Chatta subito con l'assistenza
Chat con il supporto

Foglight for Active Directory 6.3.0 - Release Notes

Remote scripting must be enabled

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Active Directory agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Active Directory dashboards.

Note: The Remote Access Diagnostics utility, provided with this product, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Active Directory agent. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Permissions

Note: Make sure to give minimum required privilege to your Active Directory® or Certificate Authority agent; otherwise this agent can not start data collection.

 

An Active Directory account with Administrator permissions  (domain or built-in administrators) must be specified in agent properties. This is the account used to run remote scripts. Foglight for Active Directory uses the userPrincipalName in the agent properties, so the sAMAccountName and the account CN must be identical. Also, they must not contain spaces, or LDAP authentication errors may occur.

 

To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:

  • If the Certificate Authority server is a member server then agent account needs to be member of Domain Admins group.
  • If the Certificate Authority is a Domain Controller then the agent account needs to be member of either Domain Administrators group or Domain Admins group.

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the unqualified and fully qualified name. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc

Since Foglight for Active Directory uses an agent-less design, remote execution of scripts must be enabled on all domain controllers. If communication fails completely, you will not see server objects. If partial data is collected, the server object will appear in the UI and the metrics with values will be displayed.  

Distributed COM (DCOM) must be enabled on all Domain Controllers (Active Directory Servers) or all Certificate Authority Servers.

To enable Distributed COM (DCOM):

  1. Click Start | Run.
  2. In the Run dialog, enter dcomcnfg and click OK.
  3. Expand Component Services and then Computers.
  4. Right-click the My Computer object and select Properties.
  5. On the Default Properties tab, check the Enable Distributed COM on this computer option.

Configuring Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.

Remote Registry Service must be running

The Remote Registry service must be running to allow agents remote access to the registry.

Windows Server 2008 R2 and Server 2012, 2016, and 2019 prerequisite

The account specified in the agent properties must have Full Control permissions on the registry keys.

Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

Sample procedure for checking and registering a WMI class

The Extensible Storage Engine (ESE) is the database engine used by Active Directory. Foglight for Active Directory collects metrics and will fire alarms on ESE performance. It is recommended to verify that the Win32_PerfRawData_ESENT_Database WMI class is registered on each monitored domain controller by confirming the 'Database' Performance Object within Performance Monitor (Perfmon) exists. If this class is not registered, ESE queries will fail with 0x80041010 errors.

To check and register the ESENT WMI Class:

  1. Check for the Database performance object.
    1. Start | Run and enter: perfmon
    2. Click the plus (+) toolbar button.
    3. On the Add Counters dialog, click the Performance object drop-down menu and locate the Database entry.
  2. If the Database entry is present, the class is registered and there is likely another problem.
  3. If a Database entry is not present, register the following WMI class: Win32_PerfRawData_ESENT_Database WMI.
    1. Run the RegisterEsentWmiClass.vbs script included with Foglight for Active Directory.
    2. At a command line, enter: mofcomp %windir%\system32\wbem\scm.mof
    3. At a command line, enter: wmiadap /f

This procedure sets registry keys and refreshes the WMI database so it is aware of the change.

Kerberos configuration files

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

 


Configuring Windows Remote Management (WinRM)

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Active Directory agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Active Directory dashboards.

Note: The Remote Access Diagnostics utility, provided with this product, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Active Directory agent. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Permissions

Note: Make sure to give minimum required privilege to your Active Directory® or Certificate Authority agent; otherwise this agent can not start data collection.

 

An Active Directory account with Administrator permissions  (domain or built-in administrators) must be specified in agent properties. This is the account used to run remote scripts. Foglight for Active Directory uses the userPrincipalName in the agent properties, so the sAMAccountName and the account CN must be identical. Also, they must not contain spaces, or LDAP authentication errors may occur.

 

To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:

  • If the Certificate Authority server is a member server then agent account needs to be member of Domain Admins group.
  • If the Certificate Authority is a Domain Controller then the agent account needs to be member of either Domain Administrators group or Domain Admins group.

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the unqualified and fully qualified name. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc

Remote scripting must be enabled

Since Foglight for Active Directory uses an agent-less design, remote execution of scripts must be enabled on all domain controllers. If communication fails completely, you will not see server objects. If partial data is collected, the server object will appear in the UI and the metrics with values will be displayed.  

Distributed COM (DCOM) must be enabled on all Domain Controllers (Active Directory Servers) or all Certificate Authority Servers.

To enable Distributed COM (DCOM):

  1. Click Start | Run.
  2. In the Run dialog, enter dcomcnfg and click OK.
  3. Expand Component Services and then Computers.
  4. Right-click the My Computer object and select Properties.
  5. On the Default Properties tab, check the Enable Distributed COM on this computer option.

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.

Remote Registry Service must be running

The Remote Registry service must be running to allow agents remote access to the registry.

Windows Server 2008 R2 and Server 2012, 2016, and 2019 prerequisite

The account specified in the agent properties must have Full Control permissions on the registry keys.

Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

Sample procedure for checking and registering a WMI class

The Extensible Storage Engine (ESE) is the database engine used by Active Directory. Foglight for Active Directory collects metrics and will fire alarms on ESE performance. It is recommended to verify that the Win32_PerfRawData_ESENT_Database WMI class is registered on each monitored domain controller by confirming the 'Database' Performance Object within Performance Monitor (Perfmon) exists. If this class is not registered, ESE queries will fail with 0x80041010 errors.

To check and register the ESENT WMI Class:

  1. Check for the Database performance object.
    1. Start | Run and enter: perfmon
    2. Click the plus (+) toolbar button.
    3. On the Add Counters dialog, click the Performance object drop-down menu and locate the Database entry.
  2. If the Database entry is present, the class is registered and there is likely another problem.
  3. If a Database entry is not present, register the following WMI class: Win32_PerfRawData_ESENT_Database WMI.
    1. Run the RegisterEsentWmiClass.vbs script included with Foglight for Active Directory.
    2. At a command line, enter: mofcomp %windir%\system32\wbem\scm.mof
    3. At a command line, enter: wmiadap /f

This procedure sets registry keys and refreshes the WMI database so it is aware of the change.

Kerberos configuration files

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

 


Remote Registry Service must be running

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Active Directory agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Active Directory dashboards.

Note: The Remote Access Diagnostics utility, provided with this product, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Active Directory agent. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Permissions

Note: Make sure to give minimum required privilege to your Active Directory® or Certificate Authority agent; otherwise this agent can not start data collection.

 

An Active Directory account with Administrator permissions  (domain or built-in administrators) must be specified in agent properties. This is the account used to run remote scripts. Foglight for Active Directory uses the userPrincipalName in the agent properties, so the sAMAccountName and the account CN must be identical. Also, they must not contain spaces, or LDAP authentication errors may occur.

 

To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:

  • If the Certificate Authority server is a member server then agent account needs to be member of Domain Admins group.
  • If the Certificate Authority is a Domain Controller then the agent account needs to be member of either Domain Administrators group or Domain Admins group.

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the unqualified and fully qualified name. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc

Remote scripting must be enabled

Since Foglight for Active Directory uses an agent-less design, remote execution of scripts must be enabled on all domain controllers. If communication fails completely, you will not see server objects. If partial data is collected, the server object will appear in the UI and the metrics with values will be displayed.  

Distributed COM (DCOM) must be enabled on all Domain Controllers (Active Directory Servers) or all Certificate Authority Servers.

To enable Distributed COM (DCOM):

  1. Click Start | Run.
  2. In the Run dialog, enter dcomcnfg and click OK.
  3. Expand Component Services and then Computers.
  4. Right-click the My Computer object and select Properties.
  5. On the Default Properties tab, check the Enable Distributed COM on this computer option.

Configuring Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.

Remote Registry Service must be running

The Remote Registry service must be running to allow agents remote access to the registry.

Windows Server 2008 R2 and Server 2012, 2016, and 2019 prerequisite

The account specified in the agent properties must have Full Control permissions on the registry keys.

Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

Sample procedure for checking and registering a WMI class

The Extensible Storage Engine (ESE) is the database engine used by Active Directory. Foglight for Active Directory collects metrics and will fire alarms on ESE performance. It is recommended to verify that the Win32_PerfRawData_ESENT_Database WMI class is registered on each monitored domain controller by confirming the 'Database' Performance Object within Performance Monitor (Perfmon) exists. If this class is not registered, ESE queries will fail with 0x80041010 errors.

To check and register the ESENT WMI Class:

  1. Check for the Database performance object.
    1. Start | Run and enter: perfmon
    2. Click the plus (+) toolbar button.
    3. On the Add Counters dialog, click the Performance object drop-down menu and locate the Database entry.
  2. If the Database entry is present, the class is registered and there is likely another problem.
  3. If a Database entry is not present, register the following WMI class: Win32_PerfRawData_ESENT_Database WMI.
    1. Run the RegisterEsentWmiClass.vbs script included with Foglight for Active Directory.
    2. At a command line, enter: mofcomp %windir%\system32\wbem\scm.mof
    3. At a command line, enter: wmiadap /f

This procedure sets registry keys and refreshes the WMI database so it is aware of the change.

Kerberos configuration files

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

 


Windows Server 2008 R2 and Server 2012, 2016, and 2019 prerequisite

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Active Directory agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Active Directory dashboards.

Note: The Remote Access Diagnostics utility, provided with this product, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Active Directory agent. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Permissions

Note: Make sure to give minimum required privilege to your Active Directory® or Certificate Authority agent; otherwise this agent can not start data collection.

 

An Active Directory account with Administrator permissions  (domain or built-in administrators) must be specified in agent properties. This is the account used to run remote scripts. Foglight for Active Directory uses the userPrincipalName in the agent properties, so the sAMAccountName and the account CN must be identical. Also, they must not contain spaces, or LDAP authentication errors may occur.

 

To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:

  • If the Certificate Authority server is a member server then agent account needs to be member of Domain Admins group.
  • If the Certificate Authority is a Domain Controller then the agent account needs to be member of either Domain Administrators group or Domain Admins group.

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the unqualified and fully qualified name. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc

Remote scripting must be enabled

Since Foglight for Active Directory uses an agent-less design, remote execution of scripts must be enabled on all domain controllers. If communication fails completely, you will not see server objects. If partial data is collected, the server object will appear in the UI and the metrics with values will be displayed.  

Distributed COM (DCOM) must be enabled on all Domain Controllers (Active Directory Servers) or all Certificate Authority Servers.

To enable Distributed COM (DCOM):

  1. Click Start | Run.
  2. In the Run dialog, enter dcomcnfg and click OK.
  3. Expand Component Services and then Computers.
  4. Right-click the My Computer object and select Properties.
  5. On the Default Properties tab, check the Enable Distributed COM on this computer option.

Configuring Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.

Remote Registry Service must be running

The Remote Registry service must be running to allow agents remote access to the registry.

The account specified in the agent properties must have Full Control permissions on the registry keys.

Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

Sample procedure for checking and registering a WMI class

The Extensible Storage Engine (ESE) is the database engine used by Active Directory. Foglight for Active Directory collects metrics and will fire alarms on ESE performance. It is recommended to verify that the Win32_PerfRawData_ESENT_Database WMI class is registered on each monitored domain controller by confirming the 'Database' Performance Object within Performance Monitor (Perfmon) exists. If this class is not registered, ESE queries will fail with 0x80041010 errors.

To check and register the ESENT WMI Class:

  1. Check for the Database performance object.
    1. Start | Run and enter: perfmon
    2. Click the plus (+) toolbar button.
    3. On the Add Counters dialog, click the Performance object drop-down menu and locate the Database entry.
  2. If the Database entry is present, the class is registered and there is likely another problem.
  3. If a Database entry is not present, register the following WMI class: Win32_PerfRawData_ESENT_Database WMI.
    1. Run the RegisterEsentWmiClass.vbs script included with Foglight for Active Directory.
    2. At a command line, enter: mofcomp %windir%\system32\wbem\scm.mof
    3. At a command line, enter: wmiadap /f

This procedure sets registry keys and refreshes the WMI database so it is aware of the change.

Kerberos configuration files

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

 


Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione