AD Replication Monitoring – Access Denied


During the implementation of the Active Directory Management Pack I ran into the following issue.
When you want to monitor replication between domain controllers inside a forest, the Active Directory Management Pack Guide tells you to configure a domain account that will be used for replication monitoring.


To ensure the replication monitoring account has the rights to modify the objects under the “OpsMgrLatencyMonitors” container:

  1. Start “Adsiedit.msc” and click “Connect to”
  2. Under “Connection Point”, select “Select or type a Distinguished Name or Naming Context:” and fill in “DC=Domain,DC=Domain_Extension”
  3. Locate and right-click “CN=OpsMgrLatencyMonitors,DC=domain,DC=domain_extension” and click “Properties”
  4. In the “Security” tab click “Advanced”
  5. Click “Advanced” and click “Add”
  6. Under “Select Users, Computers, or Groups”, enter the “Active Directory Management Pack Run As” account and click “OK”
  7. Under “Permission Entry for OpsMgrLatencyMonitors”, check that “Apply to” is set to “This object and all descendant objects”
  8. Under permissions, allow “Read all properties”, “Write all properties” and “Create all child objects”
  9. Click “OK”, “Apply” and “OK” (twice)
  10. In the Adsiedit console click “Action”, “Connect to”
  11. Under “Connection Point”, select “Select or type a Distinguished Name or Naming Context:” and fill in “DC=DomainDNSZones,DC=Domain,DC=Domain_Extension”
  12. Locate and right-click “CN=OpsMgrLatencyMonitors,DC=DomainDNSZones,DC=domain,DC=domain_extension” and click “Properties”
  13. In the “Security” tab click “Advanced”
  14. Click “Add”
  15. Under “Select Users, Computers, or Groups”, enter the “Active Directory Management Pack Run As” account and click “OK”
  16. Under “Permission Entry for OpsMgrLatencyMonitors”, check that “Apply to” is set to “This object and all descendant objects”
  17. Under permissions, allow “Read all properties”, “Write all properties” and “Create all child objects”
  18. Click “OK”, “Apply” and “OK” (twice)
  19. In the Adsiedit console click “Action”, “Connect to”
  20. Under “Connection Point”, select “Select or type a Distinguished Name or Naming Context:” and fill in “DC=ForestDNSZones,DC=Domain,DC=Domain_Extension”
  21. Locate and right-click “CN=OpsMgrLatencyMonitors,DC=ForestDNSZones,DC=domain,DC=domain_extension” and click “Properties”
  22. In the “Security” tab click “Advanced”
  23. Click “Add”
  24. Under “Select Users, Computers, or Groups”, enter the “Active Directory Management Pack Run As” account and click “OK”
  25. Under “Permission Entry for OpsMgrLatencyMonitors”, check that “Apply to” is set to “This object and all descendant objects”
  26. Under permissions, allow “Read all properties”, “Write all properties” and “Create all child objects”
  27. Click “OK”, “Apply” and “OK” (twice)
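
To confirm the entries from the steps above exist on all three containers, this read-only PowerShell check (an added example, not part of the original post) reports which of the three rights, if any, the account is still missing on each one. The domain DN is the placeholder used in the steps and the Run As account name is hypothetical; replace both.

```powershell
# Added example, not from the original post. Read-only: it only reads the ACLs.
# Assumed values: placeholder domain DN and a hypothetical Run As account name.
Add-Type -AssemblyName System.DirectoryServices
$DomainDN = 'DC=domain,DC=domain_extension'
$RunAs    = 'DOMAIN\svc-admp-runas'

$containers = @(
    "CN=OpsMgrLatencyMonitors,$DomainDN",
    "CN=OpsMgrLatencyMonitors,DC=DomainDNSZones,$DomainDN",
    "CN=OpsMgrLatencyMonitors,DC=ForestDNSZones,$DomainDN"
)

# Read all properties + Write all properties + Create all child objects
$required = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, CreateChild'
# "This object and all descendant objects" in the permission entry dialog
$scopeAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

foreach ($dn in $containers) {
    $granted = 0
    $status  = 'OK'
    try {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
            throw 'container not found'
        }
        $entry = [ADSI]"LDAP://$dn"
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($ace in $rules) {
            # Count only Allow ACEs for the account that are not limited to one property or class
            if ($ace.IdentityReference.Value -ieq $RunAs -and
                $ace.AccessControlType -eq 'Allow' -and
                $ace.InheritanceType -eq $scopeAll -and
                $ace.ObjectType -eq [guid]::Empty) {
                $granted = $granted -bor [int]$ace.ActiveDirectoryRights
            }
        }
        $missing = $required -band (-bnot $granted)
        if ($missing -ne 0) {
            $status = 'Missing: ' + [System.DirectoryServices.ActiveDirectoryRights]$missing
        }
    }
    catch {
        # Container absent, partition unreachable, or the caller cannot read the ACL
        $status = 'Error: ' + $_.Exception.Message
    }
    [pscustomobject]@{ Container = $dn; Account = $RunAs; Result = $status }
}
```

Rights the account holds only through group membership are not counted, because the check matches ACEs issued to the account name itself, as the steps above create them.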