Active Directory extended monitoring

Active Directory extended monitoring

Enhance Active Directory services monitoring with advanced metrics.

Extension

Free trial Documentation

Product information
Release notes

Overview

This Dynatrace extension is a companion to the Active Directory services monitoring extension and provides an extended set of AD metrics, obtained through dedicated PowerShell cmdlets. This extension is not intended to work alone - it should be activated as a companion to the Active Directory services monitoring extension.

This is intended for users, who: Want to enhance the Active Directory services monitoring already implemented, with additional metrics that characterize:

AD replication status
DHCP server status and performance
System-dependent services status like time synchronization, volume health and network adapter health
LDAP BIND performance, ATQ thread usage, FSMO consistency, AD database disk usage

Use cases

Enhance Active Directory services monitoring with advanced metrics.

Get started

Start with activating the Active Directory services monitoring extension. Then activate this extension, as it is intended to enhance the the Active Directory services monitoring.

When enabling this extension, you will be prompted for

User name and password to a Windows account
- Able to logon locally
- The account requires KEY_READ permission to read registry keys from HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- The account requires permission to locally execute PowerShell cmdlets on the AD server
- If collecting DHCP scope metrics, the user must be part of the DHCP Users group
- Note that the account doesn't have to be the local account on an AD server. It can be domain account, but it requires local server privileges (registry key read, PS cmdlet run).
API token to the Dynatrace tenant on which the extension is activated
- API token requires the settings.write, settings.read and entities.read scope
- You need to prepare this token on your Dynatrace tenant (Settings > Integrations > Access tokens) and copy-paste this token into the extension configuration

Details

This extension is intended to work locally on the AD server. It executes:

PowerShell cmdlets, locally, to access Windows registry and specific AD metrics available only through PowerShell. Several of these metrics map to metrics available through commonly used DCDIAG tool.
API calls against the OS Service Monitoring, to report AD services availability
Log ingestion of the AD services logs

The extension package contains:

PowerShell snippets that retrieve metrics from the AD server
Alert templates for time skew monitoring, database file space, ATQ thread usage and replication consistency
Topology rules and screen definitions that weave this extension metrics into the entities managed by the Active Directory services monitoring extension
Log ingest rules, applied on AD hosts monitored with this extension, which further enable alerting on AD services-related issues logged into Windows logs system
Log processing rules, which enrich logs ingested with a field that flag AD-related context where content pertains to AD services
Log event extraction rules, which scan logs ingested for AD-related context and trigger alerts when log information carries potential AD issue or error information

Log ingest configured by this extension By default, this extension sets up log ingestion rules on hosts where it is installed. AD services logs are used to generate events and further alert on service anomalies and malfunctions.

You can disable log ingestion with a settings toggle in the extension configuration screen. Note that this setting does not control any other log ingestion rules that might have been configured on hosts where this extension has been activated.

Following log ingestion rules are being set up by this extension:

Windows Event Log
- source is
  - Active Directory Web Services
  - DFS Replication
  - Directory Service
  - DNS Server
- and log record level is in (ERROR WARN CRITICAL SEVERE)
Windows Log
- source is
  - Windows Application Log
  - Windows System Log,
  - Security

And the following events from each event provider.

|Event Provider|Event IDs|
|Microsoft-Windows-ADFS|102, 104, 111, 356, 385, 509, 546, 549, 1034, 1036|
|Microsoft-Windows-Directory-Services-SAM|12299, 16643|
|Microsoft-Windows-Time-Service|21, 34, 36|
|DNSAPI|11150, 11162, 11151, 11155, 11163, 11167, 11154, 11166, 11152, 11153, 11164, 11165|
|Microsoft-Windows-Kerberos-Key-Distribution-Center|6, 15, 17|
|Microsoft-Windows-Security-Auditing|1102, 4616, 4621, 4649, 4660, 4675, 4707, 4710, 4712, 4715, 4716, 4730, 4740, 4743, 4764, 4766, 4771, 4866, 4867, 4935, 5025, 5030, 5034, 5035, 5037, 5139, 5141, 5483, 5484, 6008, 6145|
|Microsoft-Windows-CertificationAuthority|0, 3, 5, 9, 16, 17, 19, 20, 21, 22, 23, 28, 33, 34, 35, 38, 39, 40, 42, 43, 44, 48, 49, 51, 59, 60, 63, 65, 74, 75, 78, 82, 83, 86, 87, 90, 92, 94, 95, 96, 98, 99, 100, 102, 106, 107, 130, 132|
|Microsoft-Windows-OnlineResponder|39, 60, 92|

Compatibility information

This extension is intended as a companion to the Active Directory services monitoring extension. with advanced metrics.
Only on-premises Active Directory deployments are supported.
Azure AD is not supported.
Verified with Windows Server 2016, 2019 and 2022
Required minimum PowerShell version on AD servers is 5.x and above

Q&A

Q: What is the DDU Consumption of this extension?

A: The formula for DDU consumption of the extension is:

 ( 10
+ (17 * number of Domain Controllers)
+ (11 * number of DHCP servers)
+ ( 2 * number of LDAP instances)
 )  * 525.6 DDUs/year

Typical consumption for a single-domain AD server, hosting one DHCP server and one LDAP instance, amounts to 21,024 DDUs/year

DDU cost above does not include log lines ingested any possible Log events or Custom events triggered by the extension. For more information on this, please visit the DDU log event cost and DDU custom event cost pages.

Q: Does this extension collect KPIs available from DCDIAG?

A: All in all - equivalents of the DCDIAG KPIs are available in Dynatrace:

NTDS Service - monitored through OneAgent OS Service Monitoring
Services - monitored through OneAgent OS Service Monitoring
Replications - similar data is available through parsing of the repadmin outputs, in this extension
FSMO KnowsOfRoleHolders - can be found as part of the FSMO role holder ping/LDAP metrics
Advertising - delivered by the FSMO role holder consistency metric

Q: Why do I need to provide separate credentials in this extension if OneAgent already runs under LocalSystem?

A: An account with additional permissions is required to run this extension due to the kind of metrics it collects. Although OneAgent typically runs as LocalSystem account, Python extensions run as LocalService. The LocalService account has the minimum privileges on the local computer which is why the extension requires an account with enough permissions to read a few registry keys and run cmdlets like repadmin and dcdiag.

Q: Why there is a need to grant KEY_READ permission to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters?

A: KEY_READ permission to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is required to obtain following metrics:

active-directory.database.diskfree
active-directory.database.disk.total
active-directory.database.diskfree.total
active-directory.replication.consistency.status

Q: What is the Dynatrace API token used for?

A: API token is required to enable integration of the AD-related log ingestion and the OS service monitoring with OOTB host-level reporting. No metrics are ingested using the API token. API token is used to allow the services to be seen on the Dynatrace Host UA screen and the logs on the AD Instance UA screen.

Q: What do I need OS Service Monitoring for?

A: The extension utilizes the API token to add entries into the OneAgent's OS Service Monitoring. The OneAgent will ingest availibility metrics and alerts so you know when a critical service is down. In some cases log events can refer to the OS Service which emitted the event.

Q: Does the extension support Group Managed Service Accounts (gMSA)?

A: No the extension does not suport gMSA accounts. The extension can only use local or domain-joined accounts since gMSA accounts are not meant for interactive use. The extension works by impersonating the account provided in the monitoring configuration to execute commands in that user's security context. gMSA accounts cannot be impersonated and therefore aren't able to be used by the extension.

Subscribe to new releases

Copy to clipboard

Extension content

Content typeNumber of items included

metric query

1

screen logs cards

1

alerts

4

screen chart groups

12

screen properties

1

metric metadata

36

screen injections

12

generic relationship

2

generic type

6

screen layout

1

Feature sets

Below is a complete list of the feature sets provided in this version. To ensure a good fit for your needs, individual feature sets can be activated and deactivated by your administrator during configuration.

Feature setsNumber of metrics included

Metric name	Metric key	Description	Unit
DHCP Scope Delay v4	active-directory.dhcp.server.scope.delay	DHCP Scope Delay v4 in milliseconds	MilliSecond
DHCP Scope Addresses Free v4	active-directory.dhcp.server.scope.addresses.free	Number of DHCPv4 scope addresses free	Count
DHCP Scope Addresses Used v4	active-directory.dhcp.server.scope.addresses.used	Number of DHCPv4 scope addresses used	Count
DHCP Scope Addresses Reserved v4	active-directory.dhcp.server.scope.addresses.reserved	Number of DHCPv4 scope addresses reserved	Count
Percent of DHCP Scope Addresses Used v4	active-directory.dhcp.server.scope.addresses.used.pct	Percent of DHCPv4 scope addresses used	Percent
DHCP Scope Pending Offers v4	active-directory.dhcp.server.scope.pending.offers	Number of DHCPv4 scope pending offers	Count

Metric name	Metric key	Description	Unit
Good Network Adapter Count	active-directory.network.goodadapter.total	The number of enabled network adapters that can ping the Domain DNS Server.	Count
Bad Network Adapter Count	active-directory.network.badadapter.total	The number of enabled network adapters that cannot ping the Domain DNS Server.	Count
Total Network Adapter Count	active-directory.network.adapter.total	The total number of enabled network adapters.	Count

Metric name	Metric key	Description	Unit
Disk Free Space	active-directory.database.diskfree.total	Free disk space of the disk containing the database file.	Byte
Total Disk Space	active-directory.database.disk.total	Total disk space of the disk containing the AD database file.	Byte
Disk Free Space Percentage	active-directory.database.diskfree	Percent of free disk space of the disk containing the database file.	Percent

Metric name	Metric key	Description	Unit
ATQ Average Thread Usage	active-directory.atq.server.average.thread.usage	Average usage of threads in Domain Controller ATQ	Percent

Metric name	Metric key	Description	Unit
Shared Resource Available	active-directory.replication.shared.available	Percentage of replication shared resources that are available	Percent
Replication - Destination Delta	active-directory.replication.destination.delta	Replication time delta between this server and the destination server.	Second
Replication - Source Delta	active-directory.replication.source.delta	Replication time delta between this server and the source server.	Second
Replication Errors	active-directory.replication.errors	-	Count
Replication Attempts	active-directory.replication.total	-	Count

Metric name	Metric key	Description	Unit
LDAP Bind Time	active-directory.ldap.server.bindtime.millis	Time taken to bind to the fsmo role holder using LDAP	MilliSecond
LDAP Bind Availability	active-directory.ldap.bind.availability	Whether or not the domain controller can bind to the domain DNS server	Count

Metric name	Metric key	Description	Unit
Kerberos Replication Partner Count	active-directory.replication.partner.count	Kerberos replication partners count in Active Directory domain	Count
Replication Queue Count	active-directory.replication.queue.count	Count of items in replication queue by Active Directory Domain Controller monitor	Count
Global Catalog Search Response Time	active-directory.globalcatalog.searchtime.millis	Global catalog search response time of Domain Controller	MilliSecond
Replication Consistency Status	active-directory.replication.consistency.status	Whether or not strict replication consistency is enabled	Count
Time Skew in seconds	active-directory.timeskew.secs	Time difference between the local domain controller and a target domain controller	Second
Lost and Found Objects	active-directory.lostandfound.object.count.total	Count of lost and found objects by Active Directory Domain monitor	Count
FSMO Role Holder Consistency	active-directory.fsmoroleholder.consistency	Whether or not the domain controllers agree on who the FSMO role holders are	Count
FSMO Check	active-directory.fsmo.check	Contains a 'message' dimension about whether or not the correct services can be found from the domain controller	Count
SYSVOL Health	active-directory.sysvol.health	The SYSVOL share's health	Count

Metric name	Metric key	Description	Unit
DHCP Scope Addresses Free v6	active-directory.dhcp.server.v6.scope.addresses.free	Number of DHCPv6 scope addresses free	Count
DHCP Scope Addresses Used v6	active-directory.dhcp.server.v6.scope.addresses.used	Number of DHCPv6 scope addresses used	Count
DHCP Scope Addresses Reserved v6	active-directory.dhcp.server.v6.scope.addresses.reserved	Number of DHCPv6 scope addresses reserved	Count
Percent of DHCP Scope Addresses Used v6	active-directory.dhcp.server.v6.scope.addresses.used.pct	Percent of DHCPv6 scope addresses used	Percent
DHCP Scope Pending Advertises v6	active-directory.dhcp.server.v6.scope.pending.advertises	Number of DHCPv6 scope pending advertises	Count

Customer story Village Roadshow

“One of the biggest impacts of partnering with Dynatrace is the amount of time given back to our teams. There are no more sleepless nights on the weekends.”

Michael Fagan

Chief Transformation Officer

Related to Active Directory extended monitoring

Active Directory services

Monitor the health and performance of Microsoft Active Directory services.

Full version history

To have more information on how to install the downloaded package, please follow the instructions on this page.

ReleaseDate

Full version history

Fixed issue with replication metrics.
Fixed issue reading local configuration file.

Full version history

Patch level changes:

Fix error where query method was trying to prematurely access the results cache

Full version history

Note: breaking change. While upgrading to this release, you have to recreate your monitoring configurations.

New features:

Separate feature set replication-summary which controls metrics retrieved through repadmin/replsummary.
- This lets you control and disable these specific metrics if you notice that running their retrievals takes too much time - this situation will likely manifest itself by gaps in metrics timeseries.
- Less frequent data collection might be especially beneficial on highly loaded AD servers.
Choose frequency at which metrics are collected on AD servers.
- Default is 1 minute.
- Change it to less frequent collection, e.g. 5 minutes, if you see that extension execution time exceeds 1 minute - this situation will likely manifest itself by gaps in metrics timeseries.
- Less frequent data collection might be especially beneficial on highly loaded AD servers.

Full version history

Patch level changes

Fixed Lost&Found object counter - report number every minute instead of monotonically growing counter
Added missing ADCS log ingest activation toggle in settings
Updated Q&A with information on OS services monitoring and comprehensive list of imported log events

Full version history

Fixed an issue with the is_read_only dimension having the wrong value
Replaced the Powershell script with a command so users that enforce Powershell script signing can get replication summary metrics

Full version history

Patch level changes:

Fix issue with indexing the domain name returned by one of the WMI queries, which resulted in empty domain name reported

Full version history

Enhancements:

Added monitoring config option for query interval
Added Credential Vault support

Patch level changes:

Fixed bug with services cleanup on shutdown

Full version history

Patch level changes:

Added the source entity type for all metrics
Fixed bug with GC query in FSMO Check
Fix to improve execution time of complex metrics
TrustMonitor metric is based on log events now, as it might have many unique dimensions
Added hub tile information on log ingest rules set up by this extension

Full version history

Now the extension supports running it on the AD non-server nodes, e.g. a separate DHCP server.

Full version history

Fixed irregularities when accessing specific Registry keys required to obtain ReplicationConsistencyMetrics and DatabaseFileDiskSpaceMetrics.

Full version history

Enhance Active Directory services monitoring with advanced metrics.

All

0 Results filtered by:

Reach out to certified Dynatrace partners to solve your unique use-case

Moviri

Certified individuals: 14

Advanced Sales Partner

Alanata

Certified individuals: 30Endorsements: Services Endorsed Partner

Premier Sales Partner

Spica Solutions

Certified individuals: 30Endorsements: Services Endorsed Partner

Authorized Sales Partner

Matrix

Certified individuals: 14

Premier Sales Partner

Omnilogy

Certified individuals: 38Endorsements: Services Endorsed Partner

Premier Sales Partner

AHEAD

Certified individuals: 8

Premier Sales Partner

Arctiq

Certified individuals: 19

Authorized Sales Partner

Eviden

Certified individuals: 79Endorsements: Services Endorsed Partner

Premier Sales Partner

Phenisys

Certified individuals: 32Endorsements: Services Endorsed Partner

Premier Sales Partner

Accenture

Certified individuals: 156

Premier Sales Partner

AsiaPac Technology Pte Ltd

Certified individuals: 3

Advanced Sales Partner

AskMe Solutions & Consultants Co Ltd

Certified individuals: 30Endorsements: Services Endorsed Partner

Authorized Sales Partner

Asper Technologia

Certified individuals: 20

Advanced Sales Partner

Avocado

Certified individuals: 9

Authorized Sales Partner

avodaq AG

Certified individuals: 31Endorsements: Services Endorsed Partner

Advanced Sales Partner

Carahsoft

Certified individuals: 21

Authorized Sales Partner

Deutsche Telekom MMS gmbh

Certified individuals: 18Endorsements: Services Endorsed Partner

Premier Sales Partner

DPM

Certified individuals: 30Endorsements: Services Endorsed Partner, SaaS Upgrade specialization

Premier Sales Partner

DXC

Certified individuals: 341

Premier Sales Partner

Evolane

Certified individuals: 29

Authorized Sales Partner

Galaxy Software Services Corporation (GSS)

Certified individuals: 9

Advanced Sales Partner

ISATEC

Certified individuals: 20Endorsements: Services Endorsed Partner

Premier Sales Partner

Konsalt

Certified individuals: 13

Authorized Sales Partner

Kyndryl

Certified individuals: 202

Premier Sales Partner

PRAGMA INFORMATICA SA

Certified individuals: 10

Authorized Sales Partner

PT. Mitra Integrasi Informatika

Certified individuals: 24

Premier Sales Partner

Scala

Certified individuals: 7

Advanced Sales Partner

Spindox

Certified individuals: 11

Authorized Sales Partner

TestCrew

Certified individuals: 30

Authorized Sales Partner

TI724

Certified individuals: 11

Authorized Sales Partner

Tsoft

Certified individuals: 31

Authorized Sales Partner

VS Data

Certified individuals: 12

Authorized Sales Partner

Your Compass

Certified individuals: 68Endorsements: Services Endorsed Partner, CloudOps specialization

Premier Sales Partner