Here's a somewhat obscure issue that took me a little while to figure out, so I thought I'd post it here to save you some trouble in case you run across it as well. In this scenario, once the Forefront Threat Management Gateway (TMG) Management Pack was installed into a System Center Operations Manager 2007 environment, none of the associated Forefront objects were discovered. Examination of the event logs on some of the Forefront servers revealed the following errors:

Data was found in the output, but has been dropped because the Event Policy for the process started at <time> has detected errors.
The 'ExitCode' policy expression:
matched the following output:
Command executed: "C:\Windows\system32\cscript.exe" /nologo "ISPRedundancyComponentDiscovery.vbs" {EF019280-5829-91F5-D82E-7965B8F26B98} {28DF88FD-49A5-4B7C-5AED-2034958796C4} 9 ISPRedundancyComponentDiscovery.vbs TraceOff ISP-Redundancy
Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 6\5856\
One or more workflows were affected by this.
Workflow name: Microsoft.Forefront.TMG.ISPRedundancy.ServerComponent.Discovery
Instance name: - Firewall Role
Instance ID: {28DF88FD-49A5-4B7C-5AED-2034958796C4}
Management group: ContosoMS


To determine the root cause of the discovery script failures, the discovery script was exported from the Management Pack and then run manually with the same parameters the Health Service passes to it during discovery.

As these were workgroup servers, the script was first run under the context of a Local Administrator. This returned the following results:

<DataItem type="System.DiscoveryData" time="2010-11-08T19:26:52.5309728-05:00" s
ity><ClassInstances><ClassInstance TypeId="$MPElement[Name='Microsoft.Forefront.
alue>Local Host</Value></Setting><Setting><Name>$MPElement[Name='System!System.E
ntity']/DisplayName$</Name><Value>ISP-Redundancy - fr01wfwz01</Value></Setting><

The script was then run under the context of Local System. This returned the following results:

<DataItem type="System.DiscoveryData" time="2010-11-10T10:50:51.4956975-05:00" s

There is a clear difference in the XML returned under the two accounts: the run as Local Administrator returned a number of discovered objects (ClassInstance elements), while the run as Local System returned no discovered objects. On further examination of the Forefront TMG Management Pack Guide, it appears that Local Administrator rights are required.
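To make that comparison repeatable, here is an added PowerShell helper (not from the original post) that runs the exported discovery script with the same arguments shown in the event log entry above and counts the ClassInstance elements in the DiscoveryData it returns; run it once under each account and compare the counts. The location of the exported script ($ScriptPath) is an assumption.

```powershell
# Added example: re-run the exported discovery script with the arguments from the
# event log and count the ClassInstance elements it returns.
# Assumption: the exported script has been saved to $ScriptPath.
param(
    [string]$ScriptPath = 'C:\Temp\ISPRedundancyComponentDiscovery.vbs'
)

function Invoke-DiscoveryScript {
    param([string]$Path)
    $dir  = Split-Path -Parent $Path
    $leaf = Split-Path -Leaf   $Path
    # Same argument list as the "Command executed" line in the event log;
    # the script name is passed as a relative path, so run from its directory.
    $argList = @(
        '/nologo', $leaf,
        '{EF019280-5829-91F5-D82E-7965B8F26B98}',
        '{28DF88FD-49A5-4B7C-5AED-2034958796C4}',
        '9', $leaf, 'TraceOff', 'ISP-Redundancy'
    )
    Push-Location $dir
    try {
        # Capture stdout and stderr as one string so a script error is visible too
        return (& "$env:SystemRoot\System32\cscript.exe" @argList 2>&1 | Out-String)
    } finally {
        Pop-Location
    }
}

function Get-DiscoveredInstances {
    param([string]$Xml)
    try { $doc = [xml]$Xml } catch { return @() }   # not XML: the script failed outright
    # Every discovered object is a ClassInstance; its DisplayName is one of its Settings
    return @($doc.SelectNodes('//ClassInstance') | ForEach-Object {
        $display = $null
        foreach ($s in $_.SelectNodes('.//Setting')) {
            if ($s.SelectSingleNode('Name').InnerText -like '*DisplayName$') {
                $display = $s.SelectSingleNode('Value').InnerText
            }
        }
        [pscustomobject]@{ TypeId = $_.GetAttribute('TypeId'); DisplayName = $display }
    })
}

$raw       = Invoke-DiscoveryScript -Path $ScriptPath
$instances = Get-DiscoveredInstances -Xml $raw
'{0}\{1}: {2} ClassInstance element(s) returned' -f $env:USERDOMAIN, $env:USERNAME, $instances.Count
$instances | Format-Table -AutoSize
```

Run as Local Administrator the count should be non-zero; a zero count under Local System reproduces the failure described above.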

The following was taken directly from the Management Pack Guide:

Security Considerations

All the management pack tasks require that the Action Account have Admin user rights on the Forefront TMG agent computer. No tasks can be run using a low-privilege account.


Ultimately this was resolved by creating a standard Local Administrator account on each of the workgroup Forefront TMG servers. With that account in place, a new Run As account was defined using its credentials and distributed to the Forefront TMG servers in the environment. Once the servers received the updated configuration, the Forefront objects were discovered and monitored as expected.

More Information

Additionally, as a test we added the Local System account to the local Administrators group on the Forefront TMG servers. This did not resolve the issue; the discoveries continued to fail.

Hope this helps,

Nicholas Dodge | Senior Support Escalation Engineer
