MP Update – Totally new Active Directory MP for Windows Server 2012 and 2016

<!--[if lt IE 9]>

<![endif]-->

Comments

• Anonymous
  December 22, 2016
  The comment has been removed
  • Anonymous
    January 10, 2017
    There should no longer be an alert storm while doing maintenance on a DC. We worked hard to trim as many of the excessive alerts and noise generated via the MP. Depending upon the failure or status of your DC you may still get some alerts from other DC’s regarding replication but they are far fewer than the past. One of the ways we did this is via another big change in these MP's over the old ones. We no longer monitor via event logs. All alerts are generated from a synthetic test or performance counter on the DC.
• Anonymous
  December 23, 2016
  Thanks for the information about the release/update.Interesting that the MP Guide still mention the DFS Replication and Group Policy Management Packs as recommended as they are kind of outdated.Regards,Konstantin
  • Anonymous
    December 23, 2016
    The comment has been removed
• Anonymous
  December 23, 2016
  OMG I have been dealing with the replication monitoring issue just recently....going through the pain of tuning all of those monitors/rules as you just described. Looking forward to testing out the new MP!
• Anonymous
  December 24, 2016
  What an epic news. Maybe they will rewrite iis mp too..
• Anonymous
  December 27, 2016
  Hi Kevin, just need a quick clarification on "ADMP supports monitoring Active Directory when yours DC’s are Windows Server 2012, 2012R2, or 2016" comment above. So as long as my domain controllers are running on Win 2012 and up even with "Domain Functional Level at Windows Server 2008 R2" I can use this MP and it will be supported? I went through the guide and didn't find any reference to the domain functional level requirements.As always thanks for keeping us all educated on new SCOM stuff!
  • Anonymous
    December 28, 2016
    I am not aware of any domain functional level requirements for this.
  • Anonymous
    January 10, 2017
    The MP versions are related to the OS versions of the DC's. All forest functional and domain functional levels are supported.
• Anonymous
  January 02, 2017
  Just a sanity check here, for the Domain Member Monitoring Rule, I should only put my DC's in this group as they're the ones I'm worried about replicating with. Correct?
  • Anonymous
    January 10, 2017
    You can put your DC's into the domain member monitoring group but that is not recommended. We recommend dedicating a member server to this group. The purpose of the Domain Member monitoring MP is to check the health of your domain from the perspective of a client. It is not always possible to know if a domain is responding properly to your clients via the DC. So, we implemented the Domain Member Perspective to give more insights into the health of your domain. Also, if you did not want run agents on your DC's for security purposes you could use the Domain Member monitor to verify the health of your domain without running any agents on a DC. One caution for monitoring your domain with the Domain Member monitor by itself...It will not monitor replication health or trust health. It primarily verifies that a client can bind to each DC in your domain and that it can find the FSMO owners.
• Anonymous
  January 04, 2017
  Hi Kevin,In the monitor "AD Show Replication Check" I think we found a mistake.Dim sDomainDN sDomainDN = oRootDSE.Get("rootDomainNamingContext") should be oRootDSE.Get("defaultNamingContext") to make sure it checks the domain with the short delay. (different delays)If we don't change it, it only check the forest replication.'Check for RootDSE and set shorter replication delay for that NC it doesn't check for both delays.Thanks !
• Anonymous
  January 06, 2017
  I can't seem to get these MPs to import properly for some reason. No errors on import, but when the monitoring MPs are imported, I am unable to access Overrides within the Authoring section of the console. I get the dreaded “An object of class ManagementPackClass with ID was not found”. As soon as I remove the monitoring MPs, this error goes away. Running SCOM 2012 R2 UR11.Any suggestions?
  • Anonymous
    January 06, 2017
    Interesting - Mine works fine. But I had a predefined scope in place. When I deleted my scope - I got that same error. However, once I hit the scope button and created a new scope - no issues. Can you try that? It might be something left behind from an old MP in the console cache. So also clear your console cache.
    • Anonymous
      January 10, 2017
      The comment has been removed
      • Anonymous
        January 11, 2017
        Thanks for the info. We have identified the issue and should have an update coming to resolve the override view.
        • Anonymous
          February 01, 2017
          The issue with the override view being broken is now fixed in 10.0.2.0 which is available.
        • Anonymous
          February 06, 2017
          Kevin, can you confirm that this is the only thing fixed in v10.0.2.0? I have an issue with how the Group Policy Update Monitor works in v10.0.1.0 and I'm thinking of opening a support case.
• Anonymous
  January 06, 2017
  Yep - setting a scope stops that error. Clearing cache does not fix it - the error persists if no scope is set.Seems like an issue with this MP!
  • Anonymous
    January 06, 2017
    can you post the full message or at least the ManagementPackClass ID in the error?
    • Anonymous
      January 10, 2017
      Already post on Mark comment :-)
• Anonymous
  January 10, 2017
  Ok, I am running this up the chain.
• Anonymous
  January 11, 2017
  After importing this MP into our test MG, about 15% of our domain controllers are showing an error for “The total number of ATQ threads in use has exceeded one or more thresholds over multiple samples.”, but in the description it states “Failure to retrieve the raw performance data for NTDS via WMI. The error returned was: ‘Object required’ (0x1A8)”. The error can be cleared, but quickly returns, always on the same group of DCs. I can't find any particular problem on the DCs that throw this error in SCOM versus the rest which don't. A web search reveals similar errors attributed to WMI memory leaks on 2012 R2 servers that was supposedly fixed, but little else. Any ideas? Thanks.
  • Anonymous
    January 11, 2017
    Adam,We have seen a similar issue in our testing but it was not related to SCOM or the MP. It was a WMI issue. In our instance the NTDS hive was not there or corrupted. Rebuilding the WMI repository resolved this issue for us.
    • Anonymous
      January 13, 2017
      Thanks, Eric, but when WMI is implicated, verifying the repository is my first step. ;) These ones all came back consistent. I have noticed that vmStatsProvider seems to be taking the WMI Performance Adapter up and down constantly (machines are all virtualized), and additional research seems to indicate that if you're running another performance monitoring solution like SCOM, you might want to turn off some perfmon stuff that vmware can do, as I guess SCOM prompts it to run whenever the agent calls the mothership, or something like that. Working with the vmware guys to sort that might be a bit of a pain point, though, and I was just wondering if anyone else had solved this apparently spurious ATQ thread issue already, so I didn't have to go down that road. I know the MP hasn't been out long, but I thought I'd give it a shot. Thanks again for the suggestion.
      • Anonymous
        February 08, 2017
        So, what's the best solution to check or "repair"? I got this (“The total number of ATQ threads in use has exceeded one or more thresholds over multiple samples.”) after importing new MP as you. Thanks)
      • Anonymous
        February 21, 2017
        Did you solve this issue?
        • Anonymous
          February 23, 2017
          I fixed the error "The total number of ATQ threads in use has exceeded one or more thresholds over multiple samples." for the Monitor "ATQ Average Threads Monitor" after I remove the RegKey "Disable Performance Counters" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Performance.There were several other issues with this DC and removed the "Disable Performance Counters" for some other values as well and ran the "winmgmt /resyncperf" command. My problems were gone after this procedure and a WMI Service restart....
      • Anonymous
        March 08, 2017
        Adam, I was getting the same error with a quarter of my DCs. After reading the blog below, I ran LODCTR /Q:NTDS and noticed that my NTDS performance counters were missing. I checked the registry and the values under the NTDS\Performance key were indeed missing. I followed the blog, imported the missing values from a good DC, ran LODCTR /R, and restarted the health service. After some time (over ten minutes), the alert auto-cleared. I hope it works for you. https://blogs.technet.microsoft.com/brad_rutkowski/2009/03/19/ntds-performance-counters-missing/
• Anonymous
  January 23, 2017
  Hi Kevin. It looks like you will have to run HSLockdown to allow local system to run the health service, but i don't find any mention of this in the MP guide
  • Anonymous
    January 23, 2017
    That is because that has nothing to do with the Management Pack. That is a core SCOM agent side issue, unrelated to what MP's you might be running. I documented the behavior here: https://blogs.technet.microsoft.com/kevinholman/2016/11/04/deploying-scom-2016-agents-to-domain-controllers-some-assembly-required/
    • Anonymous
      January 24, 2017
      Thank you Kevin. That explains why we did not experience this in our 2012 production environment. Will need to add this to my list of 2016 prereq's
• Anonymous
  February 02, 2017
  If we still have to support 2008 R2 domain controllers, we'll still need the "old" Active Directory Server MP as well. Since that MP also supports 2012 domain controllers do you recommend disabling the "AD DC Local Discovery (DC Role)" discovery rule for 2012 and 2012 R2 servers? If we don't, won't both sets of workflows be active for 2012 domain controllers?
  • Anonymous
    February 02, 2017
    If you are still supporting old 2008R2 domain controllers, I'd probably be inclined to just continue using the old MP and not use the new one until all DC's are 2012 or later.
    • Anonymous
      March 02, 2017
      Hi Kevin, thanks for clarifying this as I too had the same query, we basically have a mixture of 2008R2 and 2012R2 Domain Controllers and I wasn't 100% sure what best practise was on whether running both MPs together etc.Thanks
      • Anonymous
        March 05, 2018
        Hi Chris, Is it possible to share your approach for upgrade ADDS Management Pack? Since I'm in process to migrate AD MP to ADDS MP.
• Anonymous
  February 22, 2017
  Hi,There is mention "action account" in management pack guide. Does it mean Agent action account which you can configure for example when installing agent or should be there separate run as profile like in previous AD MP? Can't see that kind of profile anymore with this MP.
• Anonymous
  February 24, 2017
  Does this management release the need for the action account to be a domain admin in order to collect performance data, run the script or generating alerts based on security logs events?
• Anonymous
  March 14, 2017
  Hi Kevin, for the old MP is there a Custom Add: "Active Directory Server Common Library (Custom Add Ons to 6.0.7065.0) " unsealed.This is for "Additions to make AD Discovery work with Gateways placed in untrusted AD forests"Is this contain in the new MP 10.0.2.0 ?
• Anonymous
  April 18, 2017
  In old Client Monitoring, which is now Domain Member Monitoring, I would override AD Client Update DCs rule to set one of four client monitoring modes, but I can't seem to find that option in new MP although it says global setting can be configured in Console. Also, there are only 3 rules altogether for Active Directory Domain Member Perspective, where for old Active Directory Client Perspective we had around 30. Is this normal? There are more monitors in new one though...
  • Anonymous
    June 30, 2017
    Is the same set of rules/monitors infact monitoring scenarios are followed if AD is installed on Windows 2016 core version when it is monitored under SCOM 2012 R2?
• Anonymous
  August 09, 2017
  Hi KevinI have imported this MP on a brand new SCOM 2016 UR3 setup. The DCs get discovered fine (after running HSLockdown.exe on the DC). However topology does not get discovered. When the "AD Topology Discovery" runds on the RMS it generates an event 1000 with the text "ADTopologyDiscovery : Cannot create Discovery Data". Googling has brought me to a) fix the "Operations Manager install path" (how can something like that get past QA?) and b) install .net 3.5 on the OM servers. However I still get the above error. Any ideas?
  • Anonymous
    October 22, 2017
    @Kim Wohlert: did you ever get a resolution to this? I am having the same "issue" - The AD Topology Root is not monitored. SCOM 2016 UR3 and 2016 DC's. .Net 3.5 was installed on the DC's but has not resolved the issue. Event ID 1000 - ADTopologyDiscovery : Cannot create System.Collection.Stack
• Anonymous
  March 05, 2018
  Hi Kevin,I'm in process of upgrading to ADDS MP in my environment. Have few queries - Alert from DC 2012 R2 is showing under old AD MP 6.1.0 version. Do we need to do any specific settings after import of MP?Is AD MP 6.1.0 and ADDS MP 10.0.1.0 will works together ?Appreciate your valuable feedback.