Active Directory Management Pack - Replication Monitoring Account Permissions

I have been monitoring some of the blogs in the management community lately and came across several entries that guide customers on configuring the Run As account for the Replication Monitoring rule in the Active Directory Management Pack for Operations Manager 2007.  Unfortunately, some of the recommendations I reviewed were technically inaccurate.  My goal here is to clarify the specific permissions that must be granted to the Replication Monitoring Run As account.  Without them, the replication monitoring script generates an alert for Event ID 67 ("Access Denied") when it tries to create the domain controller object or the replication container, or to modify the attributes of the DC object. 

Update:   The latest version of the Active Directory management pack, version 6.0.6452.0, changed the name of the container used for replication monitoring in Operations Manager. It is now OpsMgrLatencyMonitors (previously MOMLatencyMonitors), and the change is not called out in the ADMP deployment guide. This post has therefore been updated to reflect the new name and to recommend the minimum security rights that should be granted to the Run As account.

To monitor replication between domain controllers in the forest, the Active Directory Management Pack Guide (page 10) instructs you to configure a domain account that is used only for replication monitoring.  What the guide does not clearly spell out is which Active Directory partitions need their security permissions set so that this account can modify the OpsMgrLatencyMonitors container in each of them.  If the agent on your domain controllers runs under the Local System security context, and that built-in account has not been restricted or removed from the security permissions of each partition, then in most cases all you need to do is pre-create the OpsMgrLatencyMonitors container in each of the partitions listed below.  If instead your directory services team requires the Operations Manager agent to run with least privilege, follow the steps below to grant the domain account used as the replication monitoring Run As account the permissions it needs. 

By default, the replication monitoring script monitors the Domain partition and the application partitions in the directory service.  Monitoring of the Configuration partition is optional and is not enabled by default.  Complete the following steps to ensure the replication monitoring account has rights to modify the objects and attributes under the OpsMgrLatencyMonitors container.  (Note: Steps 2 and 3 are only necessary if you run Microsoft DNS on your domain controllers with Active Directory-integrated zones, which is what creates the DomainDNSZones and ForestDNSZones application partitions.)

1. Set permissions for the Replication Monitoring Run As account on the Domain partition in each domain in the forest. 

To do this, follow these steps on a domain controller in the domain:

a. Click Start, click Run, type Adsiedit.msc, and then click OK.

b. In the task pane, right-click ADSI Edit, and then click Connect to.

c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

DC=Domain,DC=Domain_extension

d. In the task pane, locate and right-click CN=OpsMgrLatencyMonitors,DC=Domain,DC=Domain_extension, and then click Properties.  (If the container does not exist yet, create it first: right-click the partition node, point to New, click Object, select the container class, and enter OpsMgrLatencyMonitors as the cn value.)

e. On the Security tab, click Add.

f. In the Enter the object name to select box, type the name of the replication monitoring Run As account, click Check Names to verify the name, and then click OK.

g. With the Run As account selected in the Group or user names list, select the Allow check boxes for the Read, Write, and Create all child objects permissions, and then click Advanced.

h. On the Permissions tab of the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, select the entry for the Run As account and click Edit.  The Permission Entry for OpsMgrLatencyMonitors dialog box appears.

i. In the Apply onto list, click This object and all child objects, and then click OK.

j. In the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, click Apply, click OK, and then click OK to close the Properties dialog box.

k. Close the ADSI Edit window.

2. Set permissions for the Replication Monitoring Run As account on the DomainDNSZones application partition in each domain in the forest.  To do this, follow these steps on a domain controller in the domain:

a. Click Start, click Run, type Adsiedit.msc, and then click OK.

b. In the task pane, right-click ADSI Edit, and then click Connect to.

c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

     DC=DomainDNSZones,DC=Domain,DC=Domain_extension

d. In the task pane, locate and right-click CN=OpsMgrLatencyMonitors,DC=DomainDNSZones,DC=Domain,DC=Domain_extension, and then click Properties.  (If the container does not exist yet, create it first: right-click the partition node, point to New, click Object, select the container class, and enter OpsMgrLatencyMonitors as the cn value.)

e. On the Security tab, click Add.

f. In the Enter the object name to select box, type the name of the replication monitoring Run As account, click Check Names to verify the name, and then click OK.

g. With the Run As account selected in the Group or user names list, select the Allow check boxes for the Read, Write, and Create all child objects permissions, and then click Advanced.

h. On the Permissions tab of the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, select the entry for the Run As account and click Edit.  The Permission Entry for OpsMgrLatencyMonitors dialog box appears.

i. In the Apply onto list, click This object and all child objects, and then click OK.

j. In the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, click Apply, click OK, and then click OK to close the Properties dialog box.

k. Close the ADSI Edit window.

3. Set permissions for the Replication Monitoring Run As account on the ForestDNSZones application partition.  There is only one ForestDNSZones partition per forest, and its distinguished name uses the forest root domain, so this step is performed once.

To do this, follow these steps on a domain controller that hosts the ForestDNSZones partition (by default, any DNS-enabled domain controller in the forest), substituting the forest root domain for DC=Domain,DC=Domain_extension:

a. Click Start, click Run, type Adsiedit.msc, and then click OK.

b. In the task pane, right-click ADSI Edit, and then click Connect to.

c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

     DC=ForestDNSZones,DC=Domain,DC=Domain_extension

d. In the task pane, locate and right-click CN=OpsMgrLatencyMonitors,DC=ForestDNSZones,DC=Domain,DC=Domain_extension, and then click Properties.  (If the container does not exist yet, create it first: right-click the partition node, point to New, click Object, select the container class, and enter OpsMgrLatencyMonitors as the cn value.)

e. On the Security tab, click Add.

f. In the Enter the object name to select box, type the name of the replication monitoring Run As account, click Check Names to verify the name, and then click OK.

g. With the Run As account selected in the Group or user names list, select the Allow check boxes for the Read, Write, and Create all child objects permissions, and then click Advanced.

h. On the Permissions tab of the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, select the entry for the Run As account and click Edit.  The Permission Entry for OpsMgrLatencyMonitors dialog box appears.

i. In the Apply onto list, click This object and all child objects, and then click OK.

j. In the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, click Apply, click OK, and then click OK to close the Properties dialog box.

k. Close the ADSI Edit window.
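The three ADSI Edit procedures above make the same change once per partition, and it is easy to miss a partition or to leave the entry applied to "This object only".  The following PowerShell script is added here as a worked example; it is not from the ADMP guide or the original post.  Run on a domain controller, it asks the DC which naming contexts it holds (Domain, DomainDNSZones and ForestDNSZones when AD-integrated DNS is present; Schema is always skipped and Configuration is skipped unless you opt in), pre-creates the OpsMgrLatencyMonitors container where it is missing, grants the Run As account Read, Write and Create all child objects on the container and everything beneath it, and then reads the ACL back so you can confirm the entry before the monitoring script next runs.  The account name CONTOSO\svc-admp-repl is an assumption; substitute your own Run As account, and run the script as a user permitted to change security on each partition (for ForestDNSZones that normally means an Enterprise Admin).

```powershell
# Added example, not from the ADMP guide or the original post.
# Assumptions (constructed for this example): the Run As account is CONTOSO\svc-admp-repl,
# the container is OpsMgrLatencyMonitors, and the script runs on a domain controller as a
# user allowed to change security on each partition.
$runAsAccount  = "CONTOSO\svc-admp-repl"   # assumption: your replication monitoring Run As account
$containerName = "OpsMgrLatencyMonitors"
$includeConfig = $false                     # Configuration partition monitoring is optional in the MP

# Resolve the account to a SID once; ACEs are stored by SID, not by name.
$sid = (New-Object System.Security.Principal.NTAccount($runAsAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read, Write and Create all child objects: the three check boxes on the Security tab.
$rights = [System.DirectoryServices.ActiveDirectoryRights]"GenericRead, GenericWrite, CreateChild"

# Ask this DC which naming contexts it holds. A DNS-enabled DC lists its domain NC plus
# DomainDnsZones and ForestDnsZones (steps 2 and 3 only apply when those exist), as well as
# Configuration and Schema; Schema is never monitored and Configuration is opt-in.
$rootDse    = [ADSI]"LDAP://RootDSE"
$partitions = @($rootDse.namingContexts) | Where-Object {
    $_ -notlike "CN=Schema,*" -and ($includeConfig -or $_ -notlike "CN=Configuration,*")
}

foreach ($nc in $partitions) {
    $containerDn = "CN=$containerName,$nc"

    # Pre-create the container when it is missing. This alone is enough when the agent runs
    # as Local System and that account has not been restricted on the partition.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$containerDn")) {
        $parent = [ADSI]"LDAP://$nc"
        $new    = $parent.Children.Add("CN=$containerName", "container")
        $new.CommitChanges()
        Write-Host "Created $containerDn"
    }

    $container = [ADSI]"LDAP://$containerDn"

    # Idempotency: skip the grant if an Allow ACE for this SID already covers the rights
    # with inheritance All (the UI's "This object and all child objects").
    $already = $container.ObjectSecurity.GetAccessRules($true, $false,
                   [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All -and
            (($_.ActiveDirectoryRights -band $rights) -eq $rights)
        }

    if (-not $already) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
                   $sid, $rights,
                   [System.Security.AccessControl.AccessControlType]::Allow,
                   [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $container.ObjectSecurity.AddAccessRule($ace)
        $container.CommitChanges()
        Write-Host "Granted Read/Write/CreateChild (this object and all child objects) on $containerDn"
    }

    # Verify by reading the ACL back rather than trusting the write.
    $container.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $runAsAccount } |
        Select-Object @{n='Partition';e={$nc}}, ActiveDirectoryRights, InheritanceType, IsInherited |
        Format-Table -AutoSize
}
```

Run it once on a domain controller in each domain; the ForestDNSZones entry is forest-wide, so the idempotency check simply reports it as already present on later runs.  The rights deliberately stop at Read, Write and Create all child objects on this one container, which is all the replication monitoring script needs to create and update its per-DC objects; granting the Run As account anything on the partition root, or Full Control on the container, goes beyond the minimum the management pack requires.  If you prefer the built-in command line tool, dsacls grants the equivalent entry with /G "CONTOSO\svc-admp-repl:GRGWCC" /I:T against the container's distinguished name.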

Hopefully you find this helpful and it clarifies the permissions you need to grant to the Run As account on the replication monitoring container in each partition of the directory service. 

Note:   Once the replication monitoring script in the management pack has created an object for each DC and monitoring is operating normally, you can remove the old replication monitoring container, MOMLatencyMonitors, from each domain in the forest and from each application partition that was being monitored.