directory Management Pack. ADMP monitors replication with several monitoring scripts, including AD Replication Monitoring, AD Replication Partner Count, and AD Replication. For more information about these scripts, see “Appendix A: Active Directory Management Pack Scripts.”

In addition, ADMP monitors for specific replication-related events, and it collects replication performance data for several replication-related ADMP reports. The following table lists the processing rules that ADMP uses to monitor replication, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
A domain controller has an extremely high number of replication partners	Event	Active Directory Availability (Shared)	Event Number equals 20081. Event Type equals Error. Source Name equals AD Replication Partner Count.	Error
A lingering object has been detected. Replication has been blocked.	Event	Active Directory - General (Shared)	Event Number equals 1388. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
AD Replication Monitoring - Time skew detected	Event	Active Directory Availability (Shared)	Event Number equals 20063. Source Name equals AD Replication Monitoring.	Error
Certificate for intersite replication was rejected	Event	Active Directory - General (Shared)	Event Number matches Boolean regular expression 1222\|1223. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Direct replication cannot occur as configured	Event	Active Directory - General (Shared)	Event Number equals 1090. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Initial replication after domain controller promotion has not completed	Event	Active Directory Availability (Shared)	Event Number equals 20069. Source Name equals AD Replication Monitoring.	Error
KCC cannot compute a replication path		Active Directory - General (Shared)	Event Number equals .1311. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC cannot compute a replication path	Event	Active Directory - General (Shared)	Event Number equals 1311. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC cannot configure replication topology due to ISM failure	Event	Active Directory - General (Shared)	Event Number equals 1312. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC cannot configure replication topology due to ISM failure	Event	Active Directory - General (Shared)	Event Number equals 1312. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC failed to initialize	Event	Active Directory - General (Shared)	Event Number equals 1008. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC failed to stop	Event	Active Directory - General (Shared)	Event Number equals 1024. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC failed to update replication topology	Event	Active Directory - General (Shared)	Event Number equals 1130. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
KCC is ignoring a replication path because non-intersecting schedules are preventing replication along that path	Event	Active Directory - General (Shared)	Event Number equals 1788.	Error
None of the preferred bridgehead servers can replicate the directory partition	Event	Active Directory - General (Shared)	Event Number equals 1567. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Replication error	Event	Active Directory - General (Shared)	Event Number equals 1694.	Error
Replication has been aborted	Event	Active Directory - General (Shared)	Event Number equals 1791.	Error
Replication is not occurring - All replication partners have failed to synchronize	Event	Active Directory Availability (Shared)	Event Number equals 20064. Source Name equals AD Replication Monitoring.	Error
The AD replication process is unable to continue	Event	Active Directory - General (Shared)	Event Number equals 1107. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
The Knowledge Consistency Checker (KCC) detected an incompatible up-to-dateness vector format (Applies only to Windows Server 2003.)	Event	Active Directory - General	Event Number equals 1910.	Error
The local domain controller has denied a replication attempt on a directory partition. This may pose a security risk. (Applies only to Windows Server 2003.)	Event	Active Directory - General	Event Number equals 1964.	Error
This server cannot process the replication request	Event	Active Directory - General (Shared)	Event Number equals 1700.	Error
This source server failed to add schema information for the mail replication request	Event	Active Directory - General (Shared)	Event Number equals 1701.	Error
A domain controller has an unusually high number of replication partners	Event	Active Directory Availability (Shared)	Event Number equals 20081. Event Type equals Warning. Source Name equals AD Replication Partner Count.	Warning
A domain controller has received a significant number of new replication partners	Event	Active Directory Availability (Shared)	Event Number equals 20082. Source Name equals AD Replication Partner Count.	Warning
A domain controller made a replication request for a writable directory partition that has been denied by the local domain controller (Applies only to Windows Server 2003.)	Event	Active Directory - General	Event Number equals 1977.	Warning
A replication island has been detected. Replication will not occur across the enterprise.	Event	Active Directory Availability (Shared)	Event Number equals 20080. Source Name equals AD Replication Partner Count.	Warning
Active Directory cannot set the replication consistency registry key	Event	Active Directory - General	Event Number equals 2033.	Warning
Active Directory encountered a replication error. Replication will be delayed. (Applies only to Windows Server 2003.)	Event	Active Directory - General	Event Number equals 1958.	Warning
AD Replication is occurring slowly *	Event	Active Directory Availability (Shared)	Event Number equals 20062. Source Name equals AD Replication Monitoring.	Warning
AD Replication Monitoring - Access Denied	Event	Active Directory Availability (Shared)	Event Number equals 20067. Source Name equals AD Replication Monitoring.	Warning
Replication has been stopped with a source (Applies only to Windows Server 2003.)	Event	Active Directory - General	Event Number equals 2042.	Warning
Some replication partners have failed to synchronize	Event	Active Directory Availability (Shared)	Event Number equals 20065. Source Name equals AD Replication Monitoring.	Warning
The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected. (Applies only to Windows Server 2003.)		Active Directory - General	Event Number equals 2002.	Warning
The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected.	Event	Active Directory - General	Event Number equals 2002.	Warning
WMI Replication Provider is not installed - Replication cannot be monitored fully.	Event	Active Directory Availability (Shared)	Event Number equals 20068. Source Name equals AD Replication Monitoring.	Warning
Collection rule for the Replication Collisions Report	Collection	Reporting Rules for Active Directory (Shared)	Event Number equals 1233.	NA
Collection rule for the Replication Failures Report	Collection	Reporting Rules for Active Directory (Shared)	Event Number equals any of the following: 1425, 1531, 1075, 1532, 1096, 1014, 1455, 1274, 1098, 1100, 1457, 1077, 1308.	NA

* This alert can cause an excessive amount of alert traffic in your environment. To quiet this alert, configure alert suppression by clearing the Computer field on the Alert Suppression tab of the rule properties.

SAM

The following table lists the processing rules that Active Directory Management Pack uses to monitor SAM, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
An attempt to check whether group caching is enabled has failed	Event	Active Directory - SAM Errors (Shared)	Event Number equals 12299. Source Name equals SAM.	Error
An attempt to update user credentials failed	Event	Active Directory - SAM Errors (Shared)	Event Number equals 12302. Source Name equals SAM.	Error
Domain Operation Mode has been changed to Native Mode	Event	Active Directory - SAM Errors (Shared)	Event Number equals 16408. Source Name equals SAM.	Information
The domain controller is booting to directory services restore mode	Event	Active Directory - SAM Errors (Shared)	Event Number equals 16652. Source Name equals SAM.	Information
The group caching option has now been properly updated	Event	Active Directory - SAM Errors (Shared)	Event Number equals 12300. Source Name equals SAM.	Information
This domain controller has been promoted to PDC	Event	Active Directory - SAM Errors (Shared)	Event Number equals 12297. Source Name equals SAM.	Information
Account creation will fail on this domain controller until the account identifier pool is obtained	Event	Active Directory - SAM Errors (Shared)	Event Number equals 16643. Source Name equals SAM.	Warning
The account identifier pool for this domain controller cannot be updated	Event	Active Directory - SAM Errors (Shared)	Event Number equals 16641. Source Name equals SAM.	Warning
The DC was unable to obtain the next account-identifier	Event	Active Directory - SAM Errors (Shared)	Event Number equals 16651. Source Name equals SAM.	Warning
The domain controller failed to obtain a new account identifier pool	Event	Active Directory - SAM Errors (Shared)	Event Number equals 16651. Source Name equals SAM.	Warning
A well known account has been recreated because it did not exist	Collection	Active Directory - SAM Errors (Shared)	Event Number equals 16406. Source Name equals SAM.	NA
A well known group has been recreated because it did not exist	Collection	Active Directory - SAM Errors (Shared)	Event Number equals 16407. Source Name equals SAM.	NA
Accounts with the same SID have been detected - one has been deleted	Collection	Active Directory - SAM Errors (Shared)	Event Number equals 12303. Source Name equals SAM.	NA
An account cannot be added to the group	Collection	Active Directory - SAM Errors (Shared)	Event Number matches Boolean regular expression 16392\|16394. Source Name equals SAM.	NA
Duplicate account names were detected - one account has been renamed	Collection	Active Directory - SAM Errors (Shared)	Event Number equals 12304. Source Name equals SAM.	NA
Setting the administrators password failed. It has been reset to blank.	Collection	Active Directory - SAM Errors (Shared)	Event Number equals 16397. Source Name equals SAM.	NA
This domain controller will not start up because its machine account has been deleted	Collection	Active Directory - SAM Errors (Shared)	Event Number equals 16405. Source Name equals SAM.	NA

Intersite Messaging

The following table lists the processing rules that Active Directory Management Pack uses to monitor Intersite Messaging, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Inter-Site Messaging (ISM) Service SMTP Transport plug-in has determined that one or more classes from CDO library are not registered as expected	Event	Active Directory - General (Shared)	Event Number equals 1527. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Inter-Site Messaging (ISM) Service SMTP Transport plug-in has encountered an unexpected error from CDO library	Event	Active Directory - General (Shared)	Event Number equals 1528. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Inter-Site Messaging Service SMTP Transport plug-in failed to bind the event sink ismsink.dll to the SMTP Service	Event	Active Directory - General (Shared)	Event Number equals 1468. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Inter-Site Messaging Service SMTP Transport plug-in failed to register the event sink ismsink.dll	Event	Active Directory - General (Shared)	Event Number equals 1467. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
ISM cannot receive messages	Event	Active Directory - General (Shared)	Event Number equals 1373. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
ISM Request Failure	Event	Active Directory - General (Shared)	Event Number matches any of the following 137[456]. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
ISM transport has been shut down	Event	Active Directory - General (Shared)	Event Number equals 1378. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error

LSASS

Active Directory Management Pack monitors LSASS with the AD CPU Overload script and also by monitoring an LSASS-specific performance counter: Process Private Bytes LSASS 15 minutes. By default, ADMP generates a warning error when average LSASS CPU utilization exceeds 80 percent over 10 samples taken one minute apart.

The following table lists the processing rules that Active Directory Management Pack uses to monitor LSASS, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Group	Criteria	Severity
LSASS Error Messages	Event	Active Directory - General (Shared)	Event Type equals Error. Source Name equals LSASERV.	Error
LSASS running out of virtual address space	Threshold	Active Directory - General (Shared)	LSASS virtual address space exceeds 2000000000 bytes.	Error
The LSASS process is using a high percentage of available CPU time	Event	Active Directory - General (Shared)	Event Number equals 20071. Source Name equals AD CPU Overload.	Warning
LSASS Handle Count	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA
LSASS Private Bytes	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA
LSASS Total CPU	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA

DIT

Active Directory Management Pack contains processing rules for monitoring database and log files in the DIT and for monitoring the quantity of lost and found objects on a domain controller.

Database and Log Files

By default, Active Directory Management Pack monitors the Active Directory database files and log files every 15 minutes for file size, and it monitors free disk space on the hosting volume, using the AD Database and Log File script:

If the database file or log file grows between measurements by more than 20 percent, which represents a fixed percentage in ADMP that cannot be modified, ADMP generates a warning alert.
If the free space on the volume hosting the Active Directory database is not at least 500 megabytes (MB) or 20 percent of current database size, whichever is greater, ADMP generates an error alert.
If the free space on the volume hosting the Active Directory log files is not at least 200 MB or 5 percent of current database size, whichever is greater, ADMP generates an error alert.

The following table lists the processing rules that Active Directory Management Pack uses to monitor database and log files, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Group	Criteria	Severity
The Active Directory database is corrupt	Event	Active Directory - General (Shared)	Event Number equals 404. Source Name equals NTDS ISAM.	Critical
AD cannot update object because the disk containing the database is full	Event	Active Directory Availability (Shared)	Event Number equals 1480. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
AD database is corrupt	Event	Active Directory - General (Shared)	Event Number equals 1017. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Database and Log File Drive Space - Error	Event	Active Directory Availability (Shared)	Event Number equals 20333. Source Name equals AD Database and Log.	Error

Lost and Found Objects

On a domain controller, the Lost and Found container contains Active Directory objects that have been orphaned. Orphaned objects create administrative overhead, because administrators must manually determine what to do with them. The AD Lost and Found Object Count script in Active Directory Management Pack monitors the number of orphaned objects on a domain controller every two hours.

The script generates a warning alert if more than 10 objects exist in the Lost and Found container. The script generates an error alert if more than 100 objects exist in the Lost and Found container.

The following table lists the processing rules that Active Directory Management Pack uses to monitor lost and found objects, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Active Directory Lost Objects - Error	Threshold	Active Directory Availability (Shared)	More than 100 objects exist in the Lost and Found container.	Error
Active Directory Lost Objects - Warning	Threshold	Active Directory Availability (Shared)	More than 10 objects exist in the Lost and Found container.	Warning
Failed to bind to Lost and Found Objects Container	Event	Active Directory Availability (Shared)	Event Number equals 20029. Source Name equals AD Lost and Found Object Count.	Warning

Active Directory Lost Objects - Error

Threshold

Active Directory Availability (Shared)

More than 100 objects exist in the Lost and Found container.

Error

Active Directory Lost Objects - Warning

Threshold

Active Directory Availability (Shared)

More than 10 objects exist in the Lost and Found container.

Warning

Failed to bind to Lost and Found Objects Container

Event

Active Directory Availability (Shared)

Event Number equals 20029.

Source Name equals AD Lost and Found Object Count.

Warning

Operations Masters (FSMOs)

Much of the monitoring of the operations master roles (also known as flexible single master operations (FSMO)) in Active Directory Management Pack occurs in the AD Op Master Response script. By default, this script runs every five minutes to determine if the operations master role holders are responding, and it reports alerts at various levels, depending on whether the role holders are reachable and how quickly they respond.

ADMP also includes the AD Replication Partner Op Master Consistency script for operation master monitoring. This script runs every hour to determine if domain controller replication partners agree on the identity of the role holders, and it generates alerts if domain controllers disagree on the current role holders.

The following table lists the processing rules that Active Directory Management Pack uses to monitor operations masters, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Op Master Domain Naming Last Bind - Critical Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Domain Naming Last Bind. Average response time is greater than 30 seconds.	Critical Error
Op Master Infrastructure Last Bind - Critical Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Infrastructure Last Bind. Average response time is greater than 30 seconds.	Critical Error
Op Master PDC Last Bind - Critical Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master PDC Last Bind. Average response time is greater than 30 seconds.	Critical Error
Op Master RID Last Bind - Critical Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master RID Last Bind. Average response time is greater than 30 seconds.	Critical Error
Op Master Schema Last Bind - Critical Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Schema Last Bind. Average response time is greater than 30 seconds.	Critical Error
DC is both a Global Catalog and the Infrastructure Update master	Event	Active Directory - General (Shared)	Event Number equals 1419. Message DLL equals Ntdsmsg.dll. Provider Name equals Directory Service.	Error
Op Master Domain Naming Last Bind - Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Domain Naming Last Bind. Average response time is greater than 15 seconds.	Error
Op Master Infrastructure Last Bind - Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Infrastructure Last Bind. Average response time is greater than 15 seconds.	Error
Op Master PDC Last Bind - Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master PDC Last Bind. Average response time is greater than 15 seconds.	Error
Op Master RID Last Bind - Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master RID Last Bind. Average response time is greater than 15 seconds.	Error
Op Master Schema Last Bind - Error	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Schema Last Bind. Average response time is greater than 15 seconds.	Error
Failed to ping or bind to the Domain Naming Master FSMO role holder	Event	Active Directory Availability (Shared)	Event Number equals 20003. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the Infrastructure Master FSMO role holder	Event	Active Directory Availability (Shared)	Event Number equals 20007. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the RID Master FSMO role holder	Event	Active Directory Availability (Shared)	Event Number equals 20015. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Failed to ping or bind to the Schema Master FSMO role holder	Event	Active Directory Availability (Shared)	Event Number equals 20019. Event Type equals Warning. Source Name equals AD Op Master Response.	Warning
Op Master Domain Naming Last Bind - Warning	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Domain Naming Last Bind. Average response time is greater than 30 seconds.	Warning
Op Master Infrastructure Last Bind - Warning	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Infrastructure Last Bind. Average response time is greater than 5 seconds.	Warning
Op Master PDC Last Bind - Warning	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master PDC Last Bind. Average response time is greater than 5 seconds.	Warning
Op Master RID Last Bind - Warning	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master RID Last Bind. Average response time is greater than 5 seconds.	Warning
Op Master Schema Last Bind - Warning	Threshold	Active Directory Availability (Shared)	Object equals ActiveDirectoryMP. Counter equals Op Master Schema Last Bind. Average response time is greater than 5 seconds.	Warning
Contacting the Domain Naming FSMO Role Holder has completed successfully	Event	Active Directory Availability (Shared)	Event Number equals 20003. Event Type equals None. Source Name equals AD Op Master Response.	Success
Contacting the Infrastructure FSMO Role Holder has completed successfully	Event	Active Directory Availability (Shared)	Event Number equals 20007. Event Type equals None. Source Name equals AD Op Master Response'	Success
Contacting the PDC FSMO Role Holder has completed successfully	Event	Active Directory Availability (Shared)	Event Number equals 20011. Event Type equals None. Source Name equals AD Op Master Response.	Success
Contacting the RID Master FSMO Role Holder has completed successfully	Event	Active Directory Availability (Shared)	Event Number equals 20015. Event Type equals None. Source Name equals AD Op Master Response.	Success
Contacting the Schema Master FSMO Role Holder has completed successfully	Event	Active Directory Availability (Shared)	Event Number equals 20019. Event Type equals None. Source Name equals AD Op Master Response.	Success

Monitoring External Components

This section describes the Active Directory Management Pack monitoring of components that are external to Active Directory.

SYSVOL

Active Directory Management Pack monitors the SYSVOL volume with the AD Essential Services script. ADMP monitors SYSVOL to make sure that it is available for connection.

The following table lists the processing rules that Active Directory Management Pack uses to monitor SYSVOL, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
A journal wrap error has occurred on the SYSVOL	Event	Active Directory - SYSVOL (Shared)	Event Number equals 13568. Source Name equals NtFrs. Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).	Error
Cannot connect to local SYSVOL share	Event	Active Directory - General (Shared)	Event Number equals 38906. Source Name equals AD Essential Services Running.	Error
FRS has not replicated one or more files in the SYSVOL to other domain controllers	Event	Active Directory - SYSVOL (Shared)	Event Number equals 13569. Source Name equals NtFrs. Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).	Warning

A journal wrap error has occurred on the SYSVOL

Event

Active Directory - SYSVOL (Shared)

Event Number equals 13568.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Error

Cannot connect to local SYSVOL share

Event

Active Directory - General (Shared)

Event Number equals 38906.

Source Name equals AD Essential Services Running.

Error

FRS has not replicated one or more files in the SYSVOL to other domain controllers

Event

Active Directory - SYSVOL (Shared)

Event Number equals 13569.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Warning

FRS

Active Directory Management Pack monitors the status of FRS with the AD Essential Services script and by watching for event IDs from FRS in the event log, including event IDs 13566 and 13569.

The following table lists the processing rules that Active Directory Management Pack uses to monitor FRS, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Processing Rule Group	Criteria	Severity
File Replication Service is not running	Active Directory - General (Shared)	Event Number equals 38901. Event Type equals Error. Source Name equals AD Essential Services Running.	Error
File Replication Service has resumed running	Active Directory - General (Shared)	Event Number equals 38901. Event Type equals Information. Source Name equals AD Essential Services Running.	Information
FRS is scanning the system volume before sharing it	Active Directory - SYSVOL (Shared)	Event Number equals 13566. Source Name equals NtFrs.	Information

File Replication Service is not running

Active Directory - General (Shared)

Event Number equals 38901.

Event Type equals Error.

Source Name equals AD Essential Services Running.

Error

File Replication Service has resumed running

Active Directory - General (Shared)

Event Number equals 38901.

Event Type equals Information.

Source Name equals AD Essential Services Running.

Information

FRS is scanning the system volume before sharing it

Active Directory - SYSVOL (Shared)

Event Number equals 13566.

Source Name equals NtFrs.

Information

NetLogon Service and DC Locator

Active Directory Management Pack monitors the NetLogon service with event messages and with the AD Essential Services script.

The following table lists the processing rules that Active Directory Management Pack uses to monitor NetLogon, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Session setup failed because no trust account exists: Script - AD Validate Server Trust Event	Event	Active Directory - NetLogon (Shared)	Event Number equals 5723. Source Name equals NetLogon.	Critical Error
Security: Two computers involved in a trust relationship have the same machine security identifier (SID). Windows should be re-installed on one of the machines.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5516. Message DLL equals NetMsg.dll. Provider Name equals System.	Error
A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5517. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
An account name collision occurred - this may result in authentication failures (Applies only to Windows Server 2003.)	Event	Active Directory - NetLogon	Event Number equals 5800. Source Name equals NetLogon.	Warning
Global group SERVERS exists and has members. This group defines Lan Manager BDCs in the domain. Lan Manager BDCs are not permitted in Active Directory domains.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5772. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
Manual deregistration of some DNS records is required (Applies only to Windows Server 2003.)	Event	Active Directory - NetLogon	Event Number equals 5808. Source Name equals NetLogon.	Warning
NetLogon cannot register a name	Event	Active Directory - NetLogon (Shared)	Event Number equals 5741. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
No suitable domain controller is available for authentication in this domain (Applies only to Windows Server 2003.)	Event	Active Directory - NetLogon	Event Number equals 5790. Source Name equals NetLogon.	Warning
The computer cannot function properly for authentication purposes (Applies only to Windows Server 2003.)	Event	Active Directory - NetLogon	Event Number equals 5791. Source Name equals NetLogon.	Warning
The computer name cannot be mapped to an object in Active Directory - this may result in authentication failures (Applies only to Windows Server 2003.)	Event	Active Directory - NetLogon	Event Number equals 5801. Source Name equals NetLogon.	Warning
The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure (Applies only to Windows Server 2003.)	Event	Active Directory - NetLogon	Event Number equals 5809. Source Name equals NetLogon.	Warning
The session setup from a machine failed because no trust account exists.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5723. Source Name equals NetLogon.	Warning
The session setup to another domain failed because the domain does not have an account for the computer.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5721. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning
The session setup to the domain controller failed because the computer does not have a local security database account.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5720. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning

DC Locator

DC Locator is a function that is performed by NetLogon, and it is monitored by the AD Essential Services script.

The following table lists the processing rules that Active Directory Management Pack uses to monitor domain controller locator service records, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
One or more of the DC Locator DNS records are not registered in the DNS database	Event	Active Directory - DC Locator (Shared)	Event Number equals 5774. Source Name equals .NetLogon.	Error
One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records	Event	Active Directory - DC Locator (Shared)	Event Number equals 5773. Source Name equals NetLogon.	Error
A DNS server used by this server for name resolution did not respond within the timeout interval	Event	Active Directory - DC Locator (Shared)	Event Number matches Boolean regular expression 11150\|11162. Source Name equals DNSAPI.	Error
A resource record for the computer name of the DC is not registered in the DNS database.	Event	Active Directory - DC Locator (Shared)	Event Number matches Boolean regular expression 11151\|11155 \|11163\|11167. Source Name equals DNSAPI.	Error
One or more of the DC Locator DNS records are not registered in the DNS database	Event	Active Directory - DC Locator (Shared)	Event Number equals 5774. Source Name equals NetLogon.	Error
One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records	Event	Active Directory - DC Locator (Shared)	Event Number equals 5773. Source Name equals NetLogon.	Error
The DNS server with which this DC will register does not support the dynamic update protocol or the authoritative zone is not configured to allow dynamic updates	Event	Active Directory - DC Locator (Shared)	Event Number matches Boolean regular expression 11152\|11153 \|11164\|11165. Source Name equals DNSAPI.	Error

W32Time (Time Synchronization)

W32Time is monitored by the AD Essential Services script.

The following table lists the processing rules that Active Directory Management Pack uses to monitor W32Time, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Network connectivity has prevented time being synchronized (Applies only to Windows Server 2003.)	Alert	Active Directory - Timesync	Event Number equals 64. Source Name equals W32Time.	Warning
An attempt to shift time by more than 12 hours was aborted (Applies only to Windows Server 2003.)	Event	Active Directory - Timesync	Event Number equals 14. Source Name equals W32Time.	Warning
The NTP Server is not synchronized so time has not been set (Applies only to Windows Server 2003.)	Event	Active Directory - Timesync	Event Number equals 12. Source Name equals W32Time.	As configured
The time server returned an unsigned time stamp (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 60. Source Name equals W32Time.	NA
A new DC time source has been located (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 55. Source Name equals W32Time.	NA
gethostbyname failed for specified server (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 52. Source Name equals W32Time.	NA
The domain controller returned an incorrectly signed time stamp (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 56. Source Name equals W32Time.	NA
The time server returned an incorrectly signed time stamp (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 53. Source Name equals W32Time.	NA
The time service can only provide insecure time synchronization with this client (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 60. Source Name equals W32Time.	NA
This DC is a PDC, it should synchronize time from an external source (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 62. Source Name equals W32Time.	NA
Time has been synchronized (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 61. Source Name equals W32Time.	NA
Time was not updated because no DC was available (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 54. Source Name equals W32Time.	NA
The system clock has not been synchronized for some time (Applies only to Windows Server 2003.)	Event	Active Directory - Timesync	Event Number equals 36. Source Name equals W32Time.	Warning
The system clock is unsynchronized (Applies only to Windows Server 2003.)	Event	Active Directory - Timesync	Event Number equals 50. Source Name equals W32Time.	As configured
The Time Service report should be reviewed - possible time synchronization problems have been detected (Applies only to Windows Server 2003.)	Event	Active Directory - Timesync	Event Number matches Boolean regular expression 14\|15\|16\|17\|24\|25\|26\| 27\|28\|29\|35\|43\|47\|48\|49. Source Name equals W32Time.	Information
An error occurred during DNS lookup of a manually configured peer (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number matches Boolean regular expression 16\|17. Source Name equals W32Time.	NA
An error occurred during the DNS lookup of a manually configured peer (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 48. Source Name equals W32Time.	NA
A time source did not respond and has been discarded (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 24. Source Name equals W32Time.	NA
A time source has been chosen (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 35. Source Name equals W32Time.	NA
No time sources are currently accessible (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number matches Boolean regular expression 28\|29. Source Name equals W32Time.	NA
NtpClient cannot determine if the response has a valid signature (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 25. Source Name equals W32Time.	NA
The NtpClient was unable to find a domain controller to use as a time source (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 49. Source Name equals W32Time.	NA
The response from the domain controller may have been tampered with and will be ignored (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number matches Boolean regular expression 26\|27. Source Name equals W32Time.	NA
The time provider returned an error when notified of a network change (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 43. Source Name equals W32Time.	NA
The time source did not respond and has been discarded (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number equals 47. Source Name equals W32Time.	NA
Time service unable to find domain controller to use as time source. (Applies only to Windows Server 2003.)	Collection	Active Directory - Timesync	Event Number matches Boolean regular expression 14\|15. Source Name equals W32Time.	NA

Kerberos and NTLM

The following table lists the processing rules that Active Directory Management Pack uses to monitor Kerberos and KDC, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Duplicate User Principal Names have been detected	Event	Active Directory - KDC (Shared)	Event Number equals 11. Source Name equals KDC. Parameter 2 matches regular expression (8)\|(DS_USER_PRINCIPAL_NAME).	Critical Error
Kerberos Key Distribution Center Service (KDC) is not running	Event	Active Directory - General (Shared)	Event Number equals 38903. Event Type equals Error. Source Name equals AD Essential Services Running.	Error
Invalid Policy Data	Event	Active Directory - KDC (Shared)	Event Number equals 17. Event Type equals Error. Source Name equals KDC.	Error
Change Password on KRBTGT Account Failed	Event	Active Directory - KDC (Shared)	Event Number equals 10. Event Type equals Error. Source Name equals KDC.	Error
Corrupt Credentials	Event	Active Directory - KDC (Shared)	Event Number equals 13. Event Type equals Error. Source Name equals KDC.	Error
Invalid Forwarded AS Request	Event	Active Directory - KDC (Shared)	Event Number equals 15. Event Type equals Error. Source Name equals KDC.	Error
No Key to Generate Kerberos Ticket	Event	Active Directory - KDC (Shared)	Event Number matches Boolean regular expression 8\|14\|16. Event Type equals Error. Source Name equals KDC.	Error
PAC Verification Failure	Event	Active Directory - KDC (Shared)	Event Number equals 18. Event Type equals Error. Source Name equals KDC.	Error
Policy Update Failure	Event	Active Directory - KDC (Shared)	Event Number equals 5. Event Type equals Error. Source Name equals KDC.	Error
Trusted Domain List Update Failure	Event	Active Directory - KDC (Shared)	Event Number equals 6. Event Type equals Error. Source Name equals KDC.	Error
Unexpected SAM Failure	Event	Active Directory - KDC (Shared)	Event Number equals 7. Event Type equals Error. Source Name equals KDC.	Error
Kerberos Key Distribution Center Service (KDC) has resumed running	Event	Active Directory - General (Shared)	Event Number equals 38903. Event Type equals Information. Source Name equals AD Essential Services Running.	Information
Account Name Not Unique	Collection	Active Directory - KDC (Shared)	Event Number equals 11. Event Type equals Error. Source Name equals KDC.	NA
Kerberos Authentications/sec	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA

NTLM

The following table lists the processing rules that Active Directory Management Pack uses to monitor NTLM, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
NTLM Authentications/sec	Measuring	Reporting Rules for Active Directory (Shared)	NA	NA

Trusts

On domain controllers running Windows Server 2003, trusts are monitored by the AD Monitor Trusts script. This script does not run on domain controllers running Windows 2000 Server.

The following table lists the processing rules that Active Directory Management Pack uses to monitor trusts, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
A problem has been detected with the trust relationship between two domains (Applies only to Windows Server 2003.)	Event	Active Directory Monitor Trusts	Event Number equals 20083. Source Name equals AD Monitor Trusts.	Error
A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.	Event	Active Directory - NetLogon (Shared)	Event Number equals 5517. Message DLL equals Netmsg.dll. Provider Name equals System.	Warning

A problem has been detected with the trust relationship between two domains

(Applies only to Windows Server 2003.)

Event

Active Directory Monitor Trusts

Event Number equals 20083.

Source Name equals AD Monitor Trusts.

Error

A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5517.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

Group Policy

The following table lists the processing rules that Active Directory Management Pack uses to monitor Group Policy, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
Cannot process client side group policy extension	Event	Active Directory - UserEnv (Shared)	Event Number equals 1003. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - cannot connect to the Directory Service	Event	Active Directory - UserEnv (Shared)	Event Number matches Boolean regular expression 1005\|1006. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - cannot determine site	Event	Active Directory - UserEnv (Shared)	Event Number equals 1007. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - reboot this machine	Event	Active Directory - UserEnv (Shared)	Event Number equals 1035. Source Name equals UserEnv. User Name equals System.	Error
Group policy processing aborted - the search for the root AD object failed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1008. Source Name equals UserEnv. User Name equals System.	Error
Local group policy is disabled	Event	Active Directory - UserEnv (Shared)	Event Number equals 1004. Source Name equals UserEnv. User Name equals System.	Error
Unexpected Error applying group policy to machine account	Event	Active Directory - UserEnv (Shared)	Event Number equals 1000. Source Name equals UserEnv. User Name equals System.	Error
A Group Policy object cannot be found in Active Directory	Event	Active Directory - UserEnv (Shared)	Event Number equals 1102. Source Name equals UserEnv. User Name equals System.	Warning
A Group Policy Object has not been processed because the filter check could not be performed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1104. Source Name equals UserEnv. User Name equals System.	Warning
A Group Policy Object is corrupt.	Event	Active Directory - UserEnv (Shared)	Event Number equals 1057. Source Name equals UserEnv. User Name equals System.	Warning
Cross-domain Group Policy processing has been aborted because the other domain cannot be reached	Event	Active Directory - UserEnv (Shared)	Event Number equals 1105. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing aborted because a filter check for the GPO failed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1065. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing aborted because the common name for the GPO cannot be accessed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1059. Source Name equals UserEnv. User Name equals System.	Warning
Group policy processing aborted because the GPO does not have a version number	Event	Active Directory - UserEnv (Shared)	Event Number equals 1060. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted (in planning mode) because the user/computer does not have access to a required object	Event	Active Directory - UserEnv (Shared)	Event Number equals 1100. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because an invalid class of object was discovered	Event	Active Directory - UserEnv (Shared)	Event Number equals 1077. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because GPO lists cannot be set up	Event	Active Directory - UserEnv (Shared)	Event Number equals 1075. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because of an invalid access configuration	Event	Active Directory - UserEnv (Shared)	Event Number equals 1081. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the extensions from the registry cannot be read	Event	Active Directory - UserEnv (Shared)	Event Number equals 1066. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the file gpt.ini cannot be accessed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1058. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the GPLink property of an object cannot be accessed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1099. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the GPO does not have a functionality version number	Event	Active Directory - UserEnv (Shared)	Event Number equals 1072. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing has been aborted because the user does not have access to an object	Event	Active Directory - UserEnv (Shared)	Event Number equals 1101. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because a security check failed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1064. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because historical data cannot be moved from the users old SID to their new one	Event	Active Directory - UserEnv (Shared)	Event Number equals 1084. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because security cannot be set on Group Policy events	Event	Active Directory - UserEnv (Shared)	Event Number equals 1094. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the refresh timer cannot be set	Event	Active Directory - UserEnv (Shared)	Event Number equals 1082. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the search for objects cannot be completed	Event	Active Directory - UserEnv (Shared)	Event Number matches Boolean regular expression 1079\|1080. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the security ID of the user cannot be obtained	Event	Active Directory - UserEnv (Shared)	Event Number equals 1078. Source Name equals UserEnv. User Name equals System.	Warning
Group Policy processing was aborted because the users security ID cannot be written to the registry	Event	Active Directory - UserEnv (Shared)	Event Number equals 1083. Source Name equals UserEnv. User Name equals System.	Warning
The Group Policy client side extension failed to execute	Event	Active Directory - UserEnv (Shared)	Event Number equals 1085. Source Name equals UserEnv. User Name equals System.	Warning
The WMI service is disabled. A Group Policy object has not been processed	Event	Active Directory - UserEnv (Shared)	Event Number equals 1106. Source Name equals UserEnv. User Name equals System.	Warning
There are no domain-based Group Policy objects for this user/computer.	Event	Active Directory - UserEnv (Shared)	Event Number equals 1103. Source Name equals UserEnv. User Name equals System.	Warning

Client-Side Monitoring

In addition to monitoring from the perspective of domain controllers, Active Directory Management Pack also monitors from the perspective of directory clients. The goal of client-side monitoring is to provide a client perspective on the health of Active Directory. ADMP implements client-side monitoring by using workstations or servers in strategic physical locations as “probes,” or ADMP agents. These monitoring agents perform scripted directory tasks that mimic common actions performed by typical directory clients. The directory service results that are experienced by the ADMP agents are reported through ADMP alerts and performance, just as they are with monitored domain controllers.

You determine which computers on your network to use for client-side monitoring by simply adding those computers to the Active Directory Client Side Monitoring computer group. It is recommended that you have a computer for client-side monitoring physically near each of your directory-enabled application servers.

Active Directory Management Pack includes the processing rules in the following table for monitoring Active Directory health from the perspective of the client, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule	Rule Type	Processing Rule Group	Criteria	Severity
AD Client Pack DC discovery encountered an error - some machines will not be monitored by the client pack	Event	Active Directory Client Side Monitoring	Event Number equals 21006. Source Name equals AD Client Update DCs.	Error
AD Client Side Test Failed	Event	Active Directory Client Side Monitoring	Event Number equals 21002. Source Name matches wildcard AD*.	Error
The PDC Emulator cannot be contacted	Event	Active Directory Client Side Monitoring	Event Number equals 21004. Event Type equals Warning. Source Name equals AD Client PDC Response.	Error
AD Client Side - Script Based Test Failed to Complete	Event	Active Directory Client Side Monitoring	Event Number equals 25001. Source Name matches wildcard AD*.	Warning
AD Client Side - Script Parameters are configured incorrectly	Event	Active Directory Client Side Monitoring	Event Number equals 25003. Source Name matches wildcard AD*.	Warning
AD Client Side PDC Response Event Collection	Collection	Active Directory Client Side Monitoring	Event Number equals 21005. Source Name equals AD Client PDC Response.	NA
AD Client Side Monitoring Event Collection	Collection	Active Directory Client Side Monitoring	Event Number equals 21001. Source Name matches wildcard AD*.	NA
AD Client Side - Script Generated Success Event	Event	Active Directory Client Side Monitoring	Event Number equals 25000. Source Name matches wildcard AD*.	Success
AD Client Side Test succeeded after consecutive failures	Event	Active Directory Client Side Monitoring	Event Number equals 21003. Event Type equals Information. Source Name matches wildcard AD*.	Success
The PDC Emulator has been contacted successfully	Event	Active Directory Client Side Monitoring	Event Number equals 21004. Event Type equals None. Source Name equals AD Client PDC Response.	Success

AI Skills Fest

Share via

Monitoring Active Directory Health

On This Page

Processing Rules and Operating System Versions

Monitoring Active Directory Components

Monitoring External Components

Client-Side Monitoring

Additional resources