AppInsight for Active Directory requirements and permissions

Supported versions

Domain controllers should already be running Active Directory Domain Services (AD DS) on:

  • Windows Server 2012 R2, or
  • Windows Server 2016

Ports

  • WMI is built on DCOM / Remote Procedure Call (DCOM/RPC). A WMI client first contacts the RPC endpoint mapper on TCP port 135, which then hands the session to a port allocated from the domain controller's dynamic port range. Enable the Inbound Rules in the Windows Management Instrumentation (WMI) firewall group and create firewall exceptions that allow inbound TCP traffic from the SAM polling engine on TCP 135 and on whichever dynamic range the server actually uses, so monitored objects that use WMI can be mapped. Opening the whole 1024 to 65535 range is unnecessary; open the range in effect and, where possible, restrict the rule to the poller's address:
    • TCP ports 49152 to 65535 (the default dynamic range on Windows Server 2012 R2 and 2016)
    • TCP ports 1025 to 5000 (the legacy dynamic range, needed only if an administrator has configured it on the server)
  • For LDAP, use the default port, 389 (TCP and UDP).
  • For LDAP over SSL (LDAPS), use TCP port 636.
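The following script, added here as an example and not taken from the SolarWinds page, shows how an administrator would confirm the dynamic range in effect on a domain controller and open exactly the ports listed above. Run it in an elevated PowerShell session on the domain controller; the rule names and the poller address in `$Poller` are assumptions.

```powershell
# Added example (not SolarWinds code): open the WMI and LDAP ports listed on this
# page for the SAM polling engine only. Run elevated on the domain controller.
$Poller = '10.0.0.25'   # assumption: address of the SAM polling engine

# 1. Show the dynamic RPC range actually configured. On Server 2012 R2 / 2016 the
#    default is 49152-65535; a "Start Port: 1025" result means the legacy range.
netsh int ipv4 show dynamicport tcp

# 2. Enable the built-in inbound rules in the WMI firewall group.
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# 3. Explicit exceptions: RPC endpoint mapper, dynamic range, LDAP, LDAPS.
#    Adjust the dynamic range entry if step 1 reports a different range.
$rules = @(
    @{ Name = 'SAM-AppInsight-RPC-EPM';     Protocol = 'TCP'; Port = '135'         },
    @{ Name = 'SAM-AppInsight-RPC-Dynamic'; Protocol = 'TCP'; Port = '49152-65535' },
    @{ Name = 'SAM-AppInsight-LDAP-TCP';    Protocol = 'TCP'; Port = '389'         },
    @{ Name = 'SAM-AppInsight-LDAP-UDP';    Protocol = 'UDP'; Port = '389'         },
    @{ Name = 'SAM-AppInsight-LDAPS';       Protocol = 'TCP'; Port = '636'         }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so re-running does not duplicate them.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $Poller -Profile Domain | Out-Null
    }
}

# 4. Verify: list the rules just created with their protocol and port filters.
Get-NetFirewallRule -DisplayName 'SAM-AppInsight-*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
    } | Format-Table -AutoSize
```

Scoping the rules to `-RemoteAddress $Poller` and the Domain profile keeps the large dynamic range from becoming a general-purpose opening in the domain controller's firewall.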

Encryption

Domain controllers do not encrypt LDAP traffic unless a server certificate has been installed on them, so the encryption method for connecting to domain controllers is set to None by default. To use SSL (LDAPS on port 636) or StartTLS (negotiated on port 389), install a server authentication certificate on the domain controller manually (for example, one issued by an enterprise CA) and then select the matching method in the template. Note that with encryption set to None, a simple LDAP bind sends the account password in cleartext; keep authentication on Negotiate (Kerberos or NTLM) until TLS is in place.

Authentication

By default, authentication is set to Negotiate, so SAM (Server & Application Monitor) uses Kerberos where it can and falls back to NT LAN Manager (NTLM) otherwise, for example when the domain controller is addressed by IP address rather than by a name that matches its service principal name.
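Before changing the encryption setting away from None, it is worth confirming that the domain controller actually accepts an encrypted bind with the monitoring account. The function below is an added example, not part of the SolarWinds page; it uses the .NET `System.DirectoryServices.Protocols` API to bind with Negotiate (Kerberos, then NTLM) over plain LDAP, StartTLS, or LDAPS. The server name and credentials are assumptions.

```powershell
# Added example (not SolarWinds code): test an LDAP bind against a domain
# controller with each encryption method this page describes.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,        # assumption: 'dc01.corp.example'
        [ValidateSet('None', 'StartTLS', 'SSL')]
        [string] $Encryption = 'None',
        [System.Management.Automation.PSCredential] $Credential   # monitoring account
    )
    # LDAPS listens on 636; plain LDAP and StartTLS both use 389.
    $port = if ($Encryption -eq 'SSL') { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # Negotiate = SPNEGO: Kerberos first, NTLM fallback. Unlike a simple bind it does
    # not send the password in cleartext, which matters when Encryption is None.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    try {
        switch ($Encryption) {
            'SSL'      { $conn.SessionOptions.SecureSocketLayer = $true }       # TLS from the first byte
            'StartTLS' { $conn.SessionOptions.StartTransportLayerSecurity($null) } # upgrade on 389
        }
        $conn.Bind()   # throws LdapException / TlsOperationException on failure
        [pscustomobject]@{ Server = $Server; Port = $port; Encryption = $Encryption; Result = 'OK' }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $port; Encryption = $Encryption; Result = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (assumed names): try every method and compare the results.
$cred = Get-Credential -Message 'AppInsight monitoring account'
'None', 'StartTLS', 'SSL' | ForEach-Object {
    Test-LdapBind -Server 'dc01.corp.example' -Encryption $_ -Credential $cred
} | Format-Table -AutoSize
```

A StartTLS or SSL failure that mentions the certificate, while the None bind succeeds, points at the missing or untrusted server certificate described above rather than at the credentials or firewall rules.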

Permissions

  • Local administrator permissions on the node are required to add AppInsight to it (the initial WMI configuration), but are not needed for monitoring after configuration is complete.
  • Application credentials must be from the domain of the monitored node and have the appropriate read/write permissions for Active Directory services.
  • Domain credentials used for monitoring must have read access to the monitored Active Directory instances.

SolarWinds recommends using Active Directory accounts with limited permissions (for example, read-only administrators) for AppInsight for Active Directory monitoring.
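A quick way to hold a monitoring account to that recommendation is to check that it can read the domain and that it is not a member, directly or through nesting, of any privileged group. The function below is an added example and not SolarWinds code; it uses the ActiveDirectory PowerShell module (RSAT) and an LDAP_MATCHING_RULE_IN_CHAIN filter to resolve nested group membership. The account name and the privileged-group list are assumptions you should adapt to your domain.

```powershell
# Added example (not SolarWinds code): verify that the AppInsight monitoring
# account is a least-privilege domain account with read access.
Import-Module ActiveDirectory

function Test-MonitoringAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,                 # assumption: 'svc-sam-ad'
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,  # that account's credential
        # Assumed list of groups the monitoring account must never belong to.
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                          'Administrators', 'Account Operators', 'Server Operators',
                                          'Backup Operators', 'Print Operators')
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, PasswordNeverExpires

    # Transitive group membership via the LDAP_MATCHING_RULE_IN_CHAIN OID, so a
    # nested path such as svc-sam-ad -> Ops-Team -> Domain Admins is not missed.
    $allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                 Select-Object -ExpandProperty Name
    $privilegedHits = @($allGroups | Where-Object { $PrivilegedGroups -contains $_ })

    # Read check: authenticate as the account and read the domain object and the
    # domain controller list, which is what read-only monitoring needs.
    $canRead = $false; $readError = $null
    try {
        $null = Get-ADDomain -Credential $Credential -ErrorAction Stop
        $null = Get-ADDomainController -Filter * -Credential $Credential -ErrorAction Stop
        $canRead = $true
    } catch { $readError = $_.Exception.Message }

    [pscustomobject]@{
        Account         = $user.SamAccountName
        Enabled         = $user.Enabled
        CanReadDomain   = $canRead
        ReadError       = $readError
        PrivilegedHits  = $privilegedHits -join ', '
        # adminCount = 1 means AdminSDHolder protects the object: it is or was privileged.
        AdminCountSet   = ($user.adminCount -eq 1)
        LeastPrivilege  = ($canRead -and $privilegedHits.Count -eq 0 -and $user.adminCount -ne 1)
    }
}

# Usage (assumed account name):
Test-MonitoringAccount -SamAccountName 'svc-sam-ad' -Credential (Get-Credential 'svc-sam-ad') | Format-List
```

An account that reports `CanReadDomain = True` with no privileged hits is all AppInsight for Active Directory needs for ongoing monitoring; anything that shows up under `PrivilegedHits` or `AdminCountSet` should be replaced with a dedicated read-only account.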