Documentation for Hybrid Cloud Observability Essentials and Server & Application Monitor

AppInsight for Active Directory requirements and permissions

Before using AppInsight for Active Directory, review the following requirements and recommendations.

Requirements
Host systems

Configure systems as DCs running Active Directory (AD) Domain Services on a supported OS, including:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Only Microsoft DNS servers are currently supported.

Add DCs to the SolarWinds Platform as monitored nodes.

  • Select "Windows Servers: WMI and ICMP" as the polling method so AppInsight widgets can display node status and names via WMI. If you select ICMP only, nodes cannot supply the DNS or SysName values that AppInsight needs to resolve destination DC FQDNs when it evaluates replication.
  • If using Discovery to assign AppInsight to nodes, enable WMI on DCs so they can be detected.
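The following check is an added example, not part of the SolarWinds documentation. Run it on a prospective domain controller to confirm the host-system prerequisites listed above: a supported OS, the AD DS role, the Microsoft DNS Server role, and a reachable WMI service with its firewall rule group enabled. The mapping of OS build numbers to product names is an assumption of mine (9600 = 2012 R2, 14393 = 2016, 17763 = 2019); the requirements themselves come from the page.

```powershell
# Added prerequisite check for an AppInsight for Active Directory host (not SolarWinds code).
# Run in an elevated PowerShell session on the domain controller you intend to monitor.

# 1. Supported operating system (build-to-name mapping is an assumption used for this check)
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$build     = [int]$os.BuildNumber
$supported = @{ 9600 = 'Windows Server 2012 R2'; 14393 = 'Windows Server 2016'; 17763 = 'Windows Server 2019' }
if ($supported.ContainsKey($build)) {
    "OS: $($supported[$build]) (build $build) - supported"
} else {
    Write-Warning "OS '$($os.Caption)' (build $build) is not in the supported list"
}

# 2. Must be a DC running AD DS (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.DomainRole -in 4, 5) { "Role: domain controller in domain $($cs.Domain)" }
else { Write-Warning "This host is not a domain controller (DomainRole=$($cs.DomainRole))" }
$adds = Get-WindowsFeature -Name AD-Domain-Services
"AD DS feature installed: $($adds.Installed)"

# 3. Only Microsoft DNS is supported: the DNS Server role and service must be present and running
$dnsFeature = Get-WindowsFeature -Name DNS
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dnsFeature.Installed -and $dnsService -and $dnsService.Status -eq 'Running') {
    "DNS: Microsoft DNS Server role installed and running"
} else {
    Write-Warning "Microsoft DNS Server role is missing or not running; only Microsoft DNS is supported"
}

# 4. WMI must be reachable for Discovery and for node status/names:
#    the Winmgmt service must run and the built-in WMI inbound firewall rules must be enabled
$winmgmt = Get-Service -Name Winmgmt
"WMI service (Winmgmt): $($winmgmt.Status)"
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile |
    Format-Table -AutoSize
```

If any of the WMI inbound rules show Enabled = False, enable the group with `Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'` before adding the node with the "Windows Servers: WMI and ICMP" polling method.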
Permissions

Provide domain credentials for an account that SAM can use to log into AD to collect data.

  • The account must be in the same domain as the DC, with read/write access to monitored AD instances and services.
  • Local admin permissions are required to assign AppInsight to nodes, but elevated privileges are not needed for monitoring.

Recommended: Use a dedicated AD account with limited permissions. See Set up AppInsight for Active Directory monitoring under the context of a "Least Privileges" account.

Ports

The default ports for AppInsight for Active Directory appear below. To adjust port settings for individual domain controllers, see Configure AppInsight for Active Directory on nodes.

  • LDAP: 389
  • LDAPS: 636
  • Global Catalog (GC): 3268

See also How AppInsight collects Active Directory data, below.

Encryption

A newly promoted domain controller has no LDAP server certificate, so the encryption method used to connect to domain controllers is set to None by default. With None, LDAP queries on port 389 are not protected by TLS; Negotiate authentication keeps the account password off the wire, but the directory data returned by queries is readable in transit unless the session is otherwise sealed.

To use SSL (LDAPS on port 636) or StartTLS (on port 389), first install an LDAP server certificate on each domain controller (for example, one issued by an enterprise CA), then change the encryption setting for the node.

Authentication

By default, authentication is set to Negotiate, so SAM uses Kerberos when it can and falls back to NT LAN Manager (NTLM) otherwise. Kerberos requires the target DC to be addressed by a name that matches its service principal name, so add DCs by FQDN rather than IP address if you want to avoid NTLM fallback.
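The following script is an added example, not SolarWinds code, that exercises the Ports, Encryption and Authentication settings above from the SolarWinds Platform server: it checks that the three default ports are open on a DC, performs a Negotiate bind and a rootDSE read over plain LDAP and the Global Catalog port, and attempts the same over LDAPS so you can see whether an LDAP certificate is in place. The DC name `dc01.corp.example` and the credential prompt are assumptions; replace them with your dedicated monitoring account and DC.

```powershell
# Added connectivity and bind check for AppInsight for Active Directory (not SolarWinds code).
# Run from the SolarWinds Platform server as any user; the monitoring credential is supplied at the prompt.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc   = 'dc01.corp.example'   # assumed DC FQDN; use the FQDN so Negotiate can pick Kerberos instead of NTLM
$cred = Get-Credential -Message 'Dedicated AD monitoring account (DOMAIN\user)'

# 1. TCP reachability of the default AppInsight ports: LDAP 389, LDAPS 636, Global Catalog 3268
foreach ($port in 389, 636, 3268) {
    $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $port, $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'CLOSED' })
}

# 2. Bind with Negotiate (Kerberos, NTLM fallback) and read rootDSE to prove the account can query the directory
function Test-LdapBind {
    param(
        [string]$Server,
        [int]$Port,
        [bool]$UseSsl,
        [pscredential]$Credential
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }   # LDAPS: needs a server certificate on the DC
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', 'Base', 'defaultNamingContext')
        $response = $conn.SendRequest($request)
        $nc = $response.Entries[0].Attributes['defaultNamingContext'][0]
        '{0}:{1} ssl={2} bind OK, defaultNamingContext={3}' -f $Server, $Port, $UseSsl, $nc
    } catch {
        '{0}:{1} ssl={2} bind FAILED: {3}' -f $Server, $Port, $UseSsl, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

Test-LdapBind -Server $dc -Port 389  -UseSsl $false -Credential $cred   # plain LDAP (encryption = None)
Test-LdapBind -Server $dc -Port 3268 -UseSsl $false -Credential $cred   # Global Catalog
Test-LdapBind -Server $dc -Port 636  -UseSsl $true  -Credential $cred   # LDAPS; fails until an LDAP certificate is installed
```

A failed bind on 636 with the other two succeeding is the expected result on a DC that has no LDAP server certificate yet, which is why the encryption method defaults to None. Once a certificate is installed, rerun the script before switching the node's encryption setting to SSL.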

How AppInsight collects Active Directory data

WinRM is the default transport for data polled by the WMI-based component monitors in the AppInsight for Active Directory template. If WinRM is disabled, WMI falls back to DCOM/RPC: the client contacts the RPC endpoint mapper on TCP 135, and the DC then allocates a listening port from its dynamic port range (1025 to 65535). Enable the inbound rules in the Windows Management Instrumentation (WMI) firewall group and create firewall exceptions for TCP/UDP traffic on the dynamic range so monitored objects that use WMI can be mapped:

  • TCP ports 1025-5000 (legacy dynamic range)
  • TCP ports 49152-65535 (default dynamic range on Windows Server 2008 and later, which covers every supported OS above)
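The following script is an added example, not SolarWinds code, that verifies both transports described above. The first part runs on the DC and reports the WinRM state, enables the WMI inbound firewall rules, and prints the dynamic port range the DC will actually hand out; the second part runs from the SolarWinds Platform server and issues the same WMI query over WinRM and over DCOM so you can confirm which path works. The DC name `dc01.corp.example` and the credential prompt are assumptions.

```powershell
# Added transport check for WMI-based AppInsight for Active Directory monitors (not SolarWinds code).

# ---- Part 1: run in an elevated session on the domain controller ----

# WinRM is the default transport; Test-WSMan succeeds only if the WinRM listener answers
try {
    Test-WSMan -ErrorAction Stop | Out-Null
    'WinRM: listener answering (default transport available)'
} catch {
    Write-Warning 'WinRM not answering; WMI polling will fall back to DCOM/RPC'
}

# Fallback path: enable the built-in WMI inbound rules (covers DCOM-In, WMI-In and ASync-In)
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# The dynamic range the RPC runtime will allocate from; on 2012 R2 and later this is
# 49152-65535 by default, so that is the range to allow on any intermediate firewall
netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp

# ---- Part 2: run from the SolarWinds Platform server ----

$dc   = 'dc01.corp.example'   # assumed DC FQDN
$cred = Get-Credential -Message 'Dedicated AD monitoring account (DOMAIN\user)'

# Same WMI class over WinRM (New-CimSession's default protocol is WSMan)...
try {
    $winrmSession = New-CimSession -ComputerName $dc -Credential $cred -ErrorAction Stop
    Get-CimInstance -CimSession $winrmSession -ClassName Win32_OperatingSystem |
        Select-Object @{n='Transport';e={'WinRM'}}, CSName, Caption
    Remove-CimSession $winrmSession
} catch {
    Write-Warning "WinRM query failed: $($_.Exception.Message)"
}

# ...and over DCOM/RPC, which is what WMI uses when WinRM is disabled
try {
    $dcomSession = New-CimSession -ComputerName $dc -Credential $cred `
        -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
    Get-CimInstance -CimSession $dcomSession -ClassName Win32_OperatingSystem |
        Select-Object @{n='Transport';e={'DCOM'}}, CSName, Caption
    Remove-CimSession $dcomSession
} catch {
    Write-Warning "DCOM query failed (check TCP 135 and the dynamic range): $($_.Exception.Message)"
}
```

If the WinRM query succeeds, the DCOM rules and dynamic-range exceptions are only needed as a fallback; if only the DCOM query succeeds, the firewall must permit TCP 135 plus the range printed by `netsh` between the Platform server and the DC.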

The following diagram shows how AppInsight uses various protocols to collect AD data: