
Andy_C
2 months ago

Can't install collectors on Windows core DCs

 

As it says on the tin. Error installing watchdog service. On separate customers' core DCs, different networks, different proxies, same error. Failed to install watchdog. Browser access to LM works and we're installing as system.

Proxies do not require auth and we're installing with domain admin rights. We've had/have support tickets opened but we haven't been able to resolve this.

Anybody got any ideas?

 

10 Replies

  • I don't have a solution to that issue, I've not tried deploying to Windows Server core before.

    But could you avoid installing the collector on the DC entirely?  We treat domain controllers the same as any other Windows Server - we apply least privilege access using a PowerShell script that's very similar to what LM describe here: https://www.logicmonitor.com/support/getting-started/advanced-logicmonitor-setup/windows-server-monitoring-and-principle-of-least-privilege

    As long as we've got a domain user (not a domain admin), we have the relevant Win Firewall ports open and the user in the right domain groups (both done in GPO) and have run the NonAdmin script (which we push out using GPO) we can monitor DCs from an external collector.

    Might be worth a look and avoiding collectors on DCs entirely.

    Dave

    • Andy_C

      Unfortunately the clients want the AD visibility/management that installing provides, otherwise we'd need a service account with Dom Admin rights and that's not happening.

      • Dave_Lee

        I'm pretty sure the AD modules work just fine when polled from a remote collector without domain admin rights.  I think there was one permission we had to set to allow some custom stuff to run, but the built-in LM modules seem to work OK for us if the user account has been assigned permissions by the Non-Admin script.

        Dave

  • We have a handful running server core but they are not DCs.  I'm unable to recall if we encountered any issues during the install as it's been years.

    Are you using the full package or bootstrap?  Are you logged in as an admin?

    • Andy_C

      Full package locally copied and installed with Domain Admin rights

  • We monitor DCs just fine without Domain Admin privileges. You just need to ensure you have given the service account all the required permissions, set the WMI permissions and set the service permissions. The script that comes with the collectors does a good job at granting most of the local permissions.

    • Andy_C

      The issue we've had several times to "all the required permissions" is customers don't want service accounts having any rights on DCs so we just use system and it manages itself.

  • The collector would need to have the RSAT tools installed to get the Get-AD* cmdlets in PowerShell.  It's in the add roles/features of Server Manager.  That allows for the remote collection of AD data.

    We've also avoided installing collectors directly on DCs as LM is extremely TCP port hungry, as is Active Directory.  Combining them on the same box is bad for both.  With the DC being the heart of any Windows enterprise deployment, it's detrimental to the whole domain to use the DC for LM.

    • Andy_C

      The only issues I have are: core won't install, and those who insist on running a 2019+ DC, with Veeam or CRM or some other stuff, and giving it 4GB of RAM. All 220-odd DCs I have are fine.

      • Andy_C

        Replying to myself, DCs only manage themselves, no others are connected.