Active Directory Management Pack for Microsoft Windows (Domain Member Monitoring)
AD Domain Member Monitoring Management Pack
The purpose of the Active Directory Domain Member Monitoring MP is to augment the server-side monitoring capabilities of the Active Directory Management Pack with a domain member view of the health of the Active Directory® directory service.
The rules that are contained in this rule group are used to test the availability of Active Directory from a client perspective, for example, the availability of Active Directory from directory-enabled application servers.
This MP should be deployed manually into an environment where it is necessary (or desirable) to actively monitor the availability of domain controllers and Active Directory.
AD Monitoring Domain Members should always be enabled on or near Microsoft Exchange servers to ensure that global catalog servers and domain controllers are always available to Microsoft Exchange.
Features
Each Windows computer (a computer that is not a domain controller) can be configured to monitor only the domain controllers of interest. You can:
Monitor a specific list of domain controllers.
Monitor domain controllers in the domain member’s local site.
Monitor domain controllers in a list of specified sites.
Monitor all domain controllers in the domain member’s domain or in a specified list of domains.
The domain member computer determines whether the domain controllers are available by:
Pinging (both Internet Control Message Protocol (ICMP) and Lightweight Directory Access Protocol (LDAP)).
Performing a net use connection to the Sysvol share.
Performing LDAP binds.
Performing LDAP searches.
Thresholds can be specified for the LDAP bind and search. If multiple consecutive failures (or binds or searches that exceed the specified thresholds) occur, an alert is generated.
In addition, the domain member computer also determines whether:
The domain member can contact a domain controller in its local site.
There is a sufficient number of global catalog servers available.
Configuration
To deploy this rule group to domain member computers, override the AD Domain Member Perspective Discovery Rule.
To monitor Active Directory from the domain member’s perspective, tests are run from a domain member and are targeted at the servers in which the domain member is interested. There are four modes of operation:
Full mode: all domain controllers in the specified domains are targeted. If no domains are specified, the local domain is targeted.
Specific Site mode: only domain controllers in the specified sites are targeted.
Local Site mode: only domain controllers in the domain member’s site are targeted.
Specific mode: only domain controllers that are specified are targeted.
The configuration for these modes can be performed globally through the console. If individual configurations are required, they can be specified through a configuration file on the domain member computer. Any parameters that are specified in the console can be overridden by writing the corresponding values to the registry on individual domain member computers.
In the Full, Local Site, and Specific Site modes, discovery of domain controllers is performed once per day, by default.
It is possible to configure both a list of specific domain controllers and a list of sites to target. In this case, the union of the list of domain controllers and the domain controllers in each of the sites will be targeted.
Registry Configuration Format
The configuration in the registry is contained under the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Operations Management\AD Management Pack\Domain Member Monitoring
There are two keys under this base:
Configuration
Tests
Configuration Key
Under the Configuration key, there are three entries:
Domain Controllers: a string specifying (comma-delimited) domain controller names.
Sites: a string specifying (comma-delimited) sites.
Domains: a string specifying (comma-delimited) domains.
The settings are overrides in the AD Domain Member Update DCs rule.
The AD Domain Member Update DCs rule is run periodically and can be changed as needed. The purpose of this script is to discover the domain controllers for a domain member computer. Discovery of the domain controllers to be tested occurs as follows:
If there are domain controllers specified in the configuration on the domain member computer, these domain controllers are stored in the DCTargets collection.
If the DCTargets collection is empty, the domain controllers that are specified in the Domain Controllers script parameter for the AD Domain Member Update DCs script in MOM are added to the DCTargets collection.
If there are sites specified in the configuration on the domain member computer, the domain controllers in each of the sites that are specified are added to the DCTargets collection.
If the discovery mode is Specific Site, the domain controllers in the sites specified (as the Sites parameter to the AD Domain Member Update DCs script in MOM) are added to the DCTargets collection.
If the discovery mode is Local Site, the domain controllers in the local site are added to the DCTargets collection.
If the discovery mode is Full and the DCTargets collection is empty, the domain controllers for the specified domains (or if no domains are specified, the domain that the domain member is joined to) are added to the DCTargets collection.
The test suite is run against all the domain controllers in the DCTargets collection.
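The discovery order above, worked through as an added Python example (not the management pack's own script). The topology, the mode names and the function names are constructed for illustration, and giving a local Domains value precedence over the console one is an assumption based on the registry-override rule.

```python
from dataclasses import dataclass

# Constructed sample topology (not from the page): domain -> site -> DC names.
TOPOLOGY = {
    "corp.example": {"HQ": ["dc1", "dc2"], "Branch": ["dc3"]},
    "lab.example": {"HQ": ["labdc1"]},
}

@dataclass
class Settings:
    """Comma-delimited strings, as in the Configuration key entries."""
    domain_controllers: str = ""
    sites: str = ""
    domains: str = ""

def split_csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def dcs_in_sites(sites):
    # Assumption: a site can hold domain controllers from several domains.
    return [dc for dom in TOPOLOGY.values() for s in sites for dc in dom.get(s, [])]

def resolve_dc_targets(mode, local, console, member_domain, member_site):
    """Build DCTargets in the order the page lists; mode names are hypothetical."""
    targets = []
    def add(dcs):
        for dc in dcs:
            if dc not in targets:
                targets.append(dc)
    add(split_csv(local.domain_controllers))          # local list first
    if not targets:                                   # console list only as fallback
        add(split_csv(console.domain_controllers))
    add(dcs_in_sites(split_csv(local.sites)))         # local sites are unioned in
    if mode == "SpecificSite":
        add(dcs_in_sites(split_csv(console.sites)))
    if mode == "LocalSite":
        add(dcs_in_sites([member_site]))
    if mode == "Full" and not targets:
        # Assumption: a local Domains value takes precedence over the console one.
        domains = (split_csv(local.domains) or split_csv(console.domains)
                   or [member_domain])
        for d in domains:
            for site_dcs in TOPOLOGY.get(d, {}).values():
                add(site_dcs)
    return targets

def dropped_by_local_config(mode, local, console, member_domain, member_site):
    """DCs the console settings alone would test but the local settings remove."""
    wanted = resolve_dc_targets(mode, Settings(), console, member_domain, member_site)
    actual = resolve_dc_targets(mode, local, console, member_domain, member_site)
    return [dc for dc in wanted if dc not in actual]
```

Because a locally configured domain controller list suppresses both the console list and Full-mode discovery, dropped_by_local_config shows which domain controllers a member has stopped testing.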
DisplayName | ID | ParentFolder | Accessibility |
---|---|---|---|
Domain Member Monitoring | Microsoft.Windows.Server.AD.DomainMemberMonFolder | Microsoft.Windows.Server.AD.ViewFolder | Public |