Active Directory Management Pack: Journal Wrap alert Rule does not work

In the Active Directory Management Pack, there is a Rule named “A journal wrap error has occurred on the Sysvol” (separate rule for Windows 2000, 2003, and 2008 Domain Controllers).  The rule is designed to alert when Event ID 13568 is logged in the File Replication Service log and the Source is “NtFrs” and Parameter 1="DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" .  There is a problem in the XML for this rule which causes it to not alert when the event is logged.  To correct the problem, you’ll need to create a new rule to alert on this event.

Here are the steps to re-create the Rule:

 

1. In the OpsMgr Console, navigate to Authoring\Rules

2. Create a new Rule (Alert Generating Rules\NT Event Log) and select a Management Pack to put it in (your ADMP Overrides MP will be fine):

clip_image002[4]

3. Target the Rule at the 2000, 2003, or 2008 Domain Controller Role…whichever applies to your environment.  If you have a mix of Windows Server versions on your DCs, you’ll need to create separate rules for each one.  In this example, I am targeting Windows Server 2003 DCs, so my target is “Active Directory Domain Controller Server 2003 Computer Role”:

clip_image004[4]

4. For the Event Log name, enter “File Replication Service

clip_image006[4]

5. In the Event Expression window, enter 13568 for the Event ID value and NtFrs for the Event Source value:

clip_image008[4]

6. Next, we need to add criteria for Parameter 1 (this is the part that is broken in the original rule).  Click on “Insert” to insert a new expression, then click on the button next to the Parameter Name field to bring up the Event Property Windows:

clip_image010[4]

7. Select “Specify event specific parameter to use”, and leave the value as “1” and click on OK:

clip_image012[4]

8. Back in the Event Expression Window, set the Parameter 1 expression to “Parameter 1 equals DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”, then click on Next:

clip_image014[4]

9. Leave the “Configure Alerts” window with the default settings, or customize as desired, then click on “Create”

clip_image016[4]

10. Now we are alerted properly when a Journal Wrap error occurs on SYSVOL:

clip_image018[4]