A customer recently sent us the following question:

“What permissions are required for dfsrdiag queries? When running a dfsrdiag backlog query, a user is getting ‘[ERROR] Failed to connect to WMI services on computer: [FQDN]’. Does the user need admin or some lesser permission on the server being queried, some permissions for the replication group, or something else?”

By default, to check backlogs using Dfsrdiag you must be part of the local Administrators group on the servers being queried. However, you can also delegate permissions to a user to query servers by using the following procedure:

1. Add the user account to the Distributed COM Users local group on each machine by running the following command:

net localgroup "Distributed COM Users" domain\username /add

2. Add the user account to the WMI namespace security for root\MicrosoftDfs and grant the user the Execute Methods, Provider Write, Enable Account, and Remote Enable permissions using the following steps:

a. Open Wmimgmt.msc.

b. Right-click WMI Control (Local), and then click Properties.

c. On the Security tab, expand the namespace and select the Root\MicrosoftDfs node.

d. Click the Security button, and then click Add.

e. Add the account of your choice and ensure the four permissions listed above are granted.

3. Using the DFS Management snap-in, delegate permission to manage the desired replication group to domain\username.

4. Wait for the new delegated permissions to be replicated to other members via Active Directory replication. The amount of time this takes depends on Active Directory replication latency as well as the polling interval.
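The following PowerShell script is an added example, not part of the original post, that automates steps 1 and 2 on a single replication member and then verifies the result the way a delegated user would see it. It assumes Windows PowerShell 5.1 running elevated on the member server (for Invoke-WmiMethod and the LocalAccounts module), a hypothetical delegated account CONTOSO\dfsrmon, and the WMI namespace right bit values from wbemcli.h. Step 3, delegating the replication group, is still performed in the DFS Management snap-in as described above and is not automated here.

```powershell
# Added example (not from the original post): delegate read-only DFSR WMI access on one
# replication member, mirroring steps 1 and 2 of the procedure above.
# Assumes Windows PowerShell 5.1, run elevated on the member server.
# CONTOSO\dfsrmon is a hypothetical monitoring account; substitute your own.

$Account   = 'CONTOSO\dfsrmon'     # hypothetical delegated account
$Namespace = 'root\MicrosoftDfs'   # the namespace dfsrdiag backlog queries

# WMI namespace right bits (wbemcli.h). Only the four rights the post grants are used:
# no repository write and no WRITE_DAC, so the account cannot widen its own access.
$WBEM_ENABLE         = 0x01   # Enable Account
$WBEM_METHOD_EXECUTE = 0x02   # Execute Methods
$WBEM_WRITE_PROVIDER = 0x10   # Provider Write
$WBEM_REMOTE_ACCESS  = 0x20   # Remote Enable
$AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_WRITE_PROVIDER -bor $WBEM_REMOTE_ACCESS   # 0x33

function Add-DcomUser {
    param([string]$Member)
    # Step 1: Distributed COM Users membership permits the remote DCOM activation that a
    # remote WMI connection needs. Equivalent to the net localgroup command above.
    if (-not (Get-LocalGroupMember -Group 'Distributed COM Users' -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Member
    }
}

function Grant-WmiNamespaceAccess {
    param([string]$Member, [string]$Namespace, [int]$Mask)
    # Step 2: append an allow ACE for the account to the namespace DACL via __SystemSecurity.
    $sid = (New-Object System.Security.Principal.NTAccount($Member)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $target = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
    $sd = (Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor

    # Idempotent re-run: skip if an allow ACE for this SID already carries every requested bit.
    $existing = $sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid -and $_.AceType -eq 0 } |
                Select-Object -First 1
    if ($existing -and (($existing.AccessMask -band $Mask) -eq $Mask)) { return 'already granted' }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid

    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceFlags   = 0        # this namespace only; 2 (CONTAINER_INHERIT_ACE) would also cover subnamespaces
    $ace.AceType    = 0        # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $result = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with return value $($result.ReturnValue)" }
    return 'granted'
}

function Test-DfsrWmiAccess {
    param([string]$ComputerName, [pscredential]$Credential)
    # Run from another host with the delegated user's credential: a successful query means
    # the "Failed to connect to WMI services" error from the question is resolved.
    try {
        $folders = Get-WmiObject -ComputerName $ComputerName -Credential $Credential `
                     -Namespace $Namespace -Class DfsrReplicatedFolderInfo -ErrorAction Stop
        return $folders | Select-Object ReplicatedFolderName, State
    } catch {
        return "WMI connection failed: $($_.Exception.Message)"
    }
}

Add-DcomUser -Member $Account
Grant-WmiNamespaceAccess -Member $Account -Namespace $Namespace -Mask $AccessMask

# From a management workstation, as the delegated user:
# Test-DfsrWmiAccess -ComputerName 'member01.contoso.com' -Credential (Get-Credential 'CONTOSO\dfsrmon')
```

Running the two functions on every member the user will query reproduces steps 1 and 2; the verification query succeeding while a dfsrdiag backlog run still fails points at step 3 (replication group delegation) or step 4 (Active Directory replication latency) rather than at the WMI configuration.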

Many thanks to Richard Chinn, Dan Boldo, and Ram Natarajan for contributing to this post!