I recently found that many Event Log rules in the Active Directory Management Pack for Windows Server 2008 (version 6.0.7065.0) do not work correctly, resulting in no alert being generated when the events they watch for occur. This is happening because the MP's event rules still match on the old Windows Server 2003 event source names, which on Server 2008/R2 are no longer found in the event property those rules filter on.
The existing event monitoring rules filter on the PublisherName property rather than the EventSourceName property. On Server 2008/R2 the legacy source name (for example "NTDS Replication") is carried in the event's EventSourceName property, while PublisherName holds the new provider name (Microsoft-Windows-ActiveDirectory_DomainService), so a PublisherName comparison against the legacy name never succeeds and the rule never fires. The condition

    <ValueExpression><XPathQuery>PublisherName</XPathQuery></ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression><Value>NTDS Replication</Value></ValueExpression>

should read:

    <ValueExpression><XPathQuery>EventSourceName</XPathQuery></ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression><Value>NTDS Replication</Value></ValueExpression>
I’ve written an “Addendum” Management Pack that contains corrected versions of all of these rules. You only need to import this MP into your environment alongside the original one; leave the original in place.
This problem should be fixed with the next release of the ADMP.
Attached to this post is an unsealed version of my “Addendum” MP, so you can inspect or modify the rules before importing it.
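To show why the rules above stay silent on a 2008 DC and what the PublisherName-to-EventSourceName change does, here is an added example (written for this post, not code from the Active Directory MP or the addendum). It parses a constructed, minimal unsealed-MP fragment, rewrites every SimpleExpression that compares PublisherName with a legacy source name, and evaluates the rule before and after against a constructed event laid out the way a Server 2008 DC logs it. Assumptions: the MP XML has no default namespace (as exported unsealed from the console), rule conditions use SimpleExpression/Equal only, and a "legacy" source is any value that is not a manifest provider name of the form Microsoft-Windows-*; the rule IDs and the event ID 1864 in the sample are illustrative.

```python
"""Rewrite OpsMgr 2007 event rules that filter on PublisherName with a
pre-2008 event source name so they filter on EventSourceName instead.

Added example for this post; not part of the Active Directory MP.
Assumptions: unsealed MP XML with no default namespace, conditions built
from SimpleExpression/Equal, legacy source = anything not Microsoft-Windows-*.
"""
import xml.etree.ElementTree as ET

# Constructed sample MP (not the real ADMP). Rule one filters PublisherName
# against the Server 2003 source name; rule two already uses the 2008
# provider name and must be left untouched.
SAMPLE_MP = """\
<ManagementPack ContentReadable="true">
  <Monitoring>
    <Rules>
      <Rule ID="Example.NTDS.Replication.Event" Enabled="true" Target="Example.DC">
        <DataSources>
          <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <LogName>Directory Service</LogName>
            <Expression>
              <And>
                <Expression><SimpleExpression>
                  <ValueExpression><XPathQuery>PublisherName</XPathQuery></ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression><Value>NTDS Replication</Value></ValueExpression>
                </SimpleExpression></Expression>
                <Expression><SimpleExpression>
                  <ValueExpression><XPathQuery>EventDisplayNumber</XPathQuery></ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression><Value>1864</Value></ValueExpression>
                </SimpleExpression></Expression>
              </And>
            </Expression>
          </DataSource>
        </DataSources>
      </Rule>
      <Rule ID="Example.Provider.Name.Event" Enabled="true" Target="Example.DC">
        <DataSources>
          <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
            <LogName>Directory Service</LogName>
            <Expression>
              <SimpleExpression>
                <ValueExpression><XPathQuery>PublisherName</XPathQuery></ValueExpression>
                <Operator>Equal</Operator>
                <ValueExpression><Value>Microsoft-Windows-ActiveDirectory_DomainService</Value></ValueExpression>
              </SimpleExpression>
            </Expression>
          </DataSource>
        </DataSources>
      </Rule>
    </Rules>
  </Monitoring>
</ManagementPack>
"""

# Constructed event as a Server 2008 DC logs it: the provider name sits in
# PublisherName and the old source name survives only in EventSourceName.
EVENT_2008 = {
    "PublisherName": "Microsoft-Windows-ActiveDirectory_DomainService",
    "EventSourceName": "NTDS Replication",
    "EventDisplayNumber": "1864",
}


def is_legacy_source(value):
    """Assumption: manifest-based providers are named Microsoft-Windows-*;
    any other value is a pre-2008 event source name."""
    return not value.startswith("Microsoft-Windows-")


def fix_publisher_filters(mp_xml):
    """Return (rewritten XML, IDs of rules changed). Only PublisherName
    comparisons against a legacy source name are switched to EventSourceName."""
    root = ET.fromstring(mp_xml)
    changed = []
    for rule in root.iter("Rule"):
        for se in rule.iter("SimpleExpression"):
            xpath = se.find("./ValueExpression/XPathQuery")
            value = se.find("./ValueExpression/Value")
            if xpath is None or value is None:
                continue
            if xpath.text == "PublisherName" and is_legacy_source(value.text or ""):
                xpath.text = "EventSourceName"
                if rule.get("ID") not in changed:
                    changed.append(rule.get("ID"))
    return ET.tostring(root, encoding="unicode"), changed


def rule_matches(mp_xml, rule_id, event):
    """Evaluate one rule's SimpleExpression/Equal filters (all must hold)
    against an event given as a property dict. Other operators raise."""
    root = ET.fromstring(mp_xml)
    for rule in root.iter("Rule"):
        if rule.get("ID") != rule_id:
            continue
        for se in rule.iter("SimpleExpression"):
            op = se.findtext("Operator")
            prop = se.findtext("./ValueExpression/XPathQuery")
            want = se.findtext("./ValueExpression/Value")
            if op != "Equal":
                raise ValueError("unsupported operator %r" % op)
            if event.get(prop) != want:
                return False
        return True
    raise KeyError(rule_id)


if __name__ == "__main__":
    before = rule_matches(SAMPLE_MP, "Example.NTDS.Replication.Event", EVENT_2008)
    fixed, changed = fix_publisher_filters(SAMPLE_MP)
    after = rule_matches(fixed, "Example.NTDS.Replication.Event", EVENT_2008)
    print("original rule fires on a 2008 event:", before)   # False: no alert
    print("rules rewritten:", changed)
    print("rewritten rule fires on a 2008 event:", after)    # True
```

Against a real MP you would export it unsealed, run fix_publisher_filters over the file, and review the list of changed rule IDs before importing; rule_matches is only a stand-in for the agent's own event filtering and exists to make the silent-failure case visible offline.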
First of all, I find it pretty remarkable that finally at least someone recognized that there is something wrong with AD monitoring. Thank you for the "workaround". But that leads me to some questions:
* Does anybody test an MP before it is released?
* In this case, you jumped in and delivered 137 "updated" rules - thanks again. But what about the remaining 249 rules not "fixed"?
* What about the other MPs not working smoothly under 2008 R2, like DNS, WDS, ...
I don't want to add to the pain, but there are organizations out there that rely on SCOM in terms of operations. I hope this is not a fault, but stuff like this does not exactly build confidence.
Thanks for the fix!
In response to 'does anybody test a MP before it is released?':
Disclaimer: Personal guesses, not actual experience with/within Microsoft. But I'd love to hear how they test their packs...
I've been working with various monitoring tools for about a decade, and my general feeling is that the answer is 'a little testing is done', depending on the vendor. If the vendor maintains all the packs/modules/plug-ins/etc., they generally have more flawless implementations than 3rd-party packs in general (which can be horrid and barely functioning), but even if the vendor certifies the packs, has extensive documentation, and the pack comes from the 3rd-party vendor (or in this case, the vendor itself), there seems to be an excessive reliance on the pack developer (probably just one guy) performing all the testing. The core product may have more time/resources put into it, but all the plugin developers seem to be left to fend for themselves.
In my experience, if only one guy does all the testing, then only a few spot tests are run to prove core functions work as desired ;). Few people seem to set up a test environment and then simulate issues, especially in the case of event log monitoring, where a lot of stuff on the web suggests using a script to generate 'fake' events. OK, I'll generate a single 'fake' event, see the alert get generated... testing of functionality is complete! You can't test *everything* (who has all that time?), so release it into the wild and let the customers find the *obviously small* bugs. Project complete on time.
In this case, I'm going to hazard a guess that the AD rules/pack were generated by a script, and someone made something similar to a typo when they generated the rules for the 2008 pack... and no one spot-tested any of these specific rules.
What really annoys me is that it's 7 months on and the buggy MP is still sitting on PinPoint, ready to inflict pain and confusion on all new Operations Manager 2007 users. Jimmy's worked out how to fix it; they just need someone to get in there, sort it out, and release the fixed MP already!