XCmd Service - SCOM alert - Unpredictable state

Hey folks,
I keep getting a SCOM alert for an unpredictable state for the xcmd service.
It says:
The xCmd Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
This is only happening on our Server 2008 and 2008 R2 machines.
Been googling around and can't find a fix. Anyone have an idea?

Have you checked the product knowledge of the alert? It gives you the answer you are looking for:
Summary
This rule generates an alert when the Service Control Manager detects that a service has started with an invalid configuration. It is important to note that even though the Service Control Manager detected an invalid configuration, the service still started successfully.
The service may not be running as expected and may behave in an unpredictable manner. Additionally, the service may not be able to be restarted until the issue is resolved.
Sample Event:
This rule generates an alert whenever any of the following events occur and are recorded in the System Event Log:
• Source: Service Control Manager; Event ID: 7030
  The %1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
• Source: Service Control Manager; Event ID: 7037
  The Service Control Manager encountered an error that has undone a configuration change to the %1 service. The service's %2 is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the %1 service or you may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in MMC.
Causes
This alert is generated whenever any of the following conditions occur:
• The service is configured to run interactively but system policy is configured to prevent services from running in this mode.
• An error occurred while attempting to configure the service.
Resolutions
There are two possible resolutions for this alert. Refer to the event that generated the alert and select the appropriate set of resolution steps.
Event ID: 7030
To resolve this alert, consult with a subject matter expert or the vendor to determine if the service must run interactively on the desktop. If not, follow these steps:
• Open the Services MMC snap-in.
• Double-click the appropriate Service and open that service’s property sheet.
• Click the Log On tab.
• Clear the Allow service to interact with desktop check box.
If the service must run interactively, you will need to change the “Allow service to interact with desktop” system policy. To do this, perform the following steps:
• Open the Registry Editor.
• Navigate to the registry value “NoInteractiveServices” at: HKLM\System\CCC\Control\Windows
• Set the value from “0” to “1”
  0 - Enabled
  1 - Disabled
• Open the Services MMC snap-in.
• Select the appropriate Service and restart it.
Event ID: 7037
Resolve this alert by doing the following:
• Open the Services MMC snap-in.
• Double-click the appropriate service and open that service’s property sheet.
• Click each of the tabs and verify that the configuration information is appropriate. Update any configuration fields that have incorrect or corrupted data in them.
• Restart the service and check the event log to determine whether another instance of event 7037 has occurred. If not, the issue has been resolved.
• If a new instance of event 7037 occurs, use Sc.exe to examine the service’s advanced configuration settings and then update them as appropriate. Use the qc and config commands within Sc.exe to view and configure the service.
Regards,
Marc Klaver
http://jama00.wordpress.com/
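
An added example, not part of the original thread or of the management pack: a report-only PowerShell audit that lists every service whose stored Type carries the interactive bit (0x100, SERVICE_INTERACTIVE_PROCESS), shows the NoInteractiveServices policy value, and counts event 7030 per service, so each finding can be taken to the vendor before the flag is cleared. It assumes "CCC" in the quoted path stands for CurrentControlSet; the function names are hypothetical, and the syntax is kept to PowerShell 2.0 so it runs on Server 2008 / 2008 R2.

```powershell
# Added example: report-only audit for the condition behind event 7030.
# Assumption: "CCC" in the quoted registry path stands for CurrentControlSet.
# Nothing here changes a service; the sc.exe lines are emitted as text only.

$InteractiveFlag = 0x100   # SERVICE_INTERACTIVE_PROCESS bit in a service's Type
$ServicesKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$PolicyKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'

function Get-InteractiveServicePolicy {
    # Raw NoInteractiveServices value (0 - Enabled, 1 - Disabled); $null if absent.
    $p = Get-ItemProperty -Path $PolicyKey -Name NoInteractiveServices -ErrorAction SilentlyContinue
    if ($p) { $p.NoInteractiveServices } else { $null }
}

function Get-InteractiveService {
    # Services whose stored Type has the interactive bit set.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $cfg  = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $type = $cfg.Type -as [int]      # a missing or non-numeric Type never matches
        if (-not ($type -band $InteractiveFlag)) { return }

        # Keep the process model (own = 0x10, share = 0x20) and drop only the flag.
        $model = if ($type -band 0x20) { 'share' } else { 'own' }
        New-Object PSObject -Property @{
            Name        = $_.PSChildName
            DisplayName = $cfg.DisplayName
            Type        = '0x{0:X}' -f $type
            Account     = $cfg.ObjectName
            ImagePath   = $cfg.ImagePath
            Review      = 'sc.exe qc "{0}"' -f $_.PSChildName
            ClearFlag   = 'sc.exe config "{0}" type= {1}' -f $_.PSChildName, $model
        }
    }
}

function Get-InteractiveServiceEvent {
    param([int]$MaxEvents = 200)
    # Event 7030 in the System log; insertion string %1 is the service name.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7030 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object { $_.Properties[0].Value } |
        Select-Object @{ n = 'Service';  e = { $_.Name } }, Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

'NoInteractiveServices = {0}' -f (Get-InteractiveServicePolicy)
Get-InteractiveService |
    Select-Object Name, DisplayName, Type, Account, ImagePath, Review, ClearFlag |
    Format-List
Get-InteractiveServiceEvent | Format-Table -AutoSize
```

Run it from an elevated prompt on an affected server. The `ClearFlag` column is the Sc.exe equivalent of clearing the "Allow service to interact with desktop" check box and is meant to be applied only after the vendor confirms the service does not need the desktop.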

Similar Messages

  • SCOM: Service entered unpredictable state

    "The Orchestrator Run Program Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly."
    We are seeing these alerts pop up in SCOM. It isn't a huge deal, more of an annoyance. I'm wondering if anyone can give advice or a best practice on how to react to it. 
    I put in an override to downgrade the alert severity from critical to warning because the server owners weren't interested in notifications. And everything is working properly, but I am thinking of how to avoid any future issues that may occur as well as
    just having one less alert in the console.
    http://www.systemcentercentral.com/research-this-kb-service-entered-unpredictable-state/
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/5fd8d036-3889-4a8a-80aa-7aa3f0c890b4/opsmgr-a-service-has-entered-into-an-unpredictable-state
    I have read that some people are disabling this rule and creating a similar rule that only alerts on specific services. But I was thinking about just giving the Orchestrator service account the "Act as part of the operating system" right in group policy. Obviously there are security concerns, so maybe just on a case by case basis instead of for the entire environment.
    Any advice is welcome.
    - Slow is smooth and smooth is fast.

    Hi Pete,
    We had the same, the error is connected to service settings, please look here how to fix:
    http://technet.microsoft.com/en-us/library/cc756339(v=ws.10).aspx
    Natalya

  • SCOM Alerts Connector run as failed

    Hi
    I have set up the SCOM alerts connector in SCSM, but after that I started to get warnings in SCOM on servers that are in a different domain.
    Warning:
    Description:
    The Health Service cannot verify the future validity of the RunAs account Domain1\SCOMAlertsConnectorUser for management group SCOMMG01. The error is Logon failure: the user has not been granted the requested
    logon type at this computer.(1385L). 
    SCSM and SCOM are in Domain1.
    The servers I get the warning on are in Domain2.
    What can I do to fix this?

    The connector's RunAs account must be administrator in SCOM (as I recall). Is that the case for Domain2?
    Cheers,
    Anders Spælling
    Senior Consultant

  • SCOM Alert Connector - not updating the start time and finish time

    When I am monitoring the status of connectors in the Service Manager console, I found that for the SCOM Alert Connector the Start Time and Finish Time are not updating. Previously they were updated daily. As of now, Service Manager is working fine, but I would like to check whether it will create any issues. I have even clicked on Synchronize Now, but there is no update. Please guide me on how to troubleshoot this further. Thanks.

    Hi,
    Based on my research, the Start Time and Finish Time values are not updated when an alert connector is synchronized. These values are only updated when alert data is transferred between Operations Manager 2007 and Service
    Manager.
    More details, please refer to the link below:
    http://technet.microsoft.com/en-us/library/hh495609.aspx
    In addition, here is a blog about troubleshooting for SCSM and SCOM alert connector:
    http://blogs.technet.com/b/servicemanager/archive/2010/04/14/troubleshooting-tips-for-your-scsm-scom-alert-connector.aspx
    Regards,
    Yan Li

  • Multiple SCOM Alerts for the same unique Windows Event

    Multiple SCOM Alerts are being raised for a single Windows event.
    For e.g., below is the event :
    Date and Time: 12/15/2014 5:15:36 PM
    Description: Initiating move for database 'xxxdb02' (FromServer=xxxdagnode1.dt.inc, ToServer=, MoveComment=<Null>)
    Log Name: Microsoft-Exchange-HighAvailability/Operational
    Source: Microsoft-Exchange-HighAvailability
    Event Number: 306
    Level: 4
    Logging Computer: xxxdagnode1.dt.inc
    User: NT AUTHORITY\SYSTEM
    Event Data:
    <DataItem type="System.XmlData" time="2014-12-15T17:15:37.9848250-05:00" sourceHealthServiceId="261D34BA-3596-ABCF-3728-B5A0AC035D90">
      <UserData>
        <EventXML>
          <UniqueId>2014.12.15.05.15.35.285#9#xxxdagnode2#4d0ce477-5f5c-4304-8c59-292a4a8ca809</UniqueId>
          <DatabaseName>xxxdb02</DatabaseName>
          <DatabaseGuid>4d0ce477-5f5c-4304-8b59-292a4a8ca809</DatabaseGuid>
          <ActiveServer>XXXDAGNODE1.dt.inc</ActiveServer>
          <ActionCategory>Move</ActionCategory>
          <ActionInitiator>Automatic</ActionInitiator>
          <ActionReason>StoreStopped</ActionReason>
          <AmRole>PAM</AmRole>
          <PAMServer>xxxdagnode2.dt.inc</PAMServer>
          <MountFlags>None</MountFlags>
          <DismountFlags>SkipCacheFlush</DismountFlags>
          <MountdialOverride>None</MountdialOverride>
          <FromServer>xxxdagnode1.dt.inc</FromServer>
          <TargetServer />
          <TryOtherHealthyServers>True</TryOtherHealthyServers>
          <SkipValidationChecks>None</SkipValidationChecks>
          <MoveComment><Null></MoveComment>
        </EventXML>
      </UserData>
    </DataItem>
    But three alerts were raised for this event.
    I double checked with the Unique ID for the Windows Event.
    Also the Duplicate alerts show the Same event in the 'Alert Context' field.
    My environment:
    3 SCOM 2012 R2 UR3 Management Servers.
    1 SQL DB Server
    Service Manager Connector is configured for Alert Sync. However this issue also affect the alerts that are not synced.
    Anybody else faced this issue?

    Hi,
    It seems that you are using a rule to monitor this event. Unlike monitors, rules can continue to send alerts as long as the condition that caused the alert persists or repeats. Depending on what the rule is checking for, a single issue could possibly generate a huge number of alerts. To prevent the noise of too many alerts, alert suppression can be enabled for a rule.
    More details, please check article below:
    http://technet.microsoft.com/en-us/library/hh212847.aspx
    Regards,
    Yan Li

  • Recovery from a SCOM alert - ORCH or task - best practice?

    Hi - wonder if anybody in the "real world" can give me any guidance on this?
    I look after SCOM and have traditionally been tasked with creating recovery scripts for certain custom alerts. I am also involved in the ORCH sphere but not totally responsible. We seem to be creating recovery in SCOM still but not ORCH.
    I would have thought that the idea would be best to monitor for the SCOM alert in ORCH and use the flexibility of the latter to do checks and do a fix.
    Are you limited in ORCH to how many alerts you can monitor or is there reasons to still do in SCOM? Just wondering which way we should really be heading?
    thanks

    I would suggest you keep using both. Recovery scripts in scom work just fine for basic recovery procedures that are performed locally on the monitored node. It is a simple, thus quite reliable framework for responding to incidents. However,
    if your recovery procedure is complex and involves coordination of multiple activities running on different systems, then Orchestrator will be the right tool to handle it.
    Gleb.

  • What does it mean "Business Service leak: Web Engine State Properties"

    Hi ,
    We are on Siebel 8.0.0.2 with extra patches to address the memory issues. We are experiencing a memory leak. When I increase the logging level to 5 and enable a couple of other parameters, I see statements like "Business Service leak: Web Engine State Properties" (even for custom Business Services as well). Also, when I enable trace statements, I don't see Release statements for the ALLOCS associated with Business Services. I am wondering if you have experienced something of this sort. Any thoughts will be greatly appreciated.
    Thanks,
    GS
    Edited by: user4496185 on Jan 20, 2009 12:03 PM

    Agree with everyone's suggestions here. We recently went through a process of reviewing all of our eScript and found a number of occurrences of objects created and never destroyed.
    We applied a standard approach of declaring object type variables at the beginning of each script then destroying them all with a finally() block at the end (oObject=null).
    Initialising objects if and when they are required, instead of all up front at the beginning of a script, may also serve to reduce the impact of this problem. So instead of:
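    // Service object is created up front, even when it is never used
    var oCustBS = TheApplication().GetService("Custom BS");
    if (bIsRecord) {
         oCustBS.InvokeMethod("CustMethod");
    }
    oCustBS = null;
    ...use:
    // Service object is created only on the path that needs it
    var oCustBS;
    if (bIsRecord) {
         oCustBS = TheApplication().GetService("Custom BS");
         oCustBS.InvokeMethod("CustMethod");
    }
    oCustBS = null;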
    ...There is an Expert Services Review which can be conducted that will identify problems, though it's relatively straight forward to do so yourself with enough time and effort.

  • Mapping information to SCOM Alert "Path" field through the connector

    Hello,
    We are using the Oracle Enterprise Manager connector (link to the guide: http://docs.oracle.com/cd/E11857_01/install.111/e14736/toc.htm) to send events from OEM to SCOM.
    According to the Oracle connector documentation, the Target host parameter from OEM can be mapped to one of the SCOM Alert custom field parameters.
    The issue is that we need to have this parameter mapped with the SCOM Alert Path field instead of Custom field.
    Is it possible from the SCOM side to accept custom values and assign them to Alert Path field through the connectors?
    Thank you a lot in advance!

    Hi 
    Alert path is a read-only property of the alert; you cannot change this parameter. You can use a custom field (1 to 9) or Ticket Id for the alert.
    Regards
    sridhar v

  • SCSM to SCOM Alert Connector Error

    Hello,
    Long story short, the SCSM admin created an Alert Connector between SCSM and SCOM, then uninstalled SCSM and started over.  That means I had an orphaned SCSM connector in SCOM.
    In order to set up a new connection, I followed the instructions found in Kevin Holman's blog post:
    http://blogs.technet.com/b/kevinholman/archive/2012/09/28/opsmgr-2012-how-to-delete-an-old-product-connector.aspx
    Now, when I try to re-create a new Alert Connector, I get this error:
    "Found at least one other alert connector in Operations Manager.  Alerts may not be routed as expected if multiple connectors subscribe to the same alert."
    I checked the SCOM server to make sure there were no orphaned connectors by running this SQL code against the OperationsManager database:
    Aside from the copious number of SCVMM connectors, there were six connectors.  Of those six, the previous SCSM connector is marked as "IsDeleted":
    Next, I checked the "Microsoft.SystemCenter.Notifications.Internal" management pack to verify that there are no orphaned subscriptions.  The ONLY alert referenced is for the "Advisor Data Connector".
    At this point, my questions are as follows:
    1) Will the System Center Advisor (now renamed Azure Operational Insights) connector cause the warning message I listed above when setting up an Alert Connector in SCSM?
    2) Is there another orphaned entry in SCOM that I need to check for and remove before setting up the SCSM alert connector? 

    Hi,
    I would like to suggest you remove the subscription that was orphaned. When removing a connector we should remove the subscriptions first.
    And here is a similar thread
    SCSM 2012 Cannot create SCOM Alert Connector        
    https://social.technet.microsoft.com/Forums/en-US/a5d0b921-bb0a-43b8-99ca-8b0112ab3bf0/scsm-2012-cannot-create-scom-alert-connector?forum=connectors                         
    Regards,
    Yan Li

  • The Software Protection service entered the running state.

    I noticed this event fires once a minute.
     I can't see tree from leaves in System Log
    Log Name:      System
    Source:        Service Control Manager
    Date:          18.10.2012 08:44:17
    Event ID:      7036
    Level:         Information
    Keywords:      Classic
    Description:
    The Software Protection service entered the running state.
    Only big before that is that, I enabled BitLocker ??
    Some idea ?

    Hello,
    Has anything been found out about this?  We're running into the same issue except that it's logging every 30 seconds.
    Here's some info from the machines and when it's occurring:
    It only occurs when someone is connected to the machine through Remote Desktop.
    The machines are Amazon EC2 instances.
    Seems to only happen on machines that are connecting to RODC's. 
    Machines have limited connection to RODC's through security groups (machine based firewalls).
    They are Windows Server 2012 instances, small and medium instance types.  (See instance type details here:  http://aws.amazon.com/ec2/instance-types/instance-details/)
    Little or no extra software installed.  These were spun up from a basic WS2012 image and it started occurring shortly after.  There are other machines launched from the same image that do not have this issue.
    There are also some other machines connecting to the same RODC's with the same security group (firewall) settings that are not experiencing this issue.
    We are just using the standard Remote Desktop, not the 2012 Remote Desktop Services.  We have tried to install this but the install always fails.  See: http://social.technet.microsoft.com/Forums/windowsserver/en-US/3ab983ce-9290-49ec-81e6-a3adf34cb8b2/remote-desktop-services-failed-on-windows-2012-server-amazon-vpc-ec2
    The machines (the ones having this issue as well as the ones that do not have it) all have the exact same Windows updates installed.
    Here is the detail of the event:
    NOTE: Every 30 seconds it logs this exact message - entered the RUNNING state.  I do not see other messages stating it entered the Stopped state.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2013-08-01T12:23:10.519607800Z" />
    <EventRecordID>35726</EventRecordID>
    <Correlation />
    <Execution ProcessID="520" ThreadID="588" />
    <Channel>System</Channel>
    <Computer>REMOVED</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">Software Protection</Data>
    <Data Name="param2">running</Data>
    <Binary>7300700070007300760063002F0034000000</Binary>
    </EventData>
    </Event>
    Any help or insight would be greatly appreciated...
    Thanks!
    Jeff

  • Windows service entered the stopped state

    hello,
    My Windows service running on Windows Server 2008 R2 SP1 stops two or three times per month, undefined, with the Event ID 7036: service entered the stopped state. 10 mins later it starts again alone: service entered the running state.
    What I also see is that some other services enter the stopped state and then enter the running state with Event ID 7036, but more frequently, meaning several times per day:
    SoftwareProtectionService
    WindowsModuleInstaller
    ApplicationExperience
    WMI Performance Adapter
    Portable Device Enumerator Service
    What is the problem here, I could not find any solution yet.
    thx

    Hi,
    Sometimes services are started only when they are needed. Most services you listed are Manual in startup type which means they will be started manually when it is needed. 
    Also if you disable a service manually, dependency services will also be stopped. 
    Here are 2 threads which mention 2 services in your list, and they also start/stop every 10 minutes.
    Windows Modules Installer Stops & Restarts Frequently
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d8e192ed-92ff-451b-9646-add8214c4e84/windows-modules-installer-stops-restarts-frequently
    7036 - Service entered the stopped/started state Messages
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8360b321-8225-42f1-a3e8-a75020dad227/7036-service-entered-the-stoppedstarted-state-messages

  • SCOM alerts on disk space C drive only

    Hi,
    My goal is to write a runbook to monitor the SCOM alert on low disk space and then trigger a command to remove a pre-defined list of folders/files on C drive when the free space is below 10%
    On Monitor Alert activity, I have already applied 2 filters
    1. Name Contains Percentage Logic Disk Free Space is low
    2.  Severity Equals Warning (as it has been configured as 10% free space)
    How do I define the filters to trigger this runbook only when these new alerts happen on the C drive?
    Thanks,
    Jimmy

    I have tried a filter with  MonitoringObjectDisplayName = C: and  MonitoringObjectDisplayName contains C:, that did not trigger the next activity although I can see that it passed the value of C: to both parameters.
    I am going to try the filter with "Description contains C:" as I did not see the option - "Start with"

  • Https service to view salary statement

    I'd like to configure https service to view salary statement pdf file (through ixos). any idea how to do this ?
    Do I need to use SAP Java Cryptographic ?
    kr,
    Ben.J.

    remove

  • Dump SCOM Alerts to Text File

    Hi Guys, 
    Is there a way to dump scom alerts to a text file? 
    For example, I have created a monitor to detect a particular eventid. I want to dump this information (date/time, hostname, event description etc.) to a text file instead of the usual email or sms alert. 

    For Export SCOM Alerts to txt files, you can refer below links
    https://marckean.wordpress.com/2012/10/17/export-scom-2010-alerts-to-txtcsv-file-using-powershell/
    http://scug.be/dieter/2011/05/11/scom-dump-alerts-to-text-file-and-mail/
    Mai Ali

  • Extension manager would not upgrade. Alert box states could not move old extension out of the way. Suggestions?

    Extension manager would not upgrade. Alert box states could not move old extension out of the way. Suggestions?

    What you said confused me. Which version of Extension Manager do you use? Could you please attach a screenshot?
