With our Active Directory integration, you can easily monitor the health of your directory services environment and proactively alert on potential issues.
Built with our infrastructure agent, the Active Directory integration gives you a set of pre-built and that let you view your most critical performance data, all in one place.
Tip
This integration falls under the Community project designation in our Open Source categories. This code is developed in the open with input from the community through issues and PRs. There is an active maintainer team within New Relic, as well as troubleshooting support in the New Relic Explorers Hub and documentation available in the project repository.
After setting up the Active Directory integration with New Relic, see your data in a dashboard like this, right out of the box.
Install the infrastructure agent
To see your Active Directory data in New Relic, install our infrastructure agent. The infrastructure agent collects data from Performance Counters, Windows Services, PowerShell scripts, and Windows Event Logs and sends that data to New Relic, where you can use the telemetry to measure the health of your Active Directory environment..
There are two methods to install the infrastructure agent:
- Follow our guided install to instrument your system with the infrastructure agent.
- Install the infrastructure agent via the command line using our docs.
Instrument Active Directory with New Relic
To instrument Active Directory with the infrastructure agent, follow the below procedures between this doc and the New Relic Active Directory integration repository.
Once you've followed all these steps, you can install the Active Directory quickstart from the New Relic I/O catalog to add the relevant dashboard and alerts.
Find and use data
The collection of telemetry from Active Directory depends on various configuration and script files located in the infrastructure agent's directory structure like this:
C:\Program Files\New Relic\newrelic-infra\ ├── integrations.d │ ├── windows-active-directory-performance-counters.ps1 │ ├── windows-active-directory-performance-counters.yml │ ├── windows-active-directory-replication-checks.yml │ ├── windows-active-directory-replication-failures.ps1 │ ├── windows-active-directory-replication-partners.ps1 │ └── windows-active-directory-services.yml └── logging.d └── windows-active-directory.ymlEach of these files works together to present a full observability footprint. The resulting telemetry in New Relic consists of Metrics, Events, and Log data.
Performance Counters
Collection of Active Directory Performance Counters is accomplished via Flex using this PowerShell script and associated configuration file:
windows-active-directory-performance-counters.ps1windows-active-directory-performance-counters.ymlThe results of this collection are stored as events named activeDirectoryPerformanceCounters.
Event details
EVENT ATTRIBUTE | COUNTER NAME | DESCRIPTION |
|---|---|---|
|
| Number of connected address book client sessions |
|
| The number of objects remaining until the full synchronization is completed |
|
| The number of object property values received from inbound replication partners that are DNs that reference other objects |
|
| The number of object property values containing DNs sent to outbound replication partners |
|
| The number of directory synchronizations that are queued for this server but not yet processed |
|
| The number of directory reads per second |
|
| The number of directory writes per second |
|
| The number of pending update notifications that are queued but not yet transmitted to clients |
|
| The current number of threads that the directory service is using |
|
| The current number of threads that the LDAP subsytem of the local directory service uses |
|
| The time (in milliseconds) that is taken to complete the last LDAP bind |
|
| The number of currently connected LDAP client sessions |
|
| The rate at which LDAP clients perform search operations |
|
| The number of LDAP binds per second |
|
| The combined rate at which all processors on the computer are switched from one thread to another |
|
| The number of threads waiting to be executed in queue |
See your data
In New Relic, you can query your results with this NRQL pattern:
FROM activeDirectoryHealthChecks SELECT latest(addressBookClientSessions), latest(inboundFullSyncObjectsRemaining), latest(draInbound), latest(draOutbound), latest(draPendingReplicationSync), latest(directoryReadsPerSec), latest(directoryWritesPerSec), latest(directoryNotifyQueueSize), latest(directoryThreadsInUse), latest(ldapActiveThreads), latest(ldapBindTime), latest(ldapClientSessions), latest(ldapSearchesPerSec), latest(ldapSuccessfulBindsPerSec), latest(contextSwitchesPerSec), latest(processorQueueLength)SINCE 1 DAY AGOLIMIT MAXWindows Services
Collection of Active Directory Windows Services is accomplished via the native Windows Services integration using this configuration file:
windows-active-directory-services.ymlThe results of this collection are stored as dimensional metrics with the decorated label: label.primary_app = 'active_directory'.
Metric details
SERVICE NAME | DESCRIPTION |
|---|---|
| Active Directory Web Services |
| Distributed File System |
| DFS Replication |
| DNS Server |
| DNS Client |
| Intersite Messaging |
| Kerberos Key Distribution Center |
| Server |
| Workstation |
| Net logon |
| Active Directory Domain Services |
| Remote Procedure Call (RPC) |
| Security Accounts Manager |
| Windows Time |
See your data
In New Relic, you can query your results with this NRQL pattern:
FROM Metric SELECT latest(timestamp) AS 'Reporting Time', latest(state) AS 'Current State', latest(start_mode) AS 'Start Mode'FACET hostname AS 'Host', display_name AS 'Display Name', service_name AS 'Service Name', process_id AS 'Parent PID', run_as AS 'Service Account'WHERE label.primary_app = 'active_directory'SINCE 1 DAY AGOLIMIT MAXActive Directory Replication status
Collection of Active Directory Performance Counters is accomplished via Flex using these two PowerShell scripts and associated configuration file:
windows-active-directory-replication-checks.ymlwindows-active-directory-replication-failures.ps1windows-active-directory-replication-partners.ps1The results of this collection are stored as events named activeDirectoryReplicationFailures and activeDirectoryReplicationPartners.
Event details
EVENT NAME | ATTRIBUTE | DESCRIPTION |
|---|---|---|
|
| Integer indicating the total count of replication failures that have occurred on the specified domain controller. |
|
| String representation of the latest type of replication failure experienced by the specified domain controller. |
|
| Timestamp ( |
|
| Integer indicating the last error code received for a replication failure on the specified domain controller. |
|
| String name of the domain controller where the replication failure occurred. |
|
| Timestamp ( |
|
| Timestamp ( |
|
| Short name of the remote partner for replication. |
|
| Short name of the local server for |
See your data
In New Relic, you can query your replication statistics with these NRQL patterns:
FROM activeDirectoryReplicationFailures SELECT latest(failureType) AS 'Type', latest(failureError) AS 'Error', latest(firstFailureTime) AS 'First Failure', latest(failureCount) AS 'Attempts Made'FACET serverSINCE 1 DAY AGOLIMIT MAXFROM activeDirectoryReplicationPartners SELECT latest(lastReplicationAttempt) AS 'Last Attempt', latest(lastReplicationSuccess) AS 'Last Success'FACET server AS 'Source', partner AS 'Partner', if(lastReplicationSuccess != lastReplicationAttempt, 'Failed Replication', 'Successful Replication') AS 'Current Status'SINCE 1 DAY AGOLIMIT MAXWindows Event Logs
Collection of Active Directory Windows Events is performed with the integrated log forwarder on the infrastructure agent using this configuration file:
windows-active-directory.ymlThe results of this collection are stored as logs with the decorated label: logtype = 'active_directory'.
Log details
CHANNEL | EVENT ID | DESCRIPTION |
|---|---|---|
Security |
| Windows is shutting down |
Security |
| The system time was changed |
Security |
| An account failed to log on |
Security |
| A logon was attempted using explicit credentials |
Security |
| A replay attach was detected |
Security |
| An IPsec Main Mode security association was established |
Security |
| A service was installed in the system |
Security |
| Kerberos policy was changed |
Security |
| Encrypted data recovery policy was changed |
Security |
| System audit policy was changed |
Security |
| A user account was created |
Security |
| An attempt was made to change an account's password |
Security |
| An attempt was made to reset an accounts password |
Security |
| A user account was disabled |
Security |
| A user account was deleted |
Security |
| A user account was changed |
Security |
| Domain Policy was changed |
Security |
| A user account was locked out |
Security |
| A computer account was created |
System |
| The security descriptor version number could not be determined |
System |
| Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done |
System |
| The attempt to establish a replication link for the following writable directory partition failed |
System |
| The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition |
System |
| During the past [number] days; replication errors in one or more directory partitions have caused replication to be disabled for the specified naming context on the current domain controller |
System |
| Active Directory Domain Services has detected that the domain is still using the default password for the 'Administrator' account |
System |
| The session setup from the computer [computer name] failed to authenticate |
System |
| During the past [number] days; there have been a few replication errors in the forest. There may be network or connectivity problems in the forest |
See your data
In New Relic, you can query your results with this NRQL pattern:
FROM Log SELECT hostname AS 'Host', Channel, EventID, message AS 'Message'WHERE logtype = 'active_directory'SINCE 1 DAY AGOLIMIT MAXCheck the source code
This integration is open source software. That means you can browse its source code and send improvements, or create your own fork and build it.