Monitor Active Directory with Azure AD Connect Health
Fitness Routine
The monitoring focus of Azure Active Directory Connect Health [1] is the Azure AD Connect servers that synchronize data from Active Directory (AD) with Microsoft Azure. Information and performance data from local domain controllers (DCs) also are monitored and displayed in the web interface. In addition to modern operating systems such as Windows Server 2016 and 2012 (R2), you can connect Server 2008 R2 Active Directory Federation Services (AD FS) servers and DCs. The service does not target companies that do not use Microsoft Azure and Azure AD, however.
Where organizations synchronize usernames and passwords between different forests and the Azure AD, the tool provides detailed insights into whether the data is replicated properly. This kind of tool is necessary to provide synchronization support, especially when using multiple DCs, sites, and domains, because it keeps an eye on server data and performance information and notifies you in case of problems. Because monitoring takes place in the cloud, enterprises do not need their own server infrastructure for the service. Instead, the data is transferred via an agent that is installed on the servers. Last but not least, the service improves security visibility, because unsuccessful and failed login attempts against Azure AD and AD FS can be logged.
Monitoring Local and Azure AD
Hybrid deployments with Exchange and Office 365, SharePoint, and SharePoint Online in Office 365 also can be monitored. Wherever authentication against Azure AD is intended and an exchange of usernames and passwords with a local AD occurs, you need to create an option for verifying the exchange of the authentication data, in particular for local changes to passwords that need to be synchronized in the cloud. Even if only small volumes of data are being synchronized, problems in this area would mean that users could not access critical cloud services and thus would have to turn to support and the IT department for help.
In detail, you can use Azure AD Connect Health to monitor errors in your DC connections to the cloud, the replication of data between local DCs, problems with synchronization between Azure AD and a conventional AD, and the performance of DCs with regard to authentication and replication. You can also keep an eye on AD FS, which, with Azure AD Connect Health, plays an important role in combination with cloud services.
In principle, the more servers you connect, the more interesting Azure AD Connect Health becomes, because you receive a full complement of relevant information for monitoring your environment through its web portal. The service detects errors not only in the synchronization between your local network and the cloud, but also between the DCs (Figure 1). Azure AD Connect Health also can send email notifications as soon as problems arise. This keeps you up-to-date, even if you don't happen to be sitting in front of the monitoring tool.
After setting up Azure AD Connect Health, you can enable notifications via the Azure Portal in the cloud. If the local mail or Exchange server fails, the cloud portal can still deliver the email, thanks to Azure. You can specify the internal email addresses of your administrators or external addresses. Thanks to the option that all Azure administrators receive email by default, you will never forget to enable email notifications when creating new admin accounts.
Premium Subscription
To use this service, you need an Azure AD premium subscription [2]. If you want to see how the cloud service works first, you can get a trial version. The agent for Azure AD Connect Health [3] is installed on the servers in the infrastructure that you want to monitor. This process is quick and does not require complex configuration work. The agent collects the required data and sends it to the cloud. The connection is initially set up via the domain controllers on the network, which must be connected to the Internet. Because Microsoft Azure is the basis for the service, the server should already have Internet connectivity.
If you also want to monitor AD FS with Azure AD Connect Health, you need to connect your AD FS infrastructure with the agent [4]. To do so, install the agent on the AD FS servers as well as on the AD FS proxy and web application proxy servers; only then can you read all the AD FS data. Again, the setup is through the Azure AD Connect Health web portal. If you use AD FS and connect it to Azure AD Premium, Azure AD Connect Health offers further useful features. For example, you can read performance data and perform trend analysis and capacity planning.
Enabling Internet Communication
Because monitoring sends some data to the cloud, you need to pay attention when configuring security and communications. The following endpoints must be allowed on your enterprise firewalls, as well as in the Microsoft Azure firewall settings:
- https://management.azure.com
- *.blob.core.windows.net
- *.queue.core.windows.net
- *.servicebus.windows.net – port 5671
- https://*.adhybridhealth.azure.com/
- https://*.table.core.windows.net/
- https://policykeyservice.dc.ad.msft.net/
- https://login.windows.net
- https://login.microsoftonline.com
- https://secure.aadcdn.microsoftonline-p.com
Additionally, you need to enable the following ports in the firewalls on the servers:
- TCP/UDP 80
- TCP/UDP 443
- TCP/UDP 5671
Communication occurs between Microsoft Azure and the servers on the network on which the AD Connect Health Agent is installed. To allow this, the connections must already be working when you set up the agent. Because the configuration relies on Internet servers, and Internet Explorer Enhanced Security Configuration is enabled on the server, you need to add the following URLs to the allowed sites to be able to call the respective administration pages:
- https://login.microsoftonline.com
- https://secure.aadcdn.microsoftonline-p.com
- https://login.windows.net
- The federation server for your organization that Azure AD trusts (e.g., https://sts.contoso.com ).
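Before installing the agent, you would want to confirm from the candidate server that the endpoints in the two lists above are actually reachable, because the registration fails if they are not. The following PowerShell script is an added example and is not part of this article or of Microsoft's agent. It probes the concrete hosts named above with Test-NetConnection, takes tenant-specific hosts for the wildcard entries (such as a Service Bus namespace) as a parameter you must supply yourself, and reports whether Internet Explorer Enhanced Security Configuration is turned on for administrators. The registry key it reads for that is the well-known IE ESC component key; its use here is an assumption of this example.

```powershell
# Pre-flight connectivity check for an Azure AD Connect Health agent server.
# Added example, not from the article or from Microsoft. Run on the server
# that will host the agent, in an elevated PowerShell session.
param(
    # Hosts that stand in for the wildcard entries in the article's list,
    # e.g. '<yournamespace>.servicebus.windows.net' (placeholder, not a real value).
    [string[]]$WildcardHosts = @()
)

# Concrete hosts taken from the article's two allow-lists. Test-NetConnection
# probes TCP only, so the UDP variants the article lists are not covered here.
$Endpoints = @(
    @{ Host = 'management.azure.com';                Ports = @(443) }
    @{ Host = 'policykeyservice.dc.ad.msft.net';     Ports = @(443) }
    @{ Host = 'login.windows.net';                   Ports = @(443) }
    @{ Host = 'login.microsoftonline.com';           Ports = @(443) }
    @{ Host = 'secure.aadcdn.microsoftonline-p.com'; Ports = @(443) }
)

foreach ($h in $WildcardHosts) {
    # The article names port 5671 only for *.servicebus.windows.net;
    # the remaining wildcard hosts (blob, queue, table, adhybridhealth) use 443.
    $ports = if ($h -like '*.servicebus.windows.net') { @(5671) } else { @(443) }
    $Endpoints += @{ Host = $h; Ports = $ports }
}

$results = foreach ($e in $Endpoints) {
    foreach ($port in $e.Ports) {
        $tnc = Test-NetConnection -ComputerName $e.Host -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $e.Host
            Port     = $port
            Resolved = [bool]$tnc.RemoteAddress       # DNS worked
            TcpOpen  = $tnc.TcpTestSucceeded          # firewall/proxy let the connection through
        }
    }
}

$results | Format-Table -AutoSize

# IE Enhanced Security Configuration (administrators) blocks the sign-in pages
# unless the URLs from the article are added to the allowed sites.
$escKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$esc = Get-ItemProperty -Path $escKey -Name IsInstalled -ErrorAction SilentlyContinue
if ($esc -and $esc.IsInstalled -eq 1) {
    Write-Host 'IE Enhanced Security Configuration is ON for administrators: add the listed URLs to Trusted Sites before registering the agent.'
} else {
    Write-Host 'IE Enhanced Security Configuration is off (or not present) for administrators.'
}

$failed = @($results | Where-Object { -not $_.TcpOpen })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) not reachable; fix the firewall or proxy rules before installing the agent." -f $failed.Count)
    exit 1
}
Write-Host 'All probed endpoints reachable.'
```

Run it once with no arguments to check the fixed hosts, and again with `-WildcardHosts` once you know the storage account and Service Bus names your tenant uses; a host that resolves but shows `TcpOpen` as false almost always points at an egress firewall or proxy rule rather than at DNS.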