Monitoring Microsoft Active Directory
You're a systems administrator, and you've been getting calls all week that a user keeps getting their account locked out. Initially, you just unlocked the account, but now it is getting frustrating. Where do you start? Browsing endless event logs on every domain controller you have? That's like finding a needle in several haystacks. Maybe doing a packet capture with Wireshark and hoping you catch it? But what would you be looking for? Maybe you feel your PowerShell-fu is strong, and decide to start running commands to try to find it.
Have you ever wondered how well your Global Catalog or authentication response times are? Has your Exchange Server shown signs of slow email delivery and you are not sure why? How do you determine when you need another Domain Controller or Global Catalog server in your environment?
If these sound familiar, you are not alone. Most people do not even know they can monitor Active Directory, let alone actually do it. Active Directory is complex and has a ton of moving parts, which usually don't have problems, or at least not problems that you are aware of. What if you could get deeper visibility into how exactly your Active Directory infrastructure is operating, in real time?
Because ExtraHop can see and analyze the data moving over the wire in your data center, any participation with Active Directory is already there, just waiting to be tapped and exploited. This incredible visibility allows you to change your culture from a reactive service desk to a pro-active one, seeing symptoms and errors before users have an opportunity to tell you. Adding AD visibility is as simple as downloading the bundle and applying it. The key services you should be monitoring in Active Directory are:
- Global Catalog
- KDC - Key Distribution Center (Kerberos)
- Group Policy
The Global Catalog (usually known as just the GC) is a critical part of LDAP, partitioned as its own service. It's a table of contents, or perhaps better yet, an index for your Active Directory forest. Not only can we tell you the number of requests and responses, but we analyze the full payload, telling you whether there were any errors and showing you the response times of your GC. If this service gets overloaded, we can tell you who your top clients are and how many requests they make.
This is crucial data to identify whether you have rogue servers causing performance degradation, or if you should look into adding more resources to your existing infrastructure. A slow Global Catalog server can severely impact your Exchange performance as well as accessing resources in other domains of your forest.
KDC - Key Distribution Center
The KDC is built on Kerberos, the single most important service of Active Directory. After all, what good is a solid infrastructure, if you cannot authenticate or authorize your users and computers? Wouldn't it make sense to monitor it to identify any authorization problems you have in your environment? Every time a computer or user requests access to a resource, an exchange of credentials, handed out by the KDC, happens. This visibility gives you access to data, in real time, in a way that you may have never seen before.
We can answer questions like:
- I have a disabled user, but they used their account to run critical business tasks which no longer run. Where are they using this account?
- Where did my user account lockout happen?
- Which computers have a time difference (skew) preventing them from accessing resources?
- Which computers have their passwords out-of-sync?
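Each of these four questions maps onto a specific Kerberos error code the KDC returns on the wire, so they can be answered by classifying KRB-ERROR messages rather than by reading event logs. The following Python script is an added example (not code from the original post or the ExtraHop bundle) that does this classification; the records are constructed here to resemble what a wire-level analyzer would extract from each KRB-ERROR message, and the principal and IP values are made up.

```python
"""Triage Kerberos KRB-ERROR records into the four KDC questions above.

Added example, not code from the original post or the ExtraHop bundle. The
records are constructed here to resemble what a wire-level analyzer would pull
out of each KRB-ERROR message (RFC 4120): client principal, client IP, the
service requested, and the numeric error-code field.
"""
from collections import defaultdict

# RFC 4120 section 7.5.9 error codes relevant to the questions above.
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # service principal not found (not one of the four questions)
KDC_ERR_CLIENT_REVOKED = 18      # account disabled, locked out, or expired
KDC_ERR_PREAUTH_FAILED = 24      # wrong password; for a computer account, an out-of-sync password
KRB_AP_ERR_SKEW = 37             # client clock outside the KDC's tolerance

# Constructed sample records: (client_principal, client_ip, requested_service, error_code)
SAMPLE_ERRORS = [
    ("jsmith@CORP.EXAMPLE", "10.1.9.40", "krbtgt/CORP.EXAMPLE", KDC_ERR_PREAUTH_FAILED),
    ("jsmith@CORP.EXAMPLE", "10.1.9.40", "krbtgt/CORP.EXAMPLE", KDC_ERR_PREAUTH_FAILED),
    ("jsmith@CORP.EXAMPLE", "10.1.5.23", "krbtgt/CORP.EXAMPLE", KDC_ERR_CLIENT_REVOKED),
    ("svc_batch@CORP.EXAMPLE", "10.1.7.12", "krbtgt/CORP.EXAMPLE", KDC_ERR_CLIENT_REVOKED),
    ("WS042$@CORP.EXAMPLE", "10.1.3.8", "krbtgt/CORP.EXAMPLE", KRB_AP_ERR_SKEW),
    ("FS01$@CORP.EXAMPLE", "10.1.2.2", "krbtgt/CORP.EXAMPLE", KDC_ERR_PREAUTH_FAILED),
    ("bob@CORP.EXAMPLE", "10.1.5.77", "http/intranet.corp.example", KDC_ERR_S_PRINCIPAL_UNKNOWN),
]


def is_computer_account(principal):
    """AD machine accounts are named with a trailing '$' before the realm."""
    return principal.split("@", 1)[0].endswith("$")


def triage(records):
    """Group error records by question.

    Returns {"revoked": {...}, "skew": {...}, "computer_password": {...},
    "bad_password": {...}}, each mapping principal -> sorted list of client IPs.
    """
    buckets = {k: defaultdict(set)
               for k in ("revoked", "skew", "computer_password", "bad_password")}
    for principal, ip, _service, code in records:
        if code == KDC_ERR_CLIENT_REVOKED:        # disabled / locked-out account still in use
            buckets["revoked"][principal].add(ip)
        elif code == KRB_AP_ERR_SKEW:             # time skew
            buckets["skew"][principal].add(ip)
        elif code == KDC_ERR_PREAUTH_FAILED:
            key = "computer_password" if is_computer_account(principal) else "bad_password"
            buckets[key][principal].add(ip)
        # other codes (e.g. an unknown SPN) are not part of these four questions
    return {k: {p: sorted(ips) for p, ips in v.items()} for k, v in buckets.items()}


def lockout_sources(records, principal):
    """Where did the lockout come from? Bad-password attempts per client IP, most first."""
    counts = defaultdict(int)
    for p, ip, _service, code in records:
        if p == principal and code == KDC_ERR_PREAUTH_FAILED:
            counts[ip] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for question, hits in triage(SAMPLE_ERRORS).items():
        print(question, hits)
    print("lockout sources for jsmith:", lockout_sources(SAMPLE_ERRORS, "jsmith@CORP.EXAMPLE"))
```

The useful property is that every record already carries the client IP: the answer to "where did the lockout happen" is the IP that keeps producing `KDC_ERR_PREAUTH_FAILED` for that principal, and the answer to "where is the disabled account still used" is the IP behind each `KDC_ERR_CLIENT_REVOKED`.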
LDAP / DNS
Active Directory is built on, you guessed it, a directory accessible using the Lightweight Directory Access Protocol. Nearly everything a system or user needs to know or learn about your AD environment is stored here. We can parse LDAP as easily as buttering bread, showing you response times, errors, queries, and more. This data is crucial not only for identifying who your top talkers are, but also for deciding whether you need to expand your domain controllers or just fix a rogue system.
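The Global Catalog section and the LDAP paragraph above both come down to the same three measurements per server: request volume, error count and response-time distribution, broken out by client. The following Python script is an added example (not code from the original post or the ExtraHop bundle) that computes them from per-response records; the records are constructed here to resemble what a wire-level analyzer extracts from each LDAP response, and the host names and IPs are made up.

```python
"""Top talkers, error counts and response-time percentiles for LDAP and the
Global Catalog, as described in the Global Catalog and LDAP sections.

Added example, not code from the original post or the ExtraHop bundle. Each
record is constructed to resemble what a wire-level analyzer extracts per LDAP
response: client IP, server, destination port (389/636 plain LDAP, 3268/3269
Global Catalog), the LDAP resultCode (RFC 4511), and request-to-response time
in milliseconds.
"""
import math
from collections import Counter, defaultdict

GC_PORTS = {3268, 3269}
LDAP_SUCCESS = 0  # RFC 4511 resultCode: 0 success, 1 operationsError, 4 sizeLimitExceeded, ...

# Constructed sample: (client_ip, server, port, result_code, rtt_ms)
SAMPLE = [
    ("10.1.5.23", "dc01", 3268, 0, 4.1),
    ("10.1.5.23", "dc01", 3268, 0, 3.9),
    ("10.1.8.50", "dc01", 3268, 0, 180.0),
    ("10.1.8.50", "dc01", 3268, 4, 250.0),   # sizeLimitExceeded: an unbounded search
    ("10.1.8.50", "dc02", 3268, 0, 210.0),
    ("10.1.8.50", "dc02", 3268, 0, 190.0),
    ("10.1.6.11", "dc02", 389, 0, 2.0),
    ("10.1.6.11", "dc02", 389, 1, 7.5),      # operationsError
    ("10.1.7.12", "dc01", 389, 0, 3.3),
]


def percentile(values, pct):
    """Nearest-rank percentile over a non-empty list (no interpolation)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(records, gc_only=False):
    """Per-server request/error counts with p50/p95 latency, plus top clients.

    gc_only=True restricts the view to Global Catalog traffic (ports 3268/3269).
    """
    rtts = defaultdict(list)
    errors = Counter()
    clients = Counter()
    for ip, server, port, code, rtt in records:
        if gc_only and port not in GC_PORTS:
            continue
        rtts[server].append(rtt)
        clients[ip] += 1
        if code != LDAP_SUCCESS:
            errors[server] += 1
    servers = {
        s: {"requests": len(v), "errors": errors[s],
            "p50_ms": percentile(v, 50), "p95_ms": percentile(v, 95)}
        for s, v in rtts.items()
    }
    return {"servers": servers, "top_clients": clients.most_common()}


def slow_servers(summary, p95_threshold_ms=100.0):
    """Servers whose p95 response time exceeds the threshold (capacity candidates)."""
    return sorted(s for s, st in summary["servers"].items()
                  if st["p95_ms"] > p95_threshold_ms)


def client_latency(records, ip):
    """Median response time seen by one client. A high value for only one client
    points at that client's query pattern rather than at server capacity."""
    values = [rtt for c, _s, _p, _code, rtt in records if c == ip]
    return percentile(values, 50) if values else None


if __name__ == "__main__":
    gc = summarize(SAMPLE, gc_only=True)
    print("GC servers:", gc["servers"])
    print("GC top clients:", gc["top_clients"])
    print("slow GC servers:", slow_servers(gc))
    for ip, _n in gc["top_clients"]:
        print(ip, "median ms:", client_latency(SAMPLE, ip))
```

Reading the sample output the way the text suggests: both GC servers look slow at p95, but the median latency per client shows that one client (the one issuing unbounded searches that trip sizeLimitExceeded) accounts for every slow response, so the fix is that client, not another domain controller.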
And, of course, you cannot run Active Directory without DNS. This service is designed to be a "Yellow Pages," telling computers where to find Active Directory, and the services it publishes. Critical information about your AD environment is stored in DNS records called service records (SRV). In real time, we show you how your current DNS servers are performing, which lookups are generating errors, and which clients are receiving those errors.
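To make the SRV mechanism concrete, the following Python script is an added example (not code from the original post or the ExtraHop bundle): it parses a DNS response carrying the `_ldap._tcp.dc._msdcs.<domain>` SRV records a domain publishes, orders the targets the way an RFC 2782 client does when picking a domain controller, and shows what a lookup error (NXDOMAIN for a missing record) looks like at the parser. The response bytes are constructed inside the file, and the domain and host names are made up.

```python
"""Parse the SRV records Active Directory publishes in DNS and order them the way
a client does when choosing a domain controller.

Added example, not code from the original post or the ExtraHop bundle. It
implements a minimal DNS response parser for SRV answers (RFC 1035 message
format, RFC 2782 SRV RDATA) and the RFC 2782 priority/weight ordering. The
response bytes are constructed in this file; nothing is sent on the network.
"""
import random
import struct

SRV_TYPE = 33
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # the pointer ends the name in-stream
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) for a DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F                             # 3 = NXDOMAIN: the SRV name is missing
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4                                    # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            priority, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = _read_name(msg, offset + 6)
            records.append((priority, weight, port, target))
        offset += rdlength
    return rcode, records


def order_targets(records, rng=None):
    """RFC 2782: lowest priority first; within a priority, weighted random order."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append((r[3], r[2]))       # (target host, port)
                    group.remove(r)
                    break
    return ordered


def build_sample_response(nxdomain=False):
    """Constructed response to an _ldap._tcp.dc._msdcs.corp.example SRV query."""
    qname = "_ldap._tcp.dc._msdcs.corp.example"
    question = _encode_name(qname) + struct.pack("!HH", SRV_TYPE, 1)
    if nxdomain:                                       # a lookup that generates an error
        return struct.pack("!HHHHHH", 0x1234, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    answers = b""
    for prio, weight, port, target in [(0, 100, 389, "dc01.corp.example"),
                                       (0, 100, 389, "dc02.corp.example"),
                                       (10, 0, 389, "dc03.corp.example")]:
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(target)
        # 0xC00C: pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, 1, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0) + question + answers


if __name__ == "__main__":
    rcode, srv = parse_srv_response(build_sample_response())
    print("rcode", rcode, "records", srv)
    print("client order:", order_targets(srv, random.Random(0)))
    print("missing record rcode:", parse_srv_response(build_sample_response(nxdomain=True))[0])
```

The priority 10 entry in the sample is the standby domain controller: clients only fall back to it when every priority 0 target has failed, which is why a site whose priority 0 records are missing or returning errors shows up as slow logons rather than outright failures.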
Have you ever wondered how your GPOs are performing before they actually get to your clients? There are ways to identify how long it takes to process a GPO when a client loads it, but what about where the GPOs live? A slow or heavily loaded domain controller can affect how long it takes for a GPO to be accessed by a client before it's loaded. Did the client get an error loading the GPO, and if so, which client was it? What are your top GPOs that are being loaded?
We can answer these questions using some simple-to-understand graphs on a dashboard:
If you were to put a heat map of your entire infrastructure's services on a wall, including SQL Server, SharePoint, Exchange, servers, applications, files and others, you would see that Active Directory is smack-dab in the middle as a blue hypergiant star about ready to go supernova. This is because everything needs Active Directory for authentication, authorization, and lookups. A poorly performing Active Directory infrastructure, without the right visibility, will mask itself as problems with other servers, wasting valuable labor time for your teams and possibly increasing frustration levels.
As you can see, ExtraHop can put simplicity into understanding your complex Active Directory infrastructure, giving you critical visibility that you may not have even known was possible or even needed.
If you've already got ExtraHop in your environment, and want to try monitoring Active Directory, you can download the solution bundle here.
Don't have ExtraHop? Get a 30-day Free Trial and you can start monitoring Active Directory and over 50 enterprise protocols today!
This is a companion discussion topic for the original entry at https://www.extrahop.com/community/blog/2016/active-directory-monitoring/