Documentation for Server & Application Monitor

AppInsight for Active Directory requirements and permissions

Operating systems

Domain controllers should already be running Active Directory Domain Services (AD DS) on:

  • Windows Server 2012 R2,
  • Windows Server 2016, or
  • Windows Server 2019.

Nodes

Nodes should already be running Active Directory Domain Services.

If you plan to use the Discovery to add AppInsight for Active Directory to nodes, enable WMI on domain controllers so they can be detected during Discovery.

When adding domain controller nodes to the Orion Platform, select Windows Servers: WMI and ICMP as the polling method so that the AppInsight for Active Directory widgets can display node status and names correctly via WMI. An ICMP-only node cannot supply the DNS and SysName values that AppInsight needs to resolve the FQDN of each destination domain controller when it computes replication status.

Obtain the IP address or fully-qualified domain name (FQDN) of each domain controller.

To look up an FQDN, open a Windows command prompt on a computer that can reach the domain's DNS servers and run nslookup followed by the domain controller's host name or IP address.

Ports

Following are the default ports for AppInsight for Active Directory. If necessary, you can adjust settings for individual domain controllers later. See Configure AppInsight for Active Directory on nodes.

  • LDAP: 389
  • LDAPS: 636
  • Global Catalog (GC): 3268
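The two preparation steps above (collect the FQDN and IP address of every domain controller, and confirm the default LDAP ports are reachable) can be done in one pass from the host that will poll them. The following is an added example and not part of the SolarWinds documentation; it uses the .NET ActiveDirectory classes and the built-in DnsClient and NetTCPIP cmdlets, so it needs a domain-joined Windows host but no RSAT module. The DomainName parameter and the sample domain name are assumptions.

```powershell
# Added example (not SolarWinds code): inventory domain controllers with the
# FQDN and IP address that AppInsight for Active Directory needs, check that
# forward and reverse DNS agree, and test the default LDAP/LDAPS/GC ports.

function Get-DomainControllerInventory {
    param(
        # Assumed parameter: leave empty to use the domain of the current computer,
        # or pass a name such as 'corp.example.com'.
        [string]$DomainName
    )
    if ($DomainName) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    } else {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }

    foreach ($dc in $domain.DomainControllers) {
        # Forward lookup of the FQDN, the same answer nslookup would give.
        $forward = Resolve-DnsName -Name $dc.Name -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.QueryType -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress
        # Reverse lookup of the address the DC reports. A mismatch usually means a
        # stale PTR record, which later shows up as a wrong node name in SAM.
        $reverse = Resolve-DnsName -Name $dc.IPAddress -Type PTR -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty NameHost
        $reverseNames = @($reverse | ForEach-Object { $_.TrimEnd('.') })

        # Default AppInsight ports: LDAP 389, LDAPS 636, Global Catalog 3268.
        $ports = foreach ($p in 389, 636, 3268) {
            $ok = Test-NetConnection -ComputerName $dc.Name -Port $p `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            '{0}={1}' -f $p, $(if ($ok) { 'open' } else { 'closed' })
        }

        [pscustomobject]@{
            FQDN          = $dc.Name
            IPAddress     = $dc.IPAddress
            Site          = $dc.SiteName
            ForwardRecord = ($forward -join ',')
            ReverseRecord = ($reverseNames -join ',')
            DnsConsistent = ($forward -contains $dc.IPAddress) -and ($reverseNames -contains $dc.Name)
            Ports         = ($ports -join ' ')
        }
    }
}

Get-DomainControllerInventory | Format-Table -AutoSize
```

Run it from the SAM polling engine so the port results reflect the path the poller will actually use. A domain controller whose DnsConsistent column is false should have its DNS records fixed before it is added as a node, because AppInsight derives destination names for replication checks from DNS.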

Starting in SAM 2020.2, WinRM is the default transport method for data polled by WMI-based component monitors. If WinRM is disabled, WMI falls back to DCOM/RPC: the polling engine first contacts the RPC endpoint mapper on TCP 135 and then continues on a port that the domain controller allocates from its dynamic port range, which can lie anywhere between 1025 and 65535. Enable the Inbound Rules in the Windows Management Instrumentation (WMI) firewall group and add firewall exceptions that allow inbound TCP traffic from the polling engine on the dynamic range the server uses, so that monitored objects that use WMI can be mapped:

  • TCP ports 1025-5000 (the dynamic range used by Windows versions before Windows Server 2008)
  • TCP ports 49152-65535 (the default dynamic range on Windows Server 2008 and later, including every version listed above)

Rather than opening the whole range to the network, restrict these rules to the IP address of the SAM polling engine.
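The following is an added example, not part of the SolarWinds documentation, for checking a domain controller's side of this: it reports whether WinRM is listening, reads the dynamic port range the server actually uses, and enables the WMI firewall group while limiting it to the polling engine's address. It assumes English netsh output and a polling engine address of 10.0.0.50; both are placeholders. Run it on the domain controller as an administrator; nothing is changed unless -Apply is given.

```powershell
# Added example (not SolarWinds code): WMI/WinRM transport and firewall check
# for a domain controller monitored by AppInsight for Active Directory.
param(
    [string]$PollingEngine = '10.0.0.50',   # assumed address of the SAM polling engine
    [switch]$Apply
)

function Get-WmiTransportStatus {
    # WinRM answers on TCP 5985 (HTTP) or 5986 (HTTPS). Test-WSMan throws when the
    # service is not listening, so a caught exception means "not available".
    $winrm = $false
    try { $null = Test-WSMan -ErrorAction Stop; $winrm = $true } catch { }

    # DCOM/RPC fallback: endpoint mapper on TCP 135 plus the dynamic range the
    # server actually uses (49152-65535 by default on Windows Server 2008 and later
    # unless it was changed with "netsh int ipv4 set dynamicport"). English netsh
    # output is assumed for the regular expressions below.
    $dyn   = netsh int ipv4 show dynamicport tcp
    $start = [int](($dyn | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($dyn | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)

    [pscustomobject]@{
        WinRmListening    = $winrm
        RpcEndpointMapper = 135
        DynamicRangeStart = $start
        DynamicRangeEnd   = $start + $count - 1
    }
}

function Set-WmiFirewallScope {
    param([string]$RemoteAddress, [switch]$Apply)
    # The built-in group holds DCOM-In (TCP 135), WMI-In (the WMI service on the
    # dynamic RPC ports) and ASync-In. Enabling it is what the documentation asks
    # for; restricting RemoteAddress is the extra step that keeps the dynamic
    # range from being reachable by every host on the network.
    $group = 'Windows Management Instrumentation (WMI)'
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound
    if ($Apply) {
        $rules | Enable-NetFirewallRule
        $rules | Set-NetFirewallRule -RemoteAddress $RemoteAddress
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound
    }
    $rules | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
}

Get-WmiTransportStatus | Format-List
Set-WmiFirewallScope -RemoteAddress $PollingEngine -Apply:$Apply | Format-Table -AutoSize
```

If other management hosts also query WMI on the domain controller, pass all of their addresses in RemoteAddress rather than leaving the rule open to Any. Where WinRM is available, leaving it enabled is the narrower option, since only TCP 5985 or 5986 needs to be reachable instead of the whole dynamic range.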

Encryption

By default, the encryption method used to connect to domain controllers is set to None. A domain controller only accepts SSL (LDAPS on port 636) or StartTLS (on port 389) connections when an LDAP server certificate is installed on it, and a domain controller has no such certificate unless one has been issued to it (for example, by an enterprise CA). With None, the LDAP traffic between the polling engine and the domain controller is not protected by TLS. To use SSL or StartTLS, add an LDAP certificate to the domain controller manually and then change the encryption setting.
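Before switching the setting from None to SSL or StartTLS it is worth confirming that the domain controller really presents a usable certificate, as seen from the polling engine's trust store. The following is an added example and not SolarWinds code; dc01.corp.example.com is a placeholder. It performs a TLS handshake on port 636 and reports the certificate details, then sends the LDAP StartTLS extended operation on port 389.

```powershell
# Added example (not SolarWinds code): verify LDAPS and StartTLS on a domain
# controller before enabling encryption in AppInsight for Active Directory.
# Run from the SAM polling engine so Verify() uses that host's trust store.
param([string]$DomainController = 'dc01.corp.example.com')   # assumed name

function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Accept any certificate during the handshake so it can be inspected;
        # trust is evaluated explicitly below with Verify().
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Server       = $Server
            Port         = $Port
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            NameMatches  = ($dnsName -eq $Server)       # first DNS name only; wildcards not handled
            ChainTrusted = $cert.Verify()               # chain and revocation per this host
            Expired      = ($cert.NotAfter -lt (Get-Date))
        }
    } finally { $client.Close() }
}

function Test-LdapStartTls {
    param([string]$Server, [int]$Port = 389)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    try {
        # Sends the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) and
        # upgrades the plaintext session; throws if the DC cannot or will not.
        $conn.SessionOptions.StartTransportLayerSecurity($null)
        $true
    } catch {
        Write-Warning "StartTLS failed on ${Server}:${Port}: $($_.Exception.Message)"
        $false
    } finally { $conn.Dispose() }
}

Test-Ldaps -Server $DomainController | Format-List
"StartTLS available on {0}: {1}" -f $DomainController, (Test-LdapStartTls -Server $DomainController)
```

If ChainTrusted is false the poller will reject the connection once SSL is enabled, even though the handshake above succeeds; install the issuing CA in the polling engine's trusted roots or issue the domain controller a certificate from a CA the poller already trusts.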

Authentication

By default, authentication is set to Negotiate, which lets SAM authenticate with Kerberos and fall back to NT LAN Manager (NTLM) when Kerberos is not available.

Permissions

Use domain credentials for an account that SAM can use to log in to Active Directory.

  • The account does not need elevated privileges.
  • Local administrator permissions are required to add AppInsight to nodes, but are not needed for monitoring afterwards.
  • The credentials used for monitoring must belong to the domain of the monitored node and have read/write access to the monitored Active Directory instances.

SolarWinds recommends using Active Directory accounts with limited permissions (for example, read-only administrators) to monitor domain controllers with AppInsight for Active Directory. Because the account does not need elevated privileges, do not reuse a Domain Admins or other privileged account for it.
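One way to check that the account handed to SAM really is a limited one, as an added example that is not part of the SolarWinds documentation: read the account's tokenGroups attribute, which lists every group SID the account would carry in its logon token including nested memberships, and compare it against the well-known privileged groups. It uses ADSI, so no RSAT module is required; the account name svc-sam-ad is a placeholder.

```powershell
# Added example (not SolarWinds code): confirm the AppInsight monitoring account
# is not a member, directly or through nesting, of a privileged AD group.
param([string]$AccountName = 'svc-sam-ad')   # assumed sAMAccountName

# Well-known RIDs of domain-level privileged groups (S-1-5-21-<domain>-<RID>).
$privilegedRids = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }
# Built-in groups with fixed SIDs that can reach Domain Admin equivalence.
$privilegedBuiltin = @{
    'S-1-5-32-544' = 'Administrators';   'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'; 'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

function Test-MonitoringAccountPrivilege {
    param([string]$SamAccountName)
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the current domain." }

    $user = $result.GetDirectoryEntry()
    # tokenGroups is a constructed attribute and must be requested explicitly.
    $user.GetInfoEx(@('tokenGroups'), 0)
    $sids = foreach ($raw in $user.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }

    $findings = foreach ($sid in $sids) {
        $s   = $sid.Value
        $rid = [int]($s.Split('-')[-1])
        if ($privilegedBuiltin.ContainsKey($s)) {
            $privilegedBuiltin[$s]
        } elseif ($s -like 'S-1-5-21-*' -and $privilegedRids.ContainsKey($rid)) {
            $privilegedRids[$rid]
        }
    }

    [pscustomobject]@{
        Account           = $SamAccountName
        DistinguishedName = $user.distinguishedName.Value
        GroupCount        = @($sids).Count
        PrivilegedGroups  = @($findings)
        LeastPrivilege    = (@($findings).Count -eq 0)
    }
}

Test-MonitoringAccountPrivilege -SamAccountName $AccountName | Format-List
```

A LeastPrivilege value of false means the account carries more than monitoring needs; move it to a dedicated group that holds only the read/write rights AppInsight requires and re-run the check. The RID-based test covers only the current domain's groups, so for an account in a multi-domain forest repeat it against each domain whose controllers it will monitor.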