System Center Operations Manager by Jonathan Hambrook

July 12, 2007

Error: Replication Monitoring – Access Denied

Filed under: Errors, Microsoft, SCOM 2007 — opsmgr @ 5:38 pm

So you have followed the Active Directory Management Pack Guide for Operations Manager 2007 to the letter and you still get Access Denied errors. You also get the same error in Event Viewer, as seen in the screenshot:
[Screenshot: AD Replication Monitoring Error]

Here are some things you will also need to check above and beyond the supplied documentation.

Container Permissions
1. On page 9 of the AD MP Guide it mentions that you need to create the MomLatencyMonitors container. I have found that in a heavily locked down environment you will need to add Read/Write permission to this container (DC=Domain, DC=com). The permission needs to be granted to the account specified under ‘Configure an Account for Replication Monitoring’ on page 9 of the AD MP Guide.

2. You may also like to check ForestDNSZones. This can be done via ADSI Edit by connecting to DC=ForestDNSZones, DC=Domain, DC=com. You will see MOMLatencyMonitors; right-click it and select Security.
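
The same two containers can be checked from a console instead of ADSI Edit. The PowerShell below is an added example, not from the original post or the AD MP Guide: the account name is a placeholder, the `CN=` prefix on the container name and the reading of "Read/Write" as the ReadProperty and WriteProperty rights are assumptions, and only ACEs granted directly to the account are matched.

```powershell
# Placeholders: replace the account and the DC=Domain,DC=com naming context.
$Account    = 'DOMAIN\svc-replmon'   # placeholder replication monitoring account
$Containers = @(
    'CN=MomLatencyMonitors,DC=Domain,DC=com',
    'CN=MomLatencyMonitors,DC=ForestDnsZones,DC=Domain,DC=com'
)
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]
# Assumption: "Read/Write" means the ReadProperty and WriteProperty bits.
$Wanted = [int]$AdRights::ReadProperty -bor [int]$AdRights::WriteProperty

function Test-ContainerAccess {
    param([string]$DistinguishedName, [string]$Identity)

    $result = [pscustomobject]@{ Container = $DistinguishedName; Status = ''; Rights = $null }
    try {
        # Binding is lazy, so a missing container or a denied read surfaces here.
        $entry = [ADSI]"LDAP://$DistinguishedName"
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true, $true, [System.Security.Principal.NTAccount])
    } catch {
        $result.Status = "Cannot read ACL: $($_.Exception.Message)"
        return $result
    }

    $allow = 0; $deny = 0
    foreach ($rule in $rules) {
        # Only ACEs naming the account itself; rights held via groups are not resolved.
        if ($rule.IdentityReference.Value -ine $Identity) { continue }
        # Inherit-only ACEs apply to child objects, not to the container.
        if ([int]$rule.PropagationFlags -band 2) { continue }   # 2 = InheritOnly
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.ActiveDirectoryRights
        } else {
            $deny = $deny -bor [int]$rule.ActiveDirectoryRights
        }
    }

    # Simplification: property-scoped ACEs (ObjectType set) count as full rights.
    $effective = $allow -band (-bnot $deny)
    $result.Rights = [System.DirectoryServices.ActiveDirectoryRights]$effective
    $result.Status =
        if (($allow -bor $deny) -eq 0)               { 'No direct ACE for account (check its groups)' }
        elseif (($effective -band $Wanted) -eq $Wanted) { 'Read/Write present' }
        else                                         { 'Read/Write missing' }
    return $result
}

$Containers | ForEach-Object { Test-ContainerAccess $_ $Account } | Format-List
```

Run it from a domain-joined machine with an account that is allowed to read the security descriptor of both containers.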

Agent Permissions
If you deployed all your agents using Local System as per the following screenshot:
[Screenshot: Agent Install Local System]
you will also run into some issues. The Health Service will start as Local System, which is fine, but Local System will also be specified as the Agent Action Account that does all the processing for that agent. This is fine for all other servers if you require it, but you will need to do the following on the Domain Controllers:

1. Add/Remove Programs
2. Select the System Center Operations Manager Agent and click Change
3. Select Modify
4. Select Modify Management Group
5. Click Next on the next 2 screens until you get to the Ready to Install screen
6. Click Back
7. Specify a Domain Account. (See the deployment Guide page 31 for the permission of the Agent Action Account)
8. Click Next then Install

After the above steps, the service will still start with the Local System account but will do all its processing using the domain Agent Action Account. You should now be able to restart the Health Service and your permissions issues should go away.

I do however recommend that all Agents be deployed using a domain Agent Action Account.



  1. Jonathan,

    I’m curious to know your experiences that led you to the recommendation to use a domain account for the Agent Actions.

    We’re running into permissions issues using local system accounts – specifically with SQL monitoring, and our topology is similar to your reference one in May.

    Since we’re using multiple gateways, we decided on local system rather than trying to create accounts within each DMZ. I’m wondering if we made a poor choice.

    Comment by Cooper V — July 26, 2007 @ 7:14 am

  2. Good question and one that I have spent time pondering. However, I feel the answer can be made simple. SCOM has the ability to allow you to change the Action Account so some servers can have a local account and others can have a domain account.

    The main reason for having a Domain account is that you can administer the access via Group Policy on multiple machines from the one place.

    Comment by opsmgr — July 31, 2007 @ 1:28 pm
