

Active Directory Management Pack – Addendum for Trust Monitoring

UPDATE: October 3rd, 2017 – Added an example of the trust list format.

Hi there,

After a long time, I am coming back to an issue that some of my customers were facing. They were struggling with the Trust Monitoring scenario included in the Active Directory Management Pack for SCOM.

The problem they had was pretty simple (as was its solution). They "just" wanted to monitor trust status, but only for some trusts. This sounded like: "Hey, I want to monitor my Trusts, but I want to exclude those I know as not working and that I cannot fix. I really do not want to renounce the entire Trust Monitoring just because I cannot exclude some of them".

Well, that sentence made me think about how to delight my customers and do something interesting for other customers as well. So, I came up with the idea of an addendum MP which makes it possible to specify a trust or a list of trusts to be excluded.

Let's start with a bit of explanation.

The Trust Monitor that comes with the Active Directory Management Pack basically uses 3 components:

  • A DataSource module which contains the script used to query and return the status of all existing trusts.
  • A UnitMonitorType which parses the output from the DataSource module.
  • A UnitMonitor which reports on the Trust health by creating an alert in case the status is not good.

I will not go deeper, so as not to bore you, but if you are interested in the theory you can ping me at my email address or leave a comment and I will follow up. The small issue inside this mechanism is that, as I wrote in the description of the DataSource task, it checks all trusts and there is no way to create an override based on a single Trust or a list of Trusts. You got it right: you can only disable the monitor, which means completely shutting down the Trust Monitoring scenario.

What I did is:

  1. I created a new DataSource that takes another input parameter (the single trust or the comma-separated list of trusts) and that uses a modified version of the script with the exclusion logic.

  2. Then, because of the new parameter, I had to create a new UnitMonitorType and a new UnitMonitor in order to expose and pass the new overridable parameter.

  3. I included some pre-defined overrides to disable the original monitor.

Of course, I am giving the simple version of the story here, since I had to consider several possibilities for the override value (single trust, Trust list, no value), but luckily I got it done and working. Using this addendum, you can continue using the Trust Monitoring scenario and bend it to your needs by configuring the necessary override.

Now that you have a clear picture of what I have done, let's discuss how to use it.

First of all, it works on every version of System Center Operations Manager that the original management pack works on. Second, I created this solution for all Active Directory Management Pack versions, including the brand new one.

And now: how do I use it? Simple answer: You just download the file for the management pack version you are using from this post, import it and that's all. As said, the addendum MP contains an override that disables the original monitor since the new one comes enabled. Now you can go ahead with the necessary overrides.

Like other Management Packs, overrides can be created for different targets. For every target you choose, you have the possibility to create one override per trust or a single override with a trust list. The trust list can be passed as a comma separated value list. For instance you can enter "DomainA.Com, DomainB.Local, DomainC.my" without double quotes, and so on.
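The three override cases mentioned above (single trust, trust list, no value) and the comma-separated format can be handled as in the following added example. It is a sketch, not the script shipped in the addendum MP; the function names and the sample trust names are hypothetical. It also reports exclusion entries that match no existing trust, since a typo in the override would otherwise leave a trust you meant to exclude still alerting.

```powershell
# Added illustration; NOT the script inside the addendum MP.
# Split-TrustExclusion and Select-MonitoredTrust are hypothetical names.

function Split-TrustExclusion {
    param([string]$ExcludedTrusts)

    # "No value" case: an empty or whitespace-only override excludes nothing.
    if ([string]::IsNullOrWhiteSpace($ExcludedTrusts)) { return @() }

    # Accept both "A,B" and "A, B": split on commas, trim spaces and
    # surrounding double quotes, and drop empty entries (e.g. a trailing comma).
    return @($ExcludedTrusts -split ',' |
        ForEach-Object { $_.Trim().Trim('"').Trim() } |
        Where-Object { $_ -ne '' })
}

function Select-MonitoredTrust {
    param(
        [string[]]$TrustNames,
        [string]$ExcludedTrusts
    )

    $excluded = @(Split-TrustExclusion -ExcludedTrusts $ExcludedTrusts)

    [pscustomobject]@{
        # -in / -notin compare strings case-insensitively, like DNS names.
        Monitored = @($TrustNames | Where-Object { $_ -notin $excluded })
        Excluded  = @($TrustNames | Where-Object { $_ -in $excluded })
        # Entries matching no existing trust usually indicate a typo in the override.
        Unmatched = @($excluded | Where-Object { $_ -notin $TrustNames })
    }
}

# Constructed sample data: trust names as a trust query might return them.
$trusts = 'DomainA.Com', 'DomainB.Local', 'DomainC.my', 'DomainD.net'

# Trust list with mixed spacing and casing, plus one entry that matches nothing.
Select-MonitoredTrust -TrustNames $trusts -ExcludedTrusts 'domaina.com, DomainB.Local,DomainX.org'

# Single trust.
Select-MonitoredTrust -TrustNames $trusts -ExcludedTrusts 'DomainC.my'

# No value: every trust stays monitored.
Select-MonitoredTrust -TrustNames $trusts -ExcludedTrusts ''
```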

I intentionally left the management pack files (yes, more than one, since this solution is available for all Active Directory Management Pack versions known so far) unsealed so you can store your overrides in the same file. Should you no longer need this solution, all you have to do is remove it from your System Center Operations Manager management group.

If you want to give it a try, download the Zip file and import the version you need.

I hope this solution will make your life easier and make you appreciate Microsoft solutions more and more.

Thanks

ActiveDirectory Addendum MP files.zip

Comments

  • Anonymous
    August 29, 2017
    Excellent work! I had this on my todo list but hadn't gotten around to it. Thank you for the contribution.
    • Anonymous
      August 30, 2017
      Thanks Ken. I am happy that it helped. Should you find something wrong, please let me know.
  • Anonymous
    September 22, 2017
    Cool stuff! Thanks for taking the time to write this.
  • Anonymous
    October 03, 2017
    Hi Bruno, this could really help me in one environment. But before implementing this I would like to know how to exclude 10 domains in trust list. How to list them and which separator to use (comma, dot)?
    • Anonymous
      October 03, 2017
      Hi Janez_B, thanks for your feedback. The trust list can be passed as a comma separated value list. For instance you can enter "DomainA.Com, DomainB.Local, DomainC.my" and so on. I will add that syntax as part of the post. Thanks, Bruno.
      • Anonymous
        October 03, 2017
        Hi Bruno, thanks for quick reply. I tried with comma and with space without double quote, for example: DomainA.com, DomainB.com but it wasn't ok. Now I entered without space between, so: DomainA.com,DomainB.com and it is ok. So if I use space I must use double quote, right?
        • Anonymous
          October 03, 2017
          The comment has been removed
          • Anonymous
            October 11, 2017
            Hi Janez_B, thanks again for your feedback. I tested it again and did not get any error on my side using spaces. Could you please test the following format without double quotes: DomainA.com, DomainB.com,DomainC.com Thanks, Bruno.
  • Anonymous
    November 15, 2017
    Will these changes be added to future updates of the Active Directory MPs?
    • Anonymous
      November 17, 2017
      Hi Will, I am working to see if that can happen. Please keep looking at the post, I will update it in case. Thanks, Bruno.
  • Anonymous
    July 30, 2018
    Hi Bruno. Trying to import the MP for 2016 and getting 4 errors telling me there are errors in the module references and monitor names? The AD 2016 MPs are in SCOM and successfully doing their job. Here is the first of the 4 errors. Error 1: Found error in 1|AD.2016.TrustMonitoring.Addendum|1.0.0.0|AD_Monitor_Trusts.DataSource.Addendum/DS|| with message:Failed to verify module reference [Type=ManagementPackElement=System.CommandExecuterPropertyBagSource in ManagementPack:[Name=System.Library, KeyToken=31bf3856ad364e35, Version=7.5.8501.0], ID=DS] in the MemberModules list.: Cannot find ManagementPackElement [Type=ManagementPackClass, ID=Microsoft.Windows.Server.2016.AD.DomainControllerRole] in management pack ManagementPack:[Name=Microsoft.Windows.Server.AD.2016.Discovery, KeyToken=31bf3856ad364e35, Version=10.0.0.0]. Can you please advise if there is something I'm doing wrong? Nick
    • Anonymous
      July 31, 2018
      Hi Nick, I just tried to import it on a new environment. I imported ADDS MP version 10.0.2.1 and then the Addendum and everything worked fine. Did you import all the necessary ADDS MPs?
      • Anonymous
        July 31, 2018
        Thanks, realised because of your message I was still using the 10.0.0.0 MP, as that was the version in the SCOM MP Catalog. Switched to using 10.0.2.1 and then your MP has imported in with no issues. Thanks, Nick
        • Anonymous
          July 31, 2018
          Glad to have helped and that it worked :)