ADM313: Monitoring Active Directory with MOM
Paul Reiner
Program Manager
Directory Services
Why Monitor Active Directory?
AD problems can be extremely disruptive if left undetected
Slow login / login failures / password issues
Group Policy problems
Resource access problems
Exchange 2000 Issues
AD problems are trivial to fix when detected early but rapidly become complex when ignored
Replication issues can lead to security related issues
More and more applications critically depend on AD every day
When To Monitor
Plan your AD monitoring solution before deploying AD
Lab test your AD monitoring solution before deploying AD
Monitor AD simultaneously with first DC deployment
Pause new DC deployment if monitoring detects problems OR your monitoring solution fails
Key Takeaway
All production deployments must have effective forest-wide AD monitoring
ADMP SP1 Design Goals
Customers will receive a very small # of highly relevant alerts identifying the “root cause” wherever possible
Very little configuration necessary
Available before AD ships
Easily customizable for very sophisticated implementations
Excellent AD health definition (built by the AD team for AD)
Usable “out of the box” for very large AD deployments
Our Commitment to ADMP
Three man-years of development effort, including a multi-month code review and dozens of meetings with the architects, PMs, and developers
Validated ADMP in the Windeploy, NTDEV, and Corp forests (as well as other internal forests)
Scrubbed all event messages and KB (help) three times for legibility, completeness, and usability
Verified ADMP quality against known test suites
Used by the AD development team to help validate that the next version of AD works as expected
Interesting Stats
Two new WMI providers (replprov and trustmon) were created to expose critical information
ADMP is used exclusively for all production AD health monitoring for Microsoft worldwide (total of > 250 DCs)
Currently at 400+ rules, 12 scripts, 42 reports, and six dependency services included
> 100x improvement in many areas over version originally acquired by Microsoft
“Is My Current Monitoring Solution Sufficient?”
Common 3rd Party Issues
Event log rules will be missing or misapplied
Thresholds are far too simplistic and either false trigger or miss critical problems
Scripts either missing or cause WAN saturation
Failure to monitor other “key” related services: FRS, ISM, KDC, NETLOGON, …
Incomplete understanding of AD leads to huge gaps (duplicate SPNs issues, lingering objects, lack of application partitions support, AD/AM support, … )
Failure to account for behavior changes in service packs
Requires extensive customization
Product requires EXTENSIVE AD Knowledge
ADMP Successes
Centralized view of a distributed system
Complete end-to-end monitoring
Extremely WAN efficient
Include supporting views and reports
Include key performance indicators
All rules will have “knowledge” about the most common reasons for the error and suggested next steps
Usable by large enterprises “out of the box”
Client Side Monitoring
Completing the picture
[Diagram: two sites, Phoenix (DC3, DC4) and Redmond (DC1, DC2), with an Exchange server, a user, MOM and the Help Desk. The user reports “Exchange is slow! WHY?” while MOM reports “Everything is fine!”]
Client Side Monitoring
Ensures AD is available for Exchange and other directory-enabled apps at the app server
Tests all necessary AD interfaces:
ICMP and LDAP ping
LDAP bind and sub-search
MAPI protocol head
Very granular control:
Target specific GCs/DCs
Target all DCs in a site
Target all DCs in a domain
Client Side Monitoring
Very WAN efficient
Can be placed near/on the app server of interest
Trends key LDAP perf indicators
Can run on any box running MOM agent
“Closes the loop” by providing MOM the client’s perspective of AD health
[Diagram: Phoenix (DC3, DC4) and Redmond (DC1, DC2); the Exchange server runs the MOM client pack, whose connectivity tests report to MOM. Alert: Client is going to out of site DC. Alert: Server response time exceeded limits.]
[Diagram: Phoenix (DC3, DC4) and Redmond (DC1, DC2); a generic app server with the client pack on a separate PC reporting to MOM. No impact to the existing generic app server; both boxes sit next to each other; separate administration.]
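As an added example (not code from the deck or from the ADMP client pack itself), the following PowerShell probe runs on a domain-joined app server and performs the client-side tests just described: an ICMP ping and a timed LDAP bind plus sub-search against every DC in the client's site, raising the two alerts from the diagram. The 500 ms response limit and the 10 s LDAP timeout are assumed, tunable values.

```powershell
# Added example, not part of the ADMP deck: a minimal client-side AD probe run from an
# app server, in the spirit of the client pack's ICMP/LDAP tests and its two alerts.
# Assumes a domain-joined Windows host; the 500 ms limit is an assumed, tunable value.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ResponseLimitMs = 500
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$baseDn = 'DC=' + ($domain.Name -replace '\.', ',DC=')

# Which DC does the locator hand this client? (the "out of site DC" alert)
$locatorDc = $domain.FindDomainController()
if ($locatorDc.SiteName -ne $mySite) {
    Write-Warning "Alert: client is going to out of site DC $($locatorDc.Name) (site $($locatorDc.SiteName), client site $mySite)"
}

# Target all DCs in the client's site
foreach ($dc in $domain.FindAllDomainControllers($mySite)) {
    $name = $dc.Name
    # 1. ICMP ping
    $icmpOk = Test-Connection -ComputerName $name -Count 1 -Quiet
    # 2. LDAP bind plus a subtree search, timed end to end
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($name, 389)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Timeout  = New-TimeSpan -Seconds 10
    $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $baseDn, '(objectClass=domainDNS)',
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('dc'))
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ldapOk = $false
    try {
        $conn.Bind()
        $null = $conn.SendRequest($req)
        $ldapOk = $true
    } catch {
        Write-Warning "LDAP bind/search to $name failed: $($_.Exception.Message)"
    } finally {
        $sw.Stop()
        $conn.Dispose()
    }
    $ms = $sw.ElapsedMilliseconds
    if ($ldapOk -and $ms -gt $ResponseLimitMs) {
        Write-Warning "Alert: server response time exceeded limits on $name ($ms ms > $ResponseLimitMs ms)"
    }
    # One result row per DC; pipe these into a log or trend them over time
    [pscustomobject]@{ DC = $name; Site = $dc.SiteName; IcmpOk = $icmpOk; LdapOk = $ldapOk; LdapMs = $ms }
}
```

Run it on a schedule and record the LdapMs column to trend the LDAP response times the slides refer to; a DC that pings but fails the bind/search is exactly the case the user sees as "Exchange is slow" while server-side checks look fine.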
AD Reporting
42 reports covering health, discovery, and trending
Commonly uncovers problems missed by monitoring systems alone
Very useful in reducing load on AD and noise across WAN
New In SP1
Supports all Windows Server 2003 features today
New Windows 2003 WMI provider to monitor trust relationships
New WMI provider to monitor replication partner health
New script to correlate high CPU and queue lengths to minimize false alerting on undersized DCs but still alert when they are running too hot
All scripts extensively reworked to provide simple, clear messages with DNS name and IP address of source and target (where appropriate); designed to scale to several thousand servers
Provides a very low # of highly relevant alerts (suitable for paging operators): better than 100:1 reduction of alerts from the NetIQ version, better than 10:1 reduction from MOM 1.0
Client side monitoring
Supports large deployments “out of the box”
Extensive new KB
Globalization support
Supporting Documents
ADMP Users Guide is now shipping!
Installation, configuration, and best-practices operations information
Specific support for large branch office scenarios & extremely low-bandwidth WAN links
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/mom/maintain/operate/AdmpDOg.asp
ADMP Technical Reference Guide will release to web on 7/15/03
Summary
Monitoring AD is essential!
Not all monitoring solutions are alike
Comprehensive monitoring with MOM is now available
Designed and built by AD Engineering
Used by Microsoft internally for both production forests
Windows Server 2003 ready today!
Community Resources
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
The tools you need to put technology to work!
Suggested Reading And Resources
Title: Active Directory® for Microsoft® Windows® Server 2003 Technical Reference (ISBN 0-7356-1577-2), available today
Title: Microsoft® Windows® Server 2003 Administrator's Companion (ISBN 0-7356-1367-2), available today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.