7016 - The Health Service cannot verify the future validity of the RunAs account
Hi,

We have several gateways set up on our other domains (DMZ, Test and Dev) using certificates to connect to the RMS with a few agents reporting to the gateway in its domain. I am receiving this warning for all gateways and agents that are being monitored (in the other domains). All our servers are either Win 2003 32bit or Win 2003 64bit.

The Health Service cannot verify the future validity of the RunAs account PRODUCTION\username for management group PRODMGMT due to an error retrieving information from Active Directory (for Domain Accounts) or the local security authority (for Local Accounts). The error is The network path was not found.(0x80070035).

From the searching that I've done on the net, a couple of people have mentioned that if you set the password expiration flag on AD users and computers for the account the problem will go away. This hasn't happened for me.

I have checked the logs on the gateway servers and they report the following messages:

Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 7016
Date: 15/03/2010
Time: 6:05:25 AM
User: N/A
Computer: DEMOMMS003
Description:
The Health Service cannot verify the future validity of the RunAs account PRODUCTION\username for management group PRODMGMT due to an error retrieving information from Active Directory (for Domain Accounts) or the local security authority (for Local Accounts). The error is The network path was not found.(0x80070035).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: HealthService
Event Category: Health Service
Event ID: 7020
Date: 15/03/2010
Time: 6:05:25 AM
User: N/A
Computer: DEMOMMS003
Description:
The Health Service has validated all RunAs accounts for management group PRODMGMT, except those we could not monitor.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

However a few hours later I don't get any error messages and it seems to be working happily.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7026
Date: 15/03/2010
Time: 9:02:28 AM
User: N/A
Computer: DEMOMMS003
Description:
The Health Service successfully logged on the RunAs account PRODUCTION\username for management group PRODMGMT
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7023
Date: 15/03/2010
Time: 9:02:28 AM
User: N/A
Computer: DEMOMMS003
Description:
The Health Service has downloaded secure configuration for management group PRODMGMT successfully.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7025
Date: 15/03/2010
Time: 9:02:28 AM
User: N/A
Computer: DEMOMMS003
Description:
The Health Service has authorized all configured RunAs accounts to execute for management group PRODMGMT.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7024
Date: 15/03/2010
Time: 9:02:28 AM
User: N/A
Computer: DEMOMMS003
Description:
The Health Service successfully logged on all accounts for management group PRODMGMT
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Despite the successful logs that appear, the gateway still shows up with the same warning.

If I stop and start the service on the gateway it then shows up as healthy in SCOM, but then the next day the warning comes back.

Is the problem caused by different domain accounts and when it tries to find it in the domain it can't find it?

Cheers,
Phil
March 14th, 2010 7:32pm

You are using a wrong runas account in the DMZ environment. I assume there is no trust between the DMZ and the PRODUCTION forest/domains, and DNS resolution to the PRODUCTION domain is not set up in the DMZ, and the firewall will block LDAP queries, etc. etc. etc. The agent will not be able to validate the runas account. So to resolve this, specify another runas account (a DMZ domain user) and target that to the agents in the DMZ.

Cheers,
Arie de Haan

This posting is provided "AS IS" with no guarantees, warranties, rights etc. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 14th, 2010 4:58pm

I am having this problem and the servers are in the same domain as the run as account. Are there any specific diagnostic steps that I can take to try to diagnose why it's not recognizing my run as account? Are there specific security settings that I should check?
December 7th, 2010 3:11pm

I am having the same issue as "Maintech Mike" above. I am getting this message on SQL servers which are in the same domain as the account in question. What can we check to resolve this?
February 27th, 2012 9:39am

Can you log on to the computer with the runas account that is having the problem? Or, log on to the computer with some other account and run the following in the command prompt:

    runas /user:xxx\xxx notepad.exe

If you see an error returned, this would indicate a permissions/rights issue.

HTH,
Jonathan Almquist - MSFT
February 27th, 2012 11:16am

I also have the same problem with my SCOM 2012 system. I am getting 7021 and 7016 events. As mentioned by Jonathan, I am able to open notepad with the user account for which we are getting the error. Another thing noted: when we run setspn -l domain\acc, we are getting error

    Ldap Error(0x51 -- Server Down): ldap_open
    or
    FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
    Could not find account DOMAIN/account

Another point to add: my server is ABC.XXX.company.com and the acc I am using is YYY\acc_name. I mean to say my account is of a diff domain. This config is working fine, with no issues at all, in another server which was set up earlier with 2007 R2.

Manish
May 2nd, 2012 5:29pm

Worked with somebody who had this problem today. From PowerShell:

    gwmi win32_ntdomain

This should show you all of the available domain controllers you are trying to connect to. Try to ping all of them, and/or try to run dcdiag specifying each DC in the list returned. If one of them fails, contact your Domain Admin; in our case it was a DNS issue.

Let me know if that works,
-Jess
August 16th, 2012 5:43pm
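
The checks described in the post above, as an added example that is not part of the original thread: it lists the domain controllers from Win32_NTDomain, tests name resolution and LDAP reachability for each, and runs dcdiag where available. The function name and the -AccountDomain parameter are hypothetical; the nltest DC locator step for a RunAs account in a different domain goes beyond what the post lists.

```powershell
# Added example. Run on the agent or gateway that logs event 7016.
# Assumes PowerShell 3.0+ (on 2.0 use Get-WmiObject) and that dcdiag/nltest are installed.
function Test-RunAsDomainPath {
    param([string]$AccountDomain)   # hypothetical: DNS name of the RunAs account's domain

    # Same data as "gwmi win32_ntdomain"; the local-machine entry has no DC and is skipped.
    $domains = Get-CimInstance -ClassName Win32_NTDomain |
        Where-Object { $_.DomainControllerName }

    foreach ($d in $domains) {
        $dc = $d.DomainControllerName.TrimStart('\')   # value is returned as \\DCNAME

        # 1. Name resolution (the root cause reported in the post above was DNS).
        $dns = $true
        try { [void][System.Net.Dns]::GetHostAddresses($dc) } catch { $dns = $false }

        # 2. LDAP reachability on TCP 389 with a 3-second timeout.
        $ldap = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $client.BeginConnect($dc, 389, $null, $null)
            $ldap = $pending.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch { $ldap = $false } finally { $client.Close() }

        # 3. dcdiag against this DC, only if it is reachable and the tool is present.
        $diag = 'skipped'
        if ($ldap -and (Get-Command dcdiag.exe -ErrorAction SilentlyContinue)) {
            $out  = & dcdiag.exe "/s:$dc" /test:Connectivity 2>&1 | Out-String
            $diag = if ($out -match 'failed test') { 'failed' } else { 'passed' }
        }

        [pscustomobject]@{
            Domain = $d.DomainName; DomainController = $dc
            DnsResolves = $dns; Ldap389 = $ldap; DcDiag = $diag
        }
    }

    # 4. If the RunAs account lives in another domain, ask the DC locator for that domain.
    if ($AccountDomain -and (Get-Command nltest.exe -ErrorAction SilentlyContinue)) {
        & nltest.exe "/dsgetdc:$AccountDomain" 2>&1 | Out-Null
        [pscustomobject]@{
            Domain = $AccountDomain; DomainController = '(DC locator)'
            DnsResolves = $null; Ldap389 = $null
            DcDiag = if ($LASTEXITCODE -eq 0) { 'located' } else { 'not located' }
        }
    }
}

Test-RunAsDomainPath | Format-Table -AutoSize
```

A row with DnsResolves or Ldap389 set to False points at the name resolution or firewall problems discussed earlier in the thread rather than at the account itself.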

This topic is archived. No further replies will be accepted.
