What's the best way to monitor AD with Icinga?

I know, could I ask a broader question? With the Icinga for Windows approach, are there any comprehensive checks for AD already set up? I’m looking for things that other tools like SolarWinds/Netwrix/ManageEngine do out of the box.

The last time I took a look at things, before Icinga for Windows, it pretty much relied on me writing my own powershell and VB scripts to get things done. Even though I’ll sound like an idiot…I don’t always know what I need to monitor when it comes to AD.

Monitoring *nix and network gear is a breeze with Icinga; trying to get a firm grasp on AD monitoring with it seems to be more of a challenge for me.

Anyway, are there any howtos around for in-depth AD checks?

Thanks.

I don’t know of anything straight out of the box, but I am also looking to monitor AD DS and I was planning to make use of the PowerShell framework/plugins and check the state of Windows services related to AD DS (dns, kdc, netlogon, w32time, dfs, etc) as well as performance counters.

I’d be happy to share and collaborate on the useful perfcounters - I plan on building templates for most Windows Server roles/features (ADDS, DNS, DHCP, RRAS, etc…) and I think this could be great to put in the documentation for the PowerShell checks or somewhere suitable for others to contribute to.


Here are some checks the AD guys wanted me to monitor:

  • service-adws
  • service-dfs
  • service-dfsr
  • service-dns
  • service-kdc
  • service-netlogon
  • service-ntds

They also wrote themselves a check to check for certificates in the local cert store that are running out.
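The two things this reply asks for (service up/down for the listed AD DS services, plus a warning on soon-to-expire certificates in the local machine store) fit in one small plugin. The script below is an added example written for this thread, not the poster's own check or part of Icinga for Windows; it emits standard Icinga/Nagios plugin output (status word, summary, perfdata, exit code 0/1/2). The service list mirrors the bullets above; the certificate thresholds and the assumption that the relevant certificates live in `Cert:\LocalMachine\My` are mine.

```powershell
# Added example (not the poster's script): Icinga/Nagios-style plugin that
# checks the AD DS services named in the thread and warns on certificates in
# the local machine store that expire soon. Thresholds are assumptions.
param(
    [string[]]$Services = @('ADWS', 'DFS', 'DFSR', 'DNS', 'Kdc', 'Netlogon', 'NTDS'),
    [int]$CertWarnDays = 30,
    [int]$CertCritDays = 7
)

$exitCode = 0
$messages = @()

function Set-Worst([int]$code) {
    # Keep the most severe state seen so far (2=CRITICAL beats 1=WARNING beats 0=OK).
    if ($code -gt $script:exitCode) { $script:exitCode = $code }
}

# 1. Service state: a listed service that is not running is CRITICAL; a service
#    that does not exist on this host is only WARNING, so a typo in the list or
#    a role not installed here does not page anyone at 3 a.m.
$running = 0
foreach ($name in $Services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $messages += "service $name not installed"
        Set-Worst 1
    } elseif ($svc.Status -ne 'Running') {
        $messages += "service $name is $($svc.Status)"
        Set-Worst 2
    } else {
        $running++
    }
}

# 2. Certificate expiry in LocalMachine\My (DC authentication, LDAPS, etc.).
$now = Get-Date
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($daysLeft -le $CertCritDays) {
        $messages += "cert '$($cert.Subject)' ($($cert.Thumbprint)) expires in $daysLeft days"
        Set-Worst 2
    } elseif ($daysLeft -le $CertWarnDays) {
        $messages += "cert '$($cert.Subject)' ($($cert.Thumbprint)) expires in $daysLeft days"
        Set-Worst 1
    }
}

# Plugin output: "<STATE> - <summary> | <perfdata>", then the matching exit code.
$state = @('OK', 'WARNING', 'CRITICAL')[$exitCode]
if ($messages) {
    $summary = $messages -join '; '
} else {
    $summary = "all $($Services.Count) AD services running, no certificates expiring within $CertWarnDays days"
}
Write-Output "$state - $summary | services_running=$running;;;0;$($Services.Count)"
exit $exitCode
```

Run it on a domain controller as a scheduled or agent-executed check; the perfdata field lets Icinga graph how many of the listed services were up over time, and the per-certificate thumbprint in the summary tells the on-call person exactly which certificate to renew.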

Yes, the up/down checks of services and processes are simple enough, especially with templating. I guess the roadblock I’m hitting is when you start going down the rabbit hole of performance counters and log analysis. Performance counters to me are like trying to take a sip of water out of a fire hose: tons of data I have no idea what to do with. Log analysis…say for instance I wanted to know when there are multiple failed logins (Event ID 4624), how the hell do I easily do that? There’s an example that could be used to search for one EventID, but to do that repeatedly for every ID I might be interested in seems wrong. Plus I’d have to keep up with what IDs are worth caring about. I’m guessing log analysis should be considered a separate product…design something else and have Icinga query that.

You can query log events with the Invoke-IcingaCheckEventlog check, but you’re right that Icinga is probably not the best tool for log analysis.

Elasticsearch/Kibana is more what you would use for something like that - see Monitoring Windows Logons with Winlogbeat | Elastic Blog
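The thread's objection to the event log approach is that one check per Event ID does not scale. The added example below (written for this thread, not the poster's code and not the Invoke-IcingaCheckEventlog plugin) shows the alternative: a single table of IDs drives one `Get-WinEvent` query over a sliding window, and the total is mapped to Icinga states. The IDs used are the standard Windows Security audit IDs for authentication failures (4625 failed logon, 4740 account lockout, 4771 Kerberos pre-authentication failure; note that 4624 is the successful-logon event); the window size and thresholds are assumptions to tune per environment.

```powershell
# Added example (not from the thread): count authentication-failure events from
# the Security log over a sliding window and map the count to Icinga states.
# Event IDs are standard Windows Security audit IDs; window and thresholds are
# assumptions for illustration.
param(
    [int]$Minutes = 15,
    [int]$Warning = 10,
    [int]$Critical = 50
)

# One table drives every ID of interest: adding an ID is one line, not a new check.
$WatchedEvents = @{
    4625 = 'failed logon'
    4740 = 'account locked out'
    4771 = 'Kerberos pre-authentication failed'
}

$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$WatchedEvents.Keys
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

# Get-WinEvent throws when nothing matches; an empty window is a normal OK result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Per-ID counts for perfdata.
$byId = $events | Group-Object -Property Id
$perf = foreach ($id in $WatchedEvents.Keys) {
    $grp = $byId | Where-Object { $_.Name -eq "$id" }
    $n = if ($grp) { $grp.Count } else { 0 }
    "evt_$id=$n;$Warning;$Critical;0"
}

# For 4625, Properties[5] is TargetUserName; listing the most-hit accounts in the
# summary lets the responder tell one user's typos from a spray across many accounts.
$topAccounts = $events |
    Where-Object { $_.Id -eq 4625 } |
    ForEach-Object { $_.Properties[5].Value } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 3 |
    ForEach-Object { "$($_.Name)=$($_.Count)" }

$total = $events.Count
$exitCode = if ($total -ge $Critical) { 2 } elseif ($total -ge $Warning) { 1 } else { 0 }
$state = @('OK', 'WARNING', 'CRITICAL')[$exitCode]

$summary = "$total auth-failure events in last $Minutes min"
if ($topAccounts) { $summary += " (top 4625 accounts: $($topAccounts -join ', '))" }
Write-Output "$state - $summary | $($perf -join ' ')"
exit $exitCode
```

This keeps Icinga in the role the reply suggests: it answers "are failures spiking right now, and roughly where?" and pages on a threshold, while the per-event detail and longer-term searching stay in a log platform such as the Elastic stack linked above.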