
Microsoft Active Directory Management Pack Guide

Active Directory Management Pack for Microsoft Operations Manager 2005

Program Manager: Mas Libman
Author: Shala Brandolini
Published: August 2004
Applies To: Microsoft Operations Manager 2005
Document Version: Release 1.0

Did you find this information useful? Please send your suggestions and comments about
the documentation to momdocs@microsoft.com.
Looking for more MOM information? Experience the power of customer communities!
MOM Community

Information in this document, including URL and other Internet Web site
references, is subject to change without notice. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of
the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or
other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to
these patents, trademarks, copyrights, or other intellectual property.

© 2004 Microsoft Corporation. All rights reserved.


Microsoft, Windows, Windows NT, Windows Server, and Active Directory are
either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.

Acknowledgments
Technical Reviewers: Mas Libman, Andrew Strachan, Ryan Johnson
Editor: Jim Becker


Contents
Overview of the Active Directory Management Pack ..................................................... 4
What's New in the Active Directory Management Pack for MOM 2005 ................... 5
Monitoring Scenarios ................................................................................................... 5
State Monitoring Definitions ....................................................................................... 8
Tasks ............................................................................................................................ 9
Reports ...................................................................................................................... 10
Views.......................................................................................................................... 11
Agentless Monitoring Support .................................................................................. 13
Configuring the Active Directory Management Pack ................................................... 14
Setting the Intersite Replication Latency Threshold Value ..................................... 14
Specifying Domain Controllers for Replication Latency Data Collection ............... 15
Performing Initial Triage ........................................................................................... 16
Configuring Settings for Slow WAN Links or Large Branch Office Deployments ... 17
Configuring Agent Computers to Run in Low-Privilege Scenarios .......................... 18
Active Directory Management Pack Operations ........................................................... 21
Daily Operations ........................................................................................................ 21
Weekly Operations .................................................................................................... 22
Monthly Operations ................................................................................................... 23
Other Common Active Directory Management Pack Operations ........................... 23


Overview of the Active Directory Management Pack

The Active Directory Management Pack for Microsoft Operations Manager (MOM) 2005
provides a predefined, ready-to-run set of processing rules, monitoring scripts, and reports that
are designed specifically to monitor the performance and availability of the Active Directory
directory service. This Management Pack monitors events that are placed in the Application,
System, and Directory Service event logs by various Active Directory components and
subsystems. It also monitors the overall health of Active Directory and alerts you to critical
performance issues.
This guide provides information about the most common Active Directory monitoring scenarios,
state monitoring definitions, tasks, reports, and views. This guide also includes instructions for
deploying and operating the Active Directory Management Pack.
The Active Directory Management Pack provides a complete Active Directory monitoring
solution by:

- Monitoring all aspects of Active Directory health.
- Monitoring the health of vital processes that Active Directory depends on, including
  replication, Lightweight Directory Access Protocol (LDAP), DC Locator, trusts, Net Logon
  service, File Replication service (FRS), Intersite Messaging service, Windows Time service,
  and Key Distribution Center (KDC).
- Monitoring service availability.
- Collecting key performance data.
- Providing comprehensive reports, including reports on service availability and service health
  and reports that can be useful for capacity planning.

By detecting critical events and raising alerts for them, the Active Directory Management Pack
helps you identify, correct, and prevent possible Active Directory service outages.
This guide was developed using the Active Directory Management Pack for MOM 2005. To
ensure that you are using the most recent version of the Active Directory Management Pack, see
Microsoft Operations Manager Management Packs on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=33752.


What's New in the Active Directory Management Pack for MOM 2005

The Active Directory Management Pack for MOM 2005 provides the following improvements
and additions:

- Improved alert suppression
- Improved and updated knowledge for all alerts
- Global catalog availability tests, which are added to the Client Pack
- State level monitoring for key Active Directory components
- Topological views representing site links and connection objects

Monitoring Scenarios
The Active Directory Management Pack is designed to provide valuable monitoring information
for most implementations of Active Directory. Table 1 describes the most common
Active Directory Management Pack monitoring scenarios.
Table 1 Active Directory Management Pack Monitoring Scenarios

Client Side Monitoring
  Tests the availability of Active Directory components from directory-enabled applications, for
  example, Microsoft Exchange 2000 Server and Exchange Server 2003. Clients determine
  availability by:
  - Pinging (using both Internet Control Message Protocol (ICMP) and LDAP).
  - Searching Active Directory.
  - Confirming that a sufficient number of global catalog servers are available.
  - Detecting primary domain controller (PDC) emulator availability and responsiveness.

Active Directory Trust Relationships
  Monitors trust relationship issues, and detects problems with trusts between Active Directory
  domains and forests.

Account and Authentication Issues
  Monitors Active Directory user authentication and account issues between domain controllers,
  including the following:
  - Account password issues
  - Security Accounts Manager (SAM) failures
  - Invalid requests
  - KDC and NTLM errors
  - Account identifier issues
  - User credential issues
  - Account and group issues
  - Duplicate accounts and security identifiers (SIDs)

Net Logon service
  Monitors the health of the Net Logon service, including the following:
  - Computer authentication issues
  - Computers with duplicate SIDs
  - Authentication failures for Active Directory computer accounts
  - Name collisions
  - Issues with connecting to Microsoft Windows NT 4.0 domain controllers
  - Inability of the Net Logon service to register name records with the Windows Internet Name
    Service (WINS)

Universal Group Membership Caching
  Monitors issues with universal group membership caching, a new feature in Microsoft Windows
  Server 2003 that enables a domain controller to process user logon requests when a global
  catalog server is unavailable.

Dependent Services
  Monitors issues related to the availability of services that are critical to Active Directory
  operations, including the following:
  - File replication errors
  - Journal wrap errors
  - Computer account policy failures
  - Issues with time synchronization between Active Directory components
  - Group Policy processing issues and errors
  - Computer account issues
  - Group Policy object issues
  - Memory allocation issues

Active Directory Availability
  Monitors various aspects of Active Directory health that affect availability, including the
  following:
  - Connectivity failures
  - Database size and available free disk space
  - Global catalog issues and errors
  - Operations master availability

Replication
  Monitors replication issues or failures, including the following:
  - Replication failures
  - Initial replication not completed
  - Slow replication
  - Synchronization issues and errors
  - Time skew issues
  - Detection of replication islands
  - Domain controllers having appropriate numbers of replication partners

Performance Monitoring
  Collects various aspects of domain controller performance, including the following:
  - Number of NTLM authentications per second
  - Number of Kerberos authentications per second
  - Directory searches per second
  - Number of server sessions
  - Replication latency
  - Processor usage
  - System up time
  - Memory: page writes per second
  - Memory: available bytes
  - Memory: committed bytes
  - KDC Authentication Service (AS) requests per second
  - KDC ticket-granting service (TGS) requests per second
  - LDAP searches per second
  - LDAP User Datagram Protocol (UDP) operations per second
  - Number of LDAP client sessions
  - Number of LDAP writes per second
  - Local Security Authority Subsystem Service (LSASS) private bytes
  - LSASS handle count
  - LSASS processor usage


State Monitoring Definitions

The Active Directory Management Pack provides state monitoring based on the definitions in
Table 2.

Note
The Active Directory Management Pack collects service discovery data every
30 minutes by default. Therefore, Active Directory-specific discovery data
might not appear in the MOM Operator console until up to 30 minutes after
the Management Pack is deployed.

Table 2 Active Directory Management Pack State Monitoring Definitions

Service Health
  Indicates the current health of the Active Directory directory service, focusing on the
  availability and responsiveness of the service. The following are monitored to determine
  service health:
  - Operations master responsiveness
  - Global catalog server responsiveness
  - Number of lost and found objects

Server Health
  Indicates the current health of the components and services that are operating on a domain
  controller. Includes checks to ensure that all essential services are available, analyzes LSASS
  and NTDSA for performance, and confirms that the domain controller can locate itself by using
  DC Locator. The following are also monitored:
  - Required services
  - Database and log file space
  - CPU usage
  - Domain controller location and advertisement

Replication Health
  Indicates the overall health of Active Directory replication by monitoring the health of
  connection objects that are used for Active Directory replication between domain controllers
  and by monitoring the speed at which replication occurs between replication partners.

Client View
  Indicates Active Directory health from the view of the Client Pack for any computer on which
  the Client Pack is installed. The Client Pack monitors global catalog and PDC emulator
  availability, as well as interface availability and performance from the client's perspective.


Tasks
Active Directory Management Pack tasks provide increased manageability by enabling you to
manage Active Directory directly from the MOM console. The Active Directory Management
Pack tasks that can be performed from the MOM console are described in Table 3.

Table 3 Active Directory Management Pack Tasks (1)

Replication Summary Snapshot
  Collects a snapshot of the current replication status from the perspective of the target
  computer by using the REPADMIN /replsum command.

Service Principal Name Health
  Confirms service principal name (SPN) health on the target domain controllers.
  This task is useful for diagnosing authentication errors that are caused by nonexistent,
  manipulated, or duplicate SPN registrations. Such errors can affect replication, Kerberos
  ticket refresh, administrative tool startup, user and computer logon authorization, and
  service startup.

Enumerate Trusts
  Enumerates the trust relationships between Active Directory domains.

Advanced Tasks

Active Directory Users and Computers Snap-in
  Opens the Active Directory Users and Computers snap-in on the local computer.

ADSI Edit
  Opens ADSIEdit.msc on the local computer.

DCDiag
  Runs DCDiag.exe on a remote domain controller using parameters that are specified by the user.

LDP
  Opens LDP.exe on the local computer.

NETDIAG
  Runs Netdiag.exe on a remote domain controller using parameters that are specified by the user.

NETDOM
  Runs Netdom.exe on a remote domain controller using parameters that are specified by the user.

NLTEST
  Runs Nltest.exe on a remote domain controller using parameters that are specified by the user.

REPADMIN
  Runs Repadmin.exe on a remote domain controller using parameters that are specified by the user.

SETSPN
  Runs Setspn.exe on a remote domain controller using parameters that are specified by the user.

(1) Many tasks that are listed in the table require the use of support tools. Support tools are
located in the Support Tools directory on the Microsoft Windows 2000 Server and Windows
Server 2003 operating system CDs.

Reports
Active Directory Management Pack reports provide important information in the areas of
trending, user account problems, configuration, and service level availability.
Data collection for the AD Replication Monitoring report is disabled by default. A MOM
administrator must enable data collection for this report to run properly. For information about
how to enable this report, see the Configuration information in the Active Directory Replication
Latency Performance Data Collection Sources (and Targets) Rule Group descriptions.
Table 4 describes reports that display Active Directory configuration information.

Table 4 Active Directory Configuration Reports

AD Domain Controllers
  Lists all domain controllers in the selected domain, along with their Internet Protocol (IP)
  addresses and sites.

AD Role Holders
  Lists which computers are holding one or more operations master roles or are global catalog
  servers.

AD Replication Connection Objects
  Summarizes the Active Directory replication topology by providing a list of connection
  objects. Indicates the source domain controllers and target domain controllers and their
  respective sites, the transport types, and whether the connection objects are manually
  configured.

AD Replication Site Links
  Summarizes the current replication site link configuration for Active Directory.

Table 5 describes the report that displays disk space information for Active Directory.

Table 5 Active Directory Disk Space Report

AD DC Disk Space
  Summarizes Active Directory disk space usage and free space for the database and log
  volumes. It is critical that adequate free space be available for Active Directory. Use this
  report to trend and predict the size of volumes that you will need, given your current growth
  rate.

Table 6 describes reports that display Active Directory operations information.

Table 6 Active Directory Operations Reports

AD Domain Changes
  Summarizes significant changes to the domain, such as movement of the PDC emulator
  operations master and the addition or removal of domain controllers.

AD Machine Account Authentication Failures
  Summarizes which workstations (that are joined to the domain) are unable to authenticate.
  This failure can prevent Group Policy updates and software distribution to the computer.

AD SAM Account Errors
  Summarizes events that indicate that the SAM has detected an error. Corrective guidance is
  provided where applicable.

Table 7 describes reports that display Active Directory replication information.

Table 7 Active Directory Replication Reports

AD Replication Bandwidth
  Summarizes the replication bandwidth (compressed and uncompressed) over the selected
  period. This report is useful for trending and capacity planning for replication bandwidth
  requirements.

AD Replication Latency
  Summarizes the minimum, average, and maximum replication latency per naming context, per
  domain controller. This report is extremely useful in verifying any service level agreement
  (SLA) that you have for changes to replicate within the domain or forest.

Views
Active Directory Management Pack views provide a way for administrators to scope the
information that has been reported to MOM.

Tables 8, 9, 10, 11, 12, and 13 briefly describe the default public views that are provided with the
Active Directory Management Pack.

Table 8 Active Directory Event Views

Client Side Monitoring
  - Client Side Events

Health Monitoring
  - Active Directory Global Catalog Search Response Events
  - Active Directory Op Master Response Events
  - Directory Service Errors
  - NTDS Events
  - Objects to Clean Up After Cross-Domain Moves

Table 9 Active Directory Performance Views

Discovery
  - Number of Client Sessions

Health Monitoring
  - Active Directory Database
  - Active Directory DIT/Log Drive Space
  - Active Directory Log Files
  - CPU Usage on Active Directory Domain Controllers
  - Domain Controller Response Time
  - Global Catalog Response Time
  - LSASS CPU Usage on Active Directory Domain Controllers
  - Memory Use on Active Directory Domain Controllers
  - Processor Queue Length
  - Role Master Response Time

Replication Monitoring
  - Intersite (Compressed) Replication Traffic
  - Replication Latency
  - Replication Traffic Inbound Bytes per Second
  - Replication Traffic Outbound Bytes per Second

Table 10 Active Directory Alert Views

Health Monitoring
  - Active Directory Domain Controller Alerts
  - Lingering Object Alerts
  - Service Level Exceptions for Active Directory Domain Controllers

Table 11 Active Directory Task Status Views

Task Status
  - Enumerate Trusts
  - Replication Status Snapshot
  - Service Principal Name Health

Table 12 Active Directory Computer Group Views

Discovery
  - Domain Controllers by OS Version

Table 13 Active Directory Diagram Views

Replication Topology
  - Site Links
  - Connection Objects
  - Broken Connection Objects

Note
The Active Directory Management Pack collects service discovery data every
30 minutes by default. Therefore, Active Directory-specific discovery data
might not appear in the MOM Operator console until up to 30 minutes after
the Management Pack is deployed.

Agentless Monitoring Support

The Active Directory Management Pack for MOM 2005 does not support agentless monitoring.

Configuring the Active Directory Management Pack

Before you install the Active Directory Management Pack, use the best practices and guidelines
that are provided in the MOM 2005 Deployment Guide on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=33536) to deploy MOM 2005 in your environment.
After you deploy MOM 2005, install and configure the Active Directory Management Pack to
monitor the health of Active Directory.
It is recommended that you also install the DNS Management Pack and the Operating System
Management Pack for the most complete results when monitoring Active Directory.
After you install the Active Directory Management Pack and all other recommended
management packs, do the following to configure Active Directory monitoring:

- Set the intersite replication latency threshold.
- Specify domain controllers for replication latency data collection.
- Perform initial triage.
- Configure settings for slow wide area network (WAN) links or large branch office
  deployments. (Optional)
- Configure agent computers to run in low-privilege scenarios.

The following sections contain procedures for these tasks.

Setting the Intersite Replication Latency Threshold Value

The maximum intersite replication latency threshold value is the maximum amount of time it
takes for a change to replicate across the entire forest. By default, this value is set to 15 minutes.
If it takes longer than 15 minutes for replication to occur, you will receive a warning. Consult
your system architect to review what the expected maximum threshold value is for your
environment. Usually, this value is monitored closely to ensure that any applicable SLAs for
your organization are being met. After you have determined an appropriate value for your
environment, modify the setting accordingly. The most common scenario involves ensuring that
basic help desk procedures, such as resetting passwords, replicate from corporate headquarters to
a branch office within a reasonable amount of time as determined by the SLA.

Monitoring the maximum latency for the forest also ensures that all domain controllers are
receiving updates. Failure of even one domain controller to receive updates in a timely manner
can have significant negative results. If you receive frequent alerts, with AD Replication
Monitoring as the source, you are probably not meeting your SLA requirements. Site schedules
that are not set correctly are the most common cause of this problem.
If you have an SLA, set the intersite maximum latency threshold value to one-third of the SLA
(in minutes) or to the maximum expected time it takes for data to replicate across your forest,
whichever is smaller. If you do not have an SLA, set the intersite maximum latency threshold
value to the maximum expected time it takes for data to replicate across your forest.

To set the intersite replication latency threshold value

1. In the MOM 2005 Administrator console, double-click Management Packs, double-click
   Rule Groups, double-click Microsoft Windows Active Directory (enabled), double-click
   Active Directory Windows 2000 and Windows Server 2003 (enabled), and then double-click
   Active Directory Availability (enabled).
2. Click Event Rules.
3. In the right pane, double-click Script - AD Replication Monitoring.
4. On the Responses tab, click the script named AD Replication Monitoring, and then click
   Edit.
5. Under Script parameters, double-click IntersiteExpectedMaxLatency.
6. In Value, type the value (in minutes) for the maximum expected replication latency between
   domain controllers.
7. Click OK.
8. In the Launch a Script dialog box, click OK.
9. In the Event Rule Properties dialog box, click OK.
10. In the left pane, right-click Management Packs, and then click Commit Configuration
    Change.
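The PowerShell below is an added example; it is not part of this guide, of the Management Pack, or of any Microsoft tool. It does two things the text above describes: it derives the IntersiteExpectedMaxLatency value from the rule in this section (one-third of the SLA or the expected forest-wide maximum, whichever is smaller; the expected maximum alone when there is no SLA), and it applies that threshold to the output of repadmin /replsum, the command behind the Replication Summary Snapshot task in Table 3, returning source domain controllers that report replication failures or whose largest delta exceeds the threshold. The function names (Get-IntersiteLatencyThreshold, ConvertTo-DeltaMinutes, Get-ReplsumExceptions), the domain controller names, and the repadmin text embedded in the block are all constructed for the example. One caveat: the largest delta that repadmin /replsum prints is the longest time since a successful inbound replication from any partner, which is not the same measurement as the Management Pack's end-to-end latency test; a delta beyond your expected maximum latency is an early warning that the SLA is at risk, not a latency measurement in itself.

```powershell
# Added example (not from the Management Pack or this guide): choose the
# IntersiteExpectedMaxLatency value and check "repadmin /replsum" output
# against it. The repadmin text below is constructed sample output.
$sample = @'
Replication Summary Start Time: 2004-08-01 09:00:00

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 HQ-DC01                   04m:12s    0 /   8    0
 BRANCH-DC02           01d.03h:10m    3 /   4   75  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
 BRANCH-DC03               52m:40s    0 /   4    0

Destination DSA     largest delta    fails/total %%   error
 HQ-DC01                   04m:12s    0 /   8    0
 BRANCH-DC02           01d.03h:10m    3 /   4   75  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
 BRANCH-DC03               52m:40s    0 /   4    0
'@

function Get-IntersiteLatencyThreshold {
    # Rule from the guide: one-third of the SLA (minutes) or the expected
    # forest-wide maximum replication time, whichever is smaller. Without an
    # SLA the expected maximum is used as-is.
    param(
        [Parameter(Mandatory)][int]$ExpectedForestMaxMinutes,
        [int]$SlaMinutes = 0
    )
    if ($SlaMinutes -le 0) { return $ExpectedForestMaxMinutes }
    return [int][math]::Min([math]::Floor($SlaMinutes / 3), $ExpectedForestMaxMinutes)
}

function ConvertTo-DeltaMinutes {
    # repadmin prints the largest delta as "04m:12s", "01h:03m:27s" or
    # "01d.03h:10m". Anything that does not fit that shape (for example
    # ">60 days" or "(unknown)") is treated as unbounded so it always exceeds
    # the threshold.
    param([string]$Delta)
    $text = $Delta.Trim()
    $m = [regex]::Match($text, '^(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m)?(?::?(\d+)s)?$')
    if ($text.Length -eq 0 -or -not $m.Success) { return [double]::PositiveInfinity }
    $days    = [int]('0' + $m.Groups[1].Value)
    $hours   = [int]('0' + $m.Groups[2].Value)
    $minutes = [int]('0' + $m.Groups[3].Value)
    $seconds = [int]('0' + $m.Groups[4].Value)
    return ($days * 1440) + ($hours * 60) + $minutes + ($seconds / 60)
}

function Get-ReplsumExceptions {
    # Parses the "Source DSA" table of repadmin /replsum and returns the rows
    # that report failures or a largest delta above the threshold (minutes).
    param(
        [Parameter(Mandatory)][string]$ReplsumText,
        [int]$IntersiteExpectedMaxLatency = 15    # Management Pack default
    )
    $inSourceTable = $false
    $rows = foreach ($line in ($ReplsumText -split "`r?`n")) {
        if ($line -match '^\s*Source DSA\s') { $inSourceTable = $true; continue }
        if (-not $inSourceTable) { continue }
        if ([string]::IsNullOrWhiteSpace($line)) { $inSourceTable = $false; continue }
        # Columns: name, largest delta, fails / total, percent, optional error text
        if ($line -match '^\s*(\S+)\s+(.+?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$') {
            $name    = $Matches[1]
            $delta   = $Matches[2]
            $fails   = [int]$Matches[3]
            $total   = [int]$Matches[4]
            $errText = $Matches[6].Trim()
            $deltaMinutes = ConvertTo-DeltaMinutes $delta
            [pscustomobject]@{
                SourceDsa      = $name
                LargestDelta   = $delta
                DeltaMinutes   = [math]::Round($deltaMinutes, 1)
                Fails          = $fails
                Total          = $total
                ExceedsLatency = $deltaMinutes -gt $IntersiteExpectedMaxLatency
                Error          = $errText
            }
        }
    }
    $rows | Where-Object { $_.Fails -gt 0 -or $_.ExceedsLatency }
}

# 60-minute SLA and a 30-minute expected forest maximum: the rule picks min(20, 30).
$threshold = Get-IntersiteLatencyThreshold -ExpectedForestMaxMinutes 30 -SlaMinutes 60
Get-ReplsumExceptions -ReplsumText $sample -IntersiteExpectedMaxLatency $threshold |
    Format-Table SourceDsa, LargestDelta, DeltaMinutes, Fails, Total, ExceedsLatency, Error -AutoSize

# Against a live domain controller (repadmin.exe from the Support Tools on the
# systems this guide covers), replace the constructed sample with:
# Get-ReplsumExceptions -ReplsumText (repadmin /replsum | Out-String) -IntersiteExpectedMaxLatency $threshold
```

With the constructed sample, BRANCH-DC02 is returned for both its failures and its day-long delta, BRANCH-DC03 only because its 52-minute delta exceeds the 20-minute threshold, and HQ-DC01 is not returned. The script treats the Source DSA table as authoritative and ignores the Destination DSA table, which repeats the same partnerships from the other side.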

Specifying Domain Controllers for Replication Latency Data Collection

For detailed trending analysis, add the names of the domain controllers for which you want to
collect replication latency data to the Active Directory Management Pack. Specifying the names
of the domain controllers is very useful for graphing replication performance between critical
domain controllers, and it is required for the AD Replication Latency report.

You must specify both the source domain controllers and the target domain controllers for which
you want to collect data. Replication latency data is collected only for replication from all of the
source domain controllers to each of the target domain controllers.

Note
The amount of replication latency data that is collected for detailed trending
analysis can be quite large. The number of data collections per interval is
roughly equal to the number of source domain controllers multiplied by the
number of target domain controllers that you specify. For example, if you
specify 10 source domain controllers and 10 target domain controllers, you will
receive approximately 100 data collections per interval.

To specify domain controllers for replication latency data collection

1. In the MOM 2005 Administrator console, double-click Management Packs, and then
   double-click Computer Groups.
2. In the right pane, right-click Active Directory Replication Latency Data Collection -
   Sources, and then click Properties.
3. On the Included Computers tab, select the domain controllers that you want to track
   replication latency data from, and then click OK.
4. Right-click Active Directory Replication Latency Data Collection - Targets, and then
   click Properties.
5. On the Included Computers tab, select the domain controllers that you want to track
   replication latency data to, and then click OK.
6. In the left pane, right-click Management Packs, and then click Commit Configuration
   Change.

Note
It can take up to 24 hours for data to start collecting.

Performing Initial Triage

After you configure the Active Directory Management Pack, allow 24 hours for the scripts to
run. (Some of the scripts run in real time; others run at scheduled intervals of up to 24 hours).
The number and severity of alerts that are generated in the first 24 hours depends on the
thresholds that you set, as well as the number of domain controllers that are running in your
environment and any existing problems in your Active Directory implementation.

After 24 hours, triage the alerts that the Active Directory Management Pack scripts have
generated. Triaging the alerts helps you to identify critical issues and resolve them right away. It
also helps you to decrease the amount of alert noise that is generated by your domain controllers,
the WAN, and the MOM system, which makes it easier to maintain the health of your
Active Directory environment.

To perform initial triage after configuring the Active Directory Management Pack

1. Open the Microsoft Operations Manager 2005 Operator console, and view all alerts that
   have been generated in the last 24 hours.
2. Address alerts in their order of severity (Critical Errors, Errors, Warnings, and Informational
   alerts). Each alert includes knowledge that provides additional information to help you
   resolve it.

   Important
   If you find errors from the AD Essential Services script, address these errors
   first. These errors indicate that one or more of the services that
   Active Directory depends on are not running.

3. Address alerts that are generating the most noise on domain controllers, the WAN, and the
   MOM system by doing the following:
   a. On the Go menu, click Open Reporting Console.
   b. Click the Operational Health Analysis report.
   c. Click the Most Common Events by Computer report.
   d. In Computer, click a computer in the drop-down list, and then click View Report.
   e. Examine the report, and then address all events that show more than 5 percent in the
      Activity % column.
   f. At the top of the screen, click Operational Health Analysis, and repeat steps d and e
      for the Most Common Alerts by Alert Count report.

Configuring Settings for Slow WAN Links or Large Branch Office Deployments
There are several scenarios in which you might decide not to collect warnings, performance data,
and miscellaneous noncritical events. These scenarios include the following:

- Deployments with very slow WAN links
- Large branch office deployments
- Deployments across satellite links
- Deployments in which alerts are forwarded to a global network operations center
- Scenarios in which warnings and informational messages are not needed

If you are deploying the Active Directory Management Pack in any of these scenarios, you can
disable certain performance data to decrease network traffic.

Note
Several Active Directory Management Pack reports will not operate if
performance data gathering is disabled.

To disable performance data


1. In the MOM Administrator console, double-click Management Packs, double-click Rule
   Groups, double-click Microsoft Windows Active Directory (enabled), and then double-click
   Active Directory Windows 2000 and Windows Server 2003 (enabled).

2. In the left pane, right-click Reporting Rules for Active Directory, and then click
   Properties.

3. On the General tab, clear the Enabled check box, and then click OK.

4. In the left pane, double-click Active Directory Windows 2000 (enabled).

5. In the left pane, right-click Reporting Rules for Active Directory, and then click
   Properties.

6. On the General tab, clear the Enabled check box, and then click OK.

7. In the left pane, right-click Management Packs, and then click Commit Configuration
   Change.

Configuring Agent Computers to Run in Low-Privilege Scenarios


Monitoring functionality on an agent computer is provided by both the MOM Service
(MOMService.exe) and the Action Account. On Windows 2000 Server, the Action Account must
be a member of the local Administrators group. On Windows Server 2003, you can use a
low-privileged account for the agent's Action Account under certain circumstances. However,
configuring the Action Account with the necessary rights and privileges to run the
Active Directory Management Pack features requires significant manual configuration on the
agent computer.
On Windows Server 2003, the Action Account must have the following minimum privileges:

- Member of the local Users group
- Member of the local Performance Monitor Users group
- Access to Windows Event logs
- Manage auditing and security log privilege (SeSecurityPrivilege)
- Generate security audits privilege (SeAuditPrivilege)
- Allow log on locally logon right (SeInteractiveLogonRight)

In a low-privileged scenario, the Active Directory Management Pack requires that the account
that is used for the Action Account and the service context that the MOM Service runs under
have additional rights and privileges.
Table 14 details the access types that must be configured manually.

Table 14 Access Types Required by the Active Directory Management Pack

Resource: CN=MomLatencyMonitors container
Access type: Full (or, at minimum, the rights listed below)
Instructions: At minimum, the Action Account must be able to:
  - Create container objects as children of CN=MOMLatencyMonitors.
  - Read the attributes of all of the objects that are created under CN=MOMLatencyMonitors.
  - Write to the adminDescription attribute on the objects that are created under
    CN=MOMLatencyMonitors.
  Create the MomLatencyMonitors container as a child container of the root of each domain and
  application directory partition that you are going to monitor. If an application directory
  partition crosses domain boundaries, provide the appropriate access to the Action Account in
  each domain. If you are going to monitor the configuration partition, create the
  MomLatencyMonitors container as a child object of the configuration partition as well.
  To create the MomLatencyMonitors container on a domain controller:
  1. Click Start, click Run, and then type adsiedit.msc.
  2. In ADSI Edit, double-click Domain [computername], and then right-click
     DC=domainname,DC=com.
  3. Click New, and then click Object.
  4. In Select a class, click Container, and then click Next.
  5. In Value, type MomLatencyMonitors, and then click Next.
  6. Click Finish.
  The MomLatencyMonitors container needs to be created on only one domain controller for each
  partition. The created object replicates to the other domain controllers that hold that
  partition; it does not appear in other domains, which is why the container must be created
  in each domain partition that you monitor.

Resource: Registry keys
Access type: Read
Instructions: Add the Action Account to the permissions on
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters, and grant Read access. This enables
  the Action Account to find the location of NTDS.dit and the Active Directory log files.
  You must add the Action Account to the permissions on each domain controller.

Resource: Directories containing NTDS.dit and Active Directory log files
Access type: Read
Instructions: The Action Account must have Read access to the file path location of NTDS.dit
  and the Active Directory log files.
  The directory location of NTDS.dit is stored in the registry value:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
  The directory location of the Active Directory log files is stored in the registry value:
  HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
  You must provide access to the file path location on each domain controller.


Note
The Action Account must be a member of either the Domain Admins group or
the Administrators group in the domain in which trusts are monitored using
the AD Monitor Trusts script. If the Action Account is not a member of either
of these groups, you will continue to receive a failure message unless you
disable the following rule:
Microsoft Windows Active Directory\Active Directory Monitor Trusts\Script - AD Monitor Trusts.
Either membership turns the Action Account that runs on every monitored domain controller
into a domain-level administrative credential. In a low-privilege deployment, weigh that
exposure against the value of trust monitoring before choosing it over disabling the rule.
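The following PowerShell script is an added example; it is not part of this guide or of the Management Pack. It applies the Table 14 access on the domain controller it runs on, granting the three directory rights the table names rather than Full Control. The account name CONTOSO\svc-mom-action and the partition DN DC=contoso,DC=com are placeholders, the schema GUIDs are looked up at run time, and the script assumes the ActiveDirectory module (Windows Server 2008 R2 or later), which did not exist when this guide was written.

```powershell
# Added example (not from the MOM 2005 guide or the Management Pack): grant a
# low-privileged Action Account the Table 14 access on the domain controller this
# runs on. Assumptions: CONTOSO\svc-mom-action and DC=contoso,DC=com are
# placeholders; the ActiveDirectory module is available; the script runs elevated.
param(
    [string]$ActionAccount = 'CONTOSO\svc-mom-action',
    [string]$PartitionDN   = 'DC=contoso,DC=com'
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$sid = (New-Object System.Security.Principal.NTAccount($ActionAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 1. Group membership. On a DC, Performance Monitor Users is a Builtin domain group;
#    a domain user is already in Users through Domain Users, so nothing to add there.
$perfMon = Get-ADGroup -Identity 'Performance Monitor Users'
if (-not (Get-ADGroupMember -Identity $perfMon | Where-Object { $_.SID -eq $sid })) {
    Add-ADGroupMember -Identity $perfMon -Members $sid.Value
}

# 2. Registry: Read on the NTDS Parameters key, where the scripts find the
#    NTDS.dit and log file locations.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$acl = Get-Acl -Path $ntdsKey
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    $sid, 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
Set-Acl -Path $ntdsKey -AclObject $acl

# 3. File system: Read on the directories that actually hold NTDS.dit and the logs,
#    taken from those registry values rather than assumed to be %SystemRoot%\NTDS.
$p    = Get-ItemProperty -Path $ntdsKey
$dirs = @((Split-Path -Parent $p.'DSA Database File'), $p.'Database Log Files Path') |
        Select-Object -Unique
foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $dir -AclObject $acl
}

# 4. Directory: create CN=MomLatencyMonitors at the partition root if it is missing,
#    then grant only the rights Table 14 lists instead of Full Control.
$containerDN = "CN=MomLatencyMonitors,$PartitionDN"
if (-not (Get-ADObject -LDAPFilter '(cn=MomLatencyMonitors)' -SearchBase $PartitionDN -SearchScope OneLevel)) {
    New-ADObject -Name 'MomLatencyMonitors' -Type 'container' -Path $PartitionDN
}
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    # Look schemaIDGUIDs up at run time instead of hard-coding them.
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$acl = Get-Acl -Path "AD:\$containerDN"
# create child objects, restricted to the container class, directly under the container
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::CreateChild, $allow, (Get-SchemaGuid 'container'), $inh::None)))
# list and read the attributes of everything created beneath it
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::ListChildren), $allow, $inh::All)))
# write exactly one attribute, adminDescription, on those descendants
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $allow, (Get-SchemaGuid 'adminDescription'), $inh::Descendents)))
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# Show what was granted, for review.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $ActionAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Run it once per partition that you monitor, on a domain controller of the domain that owns the partition, and review the printed ACEs before the first scripted run. The user rights in the list above (SeSecurityPrivilege, SeAuditPrivilege, SeInteractiveLogonRight) are deliberately not touched by the script: on a domain controller they come from the Default Domain Controllers Policy, and adding the Action Account there keeps the existing holders, whereas importing a [Privilege Rights] section with secedit replaces them.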

Active Directory Management Pack Operations
To maintain the general health of your Active Directory environment, triage all Active Directory
Management Pack alerts on a daily basis. In addition, perform other operations on a regular basis,
depending on your environment.
There are minor issues that can occur in an Active Directory environment that do not generate an
alert; however, they still require periodic attention. The Active Directory Management Pack
generates reports that display data over time and present patterns that indicate problems. Review
these reports often to resolve issues before they generate alerts.
You can perform daily, weekly, and monthly operations as specified in this section. However, it
is recommended that you adjust the frequency of these operations to meet the needs of your
particular environment.

Daily Operations
On a daily basis, perform the following operations:

- Review all open alerts.
- Verify that all domain controllers are communicating with the MOM console.

Reviewing All Open Alerts


Triage all new alerts in the following order of priority:

- Critical Errors
- Alerts with a source name that begins with AD, such as AD Op Master Response,
  AD Essential Services, and AD Replication Monitoring
- Errors, Warnings
- Informational alerts (optional)

Not all problems can be repaired in one day or less. Commonly, parts must be ordered or
computers must be scheduled for reboot, and so forth. It is important that you follow up on these
open alerts to make sure that they are addressed in a timely manner.

To review open alerts


1. Open the Microsoft Operations Manager 2005 Operator console, and then view all alerts that
   have been generated in the last 24 hours.

2. Address alerts in their order of severity (Critical Errors, Errors, Warnings, and Informational
   alerts). Each alert includes knowledge that provides additional information to help you
   resolve the alert.

Verifying That All Domain Controllers Are Communicating with the MOM Console
Any communication failure between the domain controllers and the monitoring infrastructure
prevents you from receiving alerts so that you can examine and resolve them.

To verify that domain controllers are communicating with the MOM console
1. Open the MOM 2005 Administrator console, double-click Administration, double-click
   Computers, and then click Agent-managed Computers.

2. In the right pane, click the Last Contacted column heading.
   Clicking Last Contacted sorts the computers by their last contact time. If a computer's
   last contact was more than five minutes ago, investigate why it is not communicating
   with MOM. For more information about how to determine why computers are not
   communicating with MOM, see the MOM 2005 Deployment Guide on the Microsoft Web
   site at http://go.microsoft.com/fwlink/?LinkId=33536.

Weekly Operations
In addition to the operations that you perform daily, review the following reports weekly:

- AD Domain Changes
- DC Disk Space
- AD Replication Latency Report
- AD SAM Account Errors

Monthly Operations
In addition to the operations that you perform on a daily and weekly basis, review the reports in
the following categories monthly:

Active Directory Reports:
- DC Replication Bandwidth
- AD Machine Account Authentication Failures
- AD Domain Controllers

Operational Health Analysis Reports:
- Most Common Alerts by Rule Group
- Most Common Events by Computer

Review other reports as appropriate for your installation.

Other Common Active Directory Management Pack Operations
Managing the Active Directory Management Pack might require you to perform some operations
on an as-needed basis. As they are needed, perform the following operations:

- Clean up objects.
- Enable the Active Directory Management Pack Client Pack.

Cleaning Up Objects
After you remove a domain controller that you no longer want to monitor from the
Active Directory Management Pack, you need to clean up the object that is left behind.

To clean up objects after removing a domain controller from the Active Directory Management
Pack
1. Click Start, click Run, and then type adsiedit.msc.

2. In ADSI Edit, double-click Domain [computername], and then double-click
   DC=domainname,DC=com.

3. Double-click CN=MOMLatencyMonitors, and then locate the object for the domain
   controller that you want to delete. (If CN=MOMLatencyMonitors does not exist, proceed
   to step 5).

4. Right-click the object, and then click Delete.

5. Double-click Configuration [computername], and then double-click
   CN=Configuration,DC=domainname,DC=com.

6. Double-click CN=MOMLatencyMonitors, and then locate the object for the domain
   controller that you want to delete. (If CN=MOMLatencyMonitors does not exist, proceed
   to step 8).

7. Right-click the object, and then click Delete.

8. If the domain controller that you deleted was a DNS server or if it held other application
   directory partitions, connect to the appropriate application directory partition.

9. In the left pane, double-click the appropriate application directory partition.

10. Double-click CN=MOMLatencyMonitors, and then locate the object for the domain
    controller that you want to delete.

11. Right-click the object, and then click Delete.

12. Repeat steps 9, 10, and 11 to delete the object in all other application directory partitions that
    were held by that domain controller (for Windows Server 2003 only).
For more information about ADSI Edit, see Adsiedit.msc: ADSI Edit on the Microsoft Web site
at http://go.microsoft.com/fwlink/?LinkId=33544.
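The following PowerShell script is an added example, not part of this guide, that generalizes steps 1 through 12: it enumerates every partition in the forest from the crossRef objects in the Partitions container, looks for a CN=MOMLatencyMonitors container at the root of each, and removes the child object left behind by the decommissioned domain controller. The domain controller name DC03 is a placeholder, the child object is assumed to carry that name in its cn (the guide does not say how the objects are named), and nothing is deleted unless -Delete is passed.

```powershell
# Added example (not from the MOM 2005 guide): remove the MOMLatencyMonitors object
# of a decommissioned DC from every partition in the forest, which is what the
# twelve ADSI Edit steps do by hand. Assumptions: DC03 is a placeholder; the stale
# child object's cn contains the DC name; dry run unless -Delete is given.
param(
    [string]$RemovedDcName = 'DC03',
    [switch]$Delete
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# crossRef objects list every partition the forest's DCs hold (systemFlags bit 1,
# FLAG_CR_NTDS_NC): domain, configuration, schema and application partitions such as
# DomainDnsZones and ForestDnsZones. The schema partition never holds the container.
$partitionsDN = "CN=Partitions,$($rootDse.configurationNamingContext)"
$crossRefs = Get-ADObject -SearchBase $partitionsDN `
    -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1))' `
    -Properties nCName, dnsRoot |
    Where-Object { $_.nCName -ne $rootDse.schemaNamingContext }

foreach ($cr in $crossRefs) {
    $nc     = $cr.nCName
    # The partition's DNS name (for example DomainDnsZones.contoso.com) resolves to
    # a domain controller that hosts that partition, so it is used as the server.
    $server = @($cr.dnsRoot)[0]

    # Steps 3, 6 and 10: skip partitions that have no MOMLatencyMonitors container.
    $container = Get-ADObject -Server $server -SearchBase $nc -SearchScope OneLevel `
        -LDAPFilter '(cn=MOMLatencyMonitors)'
    if (-not $container) {
        Write-Output "$nc : no CN=MOMLatencyMonitors container, skipping"
        continue
    }

    # Locate the object for the removed DC (name match is an assumption).
    $stale = @(Get-ADObject -Server $server -SearchBase $container.DistinguishedName `
        -SearchScope OneLevel -LDAPFilter "(cn=*$RemovedDcName*)")
    if ($stale.Count -eq 0) {
        Write-Output "$nc : nothing for $RemovedDcName under MOMLatencyMonitors"
        continue
    }

    # Steps 4, 7 and 11: delete, or report what would be deleted.
    foreach ($obj in $stale) {
        if ($Delete) {
            Remove-ADObject -Server $server -Identity $obj -Recursive -Confirm:$false
            Write-Output "Deleted $($obj.DistinguishedName)"
        } else {
            Write-Output "Would delete $($obj.DistinguishedName) (rerun with -Delete)"
        }
    }
}
```

Run it first without -Delete and check that every distinguished name it reports belongs to the decommissioned domain controller; the cn match is a wildcard, so a name such as DC3 would also match DC30.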

Deploying the Active Directory Management Pack Client Pack


The Active Directory Management Pack Client Pack augments the server-side monitoring
capabilities of the Active Directory Management Pack with a client-side view of
Active Directory health.
To use the Client Pack, you must deploy the rules in the Active Directory Client Side Monitoring
Rule Group. The rules in this rule group test the availability of Active Directory from a client
perspective, for example, the availability of Active Directory from directory-enabled application
servers.
Deploy this rule group manually in an environment where it is necessary (or desirable) to
monitor the availability of domain controllers and Active Directory from a client perspective.


Note
Always use this rule group on or near servers running directory-enabled
applications, such as Exchange 2000 Server and Exchange Server 2003, to
ensure that global catalog servers and domain controllers are always
available.

Each computer running the Active Directory Management Pack Client Pack can be configured to
monitor only the domain controllers in which you are interested. By using the Active Directory
Management Pack Client Pack, you can:

- Monitor a specific list of domain controllers.
- Monitor domain controllers in the client's local site.
- Monitor domain controllers in a list of specified sites.
- Monitor all domain controllers in the client's domain or in a specified list of domains.

The client computer determines whether the domain controllers are available by:

- Pinging (using both ICMP and LDAP).
- Performing a net use connection to the Sysvol share.
- Performing LDAP binds.
- Performing LDAP searches.

Thresholds can be specified for the LDAP binds and searches. If multiple consecutive failures (or
binds or searches that exceed the specified thresholds) occur, an alert is generated.
In addition, the client computer also determines whether:

- The client can contact a domain controller in its local site.
- There are a sufficient number of global catalog servers available.
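As an added example that is not the Client Pack's own code, the following PowerShell script performs the same probes from a client: an ICMP ping, a TCP connection to the LDAP port standing in for the LDAP ping, access to the Sysvol share, and a timed LDAP bind and search checked against thresholds, raising an alert after a number of consecutive failures; it then performs the local-site and global catalog checks. The domain controller names, thresholds, minimum global catalog count and round count are placeholders, and the script assumes the ActiveDirectory module and Test-NetConnection (Windows Server 2012 or later).

```powershell
# Added example (not the Client Pack's code): the Client Pack's availability probes
# run from a client, with consecutive-failure counting and latency thresholds.
# Assumptions: DC names, thresholds, GC minimum and round count are placeholders.
param(
    [string[]]$DomainControllers = @('dc01.contoso.com', 'dc02.contoso.com'),
    [int]$BindThresholdMs       = 1000,
    [int]$SearchThresholdMs     = 2000,
    [int]$FailuresBeforeAlert   = 3,
    [int]$MinimumGlobalCatalogs = 2,
    [int]$Rounds                = 3
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

function Test-DcProbe {
    param([string]$Dc)
    $r = [ordered]@{ DC = $Dc; Icmp = $false; LdapPort = $false; Sysvol = $false; BindMs = $null; SearchMs = $null }
    $r.Icmp     = Test-Connection -ComputerName $Dc -Count 1 -Quiet
    # The Client Pack's LDAP ping is a CLDAP query; a TCP connect to 389 stands in for it.
    $r.LdapPort = (Test-NetConnection -ComputerName $Dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    # What "net use \\dc\sysvol" exercises: SMB reachability plus the share ACL.
    $r.Sysvol   = Test-Path -Path "\\$Dc\SYSVOL"
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Dc)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try { $conn.Bind(); $r.BindMs = $sw.ElapsedMilliseconds } catch { }
    if ($null -ne $r.BindMs) {
        # A base-scope RootDSE read is the cheapest meaningful search.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'defaultNamingContext')
        $sw.Restart()
        try { [void]$conn.SendRequest($req); $r.SearchMs = $sw.ElapsedMilliseconds } catch { }
    }
    $conn.Dispose()
    [pscustomobject]$r
}

function Test-ProbeHealthy {
    param($Probe, [int]$BindT, [int]$SearchT)
    $Probe.Icmp -and $Probe.LdapPort -and $Probe.Sysvol -and
    ($null -ne $Probe.BindMs)   -and ($Probe.BindMs   -le $BindT) -and
    ($null -ne $Probe.SearchMs) -and ($Probe.SearchMs -le $SearchT)
}

# Consecutive failures per DC; a single miss or slow round does not alert.
$failures = @{}
foreach ($dc in $DomainControllers) { $failures[$dc] = 0 }
for ($round = 1; $round -le $Rounds; $round++) {
    foreach ($dc in $DomainControllers) {
        $p = Test-DcProbe -Dc $dc
        if (Test-ProbeHealthy -Probe $p -BindT $BindThresholdMs -SearchT $SearchThresholdMs) { $failures[$dc] = 0 }
        else { $failures[$dc]++ }
        if ($failures[$dc] -ge $FailuresBeforeAlert) {
            Write-Warning "ALERT $dc failed $($failures[$dc]) consecutive probes: $($p | ConvertTo-Json -Compress)"
        }
    }
    if ($round -lt $Rounds) { Start-Sleep -Seconds 15 }
}

# Local-site and global catalog checks (current domain only).
$site    = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$siteDcs = @(Get-ADDomainController -Filter "Site -eq '$site'")
if ($siteDcs.Count -eq 0) { Write-Warning "ALERT no domain controller in the client's site $site" }
$gcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true })
if ($gcs.Count -lt $MinimumGlobalCatalogs) {
    Write-Warning "ALERT $($gcs.Count) global catalog server(s) found; minimum is $MinimumGlobalCatalogs"
}
```

Each probe is reported separately so that an alert shows which layer failed: an ICMP failure with a successful bind points at a filter that drops echo requests rather than at the domain controller, and a bind that succeeds but exceeds the threshold is the symptom the latency thresholds exist to catch.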

To deploy the Active Directory Management Pack Client Pack


1. In the MOM 2005 Administrator console, double-click Management Packs, and then
   double-click Computer Groups.

2. Right-click Active Directory Client Side Monitoring, and then click Properties.

3. Click the Included Computers tab, and then click Add.

4. Select the computers on which you want to deploy the Client Pack, and then click OK.

On each computer on which you have deployed the Client Pack, configure agent proxying
settings by using the following procedure.

To configure agent proxying settings

1. In the MOM 2005 Administrator console, double-click Administration, and then double-click
   Computers.

2. Click Agent-Managed Computers.

3. Right-click the computer on which you deployed the Client Pack, and then click Properties.

4. Click the Security tab.

5. Clear the Use global settings check box, and then clear the check box under Agent
   proxying.

For more information about configuring the Active Directory Management Pack Client Pack, in
the MOM 2005 Administrator console see the configuration information in the Active Directory
Client Side Monitoring Rule Group description.
