How to Set Up Windows Server 2019 Active Directory Monitoring

Proactive monitoring of Active Directory on Windows Server 2019 ensures that authentication, replication, and directory services operate reliably. AD monitoring encompasses tracking replication health, FSMO role availability, account lockouts, service status, DNS registration, and security events. This guide covers setting up continuous AD monitoring using Windows built-in tools, PowerShell, and integration with monitoring platforms.

Monitoring AD Replication with Repadmin and Scheduled Tasks

Create a scheduled task that continuously monitors replication health and alerts on failures. First, create the monitoring script:

$logPath    = "C:\ADMonitoring\replication-monitor.log"
$alertEmail = "[email protected]"

# Capture repadmin output before switching to "Stop": in Windows PowerShell, stderr
# redirected with 2>&1 under $ErrorActionPreference = "Stop" would abort the script
# on the first error line that repadmin prints.
$replErrors  = repadmin /showrepl * /errorsonly 2>&1 | Out-String
$replSummary = repadmin /replsummary 2>&1 | Out-String
$ErrorActionPreference = "Stop"

Add-Content -Path $logPath -Value "$(Get-Date) | Replication check completed"

# -match is case-insensitive, so one pattern covers "error"/"Error" and "failed"/"FAIL"
if ($replErrors -match "error|fail") {
    $body = "AD Replication Issues Detected at $(Get-Date)`n`n$replErrors`n`nReplication summary:`n$replSummary"
    Send-MailMessage `
        -To $alertEmail `
        -From "[email protected]" `
        -Subject "ALERT: AD Replication Failure" `
        -Body $body `
        -SmtpServer "smtp.contoso.com"
    Add-Content -Path $logPath -Value "$(Get-Date) | ALERT: Replication error detected"
}

Register this script as a scheduled task running every 15 minutes:

$action = New-ScheduledTaskAction `
    -Execute "powershell.exe" `
    -Argument "-NonInteractive -ExecutionPolicy Bypass -File C:\ADMonitoring\Check-ADReplication.ps1"

# Start now and repeat every 15 minutes
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)

Register-ScheduledTask `
    -TaskName "AD Replication Monitor" `
    -Action $action `
    -Trigger $trigger `
    -RunLevel Highest `
    -User "SYSTEM"
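The script above decides "healthy or not" by pattern-matching repadmin's text. As an added example that is not part of the original guide, the following does the same check through the ActiveDirectory module's replication cmdlets, so every failing partner link comes back as an object with its consecutive-failure count and last success time, which is easier to alert on and to keep as trend data. The 24-hour staleness threshold, the function names and the sample records are assumptions.

```powershell
# Added example (not the guide's own script). Requires the ActiveDirectory module
# (RSAT) on the monitoring host. Thresholds, names and sample data are assumptions.

function Test-ReplicationPartner {
    param(
        # Objects shaped like Get-ADReplicationPartnerMetadata output
        [Parameter(Mandatory)][object[]]$Partner,
        # Assumed staleness threshold: a link that has not succeeded in this many hours is reported
        [int]$MaxHoursSinceSuccess = 24
    )
    $cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    foreach ($p in $Partner) {
        $reasons = @()
        if ($p.ConsecutiveReplicationFailures -gt 0) {
            $reasons += "$($p.ConsecutiveReplicationFailures) consecutive failures (last result $($p.LastReplicationResult))"
        }
        if (-not $p.LastReplicationSuccess -or $p.LastReplicationSuccess -lt $cutoff) {
            $reasons += "no successful replication since $($p.LastReplicationSuccess)"
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Server    = $p.Server
                Partner   = $p.Partner
                Partition = $p.Partition
                Problem   = $reasons -join '; '
            }
        }
    }
}

function Get-ReplicationProblem {
    # Collect inbound partner metadata from every DC; -Partition * selects all naming contexts.
    $dcs = (Get-ADDomainController -Filter *).HostName
    $meta = foreach ($dc in $dcs) {
        Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction Continue
    }
    Test-ReplicationPartner -Partner $meta
}

# Constructed sample records (not real cmdlet output) to exercise the evaluation offline:
# one healthy link and one link that is both failing and stale.
$sample = @(
    [PSCustomObject]@{ Server = 'DC01'; Partner = 'DC02'; Partition = 'DC=contoso,DC=com'
                       ConsecutiveReplicationFailures = 0; LastReplicationResult = 0
                       LastReplicationSuccess = (Get-Date).AddMinutes(-5) }
    [PSCustomObject]@{ Server = 'DC01'; Partner = 'DC03'; Partition = 'DC=contoso,DC=com'
                       ConsecutiveReplicationFailures = 4; LastReplicationResult = 8524
                       LastReplicationSuccess = (Get-Date).AddDays(-3) }
)
Test-ReplicationPartner -Partner $sample | Format-Table -AutoSize
# Only the DC01 <- DC03 link is reported, with both reasons in the Problem column.

# Live use: pipe Get-ReplicationProblem into the guide's Send-MailMessage alert, or
# export it with Export-Clixml on each run to build a failure history per link.
```

Because the evaluation is separated from the collection, the same `Test-ReplicationPartner` logic can be unit-tested with constructed records on a workstation that has no domain access, and the alert body can carry the structured fields instead of raw repadmin text.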

Monitoring Account Lockouts

Account lockouts are one of the most common AD support issues and can indicate password spray attacks or service account misconfiguration. Monitor lockout events using the Security event log. Event ID 4740 is logged on the PDC Emulator when an account is locked out:

$pdcEmulator = (Get-ADDomain).PDCEmulator

Get-WinEvent -ComputerName $pdcEmulator -FilterHashtable @{
    LogName = 'Security'
    Id = 4740
    StartTime = (Get-Date).AddHours(-1)
} | ForEach-Object {
    $event = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time = $_.TimeCreated
        LockedAccount = $event.Event.EventData.Data[0].'#text'
        CallerComputer = $event.Event.EventData.Data[1].'#text'
    }
} | Format-Table -AutoSize

Find the source of lockouts using the Microsoft Lockout Status tool approach with PowerShell:

function Get-ADLockoutSource {
    param([Parameter(Mandatory)][string]$Username)
    $dcs = Get-ADDomainController -Filter *
    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Security'; Id = 4625, 4740
            StartTime = (Get-Date).AddHours(-24)
        } -ErrorAction SilentlyContinue | Where-Object {
            # 4625 and 4740 carry TargetUserName at different positions in EventData,
            # so look the field up by name instead of by index
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text' -eq $Username
        } | Select-Object TimeCreated, Id,
            @{N='SourceDC';E={$dc.Name}},
            # Substring would throw on messages shorter than 200 characters
            @{N='Message';E={$_.Message.Substring(0, [Math]::Min(200, $_.Message.Length))}}
    }
}
Get-ADLockoutSource -Username "jsmith"
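The section opens by noting that lockouts can indicate a password spray. As an added example that is not part of the original guide, the block below turns that observation into a detection: it parses 4740 events by field name (so it does not depend on `Data[0]`/`Data[1]` positions), groups them by the calling computer, and reports any source that locks out several different accounts inside a short window. The thresholds (3 accounts in 30 minutes), the function names and the sample events are assumptions; the sample XML is constructed, not captured from a real DC.

```powershell
# Added example (not the guide's own script): password-spray footprint in 4740 events.
# Thresholds, function names and the sample events below are assumptions.

function ConvertFrom-LockoutEvent {
    # Accepts 4740 event XML, e.g. ([xml]$evt.ToXml()) for each Get-WinEvent result
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $fields = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time    = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
            Account = $fields['TargetUserName']
            Source  = $fields['TargetDomainName']   # in 4740 this field holds the caller computer name
        }
    }
}

function Find-LockoutSpray {
    param(
        [Parameter(Mandatory)][object[]]$Lockouts,
        [int]$MinDistinctAccounts = 3,    # assumed threshold
        [int]$WindowMinutes = 30          # assumed window
    )
    foreach ($group in ($Lockouts | Group-Object Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window over this source's lockouts and count distinct accounts inside it
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $accounts = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                          Select-Object -ExpandProperty Account | Sort-Object -Unique)
            if ($accounts.Count -ge $MinDistinctAccounts) {
                [PSCustomObject]@{
                    Source      = $group.Name
                    WindowStart = $start
                    Accounts    = $accounts -join ', '
                }
                break   # one finding per source is enough to raise an alert
            }
        }
    }
}

# Constructed sample events (not real logs): one source locking three accounts within
# minutes, plus an unrelated single lockout from a workstation.
function New-Sample4740 {
    param([string]$Account, [string]$Caller, [string]$Utc)
    @"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4740</EventID><TimeCreated SystemTime='$Utc'/></System>
  <EventData>
    <Data Name='TargetUserName'>$Account</Data>
    <Data Name='TargetDomainName'>$Caller</Data>
  </EventData>
</Event>
"@
}

$sample = @(
    New-Sample4740 -Account 'alice' -Caller 'WEB01' -Utc '2024-05-01T10:00:00Z'
    New-Sample4740 -Account 'bob'   -Caller 'WEB01' -Utc '2024-05-01T10:04:00Z'
    New-Sample4740 -Account 'carol' -Caller 'WEB01' -Utc '2024-05-01T10:09:00Z'
    New-Sample4740 -Account 'dave'  -Caller 'WS-17' -Utc '2024-05-01T11:00:00Z'
) | ConvertFrom-LockoutEvent

Find-LockoutSpray -Lockouts $sample | Format-Table -AutoSize
# Reports WEB01 with alice, bob, carol; WS-17 is below the threshold.

# Live use against the PDC Emulator, reusing the guide's 4740 query:
# Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{
#     LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24)
# } | ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-LockoutEvent | Find-LockoutSpray
```

A single source hitting many accounts is also how a misconfigured application server with a cached credential shows up, so the finding is a triage signal rather than a verdict; the `Source` value gives the host to inspect first.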

Monitoring AD Services with Windows Admin Center

Windows Admin Center provides a GUI dashboard for AD monitoring. Install Windows Admin Center on a management server:

Invoke-WebRequest -Uri "https://aka.ms/WACDownload" -OutFile "C:\wac.msi" -UseBasicParsing
msiexec /i "C:\wac.msi" /qn /L*v "C:\wac-install.log" SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate

After installing WAC, add your domain controllers as managed servers and use the Active Directory extension to monitor users, groups, and domain health.

Monitoring Critical AD Event IDs

Several Security and System event IDs are critical indicators of AD health. Create a monitoring script that checks for these events on all DCs:

$criticalEvents = @{
    1311 = "Replication - Critical errors"
    1388 = "Replication - Lingering objects"
    1925 = "Replication - Inbound partner not available"
    2042 = "Replication - Too long since last replication"
    4625 = "Security - Failed logon"
    4648 = "Security - Logon with explicit credentials"
    4672 = "Security - Special privileges assigned"
    4720 = "Security - User account created"
    4726 = "Security - User account deleted"
    4740 = "Security - Account locked out"
    4756 = "Security - Member added to universal security group"
    4771 = "Security - Kerberos pre-auth failed"
}

$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    # One query per DC for all IDs at once; the replication IDs live in the
    # Directory Service log, the 46xx/47xx IDs in Security
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security', 'System', 'Directory Service'
        Id        = @($criticalEvents.Keys)
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue

    $events | Group-Object Id | ForEach-Object {
        [PSCustomObject]@{
            DC          = $dc
            EventId     = [int]$_.Name
            Count       = $_.Count
            Description = $criticalEvents[[int]$_.Name]
            Latest      = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
}

$results | Sort-Object EventId | Format-Table -AutoSize

Monitoring AD with Performance Counters

Collect AD-specific performance counters to baseline and monitor DC performance:

$dcs = (Get-ADDomainController -Filter *).Name
$counters = @(
    "\NTDS\LDAP Searches/sec",
    "\NTDS\LDAP Successful Binds/sec",
    "\NTDS\DRA Inbound Bytes Total/sec",
    "\NTDS\DRA Outbound Bytes Total/sec",
    "\NTDS\Kerberos Authentications",   # rate counters, but the NTDS object names them without "/sec"
    "\NTDS\NTLM Authentications"
)

# Prefix each counter with the DC name: \\DC01\NTDS\LDAP Searches/sec and so on
$prefixedCounters = $dcs | ForEach-Object { $dc = $_; $counters | ForEach-Object { "\\$dc$_" } }

# InstanceName is empty for these counters; Path carries the DC and counter name
Get-Counter -Counter $prefixedCounters -SampleInterval 10 -MaxSamples 6 |
    Select-Object -ExpandProperty CounterSamples |
    Format-Table Path, CookedValue -AutoSize
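The collection above prints raw samples; the guide's closing advice is to baseline them and watch for drift. As an added example that is not part of the original guide, the block below reduces a set of samples to a per-counter mean and maximum, and compares a later set of samples against that baseline, reporting counters that exceed the baseline mean by an assumed factor. The function names, the factor of 2 and the sample values are assumptions; the inputs are plain objects with `Path` and `CookedValue`, which is exactly what `Get-Counter` returns in `CounterSamples`.

```powershell
# Added example (not the guide's own script): baseline and compare AD performance counters.
# Function names, the alert factor and the sample values are assumptions.

function Get-CounterBaseline {
    # $Samples: objects with Path and CookedValue, e.g. (Get-Counter ...).CounterSamples
    param([Parameter(Mandatory)][object[]]$Samples)
    $Samples | Group-Object Path | ForEach-Object {
        $values = $_.Group.CookedValue
        [PSCustomObject]@{
            Path = $_.Name
            Mean = ($values | Measure-Object -Average).Average
            Max  = ($values | Measure-Object -Maximum).Maximum
        }
    }
}

function Compare-CounterBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,   # output of Get-CounterBaseline
        [Parameter(Mandatory)][object[]]$Current,    # fresh samples, same shape as the baseline input
        [double]$Factor = 2.0                        # assumed multiplier that counts as a deviation
    )
    $byPath = @{}
    foreach ($b in $Baseline) { $byPath[$b.Path] = $b }
    foreach ($c in $Current) {
        $b = $byPath[$c.Path]
        # Counters whose baseline mean is 0 are skipped to avoid a meaningless ratio
        if ($b -and $b.Mean -gt 0 -and $c.CookedValue -gt $b.Mean * $Factor) {
            [PSCustomObject]@{
                Path         = $c.Path
                Value        = $c.CookedValue
                BaselineMean = $b.Mean
                Ratio        = [math]::Round($c.CookedValue / $b.Mean, 1)
            }
        }
    }
}

# Live use: build the baseline from a quiet period and persist it, then compare each run.
#   $baseline = Get-CounterBaseline -Samples (Get-Counter -Counter $prefixedCounters -SampleInterval 10 -MaxSamples 60).CounterSamples
#   $baseline | Export-Clixml C:\ADMonitoring\counter-baseline.xml
#   Compare-CounterBaseline -Baseline (Import-Clixml C:\ADMonitoring\counter-baseline.xml) `
#       -Current (Get-Counter -Counter $prefixedCounters).CounterSamples

# Constructed sample values (not real measurements): a baseline averaging 120 searches/sec
# and a later reading of 410, which is 3.4 times the mean.
$ldap = '\\dc01\ntds\ldap searches/sec'
$baseline = Get-CounterBaseline -Samples @(
    [PSCustomObject]@{ Path = $ldap; CookedValue = 120 }
    [PSCustomObject]@{ Path = $ldap; CookedValue = 140 }
    [PSCustomObject]@{ Path = $ldap; CookedValue = 100 }
)
Compare-CounterBaseline -Baseline $baseline -Current @([PSCustomObject]@{ Path = $ldap; CookedValue = 410 }) |
    Format-Table -AutoSize
```

A sudden jump in LDAP searches or NTLM authentications relative to a per-DC baseline is worth correlating with the Security events from the previous section, since enumeration and credential-guessing activity tends to show up in these counters before it shows up as lockouts.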

Configuring Azure Monitor for AD Monitoring

For larger environments, use Microsoft Defender for Identity (formerly Azure ATP) and Azure Monitor for comprehensive cloud-integrated AD monitoring. Install the Defender for Identity sensor on domain controllers:

# Run from the folder where the downloaded sensor package was extracted. The silent install
# also needs the workspace access key shown on the Sensors page of the portal; the value
# below is a placeholder to replace with your own.
Start-Process ".\Azure ATP Sensor Setup.exe" -ArgumentList '/quiet NetFrameworkCommandLineArguments="/q" AccessKey="<ACCESS-KEY-FROM-PORTAL>" Reload=1' -Wait

After sensor deployment, configure directory service account credentials in the Defender for Identity portal for in-depth behavioral analytics and attack detection. Active Directory monitoring is most effective when it combines real-time alerting for critical events with regular baselining of performance counters and replication statistics, giving your operations team both the immediate visibility and the trend data needed to maintain a healthy directory environment.