
Active Administrator 8.4 - User Guide


Replication latency

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privileges with rights to list contents, create objects, read and write properties under the AATemp organizational unit in the domain root.

The replication latency data collector checks latency between each domain controller in the domain by creating an object on a domain controller and then checking every other domain controller for the change. Once the change is noticed, the time difference is recorded.

NOTE: On service startup there is a 5 minute delay before Active Administrator® Data Service (ADS) starts checking replication, and then every hour after that. If the latency container does not exist, it is created and there is a 10 minute delay. The latency containers are located at AATemp\Latency under the domain.

There is a timeout for the test. The timeout is the alert value plus three minutes. If the alert is set to 20 minutes and the test is still running at 23 minutes it will terminate.
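A manual version of the probe described above, as an added example that is not Active Administrator's own code: it creates a throwaway contact object on one domain controller, polls the others until the object appears, and gives up at the alert value plus three minutes. The function name, its parameters and the probe container are assumptions; point `-ProbeContainer` at an OU you are allowed to create objects in and pass `-SourceDC` as an FQDN.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Measure-ReplicationLatency {
    param(
        [Parameter(Mandatory)][string]$ProbeContainer,  # hypothetical OU DN with create rights
        [Parameter(Mandatory)][string]$SourceDC,        # FQDN of the DC that receives the write
        [int]$AlertMinutes = 20,
        [int]$PollSeconds  = 15
    )
    # Same rule as the collector: stop at the alert value plus three minutes.
    $timeout = [TimeSpan]::FromMinutes($AlertMinutes + 3)
    $name    = "latency-probe-$([guid]::NewGuid().ToString('N'))"
    $dn      = "CN=$name,$ProbeContainer"
    $pending = @(Get-ADDomainController -Filter * |
                 Where-Object { $_.HostName -ne $SourceDC } |
                 Select-Object -ExpandProperty HostName)

    New-ADObject -Name $name -Type contact -Path $ProbeContainer -Server $SourceDC
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        while ($pending.Count -gt 0 -and $clock.Elapsed -lt $timeout) {
            foreach ($dc in @($pending)) {
                # Not found or DC unreachable: leave it pending and try again later.
                try { Get-ADObject -Identity $dn -Server $dc -ErrorAction Stop | Out-Null }
                catch { continue }
                [pscustomobject]@{
                    DomainController = $dc
                    LatencySeconds   = [int]$clock.Elapsed.TotalSeconds
                    TimedOut         = $false
                }
                $pending = @($pending | Where-Object { $_ -ne $dc })
            }
            if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
        }
        # Anything still pending never saw the change inside the window.
        foreach ($dc in $pending) {
            [pscustomobject]@{ DomainController = $dc; LatencySeconds = $null; TimedOut = $true }
        }
    } finally {
        # Remove the probe object from the DC it was created on.
        Remove-ADObject -Identity $dn -Server $SourceDC -Confirm:$false
    }
}
```

Because the domain controllers are polled in turn every `$PollSeconds`, each reported latency is an upper bound with that granularity.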

High replication latency values mean that changes you make in the directory are taking too long to replicate to all of the other domain controllers, which can cause operational difficulties. For example, a user cannot use a new password if the password has not replicated to their domain controller. High replication latency values can also cause directory problems. If you make a change to the Configuration naming context by adding a new site or a new domain controller, the replication process will not work correctly until all domain controllers have a copy of the new site or new domain controller.

High latency times are usually due to poor network connectivity, non-functional domain controllers, or incorrect replication schedules.

Make sure that the replication latency is actually too high. In a site with fewer than five domain controllers, the intra-site replication latency should be around five minutes. As you add domain controllers in a site, the intra-site replication latency should go up to about 20-30 minutes, and then stabilize. Inter-site replication latency depends entirely on the link schedules between the sites.

If the latency truly is too high, make sure there are no domain controllers that are down. If a single domain controller acts as a bridgehead between sites, and it goes down, replication will never actually occur.

RID operations master inconsistent

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privilege is required.
Description

The Active Administrator Foundation Service (AFS) periodically checks the consistency of the domain RID operations master value across all of the domain controllers in the domain. If any of the domain controllers has a differing value for the domain RID operations master, the alert is generated.

The domain RID operations master is contained in the fSMORoleOwner property of the RID Manager object in the CN=System,DC=<domain> container. Every domain controller in the domain has a copy of the domain RID operations master. The RID operations master allocates sequences of RIDs to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, the domain controller assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. If the domain RID operations master is inconsistent, it is possible that two different domain controllers will assign overlapping RID ranges to other domain controllers in the domain, with potentially disastrous consequences.

The domain RID operations master can become inconsistent due to replication errors or if an administrator used NTDSUTIL.EXE to move the operations master when there was incomplete connectivity to all domain controllers in the domain.
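The same comparison can be made by hand, shown here as an added example that is not the product's code: read fSMORoleOwner from the RID Manager object on every domain controller and group the answers. The function names are assumptions, and the object's common name `RID Manager$` is the standard name of that object under CN=System.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); domain user rights suffice.
Import-Module ActiveDirectory

function Get-RidMasterView {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain = Get-ADDomain -Identity $DomainName
    # Single quotes keep the literal "$" in the object's name.
    $ridManagerDn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName

    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        try {
            # Ask this specific DC for its own copy of the role owner.
            $obj = Get-ADObject -Identity $ridManagerDn -Properties fSMORoleOwner `
                                -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc.HostName
                RoleOwner        = $obj.fSMORoleOwner
                Error            = $null
            }
        } catch {
            [pscustomobject]@{
                DomainController = $dc.HostName
                RoleOwner        = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

function Test-RidMasterConsistency {
    param([Parameter(Mandatory)][object[]]$View)

    $answered = @($View | Where-Object { -not $_.Error })
    $owners   = @($answered | Group-Object RoleOwner)
    [pscustomobject]@{
        Consistent  = ($owners.Count -eq 1)   # exactly one distinct owner reported
        Owners      = $owners | Select-Object Name, Count
        Unreachable = @($View | Where-Object Error |
                        Select-Object -ExpandProperty DomainController)
    }
}

# Usage: Test-RidMasterConsistency -View (Get-RidMasterView)
```

Domain controllers listed under `Unreachable` did not answer and are excluded from the consistency verdict.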

Resolution

Wait to see if the error clears. An inconsistent operations master alert can be transitory in nature. If an administrator has moved an operations master to another domain controller, replication to all domain controllers in the domain can take some time. During this period, Active Directory Health Analyzer will indicate this alert condition.

If the alert does not clear, contact your Microsoft Windows support representative.

Related article

https://blogs.technet.microsoft.com/mempson/2007/11/08/how-to-find-out-who-has-your-fsmo-roles/

RID operations master not responding

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privilege is required.
Description

The Active Administrator® Foundation Service (AFS) periodically queries to find the response time of the RID operations master. If the response time is above the threshold, an alert is issued.

This error can occur if any of the following occurs:

Active Directory® on the domain controller has failed in some way.

Resolution

Make sure the indicated domain controller actually exists. If it does not exist, run NTDSUTIL and select the metadata cleanup option to clean up the erroneous objects in the directory.

RODC allowed password replication policy inconsistent

Supported on: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
Required permissions: Domain user privilege is required.
Description

The msDS-RevealOnDemandGroup property contains a list of groups whose credentials will be replicated to the given RODC. It is recommended that each RODC in a given naming context have the same groups in its msDS-RevealOnDemandGroup property. To facilitate the comparison of the lists of groups among a number of RODCs, the user selects an RODC as the authoritative source for the msDS-RevealOnDemandGroup in a given naming context. The Active Administrator® Foundation Service (AFS) compares all other RODCs in the domain to the authoritative list.

Resolution

Compare the msDS-RevealOnDemandGroup attribute of the authoritative RODC to that of the inconsistent RODC, and modify the msDS-RevealOnDemandGroup on the inconsistent server to match the authority.
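One way to produce the comparison described above, as an added example that is not the product's code: it reads msDS-RevealOnDemandGroup from each RODC's computer object and reports what differs from the authoritative RODC without changing anything. The function names are assumptions, and `-AuthoritativeRodc` is expected to be the RODC's short host name.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT); read-only.
Import-Module ActiveDirectory

function Get-RodcAllowedGroups {
    param([Parameter(Mandatory)][string]$RodcName)

    $dc = Get-ADDomainController -Identity $RodcName
    # The allowed list is stored on the RODC's computer object.
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN `
                               -Properties 'msDS-RevealOnDemandGroup'
    $computer.'msDS-RevealOnDemandGroup'
}

function Compare-RodcAllowedGroups {
    param([Parameter(Mandatory)][string]$AuthoritativeRodc)

    # @() keeps an empty or single-valued attribute as an array.
    $reference = @(Get-RodcAllowedGroups -RodcName $AuthoritativeRodc)
    $others = Get-ADDomainController -Filter { IsReadOnly -eq $true } |
              Where-Object { $_.Name -ne $AuthoritativeRodc }

    foreach ($rodc in $others) {
        $actual  = @(Get-RodcAllowedGroups -RodcName $rodc.Name)
        $missing = @($reference | Where-Object { $_ -notin $actual })
        $extra   = @($actual    | Where-Object { $_ -notin $reference })
        [pscustomobject]@{
            Rodc            = $rodc.Name
            Consistent      = ($missing.Count -eq 0 -and $extra.Count -eq 0)
            MissingFromRodc = $missing   # on the authority, absent here
            ExtraOnRodc     = $extra     # present here, not on the authority
        }
    }
}

# Usage: Compare-RodcAllowedGroups -AuthoritativeRodc 'RODC01'   # constructed host name
```

Entries under `ExtraOnRodc` deserve the closest review, since they are principals whose credentials this RODC may cache beyond what the authoritative list allows.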
