Configuring the Active Directory Management Pack
Before you install the Active Directory Management Pack, use the best practices and guidelines that are provided in the MOM 2005 Deployment Guide on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=33535) to deploy MOM 2005 in your environment. After you deploy MOM 2005, install and configure the Active Directory Management Pack to monitor the health of Active Directory.
It is recommended that you also install the DNS Management Pack and the Operating System Management Pack for the most complete results when monitoring Active Directory.
After you install the Active Directory Management Pack and all other recommended management packs, do the following to configure Active Directory monitoring:
Set the intersite replication latency threshold.
Specify domain controllers for replication latency data collection.
Perform initial triage.
Configure settings for slow wide area network (WAN) links or large branch office deployments. (Optional)
Configure agent computers to run in low-privilege scenarios.
The following sections contain procedures for these tasks.
Setting the Intersite Replication Latency Threshold Value
The maximum intersite replication latency threshold value is the maximum amount of time it takes for a change to replicate across the entire forest. By default, this value is set to 15 minutes. If it takes longer than 15 minutes for replication to occur, you will receive a warning. Consult your system architect to review what the expected maximum threshold value is for your environment. Usually, this value is monitored closely to ensure that any applicable SLAs for your organization are being met. After you have determined an appropriate value for your environment, modify the setting accordingly. The most common scenario involves ensuring that basic help desk procedures, such as resetting passwords, replicate from corporate headquarters to a branch office within a reasonable amount of time as determined by the SLA.
Monitoring the maximum latency for the forest also ensures that all domain controllers are receiving updates. Failure of even one domain controller to receive updates in a timely manner can have significant negative results. If you receive frequent alerts with AD Replication Monitoring as the source, you are probably not meeting your SLA requirements. Site schedules that are not set correctly are the most common cause of this problem.
If you have an SLA, set the intersite maximum latency threshold value to one-third of the SLA (in minutes) or to the maximum expected time it takes for data to replicate across your forest, whichever is smaller. If you do not have an SLA, set the intersite maximum latency threshold value to the maximum expected time it takes for data to replicate across your forest.
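The threshold rule above, together with a way to check it, as an added example (this is not code from the page or from the Active Directory Management Pack). The probe approach mirrors what the table later on this page implies the Management Pack does (write to an object on one domain controller, watch for the change on the others); the exact mechanism of the Management Pack is not described here, so treat that as an assumption. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), an account allowed to write adminDescription on the probe object, and placeholder names (`HQ-DC01.contoso.com`, `CN=ReplicationProbe,OU=Monitoring,DC=contoso,DC=com`, a 60-minute SLA) that you replace with your own.

```powershell
# Added example; not code from the page or from the Active Directory Management Pack.
# Assumes the ActiveDirectory PowerShell module and rights to write adminDescription on
# the probe object named below (a placeholder you create for this purpose).
Import-Module ActiveDirectory

function Get-IntersiteLatencyThreshold {
    param(
        [int]$ExpectedMaxMinutes,   # the maximum expected forest-wide replication time
        [int]$SlaMinutes = 0        # 0 means no SLA exists
    )
    if ($SlaMinutes -gt 0) {
        # With an SLA: one-third of the SLA or the expected maximum, whichever is smaller
        return [Math]::Min([Math]::Floor($SlaMinutes / 3), $ExpectedMaxMinutes)
    }
    return $ExpectedMaxMinutes      # Without an SLA: the expected maximum alone
}

function Measure-ReplicationLatency {
    param(
        [string]$SourceDC,          # DC that receives the change
        [string[]]$TargetDCs,       # DCs polled until they see the change
        [string]$ProbeDN,           # an object you created for this purpose (placeholder below)
        [int]$ThresholdMinutes,     # stop waiting after this long
        [int]$PollSeconds = 30      # polling interval; also the measurement resolution
    )
    # Stamp the probe on the source DC with a unique value, then watch for it elsewhere
    $stamp = [DateTime]::UtcNow.ToString('o')
    Set-ADObject -Identity $ProbeDN -Server $SourceDC -Replace @{ adminDescription = $stamp }
    $start   = Get-Date
    $pending = [System.Collections.ArrayList]@($TargetDCs)
    $seconds = @{}
    while ($pending.Count -gt 0 -and ((Get-Date) - $start).TotalMinutes -lt $ThresholdMinutes) {
        foreach ($dc in @($pending)) {
            $obj = Get-ADObject -Identity $ProbeDN -Server $dc -Properties adminDescription
            if ($obj.adminDescription -eq $stamp) {
                $seconds[$dc] = [int]((Get-Date) - $start).TotalSeconds
                $pending.Remove($dc)
            }
        }
        if ($pending.Count -gt 0) { Start-Sleep -Seconds $PollSeconds }
    }
    foreach ($dc in $pending) { $seconds[$dc] = $null }   # did not converge within the threshold
    return $seconds
}

# Placeholder inputs: a 60-minute password-reset SLA and a 15-minute expected latency
$threshold = Get-IntersiteLatencyThreshold -ExpectedMaxMinutes 15 -SlaMinutes 60   # min(20, 15) = 15

$latency = Measure-ReplicationLatency -SourceDC 'HQ-DC01.contoso.com' `
    -TargetDCs 'BRANCH-DC01.contoso.com', 'BRANCH-DC02.contoso.com' `
    -ProbeDN 'CN=ReplicationProbe,OU=Monitoring,DC=contoso,DC=com' `
    -ThresholdMinutes $threshold

$latency.GetEnumerator() | ForEach-Object {
    $state = if ($null -eq $_.Value) { "NOT SEEN within $threshold min (check site link schedules)" }
             else                    { "$($_.Value) s" }
    '{0,-28} {1}' -f $_.Key, $state
}
```

A target that is still "NOT SEEN" when the threshold expires is the condition the page attributes most often to site schedules that are not set correctly, so those are the site links to review first. The script measures one source to several targets; run it in the direction your SLA cares about (for example headquarters to branch offices for password resets).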
To set the intersite replication latency threshold value
Specifying Domain Controllers for Replication Latency Data Collection
For detailed trending analysis, add the names of the domain controllers for which you want to collect replication latency data to the Active Directory Management Pack. Specifying the names of the domain controllers is very useful for graphing replication performance between critical domain controllers, and it is required for the AD Replication Latency report.
You must specify both the source domain controllers and the target domain controllers for which you want to collect data. Replication latency data is collected only for replication from all of the source domain controllers to each of the target domain controllers.
Note
The amount of replication latency data that is collected for detailed trending analysis can be quite large. The number of data collections per interval is roughly equal to the number of source domain controllers multiplied by the number of target domain controllers that you specify. For example, if you specify 10 source domain controllers and 10 target domain controllers, you will receive approximately 100 data collections per interval.
To specify domain controllers for replication latency data collection
Note
It can take up to 24 hours for data to start collecting.
Performing Initial Triage
After you configure the Active Directory Management Pack, allow 24 hours for the scripts to run (some of the scripts run in real time; others run at scheduled intervals of up to 24 hours). The number and severity of alerts that are generated in the first 24 hours depend on the thresholds that you set, the number of domain controllers that are running in your environment, and any existing problems in your Active Directory implementation.
After 24 hours, triage the alerts that the Active Directory Management Pack scripts have generated. Triaging the alerts helps you to identify critical issues and resolve them right away. It also helps you to decrease the amount of alert noise that is generated by your domain controllers, the WAN, and the MOM system, which makes it easier to maintain the health of your Active Directory environment.
To perform initial triage after configuring the Active Directory Management Pack
Configuring Settings for Slow WAN Links or Large Branch Office Deployments
There are several scenarios in which you might decide not to collect warnings, performance data, and miscellaneous noncritical events. These scenarios include the following:
Deployments with very slow WAN links
Large branch office deployments
Deployments across satellite links
Deployments in which alerts are forwarded to a global network operations center
Scenarios in which warnings and informational messages are not needed
If you are deploying the Active Directory Management Pack in any of these scenarios, you can disable certain performance data to decrease network traffic.
Note
Several Active Directory Management Pack reports will not operate if performance data gathering is disabled.
To disable performance data
Configuring Agent Computers to Run in Low-Privilege Scenarios
Monitoring functionality on an agent computer is provided by both the MOM Service (MOMService.exe) and the Action Account. On Windows 2000 Server, the Action Account must be a member of the local administrators group. On Windows Server 2003, you can use a low-privileged account for the agent’s Action Account under certain circumstances. However, configuring the Action Account with the necessary rights and privileges to run the Active Directory Management Pack features requires significant manual configuration on the agent computer.
On Windows Server 2003, the Action Account must have the following minimum privileges:
Member of the Local Users Group
Member of the Local Performance Monitor Users group
Access to Windows Event logs
Manage auditing and security log privilege (SeSecurityPrivilege)
Generate security audits privilege (SeAuditPrivilege)
Allow log on locally logon right (SeInteractiveLogonRight)
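A way to audit whether a candidate Action Account already holds the Windows Server 2003 minimum listed above, as an added example (this is not code from the page or from the Management Pack). It checks the two local group memberships, the three user rights through a `secedit` export, and Read access on the folder that holds NTDS.dit (the table later on this page names the registry key for that path, so the folder is a placeholder here). It assumes it is run elevated on the domain controller being checked, and that `CONTOSO\svc-mom-action` and `C:\Windows\NTDS` are replaced with your own values.

```powershell
# Added example; not code from the page or from the Active Directory Management Pack.
# Run elevated on the domain controller. Account name and NTDS folder are placeholders.
param(
    [string]$ActionAccount = 'CONTOSO\svc-mom-action',   # placeholder account
    [string]$NtdsFolder    = 'C:\Windows\NTDS'            # placeholder; read the real path from the registry
)

$ntAccount  = New-Object System.Security.Principal.NTAccount($ActionAccount)
$accountSid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$shortName  = $ActionAccount.Split('\')[-1]
$results    = @()

# --- 1. Local group membership (Users, Performance Monitor Users) via the WinNT provider
function Test-LocalGroupMember([string]$GroupName, [string]$MemberName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    $names = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return ($names -contains $MemberName)
}
foreach ($g in 'Users', 'Performance Monitor Users') {
    $results += [pscustomobject]@{ Check = "Member of local group '$g'"; Pass = (Test-LocalGroupMember $g $shortName) }
}

# --- 2. User rights assignment from a secedit export. Direct grants only: a right the
#        account receives through a group is listed under that group's SID instead.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
foreach ($r in 'SeSecurityPrivilege', 'SeAuditPrivilege', 'SeInteractiveLogonRight') {
    $results += [pscustomobject]@{ Check = "Direct grant of $r"; Pass = ($rights[$r] -contains $accountSid) }
}

# --- 3. NTFS Read access on the NTDS.dit folder (Allow ACEs naming the account's SID;
#        Deny ACEs and group-granted access are not evaluated here)
function Test-ReadAccess([string]$Path, [string]$Sid) {
    $acl      = Get-Acl -Path $Path
    $readFlag = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $Sid -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readFlag) -eq $readFlag)) {
            return $true
        }
    }
    return $false
}
$results += [pscustomobject]@{ Check = "Read access on $NtdsFolder"; Pass = (Test-ReadAccess $NtdsFolder $accountSid) }

$results | Format-Table -AutoSize
```

Repeat the run on each domain controller, since the table below notes that the registry and file-system access must be granted on every one. A "False" for a user right does not necessarily mean the right is missing; it may be granted to a group the account belongs to, which this script deliberately does not resolve so that the direct, least-privilege grants stay visible.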
In a low-privileged scenario, the Active Directory Management Pack requires that the account that is used for the Action Account and the service context that the MOM Service runs under have additional rights and privileges.
Table 15 details the access types that must be configured manually.
Table 15 Access Types Required by the Active Directory Management Pack

| Resource | Access Type | Instructions |
|---|---|---|
| CN=MomLatencyMonitors container | Full | At minimum, the Action Account must be able to: create container objects as children of CN=MOMLatencyMonitors; read the attributes of all of the objects that are created under CN=MOMLatencyMonitors; and write to the adminDescription attribute on the objects that are created under CN=MOMLatencyMonitors. Create the MomLatencyMonitors container as a child container of the root of each domain and application directory partition that you are going to monitor. If an application directory partition crosses domain boundaries, provide the appropriate access to the Action Account in each domain. If you are going to monitor the configuration partition, create the MomLatencyMonitors container as a child object of the configuration partition as well. To create the MomLatencyMonitors container on a domain controller: the container needs to be created on only one domain controller; the created object will replicate to the other domains in the forest. |
| Registry keys | Read | Add the Action Account to the registry properties of HKLM\System\CurrentControlSet\Service\ You must add the Action Account to the registry properties on each domain controller. |
| Directories containing NTDS.dit and Active Directory log files | Read | The Action Account must have Read access to the file path location of NTDS.dit and the Active Directory log files. The directory location of NTDS.dit is recorded under HKLM\System\CurrentControlSet\Service\ The directory location of the Active Directory log files is recorded under HKLM\System\CurrentControlSet\Service\ You must provide access to the file path location on each domain controller. |
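The first row of Table 15 lists three specific rights rather than "Full" as the minimum. The following added example (not code from the page or from the Management Pack) creates the MomLatencyMonitors container in the default domain partition if it is missing and delegates exactly those three rights to the Action Account, scoped by schema GUID so the account can create only container objects and write only adminDescription. It assumes the ActiveDirectory PowerShell module and its `AD:` drive (Windows Server 2008 R2 / RSAT or later), an account that may create the container and change its ACL, and the placeholder name `CONTOSO\svc-mom-action`. Run it again with a different partition DN for each application directory partition (and the configuration partition) that you monitor.

```powershell
# Added example; not code from the page or from the Active Directory Management Pack.
# Assumes the ActiveDirectory module; the account name is a placeholder.
Import-Module ActiveDirectory

$actionAccount = 'CONTOSO\svc-mom-action'       # placeholder
$rootDse       = Get-ADRootDSE
$partitionDN   = $rootDse.defaultNamingContext   # repeat per domain/application partition you monitor

# Look up schema GUIDs so each ACE is scoped to exactly one object class or one attribute
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return New-Object -TypeName System.Guid -ArgumentList (,$obj.schemaIDGUID)
}
$containerClassGuid = Get-SchemaGuid 'container'
$adminDescAttrGuid  = Get-SchemaGuid 'adminDescription'

$containerDN = "CN=MomLatencyMonitors,$partitionDN"
if (-not (Test-Path "AD:\$containerDN")) {
    New-ADObject -Name 'MomLatencyMonitors' -Type 'container' -Path $partitionDN
}

$sid   = (New-Object System.Security.Principal.NTAccount($actionAccount)).Translate(
             [System.Security.Principal.SecurityIdentifier])
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$containerDN"

# 1. Create container objects as children of the MomLatencyMonitors container (this object only)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow,
    $containerClassGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# 2. Read the attributes of every object created under the container (descendants only)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)))

# 3. Write only the adminDescription attribute on those objects (descendants only)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
    $adminDescAttrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)))

Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Verify: list the ACEs on the container that now name the Action Account
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $actionAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Because the container is created on one domain controller and replicates from there, both the object and its ACL reach the other domain controllers through normal replication; the verification query can be repeated against another domain controller with `-Server` once replication has completed.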
Note
The Action Account must be a member of either the Domain Admins group or the Administrators group in the domain in which trusts are monitored using the AD Monitor Trusts script. If the Action Account is not a member of either of these groups, you will continue to receive a failure message unless you disable the following rule:
Microsoft Windows Active Directory\Active Directory Monitor Trusts\Script-AD Monitor Trusts.