Monitoring the Database
It’s important to implement a consistent Active Directory monitoring strategy to ensure database integrity, reliability, and performance within your forest. Regular monitoring can also improve your knowledge of Active Directory and assist you in determining when a problem is in the early stages of unfolding. This will lead to performance and service issues being resolved in a much more timely manner.
It is important to remember that Active Directory does not exist in a vacuum. Performance and service issues that seem to relate to Active Directory can be caused by other key infrastructure components, such as name resolution services. In the following sections, we look at some of the primary tools that you can use to monitor Active Directory.
Using Event Viewer to Monitor Active Directory
The Windows Server 2003 Event Viewer tool, which is accessed via Start | Programs | Administrative Tools | Event Viewer, can be used to view a variety of event logs on the DC. For monitoring the directory service, the following event logs are of particular interest:
■ DNS Server This event log displays information relating to the DNS server service if it is installed on the DC. It is common in small environments and remote offices to have a single server acting as both DC and DNS server (along with other roles). Because clients running Windows 2000 and later operating systems use DNS to locate DCs and GC servers, problems with this service can severely impact Active Directory availability on the network.
■ System This event log displays critical information concerning the state of the operating system as a whole. Examining the System log should be part of the review procedure because underlying system stability is critical to optimum functionality of a DC. The System event log is also used to display messages that notify you when the DC’s DNS record was not registered or updated properly.
■ Application This event log displays extensive information from Group Policy and other related Active Directory components.
■ Directory Service This is the primary event log for Active Directory. It includes information related to when the directory service starts and stops, the Garbage Collection process, online defragmentation, and much more.
■ File Replication Service This service controls the replication of SYSVOL, which contains critical data such as Group Policy and replication topology connection information.
In a large domain, event logs can grow quite rapidly, which makes it difficult to search through them for key events. Microsoft recommends using the filter or search functionality to specifically seek out events matching the following criteria:
■ All records with an Error severity level in the Directory Service or FRS event logs
■ All LSASS records in the System event log with a severity level of Error. The Local Security Authority subsystem (LSASS) is the primary security subsystem for Active Directory.
■ All Kerberos V5 Key Distribution Center (KDC) records in the System event log with a severity level of Error. The KDC is the primary logon service for Windows 2000 and later clients in Active Directory.
■ All USERENV records in the Application event log with a severity level of Error. This setting can indicate problems with the application of Group Policy.
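The filter criteria above can be applied from a script rather than by clicking through Event Viewer on each DC. The following Windows PowerShell script is an added example and is not part of the book; it assumes Windows PowerShell 2.0 or later with the Get-EventLog cmdlet, and the event source patterns used to pick out LSASS, KDC and USERENV records ('LSA*', 'KDC', 'Userenv') are assumptions based on the log names in the text.

```powershell
# Added example (not from the book): collect the Microsoft-recommended
# error-level events from a DC's classic event logs for review.
# Assumes Windows PowerShell 2.0+ (Get-EventLog). The Source patterns below
# are assumptions; adjust them to the source names seen in your own logs.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# One entry per criterion in the text: log name plus a source pattern.
$checks = @(
    @{ Log = 'Directory Service';        Source = '*'       },   # all DS errors
    @{ Log = 'File Replication Service'; Source = '*'       },   # all FRS errors
    @{ Log = 'System';                   Source = 'LSA*'    },   # LSASS (assumed source name)
    @{ Log = 'System';                   Source = 'KDC'     },   # Kerberos KDC (assumed source name)
    @{ Log = 'Application';              Source = 'Userenv' }    # Group Policy (assumed source name)
)

$results = foreach ($c in $checks) {
    Get-EventLog -ComputerName $ComputerName -LogName $c.Log -EntryType Error `
                 -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -like $c.Source } |
        Select-Object @{ n = 'Log'; e = { $c.Log } }, TimeGenerated, Source, EventID, Message
}

# Newest first; -Wrap keeps long Message text readable in the console.
$results | Sort-Object TimeGenerated -Descending |
    Format-Table Log, TimeGenerated, Source, EventID, Message -AutoSize -Wrap
```

Run it with -ComputerName for each DC, or loop over a list of DCs and pipe the combined output to Export-Csv; a daily run that is empty is itself useful evidence that the directory service, FRS, LSASS, KDC and Group Policy processing had no error-level events in the period.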
Using the Performance Console to Monitor Active Directory
The Performance console is another tool that comes preinstalled in Windows Server 2003 and can be very helpful in monitoring Active Directory. The Performance console, which is accessed via Start | Programs | Administrative Tools | Performance, is capable of monitoring the server on which it is installed and other remote servers. Data from any number of Windows Server 2003 computers can be combined for tracking or display purposes. Windows contains a variety of performance metrics that can be monitored with this utility. The Performance utility consists of the following three components:
■ System Monitor This portion of the utility is used to graphically display performance metrics
■ Counter and Trace logs These options allow for detailed levels of logging over time. In most cases, you won’t have time to sit around all day watching the System Monitor, which charts real-time information. Instead, you’ll need data that you can review and work with when it is convenient.
■ Alerts The Alerts option allows you to specify critical thresholds that, when exceeded, cause some type of action to take place. The default action is to have the alert generate a message in Event Viewer. You can also have it send a network message, start logging to a preconfigured counter log, or execute a script, batch file, or program.
The metrics that are monitored using the Performance console are called counters. These counters are grouped according to the objects to which they pertain. Figure 19.5 shows some of the counters available for the NTDS (directory services) object.
Figure 19.5 The Add Counters Dialog Box
Microsoft recommends that you use the following performance counters for monitoring Active Directory:
■ NTDS performance object counters:
■ DRA inbound and outbound counters These counters are used to track the amount of replication information that flows into and out of a site. Significant changes can indicate a major increase in the amount of replication traffic or a shift in the site replication topology.
■ DS Search sub-operations/sec Significant changes in this counter can indicate an application that is incorrectly targeting a DC, or performance problems involving the DC.
■ LDAP Searches/sec This counter corresponds to the overall number of LDAP searches per second on the DC. It should be relatively consistent across all of your DCs in a well-planned and balanced environment. If it isn’t, this counter can indicate that an application is incorrectly targeting a DC (rather than spreading its use out across several DCs). It can also indicate uneven client loads. This counter is also useful for tracking trends over time for capacity planning.
■ LDAP Client Sessions This counter displays the number of clients that are connected to the LDAP services. It can also be used to track uneven client loads, which might be indicative of connection failures to other DCs in a well-planned and balanced environment. Like the LDAP Searches/sec counter, this counter is useful for tracking trends over time for capacity planning.
■ NTLM Authentications This counter indicates the number of domain authentications taking place using the NTLM protocol. Windows 2000 and later clients should use Kerberos for authentication, but will fall back to NTLM when they are unable to authenticate using Kerberos. This counter can be used to indicate Kerberos authentication issues in these types of environments.
■ Kerberos Authentications This counter indicates the number of domain authentications that take place using the Kerberos protocol. This counter is helpful in tracking authentication trends over time for capacity planning.
■ Processor object counters:
■ % Processor Time This counter can be used to track the overall consumption of processor resources in the DC. Microsoft recommends that this counter not exceed 85 percent on a sustained basis.
■ % DPC Time This counter alerts you to delayed execution of processes resulting from the DC being too busy to execute them. Microsoft recommends a sustained threshold of 10 for this counter.
■ System object counters:
■ Processor Queue Length This counter indicates that the system cannot keep up with processing requests. When you see the word queue in any counter, the counter tracks the number of things “waiting in line” to use the resource. Microsoft recommends that this counter not exceed a value of 6 on a sustained basis.
■ Context Switches/sec Most modern processors can only execute one thread at a time. Although it appears that the computer is running many programs at once, each program is actually sharing the processor with all others. Each thread (the smallest unit of executable code in a program) uses the processor for a short period of time and then passes it on to the next. This concept is referred to as time slicing. A context switch occurs when the processor switches between waiting processes. This counter can indicate too many applications (including operating system applications) for the processor to service, or applications that are too busy for the processor to keep up with. Microsoft recommends that this counter not exceed 70,000 on a sustained basis.
■ Memory object counters:
■ Page Faults/sec This counter indicates when needed program code is not resident in memory and must be loaded from disk (from the page file). This is often an indication of a system in need of more physical RAM. Microsoft recommends a sustained threshold of 700 for this counter.
■ Available MBytes This counter indicates the amount of available system memory. Microsoft recommends using this counter to configure an alert that will notify you when the DC is running low on memory resources.
■ PhysicalDisk: Current Disk Queue Length counter This counter can be used to track the number of disk reads and writes that are waiting to be filled. This can be the result of a busy processor that is not able to keep up with IRQ requests, or a slow disk drive or subsystem. Microsoft recommends that this counter not exceed a value of 2 on a sustained basis.
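The counters and thresholds listed above can be sampled and compared in one pass instead of being read off the System Monitor graph. The script below is an added example, not code from the book; it assumes Windows PowerShell 2.0 or later (the Get-Counter cmdlet), and it assumes the NTDS counter paths are spelled as the counter names in the text (they exist only on a DC). The thresholds are the sustained values Microsoft recommends as given in the text; counters with no stated threshold are reported for trending only.

```powershell
# Added example (not from the book): sample the counters the chapter recommends
# and flag any whose average over the sample window exceeds the stated threshold.
# Assumes Windows PowerShell 2.0+ (Get-Counter). NTDS counter paths are assumed
# to match the counter names in the text and are only present on a DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Samples = 6,            # 6 samples x 10 s = a one-minute window
    [int]$IntervalSeconds = 10
)

# Threshold values are the "sustained basis" numbers from the text;
# $null means "collect for trending, no threshold".
$thresholds = @{
    '\Processor(_Total)\% Processor Time'             = 85
    '\Processor(_Total)\% DPC Time'                   = 10
    '\System\Processor Queue Length'                  = 6
    '\System\Context Switches/sec'                    = 70000
    '\Memory\Page Faults/sec'                         = 700
    '\PhysicalDisk(_Total)\Current Disk Queue Length' = 2
    '\Memory\Available MBytes'                        = $null
    '\NTDS\DS Search sub-operations/sec'              = $null
    '\NTDS\LDAP Searches/sec'                         = $null
    '\NTDS\LDAP Client Sessions'                      = $null
    '\NTDS\NTLM Authentications'                      = $null
    '\NTDS\Kerberos Authentications'                  = $null
}

# Collect all counters in one call so the samples share the same timestamps.
$data = Get-Counter -ComputerName $ComputerName -Counter @($thresholds.Keys) `
                    -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Average each counter across the window: the recommendations are about
# sustained values, so a single spike should not raise a flag.
$report = foreach ($path in $thresholds.Keys) {
    $values = $data | ForEach-Object { $_.CounterSamples } |
              Where-Object { $_.Path -like "*$path" } |
              ForEach-Object { $_.CookedValue }
    $avg   = ($values | Measure-Object -Average).Average
    $limit = $thresholds[$path]
    New-Object PSObject -Property @{
        Counter   = $path
        Average   = [math]::Round($avg, 2)
        Threshold = $limit
        Exceeded  = (($limit -ne $null) -and ($avg -gt $limit))
    }
}

$report | Sort-Object Exceeded -Descending |
    Format-Table Counter, Average, Threshold, Exceeded -AutoSize
```

A sudden rise in NTLM Authentications while Kerberos Authentications stays flat is the pattern the text describes for a Kerberos problem, so it is worth keeping both columns side by side in the output even though neither has a numeric threshold; the same goes for comparing LDAP Searches/sec across DCs to spot an application that is pinned to one of them.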
Use the following steps to configure System Monitor to display the key NTDS object counters.
Use System Monitor to Monitor Active Directory
1 Open the Windows Server 2003 Performance console from Start | Programs | Administrative Tools | Performance.
2 Select the System Monitor node in the left pane.
3 In the right pane, right-click on the graph and select Add Counters… in the context menu that appears. Note that you can also click the + button on the toolbar above the graph to add a new counter.
4 In the Add Counters dialog box, select NTDS from the Performance object: drop-down box.
5 In the Select counters from list: box, select the DS Search sub-operations/sec counter.
6 Click the Add button.
7 Repeating steps 5 and 6 after each addition, add the following counters: LDAP Searches/sec, LDAP Client Sessions, NTLM Authentications, and Kerberos Authentications.
8 Click the Close button in the Add Counters dialog box.
9 Your new counters should appear in the list in the right pane under the graph, as shown in Figure 19.6. Select one of these counters by clicking on it in this list.
10 Press Ctrl + H to highlight the counter in the graph. This tool is often used to display a large number of counters, making it very difficult to tell them apart in the graph. Using the highlight feature makes this much easier.
11 Close the Performance console.
Backing Up and Restoring Active Directory
Although it’s technically just a collection of files, Active Directory has its own unique backup and restore methods. In this section, we’ll discuss backing up and restoring the Active Directory database.
Figure 19.6 The Performance Console without Highlighting Enabled
Backing Up Active Directory
Several different methods can be used to back up Active Directory:
■ As part of a full system backup
■ As part of a partial system backup
■ Back up the system state data only
In the past, the Active Directory database had to be backed up as system state data. Microsoft Backup and some other third-party backup programs are now able to use a new Windows Server 2003 feature known as the Volume Shadow Copy service to work around this open file issue. Volume Shadow Copy makes a read-only copy of the information in these open files, which can be used for backup purposes. The original files continue to be accessed without any interference from the backup operation. When the backup is complete, the Volume Shadow Copy is deleted. The amount of disk space required by the Volume Shadow Copy will vary, based on the amount of data that changes on the disk during the backup procedure. If the underlying disk does not have enough free space to support Volume Shadow Copy, open files are not backed up.
When preparing a backup job, rather than specifying the individual files for Active Directory to be backed up, it is best to always use the system state data selection in the utility. System state will be backed up automatically when a full system backup is selected, and can be specified manually when a partial backup is selected. Using the system state backup feature ensures that all necessary files are backed up. When using the Windows Server 2003 backup utility, if you select system state data, Volume Shadow Copy is enabled by default and cannot be disabled. If you do not select system state data, you can choose to use Volume Shadow Copy (still selected by default) or not within the Backup Wizard.
Backing Up at the Command Line
Instead of using the graphical Backup utility, you can back up the system state data by using the command-line version of the Backup utility. This might be desirable for use with administrative scripts. The command-line utility is a full-featured backup program that can specify many of the same options covered in the previous section. To back up the system state data, open a command prompt (Start | Run and type cmd) and use the following command and options: ntbackup backup systemstate /J "Syngress Backup Job" /F "C:\backupfile.bkf"
■ Ntbackup is the name of the command-line backup utility
■ Backup is the option to specify a backup operation
■ Systemstate is the option used to specify that the system state data should be backed up
■ /J specifies the backup job name, which should be surrounded in quotes if it contains spaces
■ /F specifies the name of the backup file
Note that when you run this command, the graphical utility appears to show you the progress of the job.
There are many more switches that you can use with the Ntbackup command-line utility; those described here are the ones you will most commonly use to back up the system state data.
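Because the command-line form is the one you would call from an administrative script, the following Windows PowerShell wrapper is added here as an example; it is not from the book. It uses only the ntbackup switches described above (backup, systemstate, /J, /F), assumes ntbackup.exe is on the path as it is on Windows Server 2003, and uses a placeholder destination folder; treating ntbackup's exit code as unreliable and checking the output file instead is an assumption about the tool, not something the text states.

```powershell
# Added example (not from the book): run the system state backup shown in the
# text from a script, with a date-stamped file name and a result check.
# Assumes ntbackup.exe (Windows Server 2003) is on the path and that the
# destination folder already exists. $Destination is a placeholder path.
param(
    [string]$Destination = 'D:\ADBackups',   # placeholder; use a volume with free space for VSS
    [int]$KeepDays = 14                      # how long to keep older .bkf files
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$file  = Join-Path $Destination "SystemState-$env:COMPUTERNAME-$stamp.bkf"
$job   = "System State $env:COMPUTERNAME $stamp"   # /J job name; PowerShell quotes it for us

# Same switches the text describes: backup, systemstate, /J job name, /F file name.
& ntbackup.exe backup systemstate /J $job /F $file

# Assumption: ntbackup's exit code is not relied on; the run counts as successful
# only if the .bkf file exists and is non-empty.
if ((Test-Path $file) -and ((Get-Item $file).Length -gt 0)) {
    Write-Host "System state backup written to $file"

    # Prune older system state backups so the destination volume does not fill up.
    Get-ChildItem $Destination -Filter 'SystemState-*.bkf' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Force
} else {
    Write-Error "System state backup file $file was not created"
    exit 1
}
```

The .bkf produced this way contains the directory database itself, so the destination folder (and any copy taken off the server) should be readable only by the accounts that perform backups and restores; the prune step also keeps the number of such copies on disk bounded.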
Restoring Active Directory
Windows Server 2003 includes three types of directory services restore methods:
■ Primary
■ Normal
■ Authoritative
The Active Directory restore options have seen some significant changes since Windows 2000. In Windows 2000, there were only two methods of restoration: Authoritative and Non-Authoritative. With Windows Server 2003, Authoritative restores remain unchanged; however, Non-Authoritative restores are now referred to as Normal restores. Despite the name change, they function exactly as they always have.
A new type of restore is added, the Primary restore. This is designed to be used when all DCs for a given domain have been wiped out and need to be restored. Under Windows 2000, this could be an exhaustive Authoritative restore process involving many hours of labor and double-checking. With the new Primary restore type, it is as simple as selecting a check box.
Directory Services Restore Mode
Before we discuss the three different restore methods that can be used, it is important to discuss the Directory Services Restore Mode. Remember that the special feature of this mode is that it allows a DC to boot without initializing its copy of the Active Directory database. Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account. When you have booted to the Directory Services Restore Mode using the directions given earlier in the chapter, you must log on with this account. After you are authenticated, you can perform certain limited maintenance functions, such as running the Ntdsutil utility mentioned earlier. You can also run the Backup utility to perform restores of the Active Directory database. It is necessary to perform all restores while running in this mode, because the Active Directory database must be offline to be restored. In this mode, you are logged on to a local account and the Active Directory database is not in use.
Normal Restore
The simplest of all restore methods is the normal restore. This method can be used in the following circumstances:
■ When a domain only has one DC, and the DC needs to be restored. You can also opt to use the primary restore method (covered later) for this scenario
■ If there are multiple DCs on the network for the domain, and at least one remains functional, a normal restore can be used to bring the downed DCs back to life
Like all Active Directory restores, a normal restore is performed by running the Backup utility while logged on to Directory Services Restore Mode. When the restore has completed, the DC is rebooted. When it comes back up, it begins normal replication with its replication partners. Because it was restored from a backup, some of its objects will have older version numbers than ones currently on the network. This will cause updates and deletions to be replicated to the DC and will bring its Active Directory database up to date. To perform a normal restore, follow these steps:
1 Boot or reboot the computer.
2 When prompted, press F8 during Windows Server 2003 startup.
3 Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4 Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5 You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6 Log on by providing the password for the local administrator account and clicking the OK button.
7 Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8 Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
9 On the initial page of the wizard, click the Next button.
10 Select the option button next to Restore files and settings and click the Next button.
11 The What to Restore page contains an Explorer style interface similar to the one you encountered while configuring your backup job. Click the plus sign next to File in the left pane. This should reveal the file to which you backed up the system state data earlier. If it doesn’t, you can click the Browse… button and select the file from the Open Backup File dialog box. Click the plus sign next to the file to which you backed up and select the check box next to the backup you want to restore that appears beneath it. Click the Next button after making your selection.
12 At this point in the wizard, you can click the Finish button and allow the restore to proceed with the default advanced settings. However, we want you to see more of the settings that are available within the wizard, so click the Advanced… button.
13 The Where to Restore page appears with three options that can be selected from the Restore files to: drop-down box:
■ Original location This option restores all files to their original locations and is the default. When you select this option and click the Next button, a dialog box appears, informing you that restoring system state will always overwrite the current system state information unless you restore to an alternate location. Click the OK button to proceed to the next screen.
■ Alternate location Selecting this option reveals the Alternate location: text box and a Browse… button that opens the Restore Path dialog box. You can use this option to restore the files to a different location. This can be helpful for verification and file comparison purposes.
■ Single folder This option reveals the Alternate location: text box and Browse… button, which opens the Restore Path dialog box. As with the Alternate location setting, you can use this option to restore the files to an alternate location. When this option is selected, all restored files are placed in a single directory, rather than having their directory structures restored.
14 Click the Next button after making your selection.
15 Depending on your selection, a Warning dialog box (shown in Figure 19.7) might appear to inform you that a restore of system state data will always overwrite the current system state data unless you choose to restore it to an alternate location. Click the OK button if you receive this dialog box.
16 The How to Restore page contains the following three options:
■ Leave existing files (Recommended) This option ensures that the restore process does not overwrite any files that currently exist on the DC.
■ Replace existing files if they are older than the backup files This option permits the files on the disk to be overwritten, but only if the backup file is newer than the one currently on the DC.
■ Replace existing files Always copies the files from the backup media to the DC and replaces all files existing on the DC, regardless of whether they are newer.
17 After making your selection, click the Next button to proceed.
18 The Advanced Restore Options page contains the following five check boxes:
■ Restore security settings This option is selected by default, and should remain selected. It shows the power that a user with restore rights has, because any such user can, by deselecting this check box, restore the files without their associated permissions. In some circumstances, difficulties can arise when restoring data that was on a disk formatted in the NTFS file system, which supports file level permissions, to one using the FAT file system, which does not support file level permissions. In circumstances like these, clearing this check box has been known to resolve some of the issues. This is because selecting this box restores a wide range of extended data (permissions, auditing information, and ownership information) that is not supported by the FAT file system.
Figure 19.7 The System State Restore Warning Dialog Box
■ Restore junction points, but not the folders and file data they reference Among other things, junction points are used to reference mounted drives. In Windows Server 2003, volumes can be mounted in folders of another volume, instead of being accessed through a drive letter. If you do not restore junction points, you will not be able to restore the information on mounted drives unless you recreate the junction points manually.
■ Preserve existing volume mount points This option relates to the preceding point. When using mounted drives, it is necessary to create mount points, which are the empty folders to which the volume is mounted (thus creating the mounted drive). When selected, this box protects existing mount points on the volume being restored. This is helpful if you have already formatted the disk to which you are restoring and added these mount points prior to beginning the restore. However, if you have formatted the disk to which you are restoring and have not added these mount points back manually, clearing this check box will restore your old mount points from tape. This option is selected by default.
■ Restore the Cluster Registry to the quorum disk and all other nodes This option restores the cluster quorum database and replicates it to all of the nodes in the server cluster. This option will be grayed out if the DC is not part of a server cluster.
■ When restoring replicated data sets, mark the restored data as the primary data for all replicas This option is used to perform a primary restore and is covered in detail later in the chapter.
19 Click the Next button after making your selections.
20 Click the Finish button to begin the restore.
21 The restore will take at least a few minutes and display its progress as shown in Figure 19.8. When it is finished, click the Close button (shown in Figure 19.9) to close the Restore Progress dialog box, or click the Report… button to view the backup log associated with the job. Clicking the Report… button will display the Notepad application with the log file displayed, as shown in Figure 19.10. You should review the log for any error messages, such as those pertaining to files that had to be skipped. When you have finished reviewing the log, close the Notepad application.