7016 - The Health Service cannot verify the future validity of the RunAs account

Hi,

We have several gateways set up on our other domains (DMZ, Test and Dev) using certificates to connect to the RMS, with a few agents reporting to the gateway in its domain. I am receiving this warning for all gateways and agents that are being monitored (in the other domains). All our servers are either Win 2003 32bit or Win 2003 64bit.

The Health Service cannot verify the future validity of the RunAs account PRODUCTION\username for management group PRODMGMT due to an error retrieving information from Active Directory (for Domain Accounts) or the local security authority (for Local Accounts). The error is The network path was not found.(0x80070035).

From the searching that I've done on the net, a couple of people have mentioned that if you set the password expiration flag on AD users and computers for the account the problem will go away. This hasn't happened for me.

I have checked the logs on the gateway servers and they report the following messages:

Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 7016
Date:  15/03/2010
Time:  6:05:25 AM
User:  N/A
Computer: DEMOMMS003
Description:
The Health Service cannot verify the future validity of the RunAs account PRODUCTION\username for management group PRODMGMT due to an error retrieving information from Active Directory (for Domain Accounts) or the local security authority (for Local Accounts).  The error is The network path was not found.(0x80070035).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: HealthService
Event Category: Health Service
Event ID: 7020
Date:  15/03/2010
Time:  6:05:25 AM
User:  N/A
Computer: DEMOMMS003
Description:
The Health Service has validated all RunAs accounts for management group PRODMGMT, except those we could not monitor.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

However a few hours later I don't get any error messages and it seems to be working happily.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7026
Date:  15/03/2010
Time:  9:02:28 AM
User:  N/A
Computer: DEMOMMS003
Description:
The Health Service successfully logged on the RunAs account PRODUCTION\username for management group PRODMGMT

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7023
Date:  15/03/2010
Time:  9:02:28 AM
User:  N/A
Computer: DEMOMMS003
Description:
The Health Service has downloaded secure configuration for management group PRODMGMT successfully.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7025
Date:  15/03/2010
Time:  9:02:28 AM
User:  N/A
Computer: DEMOMMS003
Description:
The Health Service has authorized all configured RunAs accounts to execute for management group PRODMGMT.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 7024
Date:  15/03/2010
Time:  9:02:28 AM
User:  N/A
Computer: DEMOMMS003
Description:
The Health Service successfully logged on all accounts for management group PRODMGMT

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Despite the successful logs that appear the gateway still shows up with the same warning.

If I stop and start the service on the gateway it then shows up as healthy in SCOM, but then the next day the warning comes back.

Is the problem caused by different domain accounts and when it tries to find it in the domain it can't find it?

Cheers, 

Phil

March 15th, 2010 2:32am

Anyone got any ideas about this problem? I haven't been able to make any progress on it as of yet..

March 24th, 2010 3:20am

You are using a wrong runas account in the DMZ environment. I assume there is no trust between the DMZ and the PRODUCTION forest/domains and DNS resolution to the PRODUCTION domain is not set up in the DMZ and the firewall will block LDAP queries, etc etc etc. The agent will not be able to validate the runas account.

So to resolve this, specify another runas account (a DMZ domain user) and target that to the agents in the DMZ.

July 14th, 2010 11:58pm

This is a common error with GW accounts in other domains. This event is logged when we cross domains and Kerberos boundaries, when using accounts in other domains for GW profiles and such. This can be safely ignored for events describing these types of accounts.
July 15th, 2010 2:18am

I am having this problem and the servers are in the same domain as the run as account.  Are there any specific diagnostic steps that I can take to try to diagnose why it's not recognizing my run as account?  Are there specific security settings that I should check? 
December 7th, 2010 11:11pm

I am having the same issue as "Maintech Mike" above.  I am getting this message on SQL servers which are in the same domain as the account in question.  What can we check to resolve this?
February 27th, 2012 5:39pm

Can you log on to the computer with the runas account that is having the problem? Or, log on to the computer with some other account and do a runas /user:xxx\xxx notepad.exe in the command prompt. If you see an error returned, this would indicate a permissions/rights issue.
February 27th, 2012 7:16pm

I also have the same problem with my SCOM 2012 system.
I am getting 7021 and 7016 events.

As mentioned by Jonathan, I am able to open notepad with the user account for which we are getting the error.
Another thing noted: when we run setspn -l domain\acc, we are getting the error
Ldap Error(0x51 -- Server Down): ldap_open
or
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Could not find account DOMAIN/account

Another point to add: my server is ABC.XXX.company.com and the account I am using is YYY\acc_name. I mean to say my account is from a different domain.
This config is working fine with no issues at all on another server which was set up earlier with 2007 R2.
May 3rd, 2012 12:29am

Worked with somebody who had this problem today.

From PowerShell> gwmi win32_ntdomain

This should show you all of the available domain controllers you are trying to connect to.  Try to ping all of them, and/or try to run dcdiag specifying each DC in the list returned.  If one of them fails, contact your Domain Admin, in our case it was a DNS issue.

Let me know if that works,
-Jess

August 17th, 2012 12:38am
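
The checks suggested in the replies above (DNS resolution and LDAP reachability of the RunAs account's domain, then ping and dcdiag for each domain controller listed by Win32_NTDomain) can be run in one pass. This is an added example, not part of any post in the thread; the function name, the 3-second timeout and the use of TCP port 389 for the LDAP check are assumptions, and dcdiag must already be installed on the machine.

```powershell
# Added example: for every domain this machine knows about, check whether its
# domain controller resolves in DNS, answers ping and accepts LDAP connections.
function Test-DomainControllerReachability {
    param([int]$LdapPort = 389, [int]$TimeoutMs = 3000)   # assumed defaults

    Get-WmiObject -Class Win32_NTDomain | ForEach-Object {
        # DomainControllerName comes back as \\DCNAME; entries for the local
        # machine or for stale domains can have it empty.
        $dc = if ($_.DomainControllerName) { $_.DomainControllerName.TrimStart('\') } else { $null }
        $result = New-Object PSObject -Property @{
            Domain = $_.DomainName; DC = $dc
            Resolves = $false; Ping = $false; Ldap = $false
        }
        if ($dc) {
            try {
                [void][System.Net.Dns]::GetHostAddresses($dc)
                $result.Resolves = $true
            } catch { }
            if ($result.Resolves) {
                # ICMP may be filtered while LDAP works, so both are recorded.
                $result.Ping = Test-Connection -ComputerName $dc -Count 1 -Quiet
                $tcp = New-Object System.Net.Sockets.TcpClient
                try {
                    $async = $tcp.BeginConnect($dc, $LdapPort, $null, $null)
                    if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                        $tcp.EndConnect($async)
                        $result.Ldap = $tcp.Connected
                    }
                } catch { } finally { $tcp.Close() }
            }
        }
        $result
    }
}

$report = Test-DomainControllerReachability
$report | Format-Table Domain, DC, Resolves, Ping, Ldap -AutoSize

# Run dcdiag only against the DCs that failed one of the checks.
$report | Where-Object { $_.DC -and -not ($_.Resolves -and $_.Ping -and $_.Ldap) } |
    ForEach-Object { dcdiag "/s:$($_.DC)" }
```

A row with an empty DC column, or one where Resolves is False, points at the kind of stale or unreachable domain entry described elsewhere in this thread.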


Just to add to this, I think that if you're in a forest with multiple domains, and some of those domains are having issues, or are in the process of being decommissioned you may run into this error as well.

I'm putting that out there, as I'm seeing this error on my servers that are all in one domain, with no gateway servers. But when I queried the Win32_NTDomain class 5 items were returned, one was a domain that only had a description property listed, another was a domain that had data listed but was in the process of being removed, and one had items listed, but currently we have no access to that domain (politics..sigh).

I'm using the SQL MP and using the Low Priv configuration and hoping that this error doesn't impede data collection and health data.

Anyone have any thoughts on this?

Thanks,

June 2nd, 2014 10:27am

This topic is archived. No further replies will be accepted.
