Domain Controller Monitoring: Why, What, How?

Monitoring

There are many great Active Directory Monitoring solutions. There are far fewer great Domain Controller Monitoring solutions.

What’s the difference?

Not every Active Directory Monitoring solution is capable of monitoring what is going on on the Domain Controllers themselves.

Active Directory Monitoring solutions that are part of bigger monitoring solutions even go as far as treating the Domain Controllers like any other server (or ‘node’, as some solutions call them), or as a generic application server that happens to host the ‘Active Directory’ application.

What can you expect?

Typical Active Directory Monitoring solutions use Performance Monitor counters and event log monitoring to report the number of connections, the errors that occur on Domain Controllers and whether the services a Domain Controller requires are running.

Better Active Directory Monitoring solutions might also report on:

  • User accounts that have not been used to sign in within the last x days
  • Computer objects whose secure channel (machine account) password has not changed within the last x days
  • Group membership changes to privileged groups like Domain Admins, Server Operators, Backup Operators, etc.
  • Dormant accounts with memberships in these privileged groups
  • Empty groups, groups without descriptions and even groups without managers
  • Changes to Group Policy
  • Organizational Units (OUs) that aren’t protected from accidental deletion

Great Active Directory Monitoring solutions will even tell you which admin changed which attributes and/or objects within Active Directory, and provide point-in-time overviews of group memberships and attributes per object.

What you can’t expect

Many solutions monitor whether the Active Directory-related services are running. They’ll typically check the following services:

  • Active Directory Domain Services (NTDS)
  • DNS Server (DNS)
  • DNS Client (Dnscache)
  • DS Role Server (DsRoleSvc)
  • DFS Namespace (Dfs)
  • DFS Replication (DFSR)
  • Intersite Messaging (IsmServ)
  • Kerberos Key Distribution Center (Kdc)
  • Windows Time (W32Time)
  • Security Accounts Manager (SamSs)
  • Server (LanmanServer)
  • Workstation (LanmanWorkstation)
  • Remote Procedure Call (RPC) (RpcSs)
  • Netlogon (Netlogon)

However, they won’t monitor whether those services actually respond on their designated UDP and/or TCP ports (LDAP on 389, LDAPS on 636, Kerberos on 88, SMB on 445, and so on). Typically they don’t distinguish plain LDAP connections from LDAPS connections, nor count NTLM authentications separately. Abandon all hope of getting a report on the amount of white space in the Active Directory database.
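As an added example (not from the original post), the PowerShell below closes the gap just described: for each Domain Controller service it checks both that the service is running and that the port it is supposed to serve accepts a TCP connection, and for LDAPS it goes one step further and completes a real TLS bind, because an open port 636 says nothing about whether the server certificate is usable. The port map, the `$DomainController` name and the `Test-LdapsBind` helper are my assumptions, not part of any product; `Get-Service -ComputerName` requires Windows PowerShell 5.1 (it was removed in PowerShell 7).

```powershell
# Added example, not part of the original post. Run from a monitoring host with
# Windows PowerShell 5.1. Assumed: $DomainController is reachable and the caller
# may query its Service Control Manager.
param([string]$DomainController = 'dc01.corp.example')   # assumed hostname

# Service -> TCP ports that must answer while that service is running.
# UDP listeners (Kerberos/88, DNS/53, LDAP ping/389) are not covered by a TCP connect.
$expected = [ordered]@{
    'NTDS'         = @(389, 636, 3268, 3269)  # LDAP, LDAPS, Global Catalog, GC over TLS
    'Kdc'          = @(88)                    # Kerberos
    'DNS'          = @(53)                    # DNS
    'LanmanServer' = @(445)                   # SMB: SYSVOL and NETLOGON shares
    'RpcSs'        = @(135)                   # RPC endpoint mapper (replication, Netlogon RPC)
}

# Assumed helper: performs a TLS handshake and a Negotiate bind on 636, which fails
# on a missing or untrusted certificate even though the port itself is open.
function Test-LdapsBind([string]$Server) {
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try     { $conn.Bind(); return $true }
    catch   { return $false }
    finally { $conn.Dispose() }
}

$results = foreach ($svc in $expected.Keys) {
    $service  = Get-Service -ComputerName $DomainController -Name $svc -ErrorAction SilentlyContinue
    $svcState = if ($service) { [string]$service.Status } else { 'NotFound' }
    foreach ($port in $expected[$svc]) {
        $tcp  = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
        $open = $tcp.TcpTestSucceeded
        # A listening 636 is not the same as working LDAPS: verify the TLS bind as well.
        $ok = if ($port -eq 636 -and $open) { Test-LdapsBind $DomainController } else { $open }
        [pscustomobject]@{
            Service = $svc
            State   = $svcState
            Port    = $port
            Open    = $open
            Healthy = ($svcState -eq 'Running') -and $ok
        }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit so a scheduler or monitoring agent can raise an alert on any failed row.
if ($results | Where-Object { -not $_.Healthy }) { exit 1 }
```

Run it from a host that is not the Domain Controller itself, so that a firewall or a listener bound to the wrong interface shows up the way it would for real clients.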

If you’re lucky, your Active Directory Monitoring solution monitors replication by looking at the event logs. It will not verify replication with synthetic transactions: creating or editing an object on one Domain Controller, waiting for it to replicate, checking that it arrived intact on another Domain Controller, then optionally deleting that object and checking that the deletion replicates too.
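The synthetic transaction described above, as an added example that is not part of the original post: a canary contact object is created on a source Domain Controller, its arrival, an attribute edit and its deletion are each awaited on a target Domain Controller, and the three latencies are reported. It assumes the ActiveDirectory module, rights to create and delete objects in the chosen container, and the `$SourceDC`, `$TargetDC` and `Wait-ForCondition` names, which are mine.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module
# and create/delete rights in $Container on $SourceDC.
param(
    [Parameter(Mandatory)][string]$SourceDC,
    [Parameter(Mandatory)][string]$TargetDC,
    [string]$Container = "CN=Users,$((Get-ADDomain).DistinguishedName)",   # assumed location
    [int]$TimeoutSeconds = 300
)
Import-Module ActiveDirectory

# Unique canary name so concurrent runs never collide.
$name  = 'ReplCanary-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
$stamp = (Get-Date).ToString('o')

# Assumed helper: polls $Test every 5 s and returns the seconds elapsed, or $null on timeout.
function Wait-ForCondition([scriptblock]$Test, [int]$Timeout) {
    $sw = [Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $Timeout) {
        if (& $Test) { return [math]::Round($sw.Elapsed.TotalSeconds, 1) }
        Start-Sleep -Seconds 5
    }
    return $null
}

# 1. Create the canary on the source DC.
$obj = New-ADObject -Name $name -Type contact -Path $Container -Description $stamp `
                    -Server $SourceDC -PassThru
$dn = $obj.DistinguishedName

# 2. Wait until it exists on the target DC with the same description (proves it arrived intact).
$createLatency = Wait-ForCondition -Timeout $TimeoutSeconds -Test {
    $o = Get-ADObject -Identity $dn -Properties description -Server $TargetDC -ErrorAction SilentlyContinue
    $o -and $o.description -eq $stamp
}

# 3. Edit an attribute on the source DC and wait for the change to replicate.
$stamp2 = (Get-Date).ToString('o')
Set-ADObject -Identity $dn -Description $stamp2 -Server $SourceDC
$editLatency = Wait-ForCondition -Timeout $TimeoutSeconds -Test {
    $o = Get-ADObject -Identity $dn -Properties description -Server $TargetDC -ErrorAction SilentlyContinue
    $o -and $o.description -eq $stamp2
}

# 4. Delete on the source DC and wait until the target no longer returns the live object.
Remove-ADObject -Identity $dn -Server $SourceDC -Confirm:$false
$deleteLatency = Wait-ForCondition -Timeout $TimeoutSeconds -Test {
    -not (Get-ADObject -Identity $dn -Server $TargetDC -ErrorAction SilentlyContinue)
}

[pscustomobject]@{
    Object        = $dn
    Source        = $SourceDC
    Target        = $TargetDC
    CreateSeconds = $createLatency
    EditSeconds   = $editLatency
    DeleteSeconds = $deleteLatency
} | Format-List

# Any $null latency means that step never replicated within the timeout.
if ($null -eq $createLatency -or $null -eq $editLatency -or $null -eq $deleteLatency) { exit 1 }
```

Run it per site link pair on a schedule and trend the three latencies; a growing create latency between two specific Domain Controllers usually points at a connection object or site link problem long before replication errors reach the event log.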

Active Directory Monitoring solutions might report on CPU usage, the status of the Windows Firewall, the anti-malware solution and disk encryption, but only because the bigger monitoring solution offers this functionality and performs these checks on all servers (or ‘nodes’). Just don’t expect them to warn you when you don’t have anti-malware exclusions defined for the paths where the Active Directory database, its transaction logs and the system volume (SYSVOL) reside.
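One way to implement that missing warning, as an added example that is not the original post’s code: read the actual database, log and SYSVOL locations from the registry (they are not always under C:\Windows) and compare them with the Microsoft Defender path exclusions. The `Test-Covered` helper is mine; the registry value names are the ones NTDS and Netlogon write at promotion time.

```powershell
# Added example, not part of the original post. Run on the Domain Controller itself
# with Microsoft Defender Antivirus as the anti-malware solution (Get-MpPreference).
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Paths that must be excluded, taken from where the DC really keeps them.
$required = @(
    (Split-Path $ntds.'DSA Database file')   # folder that holds ntds.dit
    $ntds.'Database log files path'          # edb*.log and edb.chk
    $ntds.'DSA Working Directory'            # temp.edb and other working files
    $netlogon.SysVol                         # SYSVOL: Policies, Scripts, DFSR staging
) | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique

$pref       = Get-MpPreference
$exclusions = @($pref.ExclusionPath) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Assumed helper: a path is covered when an exclusion equals it or is one of its parents.
function Test-Covered([string]$Path, [string[]]$Exclusions) {
    foreach ($ex in $Exclusions) {
        if ($Path -eq $ex -or
            $Path.StartsWith($ex + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$report = foreach ($p in $required) {
    [pscustomobject]@{ Path = $p; ExplicitlyExcluded = Test-Covered $p $exclusions }
}
$report | Format-Table -AutoSize

# Defender ships automatic exclusions for the AD DS role; they apply to real-time
# protection only, so explicit exclusions are still wanted for scheduled scans.
$autoOn = -not $pref.DisableAutoExclusions
if (-not $autoOn) { Write-Warning 'Automatic server-role exclusions are disabled on this DC.' }

$uncovered = $report | Where-Object { -not $_.ExplicitlyExcluded }
if ($uncovered) {
    Write-Warning ("Not explicitly excluded: " + (($uncovered.Path) -join ', '))
    if (-not $autoOn) { exit 1 }   # nothing protects these paths from a scan
}
```

If a different anti-malware product is in use, only the last section changes; the registry lookups stay the same, which is exactly why a generic ‘node’ check cannot do this: it does not know where the Domain Controller keeps its database.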

What you need

You may need a Domain Controller Monitoring solution. A Domain Controller Monitoring solution is a very specific monitoring solution that targets areas like:

  • Group membership changes to the Cloneable Domain Controllers group
  • Changes to Flexible Single Master Operations (FSMO) roles
  • Changes to Active Directory sites, sitelinks and schema
  • Active Directory database whitespace and integrity
  • Changes to Active Directory-related registry values
  • RID Pool depletion
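Three of the checks in the list above, written out as an added example that is not from the original post: a snapshot of the FSMO role holders (so a later run can diff them and catch a seized role), the membership of Cloneable Domain Controllers, and the RID pool decoded from the rIDAvailablePool attribute on the RID Manager object. The decoding of that attribute (high 32 bits are the ceiling, low 32 bits the next RID to hand out) is standard; the 80 % warning threshold is my assumption.

```powershell
# Added example, not part of the original post. Needs the ActiveDirectory module
# and read access to the domain; no changes are made.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO role holders. Persist this object and compare on the next run.
$fsmo = [pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 2. Cloneable Domain Controllers is normally empty; any member deserves an alert.
$cloneable = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' -Server $domain.PDCEmulator |
    Select-Object -ExpandProperty SamAccountName

# 3. RID pool. rIDAvailablePool packs two 32-bit numbers into one 64-bit value:
#    high 32 bits = highest RID the domain will ever issue (ceiling),
#    low 32 bits  = next RID to be allocated; the difference is what is left.
$ridMgr = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
            -Properties rIDAvailablePool -Server $domain.RIDMaster
[int64]$pool = $ridMgr.rIDAvailablePool
[int64]$ceiling   = [math]::Floor($pool / [math]::Pow(2, 32))
[int64]$nextRid   = $pool - ($ceiling * [math]::Pow(2, 32))
[int64]$remaining = $ceiling - $nextRid
$percentUsed = [math]::Round(100 * $nextRid / $ceiling, 2)

[pscustomobject]@{
    FSMO               = $fsmo
    CloneableDCMembers = @($cloneable)
    RidCeiling         = $ceiling
    NextRid            = $nextRid
    RidsRemaining      = $remaining
    RidPercentUsed     = $percentUsed
} | Format-List

# Alert well before exhaustion: the default ceiling is 2^30 RIDs, and raising it
# to 2^31 (the SID compatibility bit) is a one-way change.
if ($cloneable)            { Write-Warning "Cloneable Domain Controllers is not empty: $($cloneable -join ', ')" }
if ($percentUsed -gt 80)   { Write-Warning "RID pool is $percentUsed% consumed on $($domain.RIDMaster)" }
```

Query the RID Master explicitly, as above, because rIDAvailablePool replicates and a stale replica can under-report consumption.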

Better solutions would also report on replication issues and on Domain Controller hardening: whether NT4Crypto, NTLMv1, RC4, SMBv1, SSL 3.0, TLS 1.0 and TLS 1.1 can still be used, and whether they actually are being used.
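The “can be used” and “is being used” distinction above, as an added example that is not part of the original post: the script reads the settings that decide whether each legacy protocol is still accepted, then counts NTLMv1 logons from the Security log so usage is reported next to capability. The registry locations and the meaning of the values are the documented ones; the 24-hour window, the `Get-SchannelServerState` helper and the output field names are my assumptions. Where a SCHANNEL value is absent, the script reports “OS default” rather than guessing, because the default differs per Windows Server version.

```powershell
# Added example, not part of the original post. Run on each Domain Controller
# with rights to read the Security log.
$lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$kerbPol  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
              -ErrorAction SilentlyContinue

# Assumed helper: server-side state of one SCHANNEL protocol. Absent = OS default.
function Get-SchannelServerState([string]$Protocol) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Server"
    $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $p)                        { return 'OS default (not configured)' }
    if ($p.Enabled -eq 0)               { return 'Disabled' }
    if ($p.DisabledByDefault -eq 1)     { return 'Disabled by default' }
    return 'Enabled'
}

# LmCompatibilityLevel: only level 5 makes a DC refuse LM and NTLMv1 responses.
# Absent means the OS default of 3 on current Windows Server versions.
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 3 }

# Kerberos encryption types policy: bit 0x4 is RC4-HMAC. Unset means RC4 is still allowed.
$kerbTypes = $kerbPol.SupportedEncryptionTypes
$rc4Kerb = if ($null -eq $kerbTypes)  { 'Allowed (policy not set)' }
           elseif ($kerbTypes -band 4) { 'Allowed' }
           else                        { 'Disabled' }

# The "RC4 128/128" key contains a slash, which the registry provider treats as a
# path separator, so read it through the .NET Registry class instead.
$rc4Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128')
$rc4Tls = if ($rc4Key -and $rc4Key.GetValue('Enabled') -eq 0) { 'Disabled' } else { 'Not explicitly disabled' }

# Usage: NTLMv1 logons accepted by this DC in the last 24 hours (event 4624, LmPackageName).
$xpath  = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 86400000]] " +
          "and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
$ntlmv1 = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)

[pscustomobject]@{
    LmCompatibilityLevel = $lmLevel
    NTLMv1Accepted       = ($lmLevel -lt 5)
    NTLMv1LogonsLast24h  = $ntlmv1.Count
    NT4CryptoAllowed     = ($netlogon.AllowNT4Crypto -eq 1)   # default 0 (disallowed) since Server 2008
    SMBv1Enabled         = (Get-SmbServerConfiguration).EnableSMB1Protocol
    RC4Kerberos          = $rc4Kerb
    RC4Schannel          = $rc4Tls
    'SSL 3.0'            = Get-SchannelServerState 'SSL 3.0'
    'TLS 1.0'            = Get-SchannelServerState 'TLS 1.0'
    'TLS 1.1'            = Get-SchannelServerState 'TLS 1.1'
} | Format-List
```

The usage count is what makes the capability flags actionable: a Domain Controller that still accepts NTLMv1 but has seen zero NTLMv1 logons in a month can be hardened without a change window, while one with daily NTLMv1 logons needs the source workstations (4624 also carries WorkstationName and IpAddress) tracked down first.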

Great solutions would include a delegation model and workflows to assist in getting Domain Controllers, and the Active Directory functionality they host, into the most secure state possible. Correlation to the CIS benchmarks and ISO/NEN frameworks would also be a much-needed feature to track progress toward these organizational goals.

Concluding

When you read about Active Directory Monitoring solutions and their ability to provide quick root-cause resolution, don’t believe everything you read. Unless you have a solution that is specifically written to monitor Domain Controllers, rather than treating them as ‘application servers’ or ‘nodes’, an Active Directory Monitoring solution might not actually provide this value.

When you are concerned about the Domain Controllers themselves, you might need a separate Domain Controller Monitoring solution, next to your Active Directory Monitoring solution.
