Chat now with support
Chat with Support

Foglight for Active Directory 5.8.3 - User Guide

Navigation basics Exploring Foglight for Active Directory dashboards Managing Active Directory agents Reporting on your Active Directory enterprise Foglight for Active Directory views
Forest views Domain views Site views Domain Controller views Description of embedded views
Address Book view Agent State view Asynchronous Thread Queue view Core Services view Database Access view Database Cache view Database Log Access view Database Performance Health view Defragmentation Tasks view DFS Namespace Service API Queue view DFS Namespace Service API Requests view DFS Namespace Service Referrals view DFS Replicated Folders view DFS Replication Connections view DFS Replication Service Volumes view DFS-R Performance Health view Directory Replication Inbound view Directory Replication Outbound view Directory Replication Sync view Directory Replication USN view Directory Services General view Directory Services Performance Health view Directory Services Reads view Directory Services Searches view Directory Services Writes view Domain Controller Details view Domain Controllers view FileReplicaConn Authentications/Bindings view FileReplicaConn Change Orders view FileReplicaConn Fetch view FileReplicaSet Authentications/Bindings view FileReplicaSet Change Orders view FileReplicaSet DS Communications view FileReplicaSet Files view FileReplicaSet Local Change Orders view FileReplicaSet Packets view FileReplicaSet Remote Change Orders view FRS Performance Health view FRS Replica Sets view FRS Staging Files view FSMO Roles view (Domain) FSMO Roles view (Forest) Host Monitor view Inter-Site Transports view Inventory By Category view IP Subnets view Key Distribution Center view LDAP view Memory view Network view Processor view Replication Performance Health view Resource Utilization view Security Accounts Manager view Server Health view Statistics view Storage view Summary and Resource Information view Top AD Metrics view Top 3 Consumers view Top 3 CPU Consumers view Top 3 DS Directory Reads/sec view Top 3 LDAP Bind Times view Top 3 Memory Consumers view Top 3 Network Consumers view Top 3 Replication Queue Length view Top 3 Storage Consumers view Trusts view USN Records view
Foglight for Active Directory rules Running diagnostic tests Managing Active Directory metrics

Agent Management view

Once Active Directory® agent or Certificate Authority agents are added, the Agent Management list displays all of the agent instances configured to monitor metrics.

The Agent Management view contains the following information for each configured Active Directory or Certificate Authority agent instance.

Use the selection check boxes to select agent instances for activation/deactivation, starting/stopping data collection, editing properties, or removal.

Domain Controller (Active Directory only)

Displays the name of the DCs being monitored by an Active Directory agent instance.

Host Name (Certificate Authority only)

Displays the name of the server being monitored by a Certificate Authority agent instance.

Status

Indicates whether the agent instance for a Domain Controller or a Host is activated. A green check mark in this check box indicates that the agent is active.

Collecting Data

Indicates whether the agent instance is currently collecting data. A green check mark in this check box indicates that the agent is collecting data.

Agent Name

Displays the name of the agent instance created for a DC or a host.

Agent Manager

Displays the name of the Foglight Agent Manager Host assigned to each agent instance.

Edit

Click the icon in this column to update agent properties using the Agent Edit wizard. For more information, see Edit private agent properties.

Log File

Click the icon in this column to download the agent log.

Version

Displays the agent version. A green check mark icon indicates that the agent version is up to date.

Alarms

Displays the number of alarms occurred on each agent instance.

Use the buttons at the top of this list to manage your Active Directory or Certificate Authority agent instances, as described in the following table.

Select to launch the Agent Setup wizard to add and configure new Active Directory agent instances. For more information, see Add and configure new Active Directory agents.

Select to activate the selected agent instance(s).

Select to deactivate the selected agent instance(s).

Select to start collecting data on the selected agent instance(s).

Select to stop collecting data on the selected agent instance(s).

Select to remove the selected agent instance(s).

Create and assign credentials for an Active Directory agent created before version 5.6.6.

Verify agent configuration. For more information, see Inspect agent prerequisites.

NOTE: This button is only available in the Agents > Active Directory tab.

Search for an Active Directory agent using the Search filter.

The Agent Setup wizard steps you through the process of adding and configuring Active Directory® agent instances on one of more Domain Controllers (DCs).

1
At the top of the Agent Management view, click Active Directory, and then click Add to launch the Agent Setup wizard.
2
On the Prepare page, carefully read the instructions about the steps that you need to take before proceeding with the wizard.
3
On the Auto-Discovery or Manual page, indicate if you want to manually configure an Active Directory agent to monitor a single Domain Controller, or search your domain and auto-discover Domain Controllers via LDAP. Click Next.
If you selected Auto-discover, continue with Step 4.
If you selected Manual, continue with Step 6.
4
On the Select the Search Domain page, specify the domain to search for Domain Controllers, where Active Directory agent instances are to be created and activated.
Domain: Type the fully qualified name (myDomain.com) of a domain to search for Domain Controllers (DCs).
User Name: Type the user principal name of the account to be used to query Active Directory® on the selected domain.The following formats are accepted for the user principal name: myUser@myDomain.com, myUser, and myDomain.com\myUser.
Password: Enter the password associated with the above user account.
Enable SSL For LDAP: Selecting this check box if security LDAP is required.
Click Next.
NOTE:
1. When selecting
Enable SSL For LDAP, import the root certificate of the monitoring domain into both FglAM and Foglight keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into both FMS and FglAM keystore in FIPS-compliant mode, refer to Managing certificates for FglAM and Managing certificates for FMS in FIPS-compliant mode .
For detailed information on how to import certificate into both FMS and FglAM keystore in non-FIPS mode, refer to Managing certificates for FglAM and Managing certificates for FMS in non-FIPS mode .
5
On the Select Servers page, select one or more DCs that you want to monitor.
Domain Controller: Displays the name of the DCs found on the selected domain.
Active Directory Agent Exists: Indicates whether an Active Directory agent instance has already been created for a DC. A green check mark in this check box indicates that an agent instance has already been created for the DC. DCs already monitored by other Active Directory agents are unavailable for selection in the list.
Click Next.
6
On the Configure Agent Properties page, review the Active Directory agent properties, and edit them, as necessary. select the agent properties, as necessary.
Domain Controller(s): The name of the domain controller found on the selected domain.
Communication Protocol: Selects to run the WMI query through DCOM or WinRM.
WinRM Port: The WinRM port number on the monitored Domain Controller. This property only appears if the Communication Protocol is set to WinRM through HTTP or WinRM through HTTPS.
NOTE:
1. When setting
Communication Protocol as WinRM through HTTPs, import the root certificate of the monitoring domain into FglAM keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into FglAM keystore, refer to Managing certificates for FglAM .
LDAP Authentication Mechanism: The authentication scheme used to connect to the LDAP server: Simple (default) or Kerberos.
Enable SSL For LDAP: Indicates if the LDAP connection is secure or not (default).
NOTE:
1. When selecting
Enable SSL For LDAP, import the root certificate of the monitoring domain into both FglAM and Foglight keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into both FMS and FglAM keystore in FIPS-compliant mode, refer to Managing certificates for FglAM and Managing certificates for FMS in FIPS-compliant mode .
For detailed information on how to import certificate into both FMS and FglAM keystore in non-FIPS mode, refer to Managing certificates for FglAM and Managing certificates for FMS in non-FIPS mode .
Is a Virtual Host?: Indicates if the selected Domain Controller runs on a virtual host.
Virtual Environment: The type of the virtual environment: VMware or Hyper-V. This property only appears if the selected Domain Controller runs on a virtual host.
7
On the Select the Agent Manager Host page, select the Foglight Agent Manager Host to be used for the new Active Directory agent instances.
The Active Directory Agent Package Deployed column indicates whether the Active Directory agent package has been deployed to the Foglight Agent Manager host(s). A green check in this column indicates that the Active Directory agent package has been deployed.
The Windows Agent Package Deployed column indicates whether the Windows agent package is already deployed to the Agent Manager host(s). A green check in this column indicates that the Windows agent package has been deployed. This column is displayed only if the selected Domain Controller runs on a physical host.
Click Next.
8
On the Assign and Validate Credentials page, review the available credentials, and edit them, as necessary.
To create a new credential, click Add host(s) to a new credential.
In the Create New Credential and Assign dialog box, create a credential that you want to use to access the monitored resource. Type a new credential name, domain, user name, password, and lockbox, and click Submit.
To select an existing credential, click Add host(s) to an existing credential.
In the Select Existing Credential dialog box, select an existing credential, and click Submit.
To bypass the prerequisites verification, select the Do not check for prerequisites check box.
Click Next.
9
On the Summary page, review the configuration settings chosen for the new agent, and its prerequisite diagnostics, including:
Active Directory Agent: The name of the selected Active Directory agent instance.
Windows Agent: The name of the selected Windows agent instance.
Success: The agent instance can connect to the monitored Domain Controller and collect data.
Error: The agent instance cannot connect to the monitored Domain Controller instance and collect data. Click this link to find out what causes this error. Carefully review the information in the popup that appears in order address the problem.
Click Finish.

The Agent Setup wizard steps you through the process of adding and configuring Certificate Authority agent instances on one of more host servers.

NOTE:  
Foglight for Active Directory only supports the monitoring of the environment installed with the Certificate Authority Enterprise Edition. Before creating a CA agent, click the Script for configuring the Active Directory settings link on the Administration > Tasks list to download and run a script that automatically configures the DCOM and WinRM. For more information, see the readme.txt file included in the script ZIP file.
To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:
1
At the top of the Agent Management view, click Certificate Authority, and then click Add to launch the Agent Setup wizard.
2
On the Configure CA Agent Properties page, specify the host where Certificate Authority agent instances are to be created and activated.
Host Name: Type the fully qualified name of a Certificate Authority server.
Communication Protocol: Selects to run the WMI query through DCOM or WinRM.
WinRM Port: The WinRM port number on the monitored Host. This property only appears if the Communication Protocol is set to WinRM through HTTP or WinRM through HTTPS.
NOTE:
1. When setting
Communication Protocol as WinRM through HTTPs, import the root certificate of the monitoring domain into FglAM keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into FglAM keystore, refer to Managing certificates for FglAM .
Click Next.
3
On the Select the Agent Manager Host page, select the Foglight Agent Manager Host to be used for the new Certificate Authority agent instances.
The Certificate Authority Agent Package Deployed column indicates whether the Certificate Authority agent package has been deployed to the Foglight Agent Manager host(s). A green check in this column indicates that the Certificate Authority agent package has been deployed.
Click Next.
4
On the Assign and Validate Credentials page, review the available credentials, and edit them, as necessary.
To create a new credential, click Add host(s) to a new credential.
In the Create New Credential dialog box, create a credential that you want to use to access the monitored resource. Type a new credential name, domain, user name, password, and lockbox, and click Submit.
To select an existing credential, click Add host(s) to an existing credential.
In the Assign Credential dialog box, select an existing credential, and click Assign.
Click Next.
5
On the CA Summary page, review the configuration settings chosen for the new agent, and its prerequisite diagnostics, including:
Host Name: The name of the selected Certificate Authority agent instance.
Communication Protocol: The communication protocol selected to run the WMI query.
WinRM Port: The WinRM port number on the monitored Host. This property only appears if the Communication Protocol is set to WinRM through HTTP or WinRM through HTTPS.
Agent Manager: The name of the selected Foglight Agent Manager Host to be used for the new Certificate Authority agent instances.
Click Finish.

The Agent Setup wizard closes. The Certificate Authority agent is now added and configured, and appears in the Agent Management view, on the Administration > Certificate Authority tab.

The Agent Edit wizard guides you through the process of editing private agent properties.

2
In the Agent Edit wizard, on the Configure Agent Properties page, review the Active Directory agent properties, and edit them, as necessary.
Domain Controller(s): The name of the domain controller found on the selected domain.
Communication Protocol: Selects to run the WMI query through DCOM or WinRM.
WinRM Port: The WinRM port number on the monitored Domain Controller. This property only appears if the Communication Protocol is set to WinRM through HTTP or WinRM through HTTPS.
NOTE:
1. When setting
Communication Protocol as WinRM through HTTPs, import the root certificate of the monitoring domain into FglAM keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into FglAM keystore, refer to Managing certificates for FglAM .
LDAP Authentication Mechanism: The authentication scheme used to connect to the LDAP server: Simple (default) or Kerberos.
Enable SSL For LDAP: Indicates if the LDAP connection is secure or not (default).
NOTE:
1. When selecting
Enable SSL For LDAP, import the root certificate of the monitoring domain into both FglAM and Foglight keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into both FMS and FglAM keystore in FIPS-compliant mode, refer to Managing certificates for FglAM and Managing certificates for FMS in FIPS-compliant mode .
For detailed information on how to import certificate into both FMS and FglAM keystore in non-FIPS mode, refer to Managing certificates for FglAM and Managing certificates for FMS in non-FIPS mode .
Is a Virtual Host?: Indicates if the selected Domain Controller runs on a virtual host.
Virtual Environment: The type of the virtual environment: VMware or Hyper-V. This property only appears if the selected Domain Controller runs on a virtual host.
Host Info Provider: Indicates the host metrics collected by the Windows agent or the Active Directory agent.
Click Next.
3
On the Assign and Validate Credentials page, review the available credentials, and edit them, as necessary.
To create a new credential, click Add host(s) to a new credential.
In the Create New Credential and Assign dialog box, create a credential that you want to use to access the monitored resource. Type a new credential name, domain, user name, password, and lockbox, and click Submit.
To select an existing credential, click Add host(s) to an existing credential.
In the Select Existing Credential dialog box, select an existing credential, and click Submit.
Click Next.
4
On the Summary page, review the newly updated configuration settings, then click Finish.
The Agent Edit wizard closes. The agent properties are now updated.

The Agent Edit wizard guides you through the process of editing CA agent properties.

1
In the Agent Management > Certificate Authority view, in the row containing the agent whose properties you want to edit, click the Edit column.
2
In the Agent Edit wizard, on the Configure CA Agent Properties page, review the Certificate Authority agent properties, and edit them, as necessary.
Host Name: Type the fully qualified name of a Certificate Authority server.
Communication Protocol: Selects to run the WMI query through DCOM or WinRM.
WinRM Port: The WinRM port number on the monitored Host. This property only appears if the Communication Protocol is set to WinRM through HTTP or WinRM through HTTPS.
NOTE:
1. When setting
Communication Protocol as WinRM through HTTPs, import the root certificate of the monitoring domain into FglAM keystore.
2. Ensure that the Subject Alternative Name of the certificate used by LDAP service includes both server FQDN and Domain name.
For detailed information on how to import certificate into FglAM keystore, refer to Managing certificates for FglAM .
Click Next.
3
On the Assign and Validate Credentials page, review the available credentials, and edit them, as necessary.
To create a new credential, click Add host(s) to a new credential.
In the Create New Credential dialog box, create a credential that you want to use to access the monitored resource. Type a new credential name, domain, user name, password, and lockbox, and click Submit.
To select an existing credential, click Add host(s) to an existing credential.
In the Assign Credential dialog box, select an existing credential, and click Assign.
Click Next.
4
On the CA Summary page, review the configuration settings chosen for the new agent, and its prerequisite diagnostics, including:
Host Name: The name of the selected Certificate Authority agent instance.
Communication Protocol: The communication protocol selected to run the WMI query.
WinRM Port: The WinRM port number on the monitored Host. This property only appears if the Communication Protocol is set to WinRM through HTTP or WinRM through HTTPS.
Agent Manager: The name of the selected Foglight Agent Manager Host to be used for the new Certificate Authority agent instances.
Click Finish.

The Agent Edit wizard closes. The Certificate Authority agent is updated automatically in the Agent Management view, on the Administration > Certificate Authority tab.

If any monitoring agents are unable to collect data or connect to the monitored Domain Controllers, you can inspect the underlying cause using the Prerequisites Diagnostic button on the Agent Management toolbar.

2
Review the results in the Prerequisites Diagnostic dialog box.
Agent Name: The name of the selected Active Directory agent instance.
Monitored Host: The name of the host on which the monitored Domain Controller is running.
Success: The agent instance can connect to the monitored Domain Controller and collect data.
Error: The agent instance cannot connect to the monitored Domain Controller and collect data. Click this link to find out what causes this error. Carefully review the information in the popup that appears in order address the problem.

Managing certificates

In order to successfully make use of the Foglight commands in your monitoring environment, review the syntax conventions before getting started. The syntax conventions are as follows:

<foglight_home> is a placeholder that represents the path to the Foglight Management Server installation.
<foglight_agent_mgr_home> is a placeholder that represents the path to the Foglight Agent Manager installation. This can be the location of the Foglight Agent Manager installation on a monitored host, or the home directory of the Foglight Agent Manager that comes embedded with the Foglight Management Server. For example:

Foglight Evolve agents use Foglight Agent Manager (FglAM) to manage certificates for SSL encryption connection.

All the certificate-related command line options require that FglAM be up and running.

bin/fglam --add-certificate "user alias 1"=/path/to/certificate/file

The alias is required and is used in the list and delete operations to refer to the certificate. It can be anything.

bin/fglam --list-certificates

Print out a list of certificates and the aliases that refer to them.

Refer to the example output below:

Remove a certificate referred to by an alias.

bin/fglam --delete-certificate "user alias 1"

Use the keytool utility shipped with Foglight to create, import, or export certificates. This utility can be found at: <foglight_home>\jre\bin\keytool.

There are two FMS running modes:

The KeyStore Foglight used under non-FIPS mode is located at: <foglight_home>/jre/lib/security/cacerts (default password: changeit)

Use the keytool command in FMS JRE located in <foglight>/jre/bin

keytool -import -trustcacerts -alias "<alias>" -file "<certificate path>" -keystore <foglight_home>/jre/lib/security/cacerts -storepass changeit

<alias>: The alias is required and is used in the list and delete operations to refer to the certificate. It can be anything.
<foglight_home>: The folder path where the Foglight is installed.
<certificate path>: Your custom certificate path.

keytool -list -keystore <foglight_home>/jre/lib/security/cacerts -storepass changeit

Remove a certificate referred to by an alias.

keytool -delete -alias <alias> -keystore <foglight_home>/jre/lib/security/cacerts -storepass changeit

The KeyStore Foglight used in FIPS-compliant mode is located at: <foglight_home>/config/security/trust.fips.keystore (default password: nitrogen)

Use the keytool command in FMS JRE located in <foglight>/jre/bin.

keytool -import -trustcacerts -alias "<alias>" -file "<certificate path>" -keystore "<Foglight_home>/config/security/trust.fips.keystore" -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "<Foglight_home>/server/core/bc-fips.jar" -storepass nitrogen

<alias>: The alias is required and is used in the list and delete operations to refer to the certificate. It can be anything.
<Foglight_home>: The folder path where Foglight is installed.
<certificate path>: Your custom certificate path.

keytool -list -keystore "<Foglight_home>/config/security/trust.fips.keystore" -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "<Foglight_home>/server/core/bc-fips.jar" -storepass nitrogen

Prints out a list of certificates and the aliases that refer to them.

Refer to the example output below:

Remove a certificate referred to by an alias.

keytool -delete -alias <alias> -keystore "<Foglight_home>/config/security/trust.fips.keystore" -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "<Foglight_home>/server/core/bc-fips.jar" -storepass nitrogen

C:\Quest\Foglight\jre\bin>keytool -import -trustcacerts -alias "Evolve-Test" -file "D:/Evolve-test.crt" -keystore "C:/Quest/Foglight/config/security/trust.fips.keystore" -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "C:/Quest/Foglight/server/core/bc-fips.jar" -storepass nitrogen

Owner: CN=CA, DC=ca, DC=local

Issuer: CN=CA, DC=ca, DC=local

Serial number: xxxx

Valid from: Sun Jan 06 23:07:06 CST 2019 until: Wed Apr 06 23:07:06 CST 2022

Certificate fingerprints:

...

 

Extensions:

...

Trust this certificate? [no]: yes

Certificate was added to keystore

Active Directory agent properties

The primary properties for an Active Directory® agent instance are required to connect to the target server from which data is to be collected. These properties are either specified when the agent instance is configured or they have a pre-defined default value.

To display an agent’s properties page, use one of the following methods:

From the navigation panel, navigate to Dashboards > Administration > Agents > Agent Properties. On the Agent Properties dashboard, select an agent. The Properties panel is displayed, showing the current properties for the selected agent instance.
From the navigation panel, navigate to Dashboards > Administration > Agents > Agent Status. On the Agent Status dashboard, select an agent from the list and click Edit > Edit Properties. The Agent Status dashboard refreshes, showing the current properties for the selected agent instance.

For more information on using the Agent Status dashboard to edit agent properties, see the Foglight Administration and Configuration Help.

The following tables describe the properties that can be modified for either an individual or all Active Directory agent instances, by clicking Modify the private properties for this agent or Modify the properties of all ActiveDirectory agents links, respectively.

For additional information, see these topics:

Configuration

Use the properties in the Configuration panel to specify the target server from which data is to be collected, to define what cartridge is to be used to collect the host metrics, and specify whether the target server is a virtual machine.

Host Name

N/A

The fully qualified domain name (myServer.myDomain.com) of the target server from which data is to be collected.

Host Collector

 

The host metrics (CPU, Memory, Network, Storage) displayed in Foglight for Active Directory can be collected by the Foglight for Active Directory, Foglight for Hyper-V, Foglight for VMware, or Foglight for Infrastructure cartridge.

Select the host collector to be used to collect host metrics:

AD (included) - if selected, all host collections are collected based on the interval set in the collection schedule.
Hyper-V (must be installed) - if selected, the logical disk space metrics are collected based on the interval set in the collection schedule; all other host metrics are collected based on the settings in the Foglight for Hyper-V cartridge. The “Memory In Use” is not available and will be blank in this configuration.
VMWare (must be installed) - if selected, the host collections are skipped regardless of the value in the collection schedule. That is, all host collections are collected based on the settings in the Foglight for VMWare cartridge.
Infrastructure (must be installed) - if selected, the host collections are skipped regardless of the value in the collection schedule. That is, all host collections are collected based on the settings in the Foglight for Infrastructure cartridge.

Communication Protocol

WinRM Through HTTPS

Selects to run the WMI query through DCOM, WinRM Through HTTP, or WinRM Through HTTPS.

WinRM Port

5986

Determines the WinRM port number in the monitored server.

Enable SSL For LDAP

False

Enables/ disables security LDAP connection.

LDAP Authentication Scheme

Basic

Supports both Basic and Kerberos authentication schemes, when connected to LDAP server.

Activate adobjects Collector

True

Turns on/ off the adobjects (user count, groups count, computer count) collection. In one domain, it only needs one agent to collect such information.

Network Connection TimeOut

51,000

Specifies how long (milliseconds) the system waits for a response from the remote server before it times out. That is, this is the time in milliseconds that a data collection query will run before it is presumed to have failed and the network connection is terminated.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating