Active Directory Management Pack – Addendum for Trust Monitoring

First published on TECHNET on Aug 28, 2017
UPDATE: October 2017 the 3 rd – Added an example of the trust list format.

Hi there,

After long time I came back on an issue that some of my customers were facing. They were struggling with the Trust Monitoring scenario included in the Management Pack for .

The problem they had, was pretty simple (as well as its solution). They “just” wanted to monitor trust status, but only for some Trusts. This sounded like: “Hey, I want to monitor my Trusts, but I want to exclude those I know as not working and that I cannot fix. I really do not want to renounce to the entire Trust Monitoring just because I cannot exclude some of them”.

Well, that sentence made me thinking about delight my customers and do something interesting for other customers as well. So, I came up with the idea of an addendum MP which gives the possibility to specify a trust or a list of trusts to be excluded.

Let's start with a bit of explanation.

The Trust Monitor coming with the Management Pack, is using basically 3 components:

  • A DataSource module which contains the script used to query and return the status of all existing trusts.
  • A UnitMonitorType which parses the output from the DataSource module
  • A UnitMonitor which basically reports on the Trust health by creating an alert in case the status is not good.

I will not go deeper, just to not annoy you but if you are interested in the theory you can ping me at my email address or a leave a comment and I will follow up. The small issue inside this mechanism is that, as I wrote in the description of the DataSource task, it checks for all trusts and there's no way to create an override based on a single Trust or list of Trusts. You got it right: You can only disable the monitor that turns into completely shutting down the Trust Monitoring scenario .

What I did is:

  1. I created a new DataSource that takes another input parameter: the single trust or the comma separated list of trusts

    And which is using a modified version of the script with the exclusion logic

  2. Then, because of the new parameter, I had to create a new UnitMonitorType and a new UnitMonitor in order to expose and to pass the new overridable parameter

  3. Include some pre-defined overrides to disable the original monitor

Of course, I am giving here the simple version of the story since I had to consider some different possibility for the override value (single trust, Trust list, no value) but luckily, I got it done and working. Using this addendum, you can continue using the Trust Monitoring scenario and bend it to your needs by configuring the necessary override.

Now that you have clear in mind what I have done, let's discuss use it.

First of all, it works every version of System Center that the original management pack is working on. Second, I created this solution for all Management Pack version, including the completely brand new one.

And now: how do I use it? Simple answer: You just download the file for the management pack version you are using from this post, import it and that's all. As said, the addendum MP contains an override that disables the original monitor since the new one comes enabled. Now you can go ahead with the necessary overrides.

Like other Management Packs, overrides can be created for different targets. For every target you choose, you have the possibility to create one override per trust or a single override with a trust list. The trust list can be passed as a comma separated value list. For instance you can enter “DomainA.Com, DomainB.Local,” without double quotes, and so on.

I intentionally left the management pack files (yes more than one since this solution is available for all Active Directory Management Pack version know so far) unsealed so you can store your overrides in the same file. Should you need this solution any longer, all you have to do is to remove it from your System Center management group.

If you want to give it a try, download the Zip file and import the version you need.

I hope this solution will make your life easier and will make you appreciating Microsoft solution more and more.


ActiveDirectory Addendum MP


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.