Shortly before the Christmas holiday, a colleague from Premier reached out to me to verify that the Active Directory management pack automatically performs some cleanup actions when it detects that a DC has been demoted. I responded that I vaguely remembered such a script existing in the ADMP, executing when a DC demotion event was detected, but that I needed to double-check before I could say for sure. So I fired up my console and reviewed the latest ADMP (6.0.6452.0), and sure enough such a rule and script exist. However, upon testing the rule - AD DC Demoted - in my lab environment, I uncovered the following:
- No alert was generated indicating whether the cleanup script completed successfully or failed.
- Testing the script manually, I uncovered a minor syntax error in the logic around the CreateEvent method on the code path that runs after the replication monitoring objects for that DC have been successfully removed from the DS. As a result, you would never see an alert indicating the script completed successfully.
- The script can never complete successfully once a DC demotion is finished, because by default it runs under the Local System security context of the agent action account. It would need to authenticate to another DC in the domain using alternative credentials (a Run As account, for example). This matters because once the demotion is complete there is no local copy of the DS, and the script is written to perform a serverless bind to the domain without hard-coding a DC. Since the server is no longer a DC, it cannot bind to itself; it has to bind to another DC in the domain the server is now a member of, and Local System has no usable domain identity for that bind.
- The latest version of the ADMP renamed the replication monitoring container in the DS to OpsMgrLatencyMonitors. The script in the ADMP still references the old name - MOMLatencyMonitors.
So I fired up my old custom MP - the Extended Windows Server OS Monitoring management pack (if you remember, I had uncovered a different but similar issue with the first release of the ADMP, 6.0.6246.0) - to refresh my memory and test whether it would still work. Upon review I determined that my logic was flawed and it needed to be re-written from the ground up (being the critical person I am, even of my own work). So I started to evaluate the scenario and develop a workable solution. This management pack has now undergone two weeks of testing, and I can say with certainty that it works and meets my high-quality bar.
This management pack provides the following capabilities:
- The rule - AD DC Demoted - is targeted at the Windows Server Operating System class, so that it covers Windows Server 2000/2003/2008.
- An override so that you can change the parameter for the replication container (i.e. MOMLatencyMonitors or OpsMgrLatencyMonitors) to support the old and new versions of the ADMP.
- The script has been corrected so that it generates an informational alert on success, and the alert includes the complete path of the replication container (MOMLatencyMonitors or OpsMgrLatencyMonitors). The default ADMP script does not include the container name in the alert details. The same applies to the failure case.
- Two alert rules based on outcome of the cleanup script - success or failure respectively.
- A Run As Profile so that you can associate an existing Run As Account (preferably the ADMP Replication Monitoring Account) and target it against the domain controllers in your environment. Additional rights will need to be granted to this account in order for it to successfully delete the object(s) from the container in the DS.
- Also has two tasks - Reboot Windows Server and Shutdown Windows Server.
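To make the three script-level points above concrete (the serverless bind with alternate credentials, the configurable container name, and success/failure events that carry the full container path), here is an added PowerShell example. It is not the ADMP's own script and not the code shipped in my management pack; it is a stand-alone illustration of the same approach. It assumes, since the page does not state it, that the replication container sits directly under the domain naming context (CN=<Container>,<defaultNC>) and holds one child container per monitored DC named after that DC; the event source name and event IDs are invented for the example, and the credential is passed in explicitly rather than supplied by a Run As profile.

```powershell
<#
  Added example (not the ADMP script, not the management pack's own code).
  Removes the replication monitoring objects a demoted DC left behind, using a
  serverless LDAP bind with alternate credentials so it still works after the
  local DS is gone.
  Assumptions (not stated on the page): the container lives directly under the
  domain naming context as CN=<Container>,<defaultNC> and holds one child
  container per DC named after the DC; the event source and event IDs below are
  hypothetical names chosen for this example.
#>
param(
    [Parameter(Mandatory = $true)] [string] $DemotedDC,                 # name of the demoted DC, e.g. DC03
    [string] $Container = 'OpsMgrLatencyMonitors',                       # use MOMLatencyMonitors for ADMP 6.0.6246.0
    [Parameter(Mandatory = $true)]
    [System.Management.Automation.PSCredential] $Credential,             # domain account with delete rights on the container
    [string] $EventSource = 'ADDCDemotionCleanup'                        # hypothetical source the alert rules would key off
)

$user = $Credential.UserName
$pass = $Credential.GetNetworkCredential().Password
$containerPath = ''

function Write-CleanupEvent {
    param([string] $Type, [int] $Id, [string] $Message)
    # Success and failure are both reported as events so a rule can alert on each;
    # every message carries the full container path, which the stock script omits.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EntryType $Type -EventId $Id -Message $Message
}

try {
    # Serverless bind: no DC is hard-coded, so the DC locator picks any DC in the
    # domain this (now member) server belongs to. Alternate credentials are needed
    # because Local System has no domain identity once the server is no longer a DC.
    $rootDse   = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE', $user, $pass)
    $defaultNC = $rootDse.Properties['defaultNamingContext'].Value
    $containerPath = "LDAP://CN=$Container,$defaultNC"

    $containerEntry = New-Object System.DirectoryServices.DirectoryEntry($containerPath, $user, $pass)
    # Touch NativeObject to force the bind now, so a wrong container name fails here
    # with a clear error instead of surfacing later as an empty search.
    $null = $containerEntry.NativeObject

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($containerEntry)
    $searcher.Filter      = "(&(objectClass=container)(cn=$DemotedDC))"
    $searcher.SearchScope = 'OneLevel'
    $result = $searcher.FindOne()

    if ($null -eq $result) {
        Write-CleanupEvent -Type Warning -Id 9002 -Message "No replication monitoring objects for $DemotedDC were found under $containerPath; nothing to clean up."
        return
    }

    # GetDirectoryEntry reuses the search root's credentials, so the delete runs
    # as the supplied account rather than as Local System.
    $dcEntry = $result.GetDirectoryEntry()
    $dn = $dcEntry.Properties['distinguishedName'].Value
    $dcEntry.DeleteTree()   # removes the DC's container and every latency object beneath it

    Write-CleanupEvent -Type Information -Id 9000 -Message "Removed replication monitoring objects for $DemotedDC ($dn) from $containerPath."
}
catch {
    Write-CleanupEvent -Type Error -Id 9001 -Message "Failed to remove replication monitoring objects for $DemotedDC from $containerPath : $($_.Exception.Message)"
}
```

Run it on the demoted server as an administrator (New-EventLog needs rights to register the source), for example `.\Remove-DemotedDcMonitors.ps1 -DemotedDC DC03 -Credential (Get-Credential) -Container OpsMgrLatencyMonitors`. The account you supply needs the same rights the Run As account in the management pack needs: permission to delete the DC's child container and the objects inside it. If the bind to the container fails, the error event still names the path that was attempted, which is the detail you want when the only thing wrong is an override set to the wrong container name.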
If you used the earlier Extended Windows Server Operating System management pack (6.0.6246.0), delete it from the management group before importing this one, as it will not upgrade in place to this new version. The zip file contains the sealed MP and the deployment guide for your review.