My manager has informed me that we've received funding for Microsoft System Center Config and Ops Manager products and wants to extend its use to cover Active Directory.
Apart from standard monitoring and deploying patches, what else do you use these products for in your environment with Active Directory to extract the maximum value from them?
Microsoft SCCM and SCOM and AD
- 113 Views
- Last Post 27 July 2015
Well, I haven't actually used SCOM given what I've read about it, but
one of the very first things I'd investigate is using it to monitor
critical group memberships, and provide notifications of
additions/deletions for them. That, along with performance monitoring
for AD, and alerting on certain eventlog entries all come to mind.
Thank you Kurt.
Monitoring key security groups is one that I've thought about but performance monitoring in my little mind is quite broad, I'm wondering what specifically I should be targeting?
The AD is 2008 R2 single forest domain. we have over 5,000 users.
I don't know what's important in your environment, so some/much of
this might not apply, but off the top of my head, and again, I am not
up on the capabilities of SCOM, but these are some of the things I
would want to measure and potentially be alerted on.
o- Speed/reliability of replication
o- Size of DIT
o- Logon attempts for important accounts (Domain Admin,
Schema/Enterprise Admins, C-level execs, others), especially failures
o- Uptime/availability of DCs
o- Which DCs are getting hit most with auth requests
o- Response times for auth requests by DC
o- DHCP scope utilization and response time by DC, if they're AD-integrated
o- Load on DNS servers and response time, again assuming DNS is
integrated with AD
o- Whether someone has stood up a new subnet and it's not been
included in a site, let alone the correct one (auths from unknown
sites will be noted in the event logs)
o- Memory utilization of each DC
o- Network traffic graphing.for each DC
Depending on how broadly you construe what constitutes AD, and whether
you have one, and whether SCOM can measure it, your PKI
infrastructure. Don't know what metrics might apply there, though.
Others with more experience can specify further and more interesting metrics.
It might be worth looking at "CESG Good Practice Guide 13" or GPG13 for short. I forget where to download it from, but there is a web site
devoted to security logging and alerting. I would want to watch for the security logs being manually cleared.....
Security logs being cleared is an excellent one..hadn't thought of that but would be incredibly useful.
One of the last jobs I did before retiring was to implement the lowest level
of GPG13 monitoring, using Solar Winds LEM. The things folks wanted were:-
Security Group Changes.
Group Policy Changes
Locked Out Accounts
Accounts with "password never expires"
Not sure if MOM can provide those. There were some others...