You can only get Active Directory Monitoring right if you do Domain Controller Monitoring, too


When ENow launched COMPASS in 2011, the family of products it entered was commonly referred to as Active Directory monitoring. However, in contrast with other Active Directory monitoring solutions, COMPASS is also a Domain Controller monitoring solution. Many of the other Active Directory monitoring solutions on this common list of best Active Directory Monitoring solutions don’t offer that functionality. Which is strange…


Domain Controller Monitoring vs. Active Directory Monitoring

Typical Active Directory monitoring solutions delve into the configuration partition of the Active Directory database, but don’t scrutinize the Domain Controllers offering the database and the Active Directory services.

Active Directory Monitoring solutions might report on the status of the common services, CPU usage, the status of the Windows Firewall, the anti-malware solution and disk encryption, but only because they offer this functionality as part of the bigger monitoring solution, and they perform these checks on all servers (or ‘nodes’ as hosts are commonly referred to in these solutions).

Domain Controllers are different from other domain-joined servers (or ‘nodes’), by default:

  • They don’t have local accounts (except for the administrator account that is used in Directory Services Restore Mode)
  • They use specific registry items
  • They use an ESE database with transaction logs
  • They offer specific files as a file server
  • They offer specific services using specific network ports
  • They offer name resolution
  • They communicate between themselves
  • They make sure that all domain-joined devices know what the accurate time is.

On a typical day, clients contact a Domain Controller on a dozen network ports for as many purposes. If any of these communication protocols are unavailable, people in the organization are bound to be hindered. Therefore, Domain Controllers should not be treated as mere nodes but should be treated as … you guessed it… Domain Controllers.

Alas, you can only get Active Directory Monitoring right if you know Domain Controllers. Unfortunately, you can only get Domain Controller Monitoring right if you know Active Directory. This is where ENow shines.


Domain Controller Monitoring and Active Directory Monitoring

COMPASS offers Domain Controller Monitoring and Active Directory Monitoring in one package. It offers all this goodness right out of the box without the need to create monitoring rules from scratch, like you would with other solutions.

Obviously, all the common Active Directory monitoring requirements are met: metrics like LDAP queries and client sessions are displayed. Events from the logs are pulled. Replication is monitored. Backup status is monitored. On the reporting side of COMPASS, over 50 reports are available for Active Directory.

The Domain Controller Monitoring part of COMPASS is where the magic happens:

Monitoring Services

Domain Controllers run additional services, when compared to member servers. These services should be monitored. If they’re not running, something is wrong. That’s why COMPASS monitors the Active Directory-related services on each Domain Controller and additional services can be added to the monitoring scope. It’s what you can expect from every good monitoring solution.

Monitoring DNS and NTP

Active Directory is highly dependent on the Domain Name System (DNS). Obviously, the DNS settings, the connectivity and the records are monitored to make sure DNS is not the problem, not even in multi-forest environments.

The Microsoft recommendation to not point to the loopback address as the primary DNS server address and other DNS recommendations are monitored, so when any admin changes the configuration to something that no longer follows the recommendations, COMPASS tells you.

Every experienced admin knows the cause of trouble is either DNS, PKI or a typo. At least, with COMPASS, you know it’s DNS when it’s DNS; you’ll find it blinking red on your monitoring dashboard. 😉

As DNS SRV records point to LDAP, LDAPS, GC, and GC over TLS, COMPASS monitors these ports. Here, monitoring is different from simply querying. The solution goes beyond checking that the port is reachable: it also checks that the specific process is listening and how fast it’s processing queries.

COMPASS does the same thing for UDP 123 because, by default, all domain-joined hosts look to Domain Controllers for accurate time. This way, COMPASS makes sure you don’t get a green check conveying ‘everything alright’ when it is not.
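An added example (not ENow's code and not part of the original article) of the difference between a reachable port and a working time service: it sends one SNTP request to UDP 123 and inspects the reply fields defined in RFC 5905, flagging a server that answers but reports itself unsynchronized. The function names and the constructed sample replies are assumptions for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def build_request(now=None):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (0x1B) plus transmit time."""
    now = time.time() if now is None else now
    secs, frac = (int(now) + NTP_EPOCH_DELTA) & 0xFFFFFFFF, int((now % 1) * 2**32)
    return struct.pack("!B39xII", 0x1B, secs, frac)

def evaluate_reply(reply, sent_transmit=None):
    """Return the list of problems found in a raw NTP reply (empty list = healthy)."""
    if len(reply) < 48:
        return ["short reply (%d bytes)" % len(reply)]
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    problems = []
    if mode != 4:
        problems.append("mode %d is not a server reply" % mode)
    if leap == 3:
        problems.append("leap indicator 3: clock unsynchronized")
    if not 1 <= stratum <= 15:
        problems.append("stratum %d: invalid or unsynchronized" % stratum)
    if reply[40:48] == b"\0" * 8:
        problems.append("transmit timestamp is zero")
    if sent_transmit is not None and reply[24:32] != sent_transmit:
        problems.append("origin timestamp does not echo the request")
    return problems

def probe(host, timeout=2.0):
    """Query UDP 123 once; return (problems, round_trip_seconds or None)."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(request, (host, 123))
            reply, _ = sock.recvfrom(512)
        except OSError as exc:  # timeout, unreachable, name resolution failure
            return ["no reply: %s" % exc], None
        rtt = time.monotonic() - start
    return evaluate_reply(reply, request[40:48]), rtt

def make_reply(leap, stratum, origin=b"\0" * 8):  # constructed sample, not captured traffic
    return struct.pack("!BB22x8s8xII", (leap << 6) | 0x1C, stratum, origin, 3900000000, 0)

if __name__ == "__main__":
    print(evaluate_reply(make_reply(0, 3)), evaluate_reply(make_reply(3, 0)))
```

Call `probe()` with the name of one of your own Domain Controllers; an empty problem list together with the round-trip time is the "green check" that a bare port test cannot give for UDP.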

Monitoring the database

Disk monitoring is optimized for Domain Controllers, too. Sure, monitoring the system drive of a server is important. On a Domain Controller that is configured following recommendations, however, it’s not that important. When following the recommendations, the Active Directory database, its transaction logs and the system volume (SYSVOL) are stored on different drives, and monitoring the disk space on these drives is more important on Domain Controllers. These are the common sources for dynamic data on Domain Controllers. COMPASS knows where these files are and monitors them appropriately. Going beyond other solutions, COMPASS also monitors the white space in the database on each Domain Controller. What other integrated Active Directory monitoring solution does that? 🥰

Other monitoring

With years of experience, the team at ENow have also solved a couple of scenarios that typically haunt Active Directory admins. Non-responsive Domain Controllers, replication troubles, and even the typical time issues on virtual Domain Controllers hosted on Hyper-V and vSphere have all been tackled. If these scenarios occur, you can quickly drill down on the ENow monitoring dashboard and identify the root causes.


COMPASS and Active Directory

ENow also knows what ticks you off as an Active Directory admin… Having to install a tool to manage or monitor things (like the LAPS UI tool), having second thoughts about your monitoring solution because you end up with 95% false positives until you tweak it (Here’s looking at you, ConfigMgr…) and having a tool that only supports one role within your organization (Active Directory Administrative Center, anyone?). Those are the kinds of things you typically want to avoid as an admin.

The ENow Monitoring dashboard website allows you to display role-specific information on any screen and ENow consultants make sure the role definition and thresholds are set just right during implementation.



When looking for a solution that does both Active Directory monitoring and Domain Controller monitoring, COMPASS should be on the top of your shortlist. If you would like to learn more about ENow’s Active Directory Monitoring & Reporting solution, you can contact them directly here.
