Discussion:
Cannot verify AD MP Account
Keith C. Jakobs
2007-11-08 08:44:01 UTC
Greetings:

I have inherited a SCOM project that was a complete mess, to the point that
I convinced the powers that be that we should start over from scratch, making
sure to be very diligent about following all procedures and reviewing all MP
guides ahead of time.

I have finally managed to install what I consider to be an almost pristine
SCOM deployment, that is until I enabled AD replication monitoring per the
instructions in the AD MP Guide.

I am getting event 7015: "the Health service cannot verify the future
validity of the RunAs account {...} for management group {...}. The error is
The specified procedure cannot be found."

This is also accompanied by event 7021: "The Health Service was unable to
validate any accounts in management group {...}"

The event 7015 has caused the health of my Domain controller to appear in a
Warning state per the configuration of the "RunAs Account Monitoring Check"
monitor. But no event 7019 has been posted on the Domain controller to allow
the event to reset.

Now here's the unusual stuff:

1. There are two domain controllers: One is Windows 2000 and the other is
Windows 2003. The environment is in the process of migrating to Windows 2003
AD. The domain functional level is set to Windows 2000 Native, and all FSMO
roles are still on the Windows 2000 DC.

2. The domain is a child domain of an empty root forest domain. Agent
Proxy has been enabled on both domain controllers to enable detection of
replication objects to the DCs in the parent domain.

3. So here's the really weird part... both servers should be configured
identically from a SCOM agent standpoint. That is, they both had their
agents installed manually with Management group information specified ahead
during install. They both use the Local System account as their action
account, and both domain controllers use the same RunAs Account in the "AD MP
Account" RunAs Profile. Despite this, I have no problems with the RunAs
account verification on the Windows 2000 Domain Controller, but the Windows
2003 Domain Controller will not resolve the above errors.

So my first question is why is it working on the Windows 2000 DC and not the Windows
2003 DC? (I obviously have the credentials entered correctly since it logs on
to at least one other box.)

The second question is, how can I force the Health Service on an agent to
re-verify the RunAs accounts for diagnostic purposes?

Thanks in advance.
--
Keith C. Jakobs, MCP
Modesto, CA
Anders Bengtsson
2007-11-09 12:51:08 UTC
Hi Keith,

If you restart the health service you should see an event on the agent machine,
in the event viewer, telling you about the run-as accounts.

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


forrestsjs
2007-11-29 22:40:12 UTC
not sure if exactly the same issue, but I had similar errors after a fresh
install of SCOM.

I tried a couple of things when I had these 7015 and 7021 errors. I believe
setting the SCOM RunAs accounts (service) in ADUC to explicitly not expire
fixed the issue. You might be able to give an expiration date. The check
might just not like a "NULL" value in this field on the service accounts.
Restart the OpsMgr Health Service on the SCOM box or reset health after changing
the password expiration checkbox on the service accounts in ADUC.

Forrest
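The two replies above amount to a short diagnostic loop: inspect the RunAs account's expiry state in AD (Forrest), restart the agent's Health Service to force re-verification (Anders), then read the resulting 7015/7019/7021 events. The script below is an added example, not code posted by anyone in the thread; it assumes a current Windows host with the RSAT ActiveDirectory module, local administrator rights on the agent machine, and a placeholder RunAs account name that must be replaced. It goes slightly beyond the thread by reporting the other account attributes (enabled, locked out, password expired) that would also make verification fail.

```powershell
# Added example, not from the thread. Assumes: RSAT ActiveDirectory module is
# installed, the script runs elevated on the SCOM agent (here a domain
# controller), and $RunAsAccount is a placeholder you replace with the real
# sAMAccountName used in the "AD MP Account" RunAs Profile.
param(
    [string]$RunAsAccount = 'SVC-SCOM-ADMP',   # placeholder, not a name from the thread
    [int]$WaitSeconds     = 90                 # time to let the agent re-verify after restart
)

Import-Module ActiveDirectory -ErrorAction Stop

# --- 1. Account-side checks (Forrest's reply): expiry and password state ---
$acct = Get-ADUser -Identity $RunAsAccount -Properties `
    PasswordNeverExpires, AccountExpirationDate, PasswordExpired, LockedOut, Enabled, PasswordLastSet

[pscustomobject]@{
    Account               = $acct.SamAccountName
    Enabled               = $acct.Enabled
    LockedOut             = $acct.LockedOut
    PasswordExpired       = $acct.PasswordExpired
    PasswordNeverExpires  = $acct.PasswordNeverExpires
    PasswordLastSet       = $acct.PasswordLastSet
    AccountExpirationDate = $acct.AccountExpirationDate   # $null here means "never expires"
} | Format-List

# --- 2. Force re-verification (Anders's reply): restart the agent's Health Service ---
$since = Get-Date
Restart-Service -Name HealthService -ErrorAction Stop
Start-Sleep -Seconds $WaitSeconds

# --- 3. Read the verdict from the agent's Operations Manager event log ---
# 7015 = cannot verify future validity, 7021 = no accounts validated,
# 7019 = the event the "RunAs Account Monitoring Check" monitor resets on (IDs as quoted in the thread)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Operations Manager'
    Id        = 7015, 7019, 7021
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No RunAs verification events logged since $since; wait longer or confirm the agent is connected to its management server."
} else {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

Run it on the agent that logs the 7015 and on one that does not and compare the two outputs: if the account attributes match but only one host logs 7019 after the restart, the difference is on the host side (agent or OS), not in the credentials, which is the distinction the original question is trying to draw.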