Overview of the Active Directory Management Pack

The Active Directory Management Pack for Microsoft Operations Manager (MOM) 2005 provides a predefined, ready-to-run set of processing rules, monitoring scripts, and reports that are designed specifically to monitor the performance and availability of the Active Directory® directory service. This Management Pack monitors events that are placed in the Application, System, and Directory Service event logs by various Active Directory components and subsystems. It also monitors the overall health of Active Directory and alerts you to critical performance issues.

This guide provides information about the most common Active Directory monitoring scenarios, state monitoring definitions, tasks, reports, and views. This guide also includes instructions for deploying and operating the Active Directory Management Pack.

The Active Directory Management Pack provides a complete Active Directory monitoring solution by:

  • Monitoring all aspects of Active Directory health.

  • Monitoring the health of vital processes that Active Directory depends on, including replication, Lightweight Directory Access Protocol (LDAP), DC Locator, trusts, Net Logon service, File Replication service (FRS), Intersite Messaging service, Windows Time service, and Key Distribution Center (KDC).

  • Monitoring service availability.

  • Collecting key performance data.

  • Providing comprehensive reports, including reports on service availability and service health and reports that can be useful for capacity planning.

By detecting and creating alerts for critical events, the Active Directory Management Pack helps to indicate, correct, and prevent possible Active Directory service outages.

This guide was developed using the Active Directory Management Pack for MOM 2005. To ensure that you are using the most recent version of the Active Directory Management Pack, see Microsoft Operations Manager Management Packs on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=33752.

What’s New in the Active Directory Management Pack for MOM 2005

The Active Directory Management Pack for MOM 2005 provides the following improvements and additions:

  • Improved alert suppression.

  • Improved and updated knowledge for all alerts.

  • Global catalog availability tests, which are added to the Client Pack.

  • State level monitoring for key Active Directory components.

  • Topological views representing site links and connection objects.

Monitoring Scenarios

The Active Directory Management Pack is designed to provide valuable monitoring information for most implementations of Active Directory.

Note

The Active Directory Management Pack does not support monitoring multiple-forest Active Directory configurations. To monitor multiple forests using the Active Directory Management Pack, configure a separate MOM Management Group for each forest. For more information about how to configure MOM management groups, see Microsoft Operations Manager 2005 Help that is installed with Microsoft Operations Manager (MOM).

Table 1 describes the most common Active Directory Management Pack monitoring scenarios.

Table 1   Active Directory Management Pack Monitoring Scenarios

Scenario

Description

Client Side Monitoring

Tests the availability of Active Directory components from directory-enabled applications, for example, Microsoft® Exchange 2000 Server and Exchange Server 2003. Clients determine availability by:

  • Pinging (using both Internet Control Message Protocol (ICMP) and LDAP).

  • Searching Active Directory.

  • Confirming that a sufficient number of global catalog servers are available.

  • Detecting primary domain controller (PDC) emulator availability and responsiveness.

Active Directory Trust Relationships

Monitors trust relationship issues and detects problems with trusts between Active Directory domains and forests.

Account and Authentication Issues

Monitors Active Directory user authentication and account issues between domain controllers, including the following:

  • Account password issues

  • Security Accounts Manager (SAM) failures

  • Invalid requests

  • KDC and NTLM errors

  • Account identifier issues

  • User credential issues

  • Account and group issues

  • Duplicate accounts and security identifiers (SIDs)

Net Logon service

Monitors the health of the Net Logon service, including the following:

  • Computer authentication issues

  • Computers with duplicate SIDs

  • Authentication failures for Active Directory computer accounts

  • Name collisions

  • Issues with connecting to Microsoft Windows NT® 4.0 domain controllers

  • Inability of the Net Logon service to register name records with the Windows Internet Name Service (WINS)

Universal Group Membership Caching

Monitors issues with universal group membership caching, a new feature in Microsoft Windows Server™ 2003 that enables a domain controller to process user logon requests when a global catalog server is unavailable.

Dependent Services

Monitors issues related to the availability of services that are critical to Active Directory operations, including the following:

  • File replication errors

  • Journal wrap errors

  • Computer account policy failures

  • Issues with time synchronization between Active Directory components

  • Group Policy processing issues and errors

  • Computer account issues

  • Group Policy object issues

  • Memory allocation issues

Active Directory Availability

Monitors various aspects of Active Directory health that affect availability, including the following:

  • Connectivity failures

  • Database size and available free disk space

  • Global catalog issues and errors

  • Operations master availability

Replication

Monitors replication issues or failures, including the following:

  • Replication failures

  • Initial replication not completed

  • Slow replication

  • Synchronization issues and errors

  • Time skew issues

  • Detection of replication islands

  • Domain controllers having appropriate numbers of replication partners

Performance Monitoring

Collects various aspects of domain controller performance, including the following:

  • Number of NTLM authentications per second

  • Number of Kerberos authentications per second

  • Directory searches per second

  • Number of server sessions

  • Replication latency

  • Processor usage

  • System up time

  • Memory: page writes per second

  • Memory: available bytes

  • Memory: committed bytes

  • KDC Authentication Service (AS) requests per second

  • KDC ticket-granting service (TGS) requests per second

  • LDAP searches per second

  • LDAP User Datagram Protocol (UDP) operations per second

  • Number of LDAP client sessions

  • Number of LDAP writes per second

  • Number of local security authority subsystem (LSASS) private bytes

  • LSASS handle count

  • LSASS processor usage

State Monitoring Definitions

The Active Directory Management Pack provides state monitoring based on the definitions in Table 2.

Note

The Active Directory Management Pack collects service discovery data every 30 minutes by default. Therefore, Active Directory–specific discovery data might not appear in the MOM Operator console until up to 30 minutes after the Management Pack is deployed.

Table 2   Active Directory Management Pack State Monitoring Definitions

State Indicator

Description

Service Health

Indicates the current health of the Active Directory directory service, focusing on the availability and responsiveness of the service. The following are monitored to determine service health:

  • Operations master responsiveness

  • Global catalog server responsiveness

  • Number of lost and found objects

Server Health

Indicates the current health of the components and services that are operating on a domain controller. Includes checks to ensure that all essential services are available, analyzes LSASS and NTDSA for performance, and confirms that the domain controller is discoverable by itself using DC Locator. The following are also monitored:

  • Required services

  • Database and log file space

  • CPU usage

  • Domain controller location and advertisement

Replication Health

Indicates the overall health of Active Directory replication by monitoring the health of connection objects that are used for Active Directory replication between domain controllers and by monitoring the speed at which replication occurs between replication partners.

Client View

Indicates Active Directory health from the view of the Client Pack for any computer on which the Client Pack is installed. The Client Pack monitors global catalog and PDC emulator availability, as well as interface availability and performance from the client’s perspective.

Tasks

Active Directory Management Pack tasks provide increased manageability by enabling you to manage Active Directory directly from the MOM console. The Active Directory Management Pack tasks that can be performed from the MOM console are described in Table 3.

Table 3   Active Directory Management Pack Tasks

| Task | Description |
|---|---|
| Replication Summary Snapshot | Collects a snapshot of the current replication status from the perspective of the target computer by using the REPADMIN /replsum command. |
| Service Principal Name Health | Confirms service principal name (SPN) health on the target domain controllers. This task is useful for diagnosing replication authentication errors that are caused by nonexistent, manipulated, or duplicate SPN registrations, Kerberos ticket refresh, admin tool startup, user and computer logon authorization, and service startup. |
| Enumerate Trusts | Enumerates the trust relationships between Active Directory domains. |

Table 4   Active Directory Management Pack Advanced Tasks

| Task | Description |
|---|---|
| Active Directory Users and Computers Snap-in | Opens the Active Directory Users and Computers snap-in on the local computer. |
| ADSI Edit | Opens ADSIEdit.mmc on the local computer. |
| DCDiag | Runs DCDiag.exe on a remote domain controller using parameters that are specified by the user. |
| LDP | Opens LDP.exe on the local computer. |
| NETDIAG | Runs Netdiag.exe on a remote domain controller using parameters that are specified by the user. |
| NETDOM | Runs Netdom.exe on a remote domain controller using parameters that are specified by the user. |
| NLTEST | Runs Nltest.exe on a remote domain controller using parameters that are specified by the user. |
| REPADMIN | Runs Repadmin.exe on a remote domain controller using parameters that are specified by the user. |
| SETSPN | Runs Setspn.exe on a remote domain controller using parameters that are specified by the user. |

Note

Many tasks that are listed in this table require the use of support tools. Support tools are located in the Support Tools directory on the Microsoft Windows® 2000 Server and Windows Server 2003 operating system CDs.
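
The duplicate-registration case that the Service Principal Name Health task is meant to surface can be illustrated with a short PowerShell function. This is an added example, not part of the Management Pack or its scripts; the function name Find-DuplicateSpn and the sample accounts are hypothetical.

```powershell
# Added example: report SPNs that are registered on more than one account.
# Input objects need DistinguishedName and servicePrincipalName properties,
# the shape returned by:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
function Find-DuplicateSpn {
    param(
        [Parameter(Mandatory)]
        [object[]]$Account
    )

    # Flatten every account into one (SPN, owner) pair per registered SPN.
    $pairs = foreach ($a in $Account) {
        foreach ($spn in @($a.servicePrincipalName)) {
            if ([string]::IsNullOrWhiteSpace($spn)) { continue }
            [pscustomobject]@{ Spn = $spn.Trim(); Owner = $a.DistinguishedName }
        }
    }

    # Group-Object compares strings case-insensitively by default, so
    # 'HOST/DC01' and 'host/dc01' fall into the same group.
    $pairs | Group-Object -Property Spn | ForEach-Object {
        $owners = @($_.Group.Owner | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Spn = $_.Name; Owners = $owners }
        }
    }
}

# Constructed sample data (hypothetical accounts in example.com).
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=DC01,OU=Domain Controllers,DC=example,DC=com'
        servicePrincipalName = @('ldap/dc01.example.com', 'HOST/dc01.example.com')
    }
    [pscustomobject]@{
        DistinguishedName    = 'CN=DC02,OU=Domain Controllers,DC=example,DC=com'
        servicePrincipalName = @('ldap/dc02.example.com', 'HOST/dc02.example.com')
    }
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-legacy,OU=Service Accounts,DC=example,DC=com'
        servicePrincipalName = @('host/DC01.example.com')   # collides with DC01
    }
)

# List each duplicated SPN together with the accounts that hold it.
Find-DuplicateSpn -Account $sample | Format-List
```

SPNs must be unique across the forest, so pass the function accounts from every domain in the forest (for example, by querying a global catalog) rather than from a single domain.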

Reports

Active Directory Management Pack reports provide important information in the areas of trending, user account problems, configuration, and service level availability.

Data collection for the AD Replication Monitoring report is disabled by default. A MOM administrator must enable data collection for this report to run properly. For information about how to enable this report, see the Configuration information in the Active Directory Replication Latency Performance Data Collection — Sources (and Targets) Rule Group descriptions.

Table 5 describes reports that display Active Directory configuration information.

Table 5   Active Directory Configuration Reports

| Report | Description |
|---|---|
| AD Domain Controllers | Lists all domain controllers in the selected domain, along with their Internet Protocol (IP) addresses and sites. |
| AD Role Holders | Lists which computers are holding one or more operations master roles or are global catalog servers. |
| AD Replication Connection Objects | Summarizes the Active Directory replication topology by providing a list of connection objects. Indicates the source domain controllers and target domain controllers and their respective sites, the transport types, and whether the connection objects are manually configured. |
| AD Replication Site Links | Summarizes the current replication site link configuration for Active Directory. |

Table 6 describes the report that displays disk space information for Active Directory.

Table 6   Active Directory Disk Space Report

| Report | Description |
|---|---|
| AD DC Disk Space | Summarizes Active Directory disk space usage and free space for the database and log volumes. It is critical that adequate free space be available for Active Directory. Use this report to trend and predict the size of volumes that you will need, given your current growth rate. |

Table 7 describes reports that display Active Directory operations information.

Table 7   Active Directory Operations Reports

| Report | Description |
|---|---|
| AD Domain Changes | Summarizes significant changes to the domain, such as movement of the PDC emulator operations master and the addition or removal of domain controllers. |
| AD Machine Account Authentication Failures | Summarizes which workstations (that are joined to the domain) are unable to authenticate. This failure can prevent Group Policy updates and software distribution to the computer. |
| AD SAM Account Errors | Summarizes events that indicate that the SAM has detected an error. Corrective guidance is provided where applicable. |

Table 8 describes reports that display Active Directory replication information.

Table 8   Active Directory Replication Reports

| Report | Description |
|---|---|
| AD Replication Bandwidth | Summarizes the replication bandwidth (compressed and uncompressed) over the selected period. This report is useful for trending and capacity planning for replication bandwidth requirements. |
| AD Replication Latency | Summarizes the minimum, average, and maximum replication latency per naming context, per domain controller. This report is extremely useful in verifying any service level agreement (SLA) that you have for changes to replicate within the domain or forest. |

Views

Active Directory Management Pack views provide a way for administrators to scope the information that has been reported to MOM.

Tables 9, 10, 11, 12, 13, and 14 briefly describe the default public views that are provided with the Active Directory Management Pack.

Table 9   Active Directory Event Views

Category

View

Client Side Monitoring

Client Side Events

Health Monitoring

  • Active Directory Global Catalog Search Response Events

  • Active Directory Op Master Response Events

  • Directory Service Errors

  • NTDS Events

  • Objects to Clean Up After Cross-Domain Moves

Table 10   Active Directory Performance Views

Category

View

Discovery

Number of Client Sessions

Health Monitoring

  • Active Directory Database

  • Active Directory DIT/Log Drive Space

  • Active Directory Log Files

  • CPU Usage on Active Directory Domain Controllers

  • Domain Controller Response Time

  • Global Catalog Response Time

  • LSASS CPU Usage on Active Directory Domain Controllers

  • Memory Use on Active Directory Domain Controllers

  • Processor Queue Length

  • Role Master Response Time

Replication Monitoring

  • Intersite (Compressed) Replication Traffic

  • Replication Latency

  • Replication Traffic — Inbound Bytes per Second

  • Replication Traffic — Outbound Bytes per Second

Table 11   Active Directory Alert Views

Category

View

Health Monitoring

  • Active Directory Domain Controller Alerts

  • Lingering Object Alerts

  • Service Level Exceptions for Active Directory Domain Controllers

Table 12   Active Directory Task Status Views

Category

View

Task Status

  • Enumerate Trusts

  • Replication Status Snapshot

  • Service Principal Name Health

Table 13   Active Directory Computer Group Views

Category

View

Discovery

Domain Controllers by OS Version

Table 14   Active Directory Diagram Views

Category

View

Replication Topology

  • Site Links

  • Connection Objects

  • Broken Connection Objects

Note

The Active Directory Management Pack collects service discovery data every 30 minutes by default. Therefore, Active Directory–specific discovery data might not appear in the MOM Operator console until up to 30 minutes after the Management Pack is deployed.

Agentless Monitoring Support

The Active Directory Management Pack for MOM 2005 does not support agentless monitoring.