Did you find this information useful? Please send your suggestions and comments about
the documentation to momdocs@microsoft.com.
Looking for more MOM information? Experience the power of customer communities!
MOM Community
Information in this document, including URL and other Internet Web site
references, is subject to change without notice. Unless otherwise noted, the
example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of
the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or
other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to
these patents, trademarks, copyrights, or other intellectual property.
Acknowledgments
Technical Reviewers: Mas Libman, Andrew Strachan, Ryan Johnson
Editor: Jim Becker
Contents
Overview of the Active Directory Management Pack
What's New in the Active Directory Management Pack for MOM 2005
Monitoring Scenarios
State Monitoring Definitions
Tasks
Reports
Views
Agentless Monitoring Support
Configuring the Active Directory Management Pack
Setting the Intersite Replication Latency Threshold Value
Specifying Domain Controllers for Replication Latency Data Collection
Performing Initial Triage
Configuring Settings for Slow WAN Links or Large Branch Office Deployments
Configuring Agent Computers to Run in Low-Privilege Scenarios
Active Directory Management Pack Operations
Daily Operations
Weekly Operations
Monthly Operations
Other Common Active Directory Management Pack Operations
Microsoft Active Directory Management Pack Guide Active Directory Management Pack for Microsoft Operations Manager 2005
Monitoring the health of vital processes that Active Directory depends on, including
replication, Lightweight Directory Access Protocol (LDAP), DC Locator, trusts, Net Logon
service, File Replication service (FRS), Intersite Messaging service, Windows Time service,
and Key Distribution Center (KDC).
Providing comprehensive reports, including reports on service availability and service health
and reports that can be useful for capacity planning.
By detecting and creating alerts for critical events, the Active Directory Management Pack helps
to indicate, correct, and prevent possible Active Directory service outages.
This guide was developed using the Active Directory Management Pack for MOM 2005. To
ensure that you are using the most recent version of the Active Directory Management Pack, see
Microsoft Operations Manager Management Packs on the Microsoft Web site at
http://go.microsoft.com/fwlink/?LinkId=33752.
Global catalog availability tests, which are added to the Client Pack
Monitoring Scenarios
The Active Directory Management Pack is designed to provide valuable monitoring information
for most implementations of Active Directory. Table 1 describes the most common
Active Directory Management Pack monitoring scenarios.
Table 1 Active Directory Management Pack Monitoring Scenarios
Scenario
Description
Tests the availability of Active Directory components from directory-enabled applications, for example, Microsoft Exchange 2000 Server
and Exchange Server 2003. Clients determine availability by:
Pinging (using both Internet Control Message Protocol (ICMP)
and LDAP).
Searching Active Directory.
Confirming that a sufficient number of global catalog servers are
available.
Detecting primary domain controller (PDC) emulator availability
and responsiveness.
Scenario
Description
Monitors the health of the Net Logon service, including the following:
Computer authentication issues
Computers with duplicate SIDs
Authentication failures for Active Directory computer accounts
Name collisions
Issues with connecting to Microsoft Windows NT 4.0 domain
controllers
Inability of the Net Logon service to register name records with
the Windows Internet Name Service (WINS)
Dependent Services
Scenario
Description
Replication
Performance Monitoring
Note
The Active Directory Management Pack collects service discovery data every
30 minutes by default. Therefore, Active Directory-specific discovery data
might not appear in the MOM Operator console until up to 30 minutes after
the Management Pack is deployed.
Description
Service Health
Indicates the current health of the Active Directory directory service, focusing
on the availability and responsiveness of the service. The following are
monitored to determine service health:
Operations master responsiveness
Global catalog server responsiveness
Number of lost and found objects
Server Health
Indicates the current health of the components and services that are
operating on a domain controller. Includes checks to ensure that all essential
services are available, analyzes LSASS and NTDSA for performance, and
confirms that the domain controller is discoverable by itself using DC Locator.
The following are also monitored:
Required services
Database and log file space
CPU usage
Domain controller location and advertisement
Replication Health
Client View
Indicates Active Directory health from the view of the Client Pack for any
computer on which the Client Pack is installed. The Client Pack monitors
global catalog and PDC emulator availability, as well as interface availability
and performance from the client's perspective.
Tasks
Active Directory Management Pack tasks provide increased manageability by enabling you to
manage Active Directory directly from the MOM console. The Active Directory Management
Pack tasks that can be performed from the MOM console are described in Table 3.
Table 3 Active Directory Management Pack Tasks¹
Task
Description
Enumerate Trusts
ADSI Edit
DCDiag
LDP
NETDIAG
NETDOM
NLTEST
REPADMIN
Task
SETSPN
Description
Runs Setspn.exe on a remote domain controller using
parameters that are specified by the user.
¹ Many tasks that are listed in the table require the use of support tools. Support tools are located
Reports
Active Directory Management Pack reports provide important information in the areas of
trending, user account problems, configuration, and service level availability.
Data collection for the AD Replication Monitoring report is disabled by default. A MOM
administrator must enable data collection for this report to run properly. For information about
how to enable this report, see the Configuration information in the Active Directory Replication
Latency Performance Data Collection Sources (and Targets) Rule Group descriptions.
Table 4 describes reports that display Active Directory configuration information.
Table 4 Active Directory Configuration Reports
Report
Description
AD Domain Controllers
AD Role Holders
Table 5 describes the report that displays disk space information for Active Directory.
Table 5 Active Directory Disk Space Report
Report
AD DC Disk Space
Description
Summarizes Active Directory disk space usage and free
space for the database and log volumes. It is critical that
adequate free space be available for Active Directory. Use
this report to trend and predict the size of volumes that you
will need, given your current growth rate.
Description
AD Domain Changes
Description
AD Replication Bandwidth
AD Replication Latency
Views
Active Directory Management Pack views provide a way for administrators to scope the
information that has been reported to MOM.
Tables 8, 9, 10, 11, 12, and 13 briefly describe the default public views that are provided with the
Active Directory Management Pack.
Table 8 Active Directory Event Views
Category
View
Health Monitoring
View
Discovery
Health Monitoring
Replication Monitoring
View
View
Task Status
Enumerate Trusts
Replication Status Snapshot
Service Principal Name Health
View
Domain Controllers by OS Version
View
Site Links
Connection Objects
Broken Connection Objects
Note
The Active Directory Management Pack collects service discovery data every
30 minutes by default. Therefore, Active Directory-specific discovery data
might not appear in the MOM Operator console until up to 30 minutes after
the Management Pack is deployed.
Configure settings for slow wide area network (WAN) links or large branch office
deployments. (Optional)
Monitoring the maximum latency for the forest also ensures that all domain controllers are
receiving updates. Failure of even one domain controller to receive updates in a timely manner
can have significant negative results. If you receive frequent alerts, with AD Replication
Monitoring as the source, you are probably not meeting your SLA requirements. Site schedules
that are not set correctly are the most common cause of this problem.
If you have an SLA, set the intersite maximum latency threshold value to one-third of the SLA
(in minutes) or to the maximum expected time it takes for data to replicate across your forest,
whichever is smaller. If you do not have an SLA, set the intersite maximum latency threshold
value to the maximum expected time it takes for data to replicate across your forest.
2.
3.
4.
On the Responses tab, click the script named AD Replication Monitoring, and then click
Edit.
5.
6.
In Value, type the value (in minutes) for the maximum expected replication latency between
domain controllers.
7.
Click OK.
8.
9.
10. In the left pane, right-click Management Packs, and then click Commit Configuration
Change.
You must specify both the source domain controllers and the target domain controllers for which
you want to collect data. Replication latency data is collected only for replication from all of the
source domain controllers to each of the target domain controllers.
Note
The amount of replication latency data that is collected for detailed trending
analysis can be quite large. The amount of data collections is roughly equal
to the number of source domain controllers multiplied by the number of
target domain controllers that you specify. For example, if you specify 10
source domain controllers and 10 target domain controllers, you will receive
approximately 100 data collections per interval.
In the MOM 2005 Administrator console, double-click Management Packs, and then
double-click Computer Groups.
2.
In the right pane, right-click Active Directory Replication Latency Data Collection - Sources, and then click Properties.
3.
On the Included Computers tab, select the domain controllers that you want to track
replication latency data from, and then click OK.
4.
Right-click Active Directory Replication Latency Data Collection - Targets, and then
click Properties.
5.
On the Included Computers tab, select the domain controllers that you want to track
replication latency data to, and then click OK.
6.
In the left pane, right-click Management Packs, and then click Commit Configuration
Change.
Note
It can take up to 24 hours for data to start collecting.
After 24 hours, triage the alerts that the Active Directory Management Pack scripts have
generated. Triaging the alerts helps you to identify critical issues and resolve them right away. It
also helps you to decrease the amount of alert noise that is generated by your domain controllers,
the WAN, and the MOM system, which makes it easier to maintain the health of your
Active Directory environment.
To perform initial triage after configuring the Active Directory Management Pack
1.
Open the Microsoft Operations Manager 2005 Operator console, and view all alerts that
have been generated in the last 24 hours.
2.
Address alerts in their order of severity (Critical Errors, Errors, Warnings, and Informational
alerts). Each alert includes knowledge that provides additional information to help you
resolve it.
Important
If you find errors from the AD Essential Services script, address these errors
first. These errors indicate that one or more of the services that
Active Directory depends on are not running.
3.
Address alerts that are generating the most noise on domain controllers, the WAN, and the
MOM system by doing the following:
a.
b.
c.
d.
In Computer, click a computer in the drop-down list, and then click View Report.
e.
Examine the report, and then address all events that show more than 5 percent in the
Activity % column.
f.
At the top of the screen, click Operational Health Analysis, and repeat steps d and e
for the Most Common Alerts by Alert Count report.
If you are deploying the Active Directory Management Pack in any of these scenarios, you can
disable certain performance data to decrease network traffic.
Note
Several Active Directory Management Pack reports will not operate if
performance data gathering is disabled.
2.
In the left pane, right-click Reporting Rules for Active Directory, and then click
Properties.
3.
On the General tab, clear the Enabled check box, and then click OK.
4.
5.
In the left pane, right-click Reporting Rules for Active Directory, and then click
Properties.
6.
On the General tab, clear the Enabled check box, and then click OK.
7.
In the left pane, right-click Management Packs, and then click Commit Configuration
Change.
Active Directory Management Pack features requires significant manual configuration on the
agent computer.
On Windows Server 2003, the Action Account must have the following minimum privileges:
In a low-privileged scenario, the Active Directory Management Pack requires that the account
that is used for the Action Account and the service context that the MOM Service runs under
have additional rights and privileges.
Table 14 details the access types that must be configured manually.
Table 14 Access Types Required by the Active Directory Management Pack
Resource
CN=MomLatencyMonitors
Container
Access Type
Full
Instructions
At minimum, the Action Account must be able to:
Create container objects as children of
CN=MOMLatencyMonitors.
Read the attributes of all of the objects that are
created under CN=MOMLatencyMonitors.
Write to the adminDescription attribute on the
objects that are created under
CN=MOMLatencyMonitors.
Create the MomLatencyMonitors container as a
child container of the root of each domain and
application directory partition that you are going to
monitor. If an application directory partition crosses
domain boundaries, provide the appropriate access
to the Action Account in each domain.
If you are going to monitor the configuration
partition, create the MomLatencyMonitors
container as a child object of the configuration
partition as well.
To create the MomLatencyMonitors container on a
domain controller:
1. Click Start, click Run, and then type
adsiedit.msc.
2. In ADSI Edit, double-click Domain
[computername], and then right-click
DC=domainname,DC=com.
3. Click New, and then click Object.
4. In Select a class, click Container, and then
click Next.
5. In Value, type MomLatencyMonitors, and then
click Next.
6. Click Finish.
The MomLatencyMonitors container needs to be
created on only one domain controller. The created
object will replicate to the other domains in the
forest.
Registry keys
Read
Read
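The minimum rights that Table 14 lists for CN=MomLatencyMonitors can be granted individually rather than by giving the Action Account full control of the container. The following is an added example, not part of the original guide; the partition root `DC=example,DC=com` and the account `EXAMPLE\svc-momaction` are placeholders, and it assumes PowerShell with Dsacls.exe available and an administrator running it.

```powershell
# Added example. Placeholder values: replace with the root of the domain or
# application directory partition you monitor and your MOM Action Account.
$PartitionDN   = 'DC=example,DC=com'        # placeholder
$ActionAccount = 'EXAMPLE\svc-momaction'    # placeholder
$ContainerDN   = "CN=MomLatencyMonitors,$PartitionDN"

# Create the container if it is not already present in this partition
# (same result as the ADSI Edit procedure in Table 14).
if (-not [ADSI]::Exists("LDAP://$ContainerDN")) {
    $root      = [ADSI]"LDAP://$PartitionDN"
    $container = $root.Create('container', 'CN=MomLatencyMonitors')
    $container.SetInfo()
}

# 1. Create container objects as children of CN=MomLatencyMonitors.
dsacls $ContainerDN /G "${ActionAccount}:CC;container"

# 2. Read the attributes of the objects created under it
#    (/I:S applies the entry to child objects only).
dsacls $ContainerDN /I:S /G "${ActionAccount}:RP"

# 3. Write only the adminDescription attribute on those objects.
dsacls $ContainerDN /I:S /G "${ActionAccount}:WP;adminDescription"

# Display the resulting ACL so the three entries can be reviewed.
dsacls $ContainerDN
```

Repeat the script with `$PartitionDN` set to each domain, application directory partition, and (if monitored) the configuration partition.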
Note
The Action Account must be a member of either the Domain Admins group or
the Administrators group in the domain in which trusts are monitored using
the AD Monitor Trusts script. If the Action Account is not a member of either
of these groups, you will continue to receive a failure message unless you
disable the following rule:
Microsoft Windows Active Directory\Active Directory Monitor Trusts\ScriptAD Monitor Trusts.
Daily Operations
On a daily basis, perform the following operations:
Verify that all domain controllers are communicating with the MOM console.
Critical Errors
Alerts with a source name that begins with AD, such as AD Op Master Response,
AD Essential Services, and AD Replication Monitoring
Errors, Warnings
Not all problems can be repaired in one day or less. Commonly, parts must be ordered or
computers must be scheduled for reboot, and so forth. It is important that you follow up on these
open alerts to make sure that they are addressed in a timely manner.
Open the Microsoft Operations Manager 2005 Operator console, and then view all alerts that
have been generated in the last 24 hours.
2.
Address alerts in their order of severity (Critical Errors, Errors, Warnings, and Informational
alerts). Each alert includes knowledge that provides additional information to help you
resolve the alert.
To verify that domain controllers are communicating with the MOM console
1.
2.
Weekly Operations
In addition to the operations that you perform daily, review the following reports weekly:
AD Domain Changes
DC Disk Space
Monthly Operations
In addition to the operations that you perform on a daily and weekly basis, review the reports in
the following categories monthly:
DC Replication Bandwidth
AD Domain Controllers
Clean up objects.
Cleaning Up Objects
After you remove a domain controller that you no longer want to monitor from the
Active Directory Management Pack, you need to clean up the object that is left behind.
To clean up objects after removing a domain controller from the Active Directory Management
Pack
1.
2.
3.
Double-click CN=MOMLatencyMonitors, and then locate the object for the domain
controller that you want to delete. (If CN=MOMLatencyMonitors does not exist, proceed
to step 5).
4.
5.
6.
Double-click CN=MOMLatencyMonitors, and then locate the object for the domain
controller that you want to delete. (If CN=MOMLatencyMonitors does not exist, proceed
to step 8).
7.
8.
If the domain controller that you deleted was a DNS server or if it held other application
directory partitions, connect to the appropriate application directory partition.
9.
10. Double-click CN=MOMLatencyMonitors, and then locate the object for the domain
controller that you want to delete.
11. Right-click the object, and then click Delete.
12. Repeat steps 9, 10, and 11 to delete the object in all other application directory partitions that
were held by that domain controller (for Windows Server 2003 only).
For more information about ADSI Edit, see Adsiedit.msc: ADSI Edit on the Microsoft Web site
at http://go.microsoft.com/fwlink/?LinkId=33544.
Note
Always use this rule group on or near servers running directory-enabled
applications, such as Exchange 2000 Server and Exchange Server 2003, to
ensure that global catalog servers and domain controllers are always
available.
Each computer running the Active Directory Management Pack Client Pack can be configured to
monitor only the domain controllers in which you are interested. By using the Active Directory
Management Pack Client Pack, you can:
Monitor all domain controllers in the client's domain or in a specified list of domains.
The client computer determines whether the domain controllers are available by:
Thresholds can be specified for the LDAP binds and searches. If multiple consecutive failures (or
binds or searches that exceed the specified thresholds) occur, an alert is generated.
In addition, the client computer also determines whether:
In the MOM 2005 Administrator console, double-click Management Packs, and then
double-click Computer Groups.
2.
Right-click Active Directory Client Side Monitoring, and then click Properties.
3.
4.
Select the computers on which you want to deploy the Client Pack, and then click OK.
On each computer on which you have deployed the Client Pack, configure agent proxying
settings by using the following procedure.
1.
In the MOM 2005 Administrator console, double-click Administration, and then double-click Computers.
2.
3.
Right-click the domain controller on which you want to configure agent proxying settings,
and then click Properties.
4.
5.
Clear the Use global settings check box, and then clear the check box under Agent
proxying.
For more information about configuring the Active Directory Management Pack Client Pack, in
the MOM 2005 Administrator console see the configuration information in the Active Directory
Client Side Monitoring Rule Group description.