Monitor Active Directory with Azure AD Connect Health

Fitness Routine

Monitoring and Alerts

Once the connections between Microsoft Azure, Azure AD Connect Health service, and the agents on the local servers have been established on the network, the servers and other functions appear in the Azure AD Connect Health dashboard. You will also see any alerts and problems. Other servers can be connected with the environment in the same way. When you click on an error in the monitoring window, you are shown more detailed information on the right. After connecting your infrastructure, you can see at a glance in the Azure AD Connect Health portal whether a monitored service is causing problems. Also, you learn when the last synchronization and export operations occurred.

The Settings button gives you more information and options for each connected server. After you select a DC, the Choose Columns section gives you a selection of additional columns to display in the monitoring window. Once a server is connected, it starts to transfer performance data; of course, it may take a while before this information is visualized.

In addition to errors, Azure AD Connect Health analyzes the user logins in Azure AD. For applications to which users authenticate through Azure AD, you can therefore see which are used the most. Various filters are available. You can analyze the last six hours, but also the last 24 hours or the last seven days. You can also filter for authentication methods and the servers used. Although the interface is simple, it is constantly being developed by Microsoft. Complex filtering and monitoring tasks are not possible, but you can quickly and easily see whether Azure AD is working, how the service is used, and by whom. Please do not forget your users' privacy, though.

In many cases, the service detects replication problems between DCs on the local network that could affect synchronization with Azure AD. For the problems it identifies, Azure AD Connect Health also shows links to solutions. The dashboard shows all the connected DCs, the flexible single-master operation (FSMO) roles of the servers, including the global catalogs, and the configured AD location. You can also see the status of the server in the dashboard and display further information, such as the last server update or when the server last booted. The servers can also be grouped by Active Directory locations, which improves the overview, especially in large environments.

For each connected DC, the replication connections can be displayed, along with any replication errors with other DCs. The performance of the DCs can also be monitored using various performance indicators, which helps you identify vulnerabilities and performance issues. You can also see the time periods at which your DCs are busiest. To do so, click on Performance Monitor Collection. On the right side are various filters that can provide interesting information for metrics. This information is important both for DCs that synchronize with Azure AD and for replication between servers.

Special Features for AD FS

To help with comprehensive monitoring of AD FS with Azure AD Connect Health, the service needs access to the AD FS audit logs. Some configuration work is necessary on the AD FS servers to do so. The settings are more or less identical for Windows Server 2008 R2, 2012 (R2), and 2016:

1. Open Local Security Policy in the management program group on the server.

2. Navigate to Security Settings | Local Policies | User Rights Assignment and double-click on Generate security audits.

3. In the Local Security Setting tab, make sure that the AD FS 2.0 service account is included in the list.

4. Open a command prompt window and run the following command to enable auditing:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

5. Open the AD FS management console and click Edit Federation Service Properties in the Actions pane.

6. Make sure that the options for Success audits and Failure audits are enabled.
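
One way to confirm that steps 2 through 6 took effect on an AD FS server, as an added example that is not part of the original article. It assumes English-language auditpol output, that the AD FS Windows service is named adfssrv, and that the ADFS PowerShell module is available (Windows Server 2012 R2 or later); the function name Test-AdfsAuditReadiness is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added verification example (not from the original article).
# Assumptions: English auditpol output, service name 'adfssrv', ADFS module present.

function Test-AdfsAuditReadiness {
    $result = [ordered]@{}

    # Steps 2-3: the AD FS service account needs "Generate security audits"
    # (SeAuditPrivilege). Only direct assignment is checked here; a grant
    # through group membership will show as $false and needs a manual look.
    $svc  = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
    $acct = [System.Security.Principal.NTAccount]$svc.StartName
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP 'adfs_user_rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeAuditPrivilege\s*=' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # secedit writes holders as a comma-separated list, SIDs prefixed with '*'.
    $holders = @()
    if ($line) {
        $holders = ($line.Line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $result['ServiceAccount']            = $svc.StartName
    $result['HasGenerateSecurityAudits'] = ($holders -contains $sid) -or
                                           ($holders -contains $svc.StartName)

    # Step 4: "Application Generated" must audit both success and failure.
    $ap = auditpol.exe /get /subcategory:"Application Generated" /r |
          Where-Object { $_ } | ConvertFrom-Csv
    $result['AuditPolSetting'] = $ap.'Inclusion Setting'
    $result['AuditPolOk']      = $ap.'Inclusion Setting' -eq 'Success and Failure'

    # Steps 5-6: the federation service itself must log both audit types.
    $levels = (Get-AdfsProperties).LogLevel
    $result['AdfsSuccessAudits'] = $levels -contains 'SuccessAudits'
    $result['AdfsFailureAudits'] = $levels -contains 'FailureAudits'

    [pscustomobject]$result
}

Test-AdfsAuditReadiness | Format-List
```

Any value reported as False points back to the corresponding step above; run the check on every server in the AD FS farm, because the user right and the audit policy are local settings.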


In complex infrastructures with AD, Azure AD, Exchange, and Office 365, you can find and resolve problems more quickly, thanks to Azure AD Connect Health, than with other tools or without any meaningful type of monitoring. Companies that have linked their local AD infrastructure with Azure and work with Azure AD should take a closer look at Azure AD Connect Health.
