Foglight® for Active Directory 5.7.2.3
Developed for Foglight Management Server 5.9.5 / Foglight Evolve 9.0
Release Notes
July 2019
Welcome to Foglight for Active Directory
Resolved issues and enhancements
Getting started with Foglight for Active Directory
Foglight® solution simplifies application performance monitoring and reduces the skills and effort required to manage applications, the user experience, and the supporting infrastructure. Unlike other solutions, Foglight uses a single code base, and has a model-driven design that couples fast deployment and accelerated time-to-value. It offers the modular flexibility required to deliver a range of capabilities and sophistication to meet the needs of any organization—from those still focused on technology-centric monitoring to those that have completed the transition to application-centric or transactional monitoring.
Foglight performs equally well in physical, virtual, and mixed infrastructure environments, providing visibility into issues affecting the application and end-user experience. Intuitive workflows help you quickly move from the symptom to the root cause in the application, database, infrastructure, or network to resolve issues, reducing mean time to resolution. Predefined and drag-and-drop dashboards provide insight that is tailored to each stakeholder. By offering comprehensive visibility into your monitored environment, Foglight helps ensure that cross-functional teams collaborate on and prioritize issues that matter most to the business.
These Release Notes cover the resolved issues, known issues, workarounds, and other important information about the 5.7.2.3 release of Foglight for Active Directory. Review all sections before starting the installation.
This 5.7.2.3 release of Foglight for Active Directory accompanies the release of Foglight Evolve 9.0. It includes the following new features and improvements:
Note: For Windows server 2016 Domain Controller and Certificate Authority, you can connect to Domain controller and Certificate Authority via DCOM or WinRM. However, for Windows server 2019 DCs and Certificate Authority, only connecting via WinRM is supported at this release.
This 5.7.2.3 release of Foglight for Active Directory accompanies the release of Foglight Evolve 9.0. It includes the following issues and enhancements.
Defect ID |
Resolved Issue |
AD-697 |
Credential usage is incorrect for CA agent. |
AD-729 |
No data display in CA health check table. |
Foglight for Active Directory no longer supports Monitored Domain Controllers Windows Server® 2003.
The following is a list of issues known to exist at the time of this release.
Defect ID |
Known Issue |
AD-619 |
Memory Utilization shows a negative value. Workaround: After changing the memory, restart the Active Directory agent to refresh the memory capacity. |
AD-759 |
When host provider has been selected as VMware cartridge/Hyper-V cartridge, though the host provider will be changed to IC /Active Directory cartridge later, datastore metrics still display on Exchange Explorer Resource Utilization dashboard. |
n/a |
Metrics that do not have generally accepted thresholds for alarms are configured as trend alarms. The significance of trends is dependent on the environment and default settings may generate many meaningless alarms in a busy environment, while failing to fire at all in a smaller environment. Workaround: We recommended that the administrator allow the agent to collect values over an adequate period of time to observe normal performance and then adjust trend alarms to fire at suitable thresholds. |
n/a |
In some circumstances, DCs on Windows Server 2012/2012
R2 systems may experience high CPU usage when monitored by the Active
Directory agent. This issue only appears when using WinRM connections. |
The following is a list of third party issues known to exist at the time of this release.
Defect ID |
Known Issue |
AD-41 |
The automatic reboot feature of Windows® updates may not allow enough time for the Foglight Management Server (FMS) to shut down correctly. This can result in broken agents when the service is restarted. Workaround: Manually stop the FMS before performing updates. |
The latest version of Foglight for Active Directory is 5.7.2.3. Upgrades from version 5.6.9 and later are supported.
To upgrade the Foglight for Active Directory to the latest version:
Important: For a list of issues that you may encounter after upgrading the Foglight for Active Directory to version 5.7.2.3, and ways to troubleshoot these issues, see section Potential issues after upgrading the cartridge to version 5.7.2.3.
Note: If you are also running Foglight for Exchange, you must upgrade the Exchange agents as well. It is strongly recommended that you run the same version and patch level of both cartridges.
The following is a list of product versions and platforms compatible with this release.
Product Name |
Product Version |
Platform |
Foglight Management Server |
5.9.5 |
All platforms supported by this version of the Foglight Management Server |
Foglight Agent Manager |
5.9.5 |
All platforms supported by this version of the Foglight Agent Manager |
Foglight Evolve |
9.0 |
All platforms supported by these versions of the Foglight Evolve |
Before installing Foglight for Active Directory, ensure your system meets the following minimum hardware and software requirements:
Platform | Any supported Foglight or Foglight Evolve platform. For more information, see the System Requirements and Platform Support Guide. |
Memory | As specified in Foglight or Foglight Evolve documentation. |
Hard Disk Space | As specified in Foglight or Foglight Evolve documentation. |
Operating System | As specified in Foglight or Foglight Evolve documentation. |
Additional Software | Monitored Domain Controllers must be Windows Server® 2008 or newer. Note: If you are using Windows Server 2008 R2, refer to the prerequisites described in the Prerequisites and Troubleshooting sections. Small Business Systems (SBS) versions have not been tested. Read Only Domain Controller (RODC) versions are not supported. |
The following prerequisite conditions must be in place in order to successfully initialize an Active Directory agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Active Directory dashboards.
Note: The Remote Access Diagnostics utility, provided with this product, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Active Directory agent. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.
Note: Make sure to give minimum required privilege to your Active Directory® or Certificate Authority agent; otherwise this agent can not start data collection.
An Active Directory account with Administrator permissions (domain or built-in administrators) must be specified in agent properties. This is the account used to run remote scripts. Foglight for Active Directory uses the userPrincipalName in the agent properties, so the sAMAccountName and the account CN must be identical. Also, they must not contain spaces, or LDAP authentication errors may occur.
To run remote scripts, a Certificate Authority agent requires an account with relevant privileges:
Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.
Configuration steps:
Since Foglight for Active Directory uses an agent-less design, remote execution of scripts must be enabled on all domain controllers. If communication fails completely, you will not see server objects. If partial data is collected, the server object will appear in the UI and the metrics with values will be displayed.
Distributed COM (DCOM) must be enabled on all Domain Controllers (Active Directory Servers) or all Certificate Authority Servers.
To enable Distributed COM (DCOM):
For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.
The Remote Registry service must be running to allow agents remote access to the registry.
The account specified in the agent properties must have Full Control permissions on the registry keys for the following:
Note: In Windows operating systems prior to Windows Server 2008 R2, these permissions are granted to members of the Administrators group by default. In Windows Server 2008 R2 and Windows Server 2012, these permissions must be explicitly granted.
Symptom: Depending on the prerequisite, you will encounter a complete failure to collect data (missing servers) or subsets of missing values (empty charts).
Resolution:
We recommend that you create a backup copy of the Windows Registry before making any changes so that you can revert the changes, if necessary.
To grant permissions on these keys:
The Extensible Storage Engine (ESE) is the database engine used by Active Directory®. Foglight for Active Directory collects metrics and will fire alarms on ESE performance. It is recommended to verify that the Win32_PerfRawData_ESENT_Database WMI class is registered on each monitored domain controller by confirming the 'Database' Performance Object within Performance Monitor (Perfmon) exists. If this class is not registered, ESE queries will fail with 0x80041010 errors.
To check and register the ESENT WMI Class:
This procedure sets registry keys and refreshes the WMI database so it is aware of the change.
The Kerberos
configuration file should be located in the
following folder in the Fglam server:
/etc/krb5/krb5.conf [Solaris®]
%WINDOWS_ROOT%\krb5.ini [Windows]
/etc/krb5.conf [Linux®]
The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:
[libdefaults]
default_realm = MY.REALM
[realms]
MY.REALM = {
kdc = kdc.my.realm
}
Important: Starting with version 5.7.2, Foglight for Exchange trusts (by default) any certificates for secure LDAP connections, and does not require users to import the SSL certificate any longer. The only case when users need to import the certificate is when they set the vm parameter "quest.ldap.ssl.trustAnyCert" as False to disable any certificate trust.
When collecting data using LDAP through SSL communication, a new Certificate Authority must be added to the Agent Manager’s Java® Runtime Environment (JRE). The JRE includes a command-line tool keytool which can be used to add the new Certificate Authority.
keytool -import -file <importCertPath> -alias <someName> -keystore
<cacertsPath> -storepass <changeit>
keytool -list -alias <someName> -keystore
<cacertsPath> -storepass <changeit>
Here are example commands that import and list a new root certificate:
<FMS_HOME>\jre\bin\keytool -import -file MySSL.cer –alias
MySecuryLDAP.ca -keystore <FMS_HOME>\jre\lib\security\cacerts -storepass
changeit
<FMS_HOME>\jre\bin\keytool -list -alias MySecuryLDAP.ca -keystore
<FMS_HOME>\jre\lib\security\cacerts -storepass changeit
The initial password of the cacerts keystore file is changeit. System administrators should change this password and the default access permissions of this file when installing the SDK. The file can be found in the directory <FMS_HOME>\jre\lib\security\cacerts (embedded Agent Manager) or <FglAM_HOME>\jre\<JRE_VERSION>\jre\lib\security\cacerts (external Agent Manager).
Note: The certificate file that you want to import should be the public certificate for the Certificate Authority that signed the server's SSL certificate, not the SSL certificate itself. The Agent Manager must be restarted for the certificate to take effect. If security LDAP is enabled when creating the Active Directory agent via the Agent Setup wizard, the root certificate also needs to be added to the Foglight Management Server’s Java Runtime Environment (JRE).
This section provides information about problems that you might encounter while monitoring your environment with Foglight for Active Directory, and describes the solutions available to troubleshoot these problems.
Symptom: In some circumstances, DCs on Windows Server 2012/2012 R2 systems may experience high CPU usage when monitored by the Active Directory agent. This issue only appears when using WinRM connections. Using WMI/DCOM connections prevents this issue.
Resolution:
If this issue is encountered, contact Support for assistance.
To troubleshoot this issue directly, use the Windows Task Manager to look for an increasing number of active conhost.exe or svchost.exe processes. If this problem is observed, the problem can be confirmed by adding the optional "Command Line" column to Task Manager (View > Select Columns > [ x ] Command Line). You should then see WinRM commands associated with the conhost.exe or svchost.exe instances.
If many of these processes are observed, increase the WinRM message envelope size from the default size of 500, as follows:
winrm set winrm/config @{MaxEnvelopeSizekb="1000"}
Microsoft® offers a workaround for this issue in the "Svchost.exe uses excessive CPU resources on a single-core Windows Server 2012 domain controller" article (KB 3118385).
The following procedure is a best practice that is recommended for optimal performance.
Do NOT allow the Microsoft® automatic update feature to force an update of the server hosting the Foglight Management Server. This automatic update feature does not allow enough time for the Foglight Management Server to shutdown gracefully, which may leave your agents in a broken state.
Symptom: Cartridge agents will appear to be deactivated on the Agent Status dashboard.
Resolution: Using the Agent Status dashboard, select the deactivated agent and select the Activate button. If you cannot activate the selected agent, delete and reinstall the agent.
Symptoms:
When upgrading to version 5.7.2.3, you encounter an error message similar to the following message (actual values may vary):
Error deploying package … Cause: The addition of 2097152kb to the
negotiated JVM Max heap size would adjust to 2359296kb, which would exceed the
total available physical memory of 1780736kb. Rejecting memory request.
Resolution:
This message indicates that the Agent Manager does not have sufficient heap memory to allocate to the requesting Foglight for Active Directory agent package. It is not possible to directly increase the amount of heap memory available to the Agent Manager, as it uses as much memory as the monitoring host can provide to it before issuing this message. The amount of memory available to be allocated to the Agent Manager must be increased, for example by adding more physical memory to the host. If the monitoring host is a virtual machine, more memory may be allocated to the VM.
If this is not possible, consider moving some agents, or the Agent Manager and all agents, to another monitoring host which has more memory capacity.
Symptoms:
2013-12-19 17:57:56.129 ECHO
<ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent INFO>
[Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Validate credentials
for host: dc7.domain7.local
2013-12-19 17:57:56.130 ECHO
<ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR
[Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Could not establish a
connection to host : dc7.domain7.local.
2013-12-19 17:57:56.130 ECHO
<ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR
[Thread-33] com.quest.agent.ad.ActiveDirectoryAgent - Data collection
failure.
com.quest.glue.api.services.NoCredentialsException: Could not
establish a connection to host : dc7.domain7.local
at
com.quest.agent.ad.ActiveDirectoryAgent.buildConfigOnCredential(ActiveDirectoryAgent.java:1290)
at
com.quest.agent.ad.ActiveDirectoryAgent.access$000(ActiveDirectoryAgent.java:128)
at
com.quest.agent.ad.ActiveDirectoryAgent$1.run(ActiveDirectoryAgent.java:1262)
at java.lang.Thread.run(Thread.java:662)
"A Credential with purpose xxxx has been encrypted
with a lockbox that has not been granted to this Agent Manager"
.Resolution:
Symptom:
The following exception message may be found in the Active Directory agent log.
2013-12-19 18:00:02.317 ECHO
<ActiveDirectory/5.6.6/ActiveDirectory/ad0-dc7.domain7.local-agent> ERROR
[Thread-35] com.quest.agent.ad.ActiveDirectoryAgent - Data collection failure.
java.util.concurrent.TimeoutException: Time out when query AD / EXC credentials.
at
com.quest.agent.service.auth.impl.CredentialQueryResultImpl.get(CredentialQueryResultImpl.java:54)
at
com.quest.agent.service.auth.impl.CredentialManagerImpl.queryCredential(CredentialManagerImpl.java:56)
at
com.quest.agent.ad.ActiveDirectoryAgent.buildConfigOnCredential(ActiveDirectoryAgent.java:1285)
at
com.quest.agent.ad.ActiveDirectoryAgent.access$000(ActiveDirectoryAgent.java:128)
at
com.quest.agent.ad.ActiveDirectoryAgent$1.run(ActiveDirectoryAgent.java:1262)
at java.lang.Thread.run(Thread.java:662)
Resolution: Re-start the data collection.
Foglight includes a licensing capability that restricts access to those features that are defined in the license. Any Management Server installation requires a license that grants access to server-specific parts of the browser interface and the features associated with them. Foglight cartridges are also license-protected. While some cartridges are covered by the base Foglight license (such as Foglight Agent Manager cartridges and the Cartridge for Infrastructure), others may require an additional license. Foglight for Active Directory is covered by the Foglight Evolve Monitor and Operate license.
To activate a trial or a purchased commercial license:
The Foglight for Active Directory release package contains the following:
Foglight for Active Directory can be installed as a stand-alone cartridge on a Foglight platform. In this configuration, all Active Directory® metrics are collected as well as basic host metrics from both physical and virtual domain controllers. Before installing the cartridge, ensure that your Foglight Management Server is properly installed and configured. For information on how to install and configure the Foglight Management Server, refer to the Foglight Installation and Setup Guide set.
Foglight for Active Directory can also be installed on a Foglight Evolve platform. In this configuration, it is used to gain in-depth insight into the health of the virtual machine, the virtual host, and the virtual environment as a whole. Before installing the cartridge, ensure that Foglight Evolve is properly installed and configured. For information on how to install and configure Foglight Evolve, refer to the Foglight Installation and Setup Guide set.
You can use one Foglight Agent Manager (FglAM) with the following settings to support 25 to 30 agent instances: 6 GB memory and 2 CPU.
It is recommended that you perform the following steps before you begin the installation procedure:
Foglight for Active Directory is distributed as a .car file: Active-Directory-5_7_2_3.car. Use the Administration > Cartridges > Cartridge Inventory dashboard to install the cartridge. For full installation instructions, refer to the topic "Installing Foglight Cartridges" in the Foglight Administration and Configuration Help.
In order for Active Directory® data to appear on the Foglight browser interface, once the cartridge has been successfully installed, you need to deploy the agent package, configure the agent properties, create and activate agents, and start the data collection. For detailed information about these procedures, refer to Foglight for Active Directory User and Reference Guide.
Additional information is available from the following:
This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.
This release is Unicode-enabled and supports any Unicode character set. In this release, all product components should be configured to use the same or compatible character encodings and should be installed to use the same locale and regional options. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan. It supports bidirectional writing (Arabic and Hebrew). The release supports Complex Script (Central Asia – India, Thailand).
We are on a quest to make your information technology work harder for you. That is why we build community-driven software solutions that help you spend less time on IT administration and more time on business innovation. We help you modernize your data center, get you to the cloud quicker and provide the expertise, security and accessibility you need to grow your data-driven business. Combined with Quest’s invitation to the global community to be a part of its innovation, and our firm commitment to ensuring customer satisfaction, we continue to deliver solutions that have a real impact on our customers today and leave a legacy we are proud of. We are challenging the status quo by transforming into a new software company. And as your partner, we work tirelessly to make sure your information technology is designed for you and by you. This is our mission, and we are in this together. Welcome to a new Quest. You are invited to Join the Innovation™.
Our logo reflects our story: innovation, community and support. An important part of this story begins with the letter Q. It is a perfect circle, representing our commitment to technological precision and strength. The space in the Q itself symbolizes our need to add the missing piece — you — to the community, to the new Quest.
For sales or other inquiries, visit http://quest.com/company/contact-us.aspx or call +1-949-754-8000.
Technical support is available to Quest customers with a valid maintenance contract and customers who have trial versions. You can access the Quest Support Portal at https://support.quest.com.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:
Quest, the Quest logo, Foglight, and Join the Innovation are trademarks and registered trademarks of Quest Software Inc. in the U.S.A. and other countries. For a complete list of Quest Software trademarks, please visit our website at www.quest.com/legal. Red Hat, JBoss, the JBoss logo, and Red Hat Enterprise Linux are registered trademarks of Red Hat, Inc. in the U.S. and other countries. CentOS is a trademark of Red Hat, Inc. in the U.S. and other countries. Fedora and the Infinity design logo are trademarks of Red Hat, Inc. Microsoft, .NET, Active Directory, Internet Explorer, Hyper-V, Office 365, SharePoint, Silverlight,SQL Server, Visual Basic, Windows, Windows Vista and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. AIX, IBM, PowerPC, PowerVM, and WebSphere are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Java, Oracle, Oracle Solaris, PeopleSoft, Siebel, Sun, WebLogic, and ZFS are trademarks or registered trademarks of Oracle and/or its affiliates in the United States and other countries. SPARC is a registered trademark of SPARC International, Inc. in the United States and other countries. Products bearing the SPARC trademarks are based on an architecture developed by Oracle Corporation. OpenLDAP is a registered trademark of the OpenLDAP Foundation. HP is a registered trademark that belongs to HewlettPackard Development Company, L.P. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries. Novell and eDirectory are registered trademarks of Novell, Inc., in the United States and other countries. VMware, ESX, ESXi, vSphere, vCenter, vMotion, and vCloud Director are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. Sybase is a registered trademark of Sybase, Inc. The X Window System and UNIX are registered trademarks of The Open Group. Mozilla and Firefox are registered trademarks of the Mozilla Foundation. IOS is a registered trademark or trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Apple, iPad, iPhone, Mac OS, Safari, Swift, and Xcode are trademarks of Apple Inc., registered in the U.S. and other countries. Ubuntu is a registered trademark of Canonical Ltd. Symantec and Veritas are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. OpenSUSE, SUSE, and YAST are registered trademarks of SUSE LCC in the United States and other countries. Citrix, AppFlow, NetScaler, XenApp, and XenDesktop are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. PostgreSQL is a registered trademark of the PostgreSQL Global Development Group. MariaDB is a trademark or registered trademark of MariaDB Corporation Ab in the European Union and United States of America and/or other countries. Intel, Itanium, Pentium, and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. Debian is a registered trademark of Software in the Public Interest, Inc. OpenStack is a trademark of the OpenStack Foundation. Amazon Web Services, the "Powered by Amazon Web Services" logo, and "Amazon RDS" are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries. Infobright, Infobright Community Edition and Infobright Enterprise Edition are trademarks of Infobright Inc. POLYCOM®, RealPresence® Collaboration Server, and RMX® are registered trademarks of Polycom, Inc. All other marks and names mentioned herein may be trademarks of their respective companies.