Monitor Active Directory with Azure AD Connect Health

Fitness Routine

Setting up Azure AD Connect Health

Once you have completed all the preparations, the setup of Azure AD Connect Health via the Azure web portal is next. Again, you can use a test subscription to gain insights into the service's capabilities. After pressing the plus sign to add a new resource and entering the Azure AD Connect Health search term, you will find the service in the portal. Now select the service. Detailed information about the monitoring environment will appear on the right side of the window. Click on Create to start the service setup in Azure. The Quick Start button displays the page for downloading the required tools for the connection to the local servers (Figure 2), which is also where you will find more information about configuring the service. Additionally, you can download the client directly [5].

Figure 2: Setting up Azure AD Connect Health in the Microsoft Azure web portal.

The agent for monitoring the local domain controllers or AD FS servers must be installed (as mentioned previously) on the servers and DCs that you want to monitor with Azure AD Connect Health. During the installation of the binary files, the agent is not set up; the connection with Azure is set up later. Therefore, the best approach in a production environment is to install the agent on all your DCs and AD Connect servers that are connected to Azure and then rely on data synchronization.

As soon as the agent is installed on a server, you can call the Setup Wizard, which ensures the connection to Azure AD Connect Health. To set up the service, you thus need a connection to the Internet and Azure. The setup comprises two steps: (1) install the agent on the servers and (2) connect the agents with Microsoft Azure. The Configure Now button starts the configuration, which invokes a script in PowerShell that sets up the integration with Azure AD Connect Health.

You can script the setup directly via PowerShell with the Register-AzureADConnectHealthADDSAgent cmdlet (Figure 3). For the integration, you need to log on to your Azure subscription. This can only be done with a business account or an account in Azure AD Premium. You cannot log in with a Microsoft account. The script also creates a logfile, in which you will find any errors that occurred during the setup. The script cannot be terminated during execution, but you can restart it at any time.

Figure 3: Integration with Azure AD Connect Health.

Troubleshooting Setup Errors

After successfully completing the setup and running the script, the integration is complete. If you receive any error messages, use the command:

> Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false

If you are setting up the connection on a Server Core installation, you cannot log in from a browser – only from PowerShell. In this case, the command is:

> Register-AzureADConnectHealthADDSAgent -Credential $cred

In the scope of the setup, the wizard creates three system services that must be started to transfer data to the cloud: Azure AD Connect Health AD FS Diagnostics Service, Azure AD Connect Health AD FS Insights Service, and Azure AD Connect Health AD FS Monitoring Service. If you want the agent to use a proxy server to access the Internet, the easiest way is to define the proxy settings in Internet Explorer and import them using PowerShell:

> Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings

You can also specify the proxy directly in PowerShell:

> Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress <Server or IP Address>:<Port>

In PowerShell, you can test the successful integration with Azure AD Connect Health. To verify the connection to AD, use the command:

> Test-AzureADConnectHealthConnectivity -Role ADDS

The ADFS role would let you test the connection between AD FS and Azure AD Connect Health. Next, type

> Test-AzureADConnectHealthConnectivity -Role Sync -ShowResult

to test synchronization with Azure AD.
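
The Server Core registration and the follow-up checks described above, combined into one script. This is an added example, not code from the article or from Microsoft. It assumes the agent binaries are already installed; `$ProxyAddress` is a hypothetical parameter of this script, and the credential is prompted for at run time so that no global administrator password is stored in the file.

```powershell
# Added example: register and verify the AD DS health agent on a Server Core DC.
# Assumes the agent is installed, so the cmdlets shown in the article are available.
param(
    # Hypothetical optional parameter, e.g. 'proxy.example.internal:8080' (constructed value)
    [string]$ProxyAddress
)

$ErrorActionPreference = 'Stop'

# Prompt interactively instead of embedding a privileged password in the script.
$cred = Get-Credential -Message 'Azure AD account allowed to register the agent'

if ($ProxyAddress) {
    Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress $ProxyAddress
}

try {
    Register-AzureADConnectHealthADDSAgent -Credential $cred
}
catch {
    Write-Warning "Registration failed: $($_.Exception.Message)"
    throw
}
finally {
    # Drop the credential object as soon as registration has been attempted.
    Remove-Variable -Name cred -ErrorAction SilentlyContinue
}

# The agent can only upload data if its services are running. Match on the
# display-name prefix used in the article rather than hard-coding service names.
$services = Get-Service -DisplayName 'Azure AD Connect Health*'
if (-not $services) {
    throw 'No Azure AD Connect Health services found; is the agent installed?'
}
$services | Format-Table DisplayName, Status -AutoSize

$stopped = $services | Where-Object Status -ne 'Running'
if ($stopped) {
    Write-Warning ('Not running: ' + ($stopped.DisplayName -join ', '))
}

# Finally, confirm that the agent can reach Azure AD Connect Health.
Test-AzureADConnectHealthConnectivity -Role ADDS
```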

Delegating Permissions

The service is managed and used via the Azure AD Connect Health web portal. The fastest way to reach it is to sign in online [1]. To connect servers to Azure AD Connect Health, you must have global administrator privileges. Later use of the AD Connect Health dashboard does not require global administrator rights; access can also be delegated. To do so, press the Access icon in the main Azure AD Connect Health window or select the Users tile. In the new Users window, you manage access roles, add new users, and assign roles to users. If you mouse over a role, you can view information on the permissions this role has in Azure AD Connect Health.
