Client-Side Monitoring Scripts

Simply monitoring domain controllers does not guarantee that, from the perspective of a directory client, Active Directory is healthy. For example, servers running Microsoft Exchange Server 2003 that rely on Active Directory may encounter a problem connecting to or communicating with a domain controller. In this case, from the perspective of a server running Exchange Server 2003, Active Directory is not healthy, even though the domain controller may not have reported any Active Directory problems.

For this reason, monitoring domain controller health from the perspective of one or more directory clients is very important. If you have one or more computers that depend heavily on Active Directory and you want to monitor those computers from a client perspective, it is recommended that you place the Active Directory client pack on a computer that is physically near the computers that you want to monitor.

Active Directory Management Pack (ADMP) includes five modes of operation for client-side monitoring:

  • Full — All domain controllers in the domain are monitored.

  • Specific Site — Only domain controllers in the specified sites are monitored.

  • Local Site — Only domain controllers in the client’s site are monitored.

  • Specific — Only specified domain controllers are monitored.

  • Specific Domain — Only domain controllers in specific domains are monitored.

You can configure these modes in the MOM 2005 console by configuring the script parameters on the Script - AD Client Update DCs rule, which is in the Active Directory Client Side Monitoring rule group.

In the Full, Specific Site, Local Site, and Specific Domain modes, discovery of the domain controllers is performed once per day by default. If a domain controller cannot be contacted during a discovery operation, the discovery operation will not be performed again until the following day, and therefore the domain controller will remain unmonitored.

You can configure both a list of specific domain controllers and a list of sites to test. In this case, the individual domain controllers that you specify — and all domain controllers in each of the sites that you specify — are tested.

To configure a computer to run the ADMP client-side tests, you must add the computer manually to the Active Directory Client Side Monitoring computer group. MOM 2005 then downloads the tests automatically to the computer. The computer can be dedicated to monitoring, or it can fulfill another role, such as the role of a server running Exchange Server 2003 or the role of a domain controller.

Registry Configuration of Client-Side Monitoring Scripts

You can configure parameters for client-side monitoring scripts through the MOM 2005 Administrator console. Or, if you want to customize script parameters for a client-side monitoring computer, you can edit the registry of that computer. The configuration parameters are located in the registry at:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Operations Manager\AD Management Pack\Client Monitoring

There are two keys under this base:

  • Configuration

  • Tests

Under the Configuration key, there are also two entries:

  • Domain Controllers — a string specifying comma-delimited domain controller names

  • Sites — a string specifying comma-delimited sites

In the following example, the client monitors dc1 and dc2, as well as all the domain controllers in site1 and site2:

HKEY_LOCAL_MACHINE\
  Software\
    Microsoft\
      Microsoft Operations Manager\
        AD Management Pack\
          Client Monitoring\
            Configuration\
              Domain Controllers=dc1,dc2
              Sites=site1,site2

The Tests key may include a number of keys, each with the name of a different script in MOM 2005. Each of these keys may contain one or more values. The name of each value corresponds to a script parameter. Any value that is provided in any of these keys overrides the corresponding value that is set in the MOM 2005 Administrator console.

In the following example, the registry values for the BindThreshold, FailureThreshold, LogSuccessEvent, and SearchThreshold parameters that are given for the AD Client Connectivity script override the values for those same parameters that are set in the MOM 2005 Administrator console:

HKEY_LOCAL_MACHINE\
  Software\
    Microsoft\
      Microsoft Operations Manager\
        AD Management Pack\
          Client Monitoring\
            Tests\
              AD Client Connectivity\
                BindThreshold=1000
                FailureThreshold=3
                LogSuccessEvent=True
                SearchThreshold=500
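
Because any value under these keys takes precedence over the MOM 2005 Administrator console, it is worth listing what a monitoring computer actually has set locally. The following script is an added example, not part of ADMP; the function name Get-AdmpClientOverride is hypothetical, and the registry path is the one given above.

```powershell
# Added example: list local registry settings that override the MOM 2005
# console for ADMP client-side monitoring on this computer.
$base = 'HKLM:\Software\Microsoft\Microsoft Operations Manager\AD Management Pack\Client Monitoring'

function Get-AdmpClientOverride {
    param([string]$BasePath = $base)

    # Configuration key: comma-delimited lists of domain controllers and sites.
    $cfgPath = Join-Path $BasePath 'Configuration'
    if (Test-Path -LiteralPath $cfgPath) {
        $cfg = Get-ItemProperty -LiteralPath $cfgPath
        foreach ($name in 'Domain Controllers', 'Sites') {
            $raw = $cfg.$name
            if ($raw) {
                foreach ($item in ($raw -split ',')) {
                    [pscustomobject]@{ Key = 'Configuration'; Name = $name; Value = $item.Trim() }
                }
            }
        }
    }

    # Tests key: one subkey per script, one value per overridden parameter.
    $testsPath = Join-Path $BasePath 'Tests'
    if (Test-Path -LiteralPath $testsPath) {
        foreach ($scriptKey in Get-ChildItem -LiteralPath $testsPath) {
            foreach ($valueName in $scriptKey.GetValueNames()) {
                [pscustomobject]@{
                    Key   = "Tests\$($scriptKey.PSChildName)"
                    Name  = $valueName
                    Value = $scriptKey.GetValue($valueName)
                }
            }
        }
    }
}

Get-AdmpClientOverride | Sort-Object Key, Name | Format-Table -AutoSize
```

An empty result means that no local overrides exist and the console values apply.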

ADMP client-side monitoring includes the scripts in the following table.

| Script | Processing Rule | Frequency |
|---|---|---|
| AD Client Update DCs | Script - AD Client Update DCs | Once per day |
| AD Client Connectivity | Script - AD Client Connectivity | Every 5 minutes |
| AD Client Serverless Bind | Script - AD Client Serverless Bind | Every 15 minutes |
| AD Client PDC Response | Script - AD Client PDC Response | Every 10 minutes |
| AD Client GC Availability | Script - AD Client GC Availability | Every 5 minutes |

The following sections describe each of these scripts.

AD Client Update DCs

The AD Client Update DCs script runs once per day by default, and it discovers the domain controllers for a client computer performing client-side monitoring. If domain controllers are specified in the configuration on the client, these domain controllers are stored in the DCTargets variable. If the DCTargets variable is empty, the domain controllers that are specified in the AD Client Update DCs script parameter are added to the DCTargets variable. If there are sites that are specified in the configuration on the client, the domain controllers in each of the specified sites are added to the DCTargets variable.

The population of the DCTargets variable also depends on the ADMP mode of operation for client-side monitoring:

  • If the discovery mode is Full and the DCTargets variable is empty, the domain controllers for the entire domain that the client is joined to are added to the DCTargets variable.

  • If the discovery mode is Specific Site, the domain controllers in the specified sites (as specified in the Sites parameter in the AD Client Update Domain Controllers script in MOM 2005) are added to the DCTargets variable.

  • If the discovery mode is Local Site, the domain controllers in the local site are added to the DCTargets variable.

  • If the discovery mode is Specific, only the specified domain controllers are added to the DCTargets variable.

  • If the discovery mode is Specific Domain, the domain controllers in the specified domain (as specified in the Domain parameter in the AD Client Update Domain Controllers script in MOM 2005) are added to the DCTargets variable.

The script then runs tests against all the domain controllers in the DCTargets variable.
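
To see which domain controllers a given mode would select from a particular client, the same scopes can be resolved with the .NET System.DirectoryServices.ActiveDirectory classes. This is an added example, not the ADMP discovery script; the function name Get-DcTargetsForMode and its parameter names are hypothetical, and it does not merge in the registry Configuration lists.

```powershell
# Added example, not the ADMP discovery script. Run on a domain-joined client.
Add-Type -AssemblyName System.DirectoryServices

function Get-DcTargetsForMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Full', 'SpecificSite', 'LocalSite', 'Specific', 'SpecificDomain')]
        [string]$Mode,
        [string[]]$DomainControllers = @(),   # used by Specific
        [string[]]$Sites = @(),               # used by SpecificSite
        [string[]]$Domains = @()              # used by SpecificDomain
    )
    $domainType = [System.DirectoryServices.ActiveDirectory.Domain]
    $siteType   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]
    $ctxKind    = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]

    $names = switch ($Mode) {
        # Full: every domain controller in the domain the client is joined to.
        'Full'      { $domainType::GetComputerDomain().DomainControllers | ForEach-Object { $_.Name } }
        # Local Site: domain controllers in the client's own site.
        'LocalSite' { $siteType::GetComputerSite().Servers | ForEach-Object { $_.Name } }
        'SpecificSite' {
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxKind::Forest)
            foreach ($site in $Sites) {
                $siteType::FindByName($ctx, $site).Servers | ForEach-Object { $_.Name }
            }
        }
        'SpecificDomain' {
            foreach ($domain in $Domains) {
                $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxKind::Domain, $domain)
                $domainType::GetDomain($ctx).DomainControllers | ForEach-Object { $_.Name }
            }
        }
        'Specific'  { $DomainControllers }
    }
    $names | Sort-Object -Unique
}

Get-DcTargetsForMode -Mode LocalSite
```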

AD Client Connectivity

By default, the AD Client Connectivity script runs at five-minute intervals to verify that the targeted domain controllers are available to clients.

Each of the test runs is based on default parameters that are stored in MOM 2005. These defaults can be overridden in the registry.

The tests that are run by the script for each tested domain controller include the following:

  • ICMP ping

  • net use to the SYSVOL

  • LDAP ping

  • ADSI bind/search

ICMP Ping

For each domain controller being tested, the script gets the IP address of the domain controller from a DNS server and performs an ICMP ping against the domain controller. If the attempt to get the IP address fails, a Warning alert is generated that indicates the configured DNS servers for the client.

If the client is successful in getting the IP address, but the ping fails, the script tries the ping again after half a second. If the second attempt fails, a Warning alert is generated.

If the ICMP ping test fails for that domain controller, the script moves on to test the next domain controller.

net use

For each domain controller being tested, the script attempts to connect to the SYSVOL share of the domain controller.

If the connection test fails, a Warning alert is generated.

LDAP Ping

For each domain controller being tested, an LDAP ping is performed. If the ping fails, the script waits half a second and then tries the ping again. If the second attempt fails, a Warning alert is generated for the domain controller being tested.

If the LDAP ping test fails for that domain controller, the script moves on to test the next domain controller.

ADSI Bind/Search

For each domain controller being tested, the script attempts to bind to the rootDSE of the domain controller using ADSI.

If the bind succeeds, the script performs a search for the domain controller (using a subtree search in the default directory partition and cn=computername as the filter) that is retrieved from the rootDSE object. The time necessary to perform this search is recorded as performance data. If the time necessary to perform the search is greater than the specified absolute maximum search time allowed, the script generates a Warning alert.

If the bind fails, no search is attempted.

If either the search or the bind fails, the script generates a Warning alert.
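
The sequence above can be approximated by hand when a client reports a problem and you want to reproduce it from that client. The following function is an added example, not the ADMP script: the name Test-DcFromClient is hypothetical, the threshold unit is assumed to be milliseconds, Test-Path stands in for net use, and the LDAP ping step is omitted.

```powershell
# Added example, not the ADMP script: approximates the AD Client Connectivity
# checks for one domain controller, in the order described above.
Add-Type -AssemblyName System.DirectoryServices
function Test-DcFromClient {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]+$')][string]$DomainController,
        [int]$SearchThresholdMs = 500   # assumption: threshold is in milliseconds
    )
    $r = [ordered]@{ DC = $DomainController; Dns = $false; Ping = $false; Sysvol = $false
                     Bind = $false; SearchMs = $null; Warnings = @() }

    # 1. DNS lookup; a failure ends the run for this domain controller.
    try { [void][System.Net.Dns]::GetHostAddresses($DomainController); $r.Dns = $true }
    catch { $r.Warnings += "DNS lookup failed: $($_.Exception.Message)"; return [pscustomobject]$r }

    # 2. ICMP ping, retried once after half a second; failure skips the remaining tests.
    $r.Ping = Test-Connection -ComputerName $DomainController -Count 1 -Quiet
    if (-not $r.Ping) {
        Start-Sleep -Milliseconds 500
        $r.Ping = Test-Connection -ComputerName $DomainController -Count 1 -Quiet
    }
    if (-not $r.Ping) { $r.Warnings += 'ICMP ping failed twice'; return [pscustomobject]$r }

    # 3. SYSVOL share reachable (stands in for "net use").
    $r.Sysvol = Test-Path -LiteralPath "\\$DomainController\SYSVOL"
    if (-not $r.Sysvol) { $r.Warnings += 'SYSVOL share not reachable' }

    # 4. ADSI bind to rootDSE; if the bind fails, no search is attempted.
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/RootDSE")
        $root.psbase.RefreshCache()     # forces the bind; throws on failure
        $nc = [string]$root.psbase.Properties['defaultNamingContext'].Value
        $r.Bind = $true
    } catch { $r.Warnings += "rootDSE bind failed: $($_.Exception.Message)"; return [pscustomobject]$r }

    # 5. Timed subtree search for cn=<computername> in the default directory partition.
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$nc")
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
        $searcher.Filter = "(cn=$(($DomainController -split '\.')[0]))"
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        [void]$searcher.FindOne()
        $r.SearchMs = $sw.ElapsedMilliseconds
        if ($r.SearchMs -gt $SearchThresholdMs) { $r.Warnings += "Search took $($r.SearchMs) ms" }
    } catch { $r.Warnings += "Search failed: $($_.Exception.Message)" }
    [pscustomobject]$r
}

Test-DcFromClient -DomainController 'dc1.example.test'   # constructed name
```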

AD Client Serverless Bind

Each computer running the Active Directory Management Pack Client Pack performs a serverless bind on the rootDSE object. If the domain controller resides outside the site of the client computer that is running the script, the script generates a Warning alert. If the domain controller cannot be contacted, the script generates an Error alert.

If the bind succeeds, the script records the time taken to perform the bind. If this time exceeds the specified absolute maximum bind time allowed, the script generates a Warning alert.

AD Client PDC Response

In this test, the script attempts to discover and ping the PDC emulator operations master for the domain. If the script finds the PDC emulator operations master, the script uses ADSI to perform an LDAP bind. If either the ping or the bind fails, the script generates a Warning alert.

AD Client GC Availability

The AD Client GC Availability script runs every five minutes by default to discover and contact all global catalogs in the forest.

If there are fewer global catalogs contacted than the number of global catalogs specified in the minimum available GCs parameter in the AD Client GC Availability script, an Error alert is generated.

Note

The number of global catalogs defined in the minimum available GCs parameter should be less than the actual number of global catalogs that are configured in the forest.

Reporting Failures

When a failure occurs in any test that is run by the AD Client Connectivity client-side monitoring script, an error is generated, with the domain controller being tested as the source of the error. This causes any alerts that are generated to be assigned to the appropriate domain controller in MOM 2005. When a failure occurs in any test that is run by the AD Client Update DCs, AD Client Serverless Bind, AD Client PDC Response, and AD Client GC Availability client-side monitoring scripts, an error is generated, with the computer that ADMP is running on as the source of the error.

The information in the alerts includes the following:

  • The time that the failure occurred

  • The domain controller to which the failure relates

  • The client computer (identified by IP address and computer name) that detected the failure

  • The type of failure and, where applicable, any other relevant test results

If a test fails, a MOM 2005 alert is generated at the MOM Operator console. The severity of the alert depends on the test and how it failed. Alerts that are generated from a single test are suppressed at the MOM console.

To prevent flooding the MOM Operator console with alerts, the tests are carried out in such an order that if a more basic test fails, subsequent tests that rely on that basic functionality are not performed. For example, if an ICMP ping fails, no other network-based tests are run. The only alert that is generated in such a case is for the ping failure.

Permissions

For each of the client-side monitoring scripts to run successfully, the Agent Action Account must be a member of the Administrators group on both the computer on which the client pack is running and the domain controller that is being monitored.

Events

The client-side scripts report the events in the following table.

| Event Number | Purpose |
|---|---|
| 25000 | This event is logged to indicate that a script finished running successfully. |
| 25001 | This event is logged to indicate that an error occurred while the script was running. This does not indicate an error in the script, merely that an error was encountered, usually returned by ADSI or WMI. |
| 25002 | This event is logged to indicate that the script can only be run from an event rule in MOM. This error only appears if someone manually makes this script a response to a nonevent rule. |
| 25003 | This event is logged to indicate that a parameter has been configured incorrectly. The event text indicates the actual configuration error. |
| 21001 | One of the client connectivity tests failed. The event text indicates which test failed and the reason for the failure. One event is generated for each failure. This event does not generate an alert. To view these events, use the Client Side Events public view. |
| 21002 | The number of consecutive client connectivity tests has exceeded the threshold. This event generates an alert. |
| 21003 | This event is generated when the client connectivity script completes successfully, after an event 21002 has occurred. |
| 21004 | Indicates that the PDC emulator operations master could not be contacted from the client computer. |
| 21006 | This event is logged to indicate that an error occurred during domain controller discovery. The affected computer (or site, or domain) is identified in the event text. Other domain controllers are not affected by this failure, and they will continue to be monitored. |
| 29002 | This event is logged to indicate that there are not enough global catalogs that can be contacted by the AD Client GC Availability script. |
| 20098 | This event is logged to indicate that ADMP does not run in agent-less mode. |

These events can be viewed in the Client Side Events public view, which is located in the Client Side Monitoring public view group in the MOM 2005 Operator console.