Overview of Active Directory Operations
The goal of operations is to ensure that IT services are delivered according to service level requirements that are agreed to by IT management and its various customer business units. The day-to-day operations of an IT department are proactive, and require that the proper products and services be in place to identify and prevent potential problems.
On This Page
Planning for Active Directory Operations
Tools Used for Active Directory Operations
Operations Tasks Checklist
Planning for Active Directory Operations
To plan your Active Directory operations environment, you need to perform the following tasks:
Assess the IT environment and establish a baseline.
Determine operational needs.
Define operations actions.
Assessing the IT Environment and Establishing a Baseline
You must have a complete and accurate idea of the details behind each service that the IT department delivers in order to properly configure management systems and technologies, and to collect any necessary metric data.
Review any service specifications that were produced during the deployment process, along with any service level requirements defined in Service Level Agreements between the IT organization and customer business units.
The following information is especially useful when planning your operations:
Server specifications
Network specifications
Logical and physical architectural diagrams
Supported applications
User statistics and requirements
Current thresholds and performance metrics
Acceptable performance and outage times
This data provides a starting point to establish a baseline for the operations environment, and to set the proper level of service.
Determining Operational Needs
The Active Directory operations team must establish processes for the following tasks:
Continuous monitoring and reporting
Auditing
Backup and restoration
Managing Active Directory components, including:
Domain controllers (including issues relating to installation, global catalog servers, operations masters, database, SYSVOL, Windows Time Service, and long-disconnected domain controllers)
Trusts
Sites
Defining Operations Actions
Categorize actions that are performed during the course of day-to-day operations as follows:
Automated actions
Operator-driven actions
Automated Actions
Automated actions provide a time-saving method to detect and react to incidents occurring in the production environment. Identify those tasks and procedures that you want to automate, whether with scripts or a monitoring product such as Microsoft Operations Manager 2000 (MOM). Also identify the triggers, such as alerts generated by MOM, which start the automated action.
An example of an automated action is configuring an agent process to respond when it detects that the threshold for disk space has been exceeded. In this case, the agent process running on the affected computer automatically takes action to resolve the situation, such as deleting all the files in the Temp directory, thereby returning the system to acceptable conditions as defined in the Service Level Agreement. The agent system also sends a message to the management server that includes any necessary event data (the name and address of the affected system, the error message, the results of the action taken, and so on). After the automated action resolves the incident, the operations team can determine what, if any, further action to take. In this example, the automated action temporarily resolves the incident, and the operations team must investigate further to determine a permanent resolution.
Operator-Driven Actions
Operator-driven actions are those that are performed by an operator, as opposed to those performed by an automated system. Operator-driven actions need to be defined whenever and wherever possible, so that operators with varying degrees of skills and training can perform specific tasks, such as changing a password, loading forms into a printer, starting or stopping processes, and so on.
Tools Used for Active Directory Operations
Active Directory operations involves using tools that are either part of the Windows 2000 operating system, the Windows 2000 Support Tools, or the Microsoft® Windows® 2000 Server Resource Kit. Table 1.3 lists the tools that are used to operate Active Directory, where the tools are found, and a brief description of the purpose of the tool.
For information about installing the Windows 2000 Support Tools and the Windows 2000 Administrative Tools Pack, see Windows 2000 Server Help.
Table 1.3 Tools Used in Active Directory Operations
Tool |
Location |
Function |
|---|---|---|
Active Directory Migration Tool (ADMT) |
https://www.microsoft.com/windows2000/downloads/tools/ADMT/default.asp |
Migrate account and resource domains. |
Active Directory Domains and Trusts snap-in |
Windows 2000 Administrative Tools Pack |
Administer domain trusts, add user principal name suffixes, and change the domain mode. |
Active Directory Installation Wizard |
Windows 2000 |
Install Active Directory, and promote or demote domain controllers. |
Active Directory Sites and Services snap-in |
Windows 2000 Administrative Tools Pack |
Administer the replication of directory data. |
Active Directory Users and Computers snap-in |
Windows 2000 Administrative Tools Pack |
Administer and publish information in the directory. |
ADSI Edit, MMC snap-in |
Windows 2000 Support Tools |
View, modify, and set access control lists on objects in the directory. |
Backup Wizard |
Windows 2000 system tool |
Back up and restore data. |
Control Panel |
Windows 2000 |
View and modify computer, application, and network settings. |
Dcdiag.exe |
Windows 2000 Support Tools and Windows 2000 Server Resource Kit |
Analyze the state of domain controllers in a forest or enterprise; assist in troubleshooting by reporting any problems. |
DNS snap-in |
Windows 2000 Administrative Tools Pack |
Manage DNS. |
Dsastat.exe |
Windows 2000 Support Tools |
Compare directory information on domain controllers and detectsdifferences. |
Event viewer |
Windows 2000 Administrative Tools Pack |
Monitor events recorded in event logs. |
Lbridge.cmd |
Windows 2000 Server Resource Kit |
Replicate logon scripts and profiles between Windows 2000–based domain controllers and Windows NT 4.0–based domain controllers. |
Ldp.exe |
Windows 2000 Support Tools |
Perform LDAP operations against Active Directory. |
Linkd.exe |
Windows 2000 Server Resource Kit |
Create, delete, update, and view the links that are stored in junction points. |
MMC |
Windows 2000 |
Create, save, and open administrative tools (called MMC snap-ins) that manage hardware, software, and network components. |
Netdiag.exe |
Windows 2000 Server Resource Kit and Windows 2000 Support Tools |
Check end-to-end network connectivity and distributed services functions. |
Netdom.exe |
Windows 2000 Support Tools |
Allow batch management of trusts, joining computers to domains, and verifying trusts and secure channels. |
Net use, start, stop, del, copy, time |
Windows 2000 system tool |
Perform common tasks on network services, including stopping, starting, and connecting to network resources. |
Nltest.exe |
Windows 2000 Support Tools |
Verify that the locator and secure channel are functioning. |
Notepad |
Windows 2000 Accessories |
View, create, and modify text files. |
Ntdsutil.exe |
Windows 2000 system tool |
Manage Active Directory, manage single master operations, remove metadata, create application directory partitions. |
Regedit.exe |
Windows 2000 system tool |
View and modify registry settings. |
Repadmin.exe |
Windows 2000 Support Tools |
Verify replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and topology recalculation. |
Replmon.exe |
Windows 2000 Support Tools |
Display replication topology, monitor replication status, and force replication events and topology recalculation. |
Services snap-in |
Windows 2000 Administrative Tools Pack |
Start, stop, pause, or resume system services on remote and local computers, and configures startup and recovery options for each service. |
Terminal Services |
Windows 2000 |
Access and manage computers remotely. |
W32tm |
Windows 2000 system tool |
Manage Windows Time Service. |
Windows Explorer |
Windows 2000 |
Access files, Web pages, and network locations. |
Operations Tasks Checklist
Table 1.4 provides a quick reference for those product maintenance tasks that the operations team must perform on a regular basis. These task lists summarize the tasks that are required to maintain Active Directory operations.
Table 1.4 Active Directory Operations Tasks
Frequency |
Tasks |
|---|---|
Daily |
Verify that all domain controllers are communicating with the central monitoring console or collector. |
Daily |
View and examine all new alerts on each domain controller, resolving them in a timely fashion. |
Daily |
Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services. |
Daily |
Resolve alerts indicating SYSVOL is not shared. |
Daily |
Resolve alerts indicating that the domain controller is not advertising itself. |
Daily |
Resolve alerts indicating time synchronization problems. |
Daily |
Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first. |
Daily to weekly, depending on environment |
Identify a site that has no global catalog server. |
Weekly |
Review the Time Synchronization Report to detect intermittent problems and resolve time-related alerts. |
Weekly |
Review the Authentication Report to help resolve problems generated by computer accounts with expired passwords. |
Weekly |
Review the Duplicate Service Principal Name Report to list all security principals that have a service principal name conflict. |
Weekly |
Review a report of the top alerts generated by the Active Directory monitoring indicators and resolve those items that occur most frequently. |
Weekly |
Review the report that lists all trust relationships in the forest and check for obsolete, unintended, or broken trusts. |
Monthly |
Verify that all domain controllers are running with the same service pack and hot fix patches. |
Monthly |
Review all Active Directory reports and adjust thresholds As needed Examine each report and determine which reports, data, and alerts are important for your environment and service level agreement. |
Monthly |
Review the Replication Monitoring Report to verify that replication throughout the forest occurs within acceptable limits |
Monthly |
Review the Active Directory response time reports. |
Monthly |
Review the domain controller disk space reports. |
Monthly |
Review all performance related reports. These reports are called Health Monitoring reports in MOM. |
Monthly |
Review all performance related reports for capacity planning purposes to ensure that you have enough capacity for current and expected growth. These reports are called Health Monitoring reports in MOM. |
Monthly |
Adjust performance counter thresholds or disable rules that are not applicable to your environment or that generate irrelevant alerts. |
Monthly |
Identify the global catalog servers in a site. |
At least twice within the tombstone lifetime |
Back up Active Directory and associated components. |
As needed |
Perform a non-authoritative restore. |
As needed |
Perform an authoritative restore of a subtree or leaf object. |
As needed |
Perform an authoritative restore of the entire directory. |
As needed |
Recover a domain controller through reinstallation. |
As needed |
Restore a domain controller through reinstallation and subsequent restore from backup. |
As needed |
Prepare for Active Directory Installation. |
As needed |
Install Active Directory. |
As needed |
Perform Active Directory post-installation tasks. |
As needed |
Decommission a domain controller. |
As needed |
Identify the current configuration of a domain controller. |
As needed |
Rename a domain controller. |
As needed |
Restore the original configuration of a domain controller. |
As needed |
Add the global catalog to a domain controller and verify global catalog readiness. |
As needed |
Remove the global catalog from a domain controller. |
As needed |
Designate operations master roles. |
As needed |
Reduce the workload on a PDC emulator. |
As needed |
Decommission an operations master role holder. |
As needed |
Seize operations master roles. |
As needed |
Choose a standby operations master. |
As needed |
Relocate directory database files. |
As needed |
Return unused disk space from the directory database to the file system. |
As needed |
Speed removal of an expired-tombstone backlog. |
As needed |
Change the space allocated to the Staging Area folder. |
As needed |
Relocate the Staging Area folder. |
As needed |
Move SYSVOL by using the Active Directory Installation Wizard. |
As needed |
Move SYSVOL manually. |
As needed |
Update the SYSVOL path. |
As needed |
Restore and rebuild SYSVOL. |
As needed |
Configure a time source for the forest. |
As needed |
Configure a reliable time source on a computer other than the PDC emulator. |
As needed |
Configure a client to request time from a specific time source. |
As needed |
Optimize the polling interval. |
As needed |
Disable the Windows Time Service. |
As needed |
Prepare a domain controller for long disconnection. |
As needed |
Reconnect a long-disconnected domain controller. |
As needed |
Remove lingering objects from an outdated writable domain controller. |
As needed |
Remove lingering objects from a global catalog server. |
As needed |
Create an external trust (between a Windows 2000 domain and a Windows NT 4.0 domain, or between domains in different forests). |
As needed |
Create a shortcut trust. |
As needed |
Remove a manually created trust. |
As needed |
Prevent unauthorized privilege escalation. |
As needed |
Add a new site. |
As needed |
Add a subnet to the network. |
As needed |
Link sites for replication. |
As needed |
Change site link properties. |
As needed |
Move a domain controller to a different site. |
As needed |
Remove a site. |