Discussion:
Action Account rights in Forest root Domain
Steve
2007-11-05 11:11:06 UTC
I'm a newbie. I have a test environment with a forest root domain and a child
domain.
I installed an Ops Manager 2007 server in the child domain.
After importing the management pack for AD, everything in the child domain
seems OK. But for the forest domain I get a few warnings. All the servers are
Windows 2003 SP1.
The action account has domain admin rights in the child domain.
I want to give this account also domain admin rights in the root domain, but
don't know if it is possible.
I tried creating several groups (Global, Universal) in the root domain,
adding the action account to this group, and then making this group a member of
domain admin.
Most of the warnings are:
"Script or Executable failed to run", "Script base test failed to
complete" and "AD replication monitoring - Acces denied"
I tried the solutions on this site:
http://ops-mgr.spaces.live.com/Blog/cns!3D3B8489FCAA9B51!194.entry
I also read the AD Management Pack guide, but that didn't work.

Any suggestions?
Thanx
Anders Bengtsson
2007-11-05 12:59:23 UTC
Hi Steve,

Running the action account as a domain admin account is not a good idea, it is
a bad idea. Instead you should use Local System as the action account. You need
to use an account with local administrator permissions when installing the
agent.

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


Steve
2007-11-05 14:39:03 UTC
Thanx for the reply anderson.
I know it's a bad idea running the AA with domain admin permissions, but this
is a test environment, and I just want to get everything up and running, so
that I'll get familiar with Ops Manager 2007.
For now I just want to solve the errors.
How to make the action account local admin on the forest root domain?
Would using the root domain builtin\administrator group be enough?
Would that solve my errors?
Anders Bengtsson
2007-11-07 12:55:21 UTC
Hi Steve,

If you add the builtin administrators security groups for both domains to
both domains' administrators groups, that should do it.

-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se


Steve
2007-11-14 13:13:02 UTC
I've been on vacation, so sorry for my late response. I can't add a user or
group from one domain into the other domain admin group. I can only search in
Contacts and other objects. I also have an ISA 2006 server installed for
routing between the subnets. What am I doing wrong?
Thanx