CHAPTER 14
MANAGING ACTIVE DIRECTORY PERFORMANCE
Lesson 1:
Active Directory Performance Monitoring Tools
Monitoring Active Directory performance is an important part of maintaining and administering your
Microsoft Windows 2000 installation. You use Active Directory performance data to:
Understand Active Directory performance and the corresponding effect on your system’s resources.
Observe changes and trends in performance and resource usage so you can plan for future upgrades.
Test configuration changes and other tuning efforts by monitoring the results.
Diagnose problems and target components or processes for optimization.
Event Logs for Monitoring Active Directory Performance
=======================================================================
Log                   Description
=======================================================================
Application           Errors, warnings, and information that programs
                      such as e-mail or database applications generate.
Directory Service     Errors, warnings, and information that Active
                      Directory services generate.
File Replication      Errors, warnings, and information that the File
Service               Replication Service generates.
System                Errors, warnings, and information that Windows 2000
                      generates. Windows 2000 presets which events are
                      recorded.
========================================================================
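The four logs above are the first place to look when a domain controller misbehaves. The following is an added example, not part of the original notes: it pulls the last 24 hours of errors and warnings from those logs and groups them by source and event ID so that a noisy, repeating event stands out from a one-off. It assumes a current Windows Server with PowerShell 5.1 or later (Get-WinEvent); on a Windows 2000 domain controller the same view is obtained from the Event Viewer console.

```powershell
# Added example: errors and warnings from the four Active Directory-relevant
# logs over the last 24 hours, grouped by source and event ID.
# Assumes Windows Server with PowerShell 5.1+; the "File Replication Service"
# log only exists where FRS is still installed, so missing logs are skipped.
$logs  = 'Application', 'Directory Service', 'File Replication Service', 'System'
$since = (Get-Date).AddHours(-24)

$events = foreach ($log in $logs) {
    # Level 1 = Critical, 2 = Error, 3 = Warning. Add -ComputerName <dc> to
    # query a remote domain controller (requires the Event Log Readers right).
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

$events |
    Group-Object LogName, ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Log';     e = { $_.Group[0].LogName } },
        @{ n = 'Source';  e = { $_.Group[0].ProviderName } },
        @{ n = 'EventId'; e = { $_.Group[0].Id } },
        @{ n = 'Latest';  e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } },
        @{ n = 'Message'; e = { ($_.Group[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Sorting by count first is deliberate: a replication or Kerberos error that fires every few minutes is usually the root cause of the scattered warnings around it.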
The Performance Console
The Performance console allows you to monitor conditions within local and remote computers
anywhere in your network and to summarize performance at selected intervals.
The Performance console can also be used to collect baseline performance data and can then be
configured to send alerts to the event log or other locations when performance deviates from
the baseline.
System Monitor
======================================================================
winads14.html PAGE
2 2002/03/05
With System Monitor, you can measure Active Directory performance on your own computer
or on other computers on a network:
· Collect and view real-time performance data on a local computer or from several
remote computers.
· View data collected either currently or previously recorded.
· Present data in a printable graph.
· Incorporate System Monitor
· Create HTML pages from performance views.
· Create reusable monitoring configurations that can be installed on other computers using
Microsoft Management Console (MMC).
You can define the Active Directory data you want to collect
in the following ways:
Type of Data. To select the data to be collected, you specify performance objects
and performance counters.
Source of Data. System Monitor can collect data from your local computer or from
other computers on the network where you have permissions.
Sampling parameters. System Monitor supports manual, on-demand sampling or
automatic sampling based on a time interval you specify.
In addition to options for defining data content, you have considerable flexibility in designing
the appearance of your System Monitor Views:
· Type of Display. System Monitor supports chart, histogram, and report views.
· Display Characteristics. For any of the three display types, you can define the
characteristics, colors, and fonts for the display.
Defining Data for Monitoring
A performance object is a logical collection of counters that is associated with a resource or
service that can be monitored.
Performance counters refer to the multitude of conditions that can apply to a performance object.
The NTDS Performance Object Counters
After determining the statistics you want to monitor, you must find the matching performance
counters. Typically, counters that are suited for capacity planning contain the word "total" in
their name. These counters fall into three types: statistic counters, ratio counters, and
accumulative counters.
Statistic counters, for example DRA (Directory Replication Agent) Inbound Properties
Total/Sec, which is the total number of object properties received from inbound
replication partners per second.
Ratio counters, for example DS % Writes From LDAP, which is the percentage of directory
writes coming from LDAP queries.
Accumulative counters, for example DRA Inbound Bytes Total Since Boot, which is the total
number of bytes replicated in since the server started: the sum of the number of
uncompressed bytes (never compressed) and the number of compressed bytes (after
compression).
*** See the charts on
page 524 – 527 ****
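The three counter types are read differently, which is easy to get wrong when building a baseline: a statistic counter is already a rate, a ratio counter is a percentage, and an accumulative "since boot" counter only has meaning as a delta between two samples. The following added example (not from the original notes) samples one counter of each type from the NTDS object and derives a bytes-per-second figure from the accumulative one. It assumes a domain controller where the NTDS performance object is present; the counter names are the standard NTDS names, and the baseline value and alert multiplier are illustrative assumptions.

```powershell
# Added example: sample one NTDS counter of each type and turn the accumulative
# "since boot" counter into a rate by differencing consecutive samples.
# Assumes a domain controller (NTDS performance object). Baseline and the 3x
# multiplier are assumptions standing in for values taken from counter logs.
$counters = @(
    '\NTDS\DRA Inbound Properties Total/sec',   # statistic counter: already a rate
    '\NTDS\DS % Writes from LDAP',              # ratio counter: a percentage
    '\NTDS\DRA Inbound Bytes Total Since Boot'  # accumulative counter: monotonic total
)
$interval = 15   # seconds between samples
$samples  = Get-Counter -Counter $counters -SampleInterval $interval -MaxSamples 4

function Get-CounterSeries {
    param($Samples, [string]$NameSuffix)
    # Pull one counter's cooked values out of every sample set, in sample order.
    foreach ($s in $Samples) {
        ($s.CounterSamples | Where-Object { $_.Path -like "*$NameSuffix" }).CookedValue
    }
}

$props = Get-CounterSeries $samples 'DRA Inbound Properties Total/sec'
$ldap  = Get-CounterSeries $samples 'DS % Writes from LDAP'
$bytes = Get-CounterSeries $samples 'DRA Inbound Bytes Total Since Boot'

# An accumulative counter only tells you something as a delta over the interval.
$bytesPerSec = for ($i = 1; $i -lt $bytes.Count; $i++) {
    ($bytes[$i] - $bytes[$i - 1]) / $interval
}

$avgProps = ($props       | Measure-Object -Average).Average
$avgLdap  = ($ldap        | Measure-Object -Average).Average
$avgBytes = ($bytesPerSec | Measure-Object -Average).Average

'{0,-48} {1:N1}' -f 'DRA Inbound Properties Total/sec (avg):', $avgProps
'{0,-48} {1:N1}' -f 'DS % Writes from LDAP (avg):', $avgLdap
'{0,-48} {1:N0}' -f 'DRA inbound bytes/sec (from since-boot delta):', $avgBytes

# Baseline check: alert on a sustained deviation, not a single spike.
$baselineBytesPerSec = 50KB   # assumed baseline from earlier counter logs
if ($avgBytes -gt 3 * $baselineBytesPerSec) {
    Write-Warning ('Inbound replication volume is {0:N0} B/s, more than 3x the baseline; ' +
                   'check repadmin /showrepl and the Directory Service log.') -f $avgBytes
}
```

Comparing the delta-derived rate with the separate NTDS "DRA Inbound Bytes Total/sec" counter is a useful sanity check that the sampling interval is long enough for the accumulative counter to move.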
Performance Logs and Alerts
The Performance Logs and Alerts snap-in provides you with the ability to create counter logs,
trace logs, and system alerts automatically from local or remote computers.
Counter Logs
Similar to System Monitor, counter logs support the definition of performance objects and
performance counters and setting sampling intervals for monitoring data about hardware
resources and system services.
Trace Logs
Using the default system data provider or another nonsystem provider, trace logs record
data when certain activities such as disk I/O operation or a page fault occur.
Active Directory nonsystem providers include those for NetLogon, Kerberos, Security
Accounts Manager (SAM), and Windows NT Active Directory Service.
Logging Options
For both counter and trace logs you can:
Configure automatic log generation and manage multiple logging sessions from a single console
window.
Start and stop logging manually or on a user-defined schedule.
Counter and Trace Logging Requirements
To create or modify a log, you must have Full Control permission on the following registry key,
which controls the Performance Logs and Alerts service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\LogQueries
Administrators usually have this permission by default. Administrators can grant the permission
to other users by using the Security menu in REGEDT32.EXE. Grant it sparingly: anyone who can
write this key can define what the logging service collects and where it writes.
Lesson Summary:
The event logs record errors, warnings, and informational events such as the successful start
of a service.
The Performance console allows you to monitor conditions within local and remote computers
anywhere in your network and to summarize performance at selected intervals.
The Performance console consists of System Monitor and Performance Logs and Alerts.
Lesson 2:
Active Directory Support Tools
The Windows 2000 Support Tools on the Windows 2000 CD-ROM are intended to assist
in diagnosing computer problems.
The following tools are available for support of Active Directory:
LDP.EXE: Active Directory Administration Tool. You can perform LDAP operations, such
as connect, bind, search, modify, add, and delete, against any LDAP-compatible directory, such
as Active Directory. LDAP is an Internet standard protocol.
REPLMON.EXE: Active Directory Replication Monitor. This tool enables administrators
to view the low-level status of Active Directory replication, force synchronization between
domain controllers, view the topology in a graphical format, and monitor the status and
performance of domain controller replication through a graphical interface.
Graphics displays. Replication monitor displays whether or not the monitored server is a global
catalog server, automatically discovers the directory partitions that the monitored server hosts,
graphically displays this breakdown, and shows the replication partners that are used for inbound
replication for each directory partition.
Replication status history. The history of replication status per directory partition, per replication
partner is recorded, generating a granular history of what occurred between two domain
controllers.
Property pages. For direct replication partners, a series of property pages displays the following
for each partner: the name of the domain controller, its globally unique identifier (GUID), the
directory partition that it replicates to the monitored server, the transport used (RPC or SMTP,
distinguishing between intra-site and inter-site when RPC is used), the time of the last successful
and attempted replication events, update sequence number (USN) values, and any special
properties of the connection between the two servers.
Status report generation. Administrators can generate a status report for the monitored server
that includes a listing of the directory partitions for the server, the status of each replication partner
(direct and transitive) for each directory partition, detail on which domain controllers the monitored
server notifies when changes have been recorded, the status of any group policy objects (GPOs),
the domain controllers that hold the Flexible Single Master Operations (FSMO) roles.
Server Wizard. Administrators can either browse for the server to monitor or explicitly enter it,
and they can create an .inf file.
Graphical Site Topology. Replication Monitor displays a graphical view of the intra-site topology
and, by using the context menu for a given domain controller in the view, allows the administrator
to quickly display the properties of the server and any intra- and inter-site connections that exist for
that server.
Properties display. Administrators can display the properties for the monitored server, including
the server name, the DNS host name of the computer, and the location of the computer account in
Active Directory.
Statistics and replication state polling. In automatic Update mode, Replication Monitor polls the
server at an administrator-defined interval to get the current statistics and replication state.
Replication triggering. Administrators can trigger replication on a server with a specific replication
partner, with all other domain controllers in the site, or all other domain controllers intra- and
intersite.
KCC triggering. Administrators can trigger the KCC on the monitored server to recalculate the
replication topology.
Display nonreplicated changes. Administrators can display, on demand, Active Directory
changes that have not yet replicated from a given replication partner.
REPADMIN.EXE: Replication Diagnostic Tool*. A command-line tool that assists
administrators in diagnosing replication problems between Windows 2000 domain controllers.
REPADMIN.EXE allows the administrator to view the replication topology as seen from the
perspective of each domain controller. NOTE: During the normal course of operations, there
is no need to manually create the replication topology. Incorrect use of this tool may adversely
impact the replication topology. The major use of this tool is to monitor replication so that problems
such as offline servers or unavailable local area network (LAN)/wide area network (WAN)
connections can be identified.
DSASTAT.EXE: Active Directory Diagnostic Tool. Is a command-line tool that compares
and detects differences between naming contexts on domain controllers.
SDCHECK.EXE: Security Descriptor Check Utility*. A command-line tool that displays
the security descriptor for any object stored in Active Directory. The security descriptor
contains the ACLs defining the permissions that users have on objects stored in Active
Directory.
NLTEST.EXE*. A command-line tool for testing trust relationships and the state of domain
controller replication in a Windows domain. You can also query and check on the status of a
trust, force a shutdown, get lists of PDCs, and so on. Only runs on x86-based computers.
ACLDIAG.EXE: ACL Diagnostics*. A command-line tool that helps diagnose and
troubleshoot problems with permissions on Active Directory objects. It can compare an object's
ACL with the schema defaults, check delegations made with the Delegation of Control Wizard in
the Active Directory Users and Computers console, and report the effective permissions of users
or groups that show up in the ACL.
DSACLS.EXE*. Is a command-line tool that facilitates management of ACLs for directory
services.
*Command-prompt-only tool
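The command-line tools above are the ones a practitioner actually scripts. The following is an added example, not from the original notes, that strings three of them together into a short triage run: NLTEST to confirm which domain controller the host is using and that its secure channel is healthy, REPADMIN to show inbound replication status and failures, and DSACLS to list who holds the replication extended rights on the domain partition. It assumes a domain-joined host with the RSAT command-line tools installed; the domain name and distinguished name are read from RootDSE rather than hard-coded. On Windows 2000 the REPADMIN switch is /showreps rather than /showrepl, and /replsummary is not available.

```powershell
# Added example: replication and security-descriptor triage built on
# nltest, repadmin and dsacls. Assumes a domain-joined host with the RSAT
# command-line tools; domain names are derived from RootDSE at run time.
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDN  = [string]$rootDse.defaultNamingContext          # e.g. DC=contoso,DC=local
$dnsDomain = $domainDN -replace 'DC=', '' -replace ',', '.'  # e.g. contoso.local

# 1. Which DC is this host using, and is its secure channel to the domain healthy?
nltest /dsgetdc:$dnsDomain
nltest /sc_query:$dnsDomain

# 2. Inbound replication status per partition for this DC, then a forest-wide
#    summary of failures (offline partners, unreachable sites).
repadmin /showrepl
repadmin /replsummary

# 3. Who holds the replication extended rights on the domain partition.
#    dsacls prints "Allow <principal>" on one line and extended rights such as
#    "Replicating Directory Changes All" on the lines that follow, so track the
#    current principal while scanning. Only domain controllers and the built-in
#    administrative groups should appear; any other principal can pull password
#    hashes through replication.
$principal  = $null
$replRights = foreach ($line in (dsacls $domainDN)) {
    if ($line -match '^\s*(Allow|Deny)\s+(.+?)(\s{2,}.*)?$') {
        $principal = $matches[2].Trim()
    }
    if ($line -match 'Replicating Directory Changes') {
        [pscustomobject]@{ Principal = $principal; Right = $line.Trim() }
    }
}
$replRights | Sort-Object Principal, Right | Format-Table -AutoSize
```

Step 3 is the check DSACLS and SDCHECK exist for: the ACL on the domain root decides who may replicate, and an unexpected entry there matters more than any counter in the previous lesson.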
Lesson 3:
Monitoring Access to Shared Folders
Why Monitor Network Resources?
Some of the reasons it is important to assess and manage network resources are the following:
Maintenance. Determine which users are currently using a resource so that you can notify
them before making the resource unavailable.
Security. You should monitor user access to resources that are confidential or need to
be secure to verify that only authorized users are accessing them.
Planning. You should determine which resources are being used and how much they
are being used so that you can plan for future system growth.
Microsoft Windows 2000 includes the Shared Folders snap-in so that you can easily monitor
access to network resources and send administrative messages to users. When you add the Shared
Folders snap-in to an MMC, you can specify whether you want to monitor the resources on the
local computer or on a remote computer.
Network Resource Monitoring Requirements
Groups that Can Monitor Network Resources
======================================================================
A Member of These Groups                    Can Monitor
======================================================================
Administrators or Server Operators for      All computers in the domain
the domain
Administrators or Power Users for a         That computer
member server, stand-alone server, or
Windows 2000 workstation
======================================================================
NOTE: Windows 2000 does not update the list of shared folders, open files, and user sessions
automatically. To update these lists, on the Action menu, click Refresh.
Determining How many users can access
a Shared Folder concurrently
You can use the Shared Folders snap-in to determine the maximum number of users that are
permitted to gain access to a folder concurrently (the user limit on the share's properties).
Modifying Shared Folder Properties
In the Shared Folders snap-in, select the shared folder, then on the Action menu click Properties.
Monitoring Open Files
Use the Open Files folder in the Shared Folders snap-in to view a list of open files that are
located in shared folders and the users who have a current connection to each file.
Disconnecting Users from Open Files
You can disconnect users from one open file or from all open files. If you make changes to
Windows NT file system (NTFS) permissions for a file that is currently opened by a user, the
new permissions will not affect the user until he or she closes the file and then attempts to reopen
it. To enforce a permission change immediately, disconnect the user from the open file after
changing the permissions.
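The following is an added example, not from the original notes, of the review-and-disconnect sequence described above done from the command line with the SmbShare cmdlets available on Windows Server 2012 and later. It lists sessions and open files under a share, removes a user's explicit NTFS entries on the share root, and then closes that user's open files and session so that the next open is evaluated against the new ACL. The user name and share path are assumptions. On Windows 2000 the same information comes from the Shared Folders snap-in or from "net session" and "net file".

```powershell
# Added example: review open files under a share, tighten the NTFS ACL, then
# close the affected user's handles so the new permissions apply immediately.
# Assumes Windows Server 2012+ (SmbShare module). User and path are assumptions.
$user  = 'CONTOSO\jdoe'
$share = 'D:\Shares\Finance'

# 1. Who is connected, and which files do they hold open under the share?
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize
Get-SmbOpenFile |
    Where-Object { $_.Path -like "$share\*" } |
    Select-Object ClientUserName, ClientComputerName, Path |
    Format-Table -AutoSize

# 2. Tighten the NTFS ACL: drop the user's explicit (non-inherited) entries on
#    the share root. Inherited entries must be changed on their source.
$acl = Get-Acl -Path $share
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $user -and -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path $share -AclObject $acl

# 3. NTFS permissions are checked when a handle is opened, so a file the user
#    already has open keeps its original access. Close the user's open files
#    under the share and the session itself; the next open is re-evaluated.
Get-SmbOpenFile |
    Where-Object { $_.ClientUserName -eq $user -and $_.Path -like "$share\*" } |
    Close-SmbOpenFile -Force
Get-SmbSession |
    Where-Object { $_.ClientUserName -eq $user } |
    Close-SmbSession -Force
```

Closing the handle with -Force discards any unsaved changes on the client side, which is exactly why the lesson recommends notifying users before doing it for maintenance; for a security revocation that cost is usually acceptable.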
Lesson Summary: