Azure AD Domain Services Test

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.

Where Azure AD DS is in use, if users frequently complain about slowness in authentication or delayed / failed access to applications., it is bound to show the cloud-based service in bad light. The consistently poor user experience with the service will also put a spade on the enterprise's plans to shift legacy / business-critical applications to the cloud. If this is to be avoided, then administrators should be able to instantly detect the 'degraded health' of Azure AD DS, and diagnose what could be causing it - is it owing to latencies in LDAP binding / NTLM authentication/ Kerberos authentication? is it because of service errors? or is it due to replication errors? This is exactly what the Azure AD Domain Services test reveals!

This test monitors the operational health of Azure AD DS and alerts administrators if the service is in an 'Unhealthy' state. Additionally, the test points you to the probable reasons for 'poor service health' - is it lethargic authentication? is it because of replication errors? or is it because of numerous open alerts / unresolved errors for the service? Detailed diagnostics of the test provides the details of these active alerts/errors, so you can troubleshoot them and improve overall service health.

Target of the Test: A Microsoft Azure Active Directory Connect

Agent deploying the test: An internal agent

Output of the test: One set of results for the Azure AD Domain service that is monitored

Configurable parameters for the test
Parameters Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

Port

The port at which the specified Host listens

Tenant ID

Specify the Directory ID of the Azure AD tenant to be monitored. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API.

Client ID, Client Password, and Confirm Password

To connect to the target tenant, the eG agent requires an Access token in the form of an Application ID and the client secret value. For this purpose, you should register a new application with the Azure AD tenant. To know how to create such an application and determine its Application ID and client secret, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API. Specify the Application ID of the created Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test:
Measurement Description Measurement Unit Interpretation

Status

Indicates the current status of the Azure AD DS.

 

The values that this measure reports and their corresponding numeric values are listed in the table below:

Measure Value Numeric Value
Healthy 1
Unhealthy 0

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the status of the Azure AD DS. In the graph of this measure however, the same is represented using the numeric equivalents only.

Number of active alerts from last 30 minutes

Indicates the number of unresolved alerts for the Azure AD DS during the last 30 minutes.

Number

If the Status measure reports the value Unhealthy, then you can use the detailed diagnosis of this measure to view the type of alerts that were raised on the service, which could have contributed to the abnormal service state.

Number of resolved alerts from last 30 minutes

Indicates the number of resolved alerts for the Azure AD DS during the last 30 minutes.

Number

Use the detailed diagnosis of this measure to view the details of the resolved alerts.

Successful LDAP bind rate

Indicates the rate at which the service performed successful LDAP binds.

Binds/Sec

A high value is desired for this measure. A consistent drop in this value could indicate a potential slowness in LDAP binding.

NTLM authentications rate

Indicates the rate at which the service processes NTLM authentication requests.

Authentications/Sec

A high value is desired for this measure. A consistent drop in this value could indicate potential authentication delays.

Kerberos authentication rate

Indicates the rate at which the service processes Kerberos authentication requests.

Authentications/Sec

A high value is desired for this measure. A consistent drop in this value could indicate potential authentication delays.

Number of domain controllers

Indicates the number of domain controllers managed by the service.

Number

Use the detailed diagnosis to know which domain controllers are used by the service.

Replication status of DCs with errors

Indicates the number of domain controllers with replication errors.

Number

Ideally, the value of this measure should be 0.

Use the detailed diagnosis of the Number of domain controllers measure to know which domain controllers are used by the service.

Figure 1 : The detailed diagnosis of the Number of domain controllers measure