
Active Administrator 8.7 - Installation Guide


Active Directory Health Module Configuration

Agents

Install agents

Uninstall agents

View agent status

Stop/Start/Restart agents

Upgrade agents

Set agent startup account

Set agent port number

Test connection

View agent log

Agent online verification

Domain User rights required.

Agent workload deployment

Domain User rights required.

Check agent service status

Using a group policy, assign the Start, Stop, and Query status permissions to the AFS account for the Active Administrator Active Directory Health Analyzer Agent service.

Restart agent service

Using a group policy, assign the Start, Stop, and Query status permissions to the AFS account for the Active Administrator Active Directory Health Analyzer Agent service.

Stop/start process

The AFS account must have local administrator rights to stop or start a process on the target system.

Stop/start/restart service

Using a group policy, assign the Start, Stop, and Query status permissions to the AFS account for the target service.

Reboot server

The AFS account must be assigned the Force shutdown from a remote system right on the target system, which can be applied from a Group Policy: Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Force shutdown from a remote system.
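
The Start, Stop, and Query status permissions required above appear in a service's security descriptor as the SDDL rights RP, WP, and LC. The following added example (not part of the vendor guide or product) checks that an account's ACE grants those three rights and flags configuration or ACL-write rights beyond them. The function name, SID, and SDDL strings are constructed for illustration, and only ACEs that name the SID directly are evaluated (group membership is not resolved).

```powershell
# Added example: audit a service DACL for the rights this guide asks for.
# Live input would come from:  sc.exe sdshow <ServiceName>   (placeholder name)
$RequiredRights = [ordered]@{ QueryStatus = 0x0004; Start = 0x0010; Stop = 0x0020 }  # LC, RP, WP
$ExcessRights   = [ordered]@{ ChangeConfig = 0x0002; Delete = 0x10000
                              WriteDac = 0x40000; WriteOwner = 0x80000 }             # DC, SD, WD, WO

function Test-ServiceControlAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Sddl,        # SDDL string of the service
        [Parameter(Mandatory)][string]$AccountSid   # SID of the account to check
    )
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $sid = [System.Security.Principal.SecurityIdentifier]::new($AccountSid)
    $allow = 0
    $deny  = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow/deny ACEs that name the account directly are considered.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if (-not $ace.SecurityIdentifier.Equals($sid)) { continue }
        if ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed) {
            $allow = $allow -bor $ace.AccessMask
        } elseif ($ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied) {
            $deny = $deny -bor $ace.AccessMask
        }
    }
    # Simplification: any deny ACE for the SID overrides an allow, regardless of ACE order.
    $effective = $allow -band (-bnot $deny)
    $missing = @($RequiredRights.Keys | Where-Object { -not ($effective -band $RequiredRights[$_]) })
    $extra   = @($ExcessRights.Keys   | Where-Object { $effective -band $ExcessRights[$_] })
    [pscustomobject]@{
        Sid       = $AccountSid
        Missing   = $missing     # required rights the ACE does not grant
        Extra     = $extra       # rights beyond what the guide requires
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Constructed sample data: the SID and both SDDL strings are made up.
$afsSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$minimal = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;$afsSid)"
$tooWide = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCRPWPWD;;;$afsSid)"

Test-ServiceControlAcl -Sddl $minimal -AccountSid $afsSid   # grants exactly LC, RP, WP
Test-ServiceControlAcl -Sddl $tooWide -AccountSid $afsSid   # also grants DC and WD
```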

Notifications

Send alert notifications

Domain User rights required.

Mute notifications

Domain User rights required.

Limit notifications

Domain User rights required.

Routing

Domain User rights required.

Alert processing

Domain User rights required.

Troubleshooter

The Active Directory Health Troubleshooter minimum permissions outlined below are required for the logged on user account running the Active Administrator Console.

Directory Service Replication Troubleshooter

The Console user must have rights to perform replication.

The Console user must have directory synchronization rights at the configuration root. See the article at:
https://social.technet.microsoft.com/wiki/contents/articles/21565.active-directory-delegate-replication-rights-to-non-admins.aspx

Enable or disable domain controller replication

The Console user must have read/write access to the LDAP://CN=NTDS Settings,CN={DCName},CN=Servers,CN={Site Name},CN=Sites,CN=Configuration,DC={Domain Name} Active Directory object.

Set directory service log levels

The Console user must have read/write access to the following registry key on the remote system: HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics

Set Netlogon Parameters

The Console user must have read/write access to the following registry key on the remote system: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Set startup and recovery options

The Console user must have read/write access to the following registry key on the remote system: HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\

Start metadata cleanup

The Console user must have Domain Administrator rights.

Start online defrag

The Console user must have Domain Administrator rights.

Replication View

The Console user must have Domain User rights.

The reports listed in this section are available only in the Web-based application of Active Directory Health.

The AFS user account must have Enable Account and Remote Enable WMI Security permissions for the target servers. See Authorize WMI users and set permissions (https://technet.microsoft.com/en-us/library/cc771551(v=ws.11).aspx). Be sure the permission entry you create for the AFS account applies to This namespace and subnamespaces so the permissions inherit down the tree.

The following table details the minimum permissions required for each individual report in the Active Directory Health web-based application.

Active Directory White Space

The AFS account must have read access to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\ registry key on the remote system or the AFS account should be a member of the Server Operators group in Active Directory.

AD Diagnostic Event Logging Levels

The AFS account must have read access to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\ registry key on the remote system or the AFS account should be a member of the Server Operators group in Active Directory.

AD Disk Space

The AFS account must have read access to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ registry key on the remote system.

The AFS account must have read access to the SYSVOL directory.

The AFS account must have read access to the folder where the Active Directory databases are located.

Application Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

Authentication Methods

Domain User rights required.

Bind with RID Master

Domain User rights required.

Conflicting Objects

Domain User rights required.

Connection Object Duplicates

Domain User rights required.

Cross-Domain Linked GPO

Domain User rights required.

DC Adapter Information

Domain User rights required.

The AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DC Advertising

Domain User rights required.

DC Connection Objects

Domain User rights required.

DC Consistency

Domain User rights required.

DC Information

Domain User rights required.

DC Operating System Information

Domain User rights required.

The AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DC Replica State

Domain User rights required.

DC Roles

Domain User rights required.

DC RootDSE

Domain User rights required.

DC Security Configuration

Domain User rights, WMI rights, and File System rights required.

DC Services

Domain Administrator rights required.

DC Site Coverage

Domain User rights required.

DC Sites

Domain User rights required.

DC SPNs

Domain User rights required.

Directory Health Alerts

Domain User rights required.

The AFS account must be a member of the AA_Admins group either in the domain or on the database server, depending on the configuration selected during setup.

Directory Objects

Domain User rights required.

The AFS account must be a member of the AA_Admins group either in the domain or on the database server, depending on the configuration selected during setup.

Directory Service Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

Directory Service Parameters

The AFS account must have read access to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ registry key on the remote system or the AFS account should be a member of the Server Operators group in Active Directory.

Disk Drives

The AFS account must have read access to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ registry key on the remote system, or be a member of the Server Operators group in Active Directory.

Distributed File System (DFS) Shares

Domain User rights required.

Distributed File System Replication

Domain User rights required and the AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DNS Configuration

Domain User rights required and the AFS account must have Enable Account and Remote Enable WMI Security permissions for the target servers.

DNS Event Log

Domain Administrator rights required.

DNS Zone Information

The AFS account must have read access rights to all DNS zones on the target DNS servers, and Enable Account and Remote Enable WMI Security permissions for the target servers.

DNS Zones

The AFS account must have read access rights to all DNS zones on the target DNS servers and Enable Account and Remote Enable WMI Security permissions for the target servers.

Domain Advertising

Domain User rights required.

Domain Configuration

Domain User rights required.

Domain Controllers

Domain User rights required.

Domain Controllers without Replication Links

Domain User rights required.

Domain Naming Masters

Domain User rights required.

Domain Role Holders

Domain User rights required.

Domains

Domain User rights required.

Drivers List

Domain Administrator rights required.

Duplicate SIDS

Domain User rights required.

Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

Event Log Errors

The AFS account must be a member of the Event Log Readers group in Active Directory.

Forest Configuration

Domain User rights required.

Forest Inventory

Domain User rights required.

The AFS account must have read and write access to the Active Administrator share.

Global Catalogs

Domain User rights required.

GPO Consistency

Domain User rights required.

Ineffective GPO

Domain User rights required.

Infrastructure Master

Domain User rights required.

Installed Updates

Domain Administrator rights required.

Inter-site Topology Generators

Domain User rights required.

Lost and Found Items

Domain User rights required.

Naming Context Metadata

Domain User rights required.

Naming Context Topology

Domain User rights required.

Naming Context Topology Aliveness

Domain User rights required.

Naming Context Up-to-Dateness

Domain User rights required.

Owner Information

Domain User rights required.

PDC Emulators

Domain User rights required.

Ping Global Catalog

Domain User rights required.

Remote Access Information

Domain Administrator rights required.

Replication Failures

Domain User rights required.

Replication Logon Privileges

Domain User rights required.

Replication Partners

Domain User rights required.

Replication Partner DNS Resolution

Domain User and WMI rights required.

Replication Queue Length

Domain Administrator rights required.

RID Information

Domain User rights required.

RID Masters

Domain User rights required.

RIDs

Domain User rights required.

Schema Master

Domain User rights required.

Security Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

System Event Log

The AFS account must be a member of the Event Log Readers group in Active Directory.

SYSVOL Consistency

Domain User, WMI, and File System Access rights required.

Time Synchronization

Domain User and WMI rights required.

Unlinked GPO

Domain User rights required.
