

Create a least privilege service account for updating the virtual hostname in an HA configuration



This article describes how to poll the DNS server from Orion High Availability (HA) with a restricted, non-administrator service account instead of an administrator account.

The account must be added to the DNSAdmin group. HA requires Read/Write permission for DNS management so that it can register itself on the DNS server as a zone transfer server. The account must not be a domain administrator account in your environment, but membership in the DNS admin group is mandatory for the account that HA uses.

Permissions for the HA user can be set in their Orion account settings if you want to limit them to read-only access to the DNS portion of HA. This limitation applies to the user in Orion, not to the account used to poll the DNS servers, so use a restricted service account for the DNS server and control user rights through the Orion Web Console.


SolarWinds Orion High Availability


Based on your network configuration, use a DNS server administrator (an account allowed to make changes on the DNS server) and enable that account for WMI.


In a standalone DNS setup, this might be a local administrator (which by default is pre-configured for remote WMI access). Administrators are by default allowed to perform DNS server management tasks.

In an AD+DNS setup, it should be an account that has a full DACL to manage the DNS server, and remote WMI for management must additionally be enabled for it according to the steps below.


To configure DCOM Services:

  1. Start dcomcnfg.
  2. Expand Component Services\Computers, right-click on My Computer, and select Properties.
  3. Click COM Security Tab.
  4. In the Access Permissions group, click Edit Default, add your account, and select the Local Access and Remote Access check boxes.
  5. In the Access Permissions group, click Edit Limits, add your account, and select the Local Access and Remote Access check boxes.
  6. In the Launch and Activation Permissions group, click Edit Default, add your account, and select all Allow check boxes.
  7. In the Launch and Activation Permissions group, click Edit Limits, add your account, and select all Allow check boxes.


To configure access to the WMI Branch:

  1. Start the MMC console and add WMI Control Snap-in.
  2. Right-click snap-in and click Properties.
  3. In the Security tab, select the MicrosoftDNS and CIMV2 branches, and then click the Security button.
  4. Add your account, and allow: Execute Methods, Enable Account, Remote Enable.
  5. Verify that the new user you created has DNSAdmin rights on the DNS Security tab.
  6. Start dnsmgmt.msc.
  7. Right-click the Server/Service node and view Properties to confirm that all the check boxes for the new user are selected.
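The following PowerShell script is an added verification example, not part of the SolarWinds article, that checks the outcome of the DCOM and WMI Control steps above and performs the same kind of credentialed connection test that the article later does with wbemtest. It assumes an AD+DNS setup with the ActiveDirectory (RSAT) module available, that the group the article calls "DNSAdmin" is the built-in DnsAdmins group, that root\MicrosoftDNS is the WMI namespace behind the MicrosoftDNS branch in WMI Control, and that the parameter names and the placeholder account and server names are hypothetical.

```powershell
# Added example (not from the article). Verifies the least-privilege service
# account configuration described above. Assumptions:
# - $ServiceAccount is the sAMAccountName of the restricted HA/DNS account
# - $DnsServer is a DNS server that Orion HA must update
# - $Credential holds that account's credentials
# - 'DnsAdmins' is the group the article refers to as "DNSAdmin"
# - root\MicrosoftDNS corresponds to the MicrosoftDNS branch in WMI Control
param(
    [Parameter(Mandatory)][string]$ServiceAccount,    # placeholder, e.g. 'svc-orion-dns'
    [Parameter(Mandatory)][string]$DnsServer,         # placeholder, e.g. 'dns01.corp.example'
    [Parameter(Mandatory)][pscredential]$Credential   # credentials of $ServiceAccount
)

Import-Module ActiveDirectory -ErrorAction Stop

$results = [ordered]@{}

# 1. Group membership: must be in DnsAdmins, must NOT be a domain administrator.
#    Get-ADPrincipalGroupMembership lists direct memberships only; nested
#    membership in an admin group would not be caught here.
$groups = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
          Select-Object -ExpandProperty Name
$results['InDnsAdmins']    = $groups -contains 'DnsAdmins'
$results['NotDomainAdmin'] = -not (($groups -contains 'Domain Admins') -or
                                   ($groups -contains 'Enterprise Admins'))

# 2. Remote DCOM + WMI access with the service account's own credentials.
#    -Protocol Dcom exercises exactly the permissions configured in dcomcnfg
#    (Access / Launch and Activation) rather than WinRM.
$session = $null
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $DnsServer -Credential $Credential `
                              -SessionOption $opt -ErrorAction Stop
    $results['DcomConnect'] = $true

    # 3. Enable Account + Remote Enable on the MicrosoftDNS branch:
    #    reading the server object fails if either right is missing.
    $server = Get-CimInstance -CimSession $session -Namespace 'root\MicrosoftDNS' `
                              -ClassName 'MicrosoftDNS_Server' -ErrorAction Stop
    $results['MicrosoftDnsRead'] = ($null -ne $server)

    # 4. Same check for the CIMV2 branch the article also grants.
    $os = Get-CimInstance -CimSession $session -Namespace 'root\CIMV2' `
                          -ClassName 'Win32_OperatingSystem' -ErrorAction Stop
    $results['Cimv2Read'] = ($null -ne $os)

    # 5. Zones must be visible to the account, since HA registers itself as a
    #    zone transfer server. This is a read-only check; it does not exercise
    #    the Execute Methods right or any write, so it cannot confirm those.
    $zones = Get-CimInstance -CimSession $session -Namespace 'root\MicrosoftDNS' `
                             -ClassName 'MicrosoftDNS_Zone' -ErrorAction Stop
    $results['VisibleZoneCount'] = @($zones).Count
}
catch {
    # Any access-denied or RPC error lands here with the original message.
    $results['WmiError'] = $_.Exception.Message
}
finally {
    if ($session) { Remove-CimSession $session }
}

[pscustomobject]$results
```

Run it from a host that can reach the DNS server over DCOM, supplying the service account's credentials via Get-Credential; a result with InDnsAdmins and NotDomainAdmin both true and no WmiError matches the state the article asks for. A WmiError mentioning access denied points at the DCOM permissions (step 2 in the script) or the WMI namespace security (steps 3 and 4), depending on which call raised it.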


To test the connection to a DNS server with specific credentials, use the wbemtest tool and connect to the machine using a namespace like:


For additional information, see How to update multiple DNS servers when failover occurs.
