Configuring the Active Directory Management Pack

Before you install the Active Directory Management Pack, use the best practices and guidelines that are provided in the MOM 2005 Deployment Guide on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=33535) to deploy MOM 2005 in your environment. After you deploy MOM 2005, install and configure the Active Directory Management Pack to monitor the health of Active Directory.

It is recommended that you also install the DNS Management Pack and the Operating System Management Pack for the most complete results when monitoring Active Directory.

After you install the Active Directory Management Pack and all other recommended management packs, do the following to configure Active Directory monitoring:

  • Set the intersite replication latency threshold.

  • Specify domain controllers for replication latency data collection.

  • Perform initial triage.

  • Configure settings for slow wide area network (WAN) links or large branch office deployments. (Optional)

  • Configure agent computers to run in low-privilege scenarios.

The following sections contain procedures for these tasks.

Setting the Intersite Replication Latency Threshold Value

The maximum intersite replication latency threshold value is the maximum amount of time it takes for a change to replicate across the entire forest. By default, this value is set to 15 minutes. If it takes longer than 15 minutes for replication to occur, you will receive a warning. Consult your system architect to review what the expected maximum threshold value is for your environment. Usually, this value is monitored closely to ensure that any applicable SLAs for your organization are being met. After you have determined an appropriate value for your environment, modify the setting accordingly. The most common scenario involves ensuring that basic help desk procedures, such as resetting passwords, replicate from corporate headquarters to a branch office within a reasonable amount of time as determined by the SLA.

Monitoring the maximum latency for the forest also ensures that all domain controllers are receiving updates. Failure of even one domain controller to receive updates in a timely manner can have significant negative results. If you receive frequent alerts, with AD Replication Monitoring as the source, you are probably not meeting your SLA requirements. Site schedules that are not set correctly are the most common cause of this problem.

If you have an SLA, set the intersite maximum latency threshold value to one-third of the SLA (in minutes) or to the maximum expected time it takes for data to replicate across your forest, whichever is smaller. If you do not have an SLA, set the intersite maximum latency threshold value to the maximum expected time it takes for data to replicate across your forest.

To set the intersite replication latency threshold value

  1. In the MOM 2005 Administrator console, double-click Management Packs, double-click Rule Groups, double-click Microsoft Windows Active Directory (enabled), double-click Active Directory Windows 2000 and Windows Server 2003 (enabled), and then double-click Active Directory Availability (enabled).

  2. Click Event Rules.

  3. In the right pane, double-click Script - AD Replication Monitoring.

  4. On the Responses tab, click the script named AD Replication Monitoring, and then click Edit.

  5. Under Script parameters, double-click IntersiteExpectedMaxLatency.

  6. In Value, type the value (in minutes) for the maximum expected replication latency between domain controllers.

  7. Click OK.

  8. In the Launch a Script dialog box, click OK.

  9. In the Event Rule Properties dialog box, click OK.

  10. In the left pane, right-click Management Packs, and then click Commit Configuration Change.

Specifying Domain Controllers for Replication Latency Data Collection

For detailed trending analysis, add the names of the domain controllers for which you want to collect replication latency data to the Active Directory Management Pack. Specifying the names of the domain controllers is very useful for graphing replication performance between critical domain controllers, and it is required for the AD Replication Latency report.

You must specify both the source domain controllers and the target domain controllers for which you want to collect data. Replication latency data is collected only for replication from all of the source domain controllers to each of the target domain controllers.

Note

The amount of replication latency data that is collected for detailed trending analysis can be quite large. The number of data collections per interval is roughly equal to the number of source domain controllers multiplied by the number of target domain controllers that you specify. For example, if you specify 10 source domain controllers and 10 target domain controllers, you will receive approximately 100 data collections per interval.

To specify domain controllers for replication latency data collection

  1. In the MOM 2005 Administrator console, double-click Management Packs, and then double-click Computer Groups.

  2. In the right pane, right-click Active Directory Replication Latency Data Collection - Sources, and then click Properties.

  3. On the Included Computers tab, select the domain controllers that you want to track replication latency data from, and then click OK.

  4. Right-click Active Directory Replication Latency Data Collection - Targets, and then click Properties.

  5. On the Included Computers tab, select the domain controllers that you want to track replication latency data to, and then click OK.

  6. In the left pane, right-click Management Packs, and then click Commit Configuration Change.

Note

It can take up to 24 hours for data to start collecting.

Performing Initial Triage

After you configure the Active Directory Management Pack, allow 24 hours for the scripts to run. (Some of the scripts run in real time; others run at scheduled intervals of up to 24 hours.) The number and severity of alerts that are generated in the first 24 hours depend on the thresholds that you set, on the number of domain controllers that are running in your environment, and on any existing problems in your Active Directory implementation.

After 24 hours, triage the alerts that the Active Directory Management Pack scripts have generated. Triaging the alerts helps you to identify critical issues and resolve them right away. It also helps you to decrease the amount of alert noise that is generated by your domain controllers, the WAN, and the MOM system, which makes it easier to maintain the health of your Active Directory environment.

To perform initial triage after configuring the Active Directory Management Pack

  1. Open the Microsoft Operations Manager 2005 Operator console, and view all alerts that have been generated in the last 24 hours.

  2. Address alerts in their order of severity (Critical Errors, Errors, Warnings, and Informational alerts). Each alert includes knowledge that provides additional information to help you resolve it.

    Important

    If you find errors from the AD Essential Services script, address these errors first. These errors indicate that one or more of the services that Active Directory depends on are not running.

  3. Address alerts that are generating the most noise on domain controllers, the WAN, and the MOM system by doing the following:

    a. On the Go menu, click Open Reporting Console.

    b. Click the Operational Health Analysis report.

    c. Click the Most Common Events by Computer report.

    d. In Computer, click a computer in the drop-down list, and then click View Report.

    e. Examine the report, and then address all events that show more than 5 percent in the Activity % column.

    f. At the top of the screen, click Operational Health Analysis, and repeat steps d and e for the Most Common Alerts by Alert Count report.

Configuring Settings for Slow WAN Links or Large Branch Office Deployments

There are several scenarios in which you might decide not to collect warnings, performance data, and miscellaneous noncritical events. These scenarios include the following:

  • Deployments with very slow WAN links

  • Large branch office deployments

  • Deployments across satellite links

  • Deployments in which alerts are forwarded to a global network operations center

  • Scenarios in which warnings and informational messages are not needed

If you are deploying the Active Directory Management Pack in any of these scenarios, you can disable certain performance data to decrease network traffic.

Note

Several Active Directory Management Pack reports will not operate if performance data gathering is disabled.

To disable performance data

  1. In the MOM Administrator console, double-click Management Packs, double-click Rule Groups, double-click Microsoft Windows Active Directory (enabled), and then double-click Active Directory Windows 2000 and Windows Server 2003 (enabled).

  2. In the left pane, right-click Reporting Rules for Active Directory, and then click Properties.

  3. On the General tab, clear the Enabled check box, and then click OK.

  4. In the left pane, double-click Active Directory Windows 2000 (enabled).

  5. In the left pane, right-click Reporting Rules for Active Directory, and then click Properties.

  6. On the General tab, clear the Enabled check box, and then click OK.

  7. In the left pane, right-click Management Packs, and then click Commit Configuration Change.

Configuring Agent Computers to Run in Low-Privilege Scenarios

Monitoring functionality on an agent computer is provided by both the MOM Service (MOMService.exe) and the Action Account. On Windows 2000 Server, the Action Account must be a member of the local administrators group. On Windows Server 2003, you can use a low-privileged account for the agent’s Action Account under certain circumstances. However, configuring the Action Account with the necessary rights and privileges to run the Active Directory Management Pack features requires significant manual configuration on the agent computer.

On Windows Server 2003, the Action Account must have the following minimum privileges:

  • Member of the Local Users Group

  • Member of the Local Performance Monitor Users group

  • Access to Windows Event logs

  • Manage auditing and security log privilege (SeSecurityPrivilege)

  • Generate security audits privilege (SeAuditPrivilege)

  • Allow log on locally logon right (SeInteractiveLogonRight)
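The following script is an added example, not part of the Microsoft documentation, that checks on a domain controller whether a candidate Action Account holds the group memberships and user rights in the list above. The account name CONTOSO\MOMAction is an assumed placeholder. Only direct grants are compared: a right or membership the account receives through a group it belongs to is reported as MISSING, and event log access is not checked because it is not expressed as a single user right.

```powershell
# Added example (not from the Microsoft documentation). Run in an elevated
# PowerShell session on the domain controller that hosts the MOM agent.
param([string]$ActionAccount = 'CONTOSO\MOMAction')   # assumed placeholder account

$sid = (New-Object System.Security.Principal.NTAccount($ActionAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$results = @()

# Local group membership, read through the WinNT provider. Member ADsPaths look like
# WinNT://CONTOSO/MOMAction, so the account name is converted to that form.
$wantPath = 'WinNT://' + ($ActionAccount -replace '\\', '/')
foreach ($group in 'Users', 'Performance Monitor Users') {
    $grp   = [ADSI]"WinNT://./$group,group"
    $paths = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) })
    $held  = [bool]($paths | Where-Object { $_ -eq $wantPath })
    $results += New-Object PSObject -Property @{ Requirement = "Member of $group"; Held = $held }
}

# User rights live in the local security policy. secedit exports them as lines of the
# form "SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-32-549".
$inf = Join-Path $env:TEMP 'mom-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

foreach ($right in 'SeSecurityPrivilege', 'SeAuditPrivilege', 'SeInteractiveLogonRight') {
    $line    = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    # Anchor the SID between separators so a longer SID with the same prefix does not match.
    $pattern = '(=|,)\s*\*' + [regex]::Escape($sid) + '(,|\s*$)'
    $held    = [bool]($line -and ($line -match $pattern))
    $results += New-Object PSObject -Property @{ Requirement = $right; Held = $held }
}

$results | Format-Table Requirement, Held -AutoSize
```

Run it once per domain controller before enabling the low-privilege configuration; a MISSING row points at the membership or right that still has to be granted through Local Users and Groups or the Local Security Policy snap-in.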

In a low-privileged scenario, the Active Directory Management Pack requires that the account that is used for the Action Account and the service context that the MOM Service runs under have additional rights and privileges.

Table 15 details the access types that must be configured manually.

Table 15   Access Types Required by the Active Directory Management Pack

Resource: CN=MomLatencyMonitors container
Access Type: Full
Instructions:

At minimum, the Action Account must be able to:

  • Create container objects as children of CN=MOMLatencyMonitors.

  • Read the attributes of all of the objects that are created under CN=MOMLatencyMonitors.

  • Write to the adminDescription attribute on the objects that are created under CN=MOMLatencyMonitors.

Create the MomLatencyMonitors container as a child container of the root of each domain and application directory partition that you are going to monitor. If an application directory partition crosses domain boundaries, provide the appropriate access to the Action Account in each domain.

If you are going to monitor the configuration partition, create the MomLatencyMonitors container as a child object of the configuration partition as well.

To create the MomLatencyMonitors container on a domain controller

  1. Click Start, click Run, and then type adsiedit.msc.

  2. In ADSI Edit, double-click Domain [computername], and then right-click DC=domainname,DC=com.

  3. Click New, and then click Object.

  4. In Select a class, click Container, and then click Next.

  5. In Value, type MomLatencyMonitors, and then click Next.

  6. Click Finish.

The MomLatencyMonitors container needs to be created on only one domain controller. The created object will replicate to the other domains in the forest.

Resource: Registry keys
Access Type: Read
Instructions:

Add the Action Account to the permissions of HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, and grant it Read access. This enables the Action Account to find the location of NTDS.dit and the Active Directory log files.

You must add the Action Account to the registry key permissions on each domain controller.

Resource: Directories containing NTDS.dit and Active Directory log files
Access Type: Read
Instructions:

The Action Account must have Read access to the file path location of NTDS.dit and the Active Directory log files.

The directory location of NTDS.dit is stored in the registry value HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\DSA Database File.

The directory location of the Active Directory log files is stored in the registry value HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path.

You must provide access to the file path location on each domain controller.
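The following script is an added example, not part of the Microsoft documentation, that applies the three access types in Table 15 to a low-privilege Action Account on one Windows Server 2003 domain controller: Read on the NTDS\Parameters registry key, Read on the directories that the two registry values point to, and a CN=MomLatencyMonitors container under the domain root with only the minimum directory rights the table lists rather than Full control. The account name CONTOSO\MOMAction is an assumed placeholder, and the schemaIDGUID values for the container class and the adminDescription attribute are looked up from the schema partition instead of being hard-coded.

```powershell
# Added example (not from the Microsoft documentation). Run in an elevated
# PowerShell session on each domain controller; the container step needs to
# run only once per domain partition because the object replicates.
param([string]$ActionAccount = 'CONTOSO\MOMAction')   # assumed placeholder account

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. Registry: Read on NTDS\Parameters so the agent can locate NTDS.dit and the logs.
$acl  = Get-Acl -Path $ntdsKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $ActionAccount, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ntdsKey -AclObject $acl

# 2. File system: Read on the directories named by the two registry values.
$params = Get-ItemProperty -Path $ntdsKey
$dirs = @(
    (Split-Path -Parent $params.'DSA Database File'),   # directory that holds NTDS.dit
    $params.'Database Log Files Path'                   # directory that holds the log files
) | Select-Object -Unique
foreach ($dir in $dirs) {
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ActionAccount, 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# 3. Directory: CN=MomLatencyMonitors under the domain root (create it if absent).
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

$finder = New-Object System.DirectoryServices.DirectorySearcher($domain)
$finder.Filter = '(&(objectClass=container)(cn=MomLatencyMonitors))'
$finder.SearchScope = 'OneLevel'
if ($finder.FindOne()) {
    $container = [ADSI]"LDAP://CN=MomLatencyMonitors,$domainDn"
} else {
    $container = $domain.psbase.Children.Add('CN=MomLatencyMonitors', 'container')
    $container.psbase.CommitChanges()
}

# Resolve a class or attribute schemaIDGUID from the schema partition at run time.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaDn")
    $s.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$s.PropertiesToLoad.Add('schemaIDGUID')
    $r = $s.FindOne()
    if (-not $r) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object System.Guid -ArgumentList (,[byte[]]$r.Properties['schemaidguid'][0])
}

$sid = (New-Object System.Security.Principal.NTAccount($ActionAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$containerClass = Get-SchemaGuid 'container'
$adminDescAttr  = Get-SchemaGuid 'adminDescription'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

# The three minimum rights from Table 15, scoped as narrowly as the table allows:
$sec = $container.psbase.ObjectSecurity
# (a) create container objects directly under CN=MomLatencyMonitors
$sec.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::CreateChild, $allow, $containerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
# (b) read the attributes of everything created beneath it
$sec.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::GenericRead, $allow, $descend)))
# (c) write adminDescription on those objects
$sec.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $allow, $adminDescAttr, $descend)))
$container.psbase.CommitChanges()
```

Granting the three scoped ACEs instead of Full control keeps the Action Account unable to delete or re-permission the latency objects, which is the practical reason to take the low-privilege route at all; repeat the container step against the configuration partition and any application partitions you monitor, as the table requires.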

Note

The Action Account must be a member of either the Domain Admins group or the Administrators group in the domain in which trusts are monitored using the AD Monitor Trusts script. If the Action Account is not a member of either of these groups, you will continue to receive a failure message unless you disable the following rule:

Microsoft Windows Active Directory\Active Directory Monitor Trusts\Script-AD Monitor Trusts.