Introduction to Monitoring Scenarios

  • Article

The Active Directory Management Pack is designed to provide valuable monitoring information about the health of your directory service. The following nine scenarios describe the most common Active Directory Management Pack monitoring scenarios.

All of the configuration options described in this document are optional and not required for a typical operating environment. Administrators can choose to set some options to more accurately monitor specific areas of their environment.

Multi-Forest Monitoring

The Active Directory Management Pack now supports the monitoring of forests in addition to the forest where Operations Manager and the management pack are installed. You can deploy agents to remote forests. The management pack will gather health and performance data for the remote forest according to the view of the domain controller where the agent is installed.

Monitoring of domain controllers in remote forests is nearly identical to the monitoring done of domain controllers in the local forest.

Important

All multiple forest monitoring scenarios, events, alerts, and performance data collections are fully supported in this release. Topology views automatically discover all forests that have two-way transitive trusts with the local forest. Topology views for untrusted remote forests are not supported in this release.

For a complete list of caveats to be aware of, in addition to more detailed information, refer to the Multi-Forest Monitoring sections earlier in this document.

Replication

Replication of data is a key aspect of any Active Directory installation. Replication Monitoring ensures that replication is occurring correctly in your environment. The following four specific aspects of replication are monitored:

  • Replication Provider This aspect provides monitoring continually and verifies that all of the replication links for a domain controller are always working properly. The health of each replication link is checked by leveraging Windows Management Instrumentation (WMI) to determine the status of each link.

  • Replication Partner Count This aspect ensures that every domain controller has an acceptable number of partners with which to replicate. If a domain controller has either too many or too few partners, the health of the domain controller will be considered to be degraded.

  • Replication Latency Monitoring This aspect ensures that changes made to the Active Directory installation are being replicated throughout the environment in a timely manner. The replication latency monitoring mechanism will inject changes into the directory at a regular interval, and then watch to see that those changes reach every domain controller that is monitored by the Active Directory Management Pack within a specified amount of time.

  • Operations Master Consistency Although Operations Master verification is performed elsewhere, replication monitoring verifies that all replication partners for a given domain controller agree on the owner of each Operations Master role. This check is a critical part of replication because replication partners need to agree on the ownership of each Operations Master role.

Essential Services

Active Directory system comprises a number of services, some that provide services directly and some that support the Active Directory system itself. For this reason, the management pack continually checks to ensure that these essential services are working correctly. Note that some services might or might not be monitored, depending on the version of Microsoft Windows Server being used and the particular configuration of your environment. The services monitored by this management pack include the following:

  • NT File Replication Service (NTFRS)

  • Distributed File System Replication (DFSR)

  • Windows Time Service (W32time)

  • Intersite Messaging (ISM)

  • Key Distribution Center (KDC)

  • NT Directory Services (NTDS)

  • Net Logon (NetLogon)

Note

The Active Directory Management Pack verifies only that these services are running. For a more in-depth health analysis of these services use the management pack that is associated with the services that you are interested in monitoring.

Trust Monitoring

Trusts between forests and domains are fundamental to the operation of the Active Directory deployment. This management pack monitors these trusts to ensure that services and resources in your environment will be available where appropriate.

Directory Service Availability

For the Active Directory Management Pack for Operations Manager 2007 customers, the names of the corresponding script in that management pack appear in parentheses. These services include:

  • A Global Catalog can be located in an acceptable amount of time (GC Response)

  • A Global Catalog can return a search result in an acceptable amount of time (GC Search Time)

  • There are an acceptable number of Lost and Found objects. (Lost & Found Count)

  • Verification of DNS records used by Active Directory (DNS Verification)

  • A serverless bind succeeds within an acceptable amount of time (AD General Response)

Active Directory Database Monitoring

Active Directory Database Monitoring verifies that the underlying files used to host the directory (sometimes referred to as the DIT) are in a consistent state, and that there is available room for the database files to grow. This includes both the database files and the log files on each domain controller that is monitored by the Active Directory Management Pack.

Time Skew Monitoring

The authentication used by the Active Directory application is built on Kerberos, which assumes that all computers participating in authentication are kept within five minutes of one another. Because all computers will have some amount of time skew between them, the Active Directory Management Pack continually verifies that all computers are within an acceptable time skew. The management pack will generate a warning or an error depending on the amount of time skew.

Operations Master Monitoring

An Active Directory environment will contain a number of Operations Master role owners. This management pack monitors these roles to ensure that they are available and can be located at all times. Specifically, each Operations Master role owner can be located and binding can occur within a specified amount of time.

Domain Controller Performance

It is critical to an Active Directory environment that services and responses are not only available, but can be located and queried within an acceptable amount of time. The specific areas of domain controller performance include the following:

  • The LSASS process is using an acceptable amount of CPU resources.

  • Binding can occur with a domain controller within an acceptable amount of time.