"Invoke-IcingaCheckService" on Windows Domain Controller: NTDS Service not found

Hello community! :slightly_smiling_face:

 

I’m building a Service Set for Active Directory Services, using Invoke-IcingaCheckService from Icinga-For-Windows.

I’m able to check all expected AD Services on our Windows Domain Controllers – except one:
NTDS: Service not found


This service is running perfectly fine in Windows.


In a PowerShell with Admin Rights, it checks out fine.


However, this looks different in a non-administrative PowerShell instance.


So, neither the PowerShell-native Get-Service NTDS nor the Icinga check Invoke-IcingaCheckService -Service NTDS is able to find the service in a non-admin PowerShell.

 

Do you know of a way to make Invoke-IcingaCheckService “see” this Windows Service?
(Maybe by somehow elevating its privileges?)

Thanks sincerely! :v: – Barney

 

Icinga for Windows v1.10.1 (agent 2.12.9, framework v1.10.1, plugins 1.10.0, service 1.2)
Microsoft Windows Server 2019 Standard 10.0.17763 (with role “Active Directory Domain Services”)

Did you ever find the solution for this? I also see the same need to monitor NTDS. Is the answer to run the Icinga service as “System” instead?

Hi Niclas,

Sadly, no. The workaround for one agent was to add the “Networking Service” user (in whose user context the icinga2.exe process is running) to the local admin group.

This worked, but has obvious security and manageability drawbacks, so I’ve never rolled this out to other Windows agents.
However, this error is a dealbreaker (not only) for AD monitoring so I’m thinking about writing a bug report once I’ve got some time. :wink:

Hope this helps,
Barney

Thanks… Adding it to “local admin group” on the DC is not a good option as you say so I will not do that… I’ll figure out another way of monitoring AD DCs then :slight_smile: Thanks for your reply!

This solved it for me!

https://community.icinga.com/t/certain-windows-service-monitoring-is-not-working-e-g-dhcpserver/12480/5?u=niclase

Awesome, thanks Nic!

Another, maybe more elegant (read: more involved but ultimately securer), solution seems to be JEA profiles

https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/

# first enable & configure WinRM service, then...
Install-IcingaSecurity;

Also includes a dedicated user for the two services (should be the way to go on fresh IfW installs anyway IMHO).

… Oh well, as I’m already rewriting my agent deployment scripts from scratch, I’ll try that out. :partying_face:

If all else fails, the marked answer is a good fallback. :slight_smile:

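
Added example, not part of any post in this thread: Windows silently omits a service from enumeration when the caller lacks the SERVICE_QUERY_STATUS right on it, which matches the elevated versus non-elevated difference described in the first post. The PowerShell below is a read-only check that parses a service security descriptor (SDDL) and reports whether a set of SIDs is granted that right. The function name `Test-ServiceQueryAccess`, the sample SDDL strings and the SID list assumed for the agent account are constructed for illustration, and the thread does not confirm that this is the cause on the poster's DC.

```powershell
# Added example (not from the thread). Read-only: nothing on the host is changed.
function Test-ServiceQueryAccess {
    param(
        [Parameter(Mandatory)] [string]   $Sddl,       # service security descriptor
        [Parameter(Mandatory)] [string[]] $TokenSids   # SIDs in the caller's token
    )
    # SERVICE_QUERY_STATUS (0x4), plus GENERIC_READ and GENERIC_ALL, which the
    # service generic mapping expands to include it.
    $mask = 0x0004 -bor 0x80000000 -bor 0x10000000
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    # A missing (NULL) DACL grants access to everyone.
    if ($null -eq $sd.DiscretionaryAcl) { return $true }

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce])  { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value)  { continue }
        if (($ace.AccessMask -band $mask) -eq 0)                    { continue }
        # The first ACE that matches the caller and the right decides,
        # so a deny ACE placed ahead of an allow ACE wins.
        return ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed)
    }
    return $false   # no matching ACE: access is implicitly denied
}

# Assumption: SIDs in the token of a process running as NETWORK SERVICE
# (NETWORK SERVICE, Authenticated Users, Everyone, SERVICE).
$agentSids = 'S-1-5-20', 'S-1-5-11', 'S-1-1-0', 'S-1-5-6'

# Constructed sample, not read from a real domain controller:
# only SYSTEM (SY) and Administrators (BA) have ACEs.
$restricted = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
# Constructed sample: same DACL plus a read-only ACE for Authenticated Users (AU):
# query config (CC), query status (LC), enumerate dependents (SW),
# interrogate (LO), read the descriptor (RC).
$readable   = $restricted + '(A;;CCLCSWLORC;;;AU)'

foreach ($sddl in $restricted, $readable) {
    [pscustomobject]@{
        Sddl           = $sddl
        AgentCanQuery  = Test-ServiceQueryAccess -Sddl $sddl -TokenSids $agentSids
    }
}

# On a live host, from an elevated prompt, the real descriptor can be fed in:
#   $live = ((sc.exe sdshow NTDS) -join '').Trim()
#   Test-ServiceQueryAccess -Sddl $live -TokenSids $agentSids
```

The check models a plain access check on one right only; restricted tokens, deny-only SIDs and per-service SIDs are not considered.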