Watch your AD DS replication health with Azure AD Connect Health

Monitoring for AD DS is now in preview! Get an overview over the service and learn how to implement the solution in your environment.

Monitoring for AD DS via Azure AD Connect Health is now in public preview so it’s time for me to show you how easy it is to use and what it’s good for.

Azure AD Connect Health is a solution that has been GA for about one year now. It comes with the latest versions of Azure AD Connect and is used to easily monitor replications from Windows Server Active Directory to Azure Active Directory. In addition to that it is able to monitor your AD FS infrastructure and inform about authentication issue. Now with monitoring for AD DS in preview you can also monitor the replication health between your on premise domain controllers without needing System Center Operations Manager or Azure Log Analytics.

Azure Active Directory Connect Health dashboard

Create the service

As you can see in the screen shot above I have already configured my solution to monitor Azure AD Connect sync and AD FS. To get startet login into Azure Primary Portal, add a new resource by clicking the “+” in the upper left corner and filter for Azure AD Connect Health. Then select the solution and simply click “create”.

This slideshow requires JavaScript.

You’ll then have to select your Azure AD directory and Azure AD license and confirm the creation. Be aware of the fact that the user you want to monitor your infrastructure with must have an Azure AD Premium license!

Make sure you have an Azure AD Premium license

Now let’s get started

After having Azure AD Connect in place you will already have information in Azure AD Connect Health as the sync service exchanges information with the monitoring service in the cloud. AD FS is monitored after having a monitoring agent installed on your AD FS and Web Application Proxy servers. For your AD DS replication to be monitored you need a respective monitoring agent for AD DS as well. What you need to do is to install the Azure AD Connect Health agent for AD DS on you domain controllers.

Install Microsof Azure AD Connect Health agent for AD DS

After installation you are prompted to configure the agent. After confirmation you will see a PowerShell windows in which the CMDLET Register-AzureADConnectHealthADDSAgent is automatically executed. You are prompted to enter your global admin credentials in order to connect to your Azure AD tenant.

Agent configuration

Now go back to Azure Primary Portal and refresh it – you’ll realize that something has changed.

Azure AD Connect Health with active AD DS replication health monitoring

You now have an AD DS forest configured in your Azure AD Connect Health service. Now repeat those configuration steps for all of your domain controllers in order to have all of them monitored and to find the monitoring results in one dashboard.

In the monitoring dashboard you can overview replication status, active alerts or your domain controllers’ configuration like the distribution of FSMO roles as well as LDAP binds or NTLM and Kerberos authentications in the past 24 hours.

This slideshow requires JavaScript.

AD DS monitoring dashboard

If there is something wrong with your domain controllers you can use the monitoring solution to inform your global admins or custom recipients  via email. And the best of it: If you synchronize your AD users and groups to Azure AD using Azure AD Connect, e.g. because you want to use Office 365 or Intune with your corporate user accounts, you get your onpremise authentication infrastructure monitored for free! All you need is an Azure AD Premium license for the users that use the monitoring dashboard. Monitoring and alerting does not rely on an Azure AD Premium license.

So get ready for a new monitoring experience today and check it out – it’s really worth a try and I’m sure you will be happy to know that your hybrid identity configuration is working like a charm. And if it is not – you will know very quickly.

Bye for now and happy testing,

Author: Tom Janetscheck

Cloud Security Enthusiast | Security Advocate

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: