AppInsight for Active Directory
Assign this SAM application monitor template to nodes to monitor physical and virtual Active Directory environments to identify issues about domain controllers, replication, and more. You can use it to track many key aspects of Active Directory by getting relevant performance data from the server level, as described in Monitor with AppInsight for Active Directory.
To configure target servers:
- Review AppInsight for Active Directory requirements and permissions.
- Assign AppInsight to domain controllers.
- Configure AppInsight for Active Directory on nodes.
- (Recommended) Set up Active Directory monitoring under the context of a "Least Privileges" account.
Note the following details about this template:
- You can configure AppInsight for Active Directory on individual nodes to poll for replication details without collecting domain configuration data, such as sites and trusts. This can improve performance in large environments. Click here to learn more about the Enable Domain Components option.
- To avoid performance issues in large environments, several "total" counters, such as Total User Accounts and Total Inactive Users, are initially disabled. After assigning this template to nodes, you can enable those component monitors for individual domain controllers. See Configure AppInsight for Active Directory on nodes.
- When working with component monitors, note that AppInsight for Active Directory uses domain controller IP addresses instead of domain names for polling; LDAP components do not include the $DomainName parameter in configuration fields. This method enables different applications to get data from all monitored domain controllers in a single domain.
Note the following details about AppInsight templates, in general:
- Due to the complexity of AppInsight templates:
  - You cannot add component monitors.
  - Some component monitors have default settings that cannot be modified.
  - You cannot import or export AppInsight templates.
  - AppInsight templates are updated automatically during upgrades.
- WinRM is the default transport method for WMI-based component monitors.
- For component-based SAM licenses, AppInsight applications consume licenses at flat rates.
- All AppInsight templates support the SolarWinds Platform agent for Windows.
- To learn about AppInsight widgets, see SAM online help.
Additional learning resources include:
- Deep Dive on using AppInsight Templates (webcast)
- Managing Active Directory Health and Performance (webcast)
- Troubleshoot AppInsight for Active Directory (SAM Administrator Guide)
A Microsoft Azure Active Directory API Poller template is also available. To learn more about API pollers, watch API Pollers: When SNMP Won't Cut It.
Component monitors
Naming Contexts
Total number of naming contexts in the domain.
Replication Details
Gathers Active Directory replication data, such as replication direction and the replication transport protocol.
FSMO Role - Schema Master
Total number of Schema Master roles in the domain.
FSMO Role - Domain Naming Master
Total number of Domain Naming Master roles in the domain.
FSMO Role - RID Master
Total number of RID Master roles in the domain.
FSMO Role - Infrastructure Master
Total number of Infrastructure Master roles in the domain.
FSMO Role - PDC Emulator
Total number of PDC Emulator roles in the domain.
Total User Accounts
Total number of Active Directory users in the domain.
Total Disabled User Accounts
Total number of disabled user accounts in the domain.
Total Computer Accounts
Total number of computer accounts in the domain.
Total Domain Controllers
Total number of domain controllers in the domain.
Trusts
Total number of domain trust relationships in the domain.
AppInsight can collect trust data for domain controllers configured as Global Catalog (GC) servers on port 3268, as displayed in the Trust Summary widget. If your domain controllers use port 3269 instead, update that in individual application monitors.
Total Inactive Users
Total number of inactive users in the domain.
Total Inactive Computers
Total number of inactive computers in the domain.
Sites
Total number of sites in the domain.
Subnets
Total number of subnets in the domain.
Links
Total number of site links in the domain.
Servers
Total number of Active Directory servers in the domain.
Total Expired Password User Accounts
Total number of user accounts which currently have an expired password.
Machine Account authentication failure event
The number of events that indicate a machine account failed to authenticate. This is usually caused either by multiple instances of the same computer name or by the computer name not yet having replicated to every domain controller.
If you do not find multiple instances of the computer name, verify that replication is functioning for the domain that contains the computer account.
Replication Duplicate Object found event
The number of events that indicate a duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible. See Troubleshooting Directory Data problems (© 2019 Microsoft Corp., available at technet.microsoft.com).
Failed Replication Event
The number of events that indicate replication failed for the reason stated in the message text. Use the Repadmin tool included in Windows Server to investigate issues.
Replication configuration does not reflect topology event
The number of events that occur when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.
Lingering objects disconnection error event
The number of events generated by a lingering object if a domain controller remains disconnected for too long. For reference, see Information about lingering objects in a Windows Server Active Directory forest.
Replication Link GUID mismatch event
The number of events that occur over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the Service Principal Name (SPN) attributes of the computer object of this replication partner.
User Account cannot be resolved event
The number of events that indicate a user account in one or more Group Policy Objects (GPOs) cannot be resolved to a security identifier (SID). This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.
User Account was created event
The number of events that indicate a new user account was created. Event ID: 4720.
Only authorized people and processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.
Attempt to change Account password event
The number of events in which somebody attempts to change an account's password. Event ID: 4723.
This event is logged as a failure if a new password fails to meet the password policy, which occurs during a password change request in which the user supplies the original password to the account. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password. If Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password.
Attempt to reset Account password
The number of events when a user or process resets an account password through an administrative interface such as Active Directory Users and Computers, rather than through a password change process. Event ID: 4724.
This event is logged as a failure if the new password fails to meet the password policy.
Only authorized people or processes should carry out this process, such as help desk or user self-service password reset.
Account was disabled event
The number of events in which an account is disabled. Event ID: 4725.
Note: Always investigate this event.
Account was deleted event
The number of events that indicate a user account was deleted. Event ID: 4726.
Only authorized people and processes should delete network accounts. Search for these events and examine the Primary Account Name field to detect if unauthorized people have deleted accounts.
Account was changed event
The number of events when changes were made to security-related properties of user accounts. Event ID: 4738.
Account was locked out event
The number of events that indicate a user account was locked out. Event ID: 4726.
Account name was changed event
The number of events when a user changes the normal logon name or the pre-Win2k logon name. Event ID: 4781.
When an account name is changed, the SID remains the same but the Target ID in this event indicates the new name. This is because when the OS displays this event, it queries the database where the SID is stored and translates the SID to the domain\username.
A rogue admin might change his account name or computer name to cover up activity.
Account failed to logon event
The number of failed login events with incorrect username or password. Event ID: 4625.
Check for attempts where Target Account Name equals Administrator or the renamed default administrator account. Also check for multiple logon failures that remain below the account lockout threshold.
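As an added example that is not part of the SolarWinds template, the checks described above for events 4723, 4724 and 4625 applied in Python over constructed sample events; the lockout threshold, the renamed administrator alias and the authorized help-desk principals are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real log data): 4723 password changes,
# a 4724 reset, and a burst of 4625 failures against "Administrator".
# "subject" is the Primary Account Name, "target" the Target Account Name.
EVENTS = [
    {"id": 4723, "subject": "alice", "target": "alice", "status": "success"},
    {"id": 4723, "subject": "bob", "target": "alice", "status": "failure"},
    {"id": 4724, "subject": "helpdesk1", "target": "carol", "status": "success"},
    {"id": 4625, "subject": "-", "target": "Administrator", "status": "failure"},
    {"id": 4625, "subject": "-", "target": "Administrator", "status": "failure"},
    {"id": 4625, "subject": "-", "target": "Administrator", "status": "failure"},
    {"id": 4625, "subject": "-", "target": "dave", "status": "failure"},
]

LOCKOUT_THRESHOLD = 5                              # assumed domain lockout threshold
ADMIN_NAMES = {"administrator", "corpadmin"}       # built-in admin plus assumed renamed alias
AUTHORIZED_RESETTERS = {"helpdesk1", "sspr-svc"}   # assumed help-desk / self-service principals


def password_change_by_other(events):
    """4723: Primary Account Name != Target Account Name means someone other
    than the account owner tried to change the password."""
    return [e for e in events
            if e["id"] == 4723 and e["subject"].lower() != e["target"].lower()]


def unauthorized_resets(events):
    """4724: resets performed by a principal outside the authorized set."""
    return [e for e in events
            if e["id"] == 4724 and e["subject"].lower() not in AUTHORIZED_RESETTERS]


def sub_threshold_failures(events, threshold=LOCKOUT_THRESHOLD):
    """4625: repeated failures per target account that stay below the lockout
    threshold (the account never locks out but keeps failing). Targets in
    ADMIN_NAMES are reported on any failure count."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 4625:
            counts[e["target"].lower()] += 1
    return {target: n for target, n in counts.items()
            if target in ADMIN_NAMES or 1 < n < threshold}
```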
Replay Attack detected event
The number of events when the authentication package (usually Kerberos) detects an attempt to log on by replay of a user's credentials. Event ID: 4649.
Investigate immediately. This event can also be a sign of incorrect network configuration.
Attempted to logon using explicit credentials event
The number of the following events:
- A user connects to a server or runs a program locally using alternate credentials (that is "run as");
- A process logs on as a different account; for example, if the Scheduled Tasks service starts a task as the specified user;
- With User Account Control enabled, an end user runs a program requiring admin authority.
Event ID: 4648.
Domain Policy was changed event
The number of events when the computer's Security Settings\Account Policy or Account Lockout Policy was modified - either via Local Security Policy or Group Policy in Active Directory. Event ID: 4739.
The Subject fields cannot identify who actually changed the policy because this policy isn't directly configured by administrators. Instead, it is edited in a Group Policy Object (GPO) that is then applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
Kerberos Policy was changed event
The number of events when Windows detects a change to the domain's Kerberos policy. Kerberos policy is defined in GPOs linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy. Event ID: 4713.
The Subject fields cannot identify who actually changed the policy because this policy isn't directly configured by administrators. Instead, it is edited in a Group Policy Object (GPO) that is then applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
System Audit Policy was changed event
The number of events when a computer's system-level audit policy was modified - either via Local Security Policy, Group Policy in Active Directory, or the auditpol command. Event ID: 4719.
This event is logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. If Group Policy was used to configure the audit policy, the Subject fields unfortunately don't identify who actually changed the policy. In such cases this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high value computers and domain controllers.
Encrypted Data Recovery Policy was changed event
The number of events when computer's Security Settings\Public Key Policies\Encrypting File System data recovery agent policy was modified - either via Local Security Policy or Group Policy in Active Directory. Event ID: 4714.
The Subject fields cannot identify who actually changed the policy because this policy isn't directly configured by administrators. Instead, it is edited in a Group Policy Object (GPO) that is then applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
Windows Firewall setting has changed event
The number of events when changes were made via the Windows Firewall with Advanced Services MMC console. Event ID: 4950.
The system time was changed event
The number of events when somebody changes system time. Event ID: 520.
This event indicates the old and new system time as well as who changed it, as specified in the Subject: section. It is routine to see this event where the Subject is "LOCAL SERVICE"; such occurrences can usually be ignored. It's common to see this event logged twice in a row.
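As an added example that is not part of the SolarWinds template, a small triage routine in Python for the policy-change events (4739, 4713, 4719, 4714) and the system time change event described above: it marks a machine-account Subject (name ending in "$") as a Group Policy application that this event alone cannot attribute to a person, treats "LOCAL SERVICE" time changes as routine, collapses the duplicate logged twice in a row, and raises priority on domain controllers. The event records, the host names and the high-value host set are constructed assumptions.

```python
# Constructed sample events (not real log data). Machine accounts end with
# "$", which is how the local computer appears in the Subject fields when a
# policy change arrives through Group Policy (gpupdate runs as the computer).
POLICY_EVENT_IDS = {4739: "Domain Policy", 4713: "Kerberos Policy",
                    4719: "System Audit Policy", 4714: "EFS Recovery Policy"}
TIME_CHANGE_ID = 520
HIGH_VALUE_HOSTS = {"DC01", "DC02"}   # assumed domain controllers

EVENTS = [
    {"id": 4719, "computer": "DC01", "subject": "DC01$"},
    {"id": 4719, "computer": "WS17", "subject": "jsmith"},
    {"id": 4739, "computer": "DC02", "subject": "DC02$"},
    {"id": 520,  "computer": "DC01", "subject": "LOCAL SERVICE"},
    {"id": 520,  "computer": "DC01", "subject": "LOCAL SERVICE"},  # logged twice in a row
    {"id": 520,  "computer": "WS17", "subject": "jsmith"},
    {"id": 4625, "computer": "DC01", "subject": "-"},              # not handled here
]


def is_machine_account(name):
    """Computer accounts carry a trailing "$" in the SAM account name."""
    return name.endswith("$")


def classify(event):
    """Map one event to (category, attribution, priority), or None if not handled."""
    priority = "high" if event["computer"] in HIGH_VALUE_HOSTS else "normal"
    if event["id"] in POLICY_EVENT_IDS:
        policy = POLICY_EVENT_IDS[event["id"]]
        if is_machine_account(event["subject"]):
            # Applied via a GPO: the Subject is the computer, so this event
            # alone cannot say which administrator edited the GPO.
            return policy, "gpo-applied", priority
        return policy, "direct:" + event["subject"], priority
    if event["id"] == TIME_CHANGE_ID:
        if event["subject"] == "LOCAL SERVICE":
            return "System time", "routine", "low"
        return "System time", "direct:" + event["subject"], priority
    return None


def triage(events):
    """Classify events, dropping an immediate repeat of the previous finding."""
    findings = []
    for e in events:
        result = classify(e)
        if result is None:
            continue
        item = (e["computer"],) + result
        if findings and findings[-1] == item:
            continue          # same event logged twice in a row on the same host
        findings.append(item)
    return findings
```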
An attempt was made to set the Directory Services Restore Mode administrator password
The number of events when someone attempts to change the Directory Services Restore Mode password on a domain controller. Event ID: 4794.
Check Workstation IP and Account Name. Investigate immediately.
Clearing the Security Event Logs event
The number of times security logs were cleared. Event ID: 517.
Administrators should not clear security event logs without authorization. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.
Changing system time event
The number of times the system time changed. Event ID: 520.
This action can mislead a forensic investigation or provide an attacker with a false alibi. The process name is %windir%\system32\svchost.exe. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.
Changing Audit Policy event
The number of times audit policies were changed. Event ID: 612.
This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high value computers and domain controllers.
Changing the Domain Security Policy event
The number of attempts to modify a password policy or other domain security policy settings. Event ID: 643.
Check user name of subject and correlate with authorization.
LDAP Active Threads
The current number of threads in use by the LDAP subsystem of the local directory service.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements. See Set thresholds.
LDAP Bind Time
The time (in milliseconds) required for the completion of the last successful LDAP binding.
This counter should be as low as possible. If it is not, it usually indicates that hardware or network-related problems are occurring.
LDAP Client Sessions
The number of currently connected LDAP client sessions.
This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements. See Set thresholds.
Directory Service Threads in Use
The current number of threads in use by the directory service.
This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements. See Set thresholds.
Address Book Client Sessions
The number of connected Address Book client sessions.
Directory Service Notify Queue Size
The number of pending update notifications that are queued, but not yet transmitted to clients.
This counter should be as low as possible.
DRA Inbound Full Sync Objects Remaining
The number of objects remaining until the full synchronization is completed (while inbound replication is in progress).
This counter should be as low as possible.
DRA Inbound Values (DNs only)/sec
The number of object property values received from inbound replication partners that are distinguished names (DNs) that reference other objects. DN values, such as group or distribution list memberships, are generally more expensive to apply than other types of values.
DRA Outbound Values (DNs only)/sec
The number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are generally more expensive to read than other kinds of values.
LDAP successful binds/sec
The number of LDAP bindings (per second) that occurred successfully.
This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
LDAP searches/sec
The number of search operations per second performed by LDAP clients.
This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
Directory Services directory writes/sec
The number of directory writes per second.
Directory Services directory reads/sec
The number of directory reads per second.
DRA pending replication synchronizations
The number of directory synchronizations that are queued for this server but not yet processed.
Context switches/sec
Indicates whether the processor is handling an excessive number of applications.
Interpret this data cautiously. A thread that is heavily using the processor lowers the rate of context switches because it does not allow much processor time for other process threads. A high rate of context switching means that the processor is being shared repeatedly (for example, by many threads of equal priority).
It is a good practice to minimize the context switching rate by reducing the number of active threads on the system. The use of thread pooling, I/O completion ports, and asynchronous I/O can reduce the number of active threads. Determine if applications include options to limit the number of threads.
A context switching rate of 300 per second per processor is a moderate amount; a rate of 1000 per second or more is high. Values at this high level may be a problem.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements. See Set thresholds.
Processor Queue Length
Indicates if the system can handle processing requests.
This counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time.
This counter reports a total queue length for all processors, not a length per processor.
Distributed File System
Monitors the DFS service used to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders.
DNS Server
Monitors the service that enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service stops, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will not start.
Per AppInsight for Active Directory requirements and permissions, only Microsoft DNS servers are supported. Third-party DNS servers are not supported.
Intersite Messaging
Monitors the service that enables messages to be exchanged between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start.
Kerberos Key Distribution Center
On domain controllers, this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
Windows Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
DNS Client
The DNS Client service (dnscache) tracks DNS names and registers the full computer name for the system. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.
Security Accounts Manager
The startup of this service signals other services that the Security Accounts Manager (also called SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the Security Accounts Manager is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Server
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Workstation
Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Remote Procedure Call (RPC)
The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions, and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you keep the RPCSS service running.
Net Logon
Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.
Active Directory Domain Services
This is a core AD DS Domain Controller service. If this service is stopped, users cannot log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
Active Directory Web Services
This service provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If this service is stopped or disabled, client applications such as Active Directory or PowerShell cannot access or manage any directory service instances running locally on this server.