AppInsight for Active Directory requirements and permissions

Supported versions

Domain controllers should already be running Active Directory Domain Services (AD DS) on:

  • Windows Server 2012 R2
  • Windows Server 2016, or
  • Windows Server 2019

To collect trust data for the Trust Summary widget, configure domain controllers with the Global Catalog (GC) role. You can use PowerShell to check if the IsGlobalCatalog flag is set to True:

    Get-ADDomainController -Filter {Site -eq 'Default-First-Site-Name'} | FT Name,IsGlobalCatalog

    Get-ADDomainController | ft Name,IsGlobalCatalog

Ports

  • WMI uses DCOM / Remote Procedure Call (DCOM/RPC) communication to allocate ports within a dynamic port range, typically between 1025 and 65536. Enable the Inbound Rules in the WMI group and create firewall exceptions to allow TCP/UDP traffic on ports 1024-65535 so monitored objects that use WMI can be mapped.
    • WMI TCP ports 1025-5000
    • TCP ports 49152-65535
  • For LDAP, use the default port for TCP and UDP, 389.
  • For LDAP over SSL (LDAPS), use port 636.
  • The default port to collect trust summary data is 3268. If your domain controllers use port 3269, update that setting in the AppInsight for Active Directory template.
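As an added example (not part of the SolarWinds documentation), the following PowerShell script checks the prerequisites described above: the IsGlobalCatalog flag on each domain controller, TCP reachability of the LDAP, LDAPS and Global Catalog ports, and, when run on a domain controller itself, whether the WMI inbound firewall rules are enabled. It assumes the ActiveDirectory and NetSecurity modules are installed and that the account has read access to the domain; the hypothetical $GcPort parameter defaults to 3268 and should be set to 3269 where the domain controllers use that port.

```powershell
# Added example, not SolarWinds code: read-only prerequisite check for
# AppInsight for Active Directory. Run from the SAM polling engine or an
# admin workstation with the ActiveDirectory and NetSecurity modules.
# Assumption: $GcPort is 3268 unless the domain controllers use 3269.
param(
    [int]$GcPort = 3268
)

Import-Module ActiveDirectory

# Ports this page requires for LDAP, LDAPS and trust summary collection.
$ports = @{ LDAP = 389; LDAPS = 636; GlobalCatalog = $GcPort }

foreach ($dc in Get-ADDomainController -Filter *) {
    # The Trust Summary widget needs the GC role; flag any DC without it.
    if (-not $dc.IsGlobalCatalog) {
        Write-Warning "$($dc.HostName): IsGlobalCatalog is False (Trust Summary will not populate)"
    }

    foreach ($name in $ports.Keys) {
        # Test-NetConnection checks TCP only; UDP 389 is not exercised here.
        $result = Test-NetConnection -ComputerName $dc.HostName -Port $ports[$name] `
                                     -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsGlobalCatalog  = $dc.IsGlobalCatalog
            Service          = $name
            Port             = $ports[$name]
            TcpReachable     = $result.TcpTestSucceeded
        }
    }
}

# When run locally on a domain controller: confirm the WMI inbound rules are
# enabled, because WMI polling relies on the DCOM/RPC dynamic port range.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile
```

Any row with TcpReachable set to False, or any warning about IsGlobalCatalog, points to a firewall exception or role assignment that still needs to be made before the template will collect data.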

Encryption

Active Directory does not support encryption, so the encryption method for connecting to domain controllers is set to None by default. To use SSL or StartTLS, add an LDAP certificate to the server manually.

Authentication

By default, authentication is set to Negotiate so SAM can use Kerberos or NT LAN Manager (NTLM).

Permissions

  • Local admin permissions are required to add AppInsight to nodes, but are not needed for monitoring afterward.
  • Application credentials must be from the domain of the monitored node with proper read/write permission for Active Directory services.
  • Domain credentials used for monitoring must have read access to monitored Active Directory instances.

SolarWinds recommends using Active Directory accounts with limited permissions (for example, read-only administrators) for AppInsight for Active Directory monitoring.