Best practice for Domain Controler monitoring

[Robert_in_MTL]

Hi,
We increased security on our network and we want to avoid using Domain Admins accounts for our services (RMA / run as...) so I want to hear what you suggest before I do anything.

I would like to know your views / best practices to monitor Domain Controlers. (CPU, Disk Space, services, etc...)

Do you recommend having a domain admin user for the service, or to access DCs or you have an alternative?

Should I simply use one RMA on each DC to monitor locally? (around 15 DCs)

Any input from other users are also welcome.

Thanks, and for the 100th time, koodos at HostMonitor !

[KS-Soft Europe]

It depends on test methods, you need to perform and your environment.
E.g. test methods like, CPU Usage, Performance Counter and Process can be performed using regular user account that has access to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows_NT\CurrentVersion\Perflib
on target system.
Ping, TCP, http, SNMP test methods does not require domain user authentication.
Other test methods may require admin rights.
If you do not want to use domain admin account or there are firewalls installed between HostMonitor and target system, we recommend to use RMA agent. Passive RMA requires only one incoming TCP port to be opened for communication, while Active RMA does not require opened incoming ports.
For local (RMA system) monitoring RMA service can be started under local system account.

[Robert_in_MTL]

hmmm, we use a domain account for services and access, and it has no rights on DC's

so, in other words, I would need 1 RMA per DC running as local services ?

[KS-Soft Europe]

Correct.

[Robert_in_MTL]

ok, thanks...