The opinions expressed in this blog are strictly personal and reflect the author's point of view, based on his own experience and knowledge. In the same way, attachments must be considered as Proof of Concepts. Therefore, the author declines any responsibility for problems arising from their use and recommends caution and testing before using them in the production environment. The content of this blog also does not represent (necessarily) Microsoft's views, does not provide any warranty, nor does it confer any rights.

Active Directory Management Pack – Addendum for Trust Monitoring

UPDATE: October 2017 the 3rd – Added an example of the trust list format.

Hi there,

After long time I came back on an issue that some of my customers were facing. They were struggling with the Trust Monitoring scenario included in the Active Directory Management Pack for SCOM.

The problem they had, was pretty simple (as well as its solution). They "just" wanted to monitor trust status, but only for some Trusts. This sounded like: "Hey, I want to monitor my Trusts, but I want to exclude those I know as not working and that I cannot fix. I really do not want to renounce to the entire Trust Monitoring just because I cannot exclude some of them".

Well, that sentence made me thinking about how to delight my customers and do something interesting for other customers as well. So, I came up with the idea of an addendum MP which gives the possibility to specify a trust or a list of trusts to be excluded.

Let's start with a bit of explanation.

The Trust Monitor coming with the Active Directory Management Pack, is using basically 3 components:

  • A DataSource module which contains the script used to query and return the status of all existing trusts.
  • A UnitMonitorType which parses the output from the DataSource module
  • A UnitMonitor which basically reports on the Trust health by creating an alert in case the status is not good.

I will not go deeper, just to not annoy you but if you are interested in the theory you can ping me at my email address or a leave a comment and I will follow up. The small issue inside this mechanism is that, as I wrote in the description of the DataSource task, it checks for all trusts and there's no way to create an override based on a single Trust or list of Trusts. You got it right: You can only disable the monitor that turns into completely shutting down the Trust Monitoring scenario.

What I did is:

  1. I created a new DataSource that takes another input parameter: the single trust or the comma separated list of trusts

    And which is using a modified version of the script with the exclusion logic

  2. Then, because of the new parameter, I had to create a new UnitMonitorType and a new UnitMonitor in order to expose and to pass the new overridable parameter

  3. Include some pre-defined overrides to disable the original monitor

Of course, I am giving here the simple version of the story since I had to consider some different possibility for the override value (single trust, Trust list, no value) but luckily, I got it done and working. Using this addendum, you can continue using the Trust Monitoring scenario and bend it to your needs by configuring the necessary override.

Now that you have clear in mind what I have done, let's discuss how to use it.

First of all, it works every version of System Center Operations Manager that the original management pack is working on. Second, I created this solution for all Active Directory Management Pack version, including the completely brand new one.

And now: how do I use it? Simple answer: You just download the file for the management pack version you are using from this post, import it and that's all. As said, the addendum MP contains an override that disables the original monitor since the new one comes enabled. Now you can go ahead with the necessary overrides.

Like other Management Packs, overrides can be created for different targets. For every target you choose, you have the possibility to create one override per trust or a single override with a trust list. The trust list can be passed as a comma separated value list. For instance you can enter "DomainA.Com, DomainB.Local," without double quotes, and so on.

I intentionally left the management pack files (yes more than one since this solution is available for all Active Directory Management Pack version know so far) unsealed so you can store your overrides in the same file. Should you need this solution any longer, all you have to do is to remove it from your System Center Operations Manager management group.

If you want to give it a try, download the Zip file and import the version you need.

I hope this solution will make your life easier and will make you appreciating Microsoft solution more and more.


ActiveDirectory Addendum MP

Comments (14)

  1. Ken Rappold says:

    Excellent work! I had this on my todo list but hadn’t gotten around to it. Thank you for the contribution.

    1. Thanks Ken. I am happy that it helped. Should you find something wrong, please let me know.

  2. Tyson Paul says:

    Cool stuff! Thanks for taking the time to write this.

  3. Janez_B says:

    Hi Bruno,
    this could realy help me in one environment. But before implementing this I would like to know how to exclude 10 domains in trust list.
    How to list them and which separator to use (comma, dot)?

    1. Hi Janez_B,
      thanks for your feedback. The trust list can be passed as a comma separated value list. For instance you can enter “DomainA.Com, DomainB.Local,” and so on.

      I will add that syntax as part of the post.


      1. Janez_B says:

        Hi Bruno,
        thanks for quick reply. I tried with comma and vith space without double quote for example:, but it wasn’t ok.
        Now I entered without space beetwen so:, and it is ok.
        So if i use space i must use double qouta right?

        1. Janez_B says:

          Another update.
          The right sintax is:,DomainB.Com,
          If you enter “,” you get an error: The number of command line arguments is incorrect: Expected: 3 Actual: 4

          1. Hi Janez_B,
            thanks again for your feedback. I tested it again and did not get any error on my side using spaces. Could you please test the following format without double quotes:,,


  4. Will Klohe says:

    Will these changes be added to future updates of the Active Directory MPs?

    1. Hi Will,
      I am working to see if that can happen. Please, keep looking at the post, I will update it in case.


  5. Hi Bruno
    Trying to import the MP for 2016 and getting 4 errors telling me there are errors in the module references and monitor names?
    The AD 2016 MPs are in SCOM and succesfully doing their job. Here is the first of the 4 errors
    Error 1:
    Found error in 1|AD.2016.TrustMonitoring.Addendum||AD_Monitor_Trusts.DataSource.Addendum/DS|| with message:
    Failed to verify module reference [Type=ManagementPackElement=System.CommandExecuterPropertyBagSource in ManagementPack:[Name=System.Library, KeyToken=31bf3856ad364e35, Version=7.5.8501.0], ID=DS] in the MemberModules list.
    : Cannot find ManagementPackElement [Type=ManagementPackClass, ID=Microsoft.Windows.Server.2016.AD.DomainControllerRole] in management pack ManagementPack:[Name=Microsoft.Windows.Server.AD.2016.Discovery, KeyToken=31bf3856ad364e35, Version=].

    Can you please advise if there is something I’m doing wrong?

    1. Hi Nick,
      I just tried to import it on a new environment. I imported ADDS MP version and then the Addendum and everything worked fine. Did you imported all the necessary ADDS MPs?

      1. Thanks, realised because of your message I was still using the MP, as that was the version in the SCOM MP Catalog. Switched to using and then your MP has imported in with no issues.
        Thanks, Nick

        1. Glad to have helped and that it worked 🙂

Skip to main content