Microsoft Operations Management Suite is Azure Cloud-based solution which is to manage and monitor Cloud and on-premise workload while not limiting to a specific vendor or a specific Operating system. OMS Supports hybrid and multi-cloud environments, including Microsoft's Azure, Amazon Web Services (AWS), OpenStack, Windows Server, Linux, and VMware.

Active directory is the baseline directory service on many organizations. Regardless of Microsoft services, other applications and services also highly depend on Active Directory as their identity provider. Undouble it’s the most critical platform in an organization which needs careful monitoring and auditing.

Why OMS for monitoring Active Directory

There are many tools to monitor and audit Active directory operations. Tools from SolarWinds, Manage Engines ADManager are much more popular and provide detail information on AD operations. But these are much more sophisticated solutions which have a higher licensing cost. I cannot say OMS is a better tool but rather simple and if you use it correctly you can get the same result as like an enterprise tool.

Auditing and Monitoring Active Directory

OMS is with four components, Log analytics, Automation, Protection & Recovery and Security & Compliance. These components can be used to monitor and manage various workloads. And OMS management solutions provide rich output while combining these solutions. Currently, there are two Active directory related management solutions provided by Microsoft. These come with Azure log analytics part of OMS. So, prices are applied only to log analytics. Also, AD auditing can be performed using azure log analytics search queries. It’s a rich language which you can easily write a query to get the desired output in a printable manner.

• Active Directory Health Check solution
• AD Replication Status solution
• Audit Security logs using Azure Log analytics

Active Directory Monitoring using AD Health check solution and AD Replication Solution

Before we start

• You should have an OMS subscription, you can use the free version which provides 500Mb’s daily upload and 7 days retention of log analytics data.
• OMS Agent should be installed in all Domain Controllers.
• Domain controllers should have internet, direct or through a proxy. If not, OMS gateway should be implemented.

Installing OMS Agent

• Login to the OMS portal or Azure portal
• Advance settings and Download the agent
  
  
  
• After downloading the agent, copy it to domain controllers and install the agent. Select Connect the agent to Azure Log Analytics (OMS)
  
  
  
• Next window provides the OMS workspace ID and Key found in OMS advance settings. If the server getting internet from proxy you can define the proxy details and continue next to install the agent.
• After a few minutes agents should be connected to the OMS. You can check this from OMS advance settings.
  

Active Directory Health check solution

AD Health check solution formally known as AD assessment is several health check assessments which run on regular intervals in domain controllers to identify issues and risks and provide recommendations to improve the existing infrastructure up to Microsoft best practices.

Its Free – you can use this solution with the free OMS log analytics bundle of 7 days retention and mbs data upload.

Login to the OMS portal or Azure Portal- Solution gallery – select Active Directory Health Check – Install

After a while, you can see the data collected from domain controllers are processed and shown in the Health Check solution. Click any error or recommendations which you need  to correct.

Note – if you cannot see all the domain controllers or data is not collected, you go to registry editor of particular DC to identify AD assessment is executed and time of it last executed. If you deleted the LastExecuted registry key, AD Assessment will run again in that domain controller.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-28d5fc07-da6e-43b2-8ef3-e1b9bd8cc180\Solutions\ADAssessment

AD Replication Status solution

AD Replication status solution will analyze the replication status of each connected domain controllers. It will help to identify and troubleshoot AD replication issues.

• Analyze the replication status for Domain controllers in AD Domain
• Expose AD replication errors and Helps to troubleshoot by providing links to TechNet knowledge base
• The dashboard helps to identify and track replications issues before DC going to Tombstone lifetime expire

Its Free – you can use this solution with the free OMS log analytics bundle of 7 days retention 500 mbs of data upload.

Login to the OMS portal or Azure Portal - Solution gallery – select Active Directory Replication – Install

After a while, you can see the data collected from domain controllers are processed and shown in the AD Replication solution. If there are no errors it will show as destination server with no errors.

Note - If you cannot see all the domain controllers or data is not collected you can navigate to the following registry value and delete the Lastexecuted key. AD replication monitor will run again in that domain controller and you can see the Lastexecuted key is newly generated.

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-28d5fc07-da6e-43b2-8ef3-e1b9bd8cc180\Solutions\ADReplication

Audit Security logs using Azure Log analytics

If you enabled auditing on domain controllers, it will generate a far amount of security data which you can use to search for events such as failed login or locked users. But searching this using native event viewer is not easy. OMS log analytics can be used to search these events and it will provide the information in rich presentable manner. Azure log analytics search query language also easy to understand. You can write queries and save those in log analytics for regular monitoring. Also, you can create dashboards using queries and regular monitor changes.

Some important use cases most customer face day in today's business

• Identify user’s login to the domain with a time range
• Users failed to login to the domain, incorrect password attempts, number of attempts, time where the failed attempts are made.
• Find the locked accounts. And from where the account was locked. Mainly accounts are locked by domain security policy after regularly failed attempts. But its hard to find where these attempts are made. You can use log analytics to track failed login attempts and generated IP address of those failed attempts.
• User accounts and groups created and by whom
• Any group membership changes, added to the group, removed from the group and who did this change. This is very important when domain admin group membership changes.

Not Free – to audit and monitor security events you should deploy the Security & Audit solution. Keep in mind that since 2017 that solution is now part of Azure Security Center rather Log Analytics which means separate pricing. Azure Security Center uses Log Analytics platform for storing data.

Search Queries

Following queries were made by me while analyzing the security events and relating them to the process. You can always improve these by adding more conditions and filters,  

Users logon to the domain by time ascending

SecurityEvent

| where AccountType =~ "user" and EventID == 4624

| summarize LastLogin = max(TimeGenerated )  by Account

| sort by LastLogin

Failed logon attempts by users

SecurityEvent

| where EventID == 4771

| summarize AggregatedValue = count() by TargetUserName

Failed logon attempts by Computer

SecurityEvent

| where EventID == 4771

| summarize AggregatedValue = count() by IpAddress

Locked Accounts

SecurityEvent

| where EventID == 4740

| extend Source= TargetDomainName

| summarize count() by TargetUserName,Source

User Account Created

SecurityEvent

| where (EventID == 624 or EventID == 4720)

| extend CreatedBy = SubjectAccount

| project TimeGenerated, TargetAccount, CreatedBy, Computer

User Account Deleted

SecurityEvent

| where (EventID == 630 or EventID == 4726)

| extend DeletedBy = SubjectAccount

| project TimeGenerated, TargetAccount, DeletedBy, Computer

Groups Created

SecurityEvent

| where (EventID == 631 or EventID == 4727)

| extend CreatedBy = SubjectUserName

| extend GroupName = TargetUserName

| project CreatedBy, GroupName, Activity, TimeGenerated

Group Deleted

SecurityEvent

| where (EventID == 634 or EventID == 4730)

| extend DeletedBy = SubjectUserName

| extend GroupName = TargetUserName

| project DeletedBy, GroupName, Activity, TimeGenerated

Group Membership Changes

search in (SecurityEvent) EventID == 4728 or EventID == 4732 or EventID == 4756 or EventID == 632 or EventID == 636 or EventID == 660 or EventID == 4729 or EventID == 4733 or EventID == 4757 or EventID == 633 or EventID == 637 or EventID == 661

| project  Activity , MemberName, TargetUserName, TimeGenerated

| sort by TimeGenerated desc

As above examples, you can develop more quires find the required information from security logs. Microsoft has provided guides and playing grounds to easily understand the language - https://docs.loganalytics.io/index

Hope this post has given you the knowledge on how to use Operations Management suite and Azure log analytics to monitor the Active directory. For my future posts, I’m hoping to release a full management solution with dashboards to audit and monitor the active directory.

Cheers

Asitha De Silva