ADM313: Monitoring Active Directory with MOM Paul Reiner Program Manager Directory Services.

Presentation transcript:

ADM313: Monitoring Active Directory with MOM Paul Reiner Program Manager Directory Services

Why Monitor Active Directory?
- AD problems can be extremely disruptive if left undetected
  - Slow login / login failures / password issues
  - Group Policy problems
  - Resource access problems
  - Exchange 2000 issues
- AD problems are trivial to fix when detected early but rapidly become complex when ignored
- Replication issues can lead to security-related issues
- More and more applications critically depend on AD every day

When To Monitor
- Plan your AD monitoring solution before deploying AD
- Lab test your AD monitoring solution before deploying AD
- Monitor AD simultaneously with first DC deployment
- Pause new DC deployment if monitoring detects problems OR your monitoring solution fails

Key Takeaway
All production deployments must have effective forest-wide AD monitoring

ADMP SP1 Design Goals
- Customers will receive a very small # of highly relevant alerts identifying the “root cause” wherever possible
- Very little configuration necessary
- Available before AD ships
- Easily customizable for very sophisticated implementations
- Excellent AD health definition (built by the AD team for AD)
- Usable “out of the box” for very large AD deployments

Our Commitment to ADMP
- Three man-years of development effort, including multi-month code review and dozens of meetings with the architects, PMs, and developers
- Validated ADMP in Windeploy, NTDEV, and Corp forests (as well as other internal forests)
- Scrubbed all event messages and KB (help) three times for legibility, completeness, and usability
- Verified ADMP quality against known test suites
- Used by AD development team to help validate that the next version of AD works as expected

Interesting Stats
- Two new WMI providers (replprov and trustmon) were created to expose critical information
- ADMP is used exclusively for all production AD health monitoring for Microsoft worldwide (total of > 250 DCs)
- Currently at 400+ rules, 12 scripts, 42 reports, and six dependency services included
- > 100x improvement in many areas over version originally acquired by Microsoft

“Is My Current Monitoring Solution Sufficient?”

Common 3rd Party Issues
- Event log rules will be missing or misapplied
- Thresholds are far too simplistic and either false trigger or miss critical problems
- Scripts are either missing or cause WAN saturation
- Failure to monitor other “key” related services
  - FRS, ISM, KDC, NETLOGON, …
- Incomplete understanding of AD leads to huge gaps (duplicate SPN issues, lingering objects, lack of application partitions support, AD/AM support, …)
- Failure to account for behavior changes in service packs
- Requires extensive customization
- Product requires EXTENSIVE AD knowledge

ADMP Successes
- Centralized view of a distributed system
- Complete end-to-end monitoring
- Extremely WAN efficient
- Include supporting views and reports
- Include key performance indicators
- All rules will have “knowledge” about the most common reasons for the error and suggested next steps
- Usable by large enterprises “out of the box”

Client Side Monitoring
Completing the picture

[Diagram: Phoenix, DC3, DC4; Redmond, DC1, DC2; two Exchange servers; User; MOM; Help Desk. Callouts: “Exchange is slow!”, “WHY?”, “Everything is fine!”]

Client Side Monitoring
- Ensures AD is available for Exchange and other directory-enabled apps at the app server
- Tests all necessary AD interfaces
  - ICMP and LDAP ping
  - LDAP bind and sub-search
  - MAPI protocol head
- Very granular control
  - Target specific GCs/DCs
  - Target all DCs in a site
  - Target all DCs in a domain

Client Side Monitoring
- Very WAN efficient
- Can be placed near/on the app server of interest
- Trends key LDAP perf indicators
- Can run on any box running MOM agent
- “Closes the loop” by providing MOM the client’s perspective of AD health

[Diagram: Phoenix, DC3, DC4; Redmond, DC1, DC2; Exchange; MOM; Client pack running connectivity tests. Alerts shown: “Client is going to out of site DC”, “Server response time exceeded limits”]
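The two alerts in the diagram above can be derived from the results of the client-side tests (ping, LDAP bind, LDAP sub-search). The following is an added example, not code from ADMP or the presentation; the thresholds, the ProbeResult structure and the site membership of each DC are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed limits; the slides name the alerts but give no numeric thresholds.
BIND_LIMIT_MS = 500.0
SEARCH_LIMIT_MS = 1000.0

@dataclass
class ProbeResult:
    client_site: str             # AD site of the app server running the probe
    dc: str                      # DC/GC that was targeted
    dc_site: str                 # AD site that DC belongs to
    ping_ok: bool                # ICMP and LDAP ping both answered
    bind_ms: Optional[float]     # LDAP bind time; None means the bind failed
    search_ms: Optional[float]   # LDAP sub-search time; None means it failed

def evaluate(p: ProbeResult) -> List[str]:
    """Return the alerts one probe raises, judged from the client's side."""
    if not p.ping_ok or p.bind_ms is None or p.search_ms is None:
        # A DC the client cannot use makes site and latency checks moot.
        return [f"{p.dc}: not usable from {p.client_site} (ping/bind/search failed)"]
    alerts = []
    if p.dc_site != p.client_site:
        alerts.append(f"{p.dc}: client is going to out-of-site DC ({p.dc_site})")
    if p.bind_ms > BIND_LIMIT_MS or p.search_ms > SEARCH_LIMIT_MS:
        alerts.append(f"{p.dc}: server response time exceeded limits")
    return alerts

# Constructed sample results for an Exchange server in the Phoenix site.
# Which DC sits in which site is assumed for this example.
SAMPLES = [
    ProbeResult("Phoenix", "DC3", "Phoenix", True, 40.0, 120.0),
    ProbeResult("Phoenix", "DC4", "Phoenix", True, 35.0, 2400.0),
    ProbeResult("Phoenix", "DC1", "Redmond", True, 900.0, 1500.0),
    ProbeResult("Phoenix", "DC2", "Redmond", False, None, None),
]

def run(samples=SAMPLES) -> List[str]:
    """Flatten the alerts for every probe into one list."""
    return [alert for p in samples for alert in evaluate(p)]

if __name__ == "__main__":
    for line in run():
        print(line)
```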

[Diagram: Phoenix, DC3, DC4; Redmond, DC1, DC2; MOM; Generic App; Separate PC running the Client pack]
- No impact to existing generic app server
- Both boxes sit next to each other
- Separate administration

AD Reporting
- 42 reports covering health, discovery, and trending
- Commonly uncovers problems missed by monitoring systems alone
- Very useful in reducing load on AD and noise across WAN

New In SP1
- Supports all Windows Server 2003 features today
- New Windows 2003 WMI provider to monitor trust relationships
- New WMI provider to monitor replication partner health
- New script to correlate high CPU and queue lengths to minimize false alerting on undersized DCs but still alert when they are running too hot
- All scripts extensively reworked to provide simple clear messages with DNS name and IP address of source and target (where appropriate); designed to scale to several thousand servers
- Provides very low # of highly relevant alerts (suitable for paging operators)
  - Better than 100:1 reduction of alerts from NetIQ version
  - Better than 10:1 reduction from MOM 1.0
- Client side monitoring
- Supports large deployments “out of the box”
- Extensive new KB
- Globalization support
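The idea of correlating high CPU with queue length, compared against a CPU-only threshold, is sketched below. This is an added example, not the ADMP script; the threshold values, the sustain count and the counter samples are assumptions constructed for illustration.

```python
from typing import List, Tuple

Sample = Tuple[float, int]   # (% processor time, processor queue length)

# Assumed thresholds; the slide does not give the values ADMP uses.
CPU_HIGH = 90.0          # percent
QUEUE_PER_CPU_HIGH = 4   # waiting threads per processor
SUSTAIN = 3              # consecutive samples required before alerting

def cpu_only_alerts(samples: List[Sample]) -> int:
    """Naive rule: one alert per sample over the CPU threshold."""
    return sum(1 for cpu, _ in samples if cpu >= CPU_HIGH)

def correlated_alerts(samples: List[Sample], processors: int) -> int:
    """Alert once per episode in which CPU and queue stay high together."""
    alerts, streak = 0, 0
    for cpu, queue in samples:
        if cpu >= CPU_HIGH and queue / processors >= QUEUE_PER_CPU_HIGH:
            streak += 1
            if streak == SUSTAIN:   # fire once, when the episode is confirmed
                alerts += 1
        else:
            streak = 0
    return alerts

# Constructed counter samples.
# Undersized single-CPU DC: CPU often pegs, but work is not backing up.
SMALL_DC = [(95, 1), (97, 2), (60, 0), (99, 1), (92, 3), (40, 0)]
# DC running too hot: CPU pegged and the queue keeps growing.
HOT_DC = [(95, 1), (96, 5), (98, 7), (99, 9), (99, 12), (97, 8)]

if __name__ == "__main__":
    for name, data in (("SMALL_DC", SMALL_DC), ("HOT_DC", HOT_DC)):
        print(name, "cpu-only:", cpu_only_alerts(data),
              "correlated:", correlated_alerts(data, processors=1))
```

On the constructed data the CPU-only rule pages four times for the undersized DC, while the correlated rule stays silent there and raises a single alert for the DC that is actually backing up.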

Supporting Documents
- ADMP Users Guide is now shipping!
  - Installation, configuration, and best-practices operations information
  - Specific support for large branch office scenarios & extremely low-bandwidth WAN links
  - odtechnol/mom/maintain/operate/AdmpDOg.asp
- ADMP Technical Reference Guide will release to web on 7/15/03

Summary
- Monitoring AD is essential!
- Not all monitoring solutions are alike
- Comprehensive monitoring with MOM is now available
- Designed and built by AD Engineering
- Used by Microsoft internally for both production forests
- Windows Server 2003 ready today!

Community Resources
- Most Valuable Professional (MVP)
- Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
- User Groups: Meet and learn with your peers

Suggested Reading And Resources
The tools you need to put technology to work!
- Active Directory® for Microsoft® Windows® Server 2003 Technical Reference (available today)
- Microsoft® Windows® Server 2003 Administrator's Companion (available today)
Microsoft Press books are 20% off at the TechEd Bookstore. Also buy any TWO Microsoft Press books and get a FREE T-Shirt.


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.