Jon,
Maybe it's not the best method for monitoring DCs, but I think it's pretty safe to say that whenever LDAP access to a DC is not functioning, the DC is probably offline or in an unusable state. So, an LDAP-based monitor might be a safe bet.
You have to create a (special-purpose) user in AD for this to work (or re-use the one from the XML-broker monitor). Make sure this user's password never expires, otherwise your monitor will stop working when it does and flag the pool offline. Hard to debug one year from now when you've forgotten all about it 🙂
The base DN is set to the user's DN, so as not to stress the DC unnecessarily with a subtree search every 30 secs.
Here's our monitor:
ltm monitor ldap /Common/monitor_aaa_ad {
    base "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
    chase-referrals no
    debug no
    defaults-from /Common/ldap
    destination *:636
    filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
    interval 30
    mandatory-attributes yes
    password xxxxxxxxxxxxxxxxx
    security ssl
    time-until-up 0
    timeout 91
    username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
}
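As an added example (not part of the post above and not F5 code), here is a small Python script that reads a tmsh "ltm monitor ldap" stanza and checks it for the properties the post relies on: LDAPS on port 636 with security ssl, mandatory-attributes yes (so an empty result is treated as a failure), a base DN equal to the bind user's DN (a base-scope lookup rather than a subtree search on every interval), and a timeout longer than the interval. The two stanzas embedded in the script are constructed samples; the monitor names, DNs and password are placeholders, and the second stanza is deliberately weakened to show what the audit reports.

```python
"""Audit an F5 tmsh 'ltm monitor ldap' stanza for the settings discussed in the post.

Added example, not F5's code.  Both sample stanzas below are constructed;
the DNs, monitor names and password are placeholders.
"""
import shlex

# Constructed sample: the shape of the monitor shown in the post.
GOOD_MONITOR = """\
ltm monitor ldap /Common/monitor_aaa_ad {
    base "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
    chase-referrals no
    destination *:636
    filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
    interval 30
    mandatory-attributes yes
    password xxxxxxxxxxxxxxxxx
    security ssl
    timeout 91
    username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
}
"""

# Constructed sample: plain LDAP, subtree base, no mandatory attributes, short timeout.
WEAK_MONITOR = """\
ltm monitor ldap /Common/monitor_ldap_weak {
    base "dc=xxx,dc=xxx,dc=xx"
    destination *:389
    filter (&(objectClass=user)(cn=SVC-F5CitrixMonitor))
    interval 30
    mandatory-attributes no
    password xxxxxxxxxxxxxxxxx
    security none
    timeout 16
    username "cn=SVC-F5CitrixMonitor,ou=Service Accounts,ou=Users,ou=xxx,dc=xxx,dc=xxx,dc=xx"
}
"""


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators so that
    'CN=a, OU=b' and 'cn=a,ou=b' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_monitor(text):
    """Parse one 'ltm monitor ldap <name> { ... }' stanza into (name, attrs).

    Values are kept as strings; quoted values (the DNs) become one token."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    header = shlex.split(lines[0])
    if header[:3] != ["ltm", "monitor", "ldap"] or header[-1] != "{":
        raise ValueError("not an 'ltm monitor ldap' stanza")
    name = header[3]
    attrs = {}
    for line in lines[1:]:
        if line == "}":
            break
        tokens = shlex.split(line)
        attrs[tokens[0]] = " ".join(tokens[1:])
    return name, attrs


def audit_monitor(attrs):
    """Return a list of findings; an empty list means the stanza matches
    the hardened shape (LDAPS, mandatory attributes, base-scope probe)."""
    issues = []
    port = attrs.get("destination", "").rsplit(":", 1)[-1]
    if port != "636":
        issues.append(f"destination port {port or '?'} is not 636 (LDAPS)")
    if attrs.get("security") not in ("ssl", "tls"):
        issues.append("security is not ssl/tls: the bind password crosses the wire in clear")
    if attrs.get("mandatory-attributes") != "yes":
        issues.append("mandatory-attributes is not yes: an empty search result still counts as up")
    base = normalize_dn(attrs.get("base", ""))
    user = normalize_dn(attrs.get("username", ""))
    if not base or base != user:
        issues.append("base DN differs from the bind user's DN: probe is a subtree search each interval")
    try:
        if int(attrs.get("timeout", "0")) <= int(attrs.get("interval", "0")):
            issues.append("timeout is not greater than interval: probe can time out before it completes")
    except ValueError:
        issues.append("interval/timeout are not integers")
    return issues


if __name__ == "__main__":
    for stanza in (GOOD_MONITOR, WEAK_MONITOR):
        name, attrs = parse_monitor(stanza)
        findings = audit_monitor(attrs)
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against the output of `tmsh list ltm monitor ldap <name>` saved to a file; the base-DN check is the one most often missed, since a monitor whose base is the domain root still reports up but makes every DC answer a subtree search on each interval.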