Tuesday, July 26, 2011

SCOM- Could Not Determine the FSMO Role Holder

Update June 2012: I've just recently came across a cool workaround blog post on this issue by Stefan Roth that requires a change to each Domain Controller you are managing that creates a symbolic link that would allow this task to be run each time. Check out his post below:

http://blog.scomfaq.ch/2011/12/04/support-tools-task-in-active-directory-management-pack-fails/

When you install the Active Directory (AD) Monitoring Management Pack into your SCOM/OpsMgr environment, from time to time you will come across the error 'Could Not Determine the FSMO Role Holder', followed quickly by the errror 'AD Client Side - Script Based Test Failed to Complete'.


This is an annoying little error that has a relatively easy fix.

Cameron Fuller and the guys behind the 'System Center Operations Manager Unleashed' series have a good post on their blog containing a lot of resolutions to these type of errors generated from the Active Directory Management Pack - see the link below:

http://opsmgrunleashed.wordpress.com/2009/09/29/opsmgr-r2-by-example-the-active-directory-management-pack/

Following the information from the blog post above, we would select the 'Netdom Query FSMO' task on the right hand side of the screen when you have the 'Could Not Determine the FSMO Role Holder' alert highlighted


 This will open a window like the one below. Have a look at the location of the 'Support Tools Install Dir' Value. It is pointing to the '%ProgramFiles%\Support Tools' location


 When we run the task without changing anything, it will come back and fail with an error like below


The reason it fails is because the NetDom utility doesn't exist on the Domain Controller that is raising the alert in the %ProgramFiles%\Support Tools location. It is existent in the '%windir%\system32' location instead. If we choose to re-run the task but this time select the 'Override' button and modify the 'Support Tools Install Dir' value to point to the correct location of the NetDom utility, it will complete successfully as the screens below show.





Most of the time, simply by carrying out the above procedure, this error will go away as the FSMO role holder has been enumerated but in a few instances, we need to make one or two more small changes.

If the alert comes back after the above process, all you need to do is to locate the 'NetDom' utility from within the %windir%\System32 directory, create a new folder under the 'Program Files' folder on the Domain Controller giving the error called 'Support Tools' and then copy the 'NetDom' utility to here like the screenshot below


Now you can run the task again successfully without having to make any overrides or custom changes to your SCOM environment.



Hopefully after these changes, the rule should be able to run the NetDom utility and determine the FSMO role holder of each domain controller.

12 comments:

  1. I changed the directory to windir as suggested and the MMC on both my admin workstation and on the server crashed.

    Any thoughts?

    ReplyDelete
  2. Hi Jeff,

    Thanks for the comment!

    If you changed the location to the Windir and your system crashes, I'd suggest initially looking at your Anti-Virus 'On Access' scanner or possibly even UAC being enabled on the server as a cause of the crash/hang.

    As a workaround, instead of pointing it to the %windir% location, you could simply copy the Netdom utility into the location that the MP is looking for - see the comments above the second graphic from the bottom of this post for more on this.

    Hope this helps!

    ReplyDelete
  3. This helped a lot, thanks

    ReplyDelete
  4. This though does happen to be a manual task each time - anyone found the best way in which to automate this?

    ReplyDelete
  5. I used PowerShell remoting and the mklink utility to create symbolic links from C:\Program Files\Support Tools to C:\Windows\System32.

    With a list of all domain controllers, the Invoke-Command Cmdlet and the mklink utility this shold be easy.

    ReplyDelete
  6. Kevin,

    I have a mix of 2003 and 2008 DC's. The 2003 DC's have the NETDOM.EXE in the "Support Tools" already. The task runs fine with no tweaking on those systems. However, the alert is still being generated by the rule. Any thoughts?

    ReplyDelete
    Replies
    1. Hi there,

      I'd check the event logs on the DC's that the alert is being generated from to ensure that there isn't actually a real problem with ascertaining the FSMO role holder.

      Also, check out Stefan Roth's workaround for this alert - i've linked to his blog post at the top.

      Kevin.

      Delete
  7. Is it a bug or a feature? I hope it gets solved in SP1.
    This helped for me as well!

    ReplyDelete
    Replies
    1. Hi Steven,

      It's a badly written task inside the AD MP. This MP hasn't been updated for a long time so hopefully when they release an update for it, they'll have resolved this issue.

      As it's the AD MP that causes the problem, then SCOM 2012 SP1 will have no affect on its resolution unfortunately.

      Kevin.

      Delete
  8. Worked like a charm!

    ReplyDelete
    Replies
    1. Glad I could help - thanks for the comment!

      Kevin

      Delete