Active Administrator 8.4 - User Guide

Global catalog server replication latency

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privileges with rights to list contents, create objects, read and write properties under the AATemp organizational unit in the domain root.

Active Administrator Data Service (ADS) periodically measures the elapsed time between a change to a distinct object on each domain controller and the time that change appears in every copy of the global catalog. If the elapsed time exceeds the configured threshold, the alert is activated.

This alert applies to all domain controllers that host a replica of the Global Catalog.

Infrastructure operations master hosts a global catalog server

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privilege is required.

Description

Active Directory Health Analyzer monitors the infrastructure operations master, as well as the global catalog hosting attribute of each server in a domain. When a server is found to have both a global catalog and the infrastructure operations master responsibility, an alert will be generated.

The infrastructure operations master updates references from objects in other domains by comparing local data to data from a global catalog, which is always up to date. If discrepancies are found, the infrastructure operations master updates the local object data from the global catalog, and then replicates the updated object data to all other domain controllers in the domain. If a global catalog exists on the same domain controller as the infrastructure operations master, the infrastructure operations master will never find data that is out of date, so it will never replicate any updates to the other domain controllers in the domain.

Resolution

Remove the global catalog from the infrastructure operations master domain controller.

Infrastructure operations master inconsistent

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privilege is required.

Description

The Active Administrator Foundation Service (AFS) periodically checks the consistency of the infrastructure operations master value across all of the domain controllers in the domain. If any of the domain controllers has a differing value for the infrastructure operations master, AFS will issue this alert.

The infrastructure operations master is contained in the fSMORoleOwner property of the infrastructure object contained by each domain object. Every domain controller in the domain has a copy of the infrastructure operations master.

Active Directory objects can contain links to other objects in the directory. Active Directory keeps these links up-to-date even if the linked-to object is moved to another container or is renamed. This update cannot happen if the linked-to object is in another domain.

If the infrastructure operations master is inconsistent, it is possible that two copies will run simultaneously on two different domain controllers, with potentially disastrous consequences.

The infrastructure operations master can become inconsistent because an administrator used NTDSUTIL.EXE to move the operations master when there was incomplete connectivity to all domain controllers in the domain. It can also occur because of replication errors.
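
A read-only way to check by hand the two conditions described above (domain controllers that disagree on fSMORoleOwner, and a role holder that also hosts a global catalog). This is an added example, not part of Active Administrator or this guide; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and Get-InfrastructureMasterView is a hypothetical function name.

```powershell
# Added example (not Active Administrator code). Read-only; needs the
# ActiveDirectory module (RSAT). Get-InfrastructureMasterView is a made-up name.
Import-Module ActiveDirectory

function Get-InfrastructureMasterView {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $domainDN = (Get-ADDomain -Server $Domain).DistinguishedName
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        $owner = $null
        try {
            # Ask each DC for its own copy of the infrastructure object.
            $owner = (Get-ADObject -Identity "CN=Infrastructure,$domainDN" `
                -Properties fSMORoleOwner -Server $dc.HostName `
                -ErrorAction Stop).fSMORoleOwner
        } catch {
            # Incomplete connectivity is reported rather than silently skipped.
            Write-Warning "No answer from $($dc.HostName): $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsGlobalCatalog  = $dc.IsGlobalCatalog
            NtdsSettingsDN   = $dc.NTDSSettingsObjectDN
            RoleOwner        = $owner   # DN of the holder's NTDS Settings object
        }
    }
}

$view   = @(Get-InfrastructureMasterView)
$groups = @($view | Where-Object { $_.RoleOwner } | Group-Object RoleOwner)

if ($groups.Count -gt 1) {
    # DCs disagree: list each claimed holder and which DCs report it.
    Write-Warning 'Infrastructure operations master is inconsistent'
    foreach ($g in $groups) {
        '{0}  <- reported by {1}' -f $g.Name, ($g.Group.DomainController -join ', ')
    }
} elseif ($groups.Count -eq 1) {
    $holder = $view | Where-Object { $_.NtdsSettingsDN -eq $groups[0].Name }
    if (-not $holder) {
        Write-Warning "Role owner is not a known domain controller: $($groups[0].Name)"
    } elseif ($holder.IsGlobalCatalog) {
        Write-Warning "$($holder.DomainController) holds the role and hosts a global catalog"
    } else {
        "Consistent: $($holder.DomainController) holds the role and is not a global catalog"
    }
}
```

A disagreement seen shortly after the role has been moved can simply mean replication has not yet reached every domain controller.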

Resolution

First, wait to see if the error clears itself. An inconsistent operations master alert can be transitory in nature. If an administrator has moved an operations master to another domain controller, replication to all domain controllers in the domain can take some time. During this period, Active Directory Health Analyzer will indicate this alert condition.

If you have waited long enough for replication to have occurred to all domain controllers in the domain and the alert has not cleared itself, contact your Microsoft Windows support representative.

Related article

https://blogs.technet.microsoft.com/mempson/2007/11/08/how-to-find-out-who-has-your-fsmo-roles/

Infrastructure operations master not responding

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privilege is required.

Description

The Active Administrator® Foundation Service (AFS) periodically queries to find the response time of the infrastructure operations master. If the response time is above the threshold, an alert is generated.

This error can occur if any of the following occurs:

Active Directory® on the domain controller has failed in some way.

Resolution

Make sure the indicated domain controller actually exists. If it does not exist, run NTDSUTIL and select the metadata cleanup option to clean up the erroneous objects in the directory.

Check the LDAP response time for the domain controller on the Active Directory tab in Active Directory Health Analyzer. If it is too high, you may need to add another domain controller for the same domain in the same site.