"Invoke-IcingaCheckService" on Windows Domain Controller: NTDS Service not found

Service Monitoring
1

Hello community! :slightly_smiling_face:

 

I’m building a Service Set for Active Directory Services, using Invoke-IcingaCheckService from Icinga-For-Windows.

I’m able to check all expected AD Services on our Windows Domain Controllers – except one:
NTDS: Service not found

Screenshot

ntds-fehler-4
ntds-fehler-4812×463 66.8 KB

This service is running perfectly fine in Windows.

Screenshot

ntds-fehler-3
ntds-fehler-31152×709 188 KB

In a Powershell with Admin Rights, it checks out fine.

Screenshot

ntds-fehler-2
ntds-fehler-21089×253 35.7 KB

However, this look different in a non-administrative Powershell instance.

Screenshot

ntds-fehler-1
ntds-fehler-11077×597 163 KB

So, neither the Powershell-native Get-Service NTDS nor the Icinga check Invoke-IcingaCheckService -Service NTDS are able to find the service in a non-admin Powershell.

 

Do you know of a way to make Invoke-IcingaCheckService “see” this Windows Service?
(Maybe by somehow elevating its privileges?)

Thanks sincerely! :v: – Barney

 

Icinga for Windows v1.10.1 (agent 2.12.9, framework v1.10.1, plugins 1.10.0, service 1.2)
Microsoft Windows Server 2019 Standard 10.0.17763 (with role “Active Directory Domain Services”)

2

Did you ever find the solution for this? I also see the same need to monitor NTDS. Is the answer to run the Icinga service as “System” instead?

3

Hi Niclas,

sadly no. The workaround for one agent was to add the “Networking Service” user (in whose user context the icinga2.exe process is running) to the local admin group.

This worked, but has obvious security and manageability drawbacks; so I’ve never rolled this out to other windows agents.
However, this error is a dealbreaker (not only) for AD monitoring so I’m thinking about writing a bug report once I’ve got some time. :wink:

Hope this helps,
Barney

1 Like
4

Thanks… Adding it to “local admin group” on the DC is not a good option as you say so I will not do that… I’ll figure out another way of monitoring AD DC’s then :slight_smile: Thanks for your reply!

5

This solved it for me!

1 Like
6

Awesome, thanks Nic!

7

Another, maybe more elegant (read: more involved but ultimately securer), solution seems to be JEA profiles

https://icinga.com/docs/icinga-for-windows/latest/doc/130-JEA/01-JEA-Profiles/

# first enable & configure WinRM service, then...
Install-IcingaSecurity;

Also includes a dedicated user for the two services (should be the way to go on fresh IfW installs anyway IMHO).

… Oh well, as I’m already rewriting my agent deployment scripts from scratch, I’ll try that out. :partying_face:

If all else fails, the marked answer is a good fallback. :slight_smile:

1 Like