A high-level comparison of monitoring Active Directory with SCOM / OMS Log Analytics and Azure AD Connect Health

I wrote up this comparison to highlight the key capabilities of each and the differences between them. It's not intended as an exhaustive list, but as a way to start the conversation.

Note that all the info here is current as of July 2018. Things change all the time, so take that into consideration!

 

Active Directory Monitoring Comparison

Columns: System Center Operations Manager | Azure-based solutions (Azure AD Connect Health, Azure Monitor, OMS Log Analytics)

Active Directory Health State
  System Center Operations Manager:
  • Monitors based on Availability, Performance, Configuration, Security
    • AD Forest, Domain, Site, SiteLink, Connection object, Domain controller computer
  • Key Monitoring Scenarios include:
    • Multi-Forest Monitoring
    • Replication
    • Essential Services
    • Trust Monitoring
    • Directory Service Availability
    • Active Directory Database Monitoring
    • Time Skew Monitoring
    • Active Directory Web Service Monitoring
    • Domain Controller Performance
    • Domain Member Perspective
  
  Azure-based solutions:
  • Azure Resource Health (for IaaS VM): https://docs.microsoft.com/en-us/azure/service-health/resource-health-overview
  • OMS offers a wide variety of solutions and on-demand assessments, including AD Assessment and AD Replication Status, and other features beyond the scope of AD monitoring
    • AD Assessment (solution) will assess the risk and health of your server environments at a regular interval. This solution provides a prioritized list of recommendations specific to your deployed server infrastructure. The recommendations are categorized across four focus areas, which help you quickly understand the risk and take action.
    • AD Replication Status (solution) regularly monitors your Active Directory environment for any replication failures
    • On-Demand Assessment’s Services Hub portal, Executive Summary presentations, and optional PFE engineer delivery
    • https://aka.ms/assessment_setup_service
  • Azure AD Connect Health: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health
    • Monitoring alerts to detect when domain controllers are unhealthy and email notifications for critical alerts
    • The Domain Controllers dashboard, which provides a quick view of the health and operational status of your domain controllers
    • The Replication Status dashboard that has the latest replication information and links to troubleshooting guides when errors are detected
    • Quick anywhere access to performance data graphs of popular performance counters, which are necessary for troubleshooting and monitoring purposes
Data collection
  System Center Operations Manager:
  • Collects:
    • performance counters and events, including (not full list):
      • AD Database size
      • Primary domain controller (PDC) emulator master availability
      • Replication latency or queue size
      • Available disk space for drive hosting the Active Directory database
   
  Azure-based solutions:
  • OMS can collect:
    • Performance data
    • Windows event logs
    • Custom logs
    • IIS logs
    • Syslog events
    • AD Assessment (solution):
      • Registry
      • LDAP
      • .NET Framework
      • Event log
      • Active Directory Service interfaces (ADSI)
      • Windows PowerShell
      • File data
      • Windows Management Instrumentation (WMI)
      • DCDIAG tool API
      • File Replication Service (NTFRS) API
      • Custom C# code
  • Azure AD Connect Health can collect:
    • Disk Space Usage
    • Domain Services Threads in Use
    • Kerberos Authentications/sec
    • LDAP Active Threads
    • LDAP Bind Time
    • LDAP Searches/sec
    • LDAP Successful Binds/sec
    • LSASS Performance
    • NTLM Authentication/sec
    • Replication Queue
    • TCP Connections Established
    • Used Memory (%)
    • Used Processor (%)
Alerting
  • Monitor-based alerts
  • Event-based alerts
  • Performance (metric)-based alerts
  • Typically <1 minute alerting latency
   
Data visualization
  System Center Operations Manager:
  • Use the SCOM console or web console
  • Built-in management pack dashboards, views:
    • Active Alerts, Events, All Performance Data, Health State views
    • Topology diagram
    • Inter-Site Replication Traffic
    • Replication performance
    • ATQ Thread Pool Metrics
    • Database and Log Overview
    • Database Size
    • DC/GC Response
    • DC OS Metrics Overview
    • DC Response Time
    • AD Database and Log Disk Space
    • Global Catalog Response/Search Time
    • PDC Response Times
    • LSASS Processor Time
    • Memory Metrics
    • OpMaster Performance
  • Built-in management pack reports:
    • AD DC Replication Bandwidth
    • DC Disk Space Chart
    • AD Domain Changes
    • Event Analysis by Event ID
  • Ability to custom author dashboards, views, reports
  • Ability to directly query the OpsMgr database and Data Warehouse

  Azure-based solutions:
  • Azure AD Connect Health:
    • Domain Controllers Dashboard
    • Replication Status Dashboard
    • Performance Monitors List
  • OMS:
    • AD Assessment (solution)
      • Summary information for focus areas is shown on the AD Health Check dashboard for the infrastructure in your environment
    • AD Replication Status (solution)
      • Replication Errors, Destination Server Status and Source Server Status, Tombstone Lifetime
    • Assessment solutions:
    • Log Analytics
    • View Designer
    • PowerBI
    • Service Map
Administrative effort
  • Installing and tuning the AD management pack
    • With both SCOM and Azure, a key part of monitoring is knowing what you want to monitor/collect
   
Data retention
  System Center Operations Manager:
  • Two databases: OpsMgr database and Data Warehouse
  • OpsMgr database holds 7 days by default
  • Data Warehouse holds 400 days by default
   
  Azure-based solutions:
  • Azure AD Connect Health does not generate reports, perform analytics, or provide insights beyond 30 days. Therefore, Azure AD Connect Health does not store, process, or retain any data beyond 30 days. This design is compliant with the GDPR regulations, Microsoft privacy compliance regulations, and Azure AD data retention policies.
  • Log Analytics has a retention age of 31 to 730 days