New Active Directory Management Pack Functionality
Active Directory Management Pack (ADMP) for MOM 2005 provides new, key technical functionality for monitoring Active Directory, including a state view that provides an instant view of Active Directory health; a diagram view that displays the replication topology of your network; and a Tasks pane from which to start context-sensitive tasks and diagnostics.
On This Page
Agent Action Account and ADMP
State View
Diagram View
Tasks Pane
Agent Action Account and ADMP
MOM collects data from the computers in a domain by dispatching agents to those computers to run ADMP scripts. The computers to which agents are dispatched are called managed computers. It is necessary to define a security context in which scripts are run to ensure that the appropriate actions can be accomplished by the script, using the minimum permissions necessary. The Agent Action Account is the security context provided by MOM that ADMP scripts are run in. For the minimum permissions that are required by the Agent Action Account to run each ADMP script, see "Active Directory Management Pack Scripts."
State View
When you monitor the state of Active Directory with ADMP for MOM 2005, you can get an instant view of Active Directory health. ADMP scripts run predefined tests at regular intervals to test the state of Active Directory. Based on the test results, events might be generated. Events in turn trigger rules which affect the state of the components by raising alerts.
Rather than waiting for an alert to be raised, you can view the summary state for Active Directory components at any time by clicking State in the Public Views pane of the MOM Operator console. The state of a component is indicated in the State Details pane with different-colored icons:
A green icon indicates success, or it indicates that there is information available that requires no action.
A yellow icon indicates an error or a warning.
A red icon can indicate either a critical error or a security issue or that a service is unavailable.
No icon indicates that no data affecting state has been collected.
There are four state components that are monitored by ADMP:
Client View: checks whether Active Directory is responding to clients that have the Active Directory Client Pack installed.
Replication Health: checks whether domain controllers are configured properly and that they are replicating. Also checks whether replication is occurring in a timely fashion and that initial domain controller replication has completed after Active Directory has been installed on a computer.
Server Health: checks whether the Active Directory service and processes that are vital to Active Directory are healthy.
Service Health: checks whether operations master (also known as flexible single master operations (FSMO)) role holders and the Active Directory service are responsive and whether clients can connect to the directory.
The following table lists each state component, the source of the state change, and the rules affecting the state for the component.
State Component |
Source |
Rule Affecting State |
|---|---|---|
Client View |
Various Client Pack scripts |
AD Client Side Test Failed |
Client View |
AD Client PDC Response (script) |
The PDC Emulator cannot be contacted |
Replication Health |
AD Replication Monitoring (script) |
AD Replication is occurring slowly |
Replication Health |
AD Replication Monitoring (script) |
Initial replication after domain controller promotion has not completed |
Replication Health |
AD Replication Monitoring (script) |
Replication is not occurring - All replication partners have failed to synchronize |
Server Health |
AD Essential Services Running (script) |
Windows Time Service is not running |
Server Health |
AD Database and Log (script) |
Database Log File Excessive Growth Warning |
Server Health |
AD Essential Services Running (script) |
Net Logon Service is not running |
Server Health |
AD CPU Overload (script) |
The LSASS process is using a high percentage of available CPU time |
Server Health |
AD Database and Log (script) |
Database and Log File Drive Space - Error |
Server Health |
AD Database and Log (script) |
Database Excessive Growth Warning |
Server Health |
AD CPU Overload (script) |
CPU is overloaded |
Server Health |
AD Essential Services Running (script) |
Intersite Messaging Service is not running |
Server Health |
AD Essential Services Running (script) |
Kerberos Key Distribution Center Service (KDC) is not running |
Server Health |
AD Essential Services Running (script) |
Cannot connect to local SYSVOL share |
Server Health |
AD Essential Services Running (script) |
File Replication Service is not running |
Server Health |
AD Essential Services Running (script) |
The domain controller is not advertising - Clients will not be able to locate this domain |
Service Health |
Op Master Domain Naming Last Bind (performance counter) |
Op Master Domain Naming Last Bind - Threshold Exceeded |
Service Health |
Op Master Schema Last Bind (performance counter) |
Op Master Schema Last Bind - Threshold Exceeded |
Service Health |
Op Master Infrastructure Last Bind (performance counter) |
Op Master Infrastructure Last Bind - Threshold Exceeded |
Service Health |
Op Master RID Last Bind (performance counter) |
Op Master RID Last Bind - Threshold Exceeded |
Service Health |
Op Master PDC Last Bind (performance counter) |
Op Master PDC Last Bind - Threshold Exceeded |
Service Health |
Active Directory Last Bind (performance counter) |
Active Directory Last Bind - Threshold Exceeded |
Service Health |
Global Catalog Search Time (performance counter) |
Global Catalog Search Time - Threshold Exceeded |
Service Health |
Active Directory Lost Objects (performance counter) |
Active Directory Lost Objects - Threshold Exceeded |
Diagram View
Active Directory replication topology diagrams display the replication topology of your network, with dashed lines indicating intersite connections and solid lines indicating intrasite connections. Each computer is annotated for its role and state. The state of domain controllers in the replication topology diagrams is indicated by the same colored icons:
A green icon indicates that replication is functioning and no action is required.
A yellow icon indicates that replication failures have been detected.
A red icon indicates multiple consecutive failures or that replication is not occurring on the domain controller.
The diagrams also contain ToolTips that provide detailed information, such as subnet configuration details, link costs, replication intervals, consecutive failures, and partition names. From the diagram view, you can navigate to other views. For example, to see alerts that pertain to only a specific domain controller, you can right-click that domain controller in a diagram, point to View, and then click Alerts. You can also select one or more domain controllers in a diagram and run a task remotely on that domain controller from the diagram view.
ADMP provides three dynamic replication topology diagrams, which are described in the following sections.
Connection Objects
Connection objects are Active Directory objects that represent a replication connection from one domain controller to another. For replication to occur between two domain controllers, the server object of one domain controller must have a connection object that represents inbound replication from another domain controller. The connection objects replication topology diagram displays connection objects that exist between domain controllers on your network, along with the current state of the connection objects.
The following figure shows an example of the connection objects replication topology diagram.
.gif "admp_ref05_03s.gif")
Broken Connection Objects
The broken connection objects replication topology diagram displays connection objects that exist between the domain controllers on your network that are in an error state.
The following figure shows an example of the broken connection objects replication topology diagram.
.gif "admp_ref05_02s.gif")
Site Links
Site links are logical paths that are used to establish a connection for Active Directory replication. Sites must be linked to other sites manually by using site links so that domain controllers in one site can replicate directory changes from domain controllers in another site. The site links replication topology diagram displays the site links that exist between each site on your network and the domain controllers that exist in each site.
The following figure shows an example of the site links replication topology diagram.
.gif "admp_ref05_04s.gif")
Tasks Pane
With ADMP you can start context-sensitive tasks and diagnostics against one or more managed computers. You can run tasks using the MOM Operator console, the MOM Management Server, or a managed computer. (For an explanation of "managed computer," see "Agent Action Account and Active Directory Management Pack" earlier in this document.) The following table describes the advanced tasks that you can perform with ADMP.
Task |
Description |
|---|---|
Active Directory Users and Computers |
Opens the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in on the local computer. |
ADSI Edit |
Opens the ADSI Edit MMC snap-in on the local computer. |
DCDIAG |
Runs dcdiag with a customized set of command-line parameters against one or more domain controllers or managed computers. |
NETDIAG |
Runs netdiag with a customized set of command-line parameters against one or more domain controllers or managed computers. |
NETDOM |
Runs netdom with a customized set of command-line parameters against one or more domain controllers or managed computers. |
SETSPN |
Runs setspn with a customized set of command-line parameters against one or more domain controllers or managed computers. |
NLTEST |
Runs nltest with a customized set of command-line parameters against one or more domain controllers or managed computers. |
REPADMIN |
Runs repadmin with a customized set of command-line parameters against one or more domain controllers or managed computers. |
LDP |
Runs ldp on the local computer. |
Note
Many tasks in this table require the use of support tools. Support tools are located in the Support Tools directory on the Microsoft Windows® 2000 and Windows Server™ 2003 operating system CDs. When a task is run it assumes that the support tools are installed in their default location or that the directory to which they were installed is in the system path (%path%). If you have installed the support tools in any other location, and that location is not in the system path (%path%), you must provide the location in the Task Wizard or the task will fail.
The following table describes the replication troubleshooting tasks that you can perform with ADMP.
Task |
Description |
|---|---|
Replication Summary Snapshot |
Collects a snapshot of the current replication status — from the perspective of the computer that the tasks are being run on — using the repadmin /replsum command. |
Service Principal Name Health |
Confirms Service Principal Name (SPN) health on target domain controllers. This task is useful for diagnosing replication authentication errors that are caused by nonexistent, manipulated, or duplicate SPN registrations; Kerberos ticket refresh; or administrative tool startup. |
The following table describes the trust details task that is provided with ADMP.
Task |
Description |
|---|---|
Enumerate Trusts |
Enumerates the trust relationships between Active Directory domains. You can provide all or part of the source domain name or names for which you want to enumerate trusts; use * as a wildcard. |