Step-By-Step: Monitoring On-Premise Active Directory via Azure AD Connect Health

Many system administrator monitor their Active Directory infrastructure via tools such as SCOM, Event viewer, Performance monitor or even third party application monitors. When the requirement of the Active Directory infrastructure is to grow to meet certain demands, so to grows the cost and effort put forward to monitor the newly increased AD infrastructure. This becomes more complex in a hybrid infrastructure deployment. Enabling Azure AD integration  with on-premises AD provides a reliable and productive identity platform to adhere to said organizations needs.. It also however increases the importance of maintaining a healthy on-premises AD infrastructure and sync service in order to achieve this goal.

Azure AD Connect Health provides a monitoring tool to for on-premises AD infrastructure. It provides the ability to view alerts, performance, sync errors, configuration settings and more. The idea behind this is to build a central, cloud based approach to get more insight about the on-premises AD infrastructure.

The solution also provides support for AD FS 2.0 & 3.0 and can monitor the health of on-premise AD FS configuration.

Azure AD connect health for sync provides following services:

•    View and take action on alerts to ensure reliable synchronizations between your on-premises infrastructure and Azure Active Directory.
•    Email notifications for critical alerts
•    View performance data

Azure AD Connect Health for AD FS provides following services:

•    View and take action on alerts for reliable access to AD FS protected applications including Azure AD
•    Email notifications for critical alerts
•    View performance data to determine capacity planning
•    Detailed views of your AD FS login patterns to determine anomalies or establish baselines for capacity planning

Requirements

In order to use AD health connect service following requirements needs to fulfil:

  1. Azure AD premium subscription
     
  2. Azure AD connect health agent installed in target server (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/)
     
  3. If you monitoring AD FS, audit must be enabled (https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/\#installing-the-azure-ad-connect-health-agent-for-ad-fs)
     
  4. Outbound connectivity to following end points
     
    new: https://management.azure.com
    new: *.blob.core.windows.net
    new: *.queue.core.windows.net
    *.servicebus.windows.net – Port: 5671
    https://*.adhybridhealth.azure.com/
    https://*.table.core.windows.net/
    https://policykeyservice.dc.ad.msft.net/
    https://login.windows.net
    https://login.microsoftonline.com
    https://secure.aadcdn.microsoftonline-p.com
     
  5. Following firewall ports needs to be open in any server running agent
     
    TCP/UDP port 80
    TCP/UDP port 443
    TCP/UDP port 5671

The following are the steps to configure this service. This demo will be using an on-premises AD server which is built on windows server 2016 TP4.

  1. Log in to the Azure portal and search for Azure AD Connect Health
     
    aad1
     

  2. Select the service and in next window click on Create
     
    aad2
     

  3. It can see in portal dashboard once its created
     

    aad3
     

  4. Then click on the shortcut to go to the detail service page. In here click on Quick Start button to start the process
     

  5. In next window it give option to download the relevant agent.  For the demo Download Azure AD Connect (configures Azure AD Connect Health agent for sync) is required
     
    aad5
     

  6. Once it’s downloaded to the target computer, double click it. ( you need to have required permissions on the target computer to do the installation)
     
    aad6
     

  7. In the demo, the target server is do not have Azure AD connect configured. If you already had it, it is not necessary to do the agent install. Once installation is done, double click on the short cut for azure AD connect. Then in first window, accept the terms and click continue.
     
    aad7
     

  8. In next window, use express settings unless customization is required.
     
    aad8
     

  9. In next window, provide the Azure AD connect info 
     
    aad9
     

  10. Then type the AD admin credentials and click next
     
    aad10
     

  11. Then in next window, click install to start the installation and synchronization
     

  12. After the sync completes, log back in to the azure AD connect health and you can see the monitoring info.
     

    aad11 
     
    aad12