Best practices for AppInsight for Active Directory
When using and configuring AppInsight for Active Directory, SolarWinds recommend the following best practices:
- SolarWinds recommends the following limits for AppInsight for Active Directory monitoring:
- Up to 150,000 users and computers per domain controller.
- Starting in SAM 2020.2.1, up to 200 domain controllers.
In earlier SAM versions, 50 domain controllers.
Click here to learn how Advanced settings can impact domain controller performance and scalability.
- When adding nodes for domain controllers, select Windows Servers: WMI and ICMP as the polling method so AppInsight for Active Directory widgets can display node status and names properly via WMI. ICMP-only nodes cannot supply DNS or SysName values required to compute replications for destination domain controller FQDN names. See this article in the SolarWinds Success Center for details.
- Consider limiting usage to a few key domain controllers for this database-intensive feature. For general visibility, applying AppInsight for Active Directory to one domain controller per site is sufficient. However, to track replication status between domain controllers, assign AppInsight for Active Directory to all domain controllers within a site to ensure visibility into the replication status across the site.
- Several "Total" performance counters (for example, Total Inactive Users) are initially disabled in the AppInsight for Active Directory template to avoid performance issues in environments with large quantities of users and computers, especially on clients. You can enable those component monitor for individual nodes, as necessary. See Configure AppInsight for Active Directory on nodes.
- Starting in SAM 2020.2.1, you can configure AppInsight for Active Directory on individual nodes to poll for replication details without collecting domain configuration data, such as sites and trusts. This can improve performance in large environments. Click here to learn more about the Enable Domain Components option, available in Advanced settings for application monitors.
Starting in SAM 2020.2, you can use WinRM as the transport method for AppInsight polling via WMI. To learn more see, Use WinRM for application monitor polling in SAM.
- When first testing alerts, only assign the alerts to your own or other tester email addresses. Watch and monitor the alerts for two weeks to generate stable baselines that you can use to refine monitoring and alert actions for the usage and performance in your specific environment. Your environment's baseline and performance expectations may vary, as compared to the default thresholds.
- Create custom views with different AppInsight for Active Directory widgets for user groups in your organization. See the Orion Platform Administrator Guide for details.
SolarWinds recommends using Active Directory accounts with limited permissions (for example, read-only administrators) for AppInsight for Active Directory monitoring.