Azure AD Connect Health with AD DS

Azure AD Connect Health with AD DS is now in preview!

You’ll need Azure AD Premium for this. It’s a small agent that gets installed on each of your domain controllers and provides health monitoring and alerting via Azure AD Connect Health.

The service is a light health and monitoring solution which reports back on some basics such as these:

[Image: azure health 3]

It will also show any replication issues and other DC-related problems for you to remediate. You can configure email alerts too, so you know when a problem is detected rather than relying on checking the health page to notice something.

The setup of Azure AD Connect Health with AD DS is incredibly easy – download and install the agent (check you meet the prerequisites first!), use the credentials of an Azure AD global administrator (set up a service account for this), and you’re done. If you install it on a server that doesn’t have the required Windows Server roles, you’ll get an error such as “Microsoft.Identity.Health.Common.RoleNotFoundException: No role was registered.”
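To avoid the RoleNotFoundException described above, you can check which roles a server actually holds before picking an installer. The following is an added example, not code from the original post or from Microsoft. It assumes the Windows feature names `AD-Domain-Services` and `ADFS-Federation` and the `ADSync` service name used by Azure AD Connect sync; the function name is hypothetical.

```powershell
# Added example: pre-flight check for choosing the right Connect Health agent.
# Assumptions: ServerManager module is available (Windows Server), feature names
# 'AD-Domain-Services' / 'ADFS-Federation', and the 'ADSync' service for
# Azure AD Connect sync. Get-ConnectHealthAgentMatch is a hypothetical name.

function Get-ConnectHealthAgentMatch {
    [CmdletBinding()]
    param()

    Import-Module ServerManager -ErrorAction Stop

    # Each Health agent expects one role to be present on the local server.
    $featureChecks = @(
        @{ Agent = 'AD DS'; Feature = 'AD-Domain-Services' },
        @{ Agent = 'AD FS'; Feature = 'ADFS-Federation' }
    )

    $results = @(foreach ($check in $featureChecks) {
        $feature = Get-WindowsFeature -Name $check.Feature -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Agent    = $check.Agent
            Evidence = "Windows feature $($check.Feature)"
            Present  = [bool]($feature -and $feature.Installed)
        }
    })

    # Azure AD Connect is not a Windows feature; look for its sync service instead.
    $syncService = Get-Service -Name 'ADSync' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Agent    = 'Azure AD Connect (sync)'
        Evidence = 'Service ADSync'
        Present  = [bool]$syncService
    }

    $results
}

$match = Get-ConnectHealthAgentMatch
$match | Format-Table -AutoSize

if (-not ($match | Where-Object { $_.Present })) {
    Write-Warning 'No supported role found on this server; agent registration would fail with RoleNotFoundException.'
}
```

Run it in an elevated PowerShell session on the target server and install only the agent whose row shows `Present` as `True`.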

The two other Health services currently available are for ADFS and Azure AD Connect, so check those out too if you haven’t already.

One issue I had after installing was that I couldn’t see the box for Active Directory Domain Services in the Azure portal; it was just blank:


[Image: Pasted image at 2016_07_21 12_22 PM]

After trying to work out why for a while, @kengoodwin pointed out that I should try resetting the view. This is done by clicking one of the ‘Add tiles’ options, then at the top of the screen choosing the ‘Restore default’ option.

Doing this resulted in my tiles showing as they should – I’d never made adjustments to my tiles, but had previously gone into edit mode and saved the zero changes I did, which I believe stopped the portal from adding in the new tiles once the new health service was detected. This is how it should look:

[Image: ad health 2]

Much better!

If you have Azure AD Premium, then check out this free extra!

6 thoughts on “Azure AD Connect Health with AD DS”

    1. Hi Wayne,
      Some of the TechNet articles are a little confusing. When they refer to roles in this context, they mean the role options of Azure AD Connect Health. There are 3 right now – Azure AD Connect, ADFS and AD DS.
      https://docs.microsoft.com/en-gb/azure/active-directory/connect-health/active-directory-aadconnect-health-faq

      Depending on your OS there are different install instructions. Install it and see how you go, Azure will tell you if it’s not happy and give some troubleshooting steps (health scripts to run).

      Feel free to ask here if you get stuck.

      1. Thanks for your reply! I already have an Azure AD Connect server for our hybrid setup. The link you posted above appears to say I should install the AD Connect Health agent on the AD Connect server, however I see other MS documents saying to install it on all the Domain Controllers https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-agent-install and your link says I will need a lot of licenses (we have 4 DCs).

        I guess the main problem is right after I enter the Office 365 global admin credentials I get this error

        Configuration Failed

        To retry configuration, type:
        Register-AzureADConnectHealthADFSAgent

        Monitoring will not start until configuration is successful.

        Register-AzureADConnectHealthADFSAgent : No role was registered.
        At line:1 char:190
        + … \AdHealthAdfs; Register-AzureADConnectHealthADFSAgent}
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Register-AzureADConnectHealthADFSAgent], RoleNotFoundException
        + FullyQualifiedErrorId : Microsoft.Identity.Health.Common.RoleNotFoundException,Microsoft.Identity.Health.Adfs.Po
        werShell.ConfigurationModule.RegisterADHealthAdfsAgent

        PS I am installing on Windows 2012 and I tried your suggestion to install Windows Management Framework 5.0 without any luck.

        Thanks again

      2. Hi Wayne,
        There’s a different installer for each role – one for ADFS, one for DC and one for Connect. That looks like you’re using the ADFS one and it’s expecting the ADFS role, is that the one you’re expecting?

      3. I guess I am confused. I already have an Azure AD Connect server (I assume that is the “Connect” you refer to above) and our on-premises domain and Office 365 are in sync. Now I am attempting to install Azure AD Connect Health and I receive that error.

        Do I need to install something before installing Azure AD Connect Health?

        Thanks!
