runas account permissions for dfs replication monitoring (backlog monitor)

  • Question

  • Good Day

    We have some DFSR replication groups configured. Replication is between the file server in our headquarters and other replication partners located in our branch offices. The branch offices have an RODC which also acts as file server (replication partner).

    I have imported the correct management pack and also activated the monitoring rule for backlog monitoring. The monitoring agents on all affected servers are running under Local System. With this configuration, the backlog monitor does not list any backlogs (it stays completely empty). Next I configured an action account and added it to the "DFS Replication Monitoring Account" profile. The configured account also had domain admin rights (because of the RODC). From this point on, backlog monitoring does work as expected.

    But I don't want the action account to run with domain admin rights for security reasons. I made it a normal domain user with log on locally rights on the RODC and file server, but this seems not to be enough.

    Question: Does the runas account for DFS monitoring have to have local admin rights on the servers? Is there any documentation on which rights the runas account needs? I haven't found that information yet.

    Thanks in advance

    andre

    Thursday, August 20, 2015 12:16 PM

All replies

  • You can check this in the Management Pack guide that comes along with the MP.

    http://www.microsoft.com/en-in/download/details.aspx?id=4231


    Thanks, S K Agrawal

    Thursday, August 20, 2015 12:50 PM
  • Thanks. I have read this paper before. I know this part:

    ".... create run as account that has administrative privileges on all the monitored servers.... can connect to the DFS Replication WMI provider on all monitored computers. You are not required to use domain administrator credentials for this purpose"

    But as we have DFSR running on an RODC, there is no local admin account. This would mean I have to give domain admin rights, but that's not what I want to... I just want to understand how exactly this management pack is working... Maybe we can just modify WMI access, for example, for the action account and grant log on locally rights?

    • Edited by andre_80 Thursday, August 20, 2015 1:06 PM
    Thursday, August 20, 2015 1:05 PM
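
The guide excerpt quoted above requires that the run-as account "can connect to the DFS Replication WMI provider on all monitored computers". The following check is an added example, not part of the original thread or the management pack: it tests that requirement for a candidate account before it is assigned to the profile. It assumes Windows PowerShell 5.1 (for `Get-WmiObject`) and queries the `DfsrReplicatedFolderInfo` class in the `root\MicrosoftDFS` namespace; the server names are constructed placeholders, and whether the management pack needs more than this query is not established by the thread.

```powershell
# Added example: check whether a candidate run-as account can query the
# DFS Replication WMI provider on each monitored server.
# Run from a management workstation; -Credential only works for remote targets.
param(
    # Constructed placeholder names; replace with your replication members.
    [string[]]$Servers = @('HQ-FS01.example.test', 'BRANCH-RODC01.example.test'),
    [System.Management.Automation.PSCredential]$Credential =
        (Get-Credential -Message 'Candidate DFSR monitoring run-as account')
)

$results = foreach ($server in $Servers) {
    $row = [ordered]@{
        Server            = $server
        Account           = $Credential.UserName
        WmiAccess         = $false
        ReplicatedFolders = 0
        Failure           = $null
    }
    try {
        # One instance exists per replicated folder hosted on the member.
        $folders = @(Get-WmiObject -ComputerName $server -Credential $Credential `
                -Namespace 'root\MicrosoftDFS' -Class 'DfsrReplicatedFolderInfo' `
                -ErrorAction Stop)
        $row.WmiAccess = $true
        $row.ReplicatedFolders = $folders.Count
    }
    catch {
        # Record the exception type so a DCOM/remote-launch denial
        # (UnauthorizedAccessException) can be told apart from a WMI namespace
        # denial (ManagementException) or an unreachable host (COMException).
        $row.Failure = '{0}: {1}' -f $_.Exception.GetType().Name, $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled job flag the account as unsuitable.
if ($results | Where-Object { -not $_.WmiAccess }) { exit 1 }
```

A row with `WmiAccess = True` and `ReplicatedFolders = 0` means the account could connect but the provider returned no replicated folders, which matches the "stays completely empty" symptom described in the question.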
  • Hi Andre,

    I am curious, did you manage to find a solution to this? I am in exactly the same situation.

    Regards,

    Nik

    Thursday, April 20, 2017 8:15 AM
  • Hi Nik

    Unfortunately no, there was no solution for this. I received a custom-made solution from our IT partner which monitors the DFSR backlog now.

    Regards

    André

    Thursday, April 20, 2017 9:15 AM