How to monitor Active Directory

How to Monitor Microsoft Active Directory

Microsoft Active Directory is used to share user lists, provide single sign-on and offer other central features in large Microsoft-based workstation and server networks. Active Directory is Microsoft's implementation of existing business standards such as LDAP, Kerberos and DNS. The purpose of this article is to describe how op5 Monitor can be used to monitor these core features of Active Directory and make sure that notifications are sent about common errors.

Prerequisites

To be able to complete this how-to you will need the following files:

 

Info: The scripts are not officially supported by op5 Support, but we will help you as best we can.

What will be done

The suggested configuration components for monitoring Active Directory are:

  • Basic checks for each domain controller
  • Advanced checks for each domain controller
  • Service group called Active Directory that contains all services for your domain controllers.
 

Prepare NSClient

  • Copy the two files to C:\Program Files\op5\nsclient++\scripts
  • Add the following rows to the file C:\Program Files\op5\nsclient++\custom.ini
    [NRPE Handlers]
    check_ad=cscript.exe //T:30 //NoLogo scripts\check_ad.vbs
    check_ad_fsmo=cscript.exe //T:30 //NoLogo scripts\plugins\check_ad_time.vbs example.com "$ARG1$"
  • Save the file
  • Restart the NSClient++ service

Check commands

Add the required check commands if they don't already exist in your configuration. Add them via 'Configure' -> 'Check Commands' -> 'New command'.

Basic commands:

command_name      command_line
*check_ad_time    $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad_time -a $ARG1$
check_nt_service  $USER1$/check_nt -H $HOSTADDRESS$ -p 1248 -v SERVICESTATE -l "$ARG1$"
check_ad_ldap     $USER1$/check_ldap -H $HOSTADDRESS$ -b $ARG1$ -w 5 -c 45 -D $ARG2$ -P $ARG3$
check_ad_dns      $USER1$/check_dig -H $HOSTADDRESS$ -l $ARG1$ -a $ARG2$

Advanced commands:

command_name                        command_line
*check_ad_dcdiag_dc                 $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad
**check_ad_kerberos_authentication  $USER1$/check_nt -H $HOSTADDRESS$ -v COUNTER -l "\NTDS\Kerberos Authentications","Kerberos Authentications %d times/sec" -w $ARG1$ -c $ARG2$

Info

* Requires changes to NSC.ini, see the section below.

** This is just one example of the performance counters you might want to monitor. For a full list, we suggest you take a look at Microsoft's own reference list.

 

A short list of counters we think are good to monitor:

  • "\NTDS\Kerberos Authentications","Kerberos Authentications %d times/sec"
  • "\NTDS\LDAP Bind Time","LDAP Bind Time %.2f ms"
  • "\NTDS\LDAP Client Sessions","LDAP Client Sessions: %d"
  • "\NTDS\NTLM Authentications","NTLM Authentications %d times/sec"
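
A consistency check for the 'Prepare NSClient' and 'Check commands' steps, added here as an example and not part of the op5 scripts: every check_nrpe command must name a handler that exists under [NRPE Handlers], and both sides must agree on whether arguments are passed. The sample input is constructed from the handler and command lines on this page; the function names parse_handlers and lint are hypothetical.

```python
import re

# Constructed sample input, based on the handler and command lines on this page.
CUSTOM_INI = r"""
[NRPE Handlers]
check_ad=cscript.exe //T:30 //NoLogo scripts\check_ad.vbs
check_ad_fsmo=cscript.exe //T:30 //NoLogo scripts\plugins\check_ad_time.vbs example.com "$ARG1$"
"""
COMMANDS = {
    "check_ad_time": "$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad_time -a $ARG1$",
    "check_ad_dcdiag_dc": "$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad",
    "check_nt_service": '$USER1$/check_nt -H $HOSTADDRESS$ -p 1248 -v SERVICESTATE -l "$ARG1$"',
}

def parse_handlers(ini_text):
    """Return {handler_name: command_line} from the [NRPE Handlers] section."""
    handlers, in_section = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "nrpe handlers"
        elif in_section and "=" in line:
            name, command = line.split("=", 1)
            handlers[name.strip()] = command.strip()
    return handlers

def lint(ini_text, commands):
    """Return (name, problem) pairs for NRPE commands and handlers that disagree."""
    handlers, used, findings = parse_handlers(ini_text), set(), []
    for name, cmdline in sorted(commands.items()):
        match = re.search(r"check_nrpe\b.*?\s-c\s+(\S+)", cmdline)
        if not match:
            continue  # check_nt, check_ldap, check_dig: no NRPE handler involved
        handler = match.group(1)
        used.add(handler)
        if handler not in handlers:
            findings.append((name, f"handler '{handler}' is not defined"))
            continue
        sends = re.search(r"\s-a(\s|$)", cmdline) is not None
        expects = "$ARG" in handlers[handler]
        if sends != expects:
            findings.append((name, f"argument mismatch with handler '{handler}'"))
    for handler in sorted(set(handlers) - used):
        findings.append((handler, "handler is defined but no check command calls it"))
    return findings

if __name__ == "__main__":
    for name, problem in lint(CUSTOM_INI, COMMANDS):
        print(f"{name}: {problem}")
```

On the sample lines it reports that check_ad_time has no matching handler and that the check_ad_fsmo handler is never called, so the handler names in custom.ini and the check commands need to be aligned before the services are tested.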
 

Add the required services

Go to 'Configure' -> 'Host: ' -> 'Go' -> 'Services for host ' -> 'Add new service' -> 'Go'

Add the following services (the arguments are just examples; you need to adjust them to suit your environment).

service_description           check_command                     check_commands_args
AD: Domain Time               check_ad_time                     0.5
AD: Services                  check_nt_service                  W32Time,Dnscache,IsmServ,kdc,SamSs,lanmanserver,lanmanworkstation,RpcSs,Netlogon
AD: LDAP                      check_ad_ldap                     dc=example,dc=com!monitoruser@example.com!mysecretpassword
AD: DNS                       check_ad_dns                      example.com!
AD: DCdiag dc                 check_ad_dcdiag_dc                N/A
AD: DCdiag member             check_ad_dcdiag_member            N/A
AD: FSMO Roles                check_ad_fsmo                     All (Valid options: All, Schema, Domain, PDC, RID, Infrastructure)
AD: Kerberos Authentications  check_ad_kerberos_authentication  3!4

Use the "Test this service" button for the services to see if they work. Once they are correct and working as they should, you may add the services to all of your domain controllers with the clone function.

Configuring the service group

Configuring a service group is not necessary for the monitoring to work, but it makes it easier to display the current status of Active Directory, for instance for help desk staff.

From Configure, select Service Groups and add a new service group.

Enter a service name and a description (alias) that is suitable for your organization.

Hold down the Control key and select the services you wish to include, preferably the services you added in this how-to, and some other important services for the domain controllers:

  • CPU
  • Load
  • Disk usage
  • Mem usage
  • PING
  • Swap usage
  • Uptime

Move the selected services to the selected list.

Click on "Apply Changes" and then "Save".