The Active Directory Replication Status Tool is making the move to the Operations Management Suite

I’m a big fan of the free Active Directory Replication Status Tool. So much so that I install it in every Active Directory environment I scan and troubleshoot. Together with the Active Directory PowerShell module, the built-in tools, and the Active Directory Topology Diagrammer, it completes my toolbox. It’s a nice gift to leave behind for every Active Directory admin.

Since last week, when starting the free Active Directory Replication Status Tool, I was greeted with a message before it opened its functional replication troubleshooting and root cause analysis interface:

Active Directory Replication Status Tool - This version of the tool will expire. A newer version of the AD Replication Status Tool is now available. Please download it from https://aka.ms/oms/support/adreplstatus

Apparently, the Active Directory Replication Status Tool is making the move to the Operations Management Suite (OMS).

I feel this is good news, since the Active Directory Replication Status Tool was always a tool for a moment in time, not a thorough “let’s check things proactively, let’s avoid trouble” proactive tool. It’s perfect for what I do, but for day-to-day Active Directory admins, the tool can be so much more.

 

About the Operations Management Suite

Microsoft’s Operations Management Suite (OMS) offers simplified IT management for any organization. Using OMS, you can gain control over any hybrid cloud. Manage and protect Azure or Amazon Web Services (AWS), Windows Server or Linux, VMware or OpenStack with this cost-effective, all-in-one cloud IT management solution.

Monitor Active Directory replication using OMS

Now you can monitor replication in your Active Directory environment right from the dashboard of the new Operations Management Suite. Quickly identify domain controllers that are experiencing replication errors from anywhere, using any device.

Use OMS's powerful search functionality to dive into the details. Link to documentation that helps you fix the problems you find. All from an easy-to-use console that you can access from anywhere. Get started in minutes, for free.

Replication Errors, Right On Your Dashboard

See the number of current replication errors in your environment, right from a tile on your OMS dashboard. We'll even identify errors that are approaching tombstone lifetime (TSL), so you know when you need to take immediate action to avoid problems in your environment.

Classify Your Replication Errors

View your replication errors grouped by destination server, source server, error type, or last successful replication date. Quickly identify your largest clusters of errors, so you can develop a plan for addressing them first.

Get All The Details

Use OMS's powerful search functionality to zero in on specific errors. Filter the list of errors any way you'd like. View detailed information about each error, including a link to documentation that helps you fix it.

All for free!

The best thing: When you use Operations Management Suite (OMS) to monitor Active Directory, the functionality is free. Typically a Domain Controller would send less than 10MB of data per day to OMS, but you can send as much as 500MB of data per day in the Free Plan of OMS.

 

Steps to get started

To get started with Microsoft’s Operations Management Suite (OMS), simply create an OMS Workspace for free. Then, on your management workstation, browse manually to the Active Directory Replication Status Tool now in Operations Management Suite page. (This is where the http://aka.ms/oms/support/adreplstatus link in the message points to.)

An empty Microsoft Operations Management Suite Workspace

In the OMS portal, click on the Solutions Gallery tile.

From the Solutions Gallery, select the AD Replication Status solution.

On the AD Replication Status page, click on the Add button. This will add the AD Replication tile to your OMS Dashboard.

Of course, OMS won’t have anything useful to chew on, unless you connect one or more Active Directory Domain Controllers to it. The Settings tile on your dashboard still reports 0 Data sources connected, so let’s do this.

Click on the cog or the 0 in the Settings tile to go to Settings. In the left pane, click on Connect a data source. In the first column, you’ll find the Windows Agents (both x64 and x86) and the Linux Agent (Preview). In the second column you can connect an existing on-premises System Center Operations Manager (OpsMgr) deployment. The third column allows you to attach an Azure storage account or connect to AWS storage (Coming soon).

For 64-bit Active Directory Domain Controllers, download the 27,3MB-weighing MMASetup-AMD64.exe. After downloading it, run it.

Welcome to the Microsoft Monitoring Agent Setup Wizard

In the Welcome to the Microsoft Monitoring Agent Setup Wizard, click on Next >.

License Terms for the Microsoft Monitoring Agent

On the page with the License Terms click on I Agree.

Microsoft Monitoring Agent Destination Folder

On the Destination Folder page, click Next > to accept the default location in C:\Program Files\Microsoft Monitoring Agent\.

Microsoft Monitoring Agent Setup Options

On the Agent Setup Options page, select the Connect the agent to Microsoft Azure Operational Insights option. Then, click Next >.

Note:
Microsoft’s Operations Management Suite was previously called Microsoft Azure Operational Insights.

Microsoft Monitoring Agent - Connect to Azure Operational Insights

On the Operational Insights page, enter both the WorkSpace ID and the WorkSpace Key, mentioned on the Settings page of your OMS Dashboard. When you use an authenticated proxy, use the Advanced button to specify it. Press Next > afterwards.

Note:
The Microsoft Monitoring Agent reports to Operations Management Suite using TCP 443 to:

  • *.ods.opinsights.azure.com
  • *.oms.opinsights.azure.com
  • ods.systemcenteradvisor.com
  • *.blob.core.windows.net/

Make sure this traffic is allowed.
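
A pre-flight check for the two points above, the downloaded installer and the outbound TCP 443 endpoints, as an added example that is not part of the original post. The workspace ID and storage account name are placeholders, and using the workspace ID as the left-most label of the wildcard host names is an assumption:

```powershell
# Added example, not from the original post. Run on the Domain Controller
# before starting MMASetup-AMD64.exe.
param(
    [string]$InstallerPath = '.\MMASetup-AMD64.exe',
    [string]$WorkspaceId   = 'WORKSPACE-ID-PLACEHOLDER',    # from the OMS Settings page
    [string]$BlobAccount   = 'STORAGE-ACCOUNT-PLACEHOLDER'  # hypothetical; take it from firewall/proxy logs
)

# 1. Stop if the downloaded installer does not carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status of $InstallerPath is '$($sig.Status)'; do not run it."
}
Write-Output "Signer: $($sig.SignerCertificate.Subject)"

# 2. Turn the wildcard entries from the note into concrete host names.
#    Assumption: the workspace ID is the left-most label of the opinsights hosts.
$targets = @(
    "$WorkspaceId.ods.opinsights.azure.com",
    "$WorkspaceId.oms.opinsights.azure.com",
    'ods.systemcenteradvisor.com',
    "$BlobAccount.blob.core.windows.net"
)

# 3. Attempt a direct TCP connection to port 443 with a 5-second timeout.
#    This bypasses any proxy; behind a proxy, check the proxy's allow list instead.
$results = foreach ($target in $targets) {
    $client = New-Object System.Net.Sockets.TcpClient
    $reachable = $false
    try {
        $pending = $client.BeginConnect($target, 443, $null, $null)
        if ($pending.AsyncWaitHandle.WaitOne(5000)) {
            $client.EndConnect($pending)   # throws on DNS failure or refusal
            $reachable = $client.Connected
        }
    } catch {
        Write-Warning "$target : $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Host = $target; Port = 443; Reachable = $reachable }
}
$results | Format-Table Host, Port, Reachable -AutoSize
```

Any host that shows Reachable as False is one the firewall rule set still blocks; everything else outbound from the Domain Controller can stay denied.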

Microsoft Monitoring Agent - Choosing an Update Mechanism

On the Microsoft Update page, select Use Microsoft Update when I check for updates (recommended) and click Next >.

Ready to Install the Microsoft Monitoring Agent

On the Ready to Install page, click Install.

Microsoft Monitoring Agent configuration completed successfully.

When installation is done, click Finish.

In the OMS Dashboard, click on the Home icon. After some time, the AD Replication Status tile will show you the information you crave, in near real-time:

Microsoft Operations Management Suite Dashboard with AD Replication Status

 

Concluding

Starting next week, the Active Directory Replication Status Tool is living up to the promise of the let’s check things proactively, let’s avoid trouble, proactive tool to keep Active Directory replication in check: As part of the online Operations Management Suite (OMS).

Further reading

Microsoft Operations Management Suite
Download Active Directory Replication Status Tool from Microsoft
Download Active Directory Topology Diagrammer from Microsoft
Troubleshooting Active Directory Replication Problems

11 Responses to The Active Directory Replication Status Tool is making the move to the Operations Management Suite

  1.  

    Don't you think that some of us are now left without this useful tool, because for example our chief Security Officer doesn't like to have agents installed on DCs ?

    • I think the consensus among many CSOs is they don't want agents on Domain Controllers connecting to the Internet.
      I believe not every agent is 'bad' per se, because most of them would install the OpsMgr agent, backup agent, etc. The part that most likely influences their decision is this agent sends data outside.

      However, many mitigating measures can be applied in this area. You could 1. Restrict traffic to only the necessary endpoints in Azure, 2. Send traffic through a monitored proxy to inspect the traffic sent and received and/or 3. Restrict access to the OMS portal to only an approved team of personnel.

      That said, I've seen the familiar Active Directory Replication Status Tool's GUI show up after people clicked the 'close' menu-item or the 'Exit' button in the Active Directory Replication Status Tool's license expiration message box. It didn't show up 100% of the time, but when it did the tool was useable like before.

       
  2.  

    I think the tool is great! But making it only available through OMS is bad. There are many companies that have a policy not allowing DCs connecting to the "outside". And changing the policies is not easy sometimes. Just my 2 cents.

  3.  

    While this sounds like a great tool, Microsoft has failed to consider that not everyone has a fast unlimited connection to the internet at all times. Nor does everyone feel comfortable (or is able to) send information up to the cloud at all times. Fail. Microsoft. Fail.

  4.  

    This is really bad. I don't think anyone will connect a Domain Controller (!) to a cloud Service. We are now left without this very useful tool. Thanks Microsoft 🙁

  5.  

    Great, this tool is now unusable – as a financial institution we are not going to be connecting our DCs to the internet…

  6.  

    Expiring the on-prem replication tool was a mistake.

    My domain controllers are busy enough. And now you want me to open them to the internet and constantly send replication stats to the cloud ?

    No way.

    • I understand.
      Many admins feel the same way.

      You don't have to connect the (V)LAN with your Domain Controllers to the Internet if you use Microsoft System Center Operations Manager (OpsMgr) 2012 SP1 Update Rollup 7 or 2012 R2 Update Rollup 3. You can connect it through the Operational Insights Connection functionality.

      Additionally, I have dug up the latest non-expiring version of the Active Directory Replication Status Tool. I've made it available here.

       
  7.  

    You don't have to connect DCs to OMS if you don't want. There's a registry key you can set on *any* machine that is 1) connected to OMS and 2) a member of the domain that you want to evaluate. The registry key will let that server collect replication status data and send it to OMS:

    Key: HKLM\SOFTWARE\Microsoft\AzureOperationalInsights\Assessments_Targets
    Value: ADReplication

    (Changes take effect the next time HealthService restarts.)

  8.  

    This is not good. For years we have become dependent on this tool as part of our daily work. Each morning we report on AD replication.
    I work in healthcare, and with concerns for PKI and the HIPAA requirements, our security team will be reluctant to allow any DC to connect to the internet. Our security policy is to not allow any DC connection to the internet.

    I understand that MS is pushing EVERYTHING to the cloud, but for some, the cloud is not the answer.
    This is a MAJOR FAIL for Microsoft as they have pulled the rug out from a large user base of this tool.
    If MS wants people to get the extra features then offer them to those that can/will modify their firewalls and security to allow connection to the cloud. For those of us that don't want the extra features, we should be allowed to continue to use this tool.
    The option of "Buy more stuff from MS" in order to do what you used to do is not right!

  9.  

    I'd like to believe this is some kind of progress for most admins. However, why expire the local version or leave it for OMS only?

    For those like me who don't use OMS at all for server monitoring (not all companies are married to Microsoft products) this is quite the opposite of progress.

    Thanks Microsoft!
