MOM 2005: "AD Replication Monitoring" encountered a permissions error.

I was reviewing some of the calls we've been getting lately and this one seems to be popular so I thought I'd post a quick resolution in case you run into it:

=======

Problem: When you use MOM 2005 to monitor a Microsoft Windows 2000-based or Microsoft Windows Server 2003-based domain controller that has the MOM Active Directory Management Pack installed, the following event may appear in the Alerts pane of the MOM Operations Console:

The script "AD Replication Monitoring" encountered a permissions error. The script failed to save the MOMLatencyMonitors container in the naming context "DC=<x>, DC=<y>, DC=<z>" because access was denied.

Alter the permissions for the naming context so that the script can add this container, or change the parameters for this script to stop monitoring this naming context.
The error returned was: "General access denied error" (0x80070005)

Cause: This error can occur if any of the following are true:

1. The agent is using the Local System account on DCs that don't have the PDC Emulator role, thus it is unable to modify the AD schema to add the MOMLatencyMonitors container.

2. The MOMLatencyMonitors container exists but access to the container has been restricted.

Resolution: Ideally you should deploy the agent to the PDC Emulator first so that the MOMLatencyMonitors container is properly created. If this is not possible, you can manually add the container on a domain controller in the domain:

1. Click Start, click Run, and then type adsiedit.msc.

2. In ADSI Edit, double-click Domain [computername], and then right-click DC=domainname,DC=com.

3. Click New, and then click Object.

4. In Select a class, click Container, and then click Next.

5. In Value, type MOMLatencyMonitors, and then click Next.

6. Click Finish.

Note: Ensure that the Action Account and Enterprise Domain Controllers have full control.

If you're receiving this error because permissions on the MOMLatencyMonitors container have been restricted, then, as the note above says, ensure that the Action Account and Enterprise Domain Controllers have full control.
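
The manual steps and the permission check above can also be scripted. The following PowerShell is an added example, not part of the original post or of the management pack: it creates the container only when asked to, then reports whether each of the two trustees holds a Full Control (GenericAll) allow entry on it. The naming context `DC=example,DC=com` and the account `EXAMPLE\MOMAction` are placeholder assumptions to replace with your own values.

```powershell
# Added example. Values marked "assumption" are placeholders, not taken from the post.
param(
    [string]$NamingContext = 'DC=example,DC=com',  # assumption: constructed naming context
    [string]$ActionAccount = 'EXAMPLE\MOMAction',  # assumption: hypothetical Action Account
    [switch]$Create                                # add the container if it is missing
)

$containerDn = "CN=MOMLatencyMonitors,$NamingContext"

# Same result as ADSI Edit steps 2-6: a new object of class "container".
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$containerDn")) {
    if (-not $Create) { throw "$containerDn does not exist; re-run with -Create." }
    $parent = [ADSI]"LDAP://$NamingContext"
    $new = $parent.psbase.Children.Add('CN=MOMLatencyMonitors', 'container')
    $new.psbase.CommitChanges()
}

# Trustees the post says need full control. S-1-5-9 is Enterprise Domain Controllers.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$trustees = @{
    'Enterprise Domain Controllers' = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9')
    $ActionAccount = (New-Object System.Security.Principal.NTAccount $ActionAccount).Translate($sidType)
}

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$container   = [ADSI]"LDAP://$containerDn"
$rules = $container.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

# Only ACEs naming the trustee directly (explicit or inherited) are counted;
# access that arrives through group membership is not resolved here.
foreach ($name in $trustees.Keys) {
    $sid = $trustees[$name].Value
    $match = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
    })
    [pscustomobject]@{
        Trustee     = $name
        Sid         = $sid
        FullControl = ($match.Count -gt 0)
    }
}
```

A row with `FullControl` set to `False` identifies the trustee whose permissions need to be corrected on the Security tab of the container in ADSI Edit. Running with `-Create` requires an account that is allowed to add objects under the naming context.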

For more information see the Microsoft Active Directory Management Pack Guide.

J.C. Hornbeck | Manageability Knowledge Engineer