Forum Discussion

jfmhfa01's avatar
8 months ago

Using a Dedicated Collector for each Windows Domain Controller?

We ran into trouble monitoring our Windows Domain Controllers because we want to use least privilege and we were only receiving ping and Host Status data. It showed “No data” for CPU, disks, etc.

We used the information in the link “” and installed the collector on a DC using the local system account and set it to monitor itself.

I am now receiving CPU, disk, etc. from that domain controller. It appears the only catch is that I cannot monitor other systems with that collector but that is OK for our situation.

Are there others out there that are monitoring DCs using this method and if so, have you run into any trouble (performance, etc.)?

If you are not using this method, how are you monitoring your DCs in Logic Monitor.

THANK YOU very much for your assistance/opinions/guidance.

3 Replies

  • Mirroring TSWisdom,

    We have a few instances where we have a client domain that has some resources registered to the domain, and some not… in those cases, we use local accounts for the unregistered devices and use the device level wmi.user and wmi.pass properties with a <hostname>\<username>  for each device.  It’s a bit more manual management, but gets the job done.  With the RestAPI, you can push that data in for a server when you set it up and have it generate a big secure password and store it in your password vault at the same time so that it’s auto-documenting and that you can give the higher risk devices on your network their own hardcore passwords.  At that point, you could technically even give them randomized usernames :)  How strong is your paranoia?

  • Good morning @jfmhfa01,

    As Mike mentioned, if we’re looking to monitor domain controllers without leveraging a Domain Administrator, we can install a Collector to each DC running as LocalSystem, which would only provide the Collector sufficient permissions to monitor the DC itself.

    For monitoring external servers in this scenario, wmi.pass and wmi.user properties pertaining to relevant credentials for the server would be need to be assigned to these resources, which will be used to authenticate instead of the LocalSystem account.

  • I have used that method with several customers in the past and haven’t seen any issues with it. I don’t think you will have any issues as long as collector is dedicated to just monitoring the local system, using a different collector for monitoring other member servers and equipment.