Here is the list of AD Monitor prerequisites:
- The device address must be the name of the active directory domain, for example mydomain.local.
- The logon account must be a domain user.
- DCOM MUST be enabled for Active Directory monitoring.
- The KNM gateway machine that is performing the tests on Active Directory MUST itself be a member of the monitored AD.
- The device name MUST be the domain name, NOT the name of a device such as a Domain Controller. The AD device will instead enumerate all assigned DCs and monitor certain aspects of them from this list.
- The Windows account assigned to the device MUST be a domain Windows user.
- The domain Windows user account assigned to the device MUST have read access to all AD devices that are monitored.
- The domain Windows user account assigned to the device MUST be a member of the Administrator, Power User, Print Operator, or Server User group to successfully test the Domain Controllers' shares.
- The domain Windows user account assigned to the device MUST have the SE_TCB_NAME ("Act as part of the operating system") privilege to successfully test Kerberos authentication.
- Testing the Global Catalog MAY require Kerberos authentication to succeed.
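
The following PowerShell preflight is an added example, not part of the original article or of the KNM product; it checks the prerequisites above that can be verified locally. It assumes an elevated session on the KNM gateway machine, logged on as the account assigned to the AD device; `$ExpectedDomain` and the result labels are placeholders chosen here.

```powershell
# Added example: preflight for the AD Monitor prerequisites listed above.
# Assumption: elevated session on the KNM gateway, running as the account
# assigned to the AD device. A non-elevated (UAC-filtered) token hides
# SeTcbPrivilege even when the account has been granted it.
$ExpectedDomain = 'mydomain.local'   # placeholder: the device address / device name

$results = [ordered]@{}

# The gateway must itself be a member of the monitored AD domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Gateway is a domain member']        = [bool]$cs.PartOfDomain
$results['Gateway domain = device address']   = ($cs.Domain -ieq $ExpectedDomain)

# DCOM must be enabled: EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole is "Y" when on.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM `
                        -ErrorAction SilentlyContinue
$results['DCOM enabled']                      = ($ole.EnableDCOM -eq 'Y')

# The logon account must be a domain user; USERDNSDOMAIN is only set for
# domain logon sessions, not for local accounts.
$results['Account is a domain user']          = -not [string]::IsNullOrEmpty($env:USERDNSDOMAIN)

# SE_TCB_NAME appears as SeTcbPrivilege in the token ("Act as part of the
# operating system"); needed for the Kerberos authentication test.
$privs = whoami /priv
$results['Account holds SeTcbPrivilege']      = [bool]($privs | Select-String -SimpleMatch 'SeTcbPrivilege')

# The AD device enumerates the domain's DCs; confirm the gateway can locate
# them through the standard DC locator SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ExpectedDomain" -Type SRV `
                       -ErrorAction SilentlyContinue
$results['Domain controllers resolvable']     = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })

# Report one line per prerequisite.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The script does not verify read access to the monitored AD devices or the group membership needed for the share test; those still have to be confirmed against the directory.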