MOM Warning Alert: AD Replication is occurring slowly

SYMPTOMS

You may see a warning alert in the MOM Operator Console:
Severity:  Warning
Status:  New
Source:  AD Replication Monitoring
Name:  AD Replication is occurring slowly
Description:  The following DCs took more than three times the expected replication time to replicate.

DESCRIPTION
The following DCs took more than three times the expected replication time to replicate.
Format: DC, Naming Context, Calculated Replication Time (in minutes). Intersite, expected replication time is 15 minutes.

CAUSE

This is due to the IntersiteExpectedMaxLatency threshold of 15 minutes in the AD Replication Monitoring script.

WORKAROUND

 

The AD Replication Monitoring script detects slow replication and replication problems. You can find the AD Replication Monitoring VBScript in the Scripts container under Management Packs. The IntersiteExpectedMaxLatency parameter can be customized based on the WAN links between sites. IntersiteExpectedMaxLatency is the expected maximum time that replication will take to occur between sites; by default it is set to 15 minutes.

 

DO NOT EDIT THE SCRIPT DIRECTLY. Instead, click on Parameters, click on IntersiteExpectedMaxLatency, and enter the new value.

Configuring DHCP Management Pack to use Low-Privilege account or normal user account

If you are wondering whether the DHCP Management Pack can be configured to use a low-privilege (MOM Action) account or a normal user account without administrative privileges, that is not supported.


Monitoring functionality on an agent computer is provided by both the MOM Service (MOMService.exe) and the agent Action Account. To work properly, the DHCP Management Pack requires that the Action Account and the MOM Service account both have local Administrator rights on the monitored computer. Configurations with low-privileged accounts are not supported.


MORE INFORMATION


Monitoring in Low-Privilege Configuration with the Windows DHCP Management Pack
http://www.microsoft.com/technet/prodtechnol/mom/mom2005/Library/807086f1-8e1d-4f1f-b040-e07129a6a35b.mspx

Access denied to MOM Operator Console

After enabling access to the MOM2005 Operations Console for users, the users are still unable to open the MOM Operator Console and receive the error:


Access denied to server: <server name>


MOM2005 is installed on Windows Server 2003 SP1. Due to changes in DCOM security in Windows Server 2003 SP1, users connecting to the Management Server must now also be in the “Distributed COM Users” local security group on the Management Server.


MORE INFORMATION


You receive a “You do not have the appropriate privilege” error message when you try to open the Microsoft Operations Manager (MOM) 2005 Administrator Console;
http://support.microsoft.com/kb/895952/

HOW TO enable access to the Operations Console for users

The console scopes define which computer groups a user of the Operator Console can view and manage. Depending on that, you might want to add the users to the following local groups created during MOM2005 installation:


  1. MOM Administrators: MOM Administrators can view and modify settings in the Operations Console and in the Operations node, Management Packs node, and Administration nodes in the MOM Administration Console
  2. MOM Authors: MOM Authors can view and modify settings in the Operations Console, and in the Operations node and Management Packs node in the MOM Administration Console
  3. MOM Users: MOM Users can view and modify settings in the Operations Console and the Operations node of the MOM Administration Console

Add the users to the appropriate group and they will be able to access the console accordingly.

The MOM Server failed to install agent



DESCRIPTION


While trying to push an agent install from the MOM2005 Server, you may see the following errors:


SYMPTOMS


The MOM Server failed to install agent on remote computer <FQDN>.
Error Code: -2147023174
Error Description: The RPC server is unavailable.
Microsoft Installer Error Description: No Description Available

The MOM Server failed to perform specified operation on computer <FQDN>.
Error Code: 5
Error Description: Access is denied. 

CAUSE

This is seen if the MOM ACTION account does not have the required privileges on the remote computer.



WORKAROUND


  1. Add MOM ACTION account to ‘Performance Monitor Users’ group (Members of this group have remote access to monitor this computer).
  2. Add MOM ACTION account to Local ‘Users’ group (Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications).
  3. Grant MOM ACTION account ‘Manage auditing and security log’ permission (SeSecurityPrivilege).
  4. Grant MOM ACTION account ‘Allow log on locally’ permission (SeInteractiveLogonRight).
  5. Add MOM ACTION account to ‘Administrators’ group. (This is generally not recommended, but if you have tried all 4 points above and the MOM agent install still fails, then you might want to try this last step.)

DISCLAIMER



This procedure worked for me on member servers.
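Workaround steps 1 to 4 can also be applied from a command prompt. The batch file below is an added example, not part of the original post: it assumes it is run locally on the member server from an administrative prompt, that ntrights.exe from the Windows Server 2003 Resource Kit Tools is on the PATH, and that `EXAMPLE\MOMAction` is replaced with your own MOM Action account. Step 5 is left out so the account stays out of Administrators unless you add it by hand.

```batch
@echo off
rem Added example, not from the original post: workaround steps 1-4 only.
rem Assumptions: run locally on the member server from an administrative
rem prompt; ntrights.exe (Windows Server 2003 Resource Kit Tools) is on the
rem PATH; EXAMPLE\MOMAction is a placeholder account name.
setlocal
set "ACCT=EXAMPLE\MOMAction"

rem Steps 1 and 2: local group membership.
net localgroup "Performance Monitor Users" "%ACCT%" /add
net localgroup "Users" "%ACCT%" /add

rem Steps 3 and 4: user rights.
ntrights +r SeSecurityPrivilege -u "%ACCT%"
ntrights +r SeInteractiveLogonRight -u "%ACCT%"

rem Review: list the resulting group membership.
net localgroup "Performance Monitor Users"
net localgroup "Users"

rem Review: export the local user-rights assignments and show the two rights.
rem The export is a Unicode file, so pipe it through TYPE before FINDSTR.
rem Accounts are listed by name or as *SID values.
secedit /export /cfg "%TEMP%\momaction-rights.inf" /areas USER_RIGHTS
type "%TEMP%\momaction-rights.inf" | findstr /i "SeSecurityPrivilege SeInteractiveLogonRight"
del "%TEMP%\momaction-rights.inf"

rem Step 5 (Administrators) is deliberately not applied; this only lists the
rem current members so you can confirm the account is not already there.
net localgroup "Administrators"
endlocal
```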

MOM2005 Agent Install failed with Error Code: -2147023283

Before installing MOM2005 Agent, make sure Windows Installer 3.1 is installed. I just installed an agent on a Windows 2000 server with an old version of Windows Installer and saw this error:


Failed:
The MOM Server detected that remote computer <FQDN>has older version of Windows Installer installed. Please update to Windows Installer 3.1 version.Please refer to release notes for more details. 
 
Error Code: -2147023283
Error Description: This installation package cannot be installed by the Windows Installer service.  You must install a Windows service pack that contains a newer version of the Windows Installer service.


DOWNLOAD


http://www.microsoft.com/downloads/details.aspx?FamilyID=889482fc-5f56-4a38-b838-de776fd4138c&displaylang=en&Hash=F3N3X85#filelist



 

AD MP: The script ‘AD Replication Monitoring’ encountered a permissions error.

DESCRIPTION


The script ‘AD Replication Monitoring’ encountered a permissions error. The script failed to update this DCs monitoring object in the naming context ‘DC=DomainDnsZones,DC=sadad,DC=com’ because access was denied. Alter the permissions for this naming context so that the script can add this container, or change the parameters for this script to stop monitoring this naming context.

The error returned was: ‘General access denied error’ (0x80070005)

 

CAUSE

 

This is due to a lack of permissions for the MOM ACTION account on the MOMLatencyMonitors container in Active Directory (this container is hidden).

 

WORKAROUND

  1. Open Active Directory Users & Computers (DSA.msc).
  2. Click on View and select Advanced Features.
  3. Click on MOMLatencyMonitors container and click on Properties (you should see your DCs in this container).
  4. Click on security tab and add MOM ACTION account and give it Full Control.
  5. Restart the MOM service.

SQL2000 MP: SQL Server 2000 Block Analysis is unable to successfully connect to the SQL Server instance

DESCRIPTION


The SQL Server management pack script “SQL Server 2000 Block Analysis” is unable to successfully connect to the SQL Server instance “MSSQLSERVER”. The error message returned is “Login failed for user.”

 

CAUSE

 

This might be due to login failure or lack of Windows user rights for the SQL Service Account to Log on as a service (SeServiceLogonRight).

 

WORKAROUND

 

Use Lockoutstatus.exe from the Windows 2003 Resource Kit Tools, which shows the Bad PWD Count and whether the account is locked. If everything is clear, make sure the SQL Service Account has the privilege to Log on as a service in Group Policy.

 

MORE INFORMATION

 

AD MP: An error occurred while executing AD Remote Topology Discovery Failed to CreateObject OOMADs (0x1AD)

DESCRIPTION

 

An error occurred while executing ‘AD Remote Topology Discovery’ Failed to CreateObject ‘OOMADs’. The error returned was: ‘ActiveX component can’t create object’ (0x1AD) 0x1AD.

 

CAUSE

 

This occurs when domain controllers do not have OOMADS.DLL registered, which is required for the Active Directory Management Pack. As soon as the rules associated with this computer group are deployed, a script automatically runs to install and register this DLL, and if you don't have ACTIVE DIRECTORY HELPER OBJECT installed, you will see this error.

 

WORKAROUND

 

Install oomads.msi (Active Directory Helper Object) from MOM Support Tools.

 

 

SQL2000 MP: MOM2005 SQL Server management pack failed to execute the SQL Server 2000 Replication Monitoring script successfully

DESCRIPTION

The “Microsoft SQL Server” management pack failed to execute the SQL Server 2000 Replication Monitoring script successfully. The following error event was returned “Access denied while reading registry value [\\Your-MOM-Server\HKLM\Software\Microsoft\MSSQLServer\Setup\ProductCode]“. The following additional error details were returned “”. Please refer to the events associated with this alert to view the computers that have experienced this problem.

 

WORKAROUND

 

In reality, on my SQL2000 SP4 installation, this registry path does not exist. Looks like a BUG. My knowledge of SQL scripting is very limited and so I have disabled the SQL Server 2000 Replication Monitoring Script from MOM Admin Console :-). This script is located in the State Monitoring and Service Discovery Event Rules container.

 

BEST PRACTICE

 

Make sure the MOM ACTION account is a member of the Built-in Users group on the MOM Server. The Built-in Users group has read permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer.