Monitor UDP ports availability with SCOM 2022

Bojan Zivkovic 606 Reputation points
2025-04-03T08:35:33.5233333+00:00

Hi, is there any way of monitoring UDP ports availability with SCOM 2022? I'd like to monitor udp/53 and udp/123 availability on Domain Controllers (for starters) so we get alerted if a port is not accessible from given source servers.

Thank you in advance.

System Center Operations Manager

2 answers

  1. XinGuo-MSFT 22,231 Reputation points
    2025-04-03T09:14:11.7066667+00:00

    Hi,

    Here's a PowerShell script that uses the PortQry command-line tool to check the availability of UDP ports and integrates with SCOM to create a custom monitor.

    This script will check the status of UDP ports 53 and 123 on your Domain Controllers and generate alerts if the ports are not accessible.

    1. Download PortQry:
      • Ensure you have the PortQry tool downloaded and extracted to a directory on your server.
    2. Create the PowerShell Script:
      • Save the following script as Check-UDPPorts.ps1:
    param (
        [Parameter(Mandatory = $true)]
        [string]$Server,
        [int[]]$Ports = @(53, 123)   # the list actually probed (the original declared an unused -Port)
    )
    
    $portQryPath = "C:\Path\To\PortQry.exe"  # Update this path to where PortQry is located
    if (-not (Test-Path -Path $portQryPath)) {
        Write-Output "PortQry not found at $portQryPath"
        exit 2
    }
    
    function Test-UDPPort {
        param (
            [string]$Server,
            [int]$Port
        )
    
        # UDP is connectionless: unless PortQry gets an application-layer reply (it sends a
        # real DNS query on port 53), a silent port looks the same as a filtered one and
        # PortQry reports "LISTENING or FILTERED". A plain -match "LISTENING" accepts that
        # ambiguous string as success, so use the exit code instead:
        # 0 = LISTENING, 1 = NOT LISTENING, 2 = LISTENING or FILTERED.
        $result = & $portQryPath -n $Server -p udp -e $Port 2>&1
        $code = $LASTEXITCODE
        Write-Verbose ($result -join "`n")
        return ($code -eq 0)
    }
    
    $allPortsOpen = $true
    
    foreach ($port in $Ports) {
        if (-not (Test-UDPPort -Server $Server -Port $port)) {
            $allPortsOpen = $false
            Write-Output "Port udp/$port is not open (or gave no reply) on $Server"
        } else {
            Write-Output "Port udp/$port is open on $Server"
        }
    }
    
    if ($allPortsOpen) {
        exit 0  # All ports answered
    } else {
        exit 1  # One or more ports did not answer
    }
    
    3. Create a SCOM Monitor:
      • Open the SCOM Console.
      • Navigate to Authoring > Monitors > Create a Monitor > Unit Monitor.
      • Select Scripting > Generic > Sample PowerShell Script 2 State Monitor.
      • Choose the appropriate management pack or create a new one.
      • Configure the monitor to target your Domain Controllers.
      • Set the script path to the location of Check-UDPPorts.ps1.
      • Configure the parameters to pass the server name and ports to the script.
      • Set the script to run at regular intervals and configure the alerting conditions based on the script's exit code.

    This setup will allow you to monitor the availability of UDP ports 53 and 123 on your Domain Controllers using SCOM and receive alerts if any issues are detected.

    If you need further assistance or have any questions, feel free to ask! 😊
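
An added example, not code from the answer above or from Microsoft: rather than shelling out to PortQry, the script below speaks the two protocols itself (a DNS SOA query on udp/53 and an NTP client request on udp/123) so that "port open" and "service answers correctly" are the same check, and it returns the result to SCOM as a property bag, which is what a two-state PowerShell monitor's health expression reads. The DC names in `$Targets`, the zone in `$Zone`, the timeout and the drift tolerance are assumed placeholder values, not taken from the post.

```powershell
# Added example (not from the original answer). Assumed values: $Targets, $Zone,
# $TimeoutMs and $MaxDriftSeconds are placeholders to replace with your own.
param (
    [string[]]$Targets = @("dc01.corp.example", "dc02.corp.example"),
    [string]$Zone = "corp.example",
    [int]$TimeoutMs = 2000,
    [double]$MaxDriftSeconds = 5.0
)

function Send-UdpProbe {
    # One datagram out, one datagram back; Receive throws on timeout or ICMP unreachable.
    param ([string]$Server, [int]$Port, [byte[]]$Payload, [int]$TimeoutMs)
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($Payload, $Payload.Length)
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        return ,$udp.Receive([ref]$from)
    } finally {
        $udp.Close()
    }
}

function ConvertFrom-BigEndianUInt32 {
    param ([byte[]]$Bytes, [int]$Offset)
    [byte[]]$chunk = $Bytes[$Offset..($Offset + 3)]
    [array]::Reverse($chunk)            # wire order is big-endian, x86 is little-endian
    return [BitConverter]::ToUInt32($chunk, 0)
}

function Test-DnsUdp {
    # True only for a NOERROR response to our own query with at least one answer RR.
    param ([string]$Server, [string]$Name, [int]$TimeoutMs)
    $id = Get-Random -Minimum 1 -Maximum 65535
    $q = [System.Collections.Generic.List[byte]]::new()
    # Header: ID, flags 0x0100 (RD), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    $q.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 1, 0, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $b = [System.Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$b.Length)
        $q.AddRange($b)
    }
    $q.AddRange([byte[]]@(0, 0, 6, 0, 1))   # root label, QTYPE=SOA, QCLASS=IN
    $r = Send-UdpProbe -Server $Server -Port 53 -Payload $q.ToArray() -TimeoutMs $TimeoutMs
    $ok = ($r.Length -ge 12) -and
          ((($r[0] -shl 8) -bor $r[1]) -eq $id) -and   # reply to our ID, not a stray packet
          (($r[2] -band 0x80) -ne 0) -and               # QR bit set: it is a response
          (($r[3] -band 0x0F) -eq 0) -and               # RCODE 0 = NOERROR
          ((($r[6] -shl 8) -bor $r[7]) -ge 1)           # ANCOUNT >= 1
    return $ok
}

function Test-NtpUdp {
    # Returns the server clock's offset from this host in seconds, or $null for an invalid reply.
    param ([string]$Server, [int]$TimeoutMs)
    $req = New-Object byte[] 48
    $req[0] = 0x1B                        # LI=0, VN=3, Mode=3 (client)
    $r = Send-UdpProbe -Server $Server -Port 123 -Payload $req -TimeoutMs $TimeoutMs
    # A real server answers in mode 4 with stratum 1..15; stratum 0 or 16 means unsynchronised
    if ($r.Length -lt 48 -or (($r[0] -band 0x07) -ne 4) -or $r[1] -lt 1 -or $r[1] -gt 15) {
        return $null
    }
    $secs = ConvertFrom-BigEndianUInt32 -Bytes $r -Offset 40   # transmit timestamp, seconds
    $frac = (ConvertFrom-BigEndianUInt32 -Bytes $r -Offset 44) / 4294967296.0
    $ntpEpoch = [datetime]::new(1900, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
    return ($ntpEpoch.AddSeconds($secs + $frac) - [datetime]::UtcNow).TotalSeconds
}

$problems = @()
foreach ($dc in $Targets) {
    try {
        if (-not (Test-DnsUdp -Server $dc -Name $Zone -TimeoutMs $TimeoutMs)) {
            $problems += "$dc udp/53: no NOERROR SOA answer for $Zone"
        }
    } catch { $problems += "$dc udp/53: $($_.Exception.Message)" }
    try {
        $offset = Test-NtpUdp -Server $dc -TimeoutMs $TimeoutMs
        if ($null -eq $offset) {
            $problems += "$dc udp/123: no valid NTP server reply"
        } elseif ([math]::Abs($offset) -gt $MaxDriftSeconds) {
            $problems += "$dc udp/123: offset $([math]::Round($offset, 3))s"
        }
    } catch { $problems += "$dc udp/123: $($_.Exception.Message)" }
}

$state  = if ($problems.Count -eq 0) { "Healthy" } else { "Unhealthy" }
$detail = if ($problems.Count -eq 0) { "All probes answered" } else { $problems -join "; " }
try {
    $api = New-Object -ComObject "MOM.ScriptAPI"   # only present where the SCOM agent is installed
    $bag = $api.CreatePropertyBag()
    $bag.AddValue("State", $state)
    $bag.AddValue("Detail", $detail)
    $bag                                            # health expression reads Property[@Name='State']
} catch {
    Write-Output "$state : $detail"                 # interactive run without the agent
}
```

Run it from each source server the question mentions (not from the DC) so the probe crosses the same firewalls the clients do. In the monitor, set the healthy condition to `Property[@Name='State']` equals `Healthy` and the unhealthy one to `Unhealthy`; a timeout, an ICMP port-unreachable, a SERVFAIL from DNS, a kiss-of-death or unsynchronised NTP reply and an NTP offset beyond the tolerance all land in the unhealthy branch with the reason in `Detail`.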


  2. SChalakov 10,576 Reputation points MVP Volunteer Moderator
    2025-04-04T15:14:08.7866667+00:00

    Hi Bojan,

    Monitoring only the ports of a service (in your example: DNS, NTP) covers just a small aspect of ensuring that the service is truly available and functioning as expected. I would not recommend monitoring these UDP ports directly, as the effort involved often outweighs the actual benefits. Simply checking port availability does not guarantee that the service behind it is operational.

    Instead, here’s what I would recommend:

    NTP Monitoring

    The Active Directory management pack already provides basic time synchronization monitoring. However, if you want a more comprehensive solution, I suggest following Kevin Holman's approach, which is well-documented here:

    Monitoring for time drift in your enterprise – Kevin Holman

    This approach allows you to monitor time drift using a reference NTP server, ensuring that your systems remain in sync.

    DNS – Inbound Query Monitoring

    Monitoring UDP port 53 alone will only confirm that the port is open and accepting traffic—it won't tell you whether the DNS service is responding correctly to queries.

    A better method is to use performance counters. For example, you can monitor the following counter:

    [image attachment: screenshot of the DNS performance counter, not captured in this copy]

    This counter will show you whether inbound DNS queries are being received by the server, which also implies that traffic is reaching port 53/UDP and being processed correctly by the DNS service.

    You can just use the counter and configure a monitor with it, a simple process in SCOM.

    If You Choose to Use PowerShell Scripts

    If you still decide to go ahead with a custom PowerShell script for monitoring, make sure that:

    The agent executing the script has all required modules installed.

    The correct PowerShell version is in place.

    You have thoroughly tested the script on that specific agent.

    Let me know if you'd like help setting up any of the suggested monitoring methods.

    Best regards,

    Stoyan
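
An added example, not code from the answer above or from Kevin Holman's article: the two checks it recommends in place of raw port probes, run on the DC itself. The first samples the DNS server's inbound UDP query counter over a short window; the second measures drift against a reference NTP server with `w32tm /stripchart`, which is the mechanism the linked time-drift approach is built on. The counter path `\DNS\UDP Query Received/sec` (verify the exact name in Performance Monitor on your DC, since the screenshot did not survive), the reference server and the thresholds are assumptions, not values from the post.

```powershell
# Added example (not from the original answer). Assumed: the counter path, $ReferenceNtp
# and the thresholds; confirm the counter name on your own DNS server before using it.
param (
    [string]$ReferenceNtp = "time.windows.com",   # use your PDC emulator's upstream source
    [int]$SampleSeconds = 30,
    [double]$MaxDriftSeconds = 1.0
)

function Get-DnsUdpQueryRate {
    # Average inbound UDP queries per second over the window. A DC that serves clients
    # but reports 0 for the whole window is the condition the counter is meant to reveal.
    param ([int]$Seconds, [int]$IntervalSeconds = 5)
    $samples = [math]::Max(1, [int][math]::Floor($Seconds / $IntervalSeconds))
    $sets = Get-Counter -Counter '\DNS\UDP Query Received/sec' `
                        -SampleInterval $IntervalSeconds -MaxSamples $samples
    return ($sets.CounterSamples.CookedValue | Measure-Object -Average).Average
}

function Get-NtpOffsetSeconds {
    # w32tm prints one line per sample such as "08:35:33, +00.0012345s"; average the offsets.
    # The decimal separator follows the OS locale; adjust the regex on non-English systems.
    param ([string]$Reference, [int]$Samples = 3)
    $lines = & w32tm.exe /stripchart "/computer:$Reference" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "no offset samples from ${Reference}: $($lines -join ' ')" }
    return ($offsets | Measure-Object -Average).Average
}

$rate   = Get-DnsUdpQueryRate -Seconds $SampleSeconds
$offset = Get-NtpOffsetSeconds -Reference $ReferenceNtp
[pscustomobject]@{
    DnsUdpQueriesPerSec = [math]::Round($rate, 2)
    DnsReceivingQueries = ($rate -gt 0)
    NtpOffsetSeconds    = [math]::Round($offset, 4)
    NtpWithinTolerance  = ([math]::Abs($offset) -le $MaxDriftSeconds)
}
```

The two boolean fields are what you would map to a monitor's healthy and unhealthy states. Note the trade-off against a remote probe: the counter proves the service is processing traffic that reached it, but if a firewall between a given source server and the DC blocks udp/53, the counter stays healthy as long as other clients keep querying, so the counter check answers "is DNS working" rather than "is DNS reachable from host X".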

