Last month I wrote a blog post on the steps required to properly configure security permissions for the Active Directory Replication Monitoring Run As account. I realized that I was not accurate when I indicated you needed to grant "Change" rights to the specific objects. In actuality, you need to give it, at most, the following specific permissions:

  • Read
  • Write
  • Create All Child Objects
  • Delete All Child Objects
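
A least-privilege check for that list, as an added example that is not part of the original post or the ADMP: it flags any allow ACE that gives the Run As account more than the four rights above. It assumes the four labels correspond to the `GenericRead`, `GenericWrite`, `CreateChild` and `DeleteChild` flags of `ActiveDirectoryRights`; the account name, the function name and the sample ACEs are constructed for illustration.

```powershell
Add-Type -AssemblyName System.DirectoryServices
$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Upper bound from the post: Read, Write, Create/Delete All Child Objects
# (assumed mapping to ActiveDirectoryRights flags).
$Allowed = [int]($Rights::GenericRead -bor $Rights::GenericWrite -bor
                 $Rights::CreateChild -bor $Rights::DeleteChild)

function Get-ExcessRight {
    # Hypothetical helper: returns one record per allow ACE that exceeds $Allowed.
    param(
        [Parameter(Mandatory)] [object[]] $Aces,
        [Parameter(Mandatory)] [string]   $Account
    )
    foreach ($ace in $Aces) {
        if ("$($ace.IdentityReference)" -ne $Account) { continue }
        if ("$($ace.AccessControlType)" -ne 'Allow')  { continue }
        # Bits granted by this ACE that are outside the allowed mask.
        $excess = [int]$ace.ActiveDirectoryRights -band (-bnot $Allowed)
        if ($excess -ne 0) {
            [pscustomobject]@{
                Account = $Account
                Granted = $ace.ActiveDirectoryRights
                Excess  = [System.DirectoryServices.ActiveDirectoryRights]$excess
            }
        }
    }
}

# Constructed sample ACEs; the account name is a placeholder.
$account = 'CONTOSO\svc-admp-repl'
$sample = @(
    [pscustomobject]@{ IdentityReference = $account; AccessControlType = 'Allow'
                       ActiveDirectoryRights = $Rights::GenericAll },   # over-privileged
    [pscustomobject]@{ IdentityReference = $account; AccessControlType = 'Allow'
                       ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]$Allowed }
)

# Only the GenericAll ACE is reported; its Excess column lists the extra rights.
Get-ExcessRight -Aces $sample -Account $account | Format-List

# Against a live directory (needs the ActiveDirectory module for the AD: drive):
#   Import-Module ActiveDirectory
#   $aces = (Get-Acl 'AD:\<DN of the object you granted rights on>').Access
#   Get-ExcessRight -Aces $aces -Account $account
```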

Also remember that you need to define an account that will be used for the monitoring of replication in Active Directory by the Replication Monitoring Monitor in the ADMP. The RunAs account in Operations Manager is not created by default, but the AD MP Account RunAs Profile is. This is documented in the ADMP Deployment Guide, starting on page 11. I would not recommend using the Management Server Action Account.

The VBScript that is executed to monitor replication and collect performance data is named AD_Replication_Monitoring.vbs and is located in a folder under the %ProgramFiles%\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files <numeric>\<numeric> folder. I don't recommend making any modifications to this script, by the way. I mention its location simply to help you understand the inner workings of how we perform replication monitoring.