How to Set Up Windows Server 2016 Active Directory Monitoring
Proactive monitoring of Active Directory on Windows Server 2016 ensures that authentication, replication, and policy application continue to function reliably. Unlike reactive troubleshooting, a monitoring framework surfaces problems before users report them, giving administrators time to remediate issues during business hours rather than during incidents. This tutorial covers setting up event log monitoring, Windows Performance Monitor, scheduled health scripts, and integration with Microsoft’s free monitoring tools.
Key Event IDs to Monitor
Windows records critical AD events in the System, Security, and Directory Service event logs. The following event IDs are especially important:
Directory Service log: Event 1083 (an inbound replication update could not be applied because the DC was busy), Event 1586 (checkpoint with the PDC emulator failed; mainly seen after a PDC role transfer), Event 2042 (a partner has not replicated within the tombstone lifetime, so inbound replication from it is blocked), Event 1988 (lingering object detected; strict replication consistency refused the update).
System log: Event 5719 (NETLOGON could not reach a domain controller for the domain), Event 1055 (Group Policy could not resolve the user or computer name, usually DNS or DC connectivity).
Security log: Event 4740 (account lockout), Event 4625 (failed logon), Event 4648 (logon with explicit credentials).
Query for critical replication errors with PowerShell:
Get-EventLog -LogName "Directory Service" -EntryType Error,Warning -Newest 50 |
Select-Object TimeGenerated, EventID, Message |
Format-List
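As an added example that is not part of the original tutorial, the following script pulls every event ID listed above from all three logs on the local DC for the last 24 hours and summarises counts per ID with the newest message line, using Get-WinEvent rather than the older Get-EventLog. The 24-hour window is an assumption.

```powershell
# Added example: summarise the AD-relevant event IDs from the section above.
# Run on a domain controller in an elevated PowerShell session (Security log needs admin).
$since = (Get-Date).AddHours(-24)   # assumption: look back one day

# Log name -> event IDs of interest (the IDs listed in this section)
$watch = @{
    'Directory Service' = @(1083, 1586, 1988, 2042)
    'System'            = @(5719, 1055)
    'Security'          = @(4740, 4625, 4648)
}

$events = foreach ($log in $watch.Keys) {
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log
            Id        = $watch[$log]
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; that is "no events", not a failure
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# One row per log/ID: how many, when the last one fired, and its first message line
$events |
    Group-Object LogName, Id |
    ForEach-Object {
        $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Log     = $newest.LogName
            Id      = $newest.Id
            Count   = $_.Count
            Newest  = $newest.TimeCreated
            Message = ($newest.Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Log, Id |
    Format-Table -AutoSize
```

A burst of 4625 or 4740 rows in this table is the first place to look for a password-spraying attempt; a single 2042 or 1988 row is already an incident for the replication topology and should not wait for the daily job.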
Configuring Event Subscriptions
Windows Event Forwarding (WEF) collects events from all domain controllers to a central Windows Event Collector server, making centralised monitoring practical. On the collector server, configure the Windows Event Collector service and create a subscription:
wecutil qc /q
Create a subscription XML file targeting the Directory Service critical events, then import it:
wecutil cs C:\Monitoring\ADSubscription.xml
On each domain controller, enable the WinRM listener that forwarding uses (for source-initiated subscriptions the DCs must also be pointed at the collector through the "Configure target Subscription Manager" Group Policy setting under Windows Components > Event Forwarding):
winrm quickconfig -q
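As an added example that is not part of the original tutorial, the following script writes a source-initiated subscription file covering the Directory Service events listed earlier plus Security 4740, registers it with wecutil, and confirms it exists. The subscription name, file path and the SDDL restricting forwarders to the Domain Controllers group are assumptions.

```powershell
# Added example: create and register a WEF subscription on the collector server.
# Run on the collector after "wecutil qc /q". Assumed subscription name and path.
$path = 'C:\Monitoring\ADSubscription.xml'
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null

@'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-DirectoryService-Critical</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Replication health and account lockout events from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinLatency delivers within seconds; Normal batches events and costs the DCs less -->
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(EventID=1083 or EventID=1586 or EventID=1988 or EventID=2042)]]</Select>
      </Query>
      <Query Id="1" Path="Security">
        <Select Path="Security">*[System[(EventID=4740)]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Assumption: only members of Domain Controllers (SDDL alias DD) may forward to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@ | Set-Content -Path $path -Encoding UTF8

wecutil cs $path                           # register the subscription
wecutil gs AD-DirectoryService-Critical    # show its configuration
wecutil gr AD-DirectoryService-Critical    # runtime status: which DCs have checked in
```

Two checks to make before expecting Security events to arrive: the forwarding service on each DC runs as NETWORK SERVICE, which by default cannot read the Security log, so either add NETWORK SERVICE to the Event Log Readers group on the DCs or append an allow entry for it to the channel's access descriptor (wevtutil gl Security shows the current SDDL); and the HTTP transport on port 5985 is encrypted with Kerberos message-level security between domain members, so HTTPS is not required for confidentiality inside the domain.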
Performance Monitor Counters for Active Directory
Windows Performance Monitor exposes AD-specific counters under the NTDS object. Key counters to track continuously include:
\NTDS\LDAP Searches/sec — query load on the directory; a sustained rise without a matching change in clients is worth investigating.
\NTDS\Kerberos Authentications — Kerberos authentications per second; spikes may indicate a problem or an attack such as password spraying.
\NTDS\DRA Inbound Bytes Total/sec — inbound replication traffic (compressed and uncompressed).
\NTDS\DS Directory Reads/sec — overall read load on the directory.
Create a Data Collector Set to log these counters over time:
logman create counter ADBaseline -c "\NTDS\LDAP Searches/sec" "\NTDS\Kerberos Authentications" `
"\NTDS\DRA Inbound Bytes Total/sec" -si 60 -o C:\PerfLogs\ADBaseline.blg -f bincirc
Start and stop the collector set:
logman start ADBaseline
logman stop ADBaseline
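A counter log is only useful once you know what normal looks like. As an added example that is not part of the original tutorial, the following script reads the ADBaseline.blg log created above with Import-Counter, computes mean and standard deviation per counter, then takes a 30-second live sample with Get-Counter and flags any counter more than three standard deviations above its baseline. The log path and the 3-sigma threshold are assumptions.

```powershell
# Added example: compare live NTDS counter values against a baseline learned from the .blg log.
# Assumptions: log path below, 3-sigma alert threshold, counters match the collector set above.
$blg      = 'C:\PerfLogs\ADBaseline.blg'
$counters = @(
    '\NTDS\LDAP Searches/sec',
    '\NTDS\Kerberos Authentications',
    '\NTDS\DRA Inbound Bytes Total/sec'
)

# Counter paths in sample data carry a \\hostname prefix; strip it so paths compare across runs
function Get-ShortPath ([string]$Path) { $Path -replace '^\\\\[^\\]+', '' }

# Import-Counter yields one sample set per interval; flatten to individual samples
$samples  = Import-Counter -Path $blg | Select-Object -ExpandProperty CounterSamples
$baseline = @{}
foreach ($group in ($samples | Group-Object Path)) {
    $values = @($group.Group | ForEach-Object { [double]$_.CookedValue })
    $mean   = ($values | Measure-Object -Average).Average
    # Sample standard deviation (Measure-Object has no -StandardDeviation on Windows PowerShell 5.1)
    $sumSq  = ($values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum
    $sd     = [Math]::Sqrt($sumSq / [Math]::Max($values.Count - 1, 1))
    $baseline[(Get-ShortPath $group.Name)] = [pscustomobject]@{ Mean = $mean; StdDev = $sd; Samples = $values.Count }
}

# Live sample: six readings five seconds apart, averaged per counter
$live = (Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 6).CounterSamples |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Counter = Get-ShortPath $_.Name
            Live    = ($_.Group | Measure-Object CookedValue -Average).Average
        }
    }

# Report each counter with its baseline and whether the live value is out of band
$live | ForEach-Object {
    $b = $baseline[$_.Counter]
    if (-not $b) { return }             # counter not present in the baseline log
    $limit = $b.Mean + 3 * $b.StdDev
    [pscustomobject]@{
        Counter  = $_.Counter
        Samples  = $b.Samples
        Mean     = [Math]::Round($b.Mean, 1)
        StdDev   = [Math]::Round($b.StdDev, 1)
        Live     = [Math]::Round($_.Live, 1)
        Status   = if ($_.Live -gt $limit) { 'ABOVE BASELINE' } else { 'ok' }
    }
} | Format-Table -AutoSize
```

Let the collector set run for at least a full business week before trusting the baseline, otherwise Monday-morning logon storms will be flagged every week. A Kerberos Authentications reading far above baseline with no matching rise in LDAP Searches/sec is a pattern worth correlating with Security 4771 and 4625 counts before assuming it is benign load.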
Scheduled Health Check Script
Automate a daily replication check using Task Scheduler. Save the following script as C:\Scripts\ADHealthCheck.ps1:
Import-Module ActiveDirectory
$date = Get-Date -Format "yyyy-MM-dd"
$log = "C:\Logs\ADHealth_$date.txt"
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null
# Replication summary (largest delta and failure counts per DC)
repadmin /replsummary | Out-File $log -Append
# DC list and FSMO roles
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperationMasterRoles |
Format-Table -AutoSize | Out-File $log -Append
# Account lockouts in the last 24h. 4740 is written on the DC that locked the account
# and on the PDC emulator, so run this on the PDC emulator for a complete picture.
$since = (Get-Date).AddHours(-24)
Get-EventLog -LogName Security -InstanceId 4740 -After $since |
Select-Object TimeGenerated, ReplacementStrings | Out-File $log -Append
Register the script as a scheduled task that runs daily at 06:00:
schtasks /create /tn "AD Daily Health Check" /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\ADHealthCheck.ps1" `
/sc DAILY /st 06:00 /ru SYSTEM /f
Monitoring Account Lockouts in Real Time
Account lockouts are a common helpdesk escalation. Use the Microsoft Account Lockout and Management Tools (ALTools) package, particularly LockoutStatus.exe, or query with PowerShell:
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut, LastLogonDate
To identify the computer from which the bad password attempts originated, search the PDC emulator's Security log: every DC forwards lockouts to the PDC emulator, so its 4740 events cover the whole domain, and the second event property (Caller Computer Name) names the source machine:
Get-WinEvent -ComputerName PDC01 -FilterHashtable @{LogName='Security';Id=4740} |
Select-Object TimeCreated, @{N='Account';E={$_.Properties[0].Value}},
@{N='CallerComputer';E={$_.Properties[1].Value}} |
Sort-Object TimeCreated -Descending | Select-Object -First 20
Alerting on Replication Failures
Configure an alert action within a Data Collector Set to send an email when a performance counter threshold is exceeded, or use the following PowerShell snippet to check replication and send email if failures are found:
$failures = repadmin /showrepl * /csv | ConvertFrom-Csv |
Where-Object { [int]$_."Number of Failures" -gt 0 }   # cast: CSV fields are strings
if ($failures) {
Send-MailMessage -To "[email protected]" -From "[email protected]" `
-Subject "AD Replication Failures Detected" `
-Body ($failures | Out-String) `
-SmtpServer "smtp.contoso.com"
}
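As an added example that is not part of the original tutorial, the following script performs the same check through the ActiveDirectory module cmdlets instead of parsing repadmin output, and adds two things a practitioner will want: it also reports partner links whose last successful replication is older than a threshold (a partner that silently stopped replicating does not always show a failure count), and it records the result as an Application log event so the WEF subscription or a SIEM picks it up even when mail delivery is broken. The age threshold, event source name and event IDs are assumptions.

```powershell
# Added example: replication alerting via the ActiveDirectory module, logged to the Application log.
# Assumptions: 4-hour staleness threshold, event source "ADHealthCheck", event IDs 9000/9001.
Import-Module ActiveDirectory
$maxAgeHours = 4
$source      = 'ADHealthCheck'

# Register the custom event source once (needs admin); skipped if it already exists
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

# Explicit inbound failures, as reported by each DC about its partners
$failures = foreach ($dc in $dcs) {
    try {
        Get-ADReplicationFailure -Target $dc -Scope Server -ErrorAction Stop |
            Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
    } catch {
        # A DC that cannot be queried is a finding in its own right, not something to skip
        [pscustomobject]@{
            Server = $dc; Partner = '(query failed)'; FailureType = 'Unreachable'
            FailureCount = 1; FirstFailureTime = Get-Date; LastError = $_.Exception.Message
        }
    }
}

# Partner links with no successful replication inside the threshold, across all partitions
$cutoff = (Get-Date).AddHours(-$maxAgeHours)
$stale = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -Partition * -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
}

if ($failures -or $stale) {
    $body = "Replication failures:`n" + ($failures | Format-Table -AutoSize | Out-String) +
            "`nPartner links with no success in the last $maxAgeHours h:`n" +
            ($stale | Format-Table -AutoSize | Out-String)
    Write-EventLog -LogName Application -Source $source -EventId 9001 -EntryType Error -Message $body
    # Send-MailMessage as in the snippet above can be added here using $body
} else {
    Write-EventLog -LogName Application -Source $source -EventId 9000 -EntryType Information `
        -Message "Replication healthy across $($dcs.Count) domain controllers"
}
```

Schedule this alongside the daily health check but at a shorter interval (hourly is typical), and add Application event 9001 from this source to the WEF subscription so the alert reaches the collector by the same path as the Directory Service events. Keep the threshold well below the tombstone lifetime: by the time event 2042 appears, the partner has already been refused and recovery needs manual intervention.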
By combining event forwarding, performance baselines, scheduled scripts, and real-time alerts, you establish a monitoring posture that keeps Active Directory visible and manageable at all times.