Active Directory Monitoring


Creating a new Active Directory monitor

Prerequisites for monitoring Active Directory metrics: Click here

Using the REST API to add a new Active Directory monitor: Click here

To create a new Active Directory monitor, follow the steps given below:

  1. Click the New Monitor link. Choose Active Directory under Services.
  2. Enter the DisplayName of the host on which the monitor is running.
  3. Enter the HostName on which the monitor is running.
  4. Enable the Use CredSSP Authentication option only when the monitored AD server is a non-primary Domain Controller. This applies when the remote server is located in a domain that differs from that of the Applications Manager server, or is in the same domain and experiences a 'double-hop' issue. Click here for the steps to enable CredSSP.
  5. If Authentication is enabled, enter the Username and Password.
  6. Select the Enable Kerberos Authentication checkbox if you want to monitor the Active Directory server through Kerberos authentication.
  7. Provide the Timeout period for running the data collection scripts. By default, it is 300 seconds.
  8. Provide the Polling interval for monitoring the Active Directory monitor.
  9. If you are adding a new monitor from an Admin Server, select a Managed Server.
  10. Choose the Monitor Group with which you want to associate the monitor from the combo box (optional). You can choose multiple groups to associate with your monitor.
  11. Click Add Monitor(s). This discovers the monitor from the network and starts monitoring it.
Note: Ensure that the user account has the relevant privileges before creating the Active Directory monitor. If you have added monitors and not associated them with a Monitor Group, you can do this manually at any time. For information on associating a monitor with a Monitor Group, refer to the Associating Monitor with Monitor Groups topic.

Monitored Parameters

Go to the Monitors Category View by clicking the Monitors tab. Click on the Active Directory instance available in the Services section. The Active Directory monitor's bulk configuration view is displayed, organized into three tabs:

  • Availability tab gives the availability history for the past 24 hours or 30 days.
  • Performance tab gives the health status and events for the past 24 hours or 30 days.
  • List view tab enables you to perform bulk admin configurations.

The Active Directory monitor connects to the Active Directory server and checks its availability. The Active Directory counters monitored by Applications Manager are given below:

Performance Overview

Parameters | Description
Time Synchronization *
Primary DC | Name of the Primary Domain Controller in the domain.
Time Offset from Primary DC | Offset time from the Primary Domain Controller.
Network Monitors
AB Client Sessions | AB Client Sessions is the number of connected Address Book client sessions.
DS Notify Queue Size | The number of pending update notifications that have been queued, but not yet transmitted to clients.
Database Monitors
Database Disk Free Space | Shows the total usable space on the selected logical disk drive that was free (in MB).
Database File Size | Shows the Database File Size (in MB).
Database Disk Total Size | Shows the Total Size of the disk drive (in MB).
NTFRS Process Monitors
NTFRS CPU Usage | Percentage of elapsed time that all of the threads of the NTFRS process used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions is included in this count.
NTFRS Handle Count | Total number of handles the NTFRS process has open. This number is the sum of the handles currently open by each thread in the process.
NTFRS Process File Reads | Rate at which the NTFRS process is reading bytes from I/O operations. This property counts all I/O activity generated by the NTFRS process to include file, network, and device I/Os.
NTFRS Process File Writes | Rate at which the NTFRS process is writing bytes to I/O operations. This property counts all I/O activity generated by the NTFRS process to include file, network, and device I/Os.
NTFRS Process Memory | Amount of memory in bytes that an NTFRS process needs to execute efficiently on an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero).
DFSR Process Monitors
DFSR CPU Usage | Percentage of elapsed time that all of the threads of the DFSR process used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions is included in this count.
DFSR Handle Count | Total number of handles the DFSR process has open. This number is the sum of the handles currently open by each thread in the process.
DFSR Process File Reads | Rate at which the DFSR process is reading bytes from I/O operations. This property counts all I/O activity generated by the DFSR process to include file, network, and device I/Os.
DFSR Process File Writes | Rate at which the DFSR process is writing bytes to I/O operations. This property counts all I/O activity generated by the DFSR process to include file, network, and device I/Os.
DFSR Process Memory | Amount of memory in bytes that a DFSR process needs to execute efficiently on an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0.
System Monitors
CPU Utilization | Percentage of time that the processor is executing a non-idle thread. This property was designed as a primary indicator of processor activity. It is calculated by measuring the time that the processor spends executing the thread of the idle process in each sample interval and subtracting that value from 100%.
Disk Utilization | Calculated as ((size - freesize) / size) * 100, where size is the total size of the disk drive on the logical disk and freesize is the space, in bytes, available on the logical disk.
Memory Utilization | Calculated as ((TotalVisibleMemorySize - FreePhysicalMemory) / TotalVisibleMemorySize) * 100, where TotalVisibleMemorySize is the total amount, in kilobytes, of physical memory available to the operating system (this value does not necessarily indicate the true amount of physical memory, but what is reported to the operating system as available to it) and FreePhysicalMemory is the number, in kilobytes, of physical memory currently unused and available.
Number of Processes | Number of process contexts currently loaded or running on the operating system.
OS Processor Queue Length | Number of threads in the processor queue. There is a single queue for processor time even on computers with multiple processors. Unlike the disk counters, this property counts ready threads only, not threads that are running.
Performance Counter Monitors
DS Client Binds | Shows the number of Ntdsapi.dll binds per second serviced by this domain controller.
DS Server Binds Per Sec | Shows the number of domain controller-to-domain controller binds per second that are serviced by this domain controller.
Directory Reads Per Sec | Shows the number of directory reads per second.
Directory Writes Per Sec | Shows the number of directory writes per second.
NTLM Authentications | Shows the number of NTLM authentications per second serviced by this domain controller.
Kerberos Authentications | Shows the number of times per second that clients use a ticket to this domain controller to authenticate to this domain controller.
LSASS Process Monitors
LSASS CPU Usage | Percentage of elapsed time that all of the threads of the LSASS process used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions is included in this count.
LSASS Handle Count | Total number of handles the LSASS process has open. This number is the sum of the handles currently open by each thread in the LSASS process.
LSASS Process File Reads | Rate at which the LSASS process is reading bytes from I/O operations. This property counts all I/O activity generated by the LSASS process to include file, network, and device I/Os.
LSASS Process File Writes | Rate at which the LSASS process is writing bytes to I/O operations. This property counts all I/O activity generated by the LSASS process to include file, network, and device I/Os.
LSASS Process Memory | Amount of memory in bytes that an LSASS process needs to execute efficiently on an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero).
LDAP Stats
LDAP Active Threads | Shows the current number of threads in use by the LDAP subsystem of the local directory service.
LDAP Bind Time | Shows the time, in milliseconds, taken for the last successful LDAP bind.
LDAP Client Sessions | Shows the number of currently connected LDAP client sessions.
LDAP Searches Per Sec | Shows the rate at which LDAP clients perform search operations.
LDAP UDP operations Per Sec | Shows the number of User Datagram Protocol (UDP) operations that the LDAP server is processing per second.
LDAP Writes Per Sec | Shows the rate at which LDAP clients perform write operations.
Replication Stats
Replication Objects Applied Per Sec | Shows the rate at which replication updates received from replication partners are applied by the local directory service. This counter excludes changes that are received but not applied.
Replication Objects Remaining | Shows the number of object updates received in the current directory replication update packet that have not yet been applied to the local server.
Total Replication Objects In /Sec | Shows the number of objects received from neighbors through inbound replication. A neighbor is a domain controller from which the local domain controller replicates locally.
Total Replication Objects Out /Sec | Shows the number of objects replicated out.
Replication Traffic In | Shows the total number of bytes replicated in. This counter is the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).
Replication Traffic Out | Shows the total number of bytes replicated out. This counter is the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).
Active Directory Services
Kerberos Key Distribution Center Service | The Kerberos Key Distribution Center (KDC) is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).
Server Service | This service enables the computer to connect to other computers on the network based on the SMB protocol.
Net Logon Service | This service supports pass-through authentication of account logon events for computers in a domain.
Workstation Service | This service enables the computer to connect to other computers on the network based on the SMB protocol.
Remote Procedure Call (RPC) Service | This service provides the name services for RPC clients.
Security Accounts Manager Service | This service signals other services that the Security Accounts Manager subsystem is ready to accept requests.
File Replication Service | This service maintains file synchronization of file directory contents among multiple servers.
DNS Client Service | This service resolves and caches DNS (Domain Name Server) names.
Intersite Messaging Service | This service is used for mail-based replication between sites. Active Directory includes support for replication between sites by using SMTP over IP transport.
Windows Time service | The service synchronizes the time between domain controllers, which prevents time skews from occurring.
Active Directory Domain Services | Service of the Active Directory Domain Controller.
Active Directory Web Services | Service that provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on the server.

* Time Synchronization data is available only if the monitored AD server is a Secondary Domain Controller. These metrics are mapped under Settings → Performance Polling → Optimize Data Collection → Monitor Type → Active Directory

Replication Statistics

Replication is the process of sending update information for data that has changed in the directory to other domain controllers. It is important to have a firm understanding of replication and how it takes place, both within the domain and in multiple-site environments.

Monitoring Active Directory replication: If there are two or more domain controllers that replicate changes to each other, the replication statistics are displayed in the Replication Statistics tab. In a single-domain-controller setup, no replication statistics are shown.

Parameters | Description
Domain Controller
Domain Controller Site | The Site that the host domain controller resides in.
Is Global Catalog Server | Provides a value of true / false. True, if the domain controller is a global catalog server.
Percent of RIDs Left | The percentage of Relative Identifiers left in RID Pool.
Pending Replication Operations | The count of Pending Replication Operations.
Replication Partners
Partition Name | DN of the Naming Context (Partition) for which the partners replicate.
Source DC | CN of directory system agent (DSA) that represents the source domain controller (DC).
Source DC Domain | The canonical name of the domain of the replicated NC.
Source DC Site | The site that contains the source DC.
Time of Last Sync Attempt | The timestamp for the last replication attempt.
Time of Last Sync Success | The timestamp for the last successful replication attempt.
Consecutive Failure Count | The number of consecutive failed replication attempts.
Last Sync Result | Values can be Success or Failed.
Pending Replications
Partition Name | The X.500 path of the naming context (NC) that is associated with this operation.
Source DC | CN of directory system agent (DSA) that represents the source domain controller (DC).
Time Enqueued | The time at which this operation was added to the queue.
Operation Start Time | The time when the operation was started. NULL if operation is still in Queue.
Position in Queue | The position of this operation in the queue.
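
The Replication Partners fields above can be turned into a health check. The following is an added example, not Applications Manager code: it evaluates objects carrying the property names returned by the ActiveDirectory module's Get-ADReplicationPartnerMetadata cmdlet, using constructed sample records so it runs without a domain. The 24-hour staleness threshold, the function name and the example.test names are assumptions.

```powershell
# Added example (not product code). Flags replication partners whose
# Consecutive Failure Count, Last Sync Result or Time of Last Sync Success look unhealthy.
function Get-ReplicationPartnerHealth {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Partner,
        [int]$MaxSyncAgeHours = 24,          # assumed threshold; tune to the site replication schedule
        [datetime]$Now = (Get-Date)
    )
    process {
        $reasons = @()
        if ($Partner.ConsecutiveReplicationFailures -gt 0) {
            $reasons += "consecutive failures: $($Partner.ConsecutiveReplicationFailures)"
        }
        if ($Partner.LastReplicationResult -ne 0) {
            $reasons += "last result code: $($Partner.LastReplicationResult)"
        }
        if ($null -eq $Partner.LastReplicationSuccess) {
            $reasons += 'no successful sync recorded'
        } else {
            $age = [math]::Round(($Now - $Partner.LastReplicationSuccess).TotalHours, 1)
            if ($age -gt $MaxSyncAgeHours) { $reasons += "last success $age hours ago" }
        }
        [pscustomobject]@{
            PartitionName           = $Partner.Partition
            SourceDC                = $Partner.Partner
            TimeOfLastSyncAttempt   = $Partner.LastReplicationAttempt
            TimeOfLastSyncSuccess   = $Partner.LastReplicationSuccess
            ConsecutiveFailureCount = $Partner.ConsecutiveReplicationFailures
            LastSyncResult          = if ($Partner.LastReplicationResult -eq 0) { 'Success' } else { 'Failed' }
            Healthy                 = ($reasons.Count -eq 0)
            Reasons                 = $reasons -join '; '
        }
    }
}

# Constructed sample records (hypothetical domain example.test, hypothetical DC names).
$now  = Get-Date
$base = 'CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ Partition = 'DC=example,DC=test'; Partner = "CN=NTDS Settings,CN=DC02,$base"
        LastReplicationAttempt = $now.AddMinutes(-10); LastReplicationSuccess = $now.AddMinutes(-10)
        ConsecutiveReplicationFailures = 0; LastReplicationResult = 0 }
    [pscustomobject]@{ Partition = 'DC=example,DC=test'; Partner = "CN=NTDS Settings,CN=DC03,$base"
        LastReplicationAttempt = $now.AddMinutes(-5); LastReplicationSuccess = $now.AddHours(-30)
        ConsecutiveReplicationFailures = 7; LastReplicationResult = 1722 }
)
$sample | Get-ReplicationPartnerHealth -Now $now | Where-Object { -not $_.Healthy } | Format-List

# Against a live domain controller (requires the ActiveDirectory module):
# Get-ADReplicationPartnerMetadata -Target 'dc01.example.test' -Partition * | Get-ReplicationPartnerHealth
```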

Connectivity

Parameters | Description
Port Connectivity *
Port Name | The name of the port monitored.
Port Number | The port number specified for that port.
Connectivity Status | Specifies if the connection is UP / DOWN.
Response Time(ms) | The time taken to check the connectivity status in milliseconds.
Network Interface
Name | The display name of the network connector.
Speed (Mbps) | The interface's current bandwidth in megabits per second (Mbps).
Input Traffic (MBps) | The rate at which bytes are received on the interface, including framing characters.
Output Traffic (MBps) | The rate at which bytes are sent on the interface, including framing characters.

* Metrics for Port Connectivity are mapped under Settings → Performance Polling → Optimize Data Collection → Monitor Type → Active Directory

Follow these steps to add, remove or edit the ports monitored:
  • Go to the <appmanager-home>\working\conf\application\script\powershell folder and open the ActiveDirectoryPorts.ps1 file in an editor.
  • To add a new port to be monitored, add the port name and port number in the format below, along with the other ports:

    "<portname>:<portnumber>"  Example: "DNS:53"

  • To stop monitoring a port, comment out the respective line by adding '#' at the beginning of the line.

    Example: # "DNS:53"

  • If any port on the server has been changed from its default port number, edit the respective port number.
  • Save the file after the changes are done.
  • The changes take effect from the monitor's next poll.
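
Before saving edited entries, it helps to confirm that each one parses and that the port answers. The following is an added example, not the product's ActiveDirectoryPorts.ps1: it parses entries in the "<portname>:<portnumber>" format, skips lines commented with '#', rejects invalid port numbers, and reports UP / DOWN with a response time for TCP only. The function names, the sample entries and the host dc01.example.test are assumptions.

```powershell
# Added example (not the product's ActiveDirectoryPorts.ps1).
# Constructed entries in the "<portname>:<portnumber>" format described above.
$SampleEntries = @(
    '"DNS:53"'
    '"LDAP:389"'
    '# "Kerberos:88"'          # commented out, so it is skipped
    '"GlobalCatalog:3268"'
    '"Typo:70000"'             # out of range, rejected before any connection
)

function ConvertFrom-PortEntry {
    param([string[]]$Line)
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        $text = $text.TrimEnd(',').Trim().Trim('"')
        if ($text -notmatch '^(?<name>[^:]+):(?<port>\d{1,5})$') {
            Write-Warning "Malformed entry skipped: $raw"
            continue
        }
        $name = $Matches['name']; $port = [int]$Matches['port']
        if ($port -lt 1 -or $port -gt 65535) {
            Write-Warning "Port out of range, skipped: $raw"
            continue
        }
        [pscustomobject]@{ PortName = $name; PortNumber = $port }
    }
}

function Test-PortConnectivity {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$PortNumber,
        [int]$TimeoutMs = 3000               # assumed per-port timeout
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $up     = $false
    try {
        $task = $client.ConnectAsync($ComputerName, $PortNumber)
        $up   = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        $up = $false                         # refused, unreachable or unresolvable
    } finally {
        $timer.Stop()
        $client.Close()
    }
    [pscustomobject]@{
        Status         = if ($up) { 'UP' } else { 'DOWN' }
        ResponseTimeMs = $timer.ElapsedMilliseconds
    }
}

$dc = 'dc01.example.test'                    # placeholder host name
ConvertFrom-PortEntry -Line $SampleEntries | ForEach-Object {
    $r = Test-PortConnectivity -ComputerName $dc -PortNumber $_.PortNumber
    [pscustomobject]@{ PortName = $_.PortName; PortNumber = $_.PortNumber
                       Status = $r.Status; ResponseTimeMs = $r.ResponseTimeMs }
} | Format-Table -AutoSize
```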

Diagnostic Tests *

Basic Tests

  • Connectivity Check - Tests whether DSAs (Directory System Agents) are DNS registered, pingable, and have LDAP/RPC
  • Advertising Status Check - Checks whether each DSA is advertising itself, and whether it is advertising itself as having the capabilities of a DSA.
  • SYSVOL Status Check - This test checks that the SYSVOL is ready.
  • Knowledge Consistency Check - This test checks that the Knowledge Consistency Checker is completing without errors.
  • RID Master Accessibility Check - Checks whether the RID master is accessible and whether it contains the proper information.
  • Machine Account Information Check - Check to see if the Machine Account has the proper information.
  • Global Role-holders Locator Check - Checks that global role-holders are known, can be located, and are responding.

Replication Tests

  • File Replication System Check - This test checks to see if there are any operation errors in the file replication system (FRS). Failing replication of the SYSVOL share can cause Policy problems.
  • Distributed File System Check - This test checks to see if there are any operation errors in the DFS (Distributed File System).
  • Logon Privileges (NetLogons) Check - Checks that the appropriate logon privileges allow replication to proceed.
  • Object Replication Check - Check that Machine Account (AD only) and DSA objects have replicated.
  • Verify References for FRS and Replication Infrastructure - This test verifies that certain system references are intact for the FRS and Replication infrastructure.
  • Intersite Replication Error Check - Checks for failures that would prevent or temporarily hold up intersite replication.

Cross Reference Check Tests

  • CrossRefValidation - This test looks for cross-refs that are in some way invalid.
    • DomainDnsZones CrossRefValidation
    • ForestDnsZones CrossRefValidation
    • Configuration CrossRefValidation
    • Schema CrossRefValidation
    • <Domain-Name> CrossRefValidation

Security Descriptor Reference Check Tests

  • CheckSDRefDom - This test checks that all application directory partitions have appropriate security descriptor reference domains.
    • DomainDnsZones CheckSDRefDom
    • ForestDnsZones CheckSDRefDom
    • Configuration CheckSDRefDom
    • Schema CheckSDRefDom
    • <Domain-Name> CheckSDRefDom

* Metrics for Diagnostic Tests are mapped under Settings → Performance Polling → Optimize Data Collection → Monitor Type → Active Directory. Default polling interval is 60 minutes.