ADM313:Monitoring Active Directory with MOM

Paul Reiner

Program Manager

Directory Services

Why Monitor Active Directory?

AD problems can be extremely disruptive if left undetected

Slow login / login failures / password issues

Group Policy problems

Resource access problems

Exchange 2000 Issues

AD problems are trivial to fix when detected early but rapidly become complex when ignored

Replication issues can lead to security related issues

More and more applications critically depend on AD everyday

When To Monitor

Plan your AD monitoring solution before deploying AD

Lab test your AD monitoring solution before deploying AD

Monitor AD simultaneously with first DC deployment

Pause new DC deployment if monitoring detects problems OR your monitoring solution fails

Key Takeaway

All production deployments must have effective forest-wide AD

monitoring

ADMP SP1 Design Goals

Customers will receive a very small # of highly relevant alerts identifying the “root cause” wherever possible

Very little configuration necessary

Available before AD ships

Easily customizable for very sophisticated implementations

Excellent AD health definition(Built by the AD team for AD)

Usable “out of the box” for very large AD deployments

Our Commitment to ADMP

Three man years development effort including multi-month code review, dozens of meeting with the architects, PMs, and developersValidated ADMP in Windeploy, NTDEV, and Corp forests (as well as other internal forests)Scrubbed all event messages and KB (help) three times for legibility, completeness, and usabilityVerified ADMP quality against known test suitesUsed by AD development team to help validate next version of AD works as expected

Interesting Stats

Two new WMI providers (replprov and trustmon) were created to expose critical information

ADMP is used exclusively for all production AD health monitoring for Microsoft worldwide (total of > 250 DCs)

Currently at 400+ rules, 12 scripts, 42 reports, and six dependency services included

> 100x improvement in many areas over version originally acquired by Microsoft

“Is My Current Monitoring Solution Sufficient?”

Common 3rd Party Issues

Event log rules will be missing or misapplied

Thresholds are far too simplistic and either false trigger or miss critical problems

Scripts either missing or cause wan saturation

Failure to monitor other “key” related servicesFRS, ISM, KDC, NETLOGON, …

Incomplete understanding of AD leads to huge gaps (duplicate SPNs issues, lingering objects, lack of application partitions support, AD/AM support, … )

Failure to account for behavior changes in service packs

Requires extensive customization

Product requires EXTENSIVE AD Knowledge

ADMP Successes

Centralized view of a distributed system

Complete end-to-end monitoring

Extremely WAN efficient

Include supporting views and reports

Include key performance Indicators

All rules will have “knowledge” about the most common reasons for the error and suggested next steps

Usable by large enterprises “out of the box”

Client Side Monitoring

Completing the picture

Phoenix

DC3

DC4

Redmond

DC1

DC2

ExchangeExchange

User

MOMMOMHelp Help DeskDesk

Exchange isExchange isslowslow!!

WHY ?WHY ?

Everything is Everything is finefine!!

Client Side Monitoring

Ensures AD is available for Exchangeand other directory-enabled apps at the app server

Tests all necessary AD interfacesICMP and LDAP ping

LDAP bind and sub-search

MAPI protocol head

Very granular controlTarget specific GCs/DCs

Target all DCs in a site

Target all DCs in a domain

Client Side Monitoring

Very WAN efficient

Can be placed near/on the app server of interest

Trends key LDAP perf indicators

Can run on any box running MOM agent

“Closes the loop” by providing MOM the client’s perspective of AD health

Phoenix

DC3

DC4

Redmond

DC1

DC2

Exchange

MOMMOM

Client Client packpack

Connectivity testsConnectivity testsAlert:Alert: Client is going to Client is going to out of site DCout of site DC

Alert:Alert: Server response Server response time exceeded limitstime exceeded limits

Phoenix

DC3

DC4

Redmond

DC1

DC2

MOMMOM

Generic App

Separate PCClient Client packpack

No impact to existing generic No impact to existing generic app serverapp server

Both boxes sit next to each otherBoth boxes sit next to each other Separate administrationSeparate administration

AD Reporting

42 reports covering health, discovery, and trending

Commonly uncovers problems missed by monitoring systems alone

Very useful in reducing load on AD and noise across WAN

New In SP1

Supports all Windows Server 2003 features todayNew Windows 2003 WMI provider to monitor Trust relationshipsNew WMI provider to monitor replication partner healthNew script to correlate high CPU and queue lengths to minimize false alerting on undersized DCs but still alert when they are running too hotAll scripts extensively reworked to provide simple clear messages with DNS name and IP address of source and target (where appropriate); designed to scale to several thousand serversProvides very low # of highly relevant alerts (suitable for paging operators) (Better than 100:1 reduction of alerts from NetIQ version. Better than 10:1 reduction from MOM 1.0)Client side monitoringSupports large deployments “out of the box”Extensive new KBGlobalization support

Supporting Documents

ADMP Users Guide is now shipping!Installation, configuration, and best-practices operations information

Specific support for large branch office scenarios & extremely low-bandwidth wan linkshttp://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/mom/maintain/operate/AdmpDOg.asp

ADMP Technical Reference Guide will release to web on 7/15/03

Summary

Monitoring AD is essential!

Not all monitoring solutions are alike

Comprehensive monitoring with MOM is now available

Designed and built by AD Engineering

Used by Microsoft internally for both production forests

Windows Server 2003 ready today!

Community Resources

Community Resourceshttp://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/

NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx

User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx

The tools you need to put technology to work!The tools you need to put technology to work!

Suggested Reading And Resources

TITLETITLE AvailableAvailable

TodayTodayActive Directory® for Microsoft® Active Directory® for Microsoft® Windows® Server 2003 Technical Windows® Server 2003 Technical Reference: 0-7356-1577-2Reference: 0-7356-1577-2

Microsoft® Windows® Server Microsoft® Windows® Server 2003 Administrator's Companion: 2003 Administrator's Companion: 0-7356-1367-2 0-7356-1367-2

TodayToday

Microsoft Press books are 20% off at the TechEd Bookstore

Also buy any TWO Microsoft Press books and get a FREE T-Shirt

evaluationsevaluations

© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.