A feature of ADMP is replication monitoring. The account which will be used for monitoring must have rights on domain controllers in the domains. From a 'lease privilege' point of view, you should only give that account rights to only the objects that are really neccesary for operational monitoring. The ADMP guide luckely describes this in detail.
Doing these steps for multiple domains is kind of a hassle. That's why i wanted to create a ADMP deployment script to help system administrators implement ADMP faster in more complex AD environments.
--- weeks later.......
I must confess that writing a one-for-all implementation script for ADMP is not easy. Eventually after multiple implementations i made my choice. I decided to cancel my journey for the ultimum. Even if i did continue to make such a script, who would use it. Who do you trust enough to automate a Default Domain Controller Policy deployment, in which you delegate some rights for the Replication Monitor account.
My advice:
- Read ADMP implementation guide
- Backup your GPO's
- Know about SDDL's and settings security on EventLog items.
Last but not least
There are some tools to help you deploy the ADMP management pack faster. I gathered all tools and hot links:
ADMP Checlist: http://www.systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/7808/Default.aspx
SDDL strings for EventLog security:
Microsoft's article: http://support.microsoft.com/kb/323076
SID tools:
I made some VBscripts for this. I will publish them as soon as possible.
0 reacties:
Post a Comment