Monitor health and performance of the Microsoft Active Directory, all-in-one.
Get insights into performance and usage of the Microsoft Active Directory services:
This extension obtains signals through WMI queries and execution of PowerShell snippets, depending on the source of the specific metric. It is designed to work on the AD hosts where the OneAgent is already deployed.
⚠️ Note: important change. This extension replaces previously available Active Directory monitoring extensions. This Dynatrace extension supersedes both the Active Directory services and Active Directory extended monitoring extensions.
This extension is designed to run locally on your AD servers. It doesn't offer remote monitoring of your AD servers. Additionally, compared to typical extensions, which run as LOCAL SERVICE, this one requires privileges elevated to LOCAL SYSTEM in order to obtain AD metrics that can only be obtained through execution of the PowerShell scripts.
To start using this extension:
LOCAL SYSTEM account privileges. To achieve this, in the C:\ProgramData\dynatrace\oneagent\agent\config\extensionsuser.conf file on AD servers where the extension is intended to run, add a line
elevated_privileges_extensions=[com.dynatrace.extension.active-directory-python-unabridged:*]
LOCAL SYSTEM (instead of the default LOCAL SERVICE). The format is: <extensionName>:<extensionVersion>
entities.read and settings.write scopes
API key configuration field
This extension is intended to work locally on the AD server. It executes:
Additionally, it delivers:
Log ingest configured by this extension
By default, this extension sets up log ingestion rules on hosts where it is installed. AD services logs are used to generate events and further alert on service anomalies and malfunctions.
You can disable log ingestion with a settings toggle in the extension configuration screen. Note that this setting does not control any other log ingestion rules that might have been configured on hosts where this extension has been activated.
The following log ingestion rules are set up by this extension:
And the following events from each event provider.
Event Provider | Event IDs |
---|---|
Microsoft-Windows-ADFS | 102, 104, 111, 356, 385, 509, 546, 549, 1034, 1036 |
Microsoft-Windows-Directory-Services-SAM | 12299, 16643 |
Microsoft-Windows-Time-Service | 21, 34, 36 |
DNSAPI | 11150, 11162, 11151, 11155, 11163, 11167, 11154, 11166, 11152, 11153, 11164, 11165 |
Microsoft-Windows-Kerberos-Key-Distribution-Center | 6, 15, 17 |
Microsoft-Windows-Security-Auditing | 1102, 4616, 4621, 4649, 4660, 4675, 4707, 4710, 4712, 4715, 4716, 4730, 4740, 4743, 4764, 4766, 4771, 4866, 4867, 4935, 5025, 5030, 5034, 5035, 5037, 5139, 5141, 5483, 5484, 6008, 6145 |
Microsoft-Windows-CertificationAuthority | 0, 3, 5, 9, 16, 17, 19, 20, 21, 22, 23, 28, 33, 34, 35, 38, 39, 40, 42, 43, 44, 48, 49, 51, 59, 60, 63, 65, 74, 75, 78, 82, 83, 86, 87, 90, 92, 94, 95, 96, 98, 99, 100, 102, 106, 107, 130, 132 |
Microsoft-Windows-OnlineResponder | 39, 60, 92 |
A: The formula for DDU consumption of the extension is:
( (67 * Number of Domain Controllers)
+ (26 * Number of DNS Servers)
+ (11 * Number of DHCPv6 Servers)
+ (15 * Number of DHCPv4 Servers)
) * 525.6 DDUs/year
The DDU cost above does not include log lines ingested, or any possible Log events or Custom events triggered by the extension. For more information on this, please visit the DDU log event cost and DDU custom event cost pages.
A: Verify whether you have specific services running on your AD server. If a service is not running, disable the feature set describing that service in the extension configuration. Example error text you may encounter:
**Cannot execute query: DHCPServerv6 on device ******** err:Exception occurred. (Invalid class )**
means you should disable the DHCPv6 feature set because your AD server does not run the DHCPv6 service, so the extension won't be able to obtain metrics for this service.
A: Windows Server 2022 brought a change to the metrics set returned by the Win32_PerfRawData_Lsa_SecuritySystemWideStatistics class. Because of this change, the AD extension is unable to report on the "NTLM Authentications" and "Kerberos Authentications" metrics, and these metrics have been removed from the extension. Consequently, these metrics are also not reported when this extension is activated on earlier Windows servers. More information on this change and the reasons behind it can be found on Microsoft KB pages.
A: Equivalents of the DCDIAG KPIs are available in Dynatrace:
repadmin outputs, in this extension
A: Although OneAgent typically runs as the LocalSystem account, Python extensions run as LocalService. The LocalService account has the minimum privileges on the local computer, which means it can't run PowerShell snippets that read AD performance counters, access WMI objects that store AD metrics, or run AD-specific commands like repadmin and dcdiag. Therefore, OneAgent needs to be explicitly instructed to run this extension with LocalSystem privileges.
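Because the elevated_privileges_extensions line from the setup steps grants LOCAL SYSTEM on a domain controller, it is worth auditing what that line actually allows. The following is an added example, not code from the extension or from Dynatrace: a Python check that parses extensionsuser.conf text and reports wildcard grants and extensions outside an expected list. It assumes entries inside the brackets are comma-separated and that `*` matches any version; `unrelated_setting`, `com.example.hypothetical-extension` and the sample file content are constructed.

```python
from typing import List, NamedTuple, Set

# Key and extension name exactly as shown on this page.
KEY = "elevated_privileges_extensions"
EXPECTED: Set[str] = {"com.dynatrace.extension.active-directory-python-unabridged"}

# Constructed sample content (not taken from a real host).
SAMPLE_CONF = (
    "unrelated_setting=1\n"
    "elevated_privileges_extensions=["
    "com.dynatrace.extension.active-directory-python-unabridged:*,"
    "com.example.hypothetical-extension:1.2.3]\n"
)


class Grant(NamedTuple):
    line_no: int
    name: str
    version: str


class Finding(NamedTuple):
    line_no: int
    rule: str
    entry: str


def parse_grants(conf_text: str) -> List[Grant]:
    """Return every <extensionName>:<extensionVersion> entry that is elevated."""
    grants: List[Grant] = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        key, sep, value = raw.partition("=")
        if not sep or key.strip() != KEY:
            continue  # other settings are out of scope for this audit
        value = value.strip()
        if not (value.startswith("[") and value.endswith("]")):
            raise ValueError(f"line {line_no}: expected a [...] list, got {value!r}")
        # Assumption: multiple entries are separated by commas.
        for item in value[1:-1].split(","):
            item = item.strip()
            if not item:
                continue
            # Split on the last colon so a name containing ':' stays intact.
            name, colon, version = item.rpartition(":")
            if not colon or not name or not version:
                raise ValueError(
                    f"line {line_no}: {item!r} is not <extensionName>:<extensionVersion>"
                )
            grants.append(Grant(line_no, name, version))
    return grants


def audit(conf_text: str, expected: Set[str] = EXPECTED) -> List[Finding]:
    """Flag grants that are broader than a single, known extension version."""
    findings: List[Finding] = []
    for g in parse_grants(conf_text):
        entry = f"{g.name}:{g.version}"
        # Assumption: '*' matches any version (or name), so future or replaced
        # packages under that name would also run as LOCAL SYSTEM.
        if "*" in g.name or "*" in g.version:
            findings.append(Finding(g.line_no, "wildcard-grant", entry))
        if g.name not in expected:
            findings.append(Finding(g.line_no, "unexpected-extension", entry))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.rule}: {f.entry}")
```

The line recommended in the setup steps is itself reported as `wildcard-grant`; treat that finding as a prompt to decide whether pinning a version fits your upgrade process.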
A: The API token is required to enable integration of the AD-related log ingestion and the OS service monitoring with out-of-the-box host-level reporting. No metrics are ingested using the API token. The API token is used to allow the services to be seen on the Dynatrace Host UA screen and the logs on the AD Instance UA screen.
A: The extension utilizes the API token to add entries into the OneAgent's OS Service Monitoring. The OneAgent will ingest availability metrics and alerts so you know when a critical service is down. In some cases log events can refer to the OS Service which emitted the event.
Below is a complete list of the feature sets provided in this version. To ensure a good fit for your needs, individual feature sets can be activated and deactivated by your administrator during configuration.
Metric name | Metric key | Description | Unit |
---|---|---|---|
NTLM Binds per second | active-directory.lsass.server.ntlm.binds.persec.count | Average NTLM binds per second | PerSecond |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Used processor time | active-directory.server.host.cpu.time.processor | Percent of used processor time | Percent |
Idle processor time | active-directory.server.host.cpu.time.idle | Percent of idle processor time | Percent |
User processor time | active-directory.server.host.cpu.time.user | Percent of user processor time | Percent |
Number of Logical Processors | active-directory.server.host.cpu.logical.processors | Number of Logical Processors | Count |
Service processor time | active-directory.service.cpu.time | Percent of processor time spent on a service | Percent |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Kerberos Replication Partner Count | active-directory.replication.partner.count | Kerberos replication partners count in Active Directory domain | Count |
Replication Queue Count | active-directory.replication.queue.count | Count of items in replication queue by Active Directory Domain Controller monitor | Count |
Global Catalog Search Response Time | active-directory.globalcatalog.searchtime.millis | Global catalog search response time of Domain Controller | MilliSecond |
Replication Consistency Status | active-directory.replication.consistency.status | Whether or not strict replication consistency is enabled | Count |
Time Skew in seconds | active-directory.timeskew.secs | Time difference between the local domain controller and a target domain controller | Second |
Lost and Found Objects | active-directory.lostandfound.object.count.total | Count of lost and found objects by Active Directory Domain monitor | Count |
FSMO Role Holder Consistency | active-directory.fsmoroleholder.consistency | Whether or not the domain controllers agree on who the FSMO role holders are | Count |
FSMO Check | active-directory.fsmo.check | Contains a 'message' dimension about whether or not the correct services can be found from the domain controller | Count |
SYSVOL Health | active-directory.sysvol.health | The SYSVOL share's health | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Shared Resource Available | active-directory.replication.shared.available | Percentage of replication shared resources that are available | Percent |
Replication - Destination Delta | active-directory.replication.destination.delta | Replication time delta between this server and the destination server. | Second |
Replication - Source Delta | active-directory.replication.source.delta | Replication time delta between this server and the source server. | Second |
Replication - Destination Errors | active-directory.replication.destination.errors | Replication errors between this server and the destination server. | Count |
Replication - Source Errors | active-directory.replication.source.errors | Replication errors between this server and the source server. | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
LDAP Binds | active-directory.ldap.server.ldapbindtime.binds.persec | Time spent to complete LDAP bindings | MilliSecond |
LDAP Successful Binds | active-directory.ldap.server.ldapsuccessfulbinds.persec | Successful binds per second | PerSecond |
LDAP Writes per second | active-directory.ldap.server.ldapwrites.persec | The rate at which LDAP clients perform write operations | PerSecond |
LDAP UDP Operations per second | active-directory.ldap.server.ldapudpoperations.persec | The number of User Datagram Protocol (UDP) operations that the LDAP server is processing per second | PerSecond |
LDAP Active threads total | active-directory.ldap.server.ldapactivethreads.total | The current number of threads in use by the LDAP subsystem of the local directory service | Count |
LDAP Client Sessions | active-directory.ldap.server.ldapclientsessions.total | The number of sessions of connected LDAP clients | Count |
LDAP Searches per second | active-directory.ldap.server.ldapsearches.persec | The number of search operations per second performed by LDAP clients | PerSecond |
LDAP Bind Time | active-directory.ldap.server.bindtime.millis | Time taken to bind to the fsmo role holder using LDAP | MilliSecond |
LDAP Bind Availability | active-directory.ldap.bind.availability | Whether or not the domain controller can bind to the domain DNS server | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Good Network Adapter Count | active-directory.network.goodadapter.total | The number of enabled network adapters that can ping the Domain DNS Server. | Count |
Bad Network Adapter Count | active-directory.network.badadapter.total | The number of enabled network adapters that cannot ping the Domain DNS Server. | Count |
Total Network Adapter Count | active-directory.network.adapter.total | The total number of enabled network adapters. | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DHCP Scope Delay v4 | active-directory.dhcp.server.scope.delay | DHCP Scope Delay v4 in milliseconds | MilliSecond |
DHCP Scope Addresses Free v4 | active-directory.dhcp.server.scope.addresses.free | Number of DHCPv4 scope addresses free | Count |
DHCP Scope Addresses Used v4 | active-directory.dhcp.server.scope.addresses.used | Number of DHCPv4 scope addresses used | Count |
DHCP Scope Addresses Reserved v4 | active-directory.dhcp.server.scope.addresses.reserved | Number of DHCPv4 scope addresses reserved | Count |
Percent of DHCP Scope Addresses Used v4 | active-directory.dhcp.server.scope.addresses.used.pct | Percent of DHCPv4 scope addresses used | Percent |
DHCP Scope Pending Offers v4 | active-directory.dhcp.server.scope.pending.offers | Number of DHCPv4 scope pending offers | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DHCP received renews/s v6 | active-directory.dhcp.server.v6.renews.persec | Rate of DHCP renews received by the DHCP Server v6 | PerSecond |
DHCP received releases/s v6 | active-directory.dhcp.server.v6.releases.persec | Rate of DHCP releases received by the DHCP Server v6 | PerSecond |
DHCP received declines/s v6 | active-directory.dhcp.server.v6.declines.persec | Rate of DHCP declines received by the DHCP Server v6 | PerSecond |
DHCP received requests/s v6 | active-directory.dhcp.server.v6.requests.persec | Rate of DHCP requests received by the DHCP Server v6 | PerSecond |
DHCP received solicits/s v6 | active-directory.dhcp.server.v6.solicits.persec | Rate of DHCP solicits received by the DHCP Server v6 | PerSecond |
DHCP received rebinds/s v6 | active-directory.dhcp.server.v6.rebinds.persec | Rate of DHCP rebinds received by the DHCP Server v6 | PerSecond |
Metric name | Metric key | Description | Unit |
---|---|---|---|
ESENT Database I/O reads rate (Local Security Authority) | active-directory.lsass.esent.database.io.reads.persec.count | Number of ESENT Database I/O reads per second for the Local Security Authority | PerSecond |
ESENT Database I/O read latency (Local Security Authority) | active-directory.lsass.esent.database.io.reads.latency.avg.count | ESENT Database I/O read latency for the Local Security Authority | MilliSecond |
ESENT Database I/O writes rate (Local Security Authority) | active-directory.lsass.esent.database.io.writes.persec.count | Number of ESENT Database I/O writes per second for the Local Security Authority | PerSecond |
ESENT Database I/O write latency (Local Security Authority) | active-directory.lsass.esent.database.io.writes.latency.avg.count | ESENT Database I/O write latency for the Local Security Authority | MilliSecond |
ESENT Log I/O reads rate (Local Security Authority) | active-directory.lsass.esent.log.io.reads.persec.count | Number of ESENT Database log I/O reads per second for the Local Security Authority | PerSecond |
ESENT Log I/O read latency (Local Security Authority) | active-directory.lsass.esent.log.io.reads.latency.avg.count | ESENT Log I/O read latency for the Local Security Authority | MilliSecond |
ESENT Log I/O writes rate (Local Security Authority) | active-directory.lsass.esent.log.io.writes.persec.count | Number of ESENT Database log I/O writes per second for the Local Security Authority | PerSecond |
ESENT Log I/O writes latency (Local Security Authority) | active-directory.lsass.esent.log.io.writes.latency.avg.count | ESENT Log I/O writes latency for the Local Security Authority | MilliSecond |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DHCP received requests/s | active-directory.dhcp.server.requests.persec | Rate of DHCP requests received by the DHCP server | PerSecond |
DHCP received releases/s | active-directory.dhcp.server.releases.persec | Rate of DHCP releases received by the DHCP server | PerSecond |
DHCP received declines/s | active-directory.dhcp.server.declines.persec | Rate of DHCP declines received by the DHCP server | PerSecond |
DHCP failover ack messages received/s | active-directory.dhcp.server.failover.bndack.received.persec | Number of DHCP failover Binding Ack messages received | PerSecond |
DHCP failover ack messages sent/s | active-directory.dhcp.server.failover.bndack.sent.persec | Number of DHCP failover Binding Ack messages sent | PerSecond |
DHCP binding updates dropped | active-directory.dhcp.server.failover.bndupd.dropped | Number of binding updates dropped | Count |
DHCP failover update pending messages | active-directory.dhcp.server.failover.bndupd.pendinginoutbound.queue | Number of pending outbound DHCP failover Binding Update messages | Count |
DHCP failover update messages received/s | active-directory.dhcp.server.failover.bndupd.received.persec | Number of DHCP failover Binding Update messages received | PerSecond |
DHCP failover update messages sent/s | active-directory.dhcp.server.failover.bndupd.sent.persec | Number of DHCP failover Binding Update messages sent | PerSecond |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DFS Replication conflict files size | active-directory.dfs.server.replicatedfolders.conflictspaceinuse.bytes.total | Total byte size of DFS replication service of conflict files | Byte |
DFS Replication deleted files size | active-directory.dfs.server.replicatedfolders.deletedspaceinuse.bytes.total | Total byte size of DFS replication service of the deleted files | Byte |
DFS Replication staging folder size | active-directory.dfs.server.replicatedfolders.stagingspaceinuse.bytes.total | Total byte size of DFS replication service of staging folder | Byte |
DFS redundant file replication update records | active-directory.dfs.server.replicatedfolders.updates.dropped | Number of redundant file replication update records | Count |
DFS retried file installs | active-directory.dfs.server.replicatedfolders.fileinstalls.retried | Number of retried file installs | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DNS dynamic update queued requests | active-directory.dns.server.dynamicupdate.queued.total.count | Total number of dynamic update requests queued by the DNS server | Count |
DNS caching memory | active-directory.dns.server.caching.memory.total | Total caching memory used by DNS server | Byte |
DNS database node memory | active-directory.dns.server.databasenode.memory.total | Total database node memory used by DNS server | Byte |
DNS Nbstat memory | active-directory.dns.server.nbstat.memory.total | Total Nbstat memory used by DNS server | Byte |
DNS TCP message memory | active-directory.dns.server.tcpmessage.memory.total | Total TCP message memory used by DNS server | Byte |
DNS dynamic update requests | active-directory.dns.server.dynamicupdate.received.total.count | Total number of dynamic update requests received by the DNS server | Count |
DNS rejected dynamic updates | active-directory.dns.server.dynamicupdate.rejected.total.count | Total number of dynamic updates rejected by the DNS server | Count |
DNS dynamic update timeouts | active-directory.dns.server.dynamicupdate.timeouts.total.count | Total number of dynamic update timeouts of the DNS server | Count |
DNS written dynamic updates | active-directory.dns.server.dynamicupdate.writtentodatabase.total.count | Total number of dynamic updates written to the database by the DNS server | Count |
DNS empty dynamic update requests/s | active-directory.dns.server.dynamicupdate.nooperation.persec | Average number of No-operation/Empty dynamic update requests per second | PerSecond |
DNS dynamic update requests/s | active-directory.dns.server.dynamicupdate.received.persec | Average number of dynamic update requests received by the DNS server per second | PerSecond |
DNS written dynamic updates/s | active-directory.dns.server.dynamicupdate.writtentodatabase.persec | Average number of dynamic updates written to the database by the DNS server per second | PerSecond |
DNS recursive queries/s | active-directory.dns.server.recursive.queries.persec | Average number of recursive queries received by DNS server per second | PerSecond |
DNS recursive query failures/s | active-directory.dns.server.recursive.queryfailure.persec | Average number of recursive query failures per second | PerSecond |
DNS recursive query timeouts/s | active-directory.dns.server.recursive.timeout.persec | Average number of recursive query sending timeouts per second | PerSecond |
DNS secure update requests | active-directory.dns.server.secureupdate.received.total | Total number of secure update requests received by the DNS server | Count |
DNS failed secure updates | active-directory.dns.server.secureupdate.failure.total | Total number of secure updates failed of the DNS server | Count |
DNS secure update requests/s | active-directory.dns.server.secureupdate.received.persec | Average number of secure update requests received by the DNS server per second | PerSecond |
DNS TCP responses/s | active-directory.dns.server.tcpresponse.sent.persec | Average number of TCP responses sent by DNS server per second | PerSecond |
DNS queries received/s | active-directory.dns.server.totalquery.received.persec | Average number of queries received by DNS server per second | PerSecond |
DNS responses sent/s | active-directory.dns.server.totalresponse.sent.persec | Average number of responses sent by DNS server per second | PerSecond |
DNS UDP queries received/s | active-directory.dns.server.udpquery.received.persec | Average number of UDP queries received by DNS server per second | PerSecond |
DNS UDP responses sent/s | active-directory.dns.server.udpresponse.sent.persec | Average number of UDP responses sent by DNS server per second | PerSecond |
- | active-directory.dns.server.unmatchedresponses.received.count | - | - |
DNS failed zone transfers | active-directory.dns.server.zonetransfer.failure.total | Total number of failed zone transfers of the master DNS server | Count |
DNS successful zone transfers | active-directory.dns.server.zonetransfer.success.total | Total number of successful zone transfers of the master DNS server | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
ATQ Outstanding queued requests total | active-directory.atq.server.atqoutstandingqueuedrequests.total | Current number of requests in the queue | Count |
ATQ Estimated queue delay | active-directory.atq.server.atqestimatedqueuedelay.persec | How long a request has to wait in the queue | Second |
ATQ Request latency | active-directory.atq.server.atqrequestlatency.persec | Time it takes to produce a request | Second |
ATQ Threads LDAP total | active-directory.atq.server.atqthreadsldap.total | The number of threads used by the LDAP server as determined by LDAP policy | Count |
ATQ Threads Other total | active-directory.atq.server.atqthreadsother.total | The number of threads used by the other services | Count |
ATQ Threads total | active-directory.atq.server.atqthreadstotal.total | All Threads currently allocated | Count |
ATQ Average Thread Usage | active-directory.atq.server.average.thread.usage | Average usage of threads in Domain Controller ATQ | Percent |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Database adds per second | active-directory.database.adds.persec.count | Number of Active Directory Database adds per second | PerSecond |
Database modifies per second | active-directory.database.modifies.persec.count | Number of Active Directory Database modifies per second | PerSecond |
Database deletes per second | active-directory.database.deletes.persec.count | Number of Active Directory Database deletes per second | PerSecond |
Database recycles per second | active-directory.database.recycles.persec.count | Number of Active Directory Database recycles per second | PerSecond |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DFS received bytes/s | active-directory.dfs.server.replicationconnections.bytesreceived.persec | Average number of received bytes per second | BytePerSecond |
DFS bytes received on connection | active-directory.dfs.server.replicationconnections.bytesreceived.total | Total number of bytes received on the connection | Byte |
DFS files received on connection | active-directory.dfs.server.replicationconnections.filesreceived.total | Number of files that were received on the connection | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Network Login Profile logons | active-directory.network.login.logons.count | Number of network logons on the network login profile | Count |
Number of logons | active-directory.network.logons.total.count | Number of network logons | Count |
Logons per second | active-directory.network.logons.persec.count | Number of network logons per second | PerSecond |
Metric name | Metric key | Description | Unit |
---|---|---|---|
Disk Free Space | active-directory.database.diskfree.total | Free disk space of the disk containing the database file. | Byte |
Total Disk Space | active-directory.database.disk.total | Total disk space of the disk containing the AD database file. | Byte |
Disk Free Space Percentage | active-directory.database.diskfree | Percent of free disk space of the disk containing the database file. | Percent |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DRA Successful synch requests total | active-directory.dra.server.drasynchrequestssuccessful.total | Number of successful DRA synchronization requests | Count |
DRA Synch requests total | active-directory.dra.server.drasynchrequestsmade.total | Number of total DRA synchronization requests made | Count |
Metric name | Metric key | Description | Unit |
---|---|---|---|
DHCP Scope Addresses Free v6 | active-directory.dhcp.server.v6.scope.addresses.free | Number of DHCPv6 scope addresses free | Count |
DHCP Scope Addresses Used v6 | active-directory.dhcp.server.v6.scope.addresses.used | Number of DHCPv6 scope addresses used | Count |
DHCP Scope Addresses Reserved v6 | active-directory.dhcp.server.v6.scope.addresses.reserved | Number of DHCPv6 scope addresses reserved | Count |
Percent of DHCP Scope Addresses Used v6 | active-directory.dhcp.server.v6.scope.addresses.used.pct | Percent of DHCPv6 scope addresses used | Percent |
DHCP Scope Pending Advertises v6 | active-directory.dhcp.server.v6.scope.pending.advertises | Number of DHCPv6 scope pending advertises | Count |
⚠️IMPORTANT CHANGE: This extension release requires Dynatrace cluster version 1.310 or later.
New features:
It supersedes both Active Directory services and Active Directory extended monitoring extensions.
Note that this is a breaking change for those previously available extensions. Revisit any metric alerts and dashboards you've created using AD metrics provided by the previously used extensions. You may need to replace previously used metrics with the new ones, as some metrics might have their IDs changed.