The following prerequisite conditions must be in place in order to successfully initialize an Active Directory agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Active Directory dashboards.
Note: The Remote Access Diagnostics utility, provided with this product, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Active Directory agent. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.
Note: Make sure to grant the minimum required privileges to your Active Directory® or Certificate Authority agent; otherwise the agent cannot start data collection.
An Active Directory account with Administrator permissions (domain or built-in administrators) must be specified in agent properties. This is the account used to run remote scripts. Foglight for Active Directory uses the userPrincipalName in the agent properties, so the sAMAccountName and the account CN must be identical. Also, they must not contain spaces, or LDAP authentication errors may occur.
To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:
Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.
Configuration steps:
Since Foglight for Active Directory uses an agent-less design, remote execution of scripts must be enabled on all domain controllers. If communication fails completely, you will not see server objects. If partial data is collected, the server object will appear in the UI and the metrics with values will be displayed.
Distributed COM (DCOM) must be enabled on all Domain Controllers (Active Directory Servers) or all Certificate Authority Servers.
To enable Distributed COM (DCOM):
For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.
The Remote Registry service must be running to allow agents remote access to the registry.
The account specified in the agent properties must have Full Control permissions on the registry keys.
Refer to the "Permissions on registry keys to configure DCOM command shell connection" section in the Foglight Agent Manager Guide for detailed information.
The Extensible Storage Engine (ESE) is the database engine used by Active Directory. Foglight for Active Directory collects metrics and fires alarms on ESE performance. It is recommended to verify that the Win32_PerfRawData_ESENT_Database WMI class is registered on each monitored domain controller by confirming that the 'Database' performance object exists in Performance Monitor (Perfmon). If this class is not registered, ESE queries fail with 0x80041010 errors.
To check and register the ESENT WMI Class:
This procedure sets registry keys and refreshes the WMI database so it is aware of the change.
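The following script is an added example, not Quest's code, that checks the prerequisites listed above from a single elevated Windows PowerShell session: account naming (UPN prefix, sAMAccountName and CN identical and without spaces), administrator group membership, the Remote Registry service, the DCOM EnableDCOM registry value, and registration of the Win32_PerfRawData_ESENT_Database class over a DCOM CIM session. It assumes the ActiveDirectory RSAT module is installed; the $AgentAccount and $ComputerName parameters are this script's own names.

```powershell
# Added example, not Quest's code. Run in an elevated Windows PowerShell session on a
# host with the ActiveDirectory RSAT module. $AgentAccount is the sAMAccountName of
# the account entered in the agent properties; $ComputerName is the domain controller
# (or CA server) to check. Both parameter names are this script's own.
param(
    [Parameter(Mandatory = $true)][string]$AgentAccount,
    [string]$ComputerName = $env:COMPUTERNAME
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Account naming. The agent binds with the userPrincipalName, so the UPN prefix,
#    sAMAccountName and CN must be identical and free of spaces.
Import-Module ActiveDirectory -ErrorAction Stop
$u = Get-ADUser -Identity $AgentAccount -Properties userPrincipalName, cn
$upnPrefix  = ($u.UserPrincipalName -split '@')[0]
$namesMatch = ($u.SamAccountName -eq $upnPrefix) -and ($u.SamAccountName -eq $u.CN)
$noSpaces   = ("$($u.SamAccountName)$($u.CN)$($u.UserPrincipalName)" -notmatch '\s')
Add-Check 'Account name consistency' ($namesMatch -and $noSpaces) `
    "UPN=$($u.UserPrincipalName) sAM=$($u.SamAccountName) CN=$($u.CN)"

# 2. Administrator permissions: domain or built-in Administrators (nested membership counts).
$adminSids = foreach ($g in 'Domain Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { $_.SID.Value }
}
Add-Check 'Administrator membership' ($adminSids -contains $u.SID.Value) 'Domain Admins or Administrators'

# 3. Remote Registry service must be running for remote registry access.
$svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName
Add-Check 'Remote Registry service' ($svc.Status -eq 'Running') "Status=$($svc.Status)"

# 4. DCOM enabled. Reading HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM through the remote
#    registry API also exercises the Remote Registry path the agent depends on.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $dcom = $hklm.OpenSubKey('SOFTWARE\Microsoft\Ole').GetValue('EnableDCOM')
    Add-Check 'DCOM enabled' ($dcom -eq 'Y') "EnableDCOM=$dcom"
} catch {
    Add-Check 'DCOM enabled' $false "Remote registry read failed: $($_.Exception.Message)"
}

# 5. ESENT performance class. Queried over a DCOM CIM session; a missing class is
#    what produces the 0x80041010 ESE query errors described above.
try {
    $cim = New-CimSession -ComputerName $ComputerName -SessionOption (New-CimSessionOption -Protocol Dcom)
    $ese = Get-CimClass -CimSession $cim -ClassName Win32_PerfRawData_ESENT_Database -ErrorAction SilentlyContinue
    Add-Check 'ESENT WMI class registered' ($null -ne $ese) 'Win32_PerfRawData_ESENT_Database'
    Remove-CimSession $cim
} catch {
    Add-Check 'ESENT WMI class registered' $false "DCOM CIM session failed: $($_.Exception.Message)"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it once per monitored domain controller, for example .\Test-FglamAdPrereqs.ps1 -AgentAccount svc_foglight -ComputerName dc7; a non-zero exit code means at least one prerequisite failed, so the same script can be scheduled as a pre-check before agent initialization. The Full Control permission on the registry keys is not checked here because the key list lives in the Foglight Agent Manager Guide.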
The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:
If none of these files are found, the Agent Manager attempts to create its own Kerberos configuration file based on the detected settings. The detection can only be done on Windows, so on Unix the file is not generated. On Unix platforms, you need to create your own Kerberos configuration file to establish WinRM connections using Negotiate authentication.
The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:
[libdefaults]
    default_realm = <REALM_NAME_IN_CAPS>

[realms]
    <REALM_NAME_IN_CAPS> = {
        kdc = <fully_qualified_kdc_name>
    }

[domain_realm]
    .<domain_in_lower_case> = <REALM_NAME_IN_CAPS>
This section provides information about problems that you might encounter while monitoring your environment with Foglight for Active Directory, and describes the solutions available to troubleshoot these problems.
Symptom: In some circumstances, DCs on Windows Server 2012/2012 R2 systems may experience high CPU usage when monitored by the Active Directory agent. This issue only appears when using WinRM connections. Using WMI/DCOM connections prevents this issue.
Resolution:
If this issue is encountered, contact Support for assistance.
To troubleshoot this issue directly, use Windows Task Manager to look for an increasing number of active conhost.exe or svchost.exe processes. If you see this, confirm the cause by adding the optional "Command Line" column to Task Manager (View > Select Columns > [ x ] Command Line); you should then see WinRM commands associated with the conhost.exe or svchost.exe instances.
If many of these processes are observed, increase the WinRM message envelope size from the default size of 500, as follows:
winrm set winrm/config @{MaxEnvelopeSizekb="1000"}
Microsoft® offers a workaround for this issue in the "Svchost.exe uses excessive CPU resources on a single-core Windows Server 2012 domain controller" article (KB 3118385).
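The following script is an added example, not Quest's or Microsoft's code, that automates the Task Manager check above: it samples the conhost.exe/svchost.exe instances whose command line references WinRM twice, reports whether the count is rising, and reads the current MaxEnvelopeSizekb so you can see whether the default of 500 is still in effect. The $Pattern regex is an assumption about how the WinRM-spawned command lines look; adjust it to match what the "Command Line" column shows on your domain controller.

```powershell
# Added example, not Quest's code. Run elevated on the affected domain controller
# (svchost.exe command lines are only visible to an elevated session). $Pattern is
# an assumption about how WinRM-spawned command lines look; adjust it to what the
# Task Manager "Command Line" column shows. Both parameters are this script's own.
param(
    [string]$Pattern = 'winrm|wsmprovhost|WSMan',
    [int]$SampleSeconds = 60
)

function Get-WinRmHostProcess {
    # conhost.exe/svchost.exe instances whose command line references WinRM
    Get-CimInstance -ClassName Win32_Process -Filter "Name='conhost.exe' OR Name='svchost.exe'" |
        Where-Object { $_.CommandLine -match $Pattern } |
        Select-Object ProcessId, Name, CreationDate, CommandLine
}

# Sample twice: the documented symptom is a count that keeps rising, not a fixed number.
$before = @(Get-WinRmHostProcess)
Start-Sleep -Seconds $SampleSeconds
$after  = @(Get-WinRmHostProcess)
$new    = $after | Where-Object { $_.ProcessId -notin $before.ProcessId }

"WinRM-related conhost/svchost processes: $($before.Count) -> $($after.Count) in $SampleSeconds s"
$new | Format-Table ProcessId, Name, CreationDate, CommandLine -AutoSize -Wrap

# Current envelope size; the documented default is 500 KB.
$envelopeKb = [int](Get-Item WSMan:\localhost\MaxEnvelopeSizekb).Value
"MaxEnvelopeSizekb = $envelopeKb"
if ($after.Count -gt $before.Count -and $envelopeKb -le 500) {
    'Process count is growing with the default envelope size. Documented mitigation:'
    '  winrm set winrm/config ''@{MaxEnvelopeSizekb="1000"}''   (quote the @{...} when typing it in PowerShell)'
}
```

The script only reports; it does not change the WinRM configuration. When the count keeps climbing over several samples, apply the winrm set command from this section (from cmd.exe as written, or with the @{...} argument quoted in PowerShell) and re-run the script to confirm the process count stabilizes.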
The following procedure is a best practice that is recommended for optimal performance.
Do NOT allow the Microsoft® automatic update feature to force an update of the server hosting the Foglight Management Server. The automatic update feature does not allow enough time for the Foglight Management Server to shut down gracefully, which may leave your agents in a broken state.
Symptom: Cartridge agents will appear to be deactivated on the Agent Status dashboard.
Resolution: Using the Agent Status dashboard, select the deactivated agent and select the Activate button. If you cannot activate the selected agent, delete and reinstall the agent.
Symptoms:
When upgrading to version 6.3.0, you encounter an error message similar to the following message (actual values may vary):
Error deploying package … Cause: The addition of 2097152kb to the negotiated JVM Max heap size would adjust to 2359296kb, which would exceed the total available physical memory of 1780736kb. Rejecting memory request.
Resolution:
This message indicates that the Agent Manager does not have sufficient heap memory to allocate to the requesting Foglight for Active Directory agent package. It is not possible to directly increase the amount of heap memory available to the Agent Manager, as it uses as much memory as the monitoring host can provide to it before issuing this message. The amount of memory available to be allocated to the Agent Manager must be increased, for example by adding more physical memory to the host. If the monitoring host is a virtual machine, more memory may be allocated to the VM.
If this is not possible, consider moving some agents, or the Agent Manager and all agents, to another monitoring host which has more memory capacity.
Symptoms:
2013-12-19 17:57:56.129 ECHO <ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent INFO> [Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Validate credentials for host: dc7.domain7.local
2013-12-19 17:57:56.130 ECHO <ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR [Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Could not establish a connection to host : dc7.domain7.local.
2013-12-19 17:57:56.130 ECHO <ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR [Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Data collection failure.
com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : dc7.domain7.local
at com.quest.agent.ad.ActiveDirectoryAgent.buildConfigOnCredential(ActiveDirectoryAgent.java:1290)
at com.quest.agent.ad.ActiveDirectoryAgent.access$000(ActiveDirectoryAgent.java:128)
at com.quest.agent.ad.ActiveDirectoryAgent$1.run(ActiveDirectoryAgent.java:1262)
at java.lang.Thread.run(Thread.java:662)
"A Credential with purpose xxxx has been encrypted with a lockbox that has not been granted to this Agent Manager"
Resolution:
Symptom:
The following exception message may be found in the Active Directory agent log.
2013-12-19 18:00:02.317 ECHO <ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR [Thread-35] com.quest.agent.ad.ActiveDirectoryAgent - Data collection failure.
java.util.concurrent.TimeoutException: Time out when query AD / EXC credentials.
at com.quest.agent.service.auth.impl.CredentialQueryResultImpl.get(CredentialQueryResultImpl.java:54)
at com.quest.agent.service.auth.impl.CredentialManagerImpl.queryCredential(CredentialManagerImpl.java:56)
at com.quest.agent.ad.ActiveDirectoryAgent.buildConfigOnCredential(ActiveDirectoryAgent.java:1285)
at com.quest.agent.ad.ActiveDirectoryAgent.access$000(ActiveDirectoryAgent.java:128)
at com.quest.agent.ad.ActiveDirectoryAgent$1.run(ActiveDirectoryAgent.java:1262)
at java.lang.Thread.run(Thread.java:662)
Resolution: Re-start the data collection.
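The following script is an added example, not Quest's code, that scans an Active Directory agent log for the two credential failures shown in this section (the NoCredentialsException / lockbox message and the "Time out when query AD / EXC credentials" TimeoutException) and maps each hit to the remedy this section gives. The sample log lines are constructed from the excerpts above so the script runs offline; $LogPath is this script's own parameter, and the lockbox remedy is inferred from the quoted message rather than stated by the page.

```powershell
# Added example, not Quest's code. $LogPath is this script's own parameter; when it is
# omitted, the constructed sample lines (taken from the excerpts in this section) are
# scanned instead so the script runs offline.
param([string]$LogPath)

# Each documented failure, the regex that identifies it, and the documented remedy.
$patterns = @(
    [pscustomobject]@{
        Name   = 'No credentials / lockbox not granted'
        Regex  = 'NoCredentialsException|encrypted with a lockbox that has not been granted'
        Remedy = 'Check that the lockbox holding this credential is granted to this Agent Manager (inferred from the message).'
    }
    [pscustomobject]@{
        Name   = 'Credential query timeout'
        Regex  = 'TimeoutException: Time out when query AD / EXC credentials'
        Remedy = 'Re-start the data collection.'
    }
)

function Find-AgentCredentialIssue {
    param([string[]]$Lines)
    $lastTime = ''   # exception lines carry no timestamp; reuse the preceding ERROR line's
    foreach ($line in $Lines) {
        if ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)') { $lastTime = $Matches[1] }
        foreach ($p in $patterns) {
            if ($line -match $p.Regex) {
                $target = if ($line -match 'Could not establish a connection to host : (\S+)') {
                    $Matches[1].TrimEnd('.')
                } else { '' }
                [pscustomobject]@{ Time = $lastTime; Issue = $p.Name; Target = $target; Remedy = $p.Remedy }
            }
        }
    }
}

# Constructed sample, assembled from the log excerpts in this section.
$sample = @(
    '2013-12-19 17:57:56.130 ECHO <ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR [Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Data collection failure.',
    'com.quest.glue.api.services.NoCredentialsException: Could not establish a connection to host : dc7.domain7.local',
    '    at com.quest.agent.ad.ActiveDirectoryAgent.buildConfigOnCredential(ActiveDirectoryAgent.java:1290)',
    '2013-12-19 18:00:02.317 ECHO <ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR [Thread-35] com.quest.agent.ad.ActiveDirectoryAgent - Data collection failure.',
    'java.util.concurrent.TimeoutException: Time out when query AD / EXC credentials.'
)

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample }
Find-AgentCredentialIssue -Lines $lines | Format-Table -AutoSize -Wrap
```

Against the sample it reports two rows: the 17:57:56 NoCredentialsException for dc7.domain7.local and the 18:00:02 credential timeout. Point -LogPath at the real agent log to scan a live file; the output can be piped to Export-Csv to track how often each failure recurs before and after a lockbox grant or a collection restart.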