How to Monitoring Microsoft Active Directory
Microsoft Active Directory is used to share user list, provide single sign on and other central features in large Microsoft based workstation and server networks. Active Directory is Microsoft's implementation of existing business standards such as LDAP, Kerberos and DNS. The purpose of this article is describing how op5 Monitor can be used to monitor these core features of an Active Directory and make sure that notifications are sent about common errors.
To be able to complete this how-to you will need the following files:
The scripts are not officially supported by op5 Support, but we will help you as good as we can.
This will be done
The suggested configuration components for monitoring Active Directory are:
- Basic checks for each domain controller
- Advanced checks for each domain controller
- Service group called Active Directory that contains all services for your domain controllers.
- Copy the two files to C:Program Filesop5nsclient++scripts
- Add the following rows to the file C:Program Filesop5nsclient++custom.ini
check_ad=cscript.exe //T:30 //NoLogo scriptscheck_ad.vbs
check_ad_fsmo=cscript.exe //T:30 //NoLogo scriptspluginscheck_ad_time.vbs" example.com "$ARG1$"
- Save the file
- Restart the NSClient++ service
Add the required check-commands, if they don't already exist in your configuration, add dem via: ('Configure' -> 'Check Commands' -> 'New command')
|*check_ad_time||$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad_time -a $ARG1$|
|check_nt_service||$USER1$/check_nt -H $HOSTADDRESS$ -p 1248 -v SERVICESTATE -l "$ARG1$"|
|check_ad_ldap||$USER1$/check_ldap -H $HOSTADDRESS$ -b $ARG1$ -w 5 -c 45 -D $ARG2$ -P $ARG3$|
|check_ad_dns||$USER1$/check_dig -H $HOSTADDRESS$ -l $ARG1$ -a $ARG2$|
|*check_ad_dcdiag_dc||$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad|
|**check_ad_kerberos_authentication||$USER1$/check_nt -H $HOSTADDRESS$ -v COUNTER -l "NTDSKerberos Authentications","Kerberos Authentications %d times/sec" -w $ARG1$ -c $ARG2$|
* Require changes to NSC.ini, see section below.
** This is just one example of performance counters you might want to monitor, for a full list we sugest you take a look at Microsoft own reference list.
Short list of counters we think is good to monitor:
- "NTDSKerberos Authentications","Kerberos Authentications %d times/sec"
- "NTDSLDAP Bind Time","LDAP Bind Time %.2f ms"
- "NTDSLDAP Client Sessions","LDAP Client Sessions: %d"
- "NTDSNTLM Authentications","NTLM Authentications %d times/sec"
Add the required services
Go to 'Configure' -> 'Host:
Add the following services (Arguments are just examples, you need to adjust them to suite your environment).
|AD: Domain Time||check_ad_time||0.5|
|AD: DCdiag dc||check_ad_dcdiag_dc||N/A|
|AD: DCdiag member||check_ad_dcdiag_member||N/A|
|AD: FSMO Roles||check_ad_fsmo||All (Valid options: All, Schema, Domain, PDC, RID, Infrastructure)|
|AD: Kerberos Authentications||check_ad_kerberos_authentication||3!4|
Use the "Test this service" botton for the services to see if they work. Once the are correct and working as they should you may add the services to all of your domain controllers with the clone-function.
Configuring the service group
Configuring a service group is not necessary for tde monitoring to work, but it will be easier to display tde current status on tde Active Directory – for instance for help desk staff.
From Configure, select Service Groups and add a new service group.
Enter a service name and a description (alias) tdat is suitable for your organization.
Hold down tde Control key and select tde services you wish to include – preferably tde services you added in tdis How-To, and some otder important services for tde domain controllers:
Move tde selected services to tde selected list.
Click on "Apply Changes" and tden "Save".