Bundle Update: Microsoft Active Directory

ExtraHop-supported solution closes the visibility gaps on one of the most complex services in your environment.

Active Directory is Microsoft's directory service for managing network resources and data. With its complex structure and many moving parts, Active Directory can be tricky and time-consuming to monitor and troubleshoot, especially for large deployments. It utilizes protocols like Kerberos, LDAP, DNS, and SMB/CIFS to handle everything from authentication to resource access and policy management.

Without visibility into an Active Directory environment, you could be stuck digging through event logs or packet captures trying to pinpoint the issue when problems occur, instead of jumping straight into implementing a solution. With ExtraHop's newly updated Active Directory bundle, you can get this missing visibility into everything from a comprehensive top-level view of Active Directory protocols to detailed metrics for individual domain controllers and clients.

Active Directory Critical Components

Kerberos

Active Directory makes use of Microsoft's implementation of Kerberos, a ticket-based protocol for mutual authentication. Kerberos is divided into two related functions: the Authentication Service, which authenticates a client to the key distribution center (KDC) and returns a ticket-granting ticket (TGT), and the Ticket-Granting Service, which validates a client's TGT when it requests access to other resources on the network and returns a service ticket for the requested resource and a referral ticket if the resource is in a different domain.

LDAP

Active Directory supports the use of Lightweight Directory Access Protocol (LDAP) as a way to interact with and modify its database of directory services, including network resources, computers, and users.

Queries to the global catalog occur over LDAP, but use port 3268 instead of the port for normal LDAP queries (port 389). A global catalog server differs from a normal domain controller in that it stores a partial attribute set of every object in the forest in addition to full copies of the objects in its own domain.

Active Directory group policy objects (GPOs) are also queried over LDAP and then loaded to clients via CIFS or a similar file access protocol. GPOs are collections of policy settings applied to specific groups of users and computers.

DNS

Active Directory clients query DNS SRV resource records to locate domain controllers and servers that offer specific services. A service record query for _kerberos._tcp.DomainName, for example, lets a client find a Kerberos server in the specified domain. Clients can also query for resource records using the Microsoft-specific _msdcs subdomain with a prefix such as pdc (primary domain controller), dc (domain controller), or gc (global catalog) to find a server with the specified role.

Windows Time Service

Active Directory relies on the Windows Time service (W32Time), which uses the Network Time Protocol (NTP), to keep the clocks of clients and domain controllers in sync across the network. Time synchronization in an AD forest follows a hierarchy: clients sync with a domain controller in their own domain, domain controllers sync with the domain's PDC emulator (the DC holding the primary domain controller emulator role), and the PDC emulator takes its time from an external source. Consistent time is critical: Kerberos relies on timestamps to reject replayed tickets and authenticators, and replication relies on them to resolve conflicting changes. By default, a difference of more than 5 minutes between a client and a domain controller is treated as a time skew error, which causes authentication failures and prevents clients from accessing services.

ExtraHop's Active Directory Bundle

The newly updated and ExtraHop-supported Active Directory bundle, available for download in the bundle gallery, gives in-depth information about each of the protocols and services described above. If users are experiencing long login or load times for a component of Active Directory, for example, you can quickly and easily check how your servers are performing in terms of processing times per server and the number of requests each one is fielding to pinpoint a problem or determine if a domain controller is overloaded. If certain DNS service record lookups or Kerberos service principal names (SPNs) are resulting in errors, negatively impacting users, or causing services to fail, you'll be able to easily identify those as well.

The bundle also tracks several important security-related Kerberos and LDAP metrics. The dashboard gives a visual breakdown of the different causes of user login failures, which range from mistyped passwords to access violations and configuration problems. If you suddenly see a high number of failed login attempts for one account, it may be a sign that someone is trying to brute force that account, and you'll have the client and error details needed to act on it. You will also be able to see both failed and successful attempts to log in to, or access, privileged accounts and services, which should be monitored to ensure the attempts are coming only from the expected clients.
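The following Python is an added example, not code from the ExtraHop bundle, showing the two checks this paragraph describes, a breakdown of failures by cause and detection of password guessing against a single account, run over a constructed list of Kerberos events of the kind a network sensor can extract from AS-REQ/TGS-REQ exchanges. The error codes are the standard KRB-ERROR codes from RFC 4120; the event shape, hosts, account names and thresholds are assumptions. It also reports service principals the KDC could not resolve (error 7), which is the SPN error case the bundle update mentions.

```python
"""Classify Kerberos login failures seen on the wire and flag brute-force guessing.

Added example (not ExtraHop or Microsoft code). Operates on a constructed list of
events: timestamp, client IP, client principal, requested service principal and
the KRB-ERROR code returned by the KDC (None for a successful reply).
"""
from collections import Counter, defaultdict, namedtuple

Event = namedtuple("Event", "ts client cname sname err")

# KRB-ERROR codes (RFC 4120, section 7.5.9) behind the most common AD login failures.
KRB_ERRORS = {
    6:  "unknown user (mistyped name or account enumeration)",
    7:  "unknown service principal (SPN missing from the directory)",
    12: "KDC policy violation (logon hours or workstation restriction)",
    18: "account disabled, expired or locked out",
    23: "password expired",
    24: "wrong password (pre-authentication failed)",
    37: "clock skew too great",
}


def classify_failures(events):
    """Count failed requests by human-readable cause, as a dashboard breakdown would."""
    causes = Counter()
    for e in events:
        if e.err is not None:
            causes[KRB_ERRORS.get(e.err, "other KRB-ERROR %d" % e.err)] += 1
    return causes


def detect_bruteforce(events, threshold=5, window=60):
    """Return (client, user) pairs with >= threshold wrong-password failures
    inside any sliding window of `window` seconds."""
    failures = defaultdict(list)
    for e in events:
        if e.err == 24:
            failures[(e.client, e.cname)].append(e.ts)
    flagged = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def failing_spns(events):
    """Service principal names the KDC could not resolve (KDC_ERR_S_PRINCIPAL_UNKNOWN)."""
    return sorted({e.sname for e in events if e.err == 7})


# Constructed sample traffic: alice mistypes once, bob is guessed from one host,
# a service account on a host with a bad clock, and a TGS request for an SPN
# nobody registered.
SAMPLE = [
    Event(1000, "10.0.0.15", "alice@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", 24),
    Event(1003, "10.0.0.15", "alice@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", None),
] + [
    Event(1100 + 4 * i, "10.0.0.99", "bob@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", 24)
    for i in range(6)
] + [
    Event(1200, "10.0.0.42", "svc_sql@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", 37),
    Event(1205, "10.0.0.42", "svc_sql@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", None),
    Event(1206, "10.0.0.42", "svc_sql@CORP.EXAMPLE", "MSSQLSvc/db01.corp.example:1433", 7),
    Event(1300, "10.0.0.7", "carol@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", 18),
]

if __name__ == "__main__":
    for cause, n in classify_failures(SAMPLE).most_common():
        print("%3d  %s" % (n, cause))
    print("brute force suspects:", detect_bruteforce(SAMPLE))
    print("unresolvable SPNs:", failing_spns(SAMPLE))
```

The brute-force check keys on client address and account together, so a single user retrying from one workstation after a password change is separated from a host cycling through guesses; in practice the threshold should sit just above the domain's lockout policy so the detection fires before the attacker does.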


Updates from the previous version of this bundle:

  • Dashboard region for privileged logins, attempts, and service accesses, which are important to monitor due to their increased permissions in Active Directory services and domain-joined systems
  • Information about errors related to Kerberos service principal names (SPNs), which uniquely identify an instance of a service on a particular host. Errors occur when no SPN is registered in the directory for the requested service, or when the same SPN is registered on more than one account.
  • LDAP simple bind requests sent without encryption, which carry the bind DN and password in cleartext on the network unless the connection is protected with SSL/TLS (LDAPS or StartTLS)
  • Separate processing time information for the Authentication Service and Ticket-Granting Services, the two components of Kerberos that provide authentication and service access to clients through the Key Distribution Center (KDC)
  • Tracking of additional causes of login failures
  • More optional alerts for high processing times and errors
  • Additional record queries to quickly jump to important metrics
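To make the plaintext-bind item concrete: an LDAP simple bind carries the DN and password as BER octet strings, so anything on the path to port 389 can read them unless the session is wrapped in TLS. The following Python, added here as an example and not part of the ExtraHop bundle, builds two constructed BindRequest messages (a simple bind and a SASL GSS-SPNEGO bind), parses the BER back out the way a sensor would, and flags the one that exposes a password. The DN, password and mechanism are made up.

```python
"""Parse LDAP BindRequests off the wire and flag simple binds that expose a password.

Added example, not ExtraHop or Microsoft code. Handles only the BER needed for an
RFC 4511 BindRequest: single-byte tags with short or long definite lengths.
"""

# Universal and LDAP-specific BER tags used by BindRequest.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80       # [0] primitive: the password as an OCTET STRING
AUTH_SASL = 0xA3         # [3] constructed: SaslCredentials { mechanism, credentials }


def encode_tlv(tag, value):
    """BER tag-length-value with short or long definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + value


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the TLV) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id, dn, password=None, sasl_mechanism=None):
    """Constructed LDAPMessage carrying a BindRequest: simple if a password is given, else SASL."""
    if password is not None:
        auth = encode_tlv(AUTH_SIMPLE, password.encode())
    else:
        auth = encode_tlv(AUTH_SASL, encode_tlv(OCTET_STRING, sasl_mechanism.encode()))
    bind = encode_tlv(INTEGER, b"\x03") + encode_tlv(OCTET_STRING, dn.encode()) + auth
    return encode_tlv(SEQUENCE, encode_tlv(INTEGER, bytes([msg_id])) + encode_tlv(BIND_REQUEST, bind))


def inspect_bind(packet):
    """Return (message id, bind DN, auth kind, cleartext password or None); None if not a BindRequest."""
    tag, msg, _ = read_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    _, _version, pos = read_tlv(bind)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    mid = int.from_bytes(msg_id, "big")
    if tag == AUTH_SIMPLE:
        return mid, dn.decode(), "simple", auth.decode(errors="replace")
    if tag == AUTH_SASL:
        _, mechanism, _ = read_tlv(auth)
        return mid, dn.decode(), "sasl/" + mechanism.decode(), None
    return mid, dn.decode(), "unknown", None


def is_cleartext_bind(packet, over_tls=False):
    """True when the bind sends a non-empty password that anyone on the network can read."""
    parsed = inspect_bind(packet)
    return bool(parsed) and parsed[2] == "simple" and bool(parsed[3]) and not over_tls


# Constructed sample binds: a service account doing a simple bind to port 389,
# and a workstation doing a Kerberos-backed SASL bind.
SIMPLE_BIND = build_bind_request(1, "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
                                 password="Winter2024!")
SASL_BIND = build_bind_request(2, "", sasl_mechanism="GSS-SPNEGO")

if __name__ == "__main__":
    for pkt in (SIMPLE_BIND, SASL_BIND):
        print(inspect_bind(pkt), "-> cleartext credentials:", is_cleartext_bind(pkt))
```

An empty password with a non-empty DN is an unauthenticated bind and an empty DN with an empty password is an anonymous bind; neither leaks a credential, which is why the check requires a non-empty password. Whether the session is TLS-protected has to come from the transport (port 636, or a StartTLS exchange earlier on the connection), not from the bind message itself.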

It's easy for slow load and access times to be written off as general network problems. With the visibility ExtraHop gives for each component of an Active Directory environment, you can instead detect the actual reason, whether it's group policies being loaded slowly, a misconfigured DNS zone file leading to errors and latency, a rogue client spamming the network with requests, or just an overloaded domain controller.
