Thursday, July 1, 2010

AD MP throws error: ‘Health Service Credentials Not Found Alert Message’

I had this issue at a customer's site. The AD MP had been imported and configured, and replication monitoring was configured as well. Replication monitoring requires a Run As Profile within SCOM to be configured (AD MP Account).

Everything was set as it should be, but the DCs still raised this Alert in the Console: ‘Health Service Credentials Not Found.’ And: ‘An account specified in the Run As profile "Microsoft.Windows.Server.AD.ActionAccountProfile" cannot be resolved.’

So time to check everything. An AD account with sufficient permissions was in place and operational. It was not blocked in any way. The account had been neatly added in SCOM as a Windows Run As Account, and this account had been added to the related Run As Profile.

Of course, the ‘More Secure’ distribution type was selected for the Run As Account, and the correct DCs were selected for this Run As Account.

Time to move on to the Run As Profile. The third option, Run As Accounts, is especially important here.

Hmm. All seemed to be well. But when the Alert was closed and on the related DC the Health Service was restarted, the Alert reappeared. So somehow it did not work as it should.

Since the account itself and the Run As Account in SCOM are OK, the cause had to be found in the Run As Profile. Perhaps in this case more granular targeting was needed?

So I removed the earlier Run As Account from that Profile and added it again. This time, however, it was targeted directly at the DCs:

At ‘This Run As Account will be used to manage the following objects:’, hit the Select button > choose Object.

In the Look for: box select Windows Computer and in the Filter by: box, type the name of the DC and click OK > OK.

Repeat these steps for all DCs. When complete, the list shows an entry for each DC.

Hit the Save button and you are done.

Close all ‘Health Service Credentials Not Found’ Alerts from these DCs.

Now when the Health Services of the related DCs are restarted, the Alerts won’t return.
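
The same per-DC targeting can be scripted. This is an added example, not part of the original post: it assumes the OperationsManager PowerShell module of SCOM 2012 or later (not the console version shown above), and the management server name, Run As Account name and DC names are placeholders.

```powershell
# Added example; assumes the OperationsManager module (SCOM 2012 or later).
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.example.local'  # placeholder

# Placeholders: your Run As Account name and the DCs to target.
# Assumption: Windows Computer objects use the FQDN as DisplayName.
$accountName = 'AD MP Account'
$dcNames     = @('dc01.example.local', 'dc02.example.local')

$runAsProfile = Get-SCOMRunAsProfile -Name 'Microsoft.Windows.Server.AD.ActionAccountProfile'
$account      = Get-SCOMRunAsAccount -Name $accountName
if (-not $runAsProfile) { throw 'AD MP Run As Profile not found.' }
if (-not $account)      { throw "Run As Account '$accountName' not found." }

# Resolve each DC to its Windows Computer object (the 'Look for' / 'Filter by' step).
$computerClass = Get-SCOMClass -Name 'Microsoft.Windows.Computer'
$dcObjects = @(Get-SCOMClassInstance -Class $computerClass |
    Where-Object { $dcNames -contains $_.DisplayName })

# Stop before changing anything if a DC name did not resolve.
$found   = @($dcObjects | ForEach-Object { $_.DisplayName })
$missing = @($dcNames | Where-Object { $found -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Not found as Windows Computer objects: $($missing -join ', ')"
}

# Remove the existing association, then add the account again,
# this time targeted only at the DC objects.
Set-SCOMRunAsProfile -Action 'Remove' -Profile $runAsProfile -Account $account
Set-SCOMRunAsProfile -Action 'Add' -Profile $runAsProfile -Account $account -Instance $dcObjects
```

The ‘More Secure’ distribution of the Run As Account must still list the same DCs, as described above; the script only changes the profile association.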

5 comments:

Marnix Wolf said...

Hi there.

Thanks for visiting my blog and your nice comment.

Cheers,
Marnix

Unknown said...

Could a group containing the DCs be used instead of adding each one separately? Thank you.

Marnix Wolf said...

Hi Matt,

It can be done. I have never tried it, though. Adding the computers one by one gives me more granular control.

Cheers,
Marnix

Jolivenom said...

"An AD account with sufficient permission"

What are the sufficient permissions needed for the AD MP account?

Marnix Wolf said...

Hi Jolivenom.

Sufficient permissions as stated in the AD MP Guide.

Cheers
Marnix