AD Trust Monitoring - what generates the alert and why it's not auto resolved

When you import the Microsoft Active Directory Management Pack, it normally generates quite a few alerts that need to be resolved and/or tuned.

One of the alerts I often see is the warning 'A problem has been detected with the trust relationship between two domains':

Followed by the critical alert 'A problem with the inter-domain trusts has been detected':

So what is it that generates the alerts? The rule triggers on Event ID 83 in the Operations Manager log, an event written by the Active Directory Monitor Trusts script when it verifies the status of the trust.

The Active Directory Monitor Trusts script configures the TrustMon WMI provider to return all trusts, and then it queries for all instances of the Microsoft_DomainTrustStatus object in the \root\MicrosoftActiveDirectory WMI namespace.

For each object that is returned, if the TrustType property of the object is not Downlevel or Uplevel (the other options are Kerberos Realm and DCE, which cannot be monitored effectively by TrustMon), the trust is ignored.

If the TrustType of the object indicates that it can be monitored, the TrustStatus property of the object is checked. If TrustStatus is not 0, the trust is in an error state and the trust and its TrustStatusString (a textual description of the current state of the trust) are formatted and relayed as the trust status.
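The logic described above (query Microsoft_DomainTrustStatus, skip trust types TrustMon cannot monitor, report any trust whose TrustStatus is not 0) can be reproduced from a domain controller with a few lines of PowerShell. The script below is an added example written for this post; it is not the management pack's own Monitor Trusts script. Two things in it are assumptions not stated above: that the TrustType codes follow the LSA trust-type constants (1 = Downlevel, 2 = Uplevel, 3 = MIT/Kerberos Realm, 4 = DCE), and that the provider's "return all trusts" switch is the ReturnAll property of the Microsoft_TrustProvider class in the same namespace.

```powershell
# Added example, not the management pack's script: run on a domain controller to see
# exactly what the AD Monitor Trusts check sees in the TrustMon WMI provider.
$ns = 'root\MicrosoftActiveDirectory'

# Assumption: the provider's "return all trusts" setting is Microsoft_TrustProvider.ReturnAll.
# If the provider refuses the write, fall back to whatever it returns by default.
try {
    Get-CimInstance -Namespace $ns -ClassName Microsoft_TrustProvider -ErrorAction Stop |
        Set-CimInstance -Property @{ ReturnAll = $true } -ErrorAction Stop
} catch {
    Write-Warning "Could not set ReturnAll on the TrustMon provider: $($_.Exception.Message)"
}

# Assumption: TrustType uses the LSA TRUST_TYPE_* values. Only 1 and 2 are monitored,
# which mirrors the Downlevel/Uplevel decision described in the post.
$monitorable = @{ 1 = 'Downlevel'; 2 = 'Uplevel' }
$notMonitored = @{ 3 = 'Kerberos Realm (MIT)'; 4 = 'DCE' }

function Get-TrustMonReport {
    # One object per trust that TrustMon can monitor; Healthy is true only when TrustStatus is 0.
    $trusts = Get-CimInstance -Namespace $ns -ClassName Microsoft_DomainTrustStatus
    foreach ($t in $trusts) {
        $type = [int]$t.TrustType   # cast: a UInt32 key would not match the [int] keys above
        if (-not $monitorable.ContainsKey($type)) {
            $label = if ($notMonitored.ContainsKey($type)) { $notMonitored[$type] } else { "unknown ($type)" }
            Write-Verbose "Ignoring trust to $($t.TrustedDomain): TrustType $label is not monitored"
            continue
        }
        [pscustomobject]@{
            TrustedDomain     = $t.TrustedDomain
            TrustType         = $monitorable[$type]
            TrustDC           = $t.TrustDC            # DC the provider used to verify the trust
            Healthy           = ($t.TrustStatus -eq 0)
            TrustStatus       = $t.TrustStatus
            TrustStatusString = $t.TrustStatusString # textual reason when TrustStatus is not 0
        }
    }
}

$report = Get-TrustMonReport -Verbose
$report | Format-Table TrustedDomain, TrustType, TrustDC, Healthy, TrustStatus, TrustStatusString -AutoSize

# Relay faulty trusts the way the monitor does: trust name plus its TrustStatusString.
foreach ($bad in ($report | Where-Object { -not $_.Healthy })) {
    Write-Warning ("Trust to {0} is in an error state ({1}): {2}" -f $bad.TrustedDomain, $bad.TrustStatus, $bad.TrustStatusString)
}
```

Run it with -Verbose in an elevated session on the domain controller that raised the alert; a trust that shows Healthy = False here is the one the management pack will keep reporting until TrustStatus returns to 0.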

The picture below shows what the WMI class looks like for a functioning and for a faulty trust:


So how do you solve the problem? There can be many reasons for the error, such as name resolution, connectivity, decommissioned domain controllers, etc., so there is no generic rule to solve it. The bottom line is to ensure that all domain controllers can resolve and communicate with the PDC/PDCe in the target domain.
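Since the common thread is "can this domain controller resolve and reach the PDC emulator of the trusted domain", a quick first check is to ask the DC locator for that PDC and then test name resolution and the usual AD ports against it. This is an added example for this post, not a tool from the management pack; it assumes nltest.exe, Resolve-DnsName and Test-NetConnection are available (Windows Server 2012 or later), and the port list (Kerberos, RPC endpoint mapper, LDAP, SMB) is a constructed minimum rather than an exhaustive trust port list.

```powershell
# Added example, not part of the original post: confirm that this domain controller can
# locate, resolve and reach the PDC emulator of a trusted domain.
# Usage: .\Test-TrustPdc.ps1 -TargetDomain trusted.example   (domain name is a placeholder)
param([Parameter(Mandatory)][string]$TargetDomain)

# Assumption: nltest.exe is present. /pdc asks Netlogon's DC locator for the PDC emulator.
$dcInfo = nltest /dsgetdc:$TargetDomain /pdc 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "DC locator could not find a PDC for ${TargetDomain}:`n$($dcInfo -join "`n")"
    return
}

# nltest prints a line of the form "DC: \\pdc.trusted.example"; pull out the host name.
$match = $dcInfo | Select-String 'DC:\s*\\\\(\S+)' | Select-Object -First 1
if (-not $match) { Write-Warning "Unexpected nltest output:`n$($dcInfo -join "`n")"; return }
$pdc = $match.Matches[0].Groups[1].Value

# Name resolution from this DC's point of view (the most common cause of a failed trust).
$dns = Resolve-DnsName -Name $pdc -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "Cannot resolve $pdc from this domain controller" }
else { Write-Host "Resolved $pdc to $(($dns | Where-Object IPAddress).IPAddress -join ', ')" }

# Constructed minimum set of ports a trust verification needs to reach on the PDC.
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB/Netlogon' }
foreach ($port in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $pdc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        PdcEmulator = $pdc
        Port        = $port
        Service     = $ports[$port]
        Reachable   = $r.TcpTestSucceeded
    }
}
```

If the locator fails or a port shows Reachable = False, that points at the DNS, firewall or decommissioned-DC problem behind the alert before you start digging into the trust object itself.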

When you finally solve the problem with the faulty trust, you might wonder why the critical error doesn't auto-resolve. Well, that's because there unfortunately is an error in the AD management pack. But no worries, a small override and the monitor works like a charm. Just set LogSuccessEvent on the AD Trust Monitor to 'true' and the monitor will auto-resolve when the trust is verified and TrustStatus equals 0.

If you want to read more, see Microsoft's documentation of the Microsoft_DomainTrustStatus class.