Export (0) Print
Expand All

Monitoring Active Directory Health

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This is part of the Microsoft Active Directory Management Pack Technical Reference guide

Active Directory Management Pack monitors Active Directory, and the external components related to Active Directory, to ensure that their ongoing behavior falls within the bounds of normal, healthy Active Directory behavior. The ADMP definitions for the health of Active Directory and its related component are contained in the more than 400 ready-to-run processing rules that are included with Active Directory Management Pack. After MOM and ADMP are installed, these rules begin to monitor Active Directory and related component behavior immediately and automatically, and they alert you whenever unexpected behavior occurs.

On This Page

Processing Rules and Operating System Versions
Monitoring Active Directory Components
Monitoring External Components
Client-Side Monitoring

Processing Rules and Operating System Versions

Microsoft Operations Manager 2000 can be used to monitor domain controllers running Windows 2000 Server and domain controllers running Windows Server 2003. Active Directory Management Pack includes processing rules that apply to both Windows 2000 Server and Windows Server 2003, as well as processing rules that apply only to one or the other. ADMP processing rules in rule groups that contain “(Shared)” in the name of the group apply to both operating systems. Processing rules in rule groups that do not contain “(Shared)” in their name, and that reside within the Active Directory Windows .NET (enabled) processing rule group, apply only to domain controllers running Windows Server 2003. Processing rules in rule groups that do not contain “(Shared)” in their name, and that reside within the Active Directory Windows 2000 (enabled) processing rule group, apply only to domain controllers running Windows 2000 Server. MOM applies the appropriate ADMP rules to the appropriate domain controllers automatically, based on the operating system running on each domain controller. No manual configuration is required.

Note: In the MOM console, ADMP refers to “Windows Server 2003” as “Windows .NET.”

Monitoring Active Directory Components

The following sections provide an overview of the Active Directory Management Pack processing rules that are used to monitor each of the Active Directory components, as well as the external components on which Active Directory depends.

Note In addition to the processing rules that are listed in the tables in this section, Active Directory Management Pack includes processing rules that perform ADMP-specific functions. For example, ADMP includes several “Miscellaneous componentname error” processing rules that are designed to monitor for event numbers that are not generated by current operating system versions but may be introduced by future product updates and service packs. In addition, ADMP also includes several “Reportname report available” processing rules that are designed to notify administrators when data collected by ADMP is available for viewing.

Interfaces

This section describes Active Directory Management Pack monitoring of the Active Directory protocol interfaces, which are sometimes referred to as protocol heads.

LDAP and Global Catalog

The LDAP and global catalog protocol interfaces provide the mechanism for communicating with Active Directory, and they are also indicators of Active Directory health. By performing LDAP global catalog binds and searches against a domain controller, Active Directory Management Pack can take a basic measure of Active Directory health. The LDAP and global catalog response time requirements vary by directory-enabled applications, but they are generally on the order of one second.

In addition to monitoring for specific events, ADMP monitors the general responsiveness of the LDAP protocol interface with the AD General Response monitoring script. For more information about this script, see “Appendix A: Active Directory Management Pack Scripts.”

The following table lists the processing rules that ADMP uses to monitor the LDAP protocol interface, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Active Directory Last Bind - Critical Error

Threshold

Active Directory Availability (Shared)

Bind response time is greater than 30 seconds.

Object equals ActiveDirectoryMP.

Counter equals Active Directory Last Bind.

Critical Error

Active Directory Last Bind - Error

Threshold

Active Directory Availability (Shared)

Bind response time is greater than 15 seconds and less than 30 seconds.

Object equals ActiveDirectoryMP.

Counter equals Active Directory Last Bind.

Error

An Intersite Messaging service request to modify an LDAP object failed

Event

Active Directory - General (Shared)

Event Number equals 1407.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

LDAP agent cannot open security provider

Event

Active Directory - General (Shared)

Event Number equals 1238.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

LDAP connection closed because maximum connections were exceeded

Event

Active Directory - General (Shared)

Event Number equals 1210.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

The Inter-Site Messaging Service cannot perform a requested LDAP bind operation

Event

Active Directory - General (Shared)

Event Number equals 1824.

Error

The Inter-Site Messaging Service requested to abandon an LDAP notification message

Event

Active Directory - General (Shared)

Directory Service Event ID equals 1823.

Error

LDAP Client Sessions

Measuring

Reporting Rules for Active Directory (Shared)

Not applicable (NA)

NA

LDAP Searches/sec

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

LDAP UDP Operations/sec

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

LDAP Writes/sec

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

Active Directory Last Bind - Warning

Threshold

Active Directory Availability (Shared)

Bind response time is greater than 5 seconds and less than 15 seconds.

Object equals ActiveDirectoryMP.

Counter equals Active Directory Last Bind.

Warning

In addition to monitoring for specific events, Active Directory Management Pack monitors the health of the global catalog interface with the AD Global Catalog Search Response script. For information about this script, see “Appendix A: Active Directory Management Pack Scripts.”

The following table lists the processing rules that ADMP uses to monitor the global catalog interface, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Global Catalog Search Time - Critical Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Global Catalog Search Time.

Response time is greater than 30 seconds.

Critical

AD Global Catalog search failed

Event

Active Directory Availability (Shared)

Event Number equals 21026.

Source Name equals AD Global Catalog Search Response

Error

DC is both a Global Catalog and the Infrastructure Update master

Event

Active Directory - General (Shared)

Event Number equals 1419.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Global Catalog Search Time - Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Global Catalog Search Time.

Response time is greater than 15 seconds.

Error

The system failed to promote this server into a Global Catalog

Event

Active Directory - General (Shared)

Event Number equals 1790.

Error

Unable to establish connection with any Global Catalog(s)

Event

Active Directory - General (Shared)

Event Number equals 1126.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Global Catalog Search Time - Warning

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Global Catalog Search Time.

Response time is greater than 5 seconds.

Warning

This domain controller failed to register as (and will not advertise as) a global catalog

(Applies only to Windows Server 2003.)

Event

Active Directory - General

Event Number equals 1992.

Warning

MAPI

No specific health measurements exist for the MAPI interface, and Active Directory Management Pack does not currently include any monitoring rules that are specific to MAPI.

Replication Subsystem

Replication is one of the most important processes in Active Directory; therefore, it is monitored regularly by Active Directory Management Pack. ADMP monitors replication with several monitoring scripts, including AD Replication Monitoring, AD Replication Partner Count, and AD Replication. For more information about these scripts, see “Appendix A: Active Directory Management Pack Scripts.”

In addition, ADMP monitors for specific replication-related events, and it collects replication performance data for several replication-related ADMP reports. The following table lists the processing rules that ADMP uses to monitor replication, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

A domain controller has an extremely high number of replication partners

Event

Active Directory Availability (Shared)

Event Number equals 20081.

Event Type equals Error.

Source Name equals AD Replication Partner Count.

Error

A lingering object has been detected. Replication has been blocked.

Event

Active Directory - General (Shared)

Event Number equals 1388.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

AD Replication Monitoring - Time skew detected

Event

Active Directory Availability (Shared)

Event Number equals 20063.

Source Name equals AD Replication Monitoring.

Error

Certificate for intersite replication was rejected

Event

Active Directory - General (Shared)

Event Number matches Boolean regular expression 1222|1223.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Direct replication cannot occur as configured

Event

Active Directory - General (Shared)

Event Number equals 1090.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Initial replication after domain controller promotion has not completed

Event

Active Directory Availability (Shared)

Event Number equals 20069.

Source Name equals AD Replication Monitoring.

Error

KCC cannot compute a replication path

 

Active Directory - General (Shared)

Event Number equals .1311.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC cannot compute a replication path

Event

Active Directory - General (Shared)

Event Number equals 1311.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC cannot configure replication topology due to ISM failure

Event

Active Directory - General (Shared)

Event Number equals 1312.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC cannot configure replication topology due to ISM failure

Event

Active Directory - General (Shared)

Event Number equals 1312.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC failed to initialize

Event

Active Directory - General (Shared)

Event Number equals 1008.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC failed to stop

Event

Active Directory - General (Shared)

Event Number equals 1024.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC failed to update replication topology

Event

Active Directory - General (Shared)

Event Number equals 1130.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

KCC is ignoring a replication path because non-intersecting schedules are preventing replication along that path

Event

Active Directory - General (Shared)

Event Number equals 1788.

Error

None of the preferred bridgehead servers can replicate the directory partition

Event

Active Directory - General (Shared)

Event Number equals 1567.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Replication error

Event

Active Directory - General (Shared)

Event Number equals 1694.

Error

Replication has been aborted

Event

Active Directory - General (Shared)

Event Number equals 1791.

Error

Replication is not occurring - All replication partners have failed to synchronize

Event

Active Directory Availability (Shared)

Event Number equals 20064.

Source Name equals AD Replication Monitoring.

Error

The AD replication process is unable to continue

Event

Active Directory - General (Shared)

Event Number equals 1107.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

The Knowledge Consistency Checker (KCC) detected an incompatible up-to-dateness vector format

(Applies only to Windows Server 2003.)

Event

Active Directory - General

Event Number equals 1910.

Error

The local domain controller has denied a replication attempt on a directory partition. This may pose a security risk.

(Applies only to Windows Server 2003.)

Event

Active Directory - General

Event Number equals 1964.

Error

This server cannot process the replication request

Event

Active Directory - General (Shared)

Event Number equals 1700.

Error

This source server failed to add schema information for the mail replication request

Event

Active Directory - General (Shared)

Event Number equals 1701.

Error

A domain controller has an unusually high number of replication partners

Event

Active Directory Availability (Shared)

Event Number equals 20081.

Event Type equals Warning.

Source Name equals AD Replication Partner Count.

Warning

A domain controller has received a significant number of new replication partners

Event

Active Directory Availability (Shared)

Event Number equals 20082.

Source Name equals AD Replication Partner Count.

Warning

A domain controller made a replication request for a writable directory partition that has been denied by the local domain controller

(Applies only to Windows Server 2003.)

Event

Active Directory - General

Event Number equals 1977.

Warning

A replication island has been detected. Replication will not occur across the enterprise.

Event

Active Directory Availability (Shared)

Event Number equals 20080.

Source Name equals AD Replication Partner Count.

Warning

Active Directory cannot set the replication consistency registry key

Event

Active Directory - General

Event Number equals 2033.

Warning

Active Directory encountered a replication error. Replication will be delayed.

(Applies only to Windows Server 2003.)

Event

Active Directory - General

Event Number equals 1958.

Warning

AD Replication is occurring slowly *

Event

Active Directory Availability (Shared)

Event Number equals 20062.

Source Name equals AD Replication Monitoring.

Warning

AD Replication Monitoring - Access Denied

Event

Active Directory Availability (Shared)

Event Number equals 20067.

Source Name equals AD Replication Monitoring.

Warning

Replication has been stopped with a source

(Applies only to Windows Server 2003.)

Event

Active Directory - General

Event Number equals 2042.

Warning

Some replication partners have failed to synchronize

Event

Active Directory Availability (Shared)

Event Number equals 20065.

Source Name equals AD Replication Monitoring.

Warning

The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected.

(Applies only to Windows Server 2003.)

 

Active Directory - General

Event Number equals 2002.

Warning

The Knowledge Consistency Checker (KCC) cannot run successfully. Replication may be affected.

Event

Active Directory - General

Event Number equals 2002.

Warning

WMI Replication Provider is not installed - Replication cannot be monitored fully.

Event

Active Directory Availability (Shared)

Event Number equals 20068.

Source Name equals AD Replication Monitoring.

Warning

Collection rule for the Replication Collisions Report

Collection

Reporting Rules for Active Directory (Shared)

Event Number equals 1233.

NA

Collection rule for the Replication Failures Report

Collection

Reporting Rules for Active Directory (Shared)

Event Number equals any of the following: 1425, 1531, 1075, 1532, 1096, 1014, 1455, 1274, 1098, 1100, 1457, 1077, 1308.

NA

* This alert can cause an excessive amount of alert traffic in your environment. To quiet this alert, configure alert suppression by clearing the Computer field on the Alert Suppression tab of the rule properties.

SAM

The following table lists the processing rules that Active Directory Management Pack uses to monitor SAM, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

An attempt to check whether group caching is enabled has failed

Event

Active Directory - SAM Errors (Shared)

Event Number equals 12299.

Source Name equals SAM.

Error

An attempt to update user credentials failed

Event

Active Directory - SAM Errors (Shared)

Event Number equals 12302.

Source Name equals SAM.

Error

Domain Operation Mode has been changed to Native Mode

Event

Active Directory - SAM Errors (Shared)

Event Number equals 16408.

Source Name equals SAM.

Information

The domain controller is booting to directory services restore mode

Event

Active Directory - SAM Errors (Shared)

Event Number equals 16652.

Source Name equals SAM.

Information

The group caching option has now been properly updated

Event

Active Directory - SAM Errors (Shared)

Event Number equals 12300.

Source Name equals SAM.

Information

This domain controller has been promoted to PDC

Event

Active Directory - SAM Errors (Shared)

Event Number equals 12297.

Source Name equals SAM.

Information

Account creation will fail on this domain controller until the account identifier pool is obtained

Event

Active Directory - SAM Errors (Shared)

Event Number equals 16643.

Source Name equals SAM.

Warning

The account identifier pool for this domain controller cannot be updated

Event

Active Directory - SAM Errors (Shared)

Event Number equals 16641.

Source Name equals SAM.

Warning

The DC was unable to obtain the next account-identifier

Event

Active Directory - SAM Errors (Shared)

Event Number equals 16651.

Source Name equals SAM.

Warning

The domain controller failed to obtain a new account identifier pool

Event

Active Directory - SAM Errors (Shared)

Event Number equals 16651.

Source Name equals SAM.

Warning

A well known account has been recreated because it did not exist

Collection

Active Directory - SAM Errors (Shared)

Event Number equals 16406.

Source Name equals SAM.

NA

A well known group has been recreated because it did not exist

Collection

Active Directory - SAM Errors (Shared)

Event Number equals 16407.

Source Name equals SAM.

NA

Accounts with the same SID have been detected - one has been deleted

Collection

Active Directory - SAM Errors (Shared)

Event Number equals 12303.

Source Name equals SAM.

NA

An account cannot be added to the group

Collection

Active Directory - SAM Errors (Shared)

Event Number matches Boolean regular expression 16392|16394.

Source Name equals SAM.

NA

Duplicate account names were detected - one account has been renamed

Collection

Active Directory - SAM Errors (Shared)

Event Number equals 12304.

Source Name equals SAM.

NA

Setting the administrators password failed. It has been reset to blank.

Collection

Active Directory - SAM Errors (Shared)

Event Number equals 16397.

Source Name equals SAM.

NA

This domain controller will not start up because its machine account has been deleted

Collection

Active Directory - SAM Errors (Shared)

Event Number equals 16405.

Source Name equals SAM.

NA

Intersite Messaging

The following table lists the processing rules that Active Directory Management Pack uses to monitor Intersite Messaging, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Inter-Site Messaging (ISM) Service SMTP Transport plug-in has determined that one or more classes from CDO library are not registered as expected

Event

Active Directory - General (Shared)

Event Number equals 1527.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Inter-Site Messaging (ISM) Service SMTP Transport plug-in has encountered an unexpected error from CDO library

Event

Active Directory - General (Shared)

Event Number equals 1528.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Inter-Site Messaging Service SMTP Transport plug-in failed to bind the event sink ismsink.dll to the SMTP Service

Event

Active Directory - General (Shared)

Event Number equals 1468.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Inter-Site Messaging Service SMTP Transport plug-in failed to register the event sink ismsink.dll

Event

Active Directory - General (Shared)

Event Number equals 1467.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

ISM cannot receive messages

Event

Active Directory - General (Shared)

Event Number equals 1373.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

ISM Request Failure

Event

Active Directory - General (Shared)

Event Number matches any of the following 137[456].

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

ISM transport has been shut down

Event

Active Directory - General (Shared)

Event Number equals 1378.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

LSASS

Active Directory Management Pack monitors LSASS with the AD CPU Overload script and also by monitoring an LSASS-specific performance counter: Process Private Bytes LSASS 15 minutes. By default, ADMP generates a warning error when average LSASS CPU utilization exceeds 80 percent over 10 samples taken one minute apart.

The following table lists the processing rules that Active Directory Management Pack uses to monitor LSASS, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Group

Criteria

Severity

LSASS Error Messages

Event

Active Directory - General (Shared)

Event Type equals Error.

Source Name equals LSASERV.

Error

LSASS running out of virtual address space

Threshold

Active Directory - General (Shared)

LSASS virtual address space exceeds 2000000000 bytes.

Error

The LSASS process is using a high percentage of available CPU time

Event

Active Directory - General (Shared)

Event Number equals 20071.

Source Name equals AD CPU Overload.

Warning

LSASS Handle Count

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

LSASS Private Bytes

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

LSASS Total CPU

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

DIT

Active Directory Management Pack contains processing rules for monitoring database and log files in the DIT and for monitoring the quantity of lost and found objects on a domain controller.

Database and Log Files

By default, Active Directory Management Pack monitors the Active Directory database files and log files every 15 minutes for file size, and it monitors free disk space on the hosting volume, using the AD Database and Log File script:

  • If the database file or log file grows between measurements by more than 20 percent, which represents a fixed percentage in ADMP that cannot be modified, ADMP generates a warning alert.

  • If the free space on the volume hosting the Active Directory database is not at least 500 megabytes (MB) or 20 percent of current database size, whichever is greater, ADMP generates an error alert.

  • If the free space on the volume hosting the Active Directory log files is not at least 200 MB or 5 percent of current database size, whichever is greater, ADMP generates an error alert.

The following table lists the processing rules that Active Directory Management Pack uses to monitor database and log files, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Group

Criteria

Severity

The Active Directory database is corrupt

Event

Active Directory - General (Shared)

Event Number equals 404.

Source Name equals NTDS ISAM.

Critical

AD cannot update object because the disk containing the database is full

Event

Active Directory Availability (Shared)

Event Number equals 1480.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

AD database is corrupt

Event

Active Directory - General (Shared)

Event Number equals 1017.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Database and Log File Drive Space - Error

Event

Active Directory Availability (Shared)

Event Number equals 20333.

Source Name equals AD Database and Log.

Error

Lost and Found Objects

On a domain controller, the Lost and Found container contains Active Directory objects that have been orphaned. Orphaned objects create administrative overhead, because administrators must manually determine what to do with them. The AD Lost and Found Object Count script in Active Directory Management Pack monitors the number of orphaned objects on a domain controller every two hours.

The script generates a warning alert if more than 10 objects exist in the Lost and Found container. The script generates an error alert if more than 100 objects exist in the Lost and Found container.

The following table lists the processing rules that Active Directory Management Pack uses to monitor lost and found objects, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Active Directory Lost Objects - Error

Threshold

Active Directory Availability (Shared)

More than 100 objects exist in the Lost and Found container.

Error

Active Directory Lost Objects - Warning

Threshold

Active Directory Availability (Shared)

More than 10 objects exist in the Lost and Found container.

Warning

Failed to bind to Lost and Found Objects Container

Event

Active Directory Availability (Shared)

Event Number equals 20029.

Source Name equals AD Lost and Found Object Count.

Warning

Operations Masters (FSMOs)

Much of the monitoring of the operations master roles (also known as flexible single master operations (FSMO)) in Active Directory Management Pack occurs in the AD Op Master Response script. By default, this script runs every five minutes to determine if the operations master role holders are responding, and it reports alerts at various levels, depending on whether the role holders are reachable and how quickly they respond.

ADMP also includes the AD Replication Partner Op Master Consistency script for operation master monitoring. This script runs every hour to determine if domain controller replication partners agree on the identity of the role holders, and it generates alerts if domain controllers disagree on the current role holders.

The following table lists the processing rules that Active Directory Management Pack uses to monitor operations masters, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Op Master Domain Naming Last Bind - Critical Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Domain Naming Last Bind.

Average response time is greater than 30 seconds.

Critical Error

Op Master Infrastructure Last Bind - Critical Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Infrastructure Last Bind.

Average response time is greater than 30 seconds.

Critical Error

Op Master PDC Last Bind - Critical Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master PDC Last Bind.

Average response time is greater than 30 seconds.

Critical Error

Op Master RID Last Bind - Critical Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master RID Last Bind.

Average response time is greater than 30 seconds.

Critical Error

Op Master Schema Last Bind - Critical Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Schema Last Bind.

Average response time is greater than 30 seconds.

Critical Error

DC is both a Global Catalog and the Infrastructure Update master

Event

Active Directory - General (Shared)

Event Number equals 1419.

Message DLL equals Ntdsmsg.dll.

Provider Name equals Directory Service.

Error

Op Master Domain Naming Last Bind - Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Domain Naming Last Bind.

Average response time is greater than 15 seconds.

Error

Op Master Infrastructure Last Bind - Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Infrastructure Last Bind.

Average response time is greater than 15 seconds.

Error

Op Master PDC Last Bind - Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master PDC Last Bind.

Average response time is greater than 15 seconds.

Error

Op Master RID Last Bind - Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master RID Last Bind.

Average response time is greater than 15 seconds.

Error

Op Master Schema Last Bind - Error

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Schema Last Bind.

Average response time is greater than 15 seconds.

Error

Failed to ping or bind to the Domain Naming Master FSMO role holder

Event

Active Directory Availability (Shared)

Event Number equals 20003.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the Infrastructure Master FSMO role holder

Event

Active Directory Availability (Shared)

Event Number equals 20007.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the RID Master FSMO role holder

Event

Active Directory Availability (Shared)

Event Number equals 20015.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Failed to ping or bind to the Schema Master FSMO role holder

Event

Active Directory Availability (Shared)

Event Number equals 20019.

Event Type equals Warning.

Source Name equals AD Op Master Response.

Warning

Op Master Domain Naming Last Bind - Warning

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Domain Naming Last Bind.

Average response time is greater than 30 seconds.

Warning

Op Master Infrastructure Last Bind - Warning

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Infrastructure Last Bind.

Average response time is greater than 5 seconds.

Warning

Op Master PDC Last Bind - Warning

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master PDC Last Bind.

Average response time is greater than 5 seconds.

Warning

Op Master RID Last Bind - Warning

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master RID Last Bind.

Average response time is greater than 5 seconds.

Warning

Op Master Schema Last Bind - Warning

Threshold

Active Directory Availability (Shared)

Object equals ActiveDirectoryMP.

Counter equals Op Master Schema Last Bind.

Average response time is greater than 5 seconds.

Warning

Contacting the Domain Naming FSMO Role Holder has completed successfully

Event

Active Directory Availability (Shared)

Event Number equals 20003.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Contacting the Infrastructure FSMO Role Holder has completed successfully

Event

Active Directory Availability (Shared)

Event Number equals 20007.

Event Type equals None.

Source Name equals AD Op Master Response'

Success

Contacting the PDC FSMO Role Holder has completed successfully

Event

Active Directory Availability (Shared)

Event Number equals 20011.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Contacting the RID Master FSMO Role Holder has completed successfully

Event

Active Directory Availability (Shared)

Event Number equals 20015.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Contacting the Schema Master FSMO Role Holder has completed successfully

Event

Active Directory Availability (Shared)

Event Number equals 20019.

Event Type equals None.

Source Name equals AD Op Master Response.

Success

Monitoring External Components

This section describes the Active Directory Management Pack monitoring of components that are external to Active Directory.

SYSVOL

Active Directory Management Pack monitors the SYSVOL volume with the AD Essential Services script. ADMP monitors SYSVOL to make sure that it is available for connection.

The following table lists the processing rules that Active Directory Management Pack uses to monitor SYSVOL, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

A journal wrap error has occurred on the SYSVOL

Event

Active Directory - SYSVOL (Shared)

Event Number equals 13568.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Error

Cannot connect to local SYSVOL share

Event

Active Directory - General (Shared)

Event Number equals 38906.

Source Name equals AD Essential Services Running.

Error

FRS has not replicated one or more files in the SYSVOL to other domain controllers

Event

Active Directory - SYSVOL (Shared)

Event Number equals 13569.

Source Name equals NtFrs.

Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE).

Warning

FRS

Active Directory Management Pack monitors the status of FRS with the AD Essential Services script and by watching for event IDs from FRS in the event log, including event IDs 13566 and 13569.

The following table lists the processing rules that Active Directory Management Pack uses to monitor FRS, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

File Replication Service is not running

 

Active Directory - General (Shared)

Event Number equals 38901.

Event Type equals Error.

Source Name equals AD Essential Services Running.

Error

File Replication Service has resumed running

 

Active Directory - General (Shared)

Event Number equals 38901.

Event Type equals Information.

Source Name equals AD Essential Services Running.

Information

FRS is scanning the system volume before sharing it

 

Active Directory - SYSVOL (Shared)

Event Number equals 13566.

Source Name equals NtFrs.

Information

NetLogon Service and DC Locator

Active Directory Management Pack monitors the NetLogon service with event messages and with the AD Essential Services script.

The following table lists the processing rules that Active Directory Management Pack uses to monitor NetLogon, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Session setup failed because no trust account exists: Script - AD Validate Server Trust Event

Event

Active Directory - NetLogon (Shared)

Event Number equals 5723.

Source Name equals NetLogon.

Critical Error

Security: Two computers involved in a trust relationship have the same machine security identifier (SID). Windows should be re-installed on one of the machines.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5516.

Message DLL equals NetMsg.dll.

Provider Name equals System.

Error

A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5517.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

An account name collision occurred - this may result in authentication failures

(Applies only to Windows Server 2003.)

Event

Active Directory - NetLogon

Event Number equals 5800.

Source Name equals NetLogon.

Warning

Global group SERVERS exists and has members. This group defines Lan Manager BDCs in the domain. Lan Manager BDCs are not permitted in Active Directory domains.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5772.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

Manual deregistration of some DNS records is required

(Applies only to Windows Server 2003.)

Event

Active Directory - NetLogon

Event Number equals 5808.

Source Name equals NetLogon.

Warning

NetLogon cannot register a name

Event

Active Directory - NetLogon (Shared)

Event Number equals 5741.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

No suitable domain controller is available for authentication in this domain

(Applies only to Windows Server 2003.)

Event

Active Directory - NetLogon

Event Number equals 5790.

Source Name equals NetLogon.

Warning

The computer cannot function properly for authentication purposes

(Applies only to Windows Server 2003.)

Event

Active Directory - NetLogon

Event Number equals 5791.

Source Name equals NetLogon.

Warning

The computer name cannot be mapped to an object in Active Directory - this may result in authentication failures

(Applies only to Windows Server 2003.)

Event

Active Directory - NetLogon

Event Number equals 5801.

Source Name equals NetLogon.

Warning

The NetLogon service on remote machines will not be able to connect to this DC over TCP/IP resulting in authentication failure

(Applies only to Windows Server 2003.)

Event

Active Directory - NetLogon

Event Number equals 5809.

Source Name equals NetLogon.

Warning

The session setup from a machine failed because no trust account exists.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5723.

Source Name equals NetLogon.

Warning

The session setup to another domain failed because the domain does not have an account for the computer.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5721.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

The session setup to the domain controller failed because the computer does not have a local security database account.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5720.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

DC Locator

DC Locator is a function that is performed by NetLogon, and it is monitored by the AD Essential Services script.

The following table lists the processing rules that Active Directory Management Pack uses to monitor domain controller locator service records, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

One or more of the DC Locator DNS records are not registered in the DNS database

Event

Active Directory - DC Locator (Shared)

Event Number equals 5774.

Source Name equals .NetLogon.

Error

One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records

Event

Active Directory - DC Locator (Shared)

Event Number equals 5773.

Source Name equals NetLogon.

Error

A DNS server used by this server for name resolution did not respond within the timeout interval

Event

Active Directory - DC Locator (Shared)

Event Number matches Boolean regular expression 11150|11162.

Source Name equals DNSAPI.

Error

A resource record for the computer name of the DC is not registered in the DNS database.

Event

Active Directory - DC Locator (Shared)

Event Number matches Boolean regular expression 11151|11155 |11163|11167.

Source Name equals DNSAPI.

Error

One or more of the DC Locator DNS records are not registered in the DNS database

Event

Active Directory - DC Locator (Shared)

Event Number equals 5774.

Source Name equals NetLogon.

Error

One or more of the DC Locator DNS records are not registered in the DNS database since the primary DNS server doesn't support the dynamic update of the DNS records

Event

Active Directory - DC Locator (Shared)

Event Number equals 5773.

Source Name equals NetLogon.

Error

The DNS server with which this DC will register does not support the dynamic update protocol or the authoritative zone is not configured to allow dynamic updates

Event

Active Directory - DC Locator (Shared)

Event Number matches Boolean regular expression 11152|11153 |11164|11165.

Source Name equals DNSAPI.

Error

W32Time (Time Synchronization)

W32Time is monitored by the AD Essential Services script.

The following table lists the processing rules that Active Directory Management Pack uses to monitor W32Time, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Network connectivity has prevented time being synchronized

(Applies only to Windows Server 2003.)

Alert

Active Directory - Timesync

Event Number equals 64.

Source Name equals W32Time.

Warning

An attempt to shift time by more than 12 hours was aborted

(Applies only to Windows Server 2003.)

Event

Active Directory - Timesync

Event Number equals 14.

Source Name equals W32Time.

Warning

The NTP Server is not synchronized so time has not been set

(Applies only to Windows Server 2003.)

Event

Active Directory - Timesync

Event Number equals 12.

Source Name equals W32Time.

As configured

The time server returned an unsigned time stamp

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 60.

Source Name equals W32Time.

NA

A new DC time source has been located

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 55.

Source Name equals W32Time.

NA

gethostbyname failed for specified server

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 52.

Source Name equals W32Time.

NA

The domain controller returned an incorrectly signed time stamp

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 56.

Source Name equals W32Time.

NA

The time server returned an incorrectly signed time stamp

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 53.

Source Name equals W32Time.

NA

The time service can only provide insecure time synchronization with this client

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 60.

Source Name equals W32Time.

NA

This DC is a PDC, it should synchronize time from an external source

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 62.

Source Name equals W32Time.

NA

Time has been synchronized

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 61.

Source Name equals W32Time.

NA

Time was not updated because no DC was available

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 54.

Source Name equals W32Time.

NA

The system clock has not been synchronized for some time

(Applies only to Windows Server 2003.)

Event

Active Directory - Timesync

Event Number equals 36.

Source Name equals W32Time.

Warning

The system clock is unsynchronized

(Applies only to Windows Server 2003.)

Event

Active Directory - Timesync

Event Number equals 50.

Source Name equals W32Time.

As configured

The Time Service report should be reviewed - possible time synchronization problems have been detected

(Applies only to Windows Server 2003.)

Event

Active Directory - Timesync

Event Number matches Boolean regular expression 14|15|16|17|24|25|26| 27|28|29|35|43|47|48|49.

Source Name equals W32Time.

Information

An error occurred during DNS lookup of a manually configured peer

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number matches Boolean regular expression 16|17.

Source Name equals W32Time.

NA

An error occurred during the DNS lookup of a manually configured peer

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 48.

Source Name equals W32Time.

NA

A time source did not respond and has been discarded

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 24.

Source Name equals W32Time.

NA

A time source has been chosen

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 35.

Source Name equals W32Time.

NA

No time sources are currently accessible

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number matches Boolean regular expression 28|29.

Source Name equals W32Time.

NA

NtpClient cannot determine if the response has a valid signature

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 25.

Source Name equals W32Time.

NA

The NtpClient was unable to find a domain controller to use as a time source

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 49.

Source Name equals W32Time.

NA

The response from the domain controller may have been tampered with and will be ignored

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number matches Boolean regular expression 26|27.

Source Name equals W32Time.

NA

The time provider returned an error when notified of a network change

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 43.

Source Name equals W32Time.

NA

The time source did not respond and has been discarded

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number equals 47.

Source Name equals W32Time.

NA

Time service unable to find domain controller to use as time source.

(Applies only to Windows Server 2003.)

Collection

Active Directory - Timesync

Event Number matches Boolean regular expression 14|15.

Source Name equals W32Time.

NA

Kerberos and NTLM

The following table lists the processing rules that Active Directory Management Pack uses to monitor Kerberos and KDC, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Duplicate User Principal Names have been detected

Event

Active Directory - KDC (Shared)

Event Number equals 11.

Source Name equals KDC.

Parameter 2 matches regular expression (8)|(DS_USER_PRINCIPAL_NAME).

Critical Error

Kerberos Key Distribution Center Service (KDC) is not running

Event

Active Directory - General (Shared)

Event Number equals 38903.

Event Type equals Error.

Source Name equals AD Essential Services Running.

Error

Invalid Policy Data

Event

Active Directory - KDC (Shared)

Event Number equals 17.

Event Type equals Error.

Source Name equals KDC.

Error

Change Password on KRBTGT Account Failed

Event

Active Directory - KDC (Shared)

Event Number equals 10.

Event Type equals Error.

Source Name equals KDC.

Error

Corrupt Credentials

Event

Active Directory - KDC (Shared)

Event Number equals 13.

Event Type equals Error.

Source Name equals KDC.

Error

Invalid Forwarded AS Request

Event

Active Directory - KDC (Shared)

Event Number equals 15.

Event Type equals Error.

Source Name equals KDC.

Error

No Key to Generate Kerberos Ticket

Event

Active Directory - KDC (Shared)

Event Number matches Boolean regular expression 8|14|16.

Event Type equals Error.

Source Name equals KDC.

Error

PAC Verification Failure

Event

Active Directory - KDC (Shared)

Event Number equals 18.

Event Type equals Error.

Source Name equals KDC.

Error

Policy Update Failure

Event

Active Directory - KDC (Shared)

Event Number equals 5.

Event Type equals Error.

Source Name equals KDC.

Error

Trusted Domain List Update Failure

Event

Active Directory - KDC (Shared)

Event Number equals 6.

Event Type equals Error.

Source Name equals KDC.

Error

Unexpected SAM Failure

Event

Active Directory - KDC (Shared)

Event Number equals 7.

Event Type equals Error.

Source Name equals KDC.

Error

Kerberos Key Distribution Center Service (KDC) has resumed running

Event

Active Directory - General (Shared)

Event Number equals 38903.

Event Type equals Information.

Source Name equals AD Essential Services Running.

Information

Account Name Not Unique

Collection

Active Directory - KDC (Shared)

Event Number equals 11.

Event Type equals Error.

Source Name equals KDC.

NA

Kerberos Authentications/sec

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

NTLM

The following table lists the processing rules that Active Directory Management Pack uses to monitor NTLM, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

NTLM Authentications/sec

Measuring

Reporting Rules for Active Directory (Shared)

NA

NA

Trusts

On domain controllers running Windows Server 2003, trusts are monitored by the AD Monitor Trusts script. This script does not run on domain controllers running Windows 2000 Server.

The following table lists the processing rules that Active Directory Management Pack uses to monitor trusts, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

A problem has been detected with the trust relationship between two domains

(Applies only to Windows Server 2003.)

Event

Active Directory Monitor Trusts

Event Number equals 20083.

Source Name equals AD Monitor Trusts.

Error

A trusted domain exists with an invalid name. The name of the trusted domain should be changed to a valid name.

Event

Active Directory - NetLogon (Shared)

Event Number equals 5517.

Message DLL equals Netmsg.dll.

Provider Name equals System.

Warning

Group Policy

The following table lists the processing rules that Active Directory Management Pack uses to monitor Group Policy, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

Cannot process client side group policy extension

Event

Active Directory - UserEnv (Shared)

Event Number equals 1003.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - cannot connect to the Directory Service

Event

Active Directory - UserEnv (Shared)

Event Number matches Boolean regular expression 1005|1006.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - cannot determine site

Event

Active Directory - UserEnv (Shared)

Event Number equals 1007.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - reboot this machine

Event

Active Directory - UserEnv (Shared)

Event Number equals 1035.

Source Name equals UserEnv.

User Name equals System.

Error

Group policy processing aborted - the search for the root AD object failed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1008.

Source Name equals UserEnv.

User Name equals System.

Error

Local group policy is disabled

Event

Active Directory - UserEnv (Shared)

Event Number equals 1004.

Source Name equals UserEnv.

User Name equals System.

Error

Unexpected Error applying group policy to machine account

Event

Active Directory - UserEnv (Shared)

Event Number equals 1000.

Source Name equals UserEnv.

User Name equals System.

Error

A Group Policy object cannot be found in Active Directory

Event

Active Directory - UserEnv (Shared)

Event Number equals 1102.

Source Name equals UserEnv.

User Name equals System.

Warning

A Group Policy Object has not been processed because the filter check could not be performed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1104.

Source Name equals UserEnv.

User Name equals System.

Warning

A Group Policy Object is corrupt.

Event

Active Directory - UserEnv (Shared)

Event Number equals 1057.

Source Name equals UserEnv.

User Name equals System.

Warning

Cross-domain Group Policy processing has been aborted because the other domain cannot be reached

Event

Active Directory - UserEnv (Shared)

Event Number equals 1105.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing aborted because a filter check for the GPO failed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1065.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing aborted because the common name for the GPO cannot be accessed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1059.

Source Name equals UserEnv.

User Name equals System.

Warning

Group policy processing aborted because the GPO does not have a version number

Event

Active Directory - UserEnv (Shared)

Event Number equals 1060.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted (in planning mode) because the user/computer does not have access to a required object

Event

Active Directory - UserEnv (Shared)

Event Number equals 1100.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because an invalid class of object was discovered

Event

Active Directory - UserEnv (Shared)

Event Number equals 1077.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because GPO lists cannot be set up

Event

Active Directory - UserEnv (Shared)

Event Number equals 1075.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because of an invalid access configuration

Event

Active Directory - UserEnv (Shared)

Event Number equals 1081.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the extensions from the registry cannot be read

Event

Active Directory - UserEnv (Shared)

Event Number equals 1066.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the file gpt.ini cannot be accessed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1058.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the GPLink property of an object cannot be accessed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1099.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the GPO does not have a functionality version number

Event

Active Directory - UserEnv (Shared)

Event Number equals 1072.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing has been aborted because the user does not have access to an object

Event

Active Directory - UserEnv (Shared)

Event Number equals 1101.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because a security check failed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1064.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because historical data cannot be moved from the users old SID to their new one

Event

Active Directory - UserEnv (Shared)

Event Number equals 1084.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because security cannot be set on Group Policy events

Event

Active Directory - UserEnv (Shared)

Event Number equals 1094.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the refresh timer cannot be set

Event

Active Directory - UserEnv (Shared)

Event Number equals 1082.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the search for objects cannot be completed

Event

Active Directory - UserEnv (Shared)

Event Number matches Boolean regular expression 1079|1080.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the security ID of the user cannot be obtained

Event

Active Directory - UserEnv (Shared)

Event Number equals 1078.

Source Name equals UserEnv.

User Name equals System.

Warning

Group Policy processing was aborted because the users security ID cannot be written to the registry

Event

Active Directory - UserEnv (Shared)

Event Number equals 1083.

Source Name equals UserEnv.

User Name equals System.

Warning

The Group Policy client side extension failed to execute

Event

Active Directory - UserEnv (Shared)

Event Number equals 1085.

Source Name equals UserEnv.

User Name equals System.

Warning

The WMI service is disabled. A Group Policy object has not been processed

Event

Active Directory - UserEnv (Shared)

Event Number equals 1106.

Source Name equals UserEnv.

User Name equals System.

Warning

There are no domain-based Group Policy objects for this user/computer.

Event

Active Directory - UserEnv (Shared)

Event Number equals 1103.

Source Name equals UserEnv.

User Name equals System.

Warning

Client-Side Monitoring

In addition to monitoring from the perspective of domain controllers, Active Directory Management Pack also monitors from the perspective of directory clients. The goal of client-side monitoring is to provide a client perspective on the health of Active Directory. ADMP implements client-side monitoring by using workstations or servers in strategic physical locations as “probes,” or ADMP agents. These monitoring agents perform scripted directory tasks that mimic common actions performed by typical directory clients. The directory service results that are experienced by the ADMP agents are reported through ADMP alerts and performance, just as they are with monitored domain controllers.

You determine which computers on your network to use for client-side monitoring by simply adding those computers to the Active Directory Client Side Monitoring computer group. It is recommended that you have a computer for client-side monitoring physically near each of your directory-enabled application servers.

Active Directory Management Pack includes the processing rules in the following table for monitoring Active Directory health from the perspective of the client, as well as the events, thresholds, and alert levels that are associated with those rules.

Processing Rule

Rule Type

Processing Rule Group

Criteria

Severity

AD Client Pack DC discovery encountered an error - some machines will not be monitored by the client pack

Event

Active Directory Client Side Monitoring

Event Number equals 21006.

Source Name equals AD Client Update DCs.

Error

AD Client Side Test Failed

Event

Active Directory Client Side Monitoring

Event Number equals 21002.

Source Name matches wildcard AD*.

Error

The PDC Emulator cannot be contacted

Event

Active Directory Client Side Monitoring

Event Number equals 21004.

Event Type equals Warning.

Source Name equals AD Client PDC Response.

Error

AD Client Side - Script Based Test Failed to Complete

Event

Active Directory Client Side Monitoring

Event Number equals 25001.

Source Name matches wildcard AD*.

Warning

AD Client Side - Script Parameters are configured incorrectly

Event

Active Directory Client Side Monitoring

Event Number equals 25003.

Source Name matches wildcard AD*.

Warning

AD Client Side PDC Response Event Collection

Collection

Active Directory Client Side Monitoring

Event Number equals 21005.

Source Name equals AD Client PDC Response.

NA

AD Client Side Monitoring Event Collection

Collection

Active Directory Client Side Monitoring

Event Number equals 21001.

Source Name matches wildcard AD*.

NA

AD Client Side - Script Generated Success Event

Event

Active Directory Client Side Monitoring

Event Number equals 25000.

Source Name matches wildcard AD*.

Success

AD Client Side Test succeeded after consecutive failures

Event

Active Directory Client Side Monitoring

Event Number equals 21003.

Event Type equals Information.

Source Name matches wildcard AD*.

Success

The PDC Emulator has been contacted successfully

Event

Active Directory Client Side Monitoring

Event Number equals 21004.

Event Type equals None.

Source Name equals AD Client PDC Response.

Success

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft