Configure AppInsight for Active Directory on nodes
After assigning AppInsight for Active Directory to individual domain controllers, you can customize the settings in the application monitor for each node. Some settings can impact domain controller performance in large environments.
For a related SAM use case, see Domain Controller Health Check and Monitoring.
To set up AppInsight for Active Directory on nodes:
- Click Settings > All Settings > SAM Settings > Manage Application Monitors.
- Select the node, which will list "Active Directory" as the Assigned Application Monitor, and then click Edit Properties.
- (Optional) Click Advanced to display settings for credentials, ports, encryption, and more.
When working with component monitors, note that AppInsight uses domain controller IP addresses instead of domain names for polling; LDAP components do not include the $DomainName parameter in configuration fields. Using IP addresses enables different applications to get data from all monitored domain controllers in a single domain. Click here to learn more about individual component monitors.
- Adjust values and settings, as necessary, and then click Submit to save changes.
- If you changed settings for an existing domain controller, use SolarWinds Platform Service Manager to restart the SolarWinds Collector Service.
Advanced setting options include:
- LDAP Port Number: The default port to connect to domain controller LDAP services is 389.
- Global Catalog Port Number: AppInsight can collect trust data for domain controllers configured as Global Catalog (GC) servers on port 3268, as displayed in the Trust Summary widget. To use port 3269 instead, update that setting here.
To determine if a domain controller is a GC server, use PowerShell to check the IsGlobalCatalog flag:
    Get-ADDomainController -Filter {Site -eq 'Default-First-Site-Name'} | FT Name,IsGlobalCatalog
    Get-ADDomainController | ft Name,IsGlobalCatalog
- Encryption Method: Active Directory does not support encryption, so this value is set to None by default. To use SSL or StartTLS, add an LDAP certificate to the server manually.
- Ignore Certificate Errors: By default, AppInsight ignores certificate errors encountered during polling. Enable this setting if you want users to verify a server connection when SAM encounters an invalid certificate during polling.
- Authentication Method: By default, authentication is set to Negotiate so SAM can use Kerberos or NT LAN Manager (NTLM) authentication.
- Enable Domain Components: For each domain controller, AppInsight uses component monitors to collect domain-related metrics, as well as metrics about replication. To reduce polling loads, you can limit polling for domain-related metrics to a single domain controller within each domain. See below for details.
- Restart the SolarWinds Collector Service if you change this setting after initial setup. Otherwise, the status of the Active Directory application displays as Down in the SolarWinds Platform Web Console and warnings appear in application logs.
- Enable Total Counters: By default, some component monitors are disabled in the AppInsight for Active Directory template to avoid performance issues when setting up domain controllers in environments with large quantities of users and computers. After adding AppInsight to individual nodes, you can enable the following counters for a node.
- Total User Accounts
- Total Disabled User Accounts
- Total Computer Accounts
- Total Inactive Users
- Total Inactive Computers
- Total Expired Password User Accounts
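Before changing the Global Catalog Port Number, Encryption Method, or Ignore Certificate Errors settings above, it helps to know which domain controllers answer on each port and whether the certificate served on 3269 would pass validation. The following script is an added example, not SolarWinds code. It assumes the ActiveDirectory module (RSAT) and PowerShell 5.0 or later, connects by host name, and uses a hypothetical helper named Get-TlsCertStatus.

```powershell
# Added example: pre-flight check of the ports named in the Advanced settings.
Import-Module ActiveDirectory

# Hypothetical helper: completes a TLS handshake and reports what a strict
# client would have rejected, plus the certificate expiry date.
function Get-TlsCertStatus {
    param([string]$HostName, [int]$Port)
    $script:policyErrors = $null
    # Return $true so the handshake finishes and the certificate can be read,
    # but record the validation errors instead of discarding them.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Errors = [string]$script:policyErrors; NotAfter = $cert.NotAfter }
    } catch {
        [pscustomobject]@{ Errors = "No TLS: $($_.Exception.Message)"; NotAfter = $null }
    } finally {
        $client.Close()
    }
}

Get-ADDomainController -Filter * | ForEach-Object {
    # Only Global Catalog servers are expected to listen on 3268/3269.
    $tls = if ($_.IsGlobalCatalog) { Get-TlsCertStatus -HostName $_.HostName -Port 3269 }
    [pscustomobject]@{
        Name            = $_.Name
        IsGlobalCatalog = $_.IsGlobalCatalog
        Ldap389Open     = Test-NetConnection $_.HostName -Port 389 -InformationLevel Quiet
        Gc3268Open      = $_.IsGlobalCatalog -and
                          (Test-NetConnection $_.HostName -Port 3268 -InformationLevel Quiet)
        Gc3269TlsErrors = $tls.Errors      # "None" means the certificate validated
        Gc3269CertEnds  = $tls.NotAfter
    }
} | Format-Table -AutoSize
```

A Gc3269TlsErrors value other than None (for example RemoteCertificateNameMismatch or RemoteCertificateChainErrors) identifies the certificate problem to fix on that domain controller before relying on certificate validation during polling.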
Customize AppInsight for Active Directory on individual domain controllers to boost performance
As described in Best practices, adding AppInsight for Active Directory to one domain controller per site is sufficient for general visibility because all domain controllers within a single domain should report identical data.
In SAM 2020.2.1 and later, you can edit application monitors assigned to most domain controllers at a site to turn off the Enable Domain Components setting. AppInsight will continue polling replication-related metrics, but only collect domain-specific data (for example, about sites and trusts) for domain controllers where the setting is in its default state.
By limiting the data that AppInsight polls on domain controllers, you can:
- Reduce redundant data collection.
- Improve performance, especially in large customer environments with numerous Active Directory domain controllers in each domain.
- Enhance scalability. Instead of only 50 domain controllers — the recommended limit in SAM 2020.2 and earlier — you can monitor up to 200 domain controllers.
Note the following details about adjusting the Enable Domain Components setting:
- Although this option is not available at the template level, you can adjust it in application monitors already assigned to individual domain controllers.
- Use the SolarWinds Platform Service Manager to restart the SolarWinds Collector Service if you change this setting after initial deployment. Otherwise, the status of the Active Directory application displays as Down in the SolarWinds Platform Web Console and warnings appear in application logs.
- Domain Controller Details and Site Details widgets are hidden on related Application Details views if this setting is disabled.