Read Access to Replication

[Tim]

I've got a large AD forest (102 servers). I've got a
domain admin in Europe that wants to be able to
troubleshhot problems outside of his domain. Is there a
way to grant read-only access to view/monitor replication
especially in sites & services to the whole forest?
He says that he can see all of the EU and child domain
(he's a domain admin there). EU domain admin's have rights
granted in S&S (Read, write, create, delete and special.
The only rights not granted are Modify Premissions and
Full Control.

At the root of the forest in AD Users & Compters, I
granted the right to Monitor AD Replication. Not sure what
this does or how to find out what these rights allow.

 

[Dave Shaw [MVP]]

That's a pretty good-sized deployment! (I have 132 DCs in mine)

Just a few questions:

1 - How centralized is your administration? How are you limiting access to
administrative features right now?

2 - Have you considered a centralized monitoring solution?

We chose Microsoft Operations Manager to keep things in line, and although I
can tell you that it keeps us pretty busy, it is an outstanding product and
beats the heck out of living in the dark ...

We also chose a 3rd party tool to help us with controlling things and
simplifying administration: Aelita's Enterprise Directory Manager (EDM) and
thier Emergency Repair Disk (ERD) for disaster recovery.

-ds

 

[Guest]

1 - We have different Enterprise, Schema and Domain
Admins. I have domains for root, continent, & each
business unit (BU). NA, Europe (EU), SA, China and
Australia (AU). 4 BU's in NA & EU. No subdomains in China
or AU. 1 in SA.
Domain Admins are free to do what they want. I'm an
Enterprise, Schema admin & admin of one subdomain. Not
normally a member of Schema Admins.

2 - We've not really looked at MOM, not too sure what
it'll do for us. We are looking at Quest's tools and
NetIQ's. We'll be adding in 400 more servers starting late
spring or summer and so I'm trying to get a good handle on
things now.