Microsoft Active Directory is used to share user lists, provide single sign-on and other central features in large Microsoft-based workstation and server networks. Active Directory is Microsoft's implementation of existing business standards such as LDAP, Kerberos and DNS. The purpose of this article is to describe how op5 Monitor can be used to monitor these core features of an Active Directory and make sure that notifications are sent about common errors.
Watch the HOWTO video:
Monitoring Microsoft servers with op5 Monitor:
In this video we will give you a tour of how to set up monitoring on Microsoft Windows, Active Directory and Microsoft Hyper-V. op5 Monitor provides you with the ability to monitor software in the Microsoft product line, such as Microsoft Windows, SQL Server, Active Directory, IIS and Exchange.
Prerequisites
To be able to complete this how-to you will need the following files:
The scripts are not officially supported by OP5 Support.
This will be done
The suggested configuration components for monitoring Active Directory are:
- Basic checks for each domain controller
- Advanced checks for each domain controller
- Service group called Active Directory that contains all services for your domain controllers.
Prepare NSClient
- Copy the two files to C:\Program Files\op5\nsclient++\scripts
- Add the following rows to the file C:\Program Files\op5\nsclient++\custom.ini
    [NRPE Handlers]
    check_ad=cscript.exe //T:30 //NoLogo scripts\check_ad.vbs
    check_ad_time=cscript.exe //T:30 //NoLogo scripts\check_ad_time.vbs <your.ad.domain> "$ARG1$"
- Save the file
- Restart the NSClient++ service
Check commands
Add the required check commands if they don't already exist in your configuration. Add them via 'Configure' -> 'Check Commands' -> 'New command'.
Pre-built management pack
If you don't want to configure the monitoring manually, you can use the pre-built management pack "Microsoft AD server"
Basic commands:
command_name | command_line |
*check_ad_time | $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad_time -a $ARG1$ |
check_nt_service | $USER1$/check_nt -H $HOSTADDRESS$ -p 1248 -v SERVICESTATE -l "$ARG1$" |
check_ad_ldap | $USER1$/check_ldap -H $HOSTADDRESS$ -b $ARG1$ -w 5 -c 45 -D $ARG2$ -P $ARG3$ |
check_ad_dns | $USER1$/check_dig -H $HOSTADDRESS$ -l $ARG1$ -a $ARG2$ |
Advanced commands:
command_name | command_line |
*check_ad_dcdiag_dc | $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad |
**check_ad_kerberos_authentication | $USER1$/check_nt -H $HOSTADDRESS$ -v COUNTER -l "\\NTDS\\Kerberos Authentications","Kerberos Authentications %d times/sec" -w $ARG1$ -c $ARG2$ |
* Requires changes to NSC.ini, see section below.
** This is just one example of the performance counters you might want to monitor. For a full list we suggest you take a look at Microsoft's own reference list.
Short list of counters we think are good to monitor:
- "\\NTDS\\Kerberos Authentications","Kerberos Authentications %d times/sec"
- "\\NTDS\\LDAP Bind Time","LDAP Bind Time %.2f ms"
- "\\NTDS\\LDAP Client Sessions","LDAP Client Sessions: %d"
- "\\NTDS\\NTLM Authentications","NTLM Authentications %d times/sec"
Add the required services
Go to 'Configure' -> 'Host: <your-domain-server>' -> 'Go' -> 'Services for host <your-domain-server>' -> 'Add new service' -> 'Go'
Add the following services (the arguments are just examples; you need to adjust them to suit your environment).
service_description | check_command | check_commands_args |
AD: Domain Time | check_ad_time | 0.5 |
AD: Services | check_nt_service | W32Time,Dnscache,IsmServ,kdc,SamSs,lanmanserver,lanmanworkstation,RpcSs,Netlogon |
AD: LDAP | check_ad_ldap | dc=example,dc=com!monitoruser@example.com!mysecretpassword |
AD: DNS | check_ad_dns | example.com!<dns-ip> |
AD: DCdiag dc | check_ad_dcdiag_dc | N/A |
AD: DCdiag member | check_ad_dcdiag_member | N/A |
AD: FSMO Roles | check_ad_fsmo | All (Valid options: All, Schema, Domain, PDC, RID, Infrastructure) |
AD: Kerberos Authentications | check_ad_kerberos_authentication | 3!4 |
Use the "Test this service" button for the services to see if they work. Once they are correct and working as they should, you may add the services to all of your domain controllers with the clone-function.
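To see what each service row actually runs, the following added example (not part of the original how-to and not op5's own code) expands the '!'-separated arguments into the command lines from the tables above and flags rows with unfilled arguments or a bind password among the arguments. The plugin directory /opt/plugins for $USER1$, the host address 192.0.2.10 and the sample rows are assumptions.

```python
import re

# Command definitions as given in the "Basic commands" table.
COMMANDS = {
    "check_ad_time": "$USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad_time -a $ARG1$",
    "check_ad_ldap": "$USER1$/check_ldap -H $HOSTADDRESS$ -b $ARG1$ -w 5 -c 45 -D $ARG2$ -P $ARG3$",
    "check_ad_dns": "$USER1$/check_dig -H $HOSTADDRESS$ -l $ARG1$ -a $ARG2$",
}
MACRO = re.compile(r"\$([A-Z0-9]+)\$")


def expand(command_name, args, host, plugin_dir="/opt/plugins"):
    """Expand one service row into (command line, list of unfilled macros)."""
    # Arguments are split on '!' into $ARG1$, $ARG2$, ...; plugin_dir is assumed.
    macros = {"USER1": plugin_dir, "HOSTADDRESS": host}
    for i, value in enumerate(args.split("!") if args else [], start=1):
        macros[f"ARG{i}"] = value
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in macros:
            missing.append(name)  # an unset macro expands to an empty string
        return macros.get(name, "")

    return MACRO.sub(substitute, COMMANDS[command_name]), missing


def review(services, host):
    """List rows with unfilled arguments or a bind password in the arguments."""
    findings = []
    for description, command_name, args in services:
        _, missing = expand(command_name, args, host)
        findings += [(description, f"${name}$ has no value") for name in missing]
        secret = re.search(r"check_ldap .*-P \$(ARG\d+)\$", COMMANDS[command_name])
        if secret:
            findings.append((description, f"bind password travels in ${secret.group(1)}$"))
    return findings


# Constructed sample rows; the last one deliberately omits the DNS server IP.
SAMPLE = [
    ("AD: Domain Time", "check_ad_time", "0.5"),
    ("AD: LDAP", "check_ad_ldap", "dc=example,dc=com!monitoruser@example.com!mysecretpassword"),
    ("AD: DNS", "check_ad_dns", "example.com"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE, "192.0.2.10"):
        print(*finding, sep=": ")
```

The LDAP row is flagged because the password is stored in the service configuration and appears on the check_ldap command line, so the bind account should be a dedicated one with no rights beyond reading the directory.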
Configuring the service group
Configuring a service group is not necessary for the monitoring to work, but it makes it easier to display the current status of Active Directory, for instance for the help desk staff.
- From Configure, select Service Groups and add a new service group.
- Enter a service name and a description (alias) that is suitable for your organization.
- Hold down the Control key and select the services you wish to include, preferably, the services you added in this How-To, and some other important services for the domain controllers:
- CPU
- Load
- Disk usage
- Mem usage
- PING
- Swap usage
- Uptime
- Move the selected services to the selected list.
- Click on "Apply Changes" and then "Save".