AppInsight for Active Directory

This template monitors and reports on physical and virtual Active Directory environments to identify issues about domain controllers, replication, and more. You can use it to track many key aspects of Active Directory by getting relevant performance data from the server level. For details, see Monitor with AppInsight for Active Directory.

To avoid performance issues in large environments, several "total" counters, such as Total User Accounts and Total Inactive Users, are initially disabled. After assigning the AppInsight for Active Directory template to nodes, edit the template to enable those component monitors.

Note the following details about AppInsight templates:

  • WMI is the preferred polling method because some node metrics, such as Disk I/O, are only available via WMI polling.
  • All AppInsight templates support the Orion agent for Windows. See Monitor with Orion agents in SAM.
  • Due to the complexity of AppInsight templates:
    • You cannot add component monitors to them.
    • Some component monitors have default settings that cannot be modified.
    • You cannot import or export them in the Orion Web Console.
  • For component-based SAM licenses, AppInsight applications consume licenses at flat rates.
  • Unlike most SAM templates, AppInsight templates are updated automatically when you upgrade SAM.

To learn more, see Monitor with AppInsight applications.

Component monitors

To learn more about default component monitors included in SAM, see SAM online help.

Naming Contexts

Total number of naming contexts in the domain.

Replication Details

This component gathers Active Directory replication data, such as replication direction and the replication transport protocol.

FSMO Role - Schema Master

Total number of Schema Master roles in the domain.

FSMO Role - Domain Naming Master

Total number of Domain Naming Master roles in the domain.

FSMO Role - RID Master

Total number of RID Master roles in the domain.

FSMO Role - Infrastructure Master

Total number of Infrastructure Master roles in the domain.

FSMO Role - PDC Emulator

Total number of PDC Emulator roles in the domain.

Total User Accounts

Total number of Active Directory users in the domain.

Total Disabled User Accounts

Total number of disabled user accounts in the domain.

Total Computer Accounts

Total number of computer accounts in the domain.

Total Domain Controllers

Total number of domain controllers in the domain.

Trusts

Total number of domain trust relationships in the domain.

AppInsight for Active Directory can collect trust data for domain controllers configured as Global Catalog (GC) servers on port 3268, as displayed in the Trust Summary widget. If your domain controllers use port 3269 instead, update that setting in the template.

Total Inactive Users

Total number of inactive users in the domain.

Total Inactive Computers

Total number of inactive computers in the domain.

Sites

Total number of sites in the domain.

Subnets

Total number of subnets in the domain.

Links

Total number of site links in the domain.

Servers

Total number of Active Directory servers in the domain.

Total Expired Password User Accounts

Total number of user accounts which currently have an expired password.

Machine Account authentication failure event

The number of events indicating that a machine account failed to authenticate. This is usually caused either by multiple instances of the same computer name, or by a computer name that has not yet replicated to every domain controller.

If you do not find multiple instances of the computer name, verify that replication is functioning for the domain that contains the computer account.

Replication Duplicate Object found event

The number of events that indicate a duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible. See Troubleshooting Directory Data problems for details. (©2019 Microsoft Corp., available at http://technet.microsoft.com, obtained on March 4, 2019)

Failed Replication Event

The number of events that indicate replication failed for the reason stated in the message text. Use the Windows Server tool Repadmin.exe to further identify the problem.

Replication configuration does not reflect topology event

The number of events that occur when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.

Lingering objects disconnection error event

The number of events generated by a lingering object when a domain controller remains disconnected for too long. For details about lingering objects, see the Microsoft documentation. (©2019 Microsoft Corp., available at http://technet.microsoft.com, obtained on March 4, 2019)

Replication Link GUID mismatch event

The number of events that occur over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the Service Principal Name (SPN) attributes of the computer object of this replication partner.

User Account cannot be resolved event

The number of events that indicate a user account in one or more Group Policy objects (GPOs) cannot be resolved to a security identifier (SID). This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.

User Account was created event

The number of events logged when a new user account is created. Event ID: 4720.

Only authorized people and processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.

Attempt to change Account password event

The number of events logged when someone attempts to change an account's password. Event ID: 4723.

This event is logged as a failure if the new password fails to meet the password policy. It results from a password change request in which the user supplies the account's original password. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password: if Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password.

Attempt to reset Account password

The number of events when a user or process resets an account password through an administrative interface such as Active Directory Users and Computers, rather than through a password change process. Event ID: 4724.

This event is logged as a failure if the new password fails to meet the password policy.

Only authorized people or processes should carry out this process, such as help desk or user self-service password reset.

Account was disabled event

The number of events logged when an account is disabled. Event ID: 4725.

Note: Always investigate this event.

Account was deleted event

The number of events logged when a user account is deleted. Event ID: 4726.

Only authorized people and processes should delete network accounts. Search for these events and examine the Primary Account Name field to detect if unauthorized people have deleted accounts.

Account was changed event

The number of events when changes were made to security-related properties of user accounts. Event ID: 4738.

Account was locked out event

The number of events logged when a user account is locked out. Event ID: 4726.

Account name was changed event

The number of events logged when a user's normal logon name or pre-Windows 2000 logon name is changed. Event ID: 4781.

When an account name is changed, the SID remains the same. However, the Target ID in this event shows the new name, because when the OS displays the event it queries the database where the SID is stored and translates the SID to domain\username.

A rogue administrator might change their account name or computer name to cover up activity.

Account failed to logon event

The number of failed login events with incorrect username or password. Event ID: 4625.

This monitor checks for attempts where Target Account Name equals Administrator or the renamed default administrator account. Also review repeated logon failures that stay below the account lockout threshold.

Replay Attack detected event

The number of events when the authentication package (usually Kerberos) detects an attempt to log on by replay of a user's credentials. Event ID: 4649.

Investigate immediately. This may also be a sign of incorrect network configuration.

Attempted to logon using explicit credentials event

The number of the following events:

  • A user connects to a server or runs a program locally using alternate credentials (that is, "run as").
  • A process logs on as a different account; for example, the Scheduled Tasks service starts a task as the specified user.
  • With User Account Control enabled, an end user runs a program requiring admin authority.

Event ID: 4648.

Domain Policy was changed event

The number of events when the computer's Security Settings\Account Policy or Account Lockout Policy was modified - either via Local Security Policy or Group Policy in Active Directory. Event ID: 4739.

The Subject fields cannot identify who actually changed the policy because this policy isn't directly configured by administrators. Instead, it is edited in a Group Policy Object (GPO) that is then applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.

Kerberos Policy was changed event

The number of events logged when Windows detects a change to the domain's Kerberos policy. Kerberos policy is defined in GPOs linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy. Event ID: 4713.

The Subject fields cannot identify who actually changed the policy because this policy isn't directly configured by administrators. Instead, it is edited in a Group Policy Object (GPO) that is then applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.

System Audit Policy was changed event

The number of events logged when a computer's system-level audit policy was modified, either via Local Security Policy, Group Policy in Active Directory, or the auditpol command. Event ID: 4719.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. If Group Policy was used to configure the audit policy, the Subject fields unfortunately do not identify who actually changed it; in such cases this event always shows the local computer as the one who changed the policy, since the computer is the security principal under which gpupdate runs. This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high value computers and domain controllers.

Encrypted Data Recovery Policy was changed event

The number of events logged when the computer's Security Settings\Public Key Policies\Encrypting File System data recovery agent policy was modified, either via Local Security Policy or Group Policy in Active Directory. Event ID: 4714.

The Subject fields cannot identify who actually changed the policy because this policy isn't directly configured by administrators. Instead, it is edited in a Group Policy Object (GPO) that is then applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
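The following is an added example, not code from SAM or the AppInsight template. It applies the triage rules described in the event sections above to a few constructed Security event records: compare Subject to Target on 4723, flag 4720 creations by principals outside an authorized list, count 4625 failures against the administrator account or that stay below the lockout threshold, and mark policy-change events (4713, 4714, 4719, 4739) whose Subject is the computer account as GPO-applied. The lockout threshold, authorized principals and sample events are assumptions made for the example.

```python
"""Triage of the Windows Security event types counted by this template.

Field names follow the Security event XML (SubjectUserName, TargetUserName).
All values below are constructed for the example, not taken from a real domain.
"""
from collections import Counter

LOCKOUT_THRESHOLD = 5                                  # assumed domain lockout threshold
AUTHORIZED_CREATORS = {"svc_provision", "helpdesk01"}  # constructed authorized provisioning principals
ADMIN_ALIASES = {"Administrator", "corp-admin"}        # built-in admin and its assumed renamed form
POLICY_CHANGE_EVENTS = {4713, 4714, 4719, 4739}        # Kerberos, EFS recovery, audit, domain policy

# Constructed sample events: (EventID, SubjectUserName, TargetUserName)
SAMPLE_EVENTS = [
    (4720, "helpdesk01", "jdoe"),       # creation by an authorized principal: quiet
    (4720, "jsmith", "backup_tmp"),     # creation outside the authorized list: flag
    (4723, "jdoe", "jdoe"),             # owner changing their own password: quiet
    (4723, "jsmith", "jdoe"),           # someone else changing jdoe's password: flag
    (4625, "-", "corp-admin"),          # failures against the renamed admin account
    (4625, "-", "corp-admin"),
    (4625, "-", "corp-admin"),
    (4625, "-", "bob"),                 # a single failure: quiet
    (4739, "DC01$", "-"),               # policy change whose Subject is the computer account
]


def triage(events, lockout_threshold=LOCKOUT_THRESHOLD):
    """Return a list of (EventID, principal, reason) findings for the given events."""
    findings = []
    failures = Counter()
    for event_id, subject, target in events:
        if event_id == 4720 and subject not in AUTHORIZED_CREATORS:
            findings.append((event_id, subject, f"account {target} created outside authorized provisioning"))
        elif event_id == 4723 and subject != target:
            findings.append((event_id, subject, f"password change on {target} attempted by someone other than the owner"))
        elif event_id == 4625:
            failures[target] += 1          # aggregate per target before judging
        elif event_id in POLICY_CHANGE_EVENTS and subject.endswith("$"):
            findings.append((event_id, subject, "policy change applied via GPO; Subject is the computer account, review GPO change history"))
    for target, count in failures.items():
        if target in ADMIN_ALIASES:
            findings.append((4625, target, f"{count} failed logons against the administrator account"))
        elif 1 < count < lockout_threshold:
            findings.append((4625, target, f"{count} failures, below the lockout threshold of {lockout_threshold}"))
    return findings


if __name__ == "__main__":
    for event_id, principal, reason in triage(SAMPLE_EVENTS):
        print(f"{event_id} {principal}: {reason}")
```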

Windows Firewall setting has changed event

The number of events when changes were made via the Windows Firewall with Advanced Services MMC console. Event ID: 4950.

The system time was changed event

The number of events logged when someone changes the system time. Event ID: 520.

This event records the old and new system time, as well as who changed it, in the Subject: section. It is routine to see this event with a subject of "LOCAL SERVICE", and such occurrences can usually be ignored. It is also common to see this event logged twice in a row.

An attempt was made to set the Directory Services Restore Mode administrator password

The number of events when someone attempts to change the Directory Services Restore Mode password on a domain controller. Event ID: 4794.

Check Workstation IP and Account Name. Investigate immediately.

Clearing the Security Event Logs event

The number of times security logs have been cleared. Event ID: 517.

Administrators should not clear security event logs without authorization. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

Changing system time event

The number of times the system time has been changed. Event ID: 520.

This action can mislead a forensic investigation or provide an attacker with a false alibi. The process name is %windir%\system32\svchost.exe. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

Changing Audit Policy event

The number of times audit policies have been changed. Event ID: 612.

This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high value computers and domain controllers.

Changing the Domain Security Policy event

The number of attempts to modify a password policy or other domain security policy settings. Event ID: 643.

Check the subject's user name and correlate it with the authorization records.

LDAP Active Threads

The current number of threads in use by the LDAP subsystem of the local directory service.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

LDAP Bind Time

The time (in milliseconds) required for the completion of the last successful LDAP binding.

This counter should be as low as possible. If it is not, it usually indicates that hardware or network-related problems are occurring.

LDAP Client Sessions

The number of currently connected LDAP client sessions.

This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

Directory Service Threads in Use

The current number of threads in use by the directory service.

This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

Address Book Client Sessions

The number of connected Address Book client sessions.

Directory Service Notify Queue Size

The number of pending update notifications that are queued, but not yet transmitted to clients.

This counter should be as low as possible.

DRA Inbound Full Sync Objects Remaining

The number of objects remaining until the full synchronization is completed (while replication is in progress).

This counter should be as low as possible.

DRA Inbound Values (DNs only)/sec

The number of object property values received from inbound replication partners that are distinguished names (DNs) that reference other objects. DN values, such as group or distribution list memberships, are generally more expensive to apply than other types of values.

DRA Outbound Values (DNs only)/sec

The number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are generally more expensive to read than other kinds of values.

LDAP successful binds/sec

The number of LDAP bindings (per second) that occurred successfully.

This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.

LDAP searches/sec

The number of search operations per second performed by LDAP clients.

This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.

Directory Services directory writes/sec

The number of directory writes per second.

Directory Services directory reads/sec

The number of directory reads per second.

DRA pending replication synchronizations

The number of directory synchronizations that are queued for this server but not yet processed.

Context switches/sec

Indicates whether the processor is handling an excessive number of applications.

Interpret this data cautiously. A thread that is heavily using the processor lowers the rate of context switches because it does not allow much processor time for other process threads. A high rate of context switching means that the processor is being shared repeatedly (for example, by many threads of equal priority). It is a good practice to minimize the context switching rate by reducing the number of active threads on the system. The use of thread pooling, I/O completion ports, and asynchronous I/O can reduce the number of active threads. Consult your in-house developers or application vendors to determine if the applications you are running provide tuning features that limit the number of threads.

A context switching rate of 300 per second per processor is a moderate amount; a rate of 1000 per second or more is high. Values at this high level may be a problem.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

Processor Queue Length

Indicates if the system can handle processing requests.

This counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time.

This counter reports a total queue length for all processors, not a length per processor. To learn more, see http://technet.microsoft.com/en-us/library/cc938643.aspx.

Distributed File System

Enables you to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders.

DNS Server

Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.

Intersite Messaging

Enables messages to be exchanged between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start.

Kerberos Key Distribution Center

On domain controllers, this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.

Windows Time

Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

DNS Client

The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

Security Accounts Manager

The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

Server

Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Workstation

Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Remote Procedure Call (RPC)

The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions, and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running.

Net Logon

Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.

Active Directory Domain Services

This is a core AD DS Domain Controller service. If this service is stopped, users cannot log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.

Active Directory Web Services

This service provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If this service is stopped or disabled, client applications, such as Active Directory PowerShell, cannot access or manage any directory service instances running locally on this server.