If you did not assign a static IP address, the Active Directory Domain Services Installation Wizard will give you a warning because you are using a dynamic IP address.
23 Click the Yes, The Computer Will Use A Dynamically Assigned IP Address (Not
26 On the Source Domain Controller page, accept the defaults and click Next.
27 On the Location For Database, Log Files And SYSVOL page, accept the default locations and click Next.
28 Type a strong password, confirm it, and click Next.
29 Confirm your settings on the Summary page and click Next. Select Reboot On Completion and wait for the operation to complete.
Your new DC has been created from local media. This cuts down replication and then updates the data through replication after the DC has been created.
Exercise 3 Perform Database Maintenance
In this exercise, you will perform interactive database maintenance, using the restartable Active Directory Domain Services mode. You can perform this operation now because there are two DCs in the treyresearch.net domain. You must have at least two DCs to be able to use restartable AD DS.
1 Log on to SERVER11 with the domain administrator account.
2 Use Windows Explorer to create a C:\Temp and a C:\OriginalNTDS folder.
You will use these folders as temporary locations for the compacted and the original database.
3 In Server Manager, expand the Configuration node and click Services.
4 Locate the Active Directory Domain Services service (it should be first on the list) and right-click it to select Stop.
5 In the Stop Other Services dialog box, click Yes.
The server will stop the service.
Remember that if the service cannot contact another writable DC, it will not be able to stop; otherwise, no one would be able to log on to the domain.
6 Launch an elevated command prompt by right-clicking Command Prompt in the Start menu and choosing Run As Administrator.
7 Begin by compacting the database. Type the following commands:
ntdsutil
activate instance NTDS
files
compact to C:\temp
The Ntdsutil.exe will compact the database and copy it to the new location. In very large directories, this operation can take some time.
8 Type the following after the compaction operation is complete:
You delete the log files because you will be replacing the Ntds.dit file with the newly compacted file, and the existing log files will not work with the newly compacted database.
10 Now, back up the Ntds.dit file to protect it in case something goes wrong. Type the following:
copy ntds.dit \originalntds
11 Copy the newly compacted database to the original NTDS folder. Making sure you are still within the %SystemRoot%\NTDS folder, type the following:
copy c:\temp\ntds.dit
y
12 Finally, verify the integrity of the new Ntds.dit file.
After this is done, you will also perform a semantic database analysis to verify the data within the database. Type the following:
Note that if the integrity check fails, you must recopy the original Ntds.dit back to this folder because the newly compacted file is corrupt. If you do not do so, your DC will no longer be operational.
13 Return to Server Manager, expand the Configuration node, and click Services.
14 Locate the Active Directory Domain Services service (it should be first on the list) and right-click it to select Start.
Your server is back online and ready to deliver authentication services to the network. It can take several minutes for the dependent services to restart. Delete the Ntds.dit located in the Original NTDS folder because it is no longer valid.
Exercise 4 Automate Database Maintenance
You can script the entire database compaction operation from the command line if you want to automate it. You should, however, make sure all the operational results are captured in a text file so that you can review them if something goes wrong.
1 Log on to SERVER11 with the domain administrator account.
2 Also, make sure both a C:\Temp folder and a C:\NTDS folder exist on your server and that both folders are empty.
You will use this folder as a temporary location for the compacted database. You are ready to automate the compaction process.
3 Move to the C:\Temp folder and right-click in the details pane to select New; then click Text Document.
4 Name the Text document Compaction.cmd
If you cannot see the .txt extension of the file, click Folder Options from the Tools menu in Windows Explorer. On the View tab, clear Hide Extensions For Known File Types and click OK. Remove the .txt extension on your file name. Confirm the removal.
5 Right-click Compaction.cmd and choose Edit. Type the following commands:
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
net start ntds
6 Save and close the Compaction.cmd file.
Note that you can add a pause command after each command in your text file to verify the proper operation of the commands while testing.
7 Test the file by launching an elevated command prompt by right-clicking Command Prompt in the Start
menu and choosing Run As Administrator.
If the file works properly, you can use it to automate the compaction process.
10 Remove any pause statements you entered in the file and save it again.
You can reuse this command file each time you want to run the compaction on your systems. It is recommended that you run this command file interactively to address any errors or issues during the process. Be very wary of putting this file into a scheduled task. You should never run compaction in unattended mode because errors could destroy your DC.
11 If a DC is nonfunctioning, you can use the following command to remove the DC role: dcpromo /forceremoval
12 Run the Active Directory Domain Services Installation Wizard again to re-create the DC.
Perform the Ntds.dit compaction operation at least once a month.
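The following script is an added PowerShell example, not the Compaction.cmd from the exercise. It performs the same sequence as Exercises 3 and 4 (stop AD DS, compact, keep a copy of the original Ntds.dit, delete the old log files, copy the compacted file into place, check integrity, run the semantic analysis, restart), but every command's output is appended to a log file in C:\Temp, and if the integrity check fails the original Ntds.dit is copied back automatically, which is the recovery the note under step 12 describes. Assumptions: the script is run from an elevated PowerShell prompt on a DC that can reach another writable DC, the work folders are C:\Temp and C:\OriginalNTDS as in the exercise, and the string "Integrity check successful" used to recognise a good integrity result is assumed to be what Ntdsutil.exe prints; confirm it against an interactive run before relying on it.

```powershell
# Compact-Ntds.ps1 (added example; not the book's Compaction.cmd)
# Scripted offline compaction of Ntds.dit on a Windows Server 2008 DC using restartable AD DS.
# All output goes to a dated log so the run can be reviewed; the original database is restored
# if the integrity check fails. Assumptions: elevated PowerShell, C:\Temp and C:\OriginalNTDS
# as work folders, and the ntdsutil success string below (assumed, verify interactively first).

$ntdsDir   = Join-Path $env:SystemRoot 'NTDS'
$tempDir   = 'C:\Temp'
$backupDir = 'C:\OriginalNTDS'
$log       = Join-Path $tempDir ('Compaction-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))

function Write-Log([string]$Message) {
    "$(Get-Date -Format s)  $Message" | Out-File -FilePath $log -Append
    Write-Host $Message
}

function Invoke-Ntdsutil([string[]]$Commands) {
    # Each ntdsutil menu command is passed as one quoted argument, as in Compaction.cmd.
    Write-Log ("ntdsutil " + ($Commands -join ' '))
    $output = & ntdsutil.exe @Commands
    $output | Out-File -FilePath $log -Append
    return $output
}

foreach ($dir in $tempDir, $backupDir) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Remember which NTDS dependents (KDC, DNS, ...) were running so they can be restarted afterwards.
$dependents = (Get-Service ntds).DependentServices | Where-Object { $_.Status -eq 'Running' }
Write-Log "Stopping AD DS and dependents: $($dependents | ForEach-Object { $_.Name })"
net stop ntds /y | Out-File -FilePath $log -Append
if ((Get-Service ntds).Status -ne 'Stopped') {
    Write-Log 'AD DS did not stop (is another writable DC reachable?). Aborting.'
    exit 1
}

$compacted = Join-Path $tempDir 'ntds.dit'
Remove-Item $compacted -ErrorAction SilentlyContinue
$null = Invoke-Ntdsutil 'activate instance NTDS', 'files', "compact to $tempDir", 'quit', 'quit'

if (-not (Test-Path $compacted)) {
    Write-Log 'Compaction produced no ntds.dit; the original database is left in place.'
} else {
    # Keep the original before replacing it, then drop the old log files, which do not
    # match the compacted database (steps 8 to 11 of the interactive exercise).
    Copy-Item (Join-Path $ntdsDir 'ntds.dit') $backupDir -Force
    Remove-Item (Join-Path $ntdsDir '*.log')
    Copy-Item $compacted $ntdsDir -Force
    Write-Log 'Compacted database copied into place; running integrity check.'

    $integrity = Invoke-Ntdsutil 'activate instance NTDS', 'files', 'integrity', 'quit', 'quit'
    if ($integrity -match 'Integrity check successful') {
        $null = Invoke-Ntdsutil 'activate instance NTDS', 'semantic database analysis', 'go fixup', 'quit', 'quit'
        Write-Log 'Integrity check and semantic database analysis complete.'
    } else {
        # The compacted file is not usable: put the original back so the DC can start.
        Copy-Item (Join-Path $backupDir 'ntds.dit') $ntdsDir -Force
        Write-Log 'Integrity check FAILED; original ntds.dit restored. Review the log before retrying.'
    }
}

net start ntds | Out-File -FilePath $log -Append
foreach ($svc in $dependents) { Start-Service $svc.Name -ErrorAction SilentlyContinue }
Write-Log "Done. Log file: $log"
```

Run it interactively, as the text recommends, and read the log before deleting the copy in C:\OriginalNTDS; the script never schedules itself, for the reason given above.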
Exercise 5 Protect Group Policy Objects
In this exercise, you will use the GPMC to back up GPOs.
1 Log on to SERVER11 with the domain administrator account.
2 Verify the existence of a folder named Temp on the C drive.
3 Launch the GPMC from the Administrative Tools program group.
4 Expand Forest\Domains\domainname\Group Policy Objects.
5 Right-click Group Policy Objects and select Back Up All.
6 Type the location as C:\Temp or use the Browse button to locate the folder.
7 Type a description, in this case, First GPO Backup, and click Back Up.
The GPO backup tool will show the progress of the backup.
8 Click OK after the backup is complete.
Your GPOs are now protected.
9 Back up the Temp folder.
You can rely on this folder to copy the GPOs from one domain to another if you wish. Perform this operation at least once a week.
Exam Tip Backing up and restoring GPOs are both important parts of the exam. Practice these operations thoroughly to prepare for this topic.
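A scripted form of this exercise, added here as an example (the book uses the GPMC console): it backs up every GPO to a dated folder under C:\Temp, checks that each GPO actually produced a backup, and copies the folder elsewhere, which is step 9. It assumes the GroupPolicy PowerShell module, which ships with Windows Server 2008 R2 and RSAT rather than with Windows Server 2008 itself, and \\BACKUPSRV\GpoArchive is a placeholder for a share of your own, not a host from the book.

```powershell
# Backup-AllGpos.ps1 (added example; the exercise above uses the GPMC GUI instead)
# Weekly GPO backup with verification and an off-server copy.
# Assumptions: GroupPolicy module available (Windows Server 2008 R2 / RSAT);
# \\BACKUPSRV\GpoArchive is a placeholder share, not part of the exercise.

Import-Module GroupPolicy

$backupRoot = 'C:\Temp\GPOBackups'
$mirror     = '\\BACKUPSRV\GpoArchive'
$stamp      = Get-Date -Format 'yyyy-MM-dd'

function Backup-AllGpos([string]$Path, [string]$Comment) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $expected = @(Get-GPO -All)
    # Backup-GPO returns one GpoBackup object per GPO it wrote; GpoId links it back to the GPO.
    $written    = @(Backup-GPO -All -Path $Path -Comment $Comment)
    $writtenIds = $written | ForEach-Object { $_.GpoId }
    $missing    = @($expected | Where-Object { $writtenIds -notcontains $_.Id } |
                    ForEach-Object { $_.DisplayName })
    New-Object PSObject -Property @{
        Path     = $Path
        Expected = $expected.Count
        BackedUp = $written.Count
        Missing  = $missing
    }
}

$report = Backup-AllGpos -Path (Join-Path $backupRoot $stamp) -Comment "Weekly GPO backup $stamp"
$report | Format-List Path, Expected, BackedUp, Missing
if ($report.Missing.Count -gt 0) {
    Write-Warning ("GPOs without a backup: " + ($report.Missing -join ', '))
}

# Step 9: keep a second copy of the dated folder away from the DC's own disk.
if (Test-Path $mirror) {
    Copy-Item -Path $report.Path -Destination $mirror -Recurse -Force
}

# Restoring later uses the same folder:  Restore-GPO -Name '<GPO display name>' -Path $report.Path
# Import-GPO reads the same backup into another domain, which is the copy between domains
# mentioned in the text.
```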
Lesson Summary
■ To maintain your directory service, you must perform proactive maintenance tasks. These tasks fall into twelve categories, many of which should be delegated to others. Domain administrators are responsible for the AD DS service and should focus on core directory operations such as database administration tasks.
■ Several tools are available for AD DS administration. The most commonly used tools are the three main Active Directory consoles: Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts.
■ With Windows Server 2008, AD DS is now a manageable service like all other servers and can be started and stopped without having to restart the server in Directory Services Restore Mode.
■ When you delete an object in AD DS, you must restore the object to re-create its properties. If you simply re-create the object, it will not have the same SID and, therefore, will not retain any of the deleted object’s properties. Restoring an object restores the original SID and, therefore, will automatically restore most of the access rights associated with the object.
■ There are several ways to protect information in the directory:
❑ You can protect objects from deletion.
❑ You can audit AD DS changes to view previous and changed values when changes are made.
❑ You can rely on the tombstone container to recover deleted objects.
❑ You can rely on backup and restore to recover lost information.
■ To restore objects from the deleted objects container in AD DS, you must use a tool that will expose this container and enable you to modify the state of the object. Two tools are available for this operation: Ldp.exe and Quest Object Restore for Active Directory. After the object is restored, you must reassign its password, group memberships, and other informational attributes and then enable the object.
■ When you restore an object from backup, the object is restored with all its previous attributes. No additional changes are required.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Proactive Directory Maintenance and Data Store Protection.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1 You are a systems administrator for contoso.com. You have been requested to compact the database on one of the two DCs for the forest root domain. However, when you try to stop the AD DS service, you find that you cannot stop it on the server you are working on. What could be the problem?
A You cannot stop the AD DS service on a Windows Server 2008 DC.
B Someone else is working on another DC in this domain.
C You must restart the server in Directory Services Restore Mode.
D You must use the net stop command to stop the AD DS service.
2 You are the network administrator of a large network. One of your DCs recently failed. You need to restore the DC to a working state. You have several backups of the server that were created with Windows Server Backup. Which of the following steps should you perform? (Choose all that apply.)
A Restart the server in Directory Services Restore Mode.
B Perform an authoritative restore using the Ntdsutil.exe command.
C Reinstall Windows Server 2008.
D Restart the server in WinRE.
E Perform a nonauthoritative restore using the Ntdsutil.exe command.
F Perform a full server recovery using the command line.
Lesson 2: Proactive Directory Performance Management
The second activity you must master to maintain your DCs proactively is performance management. When you use proper installation and creation procedures, your DCs should just work. Remember that the Domain Controller role is now in its fifth iteration since it appeared in Microsoft Windows NT, and it has evolved with the different releases of the Microsoft server operating system. This means that it is now a very solid and stable service.
However, you’ll find that despite this stability, things can still go wrong, whether they are related to system or human errors. And when they do, you need to be ready to identify the issues quickly and take appropriate steps to correct the situation. When you perform proactive performance management, you are forewarned when untoward events might occur. This is the crux of this lesson.
After this lesson, you will be able to:
■ Work with system performance indicators
■ Use the Windows Server performance and reliability tools
■ Use the Windows System Resource Monitor
■ Generate and view performance reports
Estimated lesson time: 45 minutes
Managing System Resources
Windows Server includes several tools that help identify potential issues with system resources. When systems are not configured properly and are not assigned appropriate resources such as CPU, RAM, or disk space, systems monitoring will help you identify where bottlenecks occur. When you identify these bottlenecks, you then assign additional resources to the system. If the system is physical, this most often means shutting down the system; installing new resources, for example, additional memory chips; and then restarting the system. If the system is virtual, then depending on the virtualization engine you use, you might be able to allocate new resources while the virtual machine is still running. If not, shut it down; allocate new resources, for example, an additional CPU and additional RAM; and then restart it. After the system is restarted, monitor its performance again to identify whether the new resources solved the problem.
The tools you can rely on to identify performance bottlenecks in Windows Server 2008 include:
■ Task Manager, which displays current system resource usage.
■ Event Viewer, which logs specific events, including performance-related events.
■ Reliability Monitor, which tracks changes brought to the system, enabling you to identify whether a change could be the cause of a new bottleneck.
■ Performance Monitor, which collects data in either real time or at specific intervals to identify potential issues.
■ Windows System Resource Manager (WSRM), which can be used to profile specific applications to indicate which resources they need at which time. You can also use it to manage application resource allocation based on the profiles you generate.
You can use other tools as well, such as Microsoft System Center Operations Manager, to monitor the state of a system continuously and automatically correct well-known issues. Operations Manager relies on custom management packs to monitor specific applications.
Using Task Manager
The simplest of all tools to use is Task Manager. This tool provides real-time system status information and covers several key aspects of a system’s performance, including:
■ Running applications
■ Running processes
■ Running services
■ Performance, including CPU and memory usage
■ Networking, including network interface card (NIC) utilization
■ Currently logged-on users
You can access Task Manager in a variety of ways, the most common of which is to right-click the taskbar and select Task Manager. Another common method is to use the Ctrl+Alt+Delete key combination and click Task Manager when the menu choices appear. For example, this is how you would access Task Manager on Server Core because it does not include a taskbar. You can also type Taskmgr.exe at a command prompt.
When you access information regarding system performance, the Performance tab is the most useful tab. (See Figure 13-7.) This displays complete information about your system’s key resource usage. It details physical and kernel memory usage. This tab also includes a button that gives you access to Resource Monitor. Clicking this button will launch Resource Monitor while keeping Task Manager open.
Resource Monitor is a super Task Manager because it brings together the CPU, disk, memory, and network usage graphs in a single view. (See Figure 13-8.) In addition, it includes expandable components for each resource, displaying details of each component so that you can identify which processes might be the culprit if issues are evident. These two tools are ideal for on-the-spot verifications of resource usage. You should rely on them if you need to identify immediately whether something is wrong with a server.
Figure 13-7 Viewing real-time performance information in Task Manager
For example, if the system does not have enough memory, you will immediately see that memory usage is constantly high. In this case, Windows will be forced to use on-disk virtual memory and will need to swap or page memory contents constantly between physical and virtual memory. Constant paging is a typical issue that servers with insufficient physical memory face and is often indicated by slow system behavior. One good indicator of insufficient memory is slow Server Manager operation.
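The same two checks without the GUI, as an added PowerShell example that is not part of the book: which processes hold the most physical memory (what Resource Monitor's expandable Memory section shows), and whether the paging counters stay high across several samples, which is the "constantly high" pattern described above rather than a short burst. It assumes Windows PowerShell 2.0 or later on the server; the two thresholds are constructed starting points for a DC, not Microsoft guidance, and the parsing assumes typeperf prints numbers with a "." decimal separator.

```powershell
# Test-MemoryPressure.ps1 (added example; not from the book)
# Command-line counterpart of the Task Manager / Resource Monitor memory check.
# Assumptions: Windows PowerShell 2.0+, typeperf output with "." as decimal separator,
# thresholds (50 pages/sec, 256 MB free) are constructed values to tune per server.

function Get-TopMemoryProcesses([int]$Top = 5) {
    # Largest working sets first: the processes to look at if memory is the bottleneck.
    Get-Process |
        Sort-Object WorkingSet -Descending |
        Select-Object -First $Top Name, Id,
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet / 1MB) } },
            @{ n = 'PrivateMB';    e = { [math]::Round($_.PrivateMemorySize / 1MB) } }
}

function Test-MemoryPressure([int]$Samples = 10, [int]$IntervalSeconds = 3) {
    # typeperf prints CSV: a header row whose column names carry the computer name, then one
    # row per sample, so the two counter columns are addressed by position rather than by name.
    $rows = typeperf '\Memory\Pages/sec' '\Memory\Available MBytes' -sc $Samples -si $IntervalSeconds |
            Where-Object { $_ -match '^"' } | ConvertFrom-Csv
    $cols  = @(@($rows)[0].PSObject.Properties | ForEach-Object { $_.Name })  # [0] time, [1] Pages/sec, [2] Available MBytes
    $pages = $rows | ForEach-Object { [double]$_.($cols[1]) } | Measure-Object -Average -Minimum
    $avail = $rows | ForEach-Object { [double]$_.($cols[2]) } | Measure-Object -Minimum
    New-Object PSObject -Property @{
        Samples        = $Samples
        AvgPagesPerSec = [math]::Round($pages.Average, 1)
        MinPagesPerSec = [math]::Round($pages.Minimum, 1)
        MinAvailableMB = [int]$avail.Minimum
        # Paging on every sample while free memory stays low: the server is short of RAM,
        # not just absorbing a one-off burst.
        ConstantPaging = ($pages.Minimum -gt 50) -and ($avail.Minimum -lt 256)
    }
}

Get-TopMemoryProcesses | Format-Table -AutoSize
Test-MemoryPressure | Format-List Samples, AvgPagesPerSec, MinPagesPerSec, MinAvailableMB, ConstantPaging
```

Using the minimum rather than the average for the verdict is deliberate: a single large page-in can inflate the average, but if the lowest sample is still high the paging never stopped during the window.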
Figure 13-8 Viewing real-time performance information in Resource Monitor
MORE INFO Resource Monitor
For more information on Resource Monitor, see Scenario 1 in “Windows Server 2008 Performance and Reliability Monitoring Step-by-Step Guide” at http://technet2.microsoft.com/windowsserver2008/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true.
Working with Event Viewer
Another excellent indicator of system health is Windows Event Log. Windows maintains several event logs to collect information about each of the services running on a server. By default, these include the Application, Security, Setup, System, and Forwarded Events logs, all located in the Windows Logs folder. However, on a DC, you will also have additional logs that are specifically related to AD DS operation. These will be located in the Applications and Services Logs folder and will include:
■ DFS Replication, which is available in domains and forests operating in Windows Server 2008 full functional mode. If you are running your domains or forests in one of the earlier modes, the log will be for the FRS replication service.
■ Directory Service, which focuses on the operations that are specifically related to AD DS.
■ DNS Server, which lists all events related to the naming service that supports AD DS operation.
However, one of the best features of Event Log is related to Server Manager. Because it acts as the central management location for each of the roles included in Windows Server 2008, Server Manager provides custom log views that percolate all the events related to a specific server role. For example, if you click the Active Directory Domain Services role, Server Manager will provide you with a log view that includes, among other things, a summary view of key events related to this service. (See Figure 13-9.)
Event Log lists three types of events: Information, Warning, and Errors. By default, the summary view displayed under the server role will list Errors with a high priority, Warnings with a medium priority, and Information messages with the lowest priority. Therefore, Errors will always appear at the top of the summary, alerting you immediately if there is an issue with your system. To drill down and see the event details, either double-click the event itself or move to the Event Viewer section under the Diagnostics node of the tree pane in Server Manager.
Figure 13-9 Viewing Summary Events for AD DS in Server Manager
MORE INFO Active Directory Services events and errors
To learn about specific events and errors related to Active Directory Services roles, go to http://technet2.microsoft.com/windowsserver2008/en/library/67928ddc-3c01-4a4a-a924-f964908b072b1033.mspx.
Events provide much more information in Windows Server 2008 and Windows Vista than ever before. In previous versions of Windows, events were arcane items that provided very little information about an issue. Today, you get a full explanation on an event in Event Viewer, and you can link to an online database maintained by Microsoft for each event. You can look up an event in this database by clicking the Event Log Online Help link in the event’s Properties dialog box. You will be prompted to send information about the event to Microsoft. Click Yes if you want information specifically about this event.
This database does not provide information about every event in Windows, but it covers the most frequently viewed events. You can also use third-party event log databases to view information about events.
MORE INFO Windows event IDs
To access a free database of Windows event IDs, go to http://kb.prismmicrosys.com/index.asp
The more information you know about Windows events, the easier it will be to deal with the issue. You can rely on the Microsoft online event database and free third-party event databases as well as supplement this information with online searches through tools such as Windows Live Search to locate information about an issue. Searching on the event ID will return the most results.
MORE INFO New features of Event Log
For more information on working with Event Log, download “Tracking Change” in Windows Vista, a multi-page article on the new features of Event Log and how it can be integrated with Task Manager to automate actions based on specific events as well as forward key events to a central collection system, at http://www.reso-net.com/download.asp?Fichier=A195.
Working with Windows Reliability Monitor
Another useful tool to identify potential issues on a system is Reliability Monitor. This tool, located under the Diagnostic\Reliability and Performance\Monitoring Tools node in Server Manager, is designed to track changes that are made to a system. Each time a change is performed on the system, it is logged in Reliability Monitor. (See Figure 13-10.) Tracked changes include system changes, software installs or uninstalls, application failures, hardware failures, and Windows failures.
If an issue arises, one of the first places you should check is Reliability Monitor because it tracks every change to your system and reveals what might have happened to make your system unresponsive. For example, if the change is a new driver for a device, it might be a good idea to roll back the device installation and see whether the system becomes more responsive. Verify Reliability Monitor whenever an issue affecting performance arises on a server.
Exam Tip Work with Task Manager, Event Viewer, and Reliability Monitor. All are important parts of the exam.
Figure 13-10 Viewing system changes in Reliability Monitor
Working with Windows Performance Monitor
Sometimes problems and issues are not immediately recognizable and require further research to identify them. In this case, you need to rely on Performance Monitor. This tool, located under the Diagnostic\Reliability and Performance\Monitoring Tools node in Server Manager, is designed to track performance data on a system. You use Performance Monitor to track particular system components either in real time or on a scheduled basis.
If you are familiar with previous versions of Windows Server, you’ll quickly note that Windows Server 2008 Performance Monitor brings together several tools you might be familiar with: Performance Logs and Alerts, Server Performance Advisor, and System Monitor. If you are new to Windows Server with the 2008 release, you’ll quickly find that when it comes to performance management and analysis, Performance Monitor is the tool to use. Using Performance Monitor, you create interactive collections of system counters or create reusable data collector sets. Performance Monitor is part of Windows Reliability and Performance Monitor (WRPM). Table 13-5 outlines each of the tools in WRPM that support performance monitoring and the access rights required to work with them.
Windows Server 2008 includes a new built-in group called Performance Log Users, which allows server administrators who are not members of the local Administrators group to perform tasks related to performance monitoring and logging. For this group to be able to initiate data logging or modify data collector sets, it must have the Log On As A Batch Job user right. Note that this user right is assigned to this group by default.
In addition, Windows Server 2008 will create custom Data Collector Set templates when a role is installed. These templates are located under the System node of the Data Collector Sets node of WRPM. For example, with the AD DS role, four collector sets are created:
■ The Active Directory Diagnostics set collects data from registry keys, performance counters, and trace events related to AD DS performance on a local DC.
■ The LAN Diagnostics set collects data from network interface cards, registry keys, and other system hardware to identify issues related to network traffic on the local DC.
■ The System Diagnostics set collects data from local hardware resources to generate data that helps streamline system performance on the local DC.
■ The System Performance set focuses on the status of hardware resources and system response times and processes on the local DC.
Of the four, the most useful for AD DS is the first. This should be the data set you rely on the most. You can create your own personalized data set. If you do, focus on the items in Table 13-6 as the counters you should include in your data set.
Table 13-5 WRPM Tools and Access Rights

Tool: Monitoring Tools, Performance Monitor
Purpose: To view performance data in real time or from log files. The performance data can be viewed in a graph, histogram, or report.
Access rights: Local Performance Log Users group

Tool: Data collector sets
Purpose: Groups data collectors into reusable elements that can be used to review or log performance. Contains three types of data collectors: performance counters, event trace data, and system configuration information.
Access rights: Local Performance Log Users group with the Log on as a batch job user right

Tool: Reports
Purpose: Includes preconfigured performance and diagnosis reports. Can also be used to generate reports from data collected using any data collector set.
Access rights: Local Performance Log Users group with the Log on as a batch job user right
Table 13-6 Monitor Common Counters for AD DS

Counter: Network Interface: Bytes Total/Sec
Description: Rate at which bytes are sent and received over each network adapter, including framing characters.
Use: Track network interfaces to identify high usage rates per NIC. This helps you determine whether you need to segment the network or increase bandwidth to prevent transmission
Long queues of items indicate that the NIC is waiting for the network and is not keeping pace with the server. This is a bottleneck.

Counter: NTDS: DRA Inbound Bytes Total/Sec
Description: Total bytes received through replication. It is the sum of both uncompressed and compressed data.
Use: If this counter does not have any activity, it indicates that the network could be slowing down replication.

Counter: NTDS: DRA Inbound Object Updates Remaining in Packet
Description: Number of object updates received through replication that have not yet been applied to the local server.
Use: The value should be low on a constant basis. High values show that the server is not capable of adequately integrating data received through replication. If this counter does not have any activity, it indicates that the network could be slowing down replication.

Counter: NTDS: DRA (entry incomplete in the source)

Counter: NTDS: DS Threads In Use
Description: Number of threads in use by AD DS.
Use: If there is no activity, the network might be preventing client requests from being processed.

Counter: NTDS: LDAP Bind Time
Description: Time required for completion of the last LDAP binding.
Use: High values indicate either hardware or network performance problems.

Counter: NTDS: LDAP Client (entry incomplete in the source)

Counter: Statistics: NTLM Authentication (counter name incomplete in the source)
Description: Number of NTLM authentications on the server per second.
Use: If there is no activity, the network might be preventing authentication requests from being processed.

Counter: DFS Replicated Folders: All Counters
Description: Counters for staging and conflicting data.
Use: If there is no activity, the network might be causing problems.

Counter: DFS Replication Connections: All Counters
Description: Counter for incoming connections.
Use: If there is no activity, the network might be causing problems. If there is no activity, the processor might be causing problems.

Counter: DNS: All Counters
Description: DNS Object Type handles the Windows NT DNS service on your system.
Use: If there is no activity, the network might be causing problems, and clients might not be able to locate this DC.

To add counters to Performance Monitor, simply click the plus (+) sign in the toolbar at the top of the details pane. This displays the Add Counters dialog box. (See Figure 13-11.) Scroll through the counters to identify which ones you need. In some cases, you will need subcounters under a specific heading (as shown in Table 13-6); in others, you need the entire subset of counters. When you need a subcounter, click the down arrow beside the heading, locate the subcounter, and click Add. When you need the entire counter, click the counter and click Add. This adds the counter with a star heading below it, indicating that all subcounters have been added.
IMPORTANT The Windows Server 2008 interface
When using the classic interface in Windows Server 2008, subcounters are accessed by clicking plus signs. When using the Desktop Experience feature in Windows Server 2008, which simulates the Vista interface, subcounters are accessed through down arrows.
To obtain information about a counter, click Show Description. Then, when you click any counter or subcounter, a short description will appear at the bottom of the dialog box.
Figure 13-11 Adding counters to Performance Monitor
As soon as you are finished adding counters and you click OK, Performance Monitor will start tracking them in real time. Each counter you added will be assigned a line of a specific color.
To remove a counter, click the counter, and then click the Delete button (X) on the toolbar at the top of the details pane.
You can start and stop Performance Monitor much like a media player, using the same type of buttons. When Performance Monitor runs, it automatically overwrites data as it collects more; therefore, it is more practical for real-time monitoring.
If you want to capture the counters you added into a custom data set, right-click Performance Monitor and select New; then choose New Data Collector Set. Follow the prompts to save your counter selections so that you can reuse them later.
Exam Tip Work with Performance Monitor because it is an important part of the exam. Also, note that there is no Server Performance Advisor (SPA) in Windows Server 2008. This Windows Server 2003 tool has been rolled into Windows Reliability and Performance Monitor. Don’t get caught on questions regarding SPA on the exam.
Creating Baselines for AD DS and DNS
For long-term system monitoring, you must create data collector sets. These sets run automated collections at scheduled times. When you first install a system, it is a good idea to create a performance baseline for that system. Then as load increases on the system, you can compare the current load with the baseline and see what has changed. This helps you identify whether additional resources are required for your systems to provide optimal performance. For example, when working with DCs, it is a good idea to log performance at peak and nonpeak times. Peak times would be when users log on in the morning or after lunch, and nonpeak times would be periods such as mid-morning or mid-afternoon. To create a performance baseline, you need to take samples of counter values for 30 to 45 minutes for at least a week during peak, low, and normal operations. The general steps for creating a baseline include:
1 Identify resources to track.
2 Capture data at specific times.
3 Store the captured data for long-term access.
IMPORTANT Performance monitoring affects performance
Taking performance snapshots also affects system performance. The object with the worst impact on performance is the logical disk object, especially if logical disk counters are enabled. However, because this affects snapshots at any time, even with major loads on the server, the baseline is still valid.
You can create custom collector sets, but with Windows Server 2008, use the default templates that are added when the server role is installed to do so. For example, to create a baseline for a DC, simply create a user-defined data collector set that is based on the Active Directory Diagnostics template and run it on a regular basis.
Then, when you are ready to view the results of your collection, you can rely on the Reports section of the Windows Reliability and Performance node. Right-click the collector set for which you want to view the report (either User Defined or System) and select Latest Report. This will generate the report if it isn’t already available and provide extensive information on the status of your DC. (See Figure 13-12.)
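The three baseline steps above (identify resources, capture at specific times, store for the long term) can be carried out without the WRPM GUI using logman.exe, the command-line counterpart of a user-defined data collector set. The script below is an added example, not from the book or from Microsoft's step-by-step guide: it builds a counter collector from the Table 13-6 counters plus a few hardware counters, samples every 15 seconds for 45 minutes, and schedules daily runs at peak and non-peak windows so the resulting logs can be compared week over week. It assumes an elevated PowerShell prompt on the DC, C:\PerfLogs\AD-Baseline as the log folder, and that the NTDS, DNS, and DFS Replication counter objects exist on this DC (remove the lines that do not apply); the four start times are constructed placeholders for your own peak and non-peak periods.

```powershell
# New-AdBaseline.ps1 (added example; not from the book)
# Scheduled counter collection for a DC performance baseline, using logman.exe and schtasks.exe.
# Assumptions: run elevated on the DC; NTDS/DNS/DFS Replication counter objects present;
# start times below are constructed placeholders for your own peak and non-peak windows.

$setName        = 'AD-Baseline'
$logDir         = 'C:\PerfLogs\AD-Baseline'
$sampleInterval = '00:00:15'
$runFor         = '00:45:00'                               # upper end of the 30-45 minutes the text recommends
$startTimes     = '08:00', '10:30', '13:00', '15:00'       # logon peak, mid-morning, after lunch, mid-afternoon

# Step 1: resources to track. Table 13-6 counters first, then the hardware side of a bottleneck.
$counters = @(
    '\Network Interface(*)\Bytes Total/sec'
    '\Network Interface(*)\Output Queue Length'
    '\NTDS\DRA Inbound Bytes Total/sec'
    '\NTDS\DRA Inbound Object Updates Remaining in Packet'
    '\NTDS\DS Threads in Use'
    '\NTDS\LDAP Bind Time'
    '\NTDS\LDAP Client Sessions'
    '\NTDS\NTLM Authentications'
    '\DFS Replicated Folders(*)\*'
    '\DFS Replication Connections(*)\*'
    '\DNS\*'
    '\Processor(_Total)\% Processor Time'
    '\Memory\Available MBytes'
    '\Memory\Pages/sec'
    '\LogicalDisk(*)\Avg. Disk Queue Length'   # logical disk counters cost the most; see the IMPORTANT note
)

if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# A counter file (-cf) avoids quoting problems when passing many counter paths on one command line.
$counterFile = Join-Path $logDir 'counters.txt'
$counters | Set-Content -Path $counterFile -Encoding ASCII

# Recreate the collector so the script can be re-run after the counter list is edited.
logman stop $setName 2>$null | Out-Null
logman delete $setName 2>$null | Out-Null
logman create counter $setName -cf $counterFile -si $sampleInterval -rf $runFor `
    -f bin -v mmddhhmm -o (Join-Path $logDir $setName) | Out-Null

# Step 2: capture at specific times. One daily task per window; -rf above stops the
# collection after 45 minutes and -v mmddhhmm gives each run its own .blg file.
foreach ($time in $startTimes) {
    $taskName = "$setName $($time -replace ':', '')"
    schtasks /create /f /tn $taskName /sc daily /st $time /ru SYSTEM /tr "logman start $setName" | Out-Null
}

logman query $setName

# Step 3: the .blg files in $logDir are the long-term store. To compare a later run with the
# baseline, open both in Performance Monitor, or convert one to CSV for a spreadsheet:
#   relog "<run>.blg" -f csv -o run.csv
```

The binary format (-f bin) is what Performance Monitor opens directly; switch to -f csv only if the logs will be consumed by other tools, since the binary logs are smaller and keep full counter metadata.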
MORE INFO Performance Monitor scenarios
For more information on Performance Monitor, see the scenarios in the Windows Server 2008 Performance and Reliability Monitoring Step-by-Step Guide at http://technet2.microsoft.com/windowsserver2008/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true.
Figure 13-12 Viewing an Active Directory diagnostics report
Working with Windows System Resource Manager
Windows Server 2008 includes an additional tool for system resource management, WSRM, a feature that can be added through Add Features in Server Manager. WSRM can be used in two manners. First, it can be used to profile applications. This means that it helps identify how many resources an application requires on a regular basis. When operating in this mode, WSRM logs events in the application event log only when the application exceeds its allowed limits. This helps you fine-tune application requirements.
The second mode offered by WSRM is the manage mode. In this mode, WSRM uses its allocation policies to control how many resources applications can use on a server. If applications exceed their resource allocations, WSRM can even stop the application from executing and make sure other applications on the same server can continue to operate. However, WSRM will not affect any application if combined processor resources do not exceed 70 percent utilization. This means that when processor resources are low, WSRM does not affect any application.
WSRM also supports Alerts and Event Monitoring. This is a powerful tool that is designed to help you control processor and memory usage on large multiprocessing servers. By default, the WSRM includes four built-in management policies, but it also includes several custom resources you can use to define your own policies. Basically, WSRM will ensure that high-priority applications will always have enough resources available to them for continued operation, making it a good tool for DCs.
IMPORTANT DCs and WSRM
If you use single-purpose DCs, you will not need WSRM as much as if you use multipurpose DCs. Multipurpose DCs will usually run other workloads at the same time as they run the AD DS service. Using WSRM in this case can ensure that the AD DS service is available during peak hours by assigning it more resources than other applications. However, consider your choices carefully when deciding to create a multipurpose DC. DCs are secure servers by default and should remain this way at all times. If you add workloads to a DC, you will need to grant access rights to the DC to application administrators, administrators that do not need domain administration access rights.
Use WSRM to first evaluate how your applications are being used; then apply management policies. Make sure you thoroughly test your policies before applying them in your production environment. This way, you will be able to get a feel for WSRM before you fully implement it in your network. When you’re ready, you can use WSRM Calendar to determine when which policy should be applied.
IMPORTANT WSRM resource requirements
If you are managing several servers with WSRM, you might need to dedicate resources to it because it is resource-intensive. You might consider placing it on a dedicated management server if this is the case.
Quick Check
1 You want to view potential error messages about the directory service. Where can you find this information?
2 You are using WSRM to control processor and memory resources for several applications on a server. However, after investigation, you see that none of your policies are applied. What could be the problem?
3 What are the objects you can use to allocate resources in WSRM?
Quick Check Answers
1 View potential error messages about the directory service in Event Log. You can view this information in two places. The first is by clicking the server role name in the tree pane of Server Manager. This will display a summary view of directory service events. The second is by going to the Directory Service log itself, under Event Viewer. This will display all the events related to the directory service.
2 WSRM will not apply any policies if the processor usage does not reach 70 percent.
3 WSRM resource allocations can be assigned to three objects: processes, users, or IIS application pools.
WSRM can be used for the following scenarios:
■ Use predefined or user-defined policies to manage system resources. Resources can be allocated on a per-process, per-user, or per-IIS application pool basis.
■ Rely on calendar rules to apply your policies at different times and dates without any manual intervention.
■ Automate the resource policy selection process based on server properties, events, or even changes to available physical memory or processor count.
■ Collect resource usage information in local text files or store them in a SQL database. You can also create a central WSRM collection system to collate resource usage from several systems running their own instances of WSRM.
Table 13-7 outlines the default policies included in WSRM as well as the custom resources you can use to create custom policies.
WSRM can completely control how applications can and should run.
Table 13-7 WSRM Policies and Custom Resources

Built-in Policy                 Description
Equal per process               Assigns each application an equal amount of resources.
Equal per user                  Groups processes assigned to each user who is running them and assigns equal resources to each group.
Equal per session               Allocates resources equally to each session connected to the system.
Equal per IIS application pool  Allocates resources equally to each running IIS application pool.

Custom Resource                 Description
Process Matching Criteria       Used to match services or applications to a policy. Can be selected by file name, command, specified users, or groups.
Resource Allocation Policies    Used to allocate processor and memory resources to the processes that match criteria you specify.
Exclusion lists                 Used to exclude applications, services, users, or groups from management by WSRM. Can also use command-line paths to exclude applications from management.
Scheduling                      Use a calendar interface to set time-based events to resource allocation. Supports policy-based workloads because you can set policies to be active at specific times of day, specific days, or other schedules.
Conditional policy application  Used to set conditions based on specific events to determine whether policy will run.
PRACTICE AD DS Performance Analysis
In this practice, you will use both WRPM and WSRM to view the performance of your servers. First, you will create a custom collector set. After the collector set is created, you will run it and view the diagnostics report. In the second exercise, you will install WSRM to view the policies it provides. These exercises rely on SERVER10, but SERVER11 should also be running.
Exercise 1 Create a Data Collector Set
A data collector set is the core building block of performance monitoring and reporting in WRPM. You can create a combination of data collectors and save them as a single data collector set.
1 Log on to SERVER10 with the domain Administrator account.
You need to be a member only of the Performance Log Users group with the Log On As A Batch Job user right, but for the purpose of these exercises, you will use the domain administrator account.
2 In Server Manager, expand Diagnostics\Reliability and Performance\Data Collector Sets, right-click User Defined, select New, and then select Data Collector Set.
3 On the Template page, type Custom AD DS Collector Set, make sure Create From A Template (Recommended) is selected, and click Next.
4 On the next page, select the Active Directory Diagnostics template and click Next.
5 By default, the wizard selects %systemdrive%\PerfLogs\Admin as the root directory; however, you might prefer to keep your collector sets on a separate drive if it exists. In this case, click Browse, choose drive D, and create a new folder named AD DS Collector Sets. Press Enter and click OK to close the dialog box, and then click Next.
6 On the Create The Data Collector Set page, in the Run As field, type the account name and the password to run the data collector set. Leave the defaults and click Finish.
When you create collector sets for long-term use, use a special account that is both a member of the Performance Log Users group and has the Log On As A Batch Job user right to run your collector sets. Note that the Performance Log Users group has this right assigned to it by default.
When you finish the New Collector Set Wizard, you are given three options:
❑ Open Properties Data For This Data Collector Set to view the properties of the data collector set or to make additional modifications.
❑ Start This Data Collector Set Now to run the data collector set immediately.
❑ Save And Close to save the data collector set without starting the collection.
Your custom data collector set has been created. Notice that it is stopped. To schedule the Start condition for your data collector set, use the following procedure.
7 Right-click Custom AD DS Collector Set and click Properties.
8 Click the Schedule tab and click Add to create a start date, time, or day schedule.
9 In the Folder Action dialog box, make sure that today’s date is the beginning date, select the Expiration Date check box, and set it as one week from today. Also, make sure that the report time is set to the current time. Click OK.
You must set the start date of the schedule to now for the collection set to work. If not, you will not be able to generate reports in later steps.
Note that you can create quite a modular schedule in this dialog box. Also, note that selecting an expiration date will not stop data collection in progress on that date. It will only prevent new instances of data collection from starting after the expiration date. You must use the Stop Condition tab to configure how data collection is stopped.
10 Click the Stop Condition tab, select the Overall Duration check box, make sure it lists 5 minutes, and select the Stop When All Data Collectors Have Finished check box. Click OK.
You select the Stop When All Data Collectors Have Finished check box to enable all data collectors to finish recording the most recent values before the data collector set is stopped if you have also configured an overall duration.
You can also set limits on your collection. However, note that when an overall duration is configured, it will override any limits you set. If you do want to set limits, make sure the Overall Duration check box is cleared and define the following limits:
❑ Use When A Limit Is Reached, Restart The Data Collector Set to segment data collections into separate logs.
❑ To configure a time period for data collection to write to a single log file, select the Duration check box and set its value.
❑ To restart the data collector set or to stop collecting data when the log file reaches a specific limit, select the Maximum Size check box and set its value.
Collector sets will generate a large amount of data if you allow them to run unmonitored. To configure data management for a data collector set, use the following procedure.
11 Right-click Custom AD DS Data Collector Set and click Data Manager.
12 On the Data Manager tab, you can accept the default values or change them according to your data retention policy. Keep the defaults.
❑ Select the Minimum Free disk or Maximum Folders check boxes to delete previous data according to the resource policy you choose from the drop-down list (Delete Largest or Delete Oldest).
❑ Select the Apply Policy Before The Data Collector Set Starts check box to delete previous data sets according to your selections before the data collector set creates its next log file.
❑ Select the Maximum Root Path Size check box to delete previous data according to your selections when the root log folder size limit is reached.
13 On the Actions tab, you can set specific data management actions for this collector set. Note that three policies already exist. Click the 1 Day(s) policy and click Edit.
Folder actions enable you to choose how data is archived before it is permanently deleted. You can decide to disable the Data Manager limits in favor of managing all data according to these folder action rules. For example, you could copy all collection sets to a central file share before deleting them on the local server.
14 Click OK and OK again.
Your collector set is ready to run. Wait until the scheduled time occurs for the report to run. However, if you want to view an immediate report, proceed as follows:
15 Right-click the Active Directory Diagnostics template collector set under Data Collector Sets, System and click Latest Report.
If no report exists, this will launch the data collector set and begin the collection of information from your server. The set should run for five minutes and then stop. If a report exists, it will move you to the Reports node and display it.
16 If the report does not exist and you expand the Reports section of WRPM, you will see that the collection set is generating a report. Click the report name.
17 View the report that was generated by your collector set. Click Report Name under the collector set name in System reports.
You can also use the other default templates to generate reports on the spot. For example, if you want to run a report from the Systems Diagnostics template, right-click the template name under the System node and select Latest Report. If no report exists, it will run the collector set and then display the report in the details pane.
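As an added example (not from the book), the same kind of collector set built from the command line with logman.exe instead of the wizard; the set name and the D drive folder follow the exercise, while the counter selection, the 15-second interval and the 50 MB limit are assumptions. The Data Manager settings of steps 11 through 14 are not exposed by logman and are left to the console.

```powershell
# Added example, not code from the book: scripted equivalent of Exercise 1 using logman.exe,
# the command-line front end to data collector sets that ships with Windows Server 2008.
# Requires PowerShell 2.0 or later (array splatting to a native command).

$setName = 'Custom AD DS Collector Set'     # step 3
$logRoot = 'D:\AD DS Collector Sets'        # step 5

# Assumed counter selection for a DC, not the full Active Directory Diagnostics template.
# The LogicalDisk counter carries the largest monitoring overhead; drop it for a lighter set.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\Avg. Disk Queue Length',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DS Directory Reads/sec'
)

function New-AdDsCollectorSet {
    param(
        [string]$Name = $setName,
        [string]$Root = $logRoot,
        [string[]]$CounterPaths = $counters,
        [int]$DurationMinutes = 5,    # step 10: overall duration of five minutes
        [int]$ExpireDays = 7,         # step 9: expiration one week from today
        [int]$MaxSizeMB = 50          # Maximum Size limit (assumed value)
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        New-Item -Path $Root -ItemType Directory | Out-Null
    }

    # Step 9: the schedule begins now. With -r, logman repeats the set daily between the
    # -b and -e clock times until the -e date, so -e is the expiration date at
    # begin time plus the run duration.
    $begin = Get-Date
    $end   = $begin.AddDays($ExpireDays).AddMinutes($DurationMinutes)
    $fmt   = 'M/d/yyyy HH:mm:ss'

    $arguments = @('create', 'counter', $Name, '-c') + $CounterPaths + @(
        '-si',  '00:00:15',                # sample interval (assumed)
        '-f',   'csv',                     # CSV logs can be inspected without relog.exe
        '-o',   (Join-Path $Root $Name),   # log path under the D drive folder
        '-v',   'mmddhhmm',                # version each run's file name by start time
        '-b',   $begin.ToString($fmt),
        '-e',   $end.ToString($fmt),
        '-r',                              # repeat daily (the step 8/9 schedule)
        '-max', $MaxSizeMB,                # cap each log file at this many MB
        '-y'                               # answer yes to prompts (for example, overwrite)
    )
    & logman.exe @arguments
    return $LASTEXITCODE
}

# Create the set, show the resulting definition, and run it once right away (step 15 equivalent
# for the custom set); the collector stops on its own at the -e clock time.
if ((New-AdDsCollectorSet) -eq 0) {
    & logman.exe query $setName
    & logman.exe start $setName
}
```

Binary logs written by other sets can be turned into the same CSV form with relog.exe (relog <log>.blg -f CSV -o <log>.csv) for comparison against a baseline.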
Exercise 2 Install WSRM
In this exercise, you will install the WSRM service and view how it operates. This exercise is performed on SERVER10; ensure that it is running.
1 Log on to Server10 with the domain Administrator account.
2 In Server Manager, right-click the Features node and select Add Features.
3 On the Select Features page of the Add Features Wizard, select Windows System Resource Manager and click Next.
4 Server Manager prompts you to add Windows Internal Database. Click Add Required Features. Click Next.
Note that Windows Internal Database is a locally used database only and will not accept remote connections. To collect data from other servers, you must use Microsoft SQL Server 2005 or later.
5 Review the information on the Confirm Installation Selections page and click Install.
6 Examine the installation results and click Close
Your installation is complete
7 You can now use WSRM on this system. Windows System Resource Manager is a standalone console that can be found in the Administrative Tools program group.
8 When you open the console, it will ask you which computer to connect to. Select This Computer and click Connect.
Now you can tour the WSRM interface. (See Figure 13-13.) Note that it uses the standard Microsoft Management Console format. Explore the various features of this console.
Figure 13-13 Using Windows System Resource Manager
Lesson Summary
■ In Windows Server 2008, you can use a series of tools to manage and monitor resource usage on a computer. These include Task Manager, Event Logs, Reliability Monitor, and Performance Monitor.
■ Performance Monitor is now the single tool that regroups other tools used in previous versions of Windows. These tools included Performance Logs and Alerts, Server Performance Advisor, and System Monitor.
■ You can use Windows System Resource Manager to control how resources behave on a scheduled basis. In fact, it provides two functions. It can monitor resource usage over time and log activity. Then, it can be used to control access to resources based on specific policies.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 2, “Proactive Directory Performance Management.” The questions are also available on the companion CD if you prefer to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.
1 You are the systems administrator for contoso.com. You have been assigned the task of verifying data collector sets on a DC. You did not create the collector sets. When you check the collector sets, you find that they are continuously running and that the allocated storage area is full. What could be the problem? (Choose all that apply.)
A The collector sets do not have an expiration date.
B The collector sets have not been set to run on a schedule.
C The collector sets do not have a stop condition.
D The collector sets have been scheduled improperly.
2 You are a systems administrator at contoso.com. As you log on to a DC to perform maintenance, you get the impression that server response is sluggish. You want to verify what is going on. Which tool should you use? (Choose all that apply.)
A Reliability Monitor
B Event Viewer
C Task Manager
D Performance Monitor
Chapter Review
To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
■ Review the chapter summary.
■ Review the list of key terms introduced in this chapter.
■ Complete the case scenario. This scenario sets up a real-world situation involving the topics of this chapter and asks you to create a solution.
■ Complete the suggested practices
■ Take a practice test
Chapter Summary
■ Active Directory Domain Services is a set of complex services that interact with each other to provide a highly available identity and access solution. Because of this, there are several aspects to AD DS administration. In fact, twelve activities are required to manage the environment both online and offline, although many of the twelve can be delegated to others.
■ As domain administrators, operators of the directory service must concentrate on making sure the AD DS service is always available and runs at its optimum performance. Many of the operations required to do this involve offline database administration tasks. With the release of Windows Server 2008, these tasks can now be performed without having to shut down the server because the AD DS service can now be started and stopped like any other service.
■ There are several ways to protect AD DS data in Windows Server 2008 and several ways to restore it. One easy way to restore data is to recover it from the Deleted Items container, but when you do so, you must update the recovered item and then enable it.
■ Two tools support backups of directory data in Windows Server 2008. Ntdsutil.exe will support both the creation of offline installation media and the protection of the system state data required by the DC. Windows Server Backup will protect entire volumes of the system and will even protect and support the restore of an entire computer system.
■ Because the DC role is one that is ideal for virtualization, you can also protect DCs by using simple services such as the Volume Shadow Copy Service on host servers. This protects the virtual hard drives that comprise the virtual machine the DC is running on.
■ When performance issues arise, Windows Server 2008 provides a series of tools for analysis and problem correction. These include both real-time and scheduled analysis tools. Real-time tools include Task Manager, Resource Monitor, and Performance Monitor. Scheduled or tracking tools include Event Log, Reliability Monitor, and scheduled data collection sets in Performance Monitor.
■ Windows Server 2008 also includes a powerful tool by which you can manage policy-based workloads, Windows System Resource Manager. You must first use it to analyze running processes and then assign policies to these processes.
Key Terms
Use these key terms to understand better the concepts covered in this chapter.
■ compaction The process of recovering free space from a database. When database records are created, a specific amount of space is allocated in the database—enough to contain all of the record’s possible values. When the record is deleted, the space is not recovered unless a compaction operation is performed.
■ data collector set A collection of values collated from the local computer, including registry values, performance counters, hardware components, and more that provides a diagnostic view into the behavior of a system.
■ Ntds.dit The database that contains the directory store. This database is located on every DC and, because of multimaster replication, is updated at all times by all other DCs except RODCs.
■ tombstone The container to which each deleted object in the directory is automatically moved. This container retains objects for a period of 180 days to ensure that all possible replications involving this object have been performed. You can use this container to recover objects before the end of the 180 days.
Case Scenario
In the following case scenario, you will apply what you’ve learned about subjects of this chapter. You can find answers to the questions in this scenario in the “Answers” section at the end of this book.
Case Scenario: Working with Lost and Found Data
You are a domain administrator with Contoso, Ltd. During a routine verification, you notice that some of the accounts that should be contained within a specific OU have disappeared. You know that a local technician was assigned to work on these accounts recently because none of them had any information tied to them. In addition, new accounts needed to be created in this OU. The technician was assigned to add information such as the user’s address, manager, and office location in each of the accounts. You contact the technician and verify that he made the modifications as expected.
You examine your directory event logs to locate the answer. Fortunately, you configured a central collection server to which you forward AD DS events from all the DCs in your domain. After some time, you discover that another administrator from a remote office was working on the same OU at the same time as the technician. More examination shows that the administrator moved the OU from its original location and then moved it back at the same time as the technician was working on the accounts.
Where are the accounts you cannot find?
Suggested Practices
To help you successfully master the exam objectives presented in this chapter, complete the following tasks.
Proactive Directory Maintenance
Working with AD DS means working with a central repository that provides two key services: user authentication and object management, hence the classification of AD DS as a NOS directory service. To become even more familiar with the exam objectives covered by this chapter, perform the following additional practices.
■ Practice 1 Practice working with the various backup and restore tools found in Windows Server 2008. If you can, perform a complete server backup and then a complete server restore. Work with the DSRM and practice changing the DSRM password as well as performing nonauthoritative and authoritative restores. Make sure you examine as many of the different options available to you in each of the supported DC backup and restore scenarios as possible.
■ Practice 2 Work with the DC monitoring tools. Use Task Manager, Event Viewer, and the Windows Reliability and Performance Monitor views. Try as many of the various options as possible to become familiar with how they work. Look up the suggested article for Event Log management and apply its principles to your DCs.
■ Practice 3 Work with Windows System Resource Manager. WSRM includes many options. Examine as many as possible and test out their operation. Try assigning different policies to your DCs to see how they affect system operation. View the event logs to see how WSRM logs information about the system.
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just one exam objective, or you can test yourself on all the 70-640 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.
MORE INFO Practice tests
For details about all the practice test options available, see the “How to Use the Practice Tests” section in this book’s introduction.
AD DS functionality. Both use the same core code, and both provide a very similar feature set.
AD LDS, formerly called Active Directory Application Mode (ADAM), is a technology that is designed to support directory-enabled applications on an application-by-application basis and without having to modify the database schema of your network operating system (NOS) directory running on AD DS. AD LDS is a boon to administrators who want to use directory-enabled applications without integrating them in their NOS directory.
Active Directory Domain Services can also support the use of directory-enabled applications. One very good example is Microsoft Exchange Server 2007. All user information in Exchange Server is provided by the directory. When you install Exchange Server into your network, it begins by extending the AD DS schema, practically doubling its size. As you know, schema modifications are not to be taken lightly because, when you add an object or an attribute to the AD DS schema, it will be added forever; it cannot be removed. You can deactivate or rename and reuse these objects, but who wants defunct objects in their NOS directory? Adding to the schema for an application such as Exchange Server is appropriate because it provides a core networking service: e-mail.
MORE INFO Best practices for Active Directory design
For a guide outlining best practices for the design of Active Directory as well as AD DS schema management guidelines, download the free “Chapter 3: Designing the Active Directory” from Windows Server 2003: Best Practices for Enterprise Deployments, available at http://www.reso-net.com/Documents/007222343X_Ch03.pdf.
For information on creating a new forest as well as migrating its contents from one forest to another, look up Windows Server 2008: The Complete Reference by Ruest and Ruest (McGraw-Hill Osborne, 2008). This book outlines how to build a complete infrastructure based on Microsoft Windows Server and how to migrate all of its contents from one location to another.
However, when it comes to other applications, especially applications that are provided by third-party software manufacturers, carefully consider whether you should integrate them into your AD DS directory. Remember, your production AD DS structure will be with you for a very long time. You don’t want to find yourself in a situation in which you integrated a product to your directory and then, several years later when the third-party manufacturer is out of business, have to figure out what to do with the extensions this product added to your AD DS structure, increasing replication timings and adding unused content in the directory.
This is why AD LDS is such a boon. Because it can support multiple AD LDS instances on a single server (unlike AD DS, which can support only one instance of a directory on any given server), AD LDS can meet the requirements of any directory-enabled application and even provide instances on an application-by-application basis. In addition, you do not need Enterprise Administrator or Schema Administrator credentials to work with AD LDS, as you would with AD DS. No, AD LDS runs on member or standalone servers and requires only local administration access rights to manage it. Because of this, it can also be used in a perimeter network to provide application or Web authentication services. AD LDS is one of the four Active Directory technologies that enable you to extend your organization’s authority beyond the firewall and into the Internet cloud. (See Figure 14-1.)
Figure 14-1 AD LDS can be used internally or externally in support of applications
[Figure labels: Perimeter Instances. Legend: Active Directory technology integration; Possible relationships.]
Exam objectives in this chapter:
■ Configuring Additional Active Directory Server Roles
❑ Configure Active Directory Lightweight Directory Service (AD LDS)
Lessons in this chapter:
■ Lesson 1: Understanding and Installing AD LDS 690
■ Lesson 2: Configuring and Using AD LDS 701
Before You Begin
To complete the lessons in this chapter, you must have done the following:
■ Installed Windows Server 2008 on a physical or virtual computer, which should be named SERVER01 and should be a domain controller in the contoso.com domain. The details for this setup are presented in Chapter 1, “Installation,” and Chapter 2, “Administration.”
■ Installed Windows Server 2008 on another physical or virtual computer. The machine should be named SERVER03 and should be a member server within the contoso.com domain. This computer will host the AD LDS instances you will install and create through the exercises in this chapter. Make sure this computer also includes a D drive to store the data for the AD LDS instances. Ten GB is recommended for the size of this drive.
■ Installed Windows Server 2008 on a third physical or virtual computer. The computer should be named SERVER04 and should be a member server within the contoso.com domain. This computer will be used to configure replication scopes for AD LDS. Make sure this computer also includes a D drive to store the data for the AD LDS instances. Ten GB is recommended for the size of this drive.
Real World
Danielle Ruest and Nelson Ruest
In late 2003, we were asked by Redmond Magazine (then MCP Magazine) to put together a review of the various products on the market that would assist system administrators to manage Active Directory environments. We were thrilled by the request because Active Directory was one of our favorite technologies. Besides being a true Lightweight Directory Access Protocol (LDAP) directory service, Active Directory is also a very powerful NOS directory that can manage millions of objects. In addition, Active Directory includes Group Policy, a very powerful object management platform that extends the NOS capabilities of the directory service. Finally, through Group Policy Software Delivery, you could manage the delivery of Windows Installer–based software packages throughout the entire structure of the directory. There was no doubt, for us, that Active Directory was one of the best products ever to come out of Redmond’s development labs.
After scouring the Internet and polling our customers, we came up with a short list that included six products that would assist in managing Active Directory environments:
■ Quest FastLane Active Roles
■ Aelita Enterprise Directory Manager
■ NetIQ Security Administration Suite
■ Javelina ADvantage
■ NetPro Active Directory Lifecycle Suite
■ Bindview Secure Active Directory LifeCycle Suite
Of the six, only four were available for the article. Bindview declined to give us an evaluation copy of their product, so we had to omit this by default. NetPro, which seemed to have a great set of tools, wasn’t ready to go to market yet, so we had to omit this product as well. We did, however, have a chance to write about NetPro’s suite of Active Directory products later (see http://mcpmag.com/reviews/products/article.asp?EditorialsID=454), and it did very well indeed. So, we were left with four products to write about. The result was an article titled “The 12 Mighty Labors of Active Directory Management” (see http://mcpmag.com/Features/article.asp?EditorialsID=359). Readers everywhere seemed to like the article quite a bit. But we received some very biting comments from a couple of sources about one key point we made in the article.
Two of the four products we reviewed, the NetIQ and the Quest FastLane, modified the database schema for Active Directory to work. At that time, we had consulted in quite a few Active Directory implementations, and each one faced one single difficult question: how to manage schema modifications? That’s because, when the schema is modified, you can’t undo it. Of course, in Windows Server 2003, Microsoft allowed you to deactivate or rename and reuse schema modifications, but for our customers and for us, that was a poor second choice. It’s best to leave the schema alone, if at all possible. In addition, Microsoft had just released ADAM in support of organizations that needed to integrate applications to a directory service but didn’t want to modify the schema of their NOS directory.
In the end, we chose the Aelita product as the best choice for one major reason: Aelita had opted to store all of its database requirements in Microsoft SQL Server instead of modifying the Active Directory schema, yet its tool was as powerful as the other two major contenders. Javelina’s tool didn’t really compete with the others because it was not designed to support the same functions.
To make a long story short, about two months after we published the article, Quest bought Aelita and transformed Enterprise Directory Manager (EDM) into the next version of Active Roles. The original Active Roles, which was produced by FastLane, a small company from Ottawa, Canada, which was also bought by Quest, was rolled into EDM. The new version of Active Roles no longer required schema modifications to be implemented, yet still offered a powerful set of Active Directory management features. Did our article have anything to do with this? Who knows? One thing is sure: no one should ever take a NOS directory schema modification lightly, not when you have powerful tools like ADAM, now AD LDS, at your fingertips.
Lesson 1: Understanding and Installing AD LDS

Even though it is based on the same code as AD DS, AD LDS is much simpler to work with. For example, when you install AD LDS on a server, it does not change the configuration of the server in the same way AD DS does when you create a domain controller. AD LDS is an application and nothing more. When you install it, you are not required to reboot the server because the application installation process only adds functionality to the server and does not change its nature.

However, before you begin, you must first understand what makes up an AD LDS instance, how AD LDS instances should be used, and what their relationship is or can be with AD DS directories. Then you can proceed to the installation of the AD LDS service.
After this lesson, you will be able to:
■ Understand when to use AD LDS
■ Install AD LDS onto a member server
■ Locate and view the AD LDS directory store
Estimated lesson time: 30 minutes
Understanding AD LDS
Like AD DS, AD LDS instances are based on the Lightweight Directory Access Protocol (LDAP) and provide hierarchical database services. Unlike relational databases, LDAP directories are optimized for specific purposes and should be used whenever you need to rely on fast lookups of information that will support given applications. Table 14-1 outlines the major differences between an LDAP directory and a relational database such as Microsoft SQL Server. This comparison helps you understand when to choose an LDAP directory in support of an application over a relational database.
Table 14-1 Comparing LDAP Directories to Relational Databases

LDAP Directory | Relational Database
---------------|--------------------
Hierarchical database design often based on the Domain Name System (DNS) or the X.500 naming system | Structured data design relying on tables containing rows and columns. Tables can be linked together.
Relies on a standard schema structure, a schema that is extensible | Does not rely on schemas
Decentralized (distributed) and relies on replication to maintain data consistency | Centrally located data repositories
Security is applied at the object level | Security is applied at the row or column level
Because the database is distributed, data consistency is not absolute—at least not until replication passes are complete | Because data input is transactional, data consistency is absolute and guaranteed at all times
Records are not locked and can be modified by two parties at once. Conflicts are managed through update sequence numbers (USNs) | Records are locked and can be modified by only one party at a time

Table 14-1 provides guidelines for selection of the right database for an application.

In addition, AD LDS is based on AD DS, but it does not include all the features of AD DS. Table 14-2 outlines the differences in features between AD LDS and AD DS.
Table 14-2 Comparing AD LDS with AD DS

Feature | AD LDS | AD DS
--------|--------|------
Runs on client operating systems such as Windows Vista or Windows Server 2008 member servers | ✓ |
Directory partitions can rely on X.500 naming conventions | ✓ |
Manages objects such as workstations, member servers, and domain controllers | | ✓
Supports and integrates with public key infrastructures (PKIs) and X.509 certificates | | ✓
Supports DNS service (SRV) records for locating directory services | | ✓
Supports LDAP application programming interfaces (APIs) | ✓ | ✓
Supports Active Directory Services Interface (ADSI) API | ✓ | ✓
Supports object-level security and delegation of administration | ✓ | ✓
Supports schema extensions and application directory partitions | ✓ | ✓
Can include security principals to provide access to a Windows Server | | ✓
Is integrated into the Windows Server 2008 backup tools | ✓ | ✓

As you can see from the contents of Table 14-2, there are several similarities and differences between AD LDS and AD DS. For example, it is easy to see why Exchange Server must integrate with AD DS as opposed to relying on AD LDS because Exchange Server requires access to the global catalog service to run. Without it, e-mail users could not look up recipients. Because AD LDS does not support the global catalog, Exchange Server cannot rely on it. However, Exchange Server is an application that requires access to directory data in each site of the domain or forest. As such, it also relies on your domain controller positioning to ensure that each user can properly address e-mails.

AD LDS, however, provides much of the same functionality as AD DS. For example, you can create instances with replicas distributed in various locations in your network, just as with the location of domain controllers, and then use multimaster replication to ensure data consistency. In short, AD LDS is a lightweight, portable, and more malleable version of the directory service offered by AD DS.

AD LDS Scenarios

Now that you have a better understanding of AD LDS and its feature set, you can begin to identify scenarios in which you would need to work with this technology. Consider these scenarios when you decide whether to rely on AD LDS or AD DS.

■ When your applications need to rely on an LDAP directory, consider using AD LDS instead of AD DS. AD LDS can often be hosted on the same server as the application, providing high-speed and local access to directory data. This would reduce replication traffic because all required data is local. In addition, you can bundle the AD LDS instance with the application when you deploy it. For example, if you have a human resources application that must rely on custom policies to ensure that users can access only specific content when their user object contains a set of particular attributes, you can store these attributes and policies within AD LDS.
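The consistency rows of Table 14-1 (no record locking, conflicts resolved during replication, consistency only after a replication pass completes) and the multimaster replication of AD LDS replicas described above are easier to reason about with a small model. The following Python is an added example, not code from the training kit and not how AD DS or AD LDS are implemented. It models two writable replicas that each keep a per-replica update sequence number (USN) as a change counter and high-water mark, stamp every attribute write, and resolve a concurrent edit of the same attribute by the rule AD DS and AD LDS use (higher version wins, then later originating time, then originating replica identity). Beside it sits a locked, transactional store for the relational column of the table. The replica names, the X.500-style DN and the timestamps are constructed; the security point a defender should take from it is that a change made on one replica (a revoked title, a disabled flag) is not visible on a lagging replica until its next pass.

```python
"""Model of multimaster replication (Table 14-1, left column) versus a locked,
transactional store (right column).  Added example; not training-kit code and not
the real AD implementation.  DC01/DC02, the DN and timestamps are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(order=True, frozen=True)
class Stamp:
    """Per-attribute stamp; tuple order is the conflict rule: higher version wins,
    then later originating time, then the higher originating replica id."""
    version: int
    timestamp: int
    origin: str


@dataclass
class AttrValue:
    value: str
    stamp: Stamp
    origin_usn: int  # USN the change received on the replica that originated it


class Replica:
    """One writable copy of the directory (a DC, or one replica of an AD LDS instance)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.usn = 0                                        # local USN, grows on every write
        self.data: dict[str, dict[str, AttrValue]] = {}
        self.change_log: list[tuple[int, str, str, AttrValue]] = []
        self.high_water: dict[str, int] = {}               # partner -> highest partner USN pulled

    def write(self, dn: str, attr: str, value: str, now: int) -> None:
        """Originating write: no lock and no coordination with other replicas."""
        self.usn += 1
        current = self.data.get(dn, {}).get(attr)
        version = current.stamp.version + 1 if current else 1
        av = AttrValue(value, Stamp(version, now, self.name), self.usn)
        self.data.setdefault(dn, {})[attr] = av
        self.change_log.append((self.usn, dn, attr, av))

    def read(self, dn: str, attr: str) -> Optional[str]:
        av = self.data.get(dn, {}).get(attr)
        return av.value if av else None

    def pull_from(self, partner: "Replica") -> int:
        """One replication pass: apply partner changes above our high-water mark for
        that partner; returns how many incoming values won.  A local value with the
        winning stamp is kept, so both sides converge on the same winner."""
        hwm = self.high_water.get(partner.name, 0)
        applied = 0
        for usn, dn, attr, incoming in partner.change_log:
            if usn <= hwm:
                continue
            current = self.data.get(dn, {}).get(attr)
            if current is None or incoming.stamp > current.stamp:
                self.data.setdefault(dn, {})[attr] = incoming
                applied += 1
            hwm = usn
        self.high_water[partner.name] = hwm
        return applied


class LockedStore:
    """Relational-style row locking: one writer at a time, consistency is immediate."""

    def __init__(self) -> None:
        self.rows: dict[str, dict[str, str]] = {}
        self.locks: dict[str, str] = {}                    # row key -> lock owner

    def lock(self, key: str, owner: str) -> None:
        holder = self.locks.get(key)
        if holder is not None and holder != owner:
            raise RuntimeError(f"{key} is locked by {holder}")
        self.locks[key] = owner

    def write(self, key: str, column: str, value: str, owner: str) -> None:
        if self.locks.get(key) != owner:
            raise RuntimeError(f"{owner} must lock {key} before writing")
        self.rows.setdefault(key, {})[column] = value

    def unlock(self, key: str, owner: str) -> None:
        if self.locks.get(key) == owner:
            del self.locks[key]


USER_DN = "cn=alice,ou=users,o=treyresearch,c=us"         # constructed X.500-style DN


def directory_demo() -> tuple[tuple[str, str], tuple[str, str]]:
    """Both replicas edit the same attribute before any replication pass.
    Returns the (DC01, DC02) views before and after replication."""
    dc01, dc02 = Replica("DC01"), Replica("DC02")
    dc01.write(USER_DN, "title", "Analyst", now=100)
    dc02.pull_from(dc01)                                   # both hold version 1
    dc01.write(USER_DN, "title", "Senior Analyst", now=200)
    dc02.write(USER_DN, "title", "Team Lead", now=201)     # concurrent, no lock
    before = (dc01.read(USER_DN, "title"), dc02.read(USER_DN, "title"))
    dc01.pull_from(dc02)
    dc02.pull_from(dc01)
    after = (dc01.read(USER_DN, "title"), dc02.read(USER_DN, "title"))
    return before, after


def locked_demo() -> tuple[bool, str]:
    """A second writer is refused while the first session holds the row lock."""
    store = LockedStore()
    store.lock("alice", "session-1")
    store.write("alice", "title", "Senior Analyst", "session-1")
    try:
        store.lock("alice", "session-2")
        refused = False
    except RuntimeError:
        refused = True
    store.unlock("alice", "session-1")
    return refused, store.rows["alice"]["title"]


if __name__ == "__main__":
    print(directory_demo())  # (('Senior Analyst', 'Team Lead'), ('Team Lead', 'Team Lead'))
    print(locked_demo())     # (True, 'Senior Analyst')
```

Between the two concurrent writes and the replication passes the replicas disagree, which is the "not absolute" consistency the table describes; after both passes they hold the same winner, chosen by stamp rather than by who wrote last on a given replica. The high-water mark per partner is what lets a pass send only changes the partner has not yet seen, which is the role USNs play in real replication.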