Monitoring for AD DS via Azure AD Connect Health is now in public preview so it’s time for me to show you how easy it is to use and what it’s good for.
Azure AD Connect Health is a solution that has been GA for about one year now. It comes with the latest versions of Azure AD Connect and is used to easily monitor replication from Windows Server Active Directory to Azure Active Directory. In addition to that it is able to monitor your AD FS infrastructure and inform you about authentication issues. Now that monitoring for AD DS is in preview, you can also monitor the replication health between your on-premises domain controllers without needing System Center Operations Manager or Azure Log Analytics.

Create the service
As you can see in the screenshot above, I have already configured my solution to monitor Azure AD Connect sync and AD FS. To get started, log in to the Azure Primary Portal, add a new resource by clicking the “+” in the upper left corner and filter for Azure AD Connect Health. Then select the solution and simply click “create”.
You’ll then have to select your Azure AD directory and Azure AD license and confirm the creation. Be aware that the user you want to monitor your infrastructure with must have an Azure AD Premium license!

Now let’s get started
Once Azure AD Connect is in place you will already have information in Azure AD Connect Health, as the sync service exchanges information with the monitoring service in the cloud. AD FS is monitored once a monitoring agent is installed on your AD FS and Web Application Proxy servers. For your AD DS replication to be monitored you need a corresponding monitoring agent for AD DS as well, so what you need to do is install the Azure AD Connect Health agent for AD DS on your domain controllers.

After installation you are prompted to configure the agent. After confirmation you will see a PowerShell window in which the cmdlet Register-AzureADConnectHealthADDSAgent is automatically executed. You are prompted to enter your global admin credentials in order to connect to your Azure AD tenant.

Now go back to Azure Primary Portal and refresh it – you’ll realize that something has changed.

You now have an AD DS forest configured in your Azure AD Connect Health service. Now repeat those configuration steps for all of your domain controllers in order to have all of them monitored and to find the monitoring results in one dashboard.
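If you have more than a couple of domain controllers, the registration step can be scripted instead of answering the installer’s prompt on each box. The following is an added example, not part of the original post or of Microsoft’s agent setup, and it assumes the agent MSI is already installed on the domain controller, that its PowerShell module is named AdHealthAdds, and that Test-AzureADConnectHealthConnectivity accepts an ADDS role (both of these are assumptions; the cmdlet actually named in the post is Register-AzureADConnectHealthADDSAgent):

```powershell
# Added example: register the Azure AD Connect Health agent for AD DS on a
# domain controller and verify that its services are running afterwards.
# Assumption: the module shipped with the agent is called AdHealthAdds.
Import-Module AdHealthAdds

# Global admin credentials, prompted once so the script can run on several DCs
$cred = Get-Credential -Message "Azure AD global administrator"

# Assumption: a connectivity check for the ADDS role exists; run it first so a
# blocked outbound connection is reported before registration fails.
Test-AzureADConnectHealthConnectivity -Role ADDS

# This is the cmdlet the installer runs in its PowerShell window; passing the
# credential explicitly avoids the interactive sign-in prompt.
Register-AzureADConnectHealthADDSAgent -Credential $cred

# Confirm the agent services came up on this domain controller
$services = Get-Service -DisplayName "Azure AD Connect Health AD DS*"
$services | Select-Object Name, Status | Format-Table -AutoSize

# Fail loudly if any agent service is not running, so it stands out in a
# deployment log when this is repeated across all domain controllers.
$stopped = $services | Where-Object { $_.Status -ne 'Running' }
if ($stopped) {
    throw "Connect Health AD DS services not running: $($stopped.Name -join ', ')"
}
```

The agent reports to the same tenant for every domain controller, so after running this on each DC the whole forest shows up in the one dashboard described above.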
In the monitoring dashboard you get an overview of replication status, active alerts and your domain controllers’ configuration, such as the distribution of FSMO roles, as well as LDAP binds and NTLM and Kerberos authentications in the past 24 hours.
AD DS monitoring dashboard
If there is something wrong with your domain controllers, the monitoring solution can inform your global admins or custom recipients via email. And the best part: if you synchronize your AD users and groups to Azure AD using Azure AD Connect, e.g. because you want to use Office 365 or Intune with your corporate user accounts, you get your on-premises authentication infrastructure monitored for free! All you need is an Azure AD Premium license for the users that use the monitoring dashboard. Monitoring and alerting themselves do not rely on an Azure AD Premium license.
So get ready for a new monitoring experience today and check it out – it’s really worth a try and I’m sure you will be happy to know that your hybrid identity configuration is working like a charm. And if it is not – you will know very quickly.
Bye for now and happy testing,
Tom