Windows Administration

Monitoring Active Directory with MOM

John Hann

At a Glance:

  • Management packs for Active Directory
  • Customization tips for MOM
  • Alert tuning

Management packs are the life-blood of Microsoft Operations Manager (MOM) 2005 and are what differentiate it from other management products. MOM uses management packs to put rules, reports, tasks, and views together, and a management pack can be limited in scope to a specific application or service, such as Active Directory. Microsoft product teams create the management packs for the applications they develop, ensuring that MOM reflects the teams' deep product knowledge. Furthermore, management packs can be customized to fit your IT environment. You then have rules that monitor and manage the product based on your particular server and application environment.

Not only is there a specific management pack for Active Directory®, but there are a myriad of management packs for measuring directory services health from Windows Server® Base Operating System to Dynamic Host Configuration Protocol (DHCP), DNS, and File Replication Service (FRS). Let's go over these management packs in detail so you'll have a better understanding of the end-to-end management of Active Directory possible through MOM.

DHCP Management Pack

The DHCP Service management pack monitors the DHCP service running on Windows NT®, Windows® 2000, and Windows Server 2003. It's a good idea to monitor DHCP so you know if clients are having issues connecting to the network. You'll also be alerted to rogue (unauthorized) DHCP servers running in your environment. The download package for this management pack contains a guide that documents the rules and reports as well as monitoring scenarios and deployment. A treasure trove of additional documentation and guidance can be found at the TechNet MOM 2005 Web site (microsoft.com/technet/prodtechnol/mom/mom2005).

The newer the version of Windows you're running the DHCP service on, the more instrumentation and functionality MOM 2005 provides for managing it. Therefore, you'll get more information about a Windows Server 2003 DHCP server than a Windows NT DHCP server. For example, a DHCP server running on Windows Server 2003 can have its superscopes monitored, whereas the DHCP management pack only monitors normal scopes on a Windows 2000 DHCP server. You can exclude scopes from being monitored by placing the scopes to be excluded as a parameter for the monitoring script.

As mentioned earlier, the DHCP management pack supports DHCP servers running on Windows NT, Windows 2000 Server, and Windows Server 2003. The computer groups are populated through formulas that use the operating system version and whether the server hosts the DHCP Server service.

The DHCP management pack does not support low-privilege configurations. The agent Action Account must be a member of the local Administrators group. Agentless monitoring is supported, but tasks are not supported in an agentless configuration. Figure 1 lists the reports that are available in the DHCP management pack.

Figure 1 DHCP Service Reports

All DHCP Servers
All Authorized DHCP Servers
Performance History-Active Queue Length
Performance History-Conflict Check Queue Length
Performance History-Declines per Second
Performance History-Discovers per Second
Performance History-Milliseconds per Packet (Avg)
Performance History-NACKs per Second
Performance History-Scope Free Addresses
Performance History-Scope Addresses in Use
Performance History-Superscope Free Addresses
Performance History-Superscope Addresses in Use

You can download the DHCP management pack from go.microsoft.com/fwlink/?LinkId=79527.

DNS Management Pack

The Domain Name Service management pack monitors the DNS service running on Windows 2000 Server and Windows Server 2003. Since it's such an integral part of the overall health of an Active Directory implementation, monitoring DNS with MOM 2005 is crucial. The DNS management pack monitors name resolution issues, database issues, registry issues, runtime events and errors, as well as related performance counters.

For Windows 2000 Server, a Windows Management Instrumentation (WMI) DNS provider has to be installed. Specifically, this allows the DNS management pack to query the WMI DNS namespace for information and testing.

The computer groups are all populated through formulas that use the operating system version and whether the server hosts the DNS Server service to determine group membership. The DNS management pack supports low privilege on Windows Server 2003 only. On Windows 2000, the Action Account must be a member of the local Administrators group. On Windows Server 2003, the Action Account must be a member of the local Users and Performance Monitor Users groups. In addition, the Action Account must have Manage auditing and security log (SeSecurityPrivilege) and Allow log on locally (SeInteractiveLogonRight) permissions. Figure 2 lists the reports that are available in the DNS management pack.

Figure 2 DNS Service Reports

All Windows DNS Servers
All Windows DNS Servers by Zone
All Windows DNS Zones by Server

Marcus Oh, an MVP for Microsoft® Systems Management Server (SMS), developed a script that tests a DNS server by calling nslookup to verify the DNS server's ability to resolve names. Take the time to review his blog post at marcusoh.blogspot.com/2006/05/mom-monitoring-dns-synthetically.html; you'll want to integrate this script into your DNS management pack.
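The synthetic check described above can be reproduced in a few dozen lines. The block below is an added example, not Marcus Oh's script and not shipped with the DNS management pack: it wraps nslookup, parses the reply into a structured result, and treats "no answer section" as a failure rather than a silent success, which is the case a monitoring rule most easily misses. The SAMPLE_* outputs, the dc1.contoso.com resolver and the host names are constructed for illustration.

```python
"""Synthetic DNS probe in the spirit of the nslookup-based test described above.

Added example; not Marcus Oh's script and not part of the DNS management pack.
It shells out to nslookup (present on Windows and most Unix-like systems), parses
the reply, and returns a structured result a monitoring rule could act on. The
SAMPLE_* strings are constructed to resemble nslookup output for offline testing.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProbeResult:
    name: str                                    # name we asked for
    server: Optional[str] = None                 # resolver nslookup reported
    addresses: List[str] = field(default_factory=list)
    error: Optional[str] = None

    @property
    def ok(self) -> bool:
        return self.error is None and bool(self.addresses)


# nslookup prints the resolver as "Server:"/"Address:" first, then either an
# answer section ("Name:" followed by "Address:"/"Addresses:") or an error
# line beginning with asterisks ("***" on Windows, "**" on BIND's nslookup).
_KEY_VALUE = re.compile(r"^(Server|Name|Address|Addresses):\s*(.*)$")
_BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f.:]+$")


def parse_nslookup(output: str, name: str) -> ProbeResult:
    """Turn raw nslookup output into a ProbeResult."""
    result = ProbeResult(name=name)
    skipped_resolver_address = False
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("**"):
            result.error = line.lstrip("*").strip()
            continue
        match = _KEY_VALUE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            if key == "Server":
                result.server = value
            elif key == "Name":
                in_answer = True
            elif key in ("Address", "Addresses"):
                if not skipped_resolver_address and not in_answer:
                    skipped_resolver_address = True   # the resolver's own address
                elif value:
                    result.addresses.append(value)
        elif in_answer and _BARE_ADDRESS.match(line):
            result.addresses.append(line)             # "Addresses:" continuation
    if result.error is None and not result.addresses:
        result.error = "no answer section in nslookup output"
    return result


def run_probe(name: str, server: Optional[str] = None, timeout: float = 10.0) -> ProbeResult:
    """Run nslookup for `name`, optionally against a specific DNS server."""
    cmd = ["nslookup", name] + ([server] if server else [])
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError) as exc:
        return ProbeResult(name=name, server=server, error=f"nslookup could not run: {exc}")
    # some builds write the failure line to stderr, so parse both streams
    return parse_nslookup(proc.stdout + "\n" + proc.stderr, name)


# Constructed sample outputs (not captured from a real server).
SAMPLE_OK = "Server:  dc1.contoso.com\nAddress:  10.0.0.10\n\nName:    www.contoso.com\nAddress:  10.0.0.50\n"
SAMPLE_MULTI = ("Server:  dc1.contoso.com\nAddress:  10.0.0.10\n\nNon-authoritative answer:\n"
                "Name:    www.contoso.com\nAddresses:  2001:db8::50\n          10.0.0.50\n")
SAMPLE_NXDOMAIN = ("Server:  dc1.contoso.com\nAddress:  10.0.0.10\n\n"
                   "*** dc1.contoso.com can't find missing.contoso.com: Non-existent domain\n")

if __name__ == "__main__":
    for sample, name in ((SAMPLE_OK, "www.contoso.com"), (SAMPLE_NXDOMAIN, "missing.contoso.com")):
        print(parse_nslookup(sample, name))
```

A MOM script rule built on this would call run_probe against each DNS server it is meant to test and raise an alert whenever `ok` is false, carrying `error` as the alert description.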

You can download the DNS management pack from go.microsoft.com/fwlink/?LinkId=79528.

FRS Management Pack

The Windows File Replication Service management pack monitors the FRS service running on Windows 2000 and Windows Server 2003. FRS is used by the domain controllers to replicate logon scripts and Group Policy information. The FRS management pack will detail the health of the FRS service for each domain controller.

The FRS management pack utilizes the Ultrasound tool, which is available from go.microsoft.com/fwlink/?LinkId=79529. Ultrasound creates a WMI namespace for FRS on each domain controller. Note that Ultrasound requires a database and will store the information from the WMI namespace on each domain controller for health monitoring. By using the information from Ultrasound, the FRS management pack provides monitoring for replica sets, members, connections, the FRS service itself, and the Ultrasound controller service.

Note that you should install Ultrasound on a separate server from the management server. Ultrasound rules generate events and alerts on behalf of other computers. In order for the Ultrasound rules to process data properly, you must enable agent proxying in the MOM Administrator console on each server running Ultrasound. Figure 3 lists the four service reports that are available in the FRS management pack.

Figure 3 FRS Service Reports

Ultrasound-Frequently Detected Issues-Most Problematic Connections
Ultrasound-Frequently Detected Issues-Most Problematic Members
Ultrasound-Frequently Detected Issues-Most Problematic Replica Set
Ultrasound-Frequently Detected Issues-Summary

Computer groups associated with this management pack include Microsoft Ultrasound 1.0 servers and FRS servers running on Windows 2000 Server and Windows Server 2003. The computer groups are all populated through formulas that use the operating system version and whether the server hosts the FRS service to determine group membership. The Ultrasound Servers group is populated when a server has Ultrasound installed.

When you configure the FRS management pack for low privilege, tasks do not work, but the rest of the management pack functionality is supported. The Action Account must have read access to the Ultrasound database and run permission for the GetControllerStatusForMOM001 stored procedure. The FRS management pack includes support for monitoring agentless as well as agent-managed computers.

You can download the FRS management pack from go.microsoft.com/fwlink/?LinkId=79530.

Windows Server Management Pack

The Windows Base Operating System management pack monitors Windows NT 4.0 Server, Windows 2000 Server, and Windows Server 2003. The Base OS management pack will report the health of the operating system for your domain controllers and also monitors the root services on the system. The management pack provides the status of core Windows services, memory and processor performance, as well as disk free space and disk latency. There is some overlap between the monitoring rules of this management pack and the others covered in this article, but it provides a great bottom-up view of the health of the domain controller.

Figure 4 shows the reports available in the Base OS management pack. As with the other management packs, the computer groups are all populated through formulas that use the operating system version.

Figure 4 Base Operating System Reports

Disk Performance Analysis
Operating System Configuration
Operating System Performance
Operating System Shutdown by Event
Operating System Shutdown by Server
Operating System Storage Configuration
Software and Applications Installations by Application
Software and Applications Installations by Instance
Software and Applications Installations by Server
Reliability-Application Failures by Application
Reliability-Application Failures by Computer
Reliability-Application Failures by Event
Reliability-Operating System Failures by Computer
Reliability-Operating System Failures by Event
Reliability-Operating System Failures by Stop Code
Performance History-Performance History
Performance History-Additional Reports

When you configure the Base OS management pack for operation with low privileges, Windows 2000 requires that the Action Account be a member of the local Administrators group. Windows Server 2003 requires the Action Account be a member of the local Users and Performance Monitor Users groups, as well as having Manage auditing and security log (SeSecurityPrivilege) and Allow log on locally (SeInteractiveLogonRight) permissions. Most of the Base OS management pack, except tasks, is supported on agentless monitored computers.

You can download the Base OS management pack from go.microsoft.com/fwlink/?LinkId=79531.

Active Directory Management Pack

The Active Directory management pack is very broad and its rules cover both Windows 2000 Server and Windows Server 2003. The Active Directory management pack encompasses five areas of rules: client-side monitoring, trust monitoring, replication monitoring, and topology discovery, plus rules covering the Windows 2000 Server and Windows Server 2003 operating systems. As noted earlier, newer versions of Windows enable more instrumentation and therefore additional monitoring. For example, the management pack supports trust monitoring on Windows Server 2003, but not on Windows 2000.

The Active Directory management pack creates a number of groups that it uses to apply rules to specific computers. The client-side monitoring rules use a group called Active Directory Client Side Monitoring. You would place computers that have the MOM agent installed in this group to monitor and manage these rules. I put a few desktop computers that have been licensed with the agent into this group as well as some of the Exchange servers. Exchange Server uses Active Directory extensively and would be a lead indicator of a developing problem. Desktop computers in the group can help you gauge end-user experience. The client-side monitoring rules utilize scripts to test connectivity to domain controllers, querying them via LDAP, and reporting failures. It is important to note that the client-side monitoring rules can only be applied to agent-managed computers that have proxying enabled but that are not domain controllers.

The trust-monitoring rules use a group called Active Directory Trust Monitoring. Windows Server 2003 computers would be placed into this group to test trusts. Windows Server 2003 has a WMI namespace for trust monitoring. A script is employed by these rules to query against the WMI namespace. When errors in trusts with other domains are detected, these rules will alert you.

There are many Active Directory management pack rules that apply to either Windows 2000 Server or Windows Server 2003. These rules delineate the differences in how Active Directory is implemented between the two operating systems. However, most of the Active Directory management pack is in the combined rules for both operating systems. Some of these rules include scripts to test connectivity between domain controllers, verifying flexible single master operation (FSMO) role holders, directory information tree (DIT) database size, validating Group Policy processing, Knowledge Consistency Checker (KCC) inspection, and Intersite Messaging service testing.

Replication monitoring is the centerpiece of the Active Directory management pack. Two groups, Active Directory Replication Latency Data Collection Sources and Active Directory Replication Latency Data Collection Targets, are in place to let you configure which domain controllers are used for replication monitoring and reporting. Replication latency is calculated for each member of the data collection groups. Performance counters are populated with the time it takes for updates to replicate to each of the group members. Enterprise-wide replication latency is calculated and reported, and alerts are generated if it exceeds defined thresholds. Note that a WMI namespace for replication monitoring has to be installed on Windows 2000 Server.

Topology discovery in the Active Directory management pack is used to create diagrams of your implementation. These useful diagrams can be exported to Microsoft Office Visio®. The diagrams are built in real-time by MOM so you can create an up-to-date version in just seconds.

Under the Diagram Views in the MOM 2005 Operator Console, there are three Active Directory management pack diagrams. The Broken Connection Objects diagram (see Figure 5) will show any connections that are in an error state. This diagram can be blank if no connection errors exist.

Figure 5 Broken Connections are Highlighted in Diagram View

The Connection Objects diagram highlights the connections between DCs. The Site Links diagram shows each Active Directory site, encapsulating the appropriate domain controllers in that site and the connecting site links.

Since the diagrams created by MOM for these views are dynamic, you can export them to Visio for easy editing and customization. For example, Figure 6 shows the Site Links diagram being edited in Visio.

Figure 6 Editing a Site Links Diagram in Visio

Figure 7 lists the reports that are available in the Active Directory management pack. Computer groups associated with this management pack are shown in Figure 8. As you can see, the Active Directory computer groups are populated by explicit membership; the Windows computer groups are populated according to the version of the operating system and whether the machine is a domain controller.

Figure 7 Active Directory Reports

AD Domain Controller
AD Role Holders
AD Replication Connection Objects
AD Replication Site Links
AD DC Disk Space
AD Domain Changes
AD Machine Account Authentication Failures
AD Replication Bandwidth
AD Replication Latency

Figure 8 Computer Groups

Active Directory Client-Side Monitoring
Active Directory Replication Latency Data Collection-Sources
Active Directory Replication Latency Data Collection-Targets
Active Directory Trust Monitoring
Windows 2000 Server Domain Controllers
Windows Server 2003 Domain Controllers

The Active Directory management pack can be configured for low privileges on Windows Server 2003 domain controllers. The management pack does not support agentless monitoring. On Windows 2000 Server, the agent Action Account must be in the Domain Admins or local Administrators group. The agent Action Account on Windows Server 2003 domain controllers must have additional permissions to be configured for low privileges, including membership in the Users and Performance Monitor Users groups, access to Event logs, and the SeSecurityPrivilege, SeAuditPrivilege, and SeInteractiveLogonRight privileges. Additionally, the following access is required: full access to the CN=MomLatencyMonitors Container in Active Directory for replication monitoring, read access to the directories containing the NTDS.dit database and log files, and read access to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

If you are monitoring trusts in Windows Server 2003, note that the script AD Monitor Trusts requires that the agent Action Account have Domain Admin or Administrators group membership.

You can download the Active Directory management pack from go.microsoft.com/fwlink/?LinkId=79540.

Customizing MOM for Active Directory

The Active Directory management pack has to be configured or the alerts will keep your console full. The noisiest time for the Active Directory management pack occurs when a domain controller restarts; every possible alert seems to be triggered. The bad news is that it is not easy to stop this. Your best bet is to utilize Maintenance Mode within MOM to control the alerts during anticipated maintenance windows. The purpose of Maintenance Mode is to auto-resolve alerts for the domain controllers so that the console is not filled.

Be sure to configure the Active Directory Client Side Monitoring group by placing client computers and appropriate servers within the group. The rules associated with this group will help determine the health of your FSMOs and connectivity to them.

There are performance rules that use thresholds for binding to the FSMOs using LDAP, PING, and DNS to verify connectivity. These rules are located in the Active Directory Availability performance rules. You should customize the thresholds used by these rules by setting the alert severity. For instance, the FSMO bindings use attribute values that are in seconds. The performance rules for each of the FSMO roles use this alert creation methodology.

It's important to understand how the Alert Severity Calculation for State Rule settings work. The dialog box uses If-Else conditions on the attribute value and sets the alert severity accordingly (see Figure 9). When the rule collects the Last Bind performance counter created by the AD Op Master Response script, it checks the value against the conditional thresholds set in the rule. You need to configure these alert levels for your environment.
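The If-Else chain in that dialog is easy to get wrong in one specific way: the first matching branch wins, so the bounds must be tested from the highest down, and a bind that never completed must not be scored as a zero-second bind. The block below is an added example, not the management pack's own rule logic; the threshold values, the role names' sample figures and the idea of taking the worst severity over a window of samples are constructed assumptions for illustration.

```python
"""Alert-severity calculation for a state rule, modelled on the If/Else-If
threshold chain in the Alert Severity Calculation dialog described above.
Added example, not the management pack's rule: thresholds and Last Bind samples
are constructed.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# MOM alert severities used below, least to most urgent.
SUCCESS, WARNING, ERROR, CRITICAL = "Success", "Warning", "Error", "Critical Error"
_RANK = {SUCCESS: 0, WARNING: 1, ERROR: 2, CRITICAL: 3}

# (lower bound in seconds, severity). Constructed values: a bind to an FSMO
# role holder taking 2 s or more is a Warning, 5 s or more an Error, and so on.
LAST_BIND_THRESHOLDS: List[Tuple[float, str]] = [
    (15.0, CRITICAL),
    (5.0, ERROR),
    (2.0, WARNING),
]


def severity_for(last_bind_seconds: Optional[float],
                 thresholds: Sequence[Tuple[float, str]] = LAST_BIND_THRESHOLDS) -> str:
    """Map one Last Bind sample to a severity the way an If/Else-If chain does.

    The first matching branch wins, so the chain must test the highest bound
    first; a chain written low-to-high would never reach its Error branch.
    A missing sample (the bind never completed) is the worst case, not zero.
    """
    if last_bind_seconds is None or last_bind_seconds < 0:
        return CRITICAL
    for lower_bound, severity in sorted(thresholds, key=lambda t: t[0], reverse=True):
        if last_bind_seconds >= lower_bound:          # "If value >= bound"
            return severity
    return SUCCESS                                    # the final Else branch


def role_states(samples_by_role: Dict[str, Sequence[Optional[float]]]) -> Dict[str, str]:
    """Worst severity seen per FSMO role over a window of Last Bind samples."""
    return {
        role: max((severity_for(s) for s in samples), key=_RANK.__getitem__, default=SUCCESS)
        for role, samples in samples_by_role.items()
    }


# Constructed Last Bind samples in seconds for the five FSMO roles.
SAMPLES: Dict[str, Sequence[Optional[float]]] = {
    "Schema Master":         [0.4, 0.5, 0.6],
    "Domain Naming Master":  [0.3, 2.1, 0.4],
    "PDC Emulator":          [1.0, 6.0, 1.2],
    "RID Master":            [0.2, None, 0.3],      # one bind never completed
    "Infrastructure Master": [0.5, 0.4, 0.5],
}

if __name__ == "__main__":
    for role, state in role_states(SAMPLES).items():
        print(f"{role:<22} {state}")
```

When tuning the real rule, set the bounds in the dialog in the same high-to-low order, and verify the branch that handles a failed bind separately from the numeric thresholds.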

Figure 9 Setting Alert Severity Rules

Remember the replication schedule for each domain controller. If a given domain controller has a different schedule from others, it will skew the replication latency results and cause you to set thresholds higher. You'll need to set the parameters for the replication scripts to suit the needs of your particular environment. It is important to note that when any domain controller is down or having replication issues, every other domain controller in these groups can report a replication failure for that domain controller even if it is not a direct replication partner. Therefore, even if you place the offending domain controller in Maintenance Mode, the other domain controllers can report replication failures.

Replication monitoring is where you should spend most of your effort in tuning the Active Directory management pack. You'll need to run the management pack in your environment for a couple weeks to see how it alerts. Once you see some trends developing, use the reports to outline latencies and tune the thresholds accordingly.

Finally, you should take advantage of the guidance provided in the Alert Tuning Solution Accelerator.

Looking Forward

MOM 2005 and the Active Directory management pack allow you to effectively and efficiently monitor your organization's Active Directory implementation. With the Active Directory, DHCP, DNS, FRS, and Windows Server Base OS management packs, you are better able to monitor most aspects of your infrastructure, protecting the health and well-being of your Active Directory infrastructure, and your users too. Using the expansive data collected into your reporting data warehouse, you can analyze your performance and event data to assist with capacity planning and performance trending.

To find the management packs that I've discussed in this article, along with many others, see the Management Pack Catalog.

The next update to the Active Directory management pack will contain the usual collection of fixes and tweaks to a few thresholds. More interesting are the new features planned for the next release of the product, called System Center Operations Manager 2007, including the ability to monitor multiple forests from a single configuration group, to define groups of domain controllers (each with its own expected replication latency between other groups) and to monitor domain controllers running on the next version of Windows Server. Stop by the MOM Web site at microsoft.com/mom for details.

John Hann has worked with MOM since MOM 2000 and has been a MOM MVP since 2004. John contributes to MyITForum.com, MOMCommunity.com, and LearnMOM.com. You can contact him through his blog.

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.