Security Seminar ‘06
Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM
Jeff Alexander
IT Pro Evangelist
Microsoft Australia

Agenda
• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Resilient Infrastructure
[Diagram labels: Other NOS; Application Packages; Internet; VPN; Quarantine; Cisco FWSM; Cisco MPLS VPN]

MOM 2005 Architecture
[Diagram labels: Administrator; Web; Operator; Reporting; MOM Server; MOM Database; MOM Reporting Server; Reporting Database; Management Pack; Agent-managed; Agentless managed; Domain A; Domain B; Management Group; Support Users]

MOM 2005 Sizer

Monitoring the stack
Partners provide complete monitoring solutions
• Sybari
• Jalasoft Network Management
• Exchange
• Windows
• HP Proliant Servers
• Jalasoft Power Management

Agenda
• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Why Monitor Active Directory?
• Hardware failures
• Disk space
• Network connectivity
• Configuration errors
• Errant applications

• Login/password issues
• Group Policy
• Resource access
• Exchange e-mail
• Replication issues

Active Directory Management Pack

Other Management Packs
Base Operating Systems
Exchange
Group Policy
DNS

Active Directory Public Views
Health Monitoring
• Active Directory Domain Controller Alerts
• Lingering Object Alerts
• Service Level Exceptions for DCs
Discovery
• Domain Controllers by OS Version
Task Status
• Enumerate Trusts
• Replication Status Snapshot
• Service Principal Name Health
Discovery
• Number of Client Sessions
Health Monitoring
• Active Directory Database
• CPU and Memory Usage on DCs
• DC and GC Response Time
Replication Monitoring
• Replication Traffic
• Replication Latency
Replication Topology
• Broken Connection Objects
• Connection Objects
• Site Links
Client Side Monitoring
• Client Side Events
Health Monitoring
• GC Search Response Events
• Active Directory Op Master Response Events
• Directory Service Errors
• NTDS Events
• Clean Up After Cross-Domain Moves
Computer Group Views
Event Views
Performance Views
Alert Views
Task Status Views
Diagram Views

Replication Topology Diagram Views
Three different views:
• Broken Connection Objects
• Connection Objects
• Site Links

• Server health state
• Annotated server roles
• Site links
• Detailed tool tips

Demonstration: Introducing the ADMP
• Exploring the Administrator Console
• Exploring the Operator Console
• Defining Client Side Monitoring Computers

Agenda
• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Active Directory State Monitoring
Client View
Server Health
Replication Health
Service Health

• Is each DC configured properly?
• Are all DCs replicating?
• Is replication occurring in a timely fashion?
• Has initial replication completed in the last 24 hours?

• Active Directory service healthy?
• Other processes that are vital to the health of Active Directory?
• Database growth and log file free space OK?

• Are the necessary FSMO role holders responsive?
• Is the Active Directory service responsive?
• Can clients connect to the directory?

• End-to-end replication via change injection
• Health of inbound connection objects
• Appropriate number of replication partners
• Site islands
• Slow replication

• Health of LSASS, KCC, Userenv
• State of NetLogon, FRS, ISM, W32Time, KDC
• Name resolution and DC locator
• SYSVOL accessibility

• Serverless bind threshold
• GC Search Time
• Lost object count
• Availability of LDAP and crucial roles
• Name resolution and DC locator
• Client Pack tests

• Serverless bind
• PDC availability
• Minimum number of GCs available
• Targeted DCs availability and responsiveness

• Can clients connect to PDC, GCs?
• Is Active Directory responsive to clients?

Monitoring Scenarios
Client Side Monitoring
[Diagram labels: Ping; ICMP; LDAP; Search; Global Catalogs; PDC Emulator]

Monitoring Scenarios
Active Directory Trust Relationships
• Monitors and detects problems

Monitoring Scenarios
Account and Authentication Issues
• Password issues
• Credential issues
• Duplicate accounts
• Other problems

Other Monitoring Scenarios
• Net Logon Service
• UGMC
• Dependent Services
• Active Directory Availability
• Replication
• Performance Monitoring

Client Side Monitoring Scenario
[Diagram labels: Seattle.contoso.com; London.contoso.com; LON-DC-01; LON-DC-02; SEA-DC-01; SEA-DC-02; LON-EXC-01; Exchange user; Help Desk; MOM 2005; "My e-mail is slow!"]

Replication Monitoring
[Diagram labels: Source DCs; Target DCs]
• New container: CN=MomLatencyMonitors
• Scripts add timestamps to monitor latency
• Separate thresholds for intra- and intersite
• Computers can be both source and target

Demonstration: ADMP Monitoring and Server Health
• Troubleshooting Replication Problems
• Configuring Low-Privilege Account
• Forcing Data Collection

Agenda
• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

ADMP Reports
Configuration
Disk Space
Operations
Replication

Demonstration: ADMP Reporting
• Performing the Initial Triage
• Using Predefined Reports

Agenda
• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Overview of Inventory Tool for Microsoft Updates (ITMU)
Why the change to ITMU?
• SMS 2003 currently uses Microsoft Baseline Security Analyzer (MBSA)
• The MBSA scan engine is built on a third-party tool named Shavlik.
• SMS and Microsoft Update Partnership
• ITMU – Reduced dependency on MBSA
• The SMS ITMU enables customers to standardize on the patch technology of choice for Microsoft going forward.

Overview of Inventory Tool for Microsoft Updates (ITMU)
What does the new ITMU do differently?
• Improved patch management through a more comprehensive and widely supported detection technology
• Broader detection support for more Microsoft products
• Consistent product support across multiple detection technologies including parity with Automatic Updates

Overview of Inventory Tool for Microsoft Updates (ITMU)
How is ITMU different from MBSA?
• ITMU supports security updates, service packs and rollups
• ITMU supports Office XP and later for security updates and service packs
• ITMU only supports Windows 2000 SP3 or later
• ITMU catalog (WSUSScan.cab) includes all languages
• ITMU supports SQL Server 2000 and beyond
• ITMU provides automatic updates of the Microsoft Updates Catalog
• Uses Windows Updates Agent to scan and identify current patch status

Inventory Tool for Microsoft Updates (ITMU) Diagram

Client Scans with ITMU
• Requires Windows Update Agent
  • If agent is not already installed, SMS can automatically install the agent through a dependent program
  • Scan program calls Windows Update Agent installation program
  • Configurable through ITMU Setup
• Once Windows Updates Agent is installed, scan for Microsoft Updates can occur

Client Scans with ITMU
• Scan Agent process:
  • Scanwrapper.exe verifies Windows Updates Agent installed
  • Scanwrapper.exe calls SMSWushandler.exe
  • SMSWusHandler.exe performs scan through calls to the Windows Updates Agent
• Scan Agent process:
  • Scan Data is stored in WMI
    • Data is stored in the Win32_PatchState_Extended class
    • “Type” attribute is set to “Microsoft Update”
  • Scan results reported through hardware inventory
  • SMS 2003 SP1 sms_def.mof file already supports the Extended Patch State class and data

Viewing Results for ITMU
• Data is maintained on the client in WMI
• Data is returned to the SMS site database in Extended Patch State
• Data can be viewed in Resource Explorer, Software Updates (SMS Administrator Console node), and SMS Reports
• Previously existing Software Compliance reports are updated to support both classes
• There are six new reports added with this tool
  • Two in Software Update – Compliance
  • Four in Software Update – Distribution Status

Update Distribution
• As with MBSA, the Distribute Software Updates Wizard is used
  • Presents a list of available updates for distribution
  • Downloads updates and creates SMS objects required to deploy them
    • Optionally the administrator can pre-download and stage the patches prior to using the wizard
• Administrator selects which updates to deploy to which clients
  • Can have multiple updates in a single package
• Installed on all SMS 2003 SP1 Administrator Consoles automatically

Demonstration: Inventory Tool for Microsoft Updates
• Overview of the tool
• Sending out patches

Troubleshooting
• There are new (and some old) log files that can be helpful in troubleshooting patch deployment
  • SMSWUSHANDLER.log
  • Advertisement.log
  • SMSCLIUI.log
  • PatchUIMonitor.log
  • EXECMGR.log
  • Patchinstall.log
  • WUSSyncXML.log
  • PatchDownloader.log

Troubleshooting (continued)
Client Side Debugging
• ITMU puts the inventory scan results in the CIMV2 namespace on SP1 clients
• To review the information collected
  • Connect to the root\cimv2 namespace (using WBEMTEST) on the Advanced Client
  • Review the class instances stored within the Win32_PatchState_Extended WMI class
• Basic setup issues may be solved by ensuring that the customer has the supported platforms installed
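
The WBEMTEST review described on this slide can also be scripted on the client. The following PowerShell script is an added example, not part of the original deck; it assumes PowerShell 2.0 or later on the client, and the function name Get-ItmuScanState is hypothetical. Only the namespace, the class name and the "Microsoft Update" Type value are taken from the slides.

```powershell
# Added example, not from the original deck. Run locally on the SMS Advanced Client.
# Namespace, class name and Type value are the ones named on the slides.
$Namespace = 'root\cimv2'
$ClassName = 'Win32_PatchState_Extended'
$ItmuType  = 'Microsoft Update'

# Hypothetical helper: reports whether the class exists, how many instances
# each scan Type has written, and which instances came from the ITMU scan.
function Get-ItmuScanState {
    param([string]$Namespace, [string]$ClassName, [string]$ItmuType)

    # Handle the case where the class is not present on this client.
    $class = Get-WmiObject -Namespace $Namespace -List |
        Where-Object { $_.Name -eq $ClassName }
    if (-not $class) {
        return New-Object PSObject -Property @{
            ClassPresent = $false; ByType = @(); ItmuRows = @() }
    }

    $rows = @(Get-WmiObject -Namespace $Namespace -Class $ClassName)
    New-Object PSObject -Property @{
        ClassPresent = $true
        ByType       = @($rows | Group-Object -Property Type | Select-Object Name, Count)
        ItmuRows     = @($rows | Where-Object { $_.Type -eq $ItmuType })
    }
}

$state = Get-ItmuScanState $Namespace $ClassName $ItmuType

if (-not $state.ClassPresent) {
    Write-Warning "$ClassName not found in $Namespace"
}
elseif ($state.ItmuRows.Count -eq 0) {
    # Class exists but the ITMU scan has not written results yet.
    Write-Warning "No instances with Type='$ItmuType'; check SMSWUSHANDLER.log"
    $state.ByType | Format-Table -AutoSize
}
else {
    $state.ByType | Format-Table -AutoSize
    # Dump each instance's properties as stored, so no property names
    # beyond Type have to be assumed.
    foreach ($row in $state.ItmuRows) {
        $row.psbase.Properties | Select-Object Name, Value | Format-Table -AutoSize
    }
}
```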

Session Summary
• Install additional MPs for the complete picture
• Take advantage of client side monitoring
• Identify trends and issues through reporting
• Be able to respond to update requirements