The script sends results of AD DC diagnostic tests to Zabbix.
The script automatically creates all items on the Zabbix server through the API. You don't have to create them manually.
This solution is based on the Microsoft dcdiag.exe and repadmin.exe utilities, which exist on a server with the Domain Controller role, and on Microsoft PowerShell, which is built into Windows.
- Copy files AD DC diag.ps1 and functions_zabbix.ps1 to any folder on AD DC. And don't forget functions_zabbix.ps1
- Run script AD DC diag.ps1 with elevated permissions and check for errors.
- Login to server with account which has sufficient permissions
- Run Powershell ISE "as administrator" (from context menu)
- Open AD DC diag.ps1
- Edit first line of script with $zabbix_server_url variable. Save script.
- Tailor function Zabbix-GetProxyByHostname for your infrastructure and naming conventions.
- Set the $user and $password variables on the command line (they are case-sensitive!). They are only needed for the setup run; do not add them to the script, for security reasons.
- Run AD DC diag.ps1
- Check for errors
Script will add all appropriate keys to zabbix (via Zabbix API)
Now let's configure regular sending of monitoring data to these keys
- Add script to Windows task scheduler:
Import task from "AD DC diag monitoring.xml" file
OR create it manually (there is a caveat here if you want to use the SYSTEM account)
"Create Task..."
- In General tab:
Name: enter any task name as you wish. For instance: "AD DC diag monitoring"
"When running the task, use the following user account:"
Enter account with sufficient permissions for reading AD DC data
DO NOT set checkbox "Do not store password"
Just for information, NT AUTHORITY/SYSTEM will work ok, but you cannot choose it from task scheduler on AD DCs
- "Run whether user is logged on or not"
- "Run with highest privileges"
- Configure for: set latest version
- In Triggers tab:
"New..."
Begin task: On a schedule (default)
One time (default)
Repeat task every: 5 minutes (it is the minimum. You can set another value if you like)
For a duration of: Indefinitely
Stop task if it runs longer than: 30 minutes (this is optional parameter, just in case)
Enabled (default)
- In Actions tab:
"New..."
Action: Start a program
Program/script: Powershell.exe
(or: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Add arguments (optional): -NoProfile -ExecutionPolicy Bypass -File "c:\zabbix\scripts\AD DC diag.ps1" -Mode "Scheduler"
(edit path to script here. And this is NOT optional :-) )
- In Settings tab:
Stop the task if it runs longer than: 1 hour (this is optional parameter, just in case)
- After clicking OK don't forget to enter the (correct!) password for the account. (Of course, if you entered NT AUTHORITY/SYSTEM, you will not be prompted for a password)
- Run the created task and see that the status changed to Ready and Last Run Result is (0x0)
- Check that the Zabbix server correctly receives data (see Latest data, Hosts: your host, Name: AD)
- Repeat for every DC in your infrastructure
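The scheduler steps above can also be scripted, which sidesteps the GUI limitation on choosing NT AUTHORITY/SYSTEM. This is an added example, not part of the original project; it assumes the task name and script path used as examples above and the ScheduledTasks cmdlets that ship with Windows Server.

```powershell
# Assumed values: the example task name and script path from the steps above.
$taskName   = 'AD DC diag monitoring'
$scriptPath = 'c:\zabbix\scripts\AD DC diag.ps1'

$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument ('-NoProfile -ExecutionPolicy Bypass -File "{0}" -Mode "Scheduler"' -f $scriptPath)

# One-time trigger that repeats every 5 minutes. Windows Server 2016 and later
# treat a missing -RepetitionDuration as "indefinitely"; older releases may
# require an explicit -RepetitionDuration.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)

# SYSTEM needs no stored password; -RunLevel Highest is "Run with highest privileges".
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Settings tab: stop the task if it runs longer than 1 hour.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# The task executes this file as SYSTEM on a DC, so list every ACE that lets a
# principal other than SYSTEM or Administrators change it, and review the result.
(Get-Acl -LiteralPath $scriptPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl' -and
        $_.IdentityReference.Value -notmatch 'SYSTEM$|\\Administrators$'
    } |
    Format-Table IdentityReference, FileSystemRights -AutoSize

# Run once, wait for completion, then read the value shown as "Last Run Result".
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running') {
    Start-Sleep -Seconds 5
}
'Last Run Result: 0x{0:X}' -f (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
```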
In general, these diagnostics cannot be made as a template. Dcdiag.exe returns most results with the DC name, but some with the domain name, which cannot be known in general.
Also, there are two similar results in dcdiag.exe output: <DC> passed test DNS and <DOMAIN> passed test DNS
Full output of dcdiag.exe (only strings with test results):
......................... <DC> passed test Connectivity
......................... <DC> passed test Advertising
......................... <DC> passed test CheckSecurityError
......................... <DC> passed test CutoffServers
......................... <DC> passed test FrsEvent
......................... <DC> passed test DFSREvent
......................... <DC> passed test SysVolCheck
......................... <DC> passed test FrsSysVol
......................... <DC> passed test KccEvent
......................... <DC> passed test KnowsOfRoleHolders
......................... <DC> passed test MachineAccount
......................... <DC> passed test NCSecDesc
......................... <DC> passed test NetLogons
......................... <DC> passed test ObjectsReplicated
......................... <DC> passed test Replications
......................... <DC> passed test RidManager
......................... <DC> passed test Services
......................... <DC> passed test SystemLog
......................... <DC> passed test Topology
......................... <DC> passed test VerifyReferences
......................... <DC> passed test VerifyReplicas
......................... <DC> passed test DNS
......................... ForestDnsZones passed test CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
......................... Schema passed test CheckSDRefDom
......................... Schema passed test CrossRefValidation
......................... Configuration passed test CheckSDRefDom
......................... Configuration passed test CrossRefValidation
......................... <DOMAIN> passed test CheckSDRefDom
......................... <DOMAIN> passed test CrossRefValidation
......................... <DOMAIN> passed test DNS
......................... <DOMAIN> passed test LocatorCheck
......................... <DOMAIN> passed test FsmoCheck
......................... <DOMAIN> passed test Intersite
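One way to turn these result lines into unambiguous monitoring keys, so that the DC-level and domain-level DNS tests do not collide. This is an added example, not the project's own code; the function name, the ad.dcdiag[...] key format and the sample names DC01 and corp.example are hypothetical.

```powershell
# Constructed sample of dcdiag.exe result lines (DC01 / corp.example are placeholders).
$sample = @'
......................... DC01 passed test Connectivity
......................... DC01 failed test Replications
......................... DC01 passed test DNS
......................... ForestDnsZones passed test CheckSDRefDom
......................... Schema passed test CrossRefValidation
......................... corp.example passed test DNS
......................... corp.example passed test FsmoCheck
'@ -split "`r?`n"

function ConvertFrom-DcdiagResult {
    param(
        [string[]]$Line,        # raw dcdiag.exe output lines
        [string]$DcName,        # host name of this DC
        [string]$DomainName     # name of the domain as dcdiag prints it
    )
    # Partition names that dcdiag reports literally (taken from the output above).
    $partitions = 'ForestDnsZones', 'DomainDnsZones', 'Schema', 'Configuration'
    $pattern = '^\s*\.{5,}\s+(?<subject>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)\s*$'

    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }   # skip everything that is not a result line
        $subject = $Matches['subject']
        $result  = $Matches['result']
        $test    = $Matches['test']

        # Replace the host-specific subject with a stable scope name.
        $scope = if     ($subject -ieq $DcName)          { 'dc' }
                 elseif ($subject -ieq $DomainName)      { 'domain' }
                 elseif ($partitions -contains $subject) { "partition.$subject" }
                 else                                    { "other.$subject" }

        [pscustomobject]@{
            Key   = 'ad.dcdiag[{0},{1}]' -f $scope, $test   # hypothetical key format
            Value = [int]($result -eq 'passed')             # 1 = passed, 0 = failed
        }
    }
}

# On a real DC: -Line (dcdiag.exe) -DcName $env:COMPUTERNAME
#               -DomainName (Get-CimInstance Win32_ComputerSystem).Domain
ConvertFrom-DcdiagResult -Line $sample -DcName 'DC01' -DomainName 'corp.example' |
    Format-Table -AutoSize
```

Because the scope comes from comparing the subject with the local DC and domain names at run time, the same key names apply on every DC, and a failed test is sent as 0 rather than being dropped.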