Archives July 2022

Azure AD Connect Health – Implementing and Managing Identity Synchronization with Azure AD

You can browse the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth. From there, you will be able to view basic details about your environment as well as obtain agent installation packages. See Figure 4.16:

Figure 4.16 – Azure Active Directory Connect Health

While Azure AD Connect Health Agent for Sync is included in the Azure AD Connect installation, the health agents for DS and AD FS are separate installations and must be downloaded separately:

If you do not have AD FS deployed in your environment, you do not need to deploy the AD FS agents.

Azure AD Connect Health for Sync

The core health product, Azure AD Connect Health for Sync, shows the current health of your synchronization environment, including object synchronization problems and data-related errors.

You can view the health status and identified errors by selecting Sync errors under Azure Active Directory Connect (Sync) in the Azure AD Connect Health portal (https://aka.ms/aadconnecthealth), as shown in Figure 4.17:

Figure 4.17 – Azure AD Connect Health Sync errors

Selecting an error type will allow you to drill down into individual errors. Figure 4.18 shows an example where Azure AD Connect Health has detected two objects with the same address:

Figure 4.18 – Azure AD Connect Health error details

You can use this information to identify and troubleshoot on-premises objects.
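
One way to locate the on-premises objects behind a duplicate-address sync error like the one in Figure 4.18, as an added example that is not code from the original text or from Microsoft. The function name `Find-DuplicateProxyAddress` is hypothetical, the sample objects are constructed, and the example assumes the conflicting address is stored in the `proxyAddresses` attribute:

```powershell
function Find-DuplicateProxyAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    begin {
        # Lower-cased address -> set of distinguished names that carry it
        $owners = @{}
    }
    process {
        foreach ($address in @($InputObject.proxyAddresses)) {
            if ([string]::IsNullOrWhiteSpace($address)) { continue }
            # "SMTP:" (primary) and "smtp:" (secondary) differ only in case,
            # so compare the whole value case-insensitively.
            $key = $address.Trim().ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = [System.Collections.Generic.HashSet[string]]::new()
            }
            # A set keeps one object from being counted twice for the same address
            [void]$owners[$key].Add($InputObject.DistinguishedName)
        }
    }
    end {
        foreach ($key in $owners.Keys) {
            if ($owners[$key].Count -gt 1) {
                [pscustomobject]@{ Address = $key; Objects = @($owners[$key]) }
            }
        }
    }
}

# Constructed sample objects standing in for directory data
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Ana Diaz,OU=Staff,DC=example,DC=com'
                       proxyAddresses    = @('SMTP:ana@example.com', 'smtp:sales@example.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Sales Team,OU=Groups,DC=example,DC=com'
                       proxyAddresses    = @('SMTP:sales@example.com') }
    [pscustomobject]@{ DistinguishedName = 'CN=Ben Ito,OU=Staff,DC=example,DC=com'
                       proxyAddresses    = @('SMTP:ben@example.com') }
)
$sample | Find-DuplicateProxyAddress | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(proxyAddresses=*)' -Properties proxyAddresses |
#     Find-DuplicateProxyAddress
```

With the constructed data, the only address reported is `smtp:sales@example.com`, listed with the two distinguished names that share it.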

Azure AD Connect Health for Directory Services

Microsoft recommends deploying Azure AD Connect Health for DS agents on all domain controllers you want to monitor, or at least one for each domain.

The Azure AD Connect Health agent deployment is relatively straightforward, asking only for credentials to complete the installation. Once the installation is complete, you can review details about your domain controller’s health in the Azure AD Connect Health portal at https://aka.ms/aadconnecthealth.

From the Azure AD Connect Health page, under Active Directory Domain Services, select AD DS services, as shown in Figure 4.19, and then select a domain to view its details:

Figure 4.19 – Azure AD Connect Health AD DS services

The health services agents display a variety of details about the environment, including replication errors, LDAP bind operations, NTLM authentication operations, and Kerberos authentication operations. See Figure 4.20:

Figure 4.20 – Azure AD Connect Health for DS detail page

Errors that are detected here should be resolved in your on-premises AD environment.