KBI 311526 New Rule Category In Argent For Active Directory To Support Active Directory 2012 And 2016

Version

Argent Advanced Technology 1701-A and later

Date

Thursday, 9 March 2017

Summary

Argent for Active Directory has been enhanced with a set of new Rules to monitor Active Directory 2012 and 2016. A new tree branch named ‘Instant Best Practices for Active Directory 2012 And 2016’ has been added in Argent for Active Directory to hold the 2012 and 2016 Active Directory Rules.

Technical Background

Previous versions of Argent for Active Directory have File Replication Rules listed under “Instant Best Practices for Active Directory 2008 And Above”.

File Replication Service (FRS) is a technology that was originally introduced on Windows 2000 Server to replicate Distributed File System (DFS) folders and the SYSVOL folder on domain controllers.

Please see the screenshot shown below.

However, the File Replication Rules listed under “Instant Best Practices for Active Directory 2008 And Above” monitor a service that is deprecated in Active Directory 2012 and 2016.

File Replication Service (FRS) has been replaced in Windows Server 2016, Windows Server 2012 R2 and Windows Server 2012 by Distributed File System Replication (DFSR) for replicating Distributed File System (DFS) folders and for replicating the SYSVOL folder.

Argent for Active Directory has been enhanced by adding a set of new Rules to monitor Active Directory 2012 and 2016.

The screenshot below shows the new Rule category added to hold the 2012 and 2016 Active Directory Rules:

The new Rules supporting Active Directory 2012 and 2016 are added under the above node in the following categories:

  1. Distributed File System Replication Rules

    Active Directory 2012 and 2016 expose new critical Performance Counters for monitoring the performance of Distributed File System Replication (DFSR).

    This category resides under .\Performance Rules\Domain Controller

    The new Distributed File System Replication (DFSR) Rules fall into three groups:

    • Replicated Folders
    • Replication Connections
    • Replication Service Volumes

    Please see the screenshots below of the new Distributed File System Replication (DFSR) Performance Rules:

  2. Active Directory Federation Services

    Active Directory Federation Services (AD FS) simplifies access to systems and applications by using a claims-based access (CBA) authorization mechanism to maintain application security.

    Active Directory 2012 and 2016 contain critical Performance Objects for monitoring the performance of AD FS.

    These “Active Directory Federation Service” Rules reside under the Rule category \Performance Rules\Domain Controller

    Please see the screenshot below of the new Active Directory Federation Services (AD FS) Performance Rules:

  3. Security Accounts Manager Event Logs

    Windows Server 2012 and 2016 include new audit events to help with early detection of malicious reconnaissance attempts against the Security Account Manager (SAM).

    The Security Account Manager (SAM) is a database file that stores users’ passwords. A common attack is to access the SAM remotely to enumerate user groups, for example to find all the users in the local Administrators group on a server.

    These “Security Account Manager” Rules reside under the Rule category \Event Logs\Security Accounts Manager

    Please see the screenshot below of the new Security Account Manager (SAM) Event Log Rules:
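As an added illustration of what the DFSR Performance Rules in category 1 sample (this is example code written for this article, not Argent's own Rule logic), the PowerShell below reads the “DFS Replicated Folders” counter set on a domain controller and flags instances that exceed a threshold. It assumes the DFS Replication role is installed, that the counter names listed are the standard DFSR PerfMon names on your host (verify with `Get-Counter -ListSet 'DFS Replicat*'`), and the thresholds are placeholders chosen for illustration.

```powershell
# Added example, not Argent code: sample DFSR counters and report threshold breaches.
# Counter names are assumed to match the standard DFSR counter sets; verify locally.
# Thresholds are illustrative placeholders, not recommended values.
$DfsrChecks = @(
    @{ Counter = '\DFS Replicated Folders(*)\Staging Space In Use';  Max = 4GB;   Why = 'staging quota pressure' },
    @{ Counter = '\DFS Replicated Folders(*)\Conflict Space In Use'; Max = 512MB; Why = 'conflicting edits accumulating' },
    @{ Counter = '\DFS Replicated Folders(*)\File Installs Retried'; Max = 0;     Why = 'files could not be installed' }
)

function Get-DfsrCounterAlerts {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$SampleInterval = 5,   # seconds between samples
        [int]$MaxSamples = 3        # samples per counter; peak value is compared
    )

    # A host still running FRS has no DFSR counter sets, so fail early and clearly.
    $sets = Get-Counter -ListSet 'DFS Replicat*' -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if (-not $sets) {
        throw "No DFSR counter sets found on $ComputerName; is the DFS Replication role installed?"
    }

    foreach ($check in $DfsrChecks) {
        $samples = (Get-Counter -Counter $check.Counter -ComputerName $ComputerName `
                    -SampleInterval $SampleInterval -MaxSamples $MaxSamples).CounterSamples

        # One replicated folder per instance; alert on the peak across the samples.
        $samples | Group-Object InstanceName | ForEach-Object {
            $peak = ($_.Group | Measure-Object CookedValue -Maximum).Maximum
            if ($peak -gt $check.Max) {
                [pscustomobject]@{
                    Computer  = $ComputerName
                    Instance  = $_.Name
                    Counter   = $check.Counter
                    Peak      = $peak
                    Threshold = $check.Max
                    Reason    = $check.Why
                }
            }
        }
    }
}

# Usage: list breaches on the local domain controller, if any.
Get-DfsrCounterAlerts | Format-Table -AutoSize
```

Running this against a server that still uses FRS throws rather than silently reporting nothing, which mirrors why the older File Replication Rules do not apply to 2012 and 2016 domain controllers.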

Resolution

Upgrade to Argent Advanced Technology 1701-A or later.