
Active Administrator 8.4 - Installation Guide


Troubleshooter

The logged-on user account running the Active Administrator Console requires the Active Directory Health Troubleshooter minimum permissions outlined below.

Directory Service Replication Troubleshooter

The Console user must have rights to perform replication.

The Console user must have directory synchronization rights at the configuration root. See the article at:
https://social.technet.microsoft.com/wiki/contents/articles/21565.active-directory-delegate-replication-rights-to-non-admins.aspx

Enable or disable domain controller replication

The Console user must have read/write access to the LDAP://CN=NTDS Settings,CN={DCName},CN=Servers,CN={Site Name},CN=Sites,CN=Configuration,DC={Domain Name} Active Directory object.

Set directory service log levels

The Console user must have read/write access to the following registry key on the remote system: HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics

Set Netlogon Parameters

The Console user must have read/write access to the following registry key on the remote system: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Set startup and recovery options

The Console user must have read/write access to the following registry key on the remote system: HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\

Start metadata cleanup

The Console user must have Domain Administrator rights.

Start online defrag

The Console user must have Domain Administrator rights.

Replication View

The Console user must have Domain User rights.
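One way to check the registry delegation for the three Troubleshooter tasks above, as an added example that is not part of the vendor guide: it reports, per key, whether the Console account holds read/write and whether it was also given rights to change the key's ACL. The account name is a placeholder, "read/write" is assumed to mean ReadKey plus WriteKey, and only ACEs that name the account directly are evaluated.

```powershell
# Added example (not vendor code). Run on the target domain controller, or
# wrap the body in Invoke-Command -ComputerName <DC> from an admin workstation.
param(
    # Placeholder: the Console user, or the group the rights were delegated to.
    [string]$Account = 'EXAMPLE\AA-Console-Users'
)

# The three keys named in the Troubleshooter section, with the task each serves.
$keys = [ordered]@{
    'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'    = 'Set directory service log levels'
    'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' = 'Set Netlogon Parameters'
    'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'         = 'Set startup and recovery options'
}

# Assumption: "read/write" is interpreted as ReadKey plus WriteKey.
$need = [int][System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
# Rights that let the holder re-ACL the key; read/write does not need them.
$aclRights = [int][System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($path in $keys.Keys) {
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $path).Access) {
        # Only ACEs naming $Account directly are counted; rights reaching the
        # account through other group memberships are not resolved here.
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.RegistryRights
        } else {
            $deny = $deny -bor [int]$ace.RegistryRights
        }
    }
    # Deny entries take precedence over allow entries.
    $effective = $allow -band (-bnot $deny)

    [pscustomobject]@{
        Task         = $keys[$path]
        Key          = $path
        HasReadWrite = ($effective -band $need) -eq $need
        CanChangeAcl = ($effective -band $aclRights) -ne 0
    }
}
```

A row with HasReadWrite false means the corresponding Troubleshooter task will fail for that account; a row with CanChangeAcl true means the delegation is broader than this section asks for.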

The reports listed in this section are available only in the Web-based application of Active Directory Health. For more information on these reports, see the Quest® Active Administrator® Web Console User Guide.

The AFS user account must have Enable Account and Remote Enable WMI Security permissions for the target servers. See Authorize WMI users and set permissions (https://technet.microsoft.com/en-us/library/cc771551(v=ws.11).aspx). Be sure the permission entry you create for the AFS account applies to This namespace and subnamespaces so the permissions inherit down the tree.

The following table details the minimum permissions required for each individual report in the Active Directory Health web-based application.

Active Directory White Space

The AFS account must have read access to the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\ registry key on the remote system, or the AFS account should be a member of the Server Operators group in Active Directory.

AD Diagnostic Event Logging Levels

The AFS account must have read access to the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\ registry key on the remote system, or the AFS account should be a member of the Server Operators group in Active Directory.

AD Disk Space

The AFS account must have read access to the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ registry key on the remote system.

The AFS account must have read access to the SYSVOL directory.

The AFS account must have read access to the folder where the Active Directory databases are located.

Application Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

Authentication Methods

Domain User rights required.

Bind with RID Master

Domain User rights required.

Conflicting Objects

Domain User rights required.

Connection Object Duplicates

Domain User rights required.

Cross-Domain Linked GPO

Domain User rights required.

DC Adapter Information

Domain User rights required.

The AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DC Advertising

Domain User rights required.

DC Connection Objects

Domain User rights required.

DC Consistency

Domain User rights required.

DC Information

Domain User rights required.

DC Operating System Information

Domain User rights required.

The AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DC Replica State

Domain User rights required.

DC Roles

Domain User rights required.

DC RootDSE

Domain User rights required.

DC Security Configuration

Domain User rights, WMI rights, and File System rights required.

DC Services

Domain Administrator rights required.

DC Site Coverage

Domain User rights required.

DC Sites

Domain User rights required.

DC SPNs

Domain User rights required.

Directory Health Alerts

Domain User rights required.

The AFS account must be a member of the AA_Admins group either in the domain or on the database server, depending on the configuration selected during setup.

Directory Objects

Domain User rights required.

The AFS account must be a member of the AA_Admins group either in the domain or on the database server, depending on the configuration selected during setup.

Directory Service Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

Directory Service Parameters

The AFS account must have read access to the HKLM\CurrentControlSet\Services\NTDS\Parameters\ registry key on the remote system, or the AFS account should be a member of the Server Operators group in Active Directory.

Disk Drives

The AFS account must have read access to the HKLM\CurrentControlSet\Services\NTDS\Parameters\ registry key on the remote system, or be a member of the Server Operators group in Active Directory.

Distributed File System (DFS) Shares

Domain User rights required.

Distributed File System Replication

Domain User rights required and the AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DNS Configuration

Domain User rights required and the AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DNS Event Log

Domain Administrator rights required.

DNS Zone Information

The AFS account must have read access rights to all DNS zones on the target DNS servers, and Enable Account and Remote Enable WMI Security permissions for the target servers.

DNS Zones

The AFS account must have read access rights to all DNS zones on the target DNS servers and Enable Account and Remote Enable WMI Security permissions for the target servers.

Domain Advertising

Domain User rights required.

Domain Configuration

Domain User rights required.

Domain Controllers

Domain User rights required.

Domain Controllers without Replication Links

Domain User rights required.

Domain Naming Masters

Domain User rights required.

Domain Role Holders

Domain User rights required.

Domains

Domain User rights required.

Drivers List

Domain Administrator rights required.

Duplicate SIDS

Domain User rights required.

Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

Event Log Errors

The AFS account must be a member of the Event Log Readers group in Active Directory.

Forest Configuration

Domain User rights required.

Forest Inventory

Domain User rights required.

The AFS account must have read and write access to the Active Administrator share.

Global Catalogs

Domain User rights required.

GPO Consistency

Domain User rights required.

Ineffective GPO

Domain User rights required.

Infrastructure Master

Domain User rights required.

Installed Updates

Domain Administrator rights required.

Inter-site Topology Generators

Domain User rights required.

Lost and Found Items

Domain User rights required.

Naming Context Metadata

Domain User rights required.

Naming Context Topology

Domain User rights required.

Naming Context Topology Aliveness

Domain User rights required.

Naming Context Up-to-Dateness

Domain User rights required.

Owner Information

Domain User rights required.

PDC Emulators

Domain User rights required.

Ping Global Catalog

Domain User rights required.

Remote Access Information

Domain Administrator rights required.

Replication Failures

Domain User rights required.

Replication Logon Privileges

Domain User rights required.

Replication Partners

Domain User rights required.

Replication Partner DNS Resolution

Domain User and WMI rights required.

Replication Queue Length

Domain Administrator rights required.

RID Information

Domain User rights required.

RID Masters

Domain User rights required.

RIDs

Domain User rights required.

Schema Master

Domain User rights required.

Security Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

System Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

SYSVOL Consistency

Domain User, WMI, and File System Access rights required.

Time Synchronization

Domain User and WMI rights required.

Unlinked GPO

Domain User rights required.

AFS service account minimum permissions

The following table details the minimum permissions required for proper functionality of the Active Administrator Foundation Service (AFS) service account.

Account Expiration

Active Templates

Active Directory Health Reports

Active Directory Infrastructure Reports

Alert History Report

Alerts

Archiving and Purging

Assessment Report

Audit Agent

Audit Reports

Auditing

Azure Active Directory

Cache

Certificate Management

Certificate Repository

Certificate Search

Certification report

Conductors

Configuration

Configuration report

Dashboard

DC consistency report

DCRIDInfoReport

DFSR report

DNS Management

DNS Analyzer

DNS Event log

DNS report

DNSConfiguration report

DSParameters report

Event definition

Group Policy

Helpers

Inactive Accounts

Licensing

LockedOutAccounts

LogLevels report

WhiteSpace report

Password Reminder

Recovery

Replication Monitoring

SecConfig Report

DiscSpace Report

Security (All objects) reports

Service Monitoring

Site coverage report

Tasks

TimeSync report

Trustees

User Settings

Workstation Logon

Diagnostic Console minimum permissions

To run the Diagnostic Console, the Domain Administrator permission is recommended.

The Performance Monitor Users and Performance Log Users permissions are the minimum permissions required to collect most, but not all, Active Directory performance data on the target domain controller.

The Domain Administrator permission is needed for the Diagnostic Console to collect data and display the following critical alarms on target domain controllers:

 

Installing and configuring Active Administrator

Quest® Active Administrator® has two main components: Server and Console. Install the Console component on any computer that requires it. The Server component needs to be installed on only one computer. Both the Console and Server components can be installed on the same server.

To install and configure Active Administrator, follow the steps in these sections:
