Monitoring ADFS and the AAD Connect Sync Engine using AAD Connect Health:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/#test-connectivity-to-azure-ad-connect-health-service

To test connectivity:

Test-AzureADConnectHealthConnectivity [-Role] {Adfs | Sync | Adds | HybridReporting} [[-ShowResult]]

The role parameter currently takes the following values:

ADFS
Sync
ADDS
HybridReporting

Test-AzureADConnectHealthConnectivity -Role ADFS -Showresult


AD health agent Errors:

Test Authentication Request (Synthetic Transaction) failed to obtain a token

https://social.msdn.microsoft.com/Forums/security/en-US/38a08011-3643-4b93-9df9-63ba17603a35/azure-adfs-health-monitoring-errors-need-resolution-guidance?forum=WindowsAzureAD

To check and to solve this issue:

PS C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics> import-module .\ADFSDiagnostics.psm1
PS C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics> Test-AdfsServerHealth | ft name,result -autosize

Name Result
---- ------
IsAdfsRunning Pass
IsWidRunning Pass

TestSSLUsingADFSPort NotRun
TestSSLCertSubjectContainsADFSFarmName NotRun
TestAdfsAuditPolicyEnabled Pass
TestAdfsRequestToken Fail                          <===== error
CheckOffice365Endpoints NotRun
TestADFSO365RelyingParty NotRun
TestNtlmOnlySupportedClientAtProxyEnabled NotRun

Solution:

In the hosts file on the ADFS server (C:\Windows\System32\drivers\etc\hosts), add the line:

127.0.0.1   adfs.mydomain.com

Then rerun Test-AdfsServerHealth:

TestSSLUsingADFSPort NotRun
TestSSLCertSubjectContainsADFSFarmName NotRun
TestAdfsAuditPolicyEnabled Pass
TestAdfsRequestToken Pass
CheckOffice365Endpoints NotRun
TestADFSO365RelyingParty NotRun
TestNtlmOnlySupportedClientAtProxyEnabled NotRun
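
The check-and-fix procedure above as one script. This is an added example, not part of the original post or of the Health agent. It assumes adfs.mydomain.com (the post's placeholder) stands for your farm name, that the agent is installed in the path shown above, and that the hosts file is in its standard Windows location.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the ADFS server itself.
# Assumption: replace the placeholder below with your own farm name.
$FarmName  = 'adfs.mydomain.com'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$DiagPath  = 'C:\Program Files\Azure Ad Connect Health Adfs Agent\Diagnostics'

Import-Module (Join-Path $DiagPath 'ADFSDiagnostics.psm1')

# Collect the names of the tests that currently fail
$failed = @(Test-AdfsServerHealth | Where-Object { $_.Result -eq 'Fail' } |
            ForEach-Object { $_.Name })

if ($failed -notcontains 'TestAdfsRequestToken') {
    Write-Output 'TestAdfsRequestToken is not failing; hosts file left unchanged.'
}
else {
    # Find active hosts entries for the farm name: drop comments,
    # then compare every token after the address.
    $existing = @(Get-Content -Path $HostsPath | Where-Object {
        $tokens = ($_ -replace '#.*$', '').Trim() -split '\s+'
        $tokens.Count -ge 2 -and ($tokens | Select-Object -Skip 1) -contains $FarmName
    })

    if ($existing.Count -gt 0) {
        # An entry already exists (possibly pointing elsewhere); do not add a second one
        Write-Output "Existing hosts entry for ${FarmName}, nothing added:"
        $existing
    }
    else {
        # Keep a copy so the change is easy to review and revert
        Copy-Item -Path $HostsPath -Destination "$HostsPath.bak" -Force
        Add-Content -Path $HostsPath -Value "127.0.0.1   $FarmName"
        Write-Output "Added: 127.0.0.1   $FarmName (backup: $HostsPath.bak)"
    }
}

# Rerun the diagnostics and show the outcome in the same form as above
Test-AdfsServerHealth | Format-Table Name, Result -AutoSize
```

With this entry in place the server resolves the farm name to itself, so the synthetic token request is answered by the local ADFS service.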

