Back to OP5 Monitor FAQ

How to monitor Microsoft Active Directory

Microsoft Active Directory is used to share user lists, provide single sign-on and other central features in large Microsoft-based workstation and server networks. Active Directory is Microsoft’s implementation of existing business standards such as LDAP, Kerberos and DNS. The purpose of this article is to describe how op5 Monitor can be used to monitor these core features of an Active Directory and make sure that notifications are sent about common errors.

Watch the HOWTO video Copied

Monitoring Microsoft servers with op5 Monitor:

In this video we will give you a tour on how to set up monitoring on Microsoft Windows, Active Directory and Microsoft hyper-v. op5 monitor provides you with the ability to monitor software in the Microsoft product line, such as Microsoft Windows, SQL Server, Active Directory, IIS and Exchange.

Prerequisites

To be able to complete this how-to you will need the following files:

The scripts are not officially supported by OP5 Support.

This will be done Copied

The suggested configuration components for monitoring Active Directory are:

Prepare NSClient Copied 

[NRPE Handlers]check_ad=cscript.exe //T:30 //NoLogo scripts\check_ad.vbscheck_ad_time=cscript.exe //T:30 //NoLogo scripts\check_ad_time.vbs <your.ad.domain> "$ARG1$"

Check commands Copied

Add the required check-commands, if they don’t already exist in your configuration, add them via: (‘Configure’ -> ‘Check Commands’ -> ‘New command’)

Pre-built management pack

If you don’t want to configure the monitoring manually, you can use the pre-built management pack “Microsoft AD server”

Basic commands Copied

command_name command_line
*check_ad_time $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad_time -a $ARG1$
check_nt_service $USER1$/check_nt -H $HOSTADDRESS$ -p 1248 -v SERVICESTATE -l “$ARG1$”
check_ad_ldap $USER1$/check_ldap -H $HOSTADDRESS$ -b $ARG1$ -w 5 -c 45 -D $ARG2$ -P $ARG3$
check_ad_dns $USER1$/check_dig -H $HOSTADDRESS$ -l $ARG1$ -a $ARG2$

Advanced commands Copied

command_name command_line
*check_ad_dcdiag_dc $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ad
**check_ad_kerberos_authentication $USER1$/check_nt -H $HOSTADDRESS$ -v COUNTER -l “NTDSKerberos Authentications”,“Kerberos Authentications %d times/sec” -w $ARG1$ -c $ARG2$

* Require changes to NSC.ini, see section below.

** This is just one example of performance counters you might want to monitor, for a full list we suggest you take a look at Microsoft own reference list.

Short list of counters we think is good to monitor:

Add the required services Copied

Go to ‘Configure’ -> ‘Host: ’ -> ‘Go’ -> ‘Services for host ’ -> ‘Add new service’ -> ‘Go’

Add the following services (Arguments are just examples, you need to adjust them to suit your environment).
service_description check_command check_commands_args
AD: Domain Time check_ad_time 0.5
AD: Services check_nt_service W32Time,Dnscache,IsmServ,kdc,SamSs,lanmanserver,lanmanworkstation,RpcSs,Netlogon
AD: LDAP check_ad_ldap dc=example,dc=com!monitoruser@example.com!mysecretpassword
AD: DNS check_ad_dns example.com!
AD: DCdiag dc check_ad_dcdiag_dc N/A
AD: DCdiag member check_ad_dcdiag_member N/A
AD: FSMO Roles check_ad_fsmo All (Valid options: All, Schema, Domain, PDC, RID, Infrastructure)
AD: Kerberos Authentications check_ad_kerberos_authentication 3!4

Use the “Test this service” button for the services to see if they work. Once they are correct and working as they should, you may add the services to all of your domain controllers with the clone-function.

Configuring the service group Copied

Configuring a service group is not necessary for the monitoring to work, but it will be easier to display the current status on the Active Directory, for instance for the help desk staff.

["Geneos"] ["FAQ"]

Was this topic helpful?