ad_server ObjectiveMonitor/AD Trusts: (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
search cancel

ad_server ObjectiveMonitor/AD Trusts: (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

book

Article ID: 377588

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We are monitoring Active Directory (AD) Domain Controllers (DC) with the ad_server probe 2.06. 

When looking at the the Objective Monitor > AD Trust we are seeing the error: 

'Access Is Denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))'

Environment

  • DX UIM 23.4.*
  • ad_server 2.06

 

Cause

When the probe attempts to access the (Primary Domain Controller) PDC, it is failing because the user runing the Nimsoft Service where the probe is running does not enough permissions to access it.

Background: 

•  Domain Controllers (DCs) replicate data between each other and from the Primary Domain Contoller (PDC).  Every Domain Controller contains a full copy of the Active Directory database.

•  For collecting the AD Trust data, the ad_server probe, by default, attempts to access the Primary Domain Contoller (PDC) wmi services. 

•  The ad_server probe, which doesn't require configuration, is deployed locally on to the AD server/Domain Controller and uses the Nimsoft Service logged-on user. In your case this is the Local System user. 

Resolution

Possible Solutions in upcoming ad_server hotfix (on top of ad_server 2.06)

Solution 1: Change user logged-on to Nimsoft Robot Watcher (member of administrators)

--> Log-on the Nimsoft Service not as the default System account, but with an administrator User that has the access to the PDC. This way the probe should be able to access the PDC DATA. 

 

Solution: 2: Monitor replicated data on the current DC

--> Download and deploy the attached ad_server probe build and add the key "usecurrentdc = yes" in the AD Trust Profile to monitor the replicated data on the current Domain Controller.