AAD Connect ships with a Health Agent that monitors the AAD Connect server and uploads its monitoring data to Azure AD.
The events can be viewed from portal.office.com: choose Azure Active Directory, then under Manage choose Azure AD Connect.
On the right pane, under Health and Analytics, click Azure Active Directory Connect Health.
Now that we know how AAD Connect is monitored by the AAD Connect Health Agent: the same agent can also be used to monitor the ADFS server and the ADFS-Proxy server.
To do so,
- Download the AAD Connect Health Agent from https://www.microsoft.com/en-us/download/details.aspx?id=48261
- Run the setup and make sure you are installing the ADFS agent.
- It will prompt you to “Configure now”. Click on it.
- You will see the following
Make sure auditing is enabled on the ADFS server, otherwise those events will never reach the Azure portal.
To do so,
1. Open Windows PowerShell on the ADFS server.
2. Run the following command:
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
3. Open the AD FS management console, click “Edit Federation Service Properties”, and under the Events tab check all the events.
Once you’ve done that, events will start showing up in Azure Active Directory Connect Health.
Of course you can monitor a lot of events. To know more,
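A way to check both prerequisites (the local audit policy and the AD FS service log level) from one elevated PowerShell session, and to enable them with -Fix, as an added example that is not part of the original post. It assumes the AD FS PowerShell module (Get-AdfsProperties / Set-AdfsProperties) is available on the server, and the -Fix switch is defined here, not by any Microsoft tool.

```powershell
# Added example (not from the original post): verify, and with -Fix enable,
# the two AD FS auditing prerequisites that Connect Health for AD FS relies on.
# Run in an elevated PowerShell session on the AD FS server.
param([switch]$Fix)

$Subcategory    = "Application Generated"
$RequiredLevels = @("SuccessAudits", "FailureAudits")

function Test-AuditPolicy {
    # auditpol prints "<subcategory>  <Inclusion Setting>"; we need "Success and Failure".
    $out = (auditpol.exe /get /subcategory:"$Subcategory") -join "`n"
    return ($out -match "Success and Failure")
}

function Test-AdfsLogLevel {
    # Get-AdfsProperties exposes the enabled log levels as a string array.
    $levels = (Get-AdfsProperties).LogLevel
    foreach ($l in $RequiredLevels) {
        if ($levels -notcontains $l) { return $false }
    }
    return $true
}

$policyOk = Test-AuditPolicy
$adfsOk   = Test-AdfsLogLevel

if ($Fix) {
    if (-not $policyOk) {
        # Same command as in the post: enable success and failure auditing locally.
        auditpol.exe /set /subcategory:"$Subcategory" /failure:enable /success:enable | Out-Null
        $policyOk = Test-AuditPolicy
    }
    if (-not $adfsOk) {
        # Equivalent of ticking the audit boxes under
        # "Edit Federation Service Properties" > Events, keeping what is already set.
        $current = (Get-AdfsProperties).LogLevel
        Set-AdfsProperties -LogLevel (@($current) + $RequiredLevels | Select-Object -Unique)
        $adfsOk = Test-AdfsLogLevel
    }
}

# Summary object: both values must be $true before the agent can show audit events.
[pscustomobject]@{
    Server                = $env:COMPUTERNAME
    AuditPolicyEnabled    = $policyOk
    AdfsAuditsEnabled     = $adfsOk
    ReadyForConnectHealth = ($policyOk -and $adfsOk)
}
```

On AD FS for Windows Server 2016 and later, Get-AdfsProperties also exposes an AuditLevel setting (None, Basic or Verbose); it must not be set to None or the audit events are not written at all.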
A recent .NET Framework update is causing the AAD Connect server to crash, or its CPU utilization to go up to 100%.
Go to Task Manager and check the list of processes.
If Microsoft.Online.Reporting.MonitoringAgent.Startup is consuming high CPU, or
if you have the following update installed,
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
then update your Azure AD Connect Health Agent as soon as possible to avoid or stop a major issue in your infrastructure.
Use the following link to learn how to update them,
AAD Connect is very flexible when the organization expands, but at the same time we should make sure AAD Connect is kept up to date to cope with the changes.
One of the incidents I’ve encountered may help others.
Issue: Cannot add new connectors to AAD Connect
I wanted to add a new forest to sync to Azure AD. All these users are going to be in the same Office 365 tenant.
When I add the connector (the Microsoft way, using the AAD Connect wizard), I get the following error
When I check the logs,
- Checked the ports to see if the domain is reachable
- Made sure the domain name resolves to the right IPs
- The schema made me feel that the service account doesn’t have rights on the forest that is being added
- Checked the permissions: it is all good
- Changed the permission to Domain Admin
- Adding a new connector
- Added a new connector manually (click the new connector from the Synchronization Service console)
- Pointed it to the forest
- When I right-clicked and chose “Search Connector Space”, I could see all the objects from the domain (it won’t sync anyway, as the sync rules won’t get populated if you use “Create” connector)
At this point, I understood that it is not a problem with the forest that I’m trying to add.
I ran the wizard without adding the connector and got the same error. So this proves that there is an issue with an existing connector.
I ran “Refresh schema” on all the existing connectors. I found that one of the connectors had schema changes that weren’t picked up by AAD Connect (one of the forest administrators had installed an Exchange server in their infrastructure).
After refreshing the schema, I ran the wizard and it went like a charm.