Again - Active Directory Management Pack - AD MP - SCOM 2012R2 - AD 2012R2 - Action / RunAs Account permissions

Hi,
After reading many posts and blogs I came to the conclusion that it is still unclear to me what is needed to monitor Active Directory successfully and what is the most secure way of configuring the RunAs or Action Account. I hope the experts here can make a clear statement to answer the question for all time ;-)
1. Action Account:
Here the permissions and rights needed to use a low-privileged account are described:
https://technet.microsoft.com/en-us/library/hh212808.aspx
Now you might say: that was asked and answered so many times... You are right, but the answers ranged from "run as Local System" to "you need local admin". Also the AD MP documentation still says you need a local admin account.
Here are other references which say you need local admin rights:
http://micloud.azurewebsites.net//2014/02/26/scom-agent-grayed-out-when-trying-to-monitor-domain-controllers/
Even Kevin Holman says here
https://social.technet.microsoft.com/Forums/systemcenter/en-US/2a0e5a2b-a3d9-42d4-8474-9f690007caa0/opsmgrlatency-cn-gets-auto-created-in-domain-not-configuration:
"Basically - if your domain controllers are running as local system default agent action account, in most cases you will not need to ever set up any replication monitoring run-as accounts.... as local system on a DC has all the rights necessary. (in most cases)."
Simple questions: Is this really enough to monitor every aspect of an Active Directory domain and domain controller using a low-privilege account with the permissions in the article? Or is using Local System better? Is there a difference when using SCOM 2012 R2 with the new agent? Most documentation refers to SCOM 2007 (except the replication monitoring, where it is clear that other permissions are needed:
http://blogs.technet.com/b/jimmyharper/archive/2009/05/20/configuring-or-disabling-replication-monitoring-in-the-active-directory-management-pack.aspx )

The MP guide is not really clear about it. The only thing they are clear about is whenever you want to use client monitoring. In those situations low privilege will not work:
For each of the client-side monitoring scripts to run successfully, the Action Account must be a member of the Administrators group on both the computer on which the client management pack is running and the domain controller that is being monitored. The Action Account must also be a member of the Operations Manager Administrators group, which is configured through the Operations console, so that all the scripts that are configured on the Root Management Server can run properly.
Both a local system and domain admin are a risk. If someone loads a malicious management pack that makes changes to the AD services you are screwed. The local system has unrestricted access to local resources including domain services.
The only reason I don't want a domain admin account in SCOM is that you have an additional layer where the password potentially could be retrieved. That's not the case with a local system account. But the risks are the same.
See: https://msdn.microsoft.com/en-us/library/ms677973%28v=vs.85%29.aspx
But this is not an answer to your question. :-)
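One way to check the point argued in this thread on a concrete server, as an added example that is not from the thread, the MP guide or the SCOM product: the script below audits whether a candidate action account sits in the low-privilege local groups the TechNet article linked above lists (Users and Performance Monitor Users, plus the "Allow log on locally" right) and flags membership in Administrators, which is the excess privilege the last reply warns about. The group names, the secedit-based rights check and the -Account parameter are assumptions of this script; it must run elevated on the monitored server (secedit requires that), and it checks direct membership only, so a nested path into Administrators would not be flagged.

```powershell
<#
  Added example (not from the thread): audit a candidate SCOM action account on
  the local server against a low-privilege baseline. Assumptions: the expected
  groups follow the TechNet low-privilege article linked in the question;
  "Administrators" is treated as excess privilege; secedit.exe must run elevated.
#>
param(
    [Parameter(Mandatory)]
    [string]$Account,                                            # e.g. 'CONTOSO\svc-scom-action' (placeholder)
    [string[]]$ExpectedGroups   = @('Users', 'Performance Monitor Users'),
    [string[]]$PrivilegedGroups = @('Administrators')
)

# Resolve the account to its SID once; user-rights assignments are stored as SIDs.
function Get-AccountSid {
    param([string]$Name)
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Direct membership test. Get-LocalGroupMember does not expand nested domain
# groups, so membership inherited through a nested group is not reported here.
function Test-GroupContains {
    param([string]$Group, [string]$Member)
    try {
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    } catch {
        Write-Warning "Local group '$Group' not found on this host"
        return $false
    }
    return [bool]($members | Where-Object { $_.Name -ieq $Member })
}

# Export the local security policy and look up who holds a user right.
# secedit writes holders as '*SID' or plain names, comma separated. A right
# granted through a group the account belongs to is not detected by this
# direct-SID comparison.
function Test-UserRight {
    param([string]$Right, [string]$Sid)
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) { return $false }   # right is assigned to nobody
        $holders = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
        return $holders -contains $Sid
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$sid    = Get-AccountSid -Name $Account
$report = [ordered]@{ Account = $Account; Sid = $sid }
foreach ($g in $ExpectedGroups) {
    $report["In '$g' (required)"] = Test-GroupContains -Group $g -Member $Account
}
foreach ($g in $PrivilegedGroups) {
    $report["In '$g' (excess privilege)"] = Test-GroupContains -Group $g -Member $Account
}
$report['Allow log on locally (SeInteractiveLogonRight)'] = Test-UserRight -Right 'SeInteractiveLogonRight' -Sid $sid

[pscustomobject]$report | Format-List
```

Saved as, for instance, Audit-ActionAccount.ps1 (an assumed file name), it is run from an elevated prompt as `.\Audit-ActionAccount.ps1 -Account 'CONTOSO\svc-scom-action'`. A "required" entry reading False means the account is missing part of the documented low-privilege baseline; an "excess privilege" entry reading True means the account is effectively a local admin, which is the exposure the replies above describe if a malicious management pack is ever imported.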

Similar Messages

  • Active directory management pack and 2012 R2

    I'm getting the following alert from SCOM 2012 R2:
    "Alert description: AD Op Master Response : The script 'AD Op Master Response' could not determine the PDC Op Master.The error returned was: 'LDAP://server01.domain.local/RootDSE' (0x8007203A)"
    DCDiag shows no errors.
    The error did not show up when we were running 2012 DCs.

    Resolution: Logged into the server, attempted to open Active Directory Domains and Trusts and received the message: “The configuration information describing this enterprise is not available. The server is not operational.” Debugging, rebooting the server.
    After reboot the issue opening Active Directory Domains and Trusts no longer occurred. Closed the alerts generated to see if they would recur.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical | Twitter: Mai Ali

  • Active Directory Management Gateway Service installation error

    Hey,
    When I attempt to install the 32 bit Server 2008 package from http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=2852 I get an error saying that it's not the correct version. Just in case I tried the 3 other versions, but as expected they give the same error. Any ideas?
    Thanks In Advance,

    Hi,
    Based on the description, we can try to contact Microsoft Customer Support Services to obtain the hotfix to see if it helps.
    A hotfix rollup package for Active Directory Web Service is available for the .NET Framework 3.5 SP1
    http://support.microsoft.com/kb/969166
    Besides, the following thread focused on a similar issue to ours and can be referred to for more information.
    Active Directory Management Gateway Service - install problem
    http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_install/active-directory-management-gateway-service/d02c3ee7-ee4d-e011-8dfc-68b599b31bf5?tab=question&status=AllReplies
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Issue with Reset Password from Active Directory Integration Pack

    I seem to be having some issues with a subscription in the Reset Password activity from the Active Directory Integration Pack. The "User Password" field refuses to take a value from a subscription provided earlier in a Generate Random Text activity. As you will see in the screenshot below, when the Reset Password activity runs, the User Password value is blank.
    Any idea why this might be happening? It looks like a possible bug with the Active Directory Integration Pack.

    Hi John,
    I think this is not a bug, this should be by design because the password is a secure string. If you look for the Published data for Reset User Password activity at
    http://technet.microsoft.com/en-us/library/hh553463.aspx it is not listed there as well.
    If you need the string (e.g. to send it via email) use the data from the "Generate Random Text" activity.
    Regards,
    Stefan
    www.sc-orchestrator.eu, Blog sc-orchestrator.eu

  • AlwaysOn Management Pack not functioning - SCOM 2007R2

    Hi all
    I am a DBA but am new to SCOM and have been trying to get the AlwaysOn Management pack to work.  I manually installed some agents on the 2 boxes I want to manage and can see they are being monitored in the inventory.
    The management pack was already pre-installed by another employee but when I looked into the Administration > Management Packs and clicked on Import I could see that for that particular pack the AlwaysOn features were not installed.  Thinking this was the reason why it was not working I installed them.
    I can now see when I go to Discovered Inventory and Change Target Type the AlwaysOn components however they are not monitoring anything.  The only one with an entry is the AlwaysOn seed which shows the 2 boxes, but in a not monitored state.
    Does anyone have any suggestions about how to get this to work?
    Many thanks

    Hi
    SQL needs Run As Accounts and Profiles configuring:
    http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx
    Is the SQL DBEngine discovered and do you see discovered databases on the server. I suspect you do as it seems to have discovered the Always On components but just want to check.
    Also have you enabled the Agent Proxy setting - Administration, Agent Managed, double click - Security tab.
    Have you run through page 43 onwards from the guide:
    http://www.microsoft.com/en-us/download/details.aspx?id=10631
    Cheers
    Graham
    Regards Graham New System Center 2012 Blog! -
    http://www.systemcentersolutions.co.uk
    View OpsMgr tips and tricks at
    http://systemcentersolutions.wordpress.com/

  • Active Directory Error 0x51 occurred when trying to check the suitability of server ' servername '. Error: 'Active directory response: The LDAP server is unavailable'. It was running the command 'Get-OwaVirtualDirectory'.

    This issue is driving us nuts - there are no issues with Domain Controllers or AD in this environment.  The server it is citing in the error has been retired - it was gracefully dcpromo'ed down and removed from the environment.  DNS has no record of it, nor is it located anywhere else.  We are not able to log into Outlook Web App either with authentication failed errors - and I can't help but expect these 2 issues are related?  I tried hard coding the Configuration Domain Controller at the org level, as well as using the -staticdomaincontrollers and -staticglobalcatalogservers with the "Set-ExchangeServer" powershell command - no luck....  System settings of the exchange 2010 servers show they are pointing to the correct DCs - but I still get this error accompanied with long delays in rendering windows in EMC.  Extremely frustrating.....  I have an issue logged with MS now, but they aren't looking at them until Nov 9.  Has anyone seen this issue at all?  More info on the OWA config - using Form based auth, and I'm not able to perform a simple test-owaconnectivity -mailboxcredential (get-credential\username) -allowuntrustedcertificate -allowinsecurelogon - please help

    Creating a "global catalog" on the 2nd domain controller will fix this problem.
    To create a new global catalog:
    On the domain controller where you want the new global catalog, start the Active Directory Sites and Services snap-in. To start the snap-in, click Start , point to Programs , point to Administrative Tools , and then click Active Directory Sites and Services .
    In the console tree, double-click Sites , and then double-click sitename .
    Double-click Servers , click your domain controller, right-click NTDS Settings , and then click Properties .
    On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server.
    Restart the domain controller.

  • UCS management pack for SCOM

    I've installed the UCS management pack for Microsoft SCOM 2007 R2. It appears to be working, however I now keep seeing all computers that have the SCOM agent installed trying to run the cisco.ucs.computer.probeaction.vbs script, which fails and generates alerts. Does anyone know why these servers that are unrelated to UCS would be trying to run these scripts, or how to fix this problem?

    The problem is that you use an “&” string in the name of one of the protection groups.
    Change the name of the protection group where you have used an “&” symbol. Restart the “System Center Management” and you should see that the discovery succeeds.
    If you still have the same issue, start registering the different DLLs again on the machine, apparently registering the MOMScriptAPI.dll:
    http://scug.be/dieter/2012/11/08/scom-event-id-21406-file-name-or-class-not-found/

  • How to manage Active directory and tools to manage Active Directory

    How to manage Active directory and which tools we use?

    You can use Microsoft Active Directory management tools:
    http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
    Overview of Server Message Block signing
    http://support.microsoft.com/kb/887429/en-us
    Remote Server Administration Tools for Windows 7:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
    AD Admin Center:
    http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx
    http://technet.microsoft.com/en-us/library/dd560652(WS.10).aspx
    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

  • How do I create Local Network Home Folders for Users from an Active Directory binding?

    My situation is this... I run an iMac lab at my school.  I have a server set up to manage the network user accounts in the lab.  Currently, I can successfully create Local Network Users and log in to them from any of the iMacs.  My school has an Active Directory set up for all the students on campus.  What I'd like to be able to do is configure the server to allow the students to use their user names and passwords from their school accounts to log in to the iMacs and have it automatically build a network user folder on the server for them to use during the lab.
    So far, I have been able to configure access for the Active Directory accounts to use the services on the server, mainly File Sharing, but I cannot figure out how to allow them to log into a user account on the client's machines using their same Active Directory credentials.  I have even attempted to allow the user accounts to create mobile accounts, but that's not working out either.  Entering individual network user accounts into the server for every student every semester will be a nightmare.  I'm sure there's a way to do it automatically using the existing Active Directory structure.
    The live server is running 10.8.5 Server still, but I've also got a clone running OS X Server in case it matters.  Please help!

    OK, reinstalled everything. DNS seems to be working; I have done sudo changeip -checkhostname and it says that both names match, but then I started Open Directory and can't seem to get Kerberos started. I've tried changing it to standalone then back again but it does nothing. I'm wondering why this would happen? I've tried adding a Kerberos record but it doesn't do it, it just does nothing, so I don't know what I'm doing wrong. I wondered if it might be a problem with the two network cards and DNS, as on Ethernet 1 it is getting the DNS name xserve.xxxx.ac.uk (which matches what the college server wants to call us) but on Ethernet 2 it gets xserve-2.local because it tells me that it already exists on Ethernet 1 and renames it to this. I need to set up NAT so have Ethernet coming in on port one and out again on port two. I wonder if my DNS is backwards as it's got the 192. address the NAT uses but it's linked to the Ethernet port one DNS; maybe this is the problem. Would this cause Open Directory not to start Kerberos?

  • Active Directory user passwords on mobile account with File Vault

    Hi all,
    I enabled file vault when I moved to my MacBook Pro. I joined the computer to the domain (after enabling file vault), and logged in with my domain account, creating a managed, mobile account so that I could use the computer when not connected to the domain.
    Active Directory has forced a change in my password for the domain account but I cannot get the password on the Mac to change the password and sync with the domain.
    My account (the one with the changed network password) on the Mac is a standard user account. When I open system preferences, go to Security & Preferences, General, click on the lock to unlock and allow change and then click Change Password  ..., I receive the following error message after going through the steps to change the password:
    The password for the account "user" was not changed. There was a problem with your password. It's possible your system administrator doesn't allow you to change your password. Contact your system administrator for help.
    For Old Password, I used the old network password, the one that I use to log into the Mac. For New Password, I used my new, current password.
    The same result happens when I attempt to change the password from the Users & Groups section of the System Preferences.
    I have logged out and logged in with the user account that is identified as the admin and get a similar (same ?) error when attempting to change the password.
    Any suggestions? How do I get the passwords to be one so that I can forget the old password?

    Thanks for your insights.
    The Tech Tool report happened after AppleJack, and never showed up before that. Restarting again just now, it showed up again.
    I had not emptied the trash, but did now, and the 'get info' on my hard drive still shows that I have used nearly all of my 160 GB.
    Re Disk Warrior: I do have it and just ran it. I emptied trash again and checked to see available disk space: I have 2.47 GB, so the problem still exists.
    Here is the disk warrior report for the first part of its tests:
    DiskWarrior has successfully built a new optimized directory for the disk named "Hildegarde." The new directory is ready to replace the original directory.
    There is not enough contiguous free space for a fail-safe replacement of the directory. It is highly recommended that you create 204 MB of contiguous free space before replacing the original directory.
    All file and folder data was easily located.
    Comparison of the original and replacement directories indicates that there will be changes to the number, the contents and/or the attributes of the files and folders. It is recommended that you preview the replacement directory and examine the items listed below. All files and folders were compared and a total of 14,627,488 comparison tests were performed.
    • Errors, if any, in the directory structure such as tree depth, header node, map nodes, node size, node counts, node links, indexes and more have been repaired.
    • 1 folder had a directory entry with an incorrect custom icon flag that was repaired.
    Disk Information:
    Files: 552,652
    Folders: 131,014
    Free Space: 2.47 GB
    Format: Mac OS Extended
    Block Size: 4 K
    Disk Sectors: 321,410,736
    Media: HDT722516DLAT80
    Time: 11/28/08 6:54:19 PM
    DiskWarrior Version: 4.1

  • The selected management pack cannot be deleted.

    I'm having problems deleting a custom management pack in SCOM 2012. The error is the following:
    The selected management pack cannot be deleted. This might be because it is currently being deleted or it has already been deleted. If you think this message is in error, try again later.
    Any ideas?

    I face the same problem in SCOM 2012 SP1
    The selected management pack cannot be deleted. This might be because it is currently being deleted or it has already been deleted. If you think this message is in error, try again later.
    I only have the problem with one unsealed MP.
    I can delete other sealed MPs and import them again. So I hope my environment with DB is working well.
    I also have deleted all overrides for this pack (in the same MP/xml because it is unsealed), restarted the DB server and the SCOM Management Server and also started the SCOM console with the switch "/clearcache". All without success.
    Any idea how I can remove this MP from my SCOM environment.
    Remark:
    I tried the idea from AndreasZuckerhut
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/166c3560-c3ae-4510-8e25-1b6f1b57e3bc/unable-to-delete-mp-in-scom-2012?forum=operationsmanagermgmtpacks
    created my own MP with the same ID but a newer version and started the "Import Management Pack" from the SCOM Management GUI.
    This time I got the import error "The transaction log for database 'OperationsManager' is full due to 'ACTIVE_TRANSACTION'." I also see the same event log entry 9002 on the SQL Server system. Could this also be a hint to the problem above of a failed deletion of an MP? A guide on how to solve this is at
    http://www.codeproject.com/Articles/380879/About-transaction-log-and-its-truncation-in-SQL-Se . But I have not tried yet whether it solves the problem. I will ask an SQL expert first and will note the result here later.

  • HP Storage Management Pack woes

    I seem to be having an issue since I imported this management pack into my test environment. I'm running SCOM 2012 R2 with v3 of the Storage pack and installed the SNMP Collector on an agent managed server. However when I installed the management pack (3PAR) and enabled the 3PAR SNMP Trap Catcher discovery I did it against the Windows Computer Class instead of the specific server I wanted to target. Now all computers running the service SNMP TRAP are showing as discovered inventory generating alerts of OpsMgr failed to run a WMI Query for WMI events.
    I tried to stop this by creating a new override for disabling the discovery and setting it to enforce. Then using the Remove-SCOMDisabledClassInstances cmdlet but it's made no difference.
    I've also tried clearing the cache on individual agents.
    Any ideas?
    Thanks 

    I had exactly the same issue this week. My DB filled up with event logs. Once I realised I had targeted the whole Windows Computer Class, I removed the enable override for the SNMP Trap Catcher object discovery, but the events continued to pile in.
    In the end I had to remove all of the HP Storage v3.1 MPs and start again.
    Currently having new issues now with a P2000 that is reporting in via SCOM's Native Discovery, but won't appear under the HP Storage MP. Now looking to use a collection point for the traps that ISN'T one of the SCOM Management servers, as it appears there is a known issue with this......
    On page 123 of the HP Storage MP user guide:
    Known Behavior
    Unable to collect SNMP traps from HP Storage Management Pack for System Center. Microsoft has implemented a workaround from OpsMgr to move the SNMP trap collection server to a separate Management server which is not a part of Network Resource Pool/Discovery
    Server. This will allow the SNMP Trap service to listen on port 162 and collect traps.
    Sheeeesh..
    And just realised that there is now a new MP called HP StoreFront Manager 4.0 which seems to effectively be the latest version of HP Storage MP:
    http://www.systemcentercentral.com/hp-storefront-manager-for-microsoft-4-0-hp-storage-management-integration-with-ms-system-center/

  • Joining 10.8.5 with existing account to Active Directory domain

    Hi-
    I have a MacBook Pro that I am using as a test computer to figure out how to introduce the growing population of Macs into our Active Directory environment in our small company. This computer is running OSX 10.8.5.
    There is a test account in AD that I will be using to connect to the Windows domain. I am able to get the laptop bound to AD, and have no problem authenticating and seeing all the network resources required.
    Here is the part that has me stumped:
    Is there any way to take my existing "local" account that was configured when I began using my MBP without Active Directory and continue to use it, but logon to the laptop using my Active Directory account?
    Perhaps copy all the settings and preferences from the local account ontop of the AD account on the laptop?
    I have been using this laptop as my personal machine for many months and have quite a few customizations made to my desktop preferences, icon layouts, etc. This will be the same case with all of the users that will soon be authenticating on the domain. We need this for centralized management of network shares, password policies, and a number of other security features.
    There is some limited information on the web, but nothing that I have tried really works, here's some of what i found and the difficulty that resulted.
    http://community.spiceworks.com/how_to/show/37886-convert-mac-local-user-into-active-directory-network-user
    - The script mentioned in step 3 was not able to copy local account to the destination folder.
    http://robotcloud.screenstepslive.com/s/2459/m/5322/l/112415-convert-local-accounts-to-network-mobile-accounts
    - The sudo mv /Users/USERNAME /Users/DIRUSERNAME command was not able to make the "DIRUSERNAME" directory, and did not have any effect if this directory already existed due to a prior logon.
    I'm just looking for some help making it so that my users can retain their desktop layouts that they are used to, but logon to the domain using AD credentials.
    Seems simple, but is pretty difficult to get done.
    Thanks in advance for any help....
    -Aaron

    This might help:
    http://www.afp548.com/article.php?story=20060517222656622&query=radius

  • Creating Active Directory Accounts for vSphere 5.1 Services

    To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory.  I need to determine how many to create and what permissions they need.
    In Single Sign on Server, I need to choose an account that vCenter server will use when it connects to SSO.  I can use the default admin@system-domain.  Or I can add an account that is configured in Active Directory.  Or, I can also use an active directory group instead of an individual user.  What is the best way to do this and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign on Server?  (I'm using multisite mode, so I can't use local accounts)
    In SQL Server, I need to choose an account to use for the SQL server service.  Should this account be an active directory account or a local user account?  If so, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine?  What AD group, if any should it be a part of?  What local permissions does it need?
    In vCenter Server, I need to choose an account to run the "vCenter Server Service" in.  Is it best to use the default "system" account or to use an account from Active Directory, or a local account?
    I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere - vCenter Server, Single Sign on, Inventory Service, Web Client Services.
    For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems.  Or create separate groups for each management piece and assign permissions to the groups.  Is it better to consolidate some of these user names or split them out?  Any experiences / suggestions welcome.  Thanks.

    Hello,
    For general services I use a service specific account within AD. This was before SSO and I use the same after SSO. SSO is used by only two services that I know about at the moment (Inventory Service and perhaps vCloud). However, there are many other service accounts that should be created. You want one account per service and I use AD for this; this way I can create a service account group and give it the appropriate roles and privileges. For example I have service accounts for:
    VMware View
    XenDesktop
    vCops
    HPSIM
    Solarwinds
    VMTurbo
    NetApp
    etc.
    One service, one service account, each with either a general role or custom role depending on access requirements to vCenter.
    For SSO, I too am waiting on general information, but I set mine up fairly basically to cover only those resources that make use of SSO. Since the vast majority of items do not use SSO, the rule still applies.  Once SSO is supported by more than one or two tools, you still need to maintain that separation.
    So I say yes, tie SSO to AD and do everything in one place; unfortunately, that is not very clear, or at least was not to me, and these SSO issues are either being fixed, documented, or both.
    Best regards,
    Edward L. Haletky aka Texiwill

  • Active Directory + Resource action to delete home directory

    Hi all,
    I am trying to delete home directory from the disk physically after the user is deleted from AD. I followed the link http://docs.sun.com/app/docs/doc/820-6551/bzbuc?a=view and implemented the delete resource action as mentioned in the link.
    Here are the steps I followed (for testing, I mentioned delete >> C:\test.txt to see if it deletes the text file):
    1. Enter delete after action in the Identity Manager User Attribute column of the resource’s schema map.
    2. In the Attribute Type column, select string.
    3. In the Resource User Attribute column, enter IGNORE_ATTR. Leave the Required, Audit, Read Only, and Write Only columns unchecked.
    4. Add this to the Deprovision Form user form after the </Include> tag:
    <Field name='resourceAccounts.currentResourceAccounts[AD].attributes.delete after action'>
    <Expansion>
    <s>AfterDelete</s>
    </Expansion>
    </Field>
    5. Create the following XML file and import it into Identity Manager. (Change file paths according to your environment.)
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Waveset>
    <ResourceAction name='AfterDelete'>
    <ResTypeAction restype='Windows Active Directory' timeout='6000'>
    <act>
    echo delete >> C:\test.txt
    exit
    </act>
    </ResTypeAction>
    </ResourceAction>
    </Waveset>
    6. Edit the XML for the Active Directory resource and add information to the "delete after action" schema mapping. Here is an example of a complete schema mapping for this resource with the new additions. (You will be adding the views-related information.)
    <AccountAttributeType id='12' name='delete after action' syntax='string' mapName='IGNORE_ATTR' mapType='string'>
    <Views>
    <String>Delete</String>
    </Views>
    </AccountAttributeType>
    To test, I deleted a user from AD and I was expecting the file c:\test.txt to be deleted as it invokes the Resource Action after delete. Has anyone been successful in deleting the home directory from the drive after the user is deleted? Any pointers or help?
    Thanks,
    Ani

    Hi Gaurav,
    I have to implement Resource Action functionality for Solaris system. I followed the link http://download.oracle.com/docs/cd/E19225-01/820-6551/bzbuc/index.html and the first message of this thread. I am using 8.1 IDM.
    But unfortunately I can't trigger any bash commands on the resource, like echo deleting of user with next name - $WSUSER_accountId >> /tmp/resultFile.txt.
    There aren't any errors in the log file.
    Can you share your working configuration and steps to reproduce?
    I have done the following but the Resource Action isn't triggered:
    1. My Action:
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Waveset>
    <ResourceAction name='AST-ResAct-SOL-AfterDelete'>
    <ResTypeAction restype='Solaris' timeout='6000'>
    <act>
    #!/usr/bin/bash
    echo deleting of user with next name - $WSUSER_accountId >> /tmp/resultFile.txt
    exit 0
    </act>
    </ResTypeAction>
    </ResourceAction>
    </Waveset>
    2. Added the following lines to the "Deprovision Form":
    <Field name='resourceAccounts.currentResourceAccounts[SOLARIS 10].attributes.delete after action'>
    <Expansion>
    <s>AST-ResAct-SOL-AfterDelete</s>
    </Expansion>
    </Field>
    3. Added a new attribute mapping on the resource:
    <AccountAttributeType id='12' name='delete after action' syntax='string' mapName='IGNORE_ATTR' mapType='string'>
    </AccountAttributeType>
    4. Assigned role (this role provisioned resource to user) to user, delete user from resource via Deprovision IDM page. But my Action commands didn’t trigger on resource.
    Thanks in advance!
