Zenoss ZenTech Community

I'm monitoring my whole domain controllers infrastructure (6 domain controllers).
I'm using the ZenPacks.zenoss.Microsoft.Windows, which one based on WinRM to monitor the servers.

Everything works fine with exceptions of some tests performed by the "Active Directory" template and particulart it fails the following checks performed via DCdiag:

1. DCDiag /test:KnowsOfRoleHolders' failed
2. DCDiag /test:NCSecDesc' failed
3. DCDiag /test:Replications' failed
4. DCDiag /test:RidManager' failed
5. DCDiag /test:FsmoCheck' failed

All the above checks made run fine if performed directly on the server from a command shell with administrative privileges.

The user provided to Zenoss in the zWinRM properties has administrative privileges on the server.

Subject:	please paste output from
Author:	Andrew Kirch
Posted:	2015-04-16 10:11

please paste output from zenmodeler/zencommand

Andrew Kirch

akirch@gvit.com

Need Zenoss support, consulting or custom development Look no further. Email or PM me!

Ready for Distributed Topology (collectors) for Zenoss 5 Coming May 1st from GoVanguard

Subject:	I experienced the same DCDiag
Author:	[Not Specified]
Posted:	2015-04-17 16:29

I experienced the same DCDiag tests failed after upgrading to the latest 2.4.0 Microsoft Windows ZenPack. I did not receive those before the upgrade so I rolled back. Does 2.4.0 do some new checks that the older 2.3.1 version shipped with Zenoss didn't do

Subject:	I was having no errors too,
Author:	[Not Specified]
Posted:	2015-04-27 12:19

I was having no errors too, on 2.3.2.

After upgrading to this 2.4.1 i now see this error, and also errors while checking ports 636, 3236 and 9389 (i have 3 DCs, one is of an older domain).

This started with no changes made to the servers, only the upgrade of the zenpack.

Subject:	AD checks
Author:	Dave Bouchillon
Posted:	2015-05-21 15:02

Hello,

We did add a new datasource to run DCDiag on domain controllers starting with version 2.4.0. We are opening a Remote Shell on the target DC using the admin credentials, but that may not run with sufficient elevated privileges. We're currently investigating how to get around this issue. For the time being you may want to disable those datasources in the AD template.

We also added a port check datasource in the Active Directory template to check for certain ports that AD depends upon to be open and listening. See here for a description of these ports: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx. If you do not want to check for certain ports, you can remove them from the PortCheck datasource in the AD template or disable the datasource altogether.

Thanks

Subject:	Did anyone fix this 'UAC'
Author:	[Not Specified]
Posted:	2015-06-23 15:48

Did anyone fix this 'UAC' issue with running DCDIAG via WinRS

Subject:	I have set the following via
Author:	[Not Specified]
Posted:	2015-06-23 16:20

I have set the following via Group Policy for Domain Controllers only:
ComputerConfiguration>Policies>WindowsSettings>SecuritySettings>LocalPolicies>SecurityOptions>
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (ELEVATE WITHOUT PROMPTING)
User Account Control: Switch to the secure desktop when prompting for elevation (DISABLED)

Unfortunately this doesn't appear to have worked:
'DCDiag /test:KnowsOfRoleHolders' failed: [DCNAME] DsBindWithSpnEx() failed with error 5, Access is denied

Subject:	I added the service account
Author:	[Not Specified]
Posted:	2015-07-07 09:26

I added the service account to 'Enterprise Admins' -> fewer errors.. but still a couple reside.
Adding to 'Administrators' (built in group) -> no errors at all.

happy this is working now.

Subject:	WindowsActive Directory Monitoring
Author:	[Not Specified]
Posted:	2015-04-13 13:40

WindowsActive Directory Monitoring