# Monitor your AWS Managed Microsoft AD
<a name="ms_ad_monitor"></a>

Understanding the different AWS Managed Microsoft AD directory statuses and what they mean helps you get the most out of your directory. You can also use AWS services such as Amazon Simple Notification Service and Amazon CloudWatch to monitor your AWS Managed Microsoft AD: Amazon Simple Notification Service can notify you when your directory status changes, and Amazon CloudWatch can monitor the performance of your AWS Managed Microsoft AD domain controllers.

**Topics**
+ [Understanding your AWS Managed Microsoft AD directory status](ms_ad_directory_status.md)
+ [Enabling AWS Managed Microsoft AD directory status notifications with Amazon Simple Notification Service](ms_ad_enable_notifications.md)
+ [Understanding your AWS Managed Microsoft AD directory logs](ms_ad_directory_logs.md)
+ [Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD](ms_ad_enable_log_forwarding.md)
+ [Using CloudWatch to monitor the performance of your AWS Managed Microsoft AD domain controllers](ms_ad_monitor_dc_performance.md)
+ [Disabling Amazon CloudWatch log forwarding for AWS Managed Microsoft AD](ms_ad_disable_log_forwarding_with_console.md)
+ [Monitoring DNS Server with Microsoft Event Viewer](ms_ad_dns_event_viewer.md)

# Understanding your AWS Managed Microsoft AD directory status
<a name="ms_ad_directory_status"></a>

The following are the various statuses for a directory.

**Active**  
The directory is operating normally. No issues have been detected by the Directory Service for your directory. 

**Creating**  
The directory is currently being created. Directory creation typically takes between 20 to 45 minutes but may vary depending on the system load. 

**Deleted**  
The directory has been deleted. All resources for the directory have been released. Once a directory enters this state, it cannot be recovered. 

**Deleting**  
The directory is currently being deleted. The directory will remain in this state until it has been completely deleted. Once a directory enters this state, the delete operation cannot be cancelled, and the directory cannot be recovered. 

**Failed**  
The directory could not be created. Please delete this directory. If this problem persists, please contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**Impaired**  
The directory is running in a degraded state. One or more issues have been detected, and not all directory operations may be working at full operational capacity. There are many potential reasons for the directory being in this state. These include normal operational maintenance activity such as patching or EC2 instance rotation, temporary hot spotting by an application on one of your domain controllers, or changes you made to your network that inadvertently disrupt directory communications. For more information, see [Troubleshooting AWS Managed Microsoft AD](ms_ad_troubleshooting.md), [Troubleshooting AD Connector](ad_connector_troubleshooting.md), or [Troubleshooting Simple AD](simple_ad_troubleshooting.md). AWS resolves normal maintenance-related issues within 40 minutes. If, after reviewing the troubleshooting topic, your directory has been in an Impaired state for longer than 40 minutes, we recommend that you contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).  
Do not restore a snapshot while a directory is in an Impaired state. It is rare that snapshot restore is necessary to resolve impairments. For more information, see [Restoring your AWS Managed Microsoft AD with snapshots](ms_ad_snapshots.md).

**Requested**  
A request to create your directory is currently pending. 

**RestoreFailed**  
Restoring the directory from a snapshot failed. Please retry the restore operation. If this continues, try a different snapshot, or contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/). 

**Restoring**  
The directory is currently being restored from an automatic or manual snapshot. Restoring from a snapshot typically takes several minutes, depending on the size of the directory data in the snapshot. 

# Enabling AWS Managed Microsoft AD directory status notifications with Amazon Simple Notification Service
<a name="ms_ad_enable_notifications"></a>

Using Amazon Simple Notification Service (Amazon SNS), you can receive email or text (SMS) messages when the status of your directory changes. You get notified if your directory goes from an Active status to an [Impaired status](ms_ad_directory_status.md). You also receive a notification when the directory returns to an Active status.

## How It Works
<a name="ds_sns_overview"></a>

Amazon SNS uses "topics" to collect and distribute messages. Each topic has one or more subscribers who receive the messages that have been published to that topic. Using the steps below you can add Directory Service as publisher to an Amazon SNS topic. When Directory Service detects a change in your directory's status, it publishes a message to that topic, which is then sent to the topic's subscribers. 

You can associate multiple directories as publishers to a single topic. You can also add directory status messages to topics that you've previously created in Amazon SNS. You have detailed control over who can publish to and subscribe to a topic. For complete information about Amazon SNS, see [What is Amazon SNS?](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).

**Note**  
Directory status notifications are a Regional feature of AWS Managed Microsoft AD. If you are using [Multi-Region replication](ms_ad_configure_multi_region_replication.md), the following procedures must be applied separately in each Region. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

## Enabling Amazon SNS
<a name="ds_sns_enabling_procedure"></a>

The following walks you through how you can enable Amazon SNS for your AWS Managed Microsoft AD:

1. Sign in to the AWS Management Console and open the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to enable SNS messaging, and then choose the **Maintenance** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Maintenance** tab.

1. In the **Directory monitoring** section, choose **Actions**, and then select **Create notification**.

1. On the **Create notification** page, select **Choose a notification type**, and then choose **Create a new notification**. Alternatively, if you already have an existing SNS topic, you can choose **Associate existing SNS topic** to send status messages from this directory to that topic.
**Note**  
If you choose **Create a new notification** but then use the same topic name for an SNS topic that already exists, Amazon SNS does not create a new topic, but just adds the new subscription information to the existing topic.  
If you choose **Associate existing SNS topic**, you will only be able to choose an SNS topic that is in the same Region as the directory.

1. Choose the **Recipient type** and enter the **Recipient** contact information. If you enter a phone number for SMS, use numbers only. Do not include dashes, spaces, or parentheses.

1. (Optional) Provide a name for your topic and an SNS display name. The display name is a short name up to 10 characters that is included in all SMS messages from this topic. When using the SMS option, the display name is required. 
**Note**  
If you are logged in using an IAM user or role that has only the [DirectoryServiceFullAccess](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/role_ds_full_access.html) managed policy, your topic name must start with "DirectoryMonitoring". If you would like to further customize your topic name, you will need additional privileges for SNS.

1. Choose **Create**.

If you want to designate additional SNS subscribers, such as an additional email address, Amazon SQS queues or AWS Lambda, you can do this from the [Amazon SNS console](https://console.aws.amazon.com/sns/v3/home).
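The same result as the console procedure above, driven from the AWS CLI, as an added example that is not part of the AWS guide. It assumes a configured AWS CLI; the "DirectoryMonitoring" name prefix and the digits-only SMS rule are the ones stated in the steps above.

```shell
#!/bin/sh
# Added example, not code from the AWS guide. Creates an SNS topic, adds one
# subscriber, and registers the directory as a publisher to the topic.
set -eu

# Under the DirectoryServiceFullAccess policy the topic name must start with
# "DirectoryMonitoring"; derive a compliant name from the directory ID.
monitoring_topic_name() {
  printf 'DirectoryMonitoring-%s' "$1"
}

# Step 6 of the console procedure requires a numbers-only phone number for
# SMS recipients: no dashes, spaces or parentheses.
sms_endpoint_ok() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# protocol is "email" or "sms"; endpoint is the address or phone number.
# Setting AWS_CLI=echo previews the calls without touching the account.
enable_ds_notifications() {
  dir_id=$1
  protocol=$2
  endpoint=$3
  region=$4
  if [ "$protocol" = sms ] && ! sms_endpoint_ok "$endpoint"; then
    echo "SMS recipient must be digits only: $endpoint" >&2
    return 1
  fi
  topic=$(monitoring_topic_name "$dir_id")
  # create-topic returns the existing topic of that name instead of making a
  # second one, matching the console behaviour described in the note above.
  topic_arn=$(${AWS_CLI:-aws} sns create-topic --region "$region" \
    --name "$topic" --query TopicArn --output text)
  ${AWS_CLI:-aws} sns subscribe --region "$region" --topic-arn "$topic_arn" \
    --protocol "$protocol" --notification-endpoint "$endpoint"
  # register-event-topic takes the topic name, not the ARN, and the topic
  # must be in the same Region as the directory.
  ${AWS_CLI:-aws} ds register-event-topic --region "$region" \
    --directory-id "$dir_id" --topic-name "$topic"
}

# Only touch the account when explicitly asked:
#   DS_APPLY=1 ./notify.sh d-1111111111 email ops@example.com us-east-1
if [ "${DS_APPLY:-0}" = "1" ]; then
  enable_ds_notifications "$1" "$2" "$3" "$4"
fi
```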

## Removing directory status messages from an Amazon SNS topic
<a name="ds_sns_removing_procedure"></a>

The following walks you through how you can remove your AWS Managed Microsoft AD directory status messages from an Amazon SNS topic:

1. Sign in to the AWS Management Console and open the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to remove status messages, and then choose the **Maintenance** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Maintenance** tab.

1. In the **Directory monitoring** section, select an SNS topic name in the list, choose **Actions**, and then select **Remove**.

1. Choose **Remove**.

This removes your directory as a publisher to the selected SNS topic.

## Deleting an Amazon SNS topic
<a name="ds_sns_delete_topic"></a>

If you want to delete the entire topic, you can do this from the [Amazon SNS console](https://console.aws.amazon.com/sns/v3/home).

Before deleting an Amazon SNS topic using the SNS console, you should ensure that a directory is not sending status messages to that topic.

If you delete an Amazon SNS topic using the SNS console, this change will not immediately be reflected in the Directory Service console. You would only be notified the next time a directory publishes a notification to the deleted topic, in which case you would see an updated status on the directory's **Monitoring** tab indicating that the topic could not be found.

Therefore, to avoid missing important directory status messages, before deleting any topic that receives messages from Directory Service, associate your directory with a different Amazon SNS topic. 

For more information on how to delete an Amazon SNS topic, see [Deleting an Amazon SNS topic and subscription](https://docs.aws.amazon.com/sns/latest/dg/sns-delete-subscription-topic.html).

# Understanding your AWS Managed Microsoft AD directory logs
<a name="ms_ad_directory_logs"></a>

Security logs from AWS Managed Microsoft AD domain controller instances are archived for a year. You can also configure your AWS Managed Microsoft AD directory to forward domain controller logs to Amazon CloudWatch Logs in near real time. For more information, see [Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD](ms_ad_enable_log_forwarding.md).

AWS logs the following events for compliance. 

| Monitoring category | Policy setting | Audit state | 
| --- | --- | --- | 
| Account Logon | Audit Credential Validation  | Success, Failure | 
|  | Audit Other Account Logon Events | Success, Failure | 
|  | Audit Kerberos Authentication Service | Success, Failure | 
| Account Management | Audit Computer Account Management  | Success, Failure | 
|  | Audit Other Account Management Events | Success, Failure | 
|  | Audit Security Group Management | Success, Failure | 
|  | Audit User Account Management | Success, Failure | 
| Detailed Tracking | Audit DPAPI Activity | Success, Failure | 
|  | Audit PNP Activity | Success | 
|  | Audit Process Creation | Success, Failure | 
| DS Access | Audit Directory Service Access | Success, Failure | 
|  | Audit Directory Service Changes | Success, Failure | 
| Logon/Logoff | Audit Account Lockout | Success, Failure | 
|  | Audit Logoff | Success | 
|  | Audit Logon | Success, Failure | 
|  | Audit Other Logon/Logoff Events | Success, Failure | 
|  | Audit Special Logon | Success, Failure | 
| Object Access | Audit Other Object Access Events | Success, Failure | 
|  | Audit Removable Storage | Success, Failure | 
|  | Audit Central Access Policy Staging | Success, Failure | 
| Policy Change | Audit Policy Change | Success, Failure | 
|  | Audit Authentication Policy Change | Success, Failure | 
|  | Audit Authorization Policy Change | Success, Failure | 
|  | Audit MPSSVC Rule-Level Policy Change | Success | 
|  | Audit Other Policy Change Events | Failure | 
| Privilege Use | Audit Sensitive Privilege Use | Success, Failure | 
| System | Audit IPsec Driver | Success, Failure | 
|  | Audit Other System Events | Success, Failure | 
|  | Audit Security State Change | Success, Failure | 
|  | Audit Security System Extension | Success, Failure | 
|  | Audit System Integrity | Success, Failure | 

# Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD
<a name="ms_ad_enable_log_forwarding"></a>

You can use either the Directory Service console or APIs to forward domain controller security event logs to Amazon CloudWatch Logs for your AWS Managed Microsoft AD. This helps you to meet your security monitoring, audit, and log retention policy requirements by providing transparency of the security events in your directory.

CloudWatch Logs can also forward these events to other AWS accounts, AWS services, or third party applications. This makes it easier for you to centrally monitor and configure alerts to detect and respond proactively to unusual activities in near real time.

Once enabled, you can then use the CloudWatch Logs console to retrieve the data from the log group you specified when you enabled the service. This log group contains the security logs from your domain controllers. 

For more information about log groups and how to read their data, see [Working with log groups and log streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in the *Amazon CloudWatch Logs User Guide*. 

**Note**  
Log forwarding is a Regional feature of AWS Managed Microsoft AD. If you are using [Multi-Region replication](ms_ad_configure_multi_region_replication.md), the following procedures must be applied separately in each Region. For more information, see [Global vs Regional features](multi-region-global-region-features.md).  
Once enabled, the log forwarding capability will begin transmitting logs from your domain controllers to the specified CloudWatch log group. Any logs created before log forwarding is enabled will not be transferred to the CloudWatch log group.

**Topics**
+ [Using the AWS Management Console to enable Amazon CloudWatch Logs log forwarding](#enable_log_forwarding_with_console)
+ [Using the CLI or PowerShell to enable Amazon CloudWatch Logs log forwarding](#enable_log_forwarding_with_cli)

## Using the AWS Management Console to enable Amazon CloudWatch Logs log forwarding
<a name="enable_log_forwarding_with_console"></a>

You can enable Amazon CloudWatch Logs log forwarding for your AWS Managed Microsoft AD in the AWS Management Console.

1. In the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. Choose the directory ID of the AWS Managed Microsoft AD directory for which you want to enable log forwarding.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to enable log forwarding, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Log forwarding** section, choose **Enable**.

1. On the **Enable log forwarding to CloudWatch** dialog, choose either of the following options:

   1. Select **Create a new CloudWatch log group**, and then under **CloudWatch Log group name**, specify a name that you can refer to in CloudWatch Logs.

   1. Select **Choose an existing CloudWatch log group**, and under **Existing CloudWatch log groups**, select a log group from the menu.

1. Review the pricing information and link, and then choose **Enable**.

## Using the CLI or PowerShell to enable Amazon CloudWatch Logs log forwarding
<a name="enable_log_forwarding_with_cli"></a>

Before you can use the [create-log-subscription](https://docs.aws.amazon.com/cli/latest/reference/ds/create-log-subscription.html) command, you must first create an Amazon CloudWatch log group and then create an IAM resource policy that will grant the necessary permission to that group. To enable log forwarding using the CLI or PowerShell, complete the following steps.

### Step 1: Create a log group in CloudWatch Logs
<a name="step1_create_log_group"></a>

Create a log group that will be used to receive the security logs from your domain controllers. We recommend prefixing the name with `/aws/directoryservice/`, but that is not required. For example:

------
#### [ CLI Command ]

```
aws logs create-log-group --log-group-name '/aws/directoryservice/d-1111111111'
```

------
#### [ PowerShell Command ]

```
New-CWLLogGroup -LogGroupName '/aws/directoryservice/d-1111111111'
```

------

For instructions on how to create a CloudWatch Logs group, see [Create a log group in CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#Create-Log-Group) in the *Amazon CloudWatch Logs User Guide*.

### Step 2: Create a CloudWatch Logs resource policy in IAM
<a name="step2_create_resource_policy"></a>

Create a CloudWatch Logs resource policy that grants Directory Service permission to write logs into the log group you created in Step 1. You can either specify the exact ARN of the log group, which limits Directory Service's access to that single group, or use a wildcard to include several log groups. The following sample policy uses the wildcard method to include all log groups that start with `/aws/directoryservice/` in the AWS account where your directory resides. 

Save this policy to a text file (for example, DSPolicy.json) on your local workstation, because the CLI command reads the policy document from that file. For example:

------
#### [ CLI Command ]

```
aws logs put-resource-policy --policy-name DSLogSubscription --policy-document file://DSPolicy.json
```

------
#### [ PowerShell Command ]

```
# -Raw reads the file as one string; the en dash in the original (–Raw) is not a valid parameter prefix
$PolicyDocument = Get-Content .\DSPolicy.json -Raw
Write-CWLResourcePolicy -PolicyName DSLogSubscription -PolicyDocument $PolicyDocument
```

------

### Step 3: Create a Directory Service log subscription
<a name="step3_create_log_subscription"></a>

In this final step, enable log forwarding by creating the log subscription. For example:

------
#### [ CLI Command ]

```
aws ds create-log-subscription --directory-id 'd-1111111111' --log-group-name '/aws/directoryservice/d-1111111111'
```

------
#### [ PowerShell Command ]

```
New-DSLogSubscription -DirectoryId 'd-1111111111' -LogGroupName '/aws/directoryservice/d-1111111111'
```

------
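Steps 1 through 3 carried through end to end in one script, as an added example that is not part of the AWS guide. It assumes a configured AWS CLI, that `logs:CreateLogStream` and `logs:PutLogEvents` are the two actions Directory Service needs on the log group (an assumption; the page describes the wildcard policy but does not print it), and that the directory ID is passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the AWS guide: log group, resource policy and
# log subscription for one directory, with the policy scoped to this account
# and Region so the wildcard grants nothing beyond /aws/directoryservice/.
set -eu

# Step 2: emit the resource policy. Only the Directory Service principal may
# write, and only into log groups under /aws/directoryservice/ in the given
# account and Region (the ARN, not the prefix, is what bounds the grant).
ds_log_policy() {
  account=$1
  region=$2
  partition=${3:-aws}   # "aws-us-gov" or "aws-cn" for those partitions
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ds.amazonaws.com" },
      "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Resource": "arn:${partition}:logs:${region}:${account}:log-group:/aws/directoryservice/*"
    }
  ]
}
EOF
}

# Refuse anything that is not shaped like a directory ID ("d-" plus ten
# lowercase alphanumerics) before it is spliced into a log group name.
valid_directory_id() {
  printf '%s' "$1" | grep -Eq '^d-[0-9a-z]{10}$'
}

# Steps 1-3: create the log group, attach the policy, start forwarding.
# create-log-group fails if the group already exists; remove that line to
# reuse a group you created earlier.
enable_ds_log_forwarding() {
  dir_id=$1
  region=$2
  if ! valid_directory_id "$dir_id"; then
    echo "not a directory ID: $dir_id" >&2
    return 1
  fi
  log_group="/aws/directoryservice/${dir_id}"
  account=$(aws sts get-caller-identity --query Account --output text)
  policy_file=$(mktemp)
  ds_log_policy "$account" "$region" > "$policy_file"
  aws logs create-log-group --region "$region" --log-group-name "$log_group"
  aws logs put-resource-policy --region "$region" \
    --policy-name DSLogSubscription --policy-document "file://${policy_file}"
  aws ds create-log-subscription --region "$region" \
    --directory-id "$dir_id" --log-group-name "$log_group"
  rm -f "$policy_file"
}

# Only touch the account when explicitly asked:
#   DS_APPLY=1 ./forward.sh d-1111111111 us-east-1
if [ "${DS_APPLY:-0}" = "1" ]; then
  enable_ds_log_forwarding "$1" "$2"
fi
```

Events written before the subscription exists are not back-filled, as the note at the top of this section says, so create the subscription before you rely on the log group for detection.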

# Using CloudWatch to monitor the performance of your AWS Managed Microsoft AD domain controllers
<a name="ms_ad_monitor_dc_performance"></a>

Directory Service integrates with Amazon CloudWatch to help provide you with important performance metrics for each domain controller in your Active Directory. This means that you can monitor domain controller performance counters, such as CPU and memory utilization. You can also configure alarms and initiate automated actions to respond to periods of high utilization. For example, you can configure an alarm for domain controller CPU utilization above 70 percent and create an SNS topic to notify you when this occurs. You can use this SNS topic to initiate automation, such as AWS Lambda functions, to increase the number of domain controllers to your Active Directory.
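The alarm the paragraph describes, domain controller CPU above 70 percent notifying an SNS topic, as an added example that is not part of the AWS guide. The CloudWatch namespace `AWS/DirectoryService`, the metric name `Processor % Processor Time` and the dimension names `Directory ID` and `Domain Controller IP` are assumptions not stated on this page; confirm them in the CloudWatch **Metrics** view before relying on the alarm.

```shell
#!/bin/sh
# Added example, not code from the AWS guide. Namespace, metric and dimension
# names are assumptions (see lead-in); the CLI flags are standard
# put-metric-alarm options.
set -eu

# JSON dimension list selecting one domain controller of one directory.
dc_dimensions() {
  printf '[{"Name":"Directory ID","Value":"%s"},{"Name":"Domain Controller IP","Value":"%s"}]' \
    "$1" "$2"
}

# Create or update the alarm. Three consecutive 5-minute periods must exceed
# the threshold, so a short spike such as patching does not page anyone, and
# the OK action tells the same topic when the controller recovers.
# Setting AWS_CLI=echo previews the call without touching the account.
dc_cpu_alarm() {
  dir_id=$1
  dc_ip=$2
  topic_arn=$3
  threshold=${4:-70}
  ${AWS_CLI:-aws} cloudwatch put-metric-alarm \
    --alarm-name "ds-${dir_id}-${dc_ip}-cpu" \
    --alarm-description "Domain controller ${dc_ip} of ${dir_id} CPU above ${threshold}%" \
    --namespace AWS/DirectoryService \
    --metric-name "Processor % Processor Time" \
    --dimensions "$(dc_dimensions "$dir_id" "$dc_ip")" \
    --statistic Average \
    --period 300 \
    --evaluation-periods 3 \
    --threshold "$threshold" \
    --comparison-operator GreaterThanThreshold \
    --alarm-actions "$topic_arn" \
    --ok-actions "$topic_arn"
}

# Example invocation (constructed values):
#   dc_cpu_alarm d-1111111111 10.0.0.10 arn:aws:sns:us-east-1:123456789012:DirectoryMonitoring
```

Run it once per domain controller IP shown in the directory's **Domain controllers** list so that each controller has its own alarm.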

For more information about monitoring your domain controllers, see [Determining when to add domain controllers with CloudWatch metrics](#scaledcs).

There are fees associated with Amazon CloudWatch. For more information, see [CloudWatch billing and cost](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_billing.html).

**Important**  
Domain controller performance metrics with CloudWatch are unavailable in the Canada West (Calgary) Region.  
To enable CloudWatch, see [Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD](ms_ad_enable_log_forwarding.md).

## Finding domain controllers performance metrics in CloudWatch
<a name="locate_dc_metrics_in_cw"></a>

In the Amazon CloudWatch console, metrics for a given service are grouped first by the service's namespace. You can add metric filters that are subordinate to that namespace. Use the following procedure to locate the correct namespace and subordinate metric that is required to set up AWS Managed Microsoft AD domain controller metrics in CloudWatch.

**To find domain controller metrics in the CloudWatch console**

1. Sign in to the AWS Management Console and open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. From the list of metrics, select the **Directory Service** namespace, and then from the list, select the **AWS Managed Microsoft AD** metric.

For instructions on how to set up domain controller metrics using the CloudWatch console, see [How to automate AWS Managed Microsoft AD scaling based on utilization metrics](https://aws.amazon.com/blogs/security/how-to-automate-aws-managed-microsoft-ad-scaling-based-on-utilization-metrics/) in the AWS Security Blog.

## Determining when to add domain controllers with CloudWatch metrics
<a name="scaledcs"></a>

Load balancing across all of your domain controllers is important for the resilience and performance of your Active Directory. To help you optimize the performance of your domain controllers in AWS Managed Microsoft AD, we recommend that you first monitor important metrics in CloudWatch to form a baseline. During this process, you analyze your Active Directory over time to identify your average and peak Active Directory utilization. After determining your baseline, you can monitor these metrics on a regular basis to help determine when to add a domain controller to your Active Directory.

The following metrics are important to monitor on a regular basis. For a full list of available domain controller metrics in CloudWatch, see [AWS Managed Microsoft AD performance counters](#performance-counters). 
+ Domain controller-specific metrics, such as:
  + Processor
  + Memory
  + Logical Disk
  + Network Interface
+ AWS Managed Microsoft AD directory-specific metrics, such as:
  + LDAP searches
  + Binds
  + DNS queries
  + Directory reads
  + Directory writes

For instructions on how to set up domain controller metrics using the CloudWatch console, see [How to automate AWS Managed Microsoft AD scaling based on utilization metrics](https://aws.amazon.com/blogs/security/how-to-automate-aws-managed-microsoft-ad-scaling-based-on-utilization-metrics/) in the AWS Security Blog. For general information about metrics in CloudWatch, see [Using Amazon CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) in the *Amazon CloudWatch User Guide*. 

For general information about domain controller planning, see [Capacity planning for Active Directory Domain Services](https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services) on the Microsoft website.

## AWS Managed Microsoft AD performance counters
<a name="performance-counters"></a>

The following table lists all performance counters available in Amazon CloudWatch for tracking domain controller and directory performance in AWS Managed Microsoft AD.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_monitor_dc_performance.html)

# Disabling Amazon CloudWatch log forwarding for AWS Managed Microsoft AD
<a name="ms_ad_disable_log_forwarding_with_console"></a>

You can disable CloudWatch Logs log forwarding for your AWS Managed Microsoft AD in the AWS Management Console. For more information on log forwarding, see [Using CloudWatch to monitor the performance of your AWS Managed Microsoft AD domain controllers](ms_ad_monitor_dc_performance.md).

1. In the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. Choose the directory ID of the AWS Managed Microsoft AD directory for which you want to disable log forwarding.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to disable log forwarding, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Log forwarding** section, choose **Disable**.

1. Once you've read the information in the **Disable log forwarding** dialog, choose **Disable**.

# Monitoring DNS Server with Microsoft Event Viewer
<a name="ms_ad_dns_event_viewer"></a>

You can audit your AWS Managed Microsoft AD DNS events, making it easier to identify and troubleshoot DNS issues. For example, if a DNS record is missing, you can use the DNS audit event log to help identify the root cause and fix the issue. You can also use DNS audit event logs to improve security by detecting and blocking requests from suspicious IP addresses.

To do that, you must be logged on with the **Admin** account or with an account that is a member of the **AWS Domain Name System Administrators** group. For more information about this group, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).

**To access Event Viewer for your AWS Managed Microsoft AD DNS**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the left navigation pane, choose **Instances**.

1. Locate an Amazon EC2 instance that is joined to your AWS Managed Microsoft AD directory. Select the instance and then choose **Connect**.

1. Once connected to the Amazon EC2 instance, open the **Start** menu and select the **Windows Administrative Tools** folder. Within the **Administrative Tools** folder, select **Event Viewer**.

1. In the **Event Viewer** window, choose **Action** and then choose **Connect to Another Computer**.

1. Select **Another computer**, type the name or IP address of one of your AWS Managed Microsoft AD DNS servers, and choose **OK**.

1. In the left pane, navigate to **Applications and Services Logs**>**Microsoft**>**Windows**>**DNS-Server**, and then select **Audit**.