Active Directory Management Pack – Addendum for Trust Monitoring
UPDATE: October 3rd, 2017 – Added an example of the trust list format.
Hi there,
After a long time, I came back to an issue that some of my customers were facing. They were struggling with the Trust Monitoring scenario included in the Active Directory Management Pack for SCOM.
The problem they had was pretty simple (as was its solution). They "just" wanted to monitor trust status, but only for some trusts. This sounded like: "Hey, I want to monitor my Trusts, but I want to exclude those I know as not working and that I cannot fix. I really do not want to give up the entire Trust Monitoring just because I cannot exclude some of them".
Well, that sentence made me think about how to delight my customers and do something interesting for other customers as well. So, I came up with the idea of an addendum MP which makes it possible to specify a trust or a list of trusts to be excluded.
Let's start with a bit of explanation.
The Trust Monitor that comes with the Active Directory Management Pack basically uses 3 components:
- A DataSource module which contains the script used to query and return the status of all existing trusts.
- A UnitMonitorType which parses the output from the DataSource module.
- A UnitMonitor which reports on the Trust health by creating an alert in case the status is not good.
I will not go deeper, so as not to bore you, but if you are interested in the theory you can ping me at my email address or leave a comment and I will follow up. The small issue inside this mechanism is that, as I wrote in the description of the DataSource module, it checks all trusts and there's no way to create an override based on a single trust or a list of trusts. You got it right: you can only disable the monitor, which means completely shutting down the Trust Monitoring scenario.
What I did is:
- I created a new DataSource that takes another input parameter (the single trust or the comma-separated list of trusts) and that uses a modified version of the script with the exclusion logic.
- Because of the new parameter, I had to create a new UnitMonitorType and a new UnitMonitor in order to expose and pass the new overridable parameter.
- I included some predefined overrides to disable the original monitor.
Of course, I am giving here the simple version of the story, since I had to consider the different possibilities for the override value (single trust, trust list, no value), but luckily I got it done and working. Using this addendum, you can continue using the Trust Monitoring scenario and bend it to your needs by configuring the necessary override.
Now that you have a clear picture of what I have done, let's discuss how to use it.
First of all, it works with every version of System Center Operations Manager that the original management pack works on. Second, I created this solution for all Active Directory Management Pack versions, including the brand new one.
And now: how do I use it? Simple answer: You just download the file for the management pack version you are using from this post, import it and that's all. As said, the addendum MP contains an override that disables the original monitor since the new one comes enabled. Now you can go ahead with the necessary overrides.
Like other Management Packs, overrides can be created for different targets. For every target you choose, you have the possibility to create one override per trust or a single override with a trust list. The trust list can be passed as a comma separated value list. For instance you can enter "DomainA.Com, DomainB.Local, DomainC.my" without double quotes, and so on.
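The three override cases mentioned above (single trust, comma-separated list, no value) can be normalized as in the following sketch before the value is compared with the trust names. This is an added example, not the addendum's own script; the function names, the tolerance for spaces, stray double quotes and letter case, and the sample domains are assumptions. It also reports exclusion entries that match no existing trust, so stale or mistyped entries stay visible.

```powershell
# Added example, not the addendum MP's script. Function names are hypothetical.
function Split-TrustExclusionList {
    param([string]$ExcludedTrusts)   # raw override value; may be empty

    # "No value" case: nothing is excluded, every trust stays monitored.
    if ([string]::IsNullOrWhiteSpace($ExcludedTrusts)) { return @() }

    # Single trust or comma-separated list: split, then strip spaces,
    # stray double quotes and a trailing dot, and lower-case for comparison.
    $ExcludedTrusts -split ',' |
        ForEach-Object { $_.Trim().Trim('"').Trim().TrimEnd('.').ToLowerInvariant() } |
        Where-Object { $_ } |
        Select-Object -Unique
}

function Select-MonitoredTrust {
    param(
        [Parameter(Mandatory)][string[]]$TrustNames,  # names returned by the trust query
        [string]$ExcludedTrusts                       # override value as typed in the console
    )
    $excluded = @(Split-TrustExclusionList $ExcludedTrusts)
    $known    = @($TrustNames | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })

    [pscustomobject]@{
        # Trusts that still get a health check.
        Monitored = @($TrustNames | Where-Object { $excluded -notcontains $_.TrimEnd('.').ToLowerInvariant() })
        # Trusts skipped on purpose; each one is a deliberate monitoring gap.
        Skipped   = @($TrustNames | Where-Object { $excluded -contains $_.TrimEnd('.').ToLowerInvariant() })
        # Exclusion entries that match no existing trust (typo or stale entry).
        Unmatched = @($excluded | Where-Object { $known -notcontains $_ })
    }
}

# Constructed sample data: four trusts and an override with mixed spacing and case.
$trusts = 'DomainA.Com', 'DomainB.Local', 'DomainC.my', 'DomainD.net'
$result = Select-MonitoredTrust -TrustNames $trusts -ExcludedTrusts 'domaina.com, DomainB.Local,DomainX.org'
$result | Format-List
```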
I intentionally left the management pack files (yes, more than one, since this solution is available for all Active Directory Management Pack versions known so far) unsealed so you can store your overrides in the same file. Should you no longer need this solution, all you have to do is remove it from your System Center Operations Manager management group.
If you want to give it a try, download the Zip file and import the version you need.
I hope this solution will make your life easier and will make you appreciate Microsoft solutions more and more.
Thanks
ActiveDirectory Addendum MP files.zip
Comments
- Anonymous
August 29, 2017
Excellent work! I had this on my todo list but hadn't gotten around to it. Thank you for the contribution.
- Anonymous
August 30, 2017
Thanks Ken. I am happy that it helped. Should you find something wrong, please let me know.
- Anonymous
September 22, 2017
Cool stuff! Thanks for taking the time to write this.
- Anonymous
October 03, 2017
Hi Bruno, this could really help me in one environment. But before implementing this I would like to know how to exclude 10 domains in the trust list. How to list them and which separator to use (comma, dot)?
- Anonymous
October 03, 2017
Hi Janez_B, thanks for your feedback. The trust list can be passed as a comma separated value list. For instance you can enter "DomainA.Com, DomainB.Local, DomainC.my" and so on. I will add that syntax as part of the post. Thanks, Bruno.
- Anonymous
October 03, 2017
Hi Bruno, thanks for the quick reply. I tried with comma and with space without double quotes, for example: DomainA.com, DomainB.com but it wasn't ok. Now I entered without a space between, so: DomainA.com,DomainB.com and it is ok. So if I use a space I must use double quotes, right?
- Anonymous
October 03, 2017
The comment has been removed
- Anonymous
October 11, 2017
Hi Janez_B, thanks again for your feedback. I tested it again and did not get any error on my side using spaces. Could you please test the following format without double quotes: DomainA.com, DomainB.com,DomainC.com Thanks, Bruno.
- Anonymous
November 15, 2017
Will these changes be added to future updates of the Active Directory MPs?
- Anonymous
November 17, 2017
Hi Will, I am working to see if that can happen. Please keep looking at the post, I will update it in case. Thanks, Bruno.
- Anonymous
July 30, 2018
Hi Bruno. Trying to import the MP for 2016 and getting 4 errors telling me there are errors in the module references and monitor names? The AD 2016 MPs are in SCOM and successfully doing their job. Here is the first of the 4 errors.
Error 1:
Found error in 1|AD.2016.TrustMonitoring.Addendum|1.0.0.0|AD_Monitor_Trusts.DataSource.Addendum/DS|| with message:Failed to verify module reference [Type=ManagementPackElement=System.CommandExecuterPropertyBagSource in ManagementPack:[Name=System.Library, KeyToken=31bf3856ad364e35, Version=7.5.8501.0], ID=DS] in the MemberModules list.: Cannot find ManagementPackElement [Type=ManagementPackClass, ID=Microsoft.Windows.Server.2016.AD.DomainControllerRole] in management pack ManagementPack:[Name=Microsoft.Windows.Server.AD.2016.Discovery, KeyToken=31bf3856ad364e35, Version=10.0.0.0].
Can you please advise if there is something I'm doing wrong? Nick
- Anonymous
July 31, 2018
Hi Nick, I just tried to import it on a new environment. I imported ADDS MP version 10.0.2.1 and then the Addendum and everything worked fine. Did you import all the necessary ADDS MPs?
- Anonymous
July 31, 2018
Thanks, realised because of your message I was still using the 10.0.0.0 MP, as that was the version in the SCOM MP Catalog. Switched to using 10.0.2.1 and then your MP has imported in with no issues. Thanks, Nick
- Anonymous
July 31, 2018
Glad to have helped and that it worked :)