AppInsight for Active Directory

This template monitors and reports on physical and virtual Active Directory environments to identify issues about domain controllers, replication, and more. You can use it to track many key aspects of Active Directory by getting relevant performance data from the server level.

Note the following details about the AppInsight for Active Directory template:

  • To avoid performance issues in large environments, several "total" counters, such as Total User Accounts and Total Inactive Users, are initially disabled in the AppInsight for Active Directory template. After adding AppInsight for Active Directory to nodes, you can enable these component monitors.
  • AppInsight templates include several component monitors with default settings that cannot be modified due to dependencies. Also, you cannot add component monitors to AppInsight templates.

To learn more, see Monitor with AppInsight for Active Directory in the SAM Administration Guide.

Component monitors

For details on monitors, see SAM component monitors.

Naming Contexts

Total number of naming contexts in the domain.

Replication Details

This component gathers Active Directory replication data, such as replication direction and the replication transport protocol.

FSMO Role - Schema Master

Total number of Schema Master roles in the domain.

FSMO Role - Domain Naming Master

Total number of Domain Naming Master roles in the domain.

FSMO Role - RID Master

Total number of RID Master roles in the domain.

FSMO Role - Infrastructure Master

Total number of Infrastructure Master roles in the domain.

FSMO Role - PDC Emulator

Total number of PDC Emulator roles in the domain.

Total User Accounts

Total number of Active Directory users in the domain.

Total Disabled Accounts

Total number of disabled user accounts in the domain.

Total Computer Accounts

Total number of computer accounts in the domain.

Total Domain Controllers

Total number of domain controllers in the domain.

Total Inactive Users

Total number of inactive users in the domain.

Total Inactive Computers

Total number of inactive computers in the domain.

Sites

Total number of sites in the domain.

Subnets

Total number of subnets in the domain.

Links

Total number of site links in the domain.

Servers

Total number of Active Directory servers in the domain.

Total Expired Password User Accounts

Total number of user accounts which currently have an expired password.
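The "total" counters above are disabled by default in large environments, so it is useful to be able to recompute them on demand and compare them with what the template reports. The following is an added example written for this page, not SolarWinds code: it uses the ActiveDirectory PowerShell module to produce the same totals (naming contexts, FSMO role holders, user, computer and domain controller counts, inactive and expired-password accounts, sites, subnets and site links). The 90-day inactivity window and the 1000-object page size are assumptions; set them to match your template configuration.

```powershell
# Added example (not part of the SolarWinds template): recompute the
# AppInsight "total" counters with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdInventoryTotals {
    param(
        # Any writable DC; defaults to one discovered in the current domain.
        [string]$Server = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1),
        [int]$InactiveDays = 90,      # assumed inactivity window
        [int]$PageSize = 1000         # assumed LDAP page size for large directories
    )

    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    $since  = New-TimeSpan -Days $InactiveDays

    # Paging (-ResultPageSize) keeps each LDAP request small; pulling every
    # object in one request is the load the template avoids by default.
    [pscustomobject]@{
        NamingContexts       = (Get-ADRootDSE -Server $Server).namingContexts.Count
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RidMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        PdcEmulator          = $domain.PDCEmulator
        TotalUsers           = @(Get-ADUser -Filter * -Server $Server -ResultPageSize $PageSize).Count
        DisabledUsers        = @(Get-ADUser -Filter 'Enabled -eq $false' -Server $Server -ResultPageSize $PageSize).Count
        TotalComputers       = @(Get-ADComputer -Filter * -Server $Server -ResultPageSize $PageSize).Count
        DomainControllers    = @(Get-ADDomainController -Filter * -Server $Server).Count
        InactiveUsers        = @(Search-ADAccount -AccountInactive -TimeSpan $since -UsersOnly -Server $Server -ResultPageSize $PageSize).Count
        InactiveComputers    = @(Search-ADAccount -AccountInactive -TimeSpan $since -ComputersOnly -Server $Server -ResultPageSize $PageSize).Count
        ExpiredPasswordUsers = @(Search-ADAccount -PasswordExpired -UsersOnly -Server $Server -ResultPageSize $PageSize).Count
        Sites                = @(Get-ADReplicationSite -Filter * -Server $Server).Count
        Subnets              = @(Get-ADReplicationSubnet -Filter * -Server $Server).Count
        SiteLinks            = @(Get-ADReplicationSiteLink -Filter * -Server $Server).Count
    }
}

Get-AdInventoryTotals | Format-List
```

Run it against one DC at a time; the numbers are per domain, so in a multi-domain forest call it once per domain with `-Server` pointed at a DC in that domain. A large gap between these totals and the template's values usually means the template is polling a different DC or the inactivity window differs.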

Machine Account authentication failure event

This monitor returns the number of events that indicate a machine account failed to authenticate. This is usually caused either by multiple instances of the same computer name or by a computer name that has not yet replicated to every domain controller.

If you do not find multiple instances of the computer name, verify that replication is functioning for the domain that contains the computer account.

Replication Duplicate Object found event

This monitor returns the number of events that indicate a duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible. See Troubleshooting Directory Data problems to learn more. (©2019 Microsoft Corp., available at http://technet.microsoft.com, obtained on March 4, 2019)

Failed Replication Event

This monitor returns the number of events that indicate replication failed for the reason stated in the message text. Use the Windows Server tool Repadmin.exe to further identify the problem.

Replication configuration does not reflect topology event

This monitor returns the number of events that occur when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.

Lingering objects disconnection error event

This monitor returns the number of events usually generated by a lingering object which resulted from disconnecting a domain controller for too long.

If the domain controller does not also function as a global catalog server, see "Remove Lingering Objects from an Outdated Writable Domain Controller" in Troubleshooting Active Directory Replication Problems. If the domain controller also functions as a global catalog server, see "Remove Lingering Objects from a Global Catalog Server." (©2019 Microsoft Corp., available at http://technet.microsoft.com, obtained on March 4, 2019)

Replication Link GUID mismatch event

This monitor returns the number of events that occur over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the Service Principal Name (SPN) attributes of the computer object of this replication partner.
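The four replication event monitors above tell you that something went wrong; the next step the page suggests is Repadmin.exe. As an added example (not SolarWinds code), the function below collects the same information with the ActiveDirectory module's replication cmdlets: current inbound failures per DC and partner, and partner links whose last success is older than a staleness window. The one-failure threshold and the 24-hour staleness window are assumptions.

```powershell
# Added example (not part of the SolarWinds template): summarize replication
# failures and stale partner links across the forest.
Import-Module ActiveDirectory

function Get-AdReplicationHealth {
    param(
        [int]$FailureThreshold = 1,   # assumed: report any link with at least one failure
        [int]$StaleHours = 24         # assumed: flag links with no success in this window
    )

    $forestName = (Get-ADForest).Name

    # One row per failing inbound link, as each DC records it.
    $failing = Get-ADReplicationFailure -Target $forestName -Scope Forest |
        Where-Object { $_.FailureCount -ge $FailureThreshold } |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

    # Inbound partner metadata for every DC. PartnerGuid is the partner's DSA
    # GUID, the value the "Replication Link GUID mismatch" event is about.
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    $stale = Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        Select-Object Server, Partner, PartnerGuid, Partition,
                      LastReplicationAttempt, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures

    [pscustomobject]@{
        FailingLinks = @($failing)
        StaleLinks   = @($stale)
    }
}

# The classic tool the page mentions gives the same view; its CSV output can
# be filtered the same way.
function Get-RepadminFailures {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

$health = Get-AdReplicationHealth
$health.FailingLinks | Format-Table -AutoSize
$health.StaleLinks   | Format-Table -AutoSize
```

`Get-ADReplicationFailure` and `Get-ADReplicationPartnerMetadata` query each DC over RPC, so the account running this needs to reach every DC in the forest; for a single DC, use `-Scope Server` with that DC's name as the target.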

User Account cannot be resolved event

This monitor returns the number of events that indicate a user account in one or more Group Policy objects (GPOs) cannot be resolved to a security identifier (SID). This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.

User Account was created event

This monitor returns the number of events logged when a new user account is created. Event ID: 4720.

Only authorized people and processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.

Attempt to change Account password event

This monitor returns the number of events logged when someone attempts to change an account password. Event ID: 4723.

This event is logged as a failure if the new password fails to meet the password policy. This event results from a password change request in which the user supplies the original password of the account. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password. If Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password.

Attempt to reset Account password

This monitor returns the number of events when a user or process resets an account password through an administrative interface such as Active Directory Users and Computers, rather than through a password change process. Event ID: 4724.

This event is logged as a failure if the new password fails to meet the password policy.

Only authorized people or processes should carry out this process, such as help desk or user self-service password reset.

Account was disabled event

This monitor returns the number of events logged when an account is disabled. Event ID: 4725. Always investigate this event.

Account was deleted event

This monitor returns the number of events logged when a user account is deleted. Event ID: 4726.

Only authorized people and processes should delete network accounts. Search for these events and examine the Primary Account Name field to detect whether unauthorized people have deleted accounts.
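The five account-lifecycle monitors above (events 4720, 4723, 4724, 4725 and 4726) all come with the same investigative step: compare the account that performed the action with the account it was performed on. The following is an added example, not SolarWinds code, that pulls those events from a domain controller's Security log, reads the Subject and Target fields from the event XML rather than the rendered message text, and flags entries where the subject is not the target and is not on an approved-operator list. The event IDs are the ones on the page; the 24-hour look-back window and the approved-operator names are assumptions.

```powershell
# Added example (not part of the SolarWinds template): list account
# create/change/reset/disable/delete events and flag the ones to review.
function Get-AdAccountChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,                 # a domain controller
        [int]$Hours = 24,                                          # assumed look-back window
        [string[]]$ApprovedOperators = @('svc_helpdesk', 'svc_idm') # assumed service accounts
    )

    # Event IDs from the page: 4720 created, 4723 change attempt,
    # 4724 reset, 4725 disabled, 4726 deleted.
    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4723, 4724, 4725, 4726
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields by name; independent of message formatting.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $subject = $data['SubjectUserName']   # "Primary Account Name" in the page's terms
            $target  = $data['TargetUserName']

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Action  = $(switch ($_.Id) {
                    4720 { 'created' }
                    4723 { 'password change attempt' }
                    4724 { 'password reset' }
                    4725 { 'disabled' }
                    4726 { 'deleted' }
                })
                Subject = "$($data['SubjectDomainName'])\$subject"
                Target  = "$($data['TargetDomainName'])\$target"
                Outcome = $(if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'failure' } else { 'success' })
                # A user changing their own password (4723) is expected. Anything
                # done to another account by a subject outside the approved list
                # is what the monitor guidance says to examine.
                Review  = ($subject -ne $target) -and ($subject -notin $ApprovedOperators)
            }
        }
}

Get-AdAccountChangeEvent | Where-Object Review | Format-Table -AutoSize
```

Account events are logged on the DC that processed the request, so run this against each DC or forward the Security logs to a collector first. A 4723 with Outcome `failure` and Subject equal to Target is the ordinary "new password rejected by policy" case described above; repeated failures against someone else's account deserve the same attention as a success.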

An attempt was made to set the Directory Services Restore Mode administrator password

This monitor returns the number of events when someone attempts to change the Directory Services Restore Mode password on a domain controller. Event ID: 4794.

Check Workstation IP and Account Name and investigate immediately.

Clearing the Security Event Logs event

This monitor returns the number of times security logs have been cleared. Event ID: 517.

Administrators should not clear security event logs without authorization. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

Changing system time event

This monitor returns the number of times the system time has been changed. Event ID: 520.

This action can mislead a forensic investigation or provide an attacker with a false alibi. The process name is %windir%\system32\svchost.exe. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.

Changing audit policy event

This monitor returns the number of times audit policies have been changed. Event ID: 612.

This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high value computers and domain controllers.

Changing the domain security policy event

This monitor returns the number of attempts to modify a password policy or other domain security policy settings. Event ID: 643.

Check user name of subject and correlate with authorization.

LDAP Active Threads

The current number of threads in use by the LDAP subsystem of the local directory service.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

LDAP Bind Time

The time (in milliseconds) required for the completion of the last successful LDAP binding.

This counter should be as low as possible. If it is not, it usually indicates that hardware or network-related problems are occurring.

LDAP Client Sessions

The number of currently connected LDAP client sessions.

This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

Directory Service Threads in Use

The current number of threads in use by the directory service.

This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

Address Book Client Sessions

The number of connected Address Book client sessions.

Directory Service Notify Queue Size

The number of pending update notifications that are queued, but not yet transmitted to clients.

This counter should be as low as possible.

DRA Inbound Full Sync Objects Remaining

The number of objects remaining until a full synchronization completes (sampled while replication is in progress).

This counter should be as low as possible.

DRA Inbound Values (DNs only)/sec

The number of object property values received from inbound replication partners that are distinguished names (DNs) that reference other objects. DN values, such as group or distribution list memberships, are generally more expensive to apply than other types of values.

DRA Outbound Values (DNs only)/sec

The number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are generally more expensive to read than other kinds of values.

DS Threads in Use

Indicates the current number of threads in use by the directory service.

LDAP successful binds/sec

The number of LDAP bindings (per second) that occurred successfully.

This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.

LDAP searches/sec

The number of search operations per second performed by LDAP clients.

This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.

Directory Services directory reads/sec

The number of directory reads per second.

Directory Services directory writes/sec

The number of directory writes per second.

DRA pending replication synchronizations

The number of directory synchronizations that are queued for this server but not yet processed.

Context switches/sec

Used to determine whether the processor is handling an excessive number of applications.

Interpret this data cautiously. A thread that is heavily using the processor lowers the rate of context switches because it does not allow much processor time for other process threads. A high rate of context switching means that the processor is being shared repeatedly, for example by many threads of equal priority. It is a good practice to minimize the context switching rate by reducing the number of active threads on the system. The use of thread pooling, I/O completion ports, and asynchronous I/O can reduce the number of active threads. Consult your in-house developers or application vendors to determine whether the applications you are running provide tuning features that include limiting the number of threads.

A context switching rate of 300 per second per processor is a moderate amount; a rate of 1000 per second or more is high. Values at this high level may be a problem.

You can provide a value for the warning and critical thresholds based on your current environment and your requirements.

Processor Queue Length

Indicates if the system can handle processing requests.

This counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time.

This counter reports a total queue length for all processors, not a length per processor. To learn more, see http://technet.microsoft.com/en-us/library/cc938643.aspx.
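The counter sections above (LDAP Bind Time through Processor Queue Length) each describe what "healthy" looks like but leave the warning and critical thresholds to you. As an added example, not SolarWinds code, the function below samples the same NTDS and System counters with `Get-Counter`, averages several samples so that instantaneous counters such as Processor Queue Length are not judged on one snapshot, normalizes context switches and queue length per logical processor, and rates each against thresholds. The context-switch thresholds (300/sec per processor moderate, 1000/sec high) are the ones stated above; the bind-time and queue-length thresholds are assumptions to be tuned for your environment.

```powershell
# Added example (not part of the SolarWinds template): sample DC counters and
# rate them against warning/critical thresholds.
function Rate-Value {
    param([double]$Value, [double]$Warn, [double]$Crit)
    if ($Value -ge $Crit) { 'critical' } elseif ($Value -ge $Warn) { 'warning' } else { 'ok' }
}

function Get-AdPerfSnapshot {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [int]$Samples = 5,                           # several samples, 2 s apart
        [int]$BindTimeWarnMs = 30, [int]$BindTimeCritMs = 100,   # assumed
        [double]$QueueWarn = 2, [double]$QueueCrit = 5           # assumed, per processor
    )

    # Counter names are the Windows performance-counter names for the
    # monitors described on this page.
    $paths = @(
        '\NTDS\LDAP Bind Time',
        '\NTDS\LDAP Client Sessions',
        '\NTDS\LDAP Active Threads',
        '\NTDS\DS Threads in Use',
        '\NTDS\DS Notify Queue Size',
        '\NTDS\DRA Pending Replication Synchronizations',
        '\System\Context Switches/sec',
        '\System\Processor Queue Length'
    )
    $cpus = (Get-CimInstance Win32_ComputerSystem -ComputerName $ComputerName).NumberOfLogicalProcessors

    # Average every counter over the sample set.
    $avg = @{}
    $sets = Get-Counter -ComputerName $ComputerName -Counter $paths -SampleInterval 2 -MaxSamples $Samples
    foreach ($set in $sets) {
        foreach ($c in $set.CounterSamples) {
            $name = ($c.Path.ToLower() -split '\\')[-1]     # e.g. "ldap bind time"
            $avg[$name] = [double]$avg[$name] + ($c.CookedValue / $Samples)
        }
    }

    # Page guidance: context switches and queue length are totals; judge them per processor.
    $ctxPerCpu   = $avg['context switches/sec'] / $cpus
    $queuePerCpu = $avg['processor queue length'] / $cpus

    [pscustomobject]@{
        Computer                    = $ComputerName
        LdapBindTimeMs              = [math]::Round($avg['ldap bind time'], 1)
        LdapBindTimeState           = Rate-Value $avg['ldap bind time'] $BindTimeWarnMs $BindTimeCritMs
        LdapClientSessions          = [int]$avg['ldap client sessions']
        LdapActiveThreads           = [int]$avg['ldap active threads']
        DsThreadsInUse              = [int]$avg['ds threads in use']
        DsNotifyQueueSize           = [int]$avg['ds notify queue size']      # page: as low as possible
        DraPendingSyncs             = [int]$avg['dra pending replication synchronizations']
        ContextSwitchesPerCpuPerSec = [math]::Round($ctxPerCpu)
        ContextSwitchState          = Rate-Value $ctxPerCpu 300 1000           # thresholds from the page
        ProcessorQueuePerCpu        = [math]::Round($queuePerCpu, 2)
        ProcessorQueueState         = Rate-Value $queuePerCpu $QueueWarn $QueueCrit
    }
}

Get-AdPerfSnapshot | Format-List
```

The NTDS counter set only exists on domain controllers, so running this against a member server fails at `Get-Counter`. A bind time that stays high while LDAP Client Sessions and LDAP successful binds/sec show normal activity points at the DC itself rather than the network, which is the distinction the counter descriptions above draw.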

Distributed File System

Enables you to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders.

DNS Server

Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.

Intersite Messaging

Enables messages to be exchanged between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start.

Kerberos Key Distribution Center

On domain controllers, this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.

Windows Time

Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

DNS Client

The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

Security Accounts Manager

The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

Server

Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Workstation

Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Remote Procedure Call (RPC)

The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions, and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running.

Net Logon

Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.

Active Directory Domain Services

This is a core AD DS Domain Controller service. If this service is stopped, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.

Active Directory Web Services

This service provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If this service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on this server.
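The service monitors above are listed by display name. The following is an added example, not SolarWinds code, that maps each of them to its Windows service short name and checks on a domain controller that the service is running and set to start automatically, which is the state the descriptions above assume. The short names are the standard Windows ones (`Dfs` is the DFS Namespace service behind "Distributed File System").

```powershell
# Added example (not part of the SolarWinds template): verify the DC services
# described on this page are running and start automatically.
function Test-AdDcServices {
    param([string]$ComputerName = $env:COMPUTERNAME)   # a domain controller

    # Short name => display name as used in the monitor list above.
    $expected = [ordered]@{
        Dfs               = 'Distributed File System'
        DNS               = 'DNS Server'
        IsmServ           = 'Intersite Messaging'
        Kdc               = 'Kerberos Key Distribution Center'
        W32Time           = 'Windows Time'
        Dnscache          = 'DNS Client'
        SamSs             = 'Security Accounts Manager'
        LanmanServer      = 'Server'
        LanmanWorkstation = 'Workstation'
        RpcSs             = 'Remote Procedure Call (RPC)'
        Netlogon          = 'Net Logon'
        NTDS              = 'Active Directory Domain Services'
        ADWS              = 'Active Directory Web Services'
    }

    foreach ($name in $expected.Keys) {
        # Win32_Service exposes both the run state and the start mode.
        $svc = Get-CimInstance Win32_Service -ComputerName $ComputerName -Filter "Name='$name'"
        [pscustomobject]@{
            Monitor   = $expected[$name]
            Name      = $name
            State     = $(if ($svc) { $svc.State } else { 'not installed' })
            StartMode = $(if ($svc) { $svc.StartMode } else { '-' })
            # Healthy means running now and configured to come back after a reboot.
            Ok        = [bool]$svc -and ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
        }
    }
}

# Show only the services that need attention.
Test-AdDcServices | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

"Distributed File System" is not installed on every DC; if the role is absent the row reports `not installed` and should be ignored. A stopped Security Accounts Manager or Kerberos Key Distribution Center on a DC affects every logon the DC serves, so those rows are the ones to act on first.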