I’m building a Service Set for Active Directory Services, using
Invoke-IcingaCheckService from Icinga-For-Windows.
I’m able to check all expected AD Services on our Windows Domain Controllers – except one:
NTDS: Service not found
This service is running perfectly fine in Windows.
In a Powershell with Admin Rights, it checks out fine.
However, this look different in a non-administrative Powershell instance.
So, neither the Powershell-native
Get-Service NTDS nor the Icinga check
Invoke-IcingaCheckService -Service NTDS are able to find the service in a non-admin Powershell.
Do you know of a way to make
Invoke-IcingaCheckService “see” this Windows Service?
(Maybe by somehow elevating its privileges?)
Thanks sincerely! – Barney
Icinga for Windows v1.10.1 (agent 2.12.9, framework v1.10.1, plugins 1.10.0, service 1.2)
Microsoft Windows Server 2019 Standard 10.0.17763 (with role “Active Directory Domain Services”)
Did you ever find the solution for this? I also see the same need to monitor NTDS. Is the answer to run the Icinga service as “System” instead?
sadly no. The workaround for one agent was to add the “Networking Service” user (in whose user context the icinga2.exe process is running) to the local admin group.
This worked, but has obvious security and manageability drawbacks; so I’ve never rolled this out to other windows agents.
However, this error is a dealbreaker (not only) for AD monitoring so I’m thinking about writing a bug report once I’ve got some time.
Hope this helps,
Thanks… Adding it to “local admin group” on the DC is not a good option as you say so I will not do that… I’ll figure out another way of monitoring AD DC’s then Thanks for your reply!
Another, maybe more elegant (read: more involved but ultimately securer), solution seems to be JEA profiles…
# first enable & configure WinRM service, then...
Also includes a dedicated user for the two services (should be the way to go on fresh IfW installs anyway IMHO).
… Oh well, as I’m already rewriting my agent deployment scripts from scratch, I’ll try that out.
If all else fails, the marked answer is a good fallback.