The Active Directory monitor is capable of monitoring several key aspects of an Active Directory server, including replication latency, domain controller time variance and verification of Kerberos authentication.
The device address must be the name of the active directory domain, for example mydomain.local.
The logon account must be a domain user.
DCOM MUST be enabled for Active Directory monitoring.
The KNM gateway machine that is performing the tests on Active Directory MUST itself be a member of the monitored AD.
The device name MUST be the domain name, NOT the name of a device such as a Domain Controller. The AD device will instead enumerate all assigned DCs and monitor certain aspects of them from this list.
The Windows account assigned to the device MUST be a domain Windows user.
The domain Windows user account assigned to the device MUST have read access to all AD devices that is monitored.
The domain Windows user account assigned to the device MUST be a member of the Administrator, Power User, Print Operator, or Server User group to successfully test the Domain Controllers shares.
The domain Windows user account assigned to the device MUST have the SE_TCB_NAME ("Act as part of the operating system") privilege to successfully test Kerberos authentication.
Testing the Global Catalog MAY require Kerberos authentication to succeed.
Monitor specific properties
Logon account - The logon account contains the credentials to use when testing the active directory server. The account must be a domain user or the test fails.
Kerberos authentication - If checked, tests if the Active Directory can perform a Kerberos authentication successfully. Any authentication error is written to the error report, and an alarm is raised.
Global catalog - If checked, tests if the Global Catalog Domain Controller is found. Any error is written to the error report, and an alarm is raised.
DC:s published in DNS - If checked, tests if the Domain Controller's service DNS SRV records are found in the DNS ("_ldap._tcp.DOMAIN.", "_kerberos._tcp.DOMAIN.", "_ldap. _tcp.dc._msdcs.DOMAIN.", "_kerberos._tcp.dc._msdcs.DOMAIN.", "_ldap._tcp.Default-First-Site._sites.DOMAIN.", etc.)
Replication - If checked, tests if the last replication attempt was successful.
Max DC time variance - Measure the time variance in seconds between domain controllers. If the time difference between the domain controllers are above this value the test fails.
LDAP query option
An optional LDAP query statement can be executed and its output compared to a predefined value using a compare operation.
LDAP query - LDAP query to perform.
Compare value - Value to compare query result with.
Value type - Type of value that is compared with the retrieved value from the database.
Operation - Operation to evaluate the returned query result and the compare value to determine if the test succeeded or failed.