Using a Dedicated Collector for each Windows Domain Controller?

Question

We ran into trouble monitoring our Windows Domain Controllers because we want to use least privilege and we were only receiving ping and Host Status data. It showed “No data” for CPU, disks, etc.

We used the information in the link “https://www.logicmonitor.com/support/monitoring/os-virtualization/monitoring-a-domain-controller-dc” and installed the collector on a DC using the local system account and set it to monitor itself.

I am now receiving CPU, disk, etc. from that domain controller. It appears the only catch is that I cannot monitor other systems with that collector but that is OK for our situation.

Are there others out there that are monitoring DCs using this method and if so, have you run into any trouble (performance, etc.)?

If you are not using this method, how are you monitoring your DCs in Logic Monitor.

THANK YOU very much for your assistance/opinions/guidance.

tswisdom · Accepted Answer

Good morning @jfmhfa01,As Mike mentioned, if we’re looking to monitor domain controllers without leveraging a Domain Administrator, we can install a Collector to each DC running as LocalSystem, which would only provide the Collector sufficient permissions to monitor the DC itself.For monitoring external servers in this scenario, wmi.pass and wmi.user properties pertaining to relevant credentials for the server would be need to be assigned to these resources, which will be used to authenticate instead of the LocalSystem account.https://www.logicmonitor.com/support/getting-started/advanced-logicmonitor-setup/credentials-for-accessing-remote-windows-computers

mike_moniz · Answer

I have used that method with several customers in the past and haven’t seen any issues with it. I don’t think you will have any issues as long as collector is dedicated to just monitoring the local system, using a different collector for monitoring other member servers and equipment.

cole_mcdonald · Answer

Mirroring TSWisdom,We have a few instances where we have a client domain that has some resources registered to the domain, and some not…&nbsp;in those cases, we use local accounts for the unregistered devices and use the device level wmi.user and wmi.pass properties with a &lt;hostname&gt;\&lt;username&gt;&nbsp; for each device.&nbsp; It’s a bit more manual management, but gets the job done.&nbsp; With the RestAPI, you can push that data in for a server when you set it up and have it generate a big secure password and store it in your password vault at the same time so that it’s auto-documenting and that you can give the higher risk devices on your network their own hardcore passwords.&nbsp; At that point, you could technically even give them randomized usernames :)&nbsp; How strong is your paranoia?

Forum Discussion

Using a Dedicated Collector for each Windows Domain Controller?

3 Replies

Related Content

Bug early release Collector Update V34.500

Container-based Collector - DNS issues in 35.001

Stop collector or batshscript queued tasks from collector debug?

AWS EC2 cloud collector vs local collector

Collectors Capacity review

Recent Discussions

Issues with Set-LMWebsiteGroup

ESX Host Services?

What not to do when developing code

REST API 503 errors

Anyone else have issues logging into these new forums with Firefox?