Documentation forServer & Application Monitor

Configure AppInsight for Active Directory on nodes

After assigning AppInsight for Active Directory to individual domain controllers, you can customize the settings in the application monitor for each node. Some settings can impact domain controller performance in large environments.

  1. Click Settings > All Settings > SAM Settings > Manage Application Monitors.
  2. Select the node, which will list "Active Directory" as the Assigned Application Monitor, and then click Edit Properties.
  3. (Optional) Click Advanced to display settings for credentials, ports, encryption, and more.

    When working with component monitors, note that AppInsight uses domain controller IP addresses instead of domain names for polling; LDAP components do not include the $DomainName parameter in configuration fields. This use of IP address enables different applications to get data from all monitored domain controllers in a single domain. Click here to learn more about component monitors in this template.

  4. Adjust values and settings, as necessary, and then click Submit to save changes.
  5. If you changed settings for an existing domain controller, use the Orion Service Manager to restart the SolarWinds Collector Service.

Options in Advanced settings include:

  • LDAP Port Number: The default port to connect to domain controller LDAP services is 389.
  • Global Catalog Port Number: AppInsight can collect trust data for domain controllers configured as Global Catalog (GC) servers on port 3268, as displayed in the Trust Summary widget. To use port 3269 instead, update that setting here.
    To determine if a domain controller is a GC server, use PowerShell to check the IsGlobalCatalog flag:
      Get-ADDomainController-Filter {Site-eq 'Default-First-Site-Name'}} | FT Name,IsGlobalCatalog
      Get-ADDomainController | ft Name,IsGlobalCatalog
  • Encryption Method: Active Directory does not support encryption so this value is set to None, by default. To use SSL or StartTLS, add an LDAP certificate to the server manually.
  • Ignore Certificate Errors: By default, the AppInsight ignores certificate errors encountered during polling. Enable this setting if you want users to verify a server connection when SAM encounters an invalid certificate during polling.
  • Authentication Method: By default, authentication is set to Negotiate so SAM can use Kerberos or NT LAN Manager (NTLM) authentication.
  • Enable Domain Components: Available since SAM 2020.2.1, this setting determines if SAM polls LDAP domain configuration components, such as sites and trusts. Enabled by default, you can disable this setting to reduce redundant LDAP polling in your environment; only replication details are polled. See below for details.
    • Use the Orion Service Manager to restart the SolarWinds Collector Service if you change this setting later. Otherwise, the status of the Active Directory application displays as Down in the Orion Web Console and warnings appear in application logs.
    • Domain Controller Details and Site Details widgets are hidden on the Application Details page if this setting is disabled.
  • Enable Total Counters: By default, some component monitors are disabled in the AppInsight for Active Directory template to avoid performance issues when setting up domain controllers in environments with large quantities of users and computers. After adding AppInsight to individual nodes, you can enable the following counters for a node.
    • Total User Accounts
    • Total Disabled User Accounts
    • Total Computer Accounts
    • Total Inactive Users
    • Total Inactive Computers
    • Total Expired Password User Accounts

    Restart the SolarWinds Collector Service if you change this setting later. Otherwise, the status of the Active Directory application displays as Down in the Orion Web Console and warnings appear in application logs.

Customize AppInsight for Active Directory on individual domain controllers to boost performance

As described in Best practices, adding AppInsight for Active Directory to one domain controller per site is sufficient for general visibility. However, if you want to track replication status between domain controllers across a site, you may decide to assign AppInsight to all domain controllers. In earlier versions of SAM, the amount of polling involved could strain available resources.

Starting in SAM 2020.2.1, you can turn off the Enable Domain Components setting for individual domain controllers to reduce polling; only replication details will be polled. LDAP data (for example, sites and trusts) won't be collected.

By limiting that data that AppInsight need to poll on most domain controllers, you can:

  • Reduce redundant LDAP data collection.
  • Improve performance, especially in large customer environments with numerous Active Directory domain controllers in each domain.
  • Enhance scalability. Instead of only 50 domain controllers — the recommended limit in SAM 2020.2 and earlier, you can monitor up to 200 domain controllers.

Remember to restart the SolarWinds Collector Service if you change polling options. Otherwise, the Active Directory application appears as Down in the Orion Web Console and warnings appear in application logs.