|1| Chapter 14, Managing Active Directory Performance
|2| Chapter 14, Lesson 1
Active Directory Performance Monitoring Tools
|3| 1. Uses for Active Directory Performance Data
A. Understand Active Directory performance
and the corresponding effect on the system’s resources
B. Observe changes and trends in performance
and resource usage to enable future planning
C. Test configuration changes or other tuning
efforts by monitoring the results
D. Diagnose problems and target components or
processes for optimization
|4| 2. Performance Monitoring Tools
A. The Event Viewer console allows log files
and error messages sent by applications to be viewed.
B. The Performance console provides a
graphical way to view the performance of Active Directory according to the
measurements, or counters, selected.
C. The Performance console also provides a
means to log activity or send alerts according to those measurements and view
the logs either printed or online.
|5| 3. The Event Viewer Console
|6| A. Overview
1. The Event Viewer console monitors both
Windows-wide events, such as application, system, and security events, and
service-specific events, such as directory service events.
2. Events are recorded in event logs.
3. The directory service event logs should
be the first item used to investigate the causes of Active Directory problems.
4. Event log information can be used to
better understand the sequence and types of events that led up to a particular
performance problem.
5. Windows 2000 security logs operate in a
fashion similar to the event logs used to monitor Active Directory performance.
|7| B. Event logs for monitoring Active Directory
performance
1. Application log: Contains errors,
warnings, or information that applications, such as a database server or an
e-mail program, generate
2. Directory Service log: Contains errors,
warnings, and information that Active Directory generates
3. File Replication Service log: Contains
errors, warnings, and information that the File Replication service generates
4. System log: Contains errors, warnings,
and information that Windows 2000 generates
|8| 4. The Performance Console
A. Monitors conditions within local and
remote computers anywhere in the network and summarizes performance at selected
intervals
B. Uses various counters for monitoring
real-time resource usage
C. Logs results into a file so that
historical performance problems can be viewed and diagnosed
D. Monitors resource usage of other computers
that run server services on the network
E. Used for collecting baseline performance
data
F. Configured to send alerts to the event log
or other locations about exceptions to the baseline
G. Contains two snap-ins: System Monitor and
Performance Logs and Alerts
|9| 5. System Monitor
|10| A. Measures Active Directory performance
1. Collects and displays real-time
performance data on a local computer or from several remote computers
2. Displays data collected either currently
or previously recorded in a counter log
3. Presents data in a printable graph,
histogram, or report view
4. Incorporates System Monitor functionality
into Microsoft Word or other applications in the Microsoft Office suite by
means of Automation
5. Creates HTML pages from performance views
6. Creates reusable monitoring
configurations that can be installed on other computers using Microsoft
Management Console (MMC)
|11| B. Defining the Active Directory data to
collect
1. Type of data: To select the data to be
collected, performance objects and performance counters are specified
2. Source of data: System Monitor can
collect data from the local computer or from other computers on the network
where permissions exist; additionally, real-time data or data collected
previously can be included using counter logs
3. Sampling parameters: System Monitor
supports manual, on-demand sampling or automatic sampling based on a specified
time interval; starting and stopping times can be selected to view data
spanning a specific time range
|12| C. Designing the appearance of System Monitor
1. Type of display: System Monitor supports
chart, histogram, and report views
2. Display characteristics: For any of the
three display types, characteristics, colors, and fonts for the display can be
defined
|13| D. Defining data for monitoring
1. To begin monitoring data, performance
objects and performance counters are specified.
a. Performance object: A logical collection
of counters that is associated with a resource or service that can be monitored
b. Performance counters: The multitude of
conditions that can apply to a performance object
2. Using System Monitor enables the activity
of performance objects to be tracked through the use of counters.
3. To monitor Active Directory, the activity
of the NTDS performance object is monitored.
E. NTDS performance object counters
|14| 1. Overview
a. The NTDS performance object contains many
performance counters that provide statistics about Active Directory
performance.
b. After determining the desired statistics
to monitor, the matching performance counters must be found.
c. Performance counters can provide some
baseline analysis information for capacity and performance planning.
d. Counters that are suited for capacity
planning contain the word total in
their name.
e. Each counter has its own guidelines and
limits.
|15| 2. Types of counters
a. Statistic counters: Show totals per second
b. Ratio counters: Show percentage of the
total
c. Accumulative counters: Show totals since
Active Directory was last started
3. Active Directory System Monitor counters
a. DRA Inbound Bytes Compressed (Between Sites, After Compression)/Sec: The
compressed size of inbound compressed replication data
Note Directory Replication Agent (DRA) monitors replication activity.
b. DRA Inbound Bytes Compressed (Between
Sites, Before Compression)/Sec: The original size of inbound compressed
replication data
c. DRA Inbound Bytes Not Compressed (Within
Site)/Sec: Number of bytes received through inbound replication that were not
compressed at the source, that is, from other DSAs in the same site
d. DRA Inbound Bytes Total/Sec: Total number
of bytes received through replication, per second; the sum of the number of
uncompressed bytes and the number of compressed bytes
e. DRA Inbound Full Sync Objects Remaining:
Number of objects remaining until the full synchronization process is completed
or set
f. DRA Inbound Objects/Sec: Number of
objects received, per second, from replication partners through inbound
replication
g. DRA Inbound Objects Applied/Sec: Rate per
second at which replication updates are received from replication partners and
applied by the local directory service; excludes changes that are received but
not applied, which indicates how much replication update activity is occurring
on the server as a result of changes generated on other servers
h. DRA Inbound Objects Filtered/Sec: Number
of objects received per second from inbound replication partners that contained
no updates that needed to be applied
i. DRA Inbound Object Updates Remaining in
Packet: Number of object updates received in the current directory replication
update packet that have not yet been applied to the local server; tells whether
the monitored server is receiving changes but taking a long time applying them
to the database
j. DRA Inbound Properties Applied/Sec:
Number of properties that are applied through inbound replication as a result
of reconciliation logic
k. DRA Inbound Properties Filtered/Sec:
Number of property changes received during replication that are already
known
l. DRA Inbound Properties Total/Sec: Total
number of object properties received per second from inbound replication
partners
m. DRA Inbound Values (DNs Only)/Sec: Number
of object property values received from inbound replication partners that are
Distinguished Names (DNs), per second. This includes objects that reference
other objects. DN values, such as group or distribution list memberships, are
more expensive to apply than other kinds of values because group or
distribution list objects can include hundreds and thousands of members and
therefore are much bigger than a simple object with only one or two attributes.
This counter might explain why inbound changes are slow to be applied to the
database.
n. DRA Inbound Values Total/Sec: Total number
of object property values received from inbound replication partners per
second. Each inbound object has one or more properties, and each property has
zero or more values; zero values indicate property removal.
o. DRA Outbound Bytes Compressed/Sec:
Compressed size of outbound compressed replication data, after compression,
from DSAs in other sites
p. DRA Outbound Bytes Compressed (Between
Sites, Before Compression)/Sec: Original size of outbound compressed replication
data, before compression, from DSAs in other sites
q. DRA Outbound Bytes Not Compressed (Within
Site)/Sec: Number of bytes replicated out that were not compressed, that is,
from DSAs in the same site
r. DRA Outbound Bytes Total/Sec: Total
number of bytes replicated out per second; the sum of the number of
uncompressed bytes and the number of compressed bytes
s. DRA Outbound Objects/Sec: Number of
objects replicated out per second
t. DRA Outbound Objects Filtered/Sec: Number
of objects acknowledged by outbound replication that required no updates; also
represents objects that the outbound partner did not already have
u. DRA Outbound Properties/Sec: Number of
properties replicated out per second; tells whether or not a source server is
returning objects
v. DRA Outbound Values (DNs Only)/Sec:
Number of object property values containing DNs sent to outbound replication
partners. DN values, such as group or distribution list memberships, are more
expensive to read than other kinds of values because group or distribution list
objects can include hundreds and thousands of members and therefore are much
bigger than a simple object with only one or two attributes.
w. DRA Outbound Values Total/Sec: Number of
object property values sent to outbound replication partners per second
x. DRA Pending Replication Synchronizations:
Number of directory synchronizations that are queued for this server but not
yet processed. This helps to determine replication backlog; the larger the
number, the larger the backlog.
y. DRA Sync Requests Made: Number of
synchronization requests made to replication partners
z. DS Directory Reads/Sec: Number of
directory reads per second
aa. DS Directory Writes/Sec: Number of directory
writes per second
bb. DS Security Descriptor Suboperations/Sec:
Number of Security Descriptor Propagation suboperations per second. One
Security Descriptor Propagation operation is made up of many suboperations. A
suboperation roughly corresponds to an object that the propagation causes the
propagator to examine.
cc. DS Security Descriptor Propagations Events:
Number of Security Descriptor Propagation events that are queued but not yet
processed
dd. DS Threads in Use: Current number of threads
in use by the directory service. Threads in Use is the number of threads
currently servicing client API calls and can be used to indicate whether
additional processors can be of benefit.
ee. Kerberos Authentications/Sec: Number of
times per second that clients use a ticket to this domain controller to
authenticate to this domain controller
ff. LDAP Bind Time: Time taken for the last
successful LDAP binding
gg. LDAP Client Sessions: Number of connected
LDAP client sessions
hh. LDAP Searches/Sec: Number of search
operations per second performed by LDAP clients
ii. LDAP Successful Binds/Sec: Number of
successful LDAP binds per second
jj. NTLM Authentications: Number of NT LAN
Manager (NTLM) authentications per second serviced by this domain controller
kk. XDS Client Sessions: Number of connected
Extended Directory Service (XDS) client sessions. This indicates the number of
connections from other Windows NT services and the Windows NT Administrator
program.
F. To monitor Active Directory performance
counters
1. From the Start menu, select Programs,
point to Administrative Tools, and then click Performance.
2. Right-click the System Monitor details
pane and click Add Counters
|16| 3. In the Add Counters dialog box:
a. To monitor any computer on which the
monitoring console is run, click Use Local Computer Counters.
b. To monitor a specific computer regardless
of where the monitoring console is run, click Select Counters From Computer and
select a computer name from the list.
4. In the Performance Object list, select the NTDS performance object
Note For a description of a particular counter, click the name of the
counter from the list, and then click Explain.
5. Select the counters to monitor:
a. To monitor all counters for the NTDS performance object, click All Counters.
Note Because there are many counters, monitoring all counters will affect
processing time and is not a practical solution.
b. To monitor only selected counters, click
Select Counters From List and select which counters to monitor; multiple
counters can be selected by clicking on a counter and holding the Ctrl key.
6. Click Add
7. When all counters have been added, click
Close
8. The counters selected appear in the lower part of the screen; each counter
is represented by its own color; choose either the chart, histogram, or report
display view by clicking the appropriate toolbar button
Note When creating a System Monitor snap-in for export, make sure to select
Use Local Computer Counters on the Select Counters dialog box. Otherwise,
System Monitor obtains data from the computer named in the text box, regardless
of where the snap-in is installed.
6. Performance Logs and Alerts
|17| A. Counter logs
1. Similar to System Monitor, counter logs
support the definition of performance objects and performance counters and the
setting of sampling intervals for monitoring data about hardware resources and
system service.
2. Counter logs collect performance counter
data in a comma- or tab-separated format for easy import to a spreadsheet or
database program.
3. Logged counter data can be viewed using
System Monitor or exported to a file for analysis and report generation.
|18| B. Trace logs
1. Uses the default system data provider or
another nonsystem provider to record data when certain activities occur, such
as a disk I/O operation or a page fault
2. The provider sends the data to the
Performance Logs and Alerts service when the event occurs.
3. Trace logs wait for a specific event to
occur, unlike counter logs, which obtain data from the system at intervals.
4. Active Directory nonsystem providers
include those for NetLogon, Kerberos, SAM, and Windows NT Active Directory
Service.
5. These providers generate trace log files
containing messages that may be used to track the operations performed.
6. A parsing tool is required to interpret
the trace log output.
7. Developers can create such a tool using
APIs provided on the Microsoft Developer Web site (http://msdn.microsoft.com/).
|19| C. Logging options for counter and trace logs
1. Define start and stop times, file names,
file types, file sizes, and other parameters for automatic log generation and
manage multiple logging sessions from a single console window
2. Start and stop logging either manually on
demand or automatically based on a user-defined schedule
3. Configure additional settings for
automatic logging, such as automatic file renaming, and set parameters for
stopping and starting a log based on the elapsed time or the file size
4. Define a program that runs when a log is
stopped
5. View logs during collection as well as
after collection has stopped; data collection occurs regardless of whether any
user is logged on to the computer being monitored.
|20| D. Counter and trace logging requirements
1. To create or modify a log, Full Control
permission is required for the following registry key, which controls the
Performance Logs and Alerts service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries.
a. Administrators usually have this
permission by default.
b. Administrators can grant permission to
users by using the Security menu in REGEDT32.EXE.
2. To run the Performance Logs and Alerts
service, permission to start or otherwise configure services on the system is
required.
a. Administrators have this right by default.
b. Administrators can grant this permission
to users by using group policy.
3. To log data on a remote computer, the
Performance Logs and Alerts service must run under an account that has access
to the remote system.
E. To create a counter log
1. From the Start menu, select Programs,
point to Administrative Tools, and then click Performance
2. Double-click Performance Logs And Alerts, and then click Counter Logs
Note Any existing logs will be listed in the details pane. A green icon
indicates that a log is running; a red icon indicates that a log has been stopped.
3. Right-click a blank area of the details
pane and then click New Log Settings
4. In the New Log Settings dialog box, in
the Name box, type the name of the log, and then click OK
5. In the General tab of the counter log’s
dialog box, type the name of the path and file name of the log file in the
Current Log File Name box, and then click Add
6. In the Select Counters dialog box, choose
the computer for which to log counters:
a. To log counters from the computer on which
the Performance Logs and Alerts service will run, click Use Local Computer
Counters.
b. To log counters from a specific computer
regardless of where the service is run, click Select Counters From Computer and
select the name of the computer to be monitored from the list.
7. In the Performance Object list, select an
object to log
8. Select the counter to log from the list
and then click Add
9. Click Close when finished selecting
counters to log
|21| 10. In the Log Files tab of the counter log’s
dialog box, configure the options
|22| 11. In the Schedule tab of the counter log’s
dialog box, configure the options
12. Click OK
Note When creating a Performance Logs and Alerts snap-in for export, make
sure to select Use Local Computer Counters on the Select Counters dialog box.
Otherwise, counter logs will obtain data from the computer named in the text box,
regardless of where the snap-in is installed.
F. Options on the Log Files tab
1. Location: The name of the folder where
the log file will be created; click Browse to search for the folder
2. File Name: A partial or base name for the
log file; use in conjunction with End File Names With, if appropriate; appears
on the details pane
3. End File Names With: The suffix style to
use, chosen from the list provided; used to distinguish between individual log
files with the same log file name that are in a group of logs that have been
automatically generated
4. Start Numbering At: The start number for
automatic file numbering, when nnnnnn is selected for End File Names With
5. Log File Type: The format for this log
file:
a. Text File CSV
(1) Defines a comma-delimited log file (.csv
extension)
(2) Used to export the log data to a
spreadsheet program
b. Text File TSV
(1) Defines a tab-delimited log file (.tsv
extension)
(2) Used to export the log data to a
spreadsheet program
c. Binary File
(1) Defines a sequential, binary-format log
file (.blg extension)
(2) Used to record data instances that are
intermittent, stopping and resuming after the log has begun running
(3) Nonbinary file formats cannot accommodate
instances that are not persistent throughout the duration of the log.
d. Binary Circular File
(1) Defines a circular, binary-format log file
(.blg extension)
(2) Used to record data continuously to the
same log file
(3) Overwrites previous records with new data
6. Comment: A comment or description for the
log file; appears in the details pane
7. Log File Size: Selected if circular
logging is desired
a. Maximum Limit: Data is continuously
collected in a log file until it reaches limits set by disk quotas or the OS
b. Limit Of: The maximum size of the log file
G. Options on the Schedule tab
1. Start Log
a. Manually: Logging will start manually.
b. At: Logging will start according to the
time and date parameters set
2. Stop Log
a. Manually: Logging will stop manually
b. After: Logging will stop after the time
specified
c. At: Logging will stop at the time and
date parameters set
d. When The Log File Is Full: Logging will
stop when the log file reaches a maximum size
3. When A Log File Closes
a. Start A New Log File: Logging will resume
in a new file after logging stops for the current log file
b. Run This Command: A specified command is
run when a log file closes
H. To create a trace log
1. From the Start menu, select Programs,
point to Administrative Tools, and then click Performance
2. Double-click Performance Logs And Alerts, and then click Trace Logs
Note Any existing logs will be listed in the details pane. A green icon
indicates that a log is running; a red icon indicates that a log has been
stopped.
3. Right-click a blank area of the details
pane and then click New Log Settings
4. In the New Log Settings dialog box, in
the Name box, type the name of the log and then click OK
a. In the General tab of the trace log’s
Properties dialog box, the name of the path and file name of the log file is
shown in the Current Log File Name box.
b. By default, the log file is created in the
PerfLogs folder in the root directory, a sequence number is appended to the
file name entered, and the sequential trace file type with the .etl extension
is used.
5. Select the events to be logged:
a. Select Events Logged By System Provider
for the default provider to monitor processes, threads, and other activity. To
define events for logging, click the check boxes as appropriate, which can
create some performance overhead for the system.
b. Select Nonsystem Providers to select trace
data providers, using the Add or Remove buttons to select or remove nonsystem
providers
c. For a list of the installed providers and
their status (enabled or not), click Provider Status.
Note Only one trace log that uses the system provider can be running at a
time. In addition, multiple trace logs from the same nonsystem provider cannot
run concurrently. If the system trace provider is enabled, nonsystem providers
cannot be enabled, and vice versa. However, multiple nonsystem providers can be
enabled simultaneously.
6. In the Log Files tab of the trace log’s
Properties dialog box, configure the options in the same manner as counter logs
are configured, except for the options described in the next section, following
step 8
7. In the Schedule tab of the trace log’s
Properties dialog box, configure the options as shown for counter logs (refer
to the earlier outline section “To create a counter log”)
8. Click OK
|23| I. Trace log-specific options in the Log Files tab
1. Log File Type: The desired format for
this log file
a. Circular Trace File: Defines a circular
trace log file (.etl), used to record data continuously to the same log file,
overwriting previous records with new data
b. Sequential Trace File: Defines a
sequential trace log file (.etl) that collects data until it reaches a
user-defined limit and then closes and starts a new file
2. Log File Size: Select this option for
circular logging:
a. Maximum Limit: Data is continuously
collected in a log file until it reaches limits set by disk quotas or the OS
b. Limit Of: The maximum size, in megabytes, of the log file
Note Trace logging of file details and page faults can generate an extremely
large amount of data. It is recommended that trace logging be limited using the
file details and page fault options to a maximum of two hours.
|24| J. Alerts
1. Similar to System Monitor and counter
logs, alerts support the use of performance objects and performance counters
and setting sampling intervals for monitoring data about hardware resources and
system services.
2. Using this data, an alert can be created
for a counter, which logs an entry in the application event log, sends a
network message to a computer, starts a performance data log, or runs a program
when the selected counter’s value exceeds or falls below a specified setting.
3. An alert scan can be started or stopped
either manually on demand or automatically based on a user-defined schedule.
K. To create an alert
1. From the Start menu, select Programs,
point to Administrative Tools, and then click Performance
2. Double-click Performance Logs And Alerts
and then click Alerts
3. Right-click a blank area of the details
pane and click New Alert Settings
4. In the New Alert Settings dialog box, in
the Name box, type the name of the alert and then click OK
5. In the Comment box on the alert’s dialog
box, type a comment to describe the alert, as needed, and then click Add
6. In the Select Counters dialog box, choose
the computer for which to create an alert:
a. To create an alert on the computer on
which the Performance Logs and Alerts service will run, click Use Local
Computer Counters.
b. To create an alert on a specific computer
regardless of where the service is run, click Select Counters From Computer and
specify the name of the computer.
7. In the Performance Object list, select an
object to monitor
8. Select the counters to monitor, and then
click Add
9. Click Close when you have finished
selecting counters to monitor for the alert
10. In the Alert When The Value Is list,
specify Under or Over, and in the Limit box, specify the value that triggers
the alert
11. In the Sample Data Every section, specify
the amount and the unit of measure for the update interval
|25| 12. In the Action tab of the alert’s dialog
box, select when an alert is triggered
13. In the Schedule tab of the alert’s dialog
box, configure the options as shown for counter logs
14. Click OK
L. Options on the Action tab
1. Log An Entry In The Application Event
Log: Creates an entry visible in Event Viewer
2. Send A Network Message To: Triggers the
messenger service to send a message to the specified computer
3. Start Performance Data Log: Runs a
specified counter log when an alert occurs
4. Run This Program: Triggers the service to
create a process and run a specified program when an alert occurs
5. Command Line Arguments: Triggers the
service to copy specified command-line arguments when the Run This Program
option is used
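Added example (not part of the original outline): the counter-log and alert mechanics described above, applied offline to a counter log saved as Text File CSV. The log is read, a limit per NTDS counter is derived from a baseline window, and each later sample is checked with the Over/Under rule used by alerts. The header layout, the computer name DC1, all sample values, and the helper names and margin-based limit are assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of a counter log saved as "Text File CSV". The header layout
# (a timestamp column, then \\computer\object\counter paths) is an assumption
# about the export; DC1 and every value below are made up for illustration.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\DC1\NTDS\DRA Pending Replication Synchronizations","\\DC1\NTDS\NTLM Authentications","\\DC1\NTDS\LDAP Bind Time"
"03/14/2001 09:00:00.000","0","12.5","15"
"03/14/2001 09:00:15.000","2","14.0","16"
"03/14/2001 09:00:30.000","41","310.2"," "
"03/14/2001 09:00:45.000","57","295.8","240"
'''


@dataclass(frozen=True)
class AlertRule:
    counter: str   # counter name within the NTDS performance object
    when: str      # "Over" or "Under", as in the Alert When The Value Is list
    limit: float   # the value typed in the Limit box

    def triggered(self, value):
        if self.when == "Over":
            return value > self.limit
        if self.when == "Under":
            return value < self.limit
        raise ValueError(f"unknown comparison {self.when!r}")


def load_counter_log(text):
    """Return [(timestamp, {counter_name: float or None}), ...] for a CSV log."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    # \\computer\object\counter -> keep only the counter name
    names = [path.lstrip("\\").split("\\", 2)[-1] for path in header[1:]]
    samples = []
    for row in rows:
        if not row:
            continue
        values = {}
        for name, field in zip(names, row[1:]):
            try:
                values[name] = float(field.strip())
            except ValueError:
                # Blank field: the counter had no data for this interval.
                values[name] = None
        samples.append((row[0], values))
    return samples


def baseline_rule(baseline, counter, margin=3.0):
    """Build an Over rule whose limit is margin x the highest baseline value.

    The margin approach is an illustrative choice, not a documented guideline;
    each counter has its own guidelines and limits.
    """
    observed = [v[counter] for _, v in baseline if v.get(counter) is not None]
    if not observed:
        raise ValueError(f"no baseline data for {counter!r}")
    return AlertRule(counter, "Over", max(observed) * margin)


def scan(samples, rules):
    """Return (timestamp, counter, value) for every sample that trips a rule."""
    alerts = []
    for timestamp, values in samples:
        for rule in rules:
            value = values.get(rule.counter)
            if value is not None and rule.triggered(value):
                alerts.append((timestamp, rule.counter, value))
    return alerts


if __name__ == "__main__":
    log = load_counter_log(SAMPLE_LOG)
    # Treat the first two samples as the baseline collected during normal load.
    rules = [baseline_rule(log[:2], name) for name in log[0][1]]
    for rule in rules:
        print(f"rule: {rule.counter} {rule.when} {rule.limit}")
    for timestamp, counter, value in scan(log, rules):
        print(f"ALERT {timestamp} {counter} = {value}")
```

A sudden rise in NTLM Authentications or in DRA Pending Replication Synchronizations relative to the baseline is the kind of exception an alert would log to the application event log for follow-up in the Directory Service log.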
|26| Chapter 14, Lesson 2
Active Directory Support Tools
1. Overview
|27| A. GUI tools
1. LDP.EXE: Active Directory Administration
Tool
2. REPLMON.EXE: Active Directory Replication
Monitor
|28| B. Command-line tools
1. REPADMIN.EXE: Replication Diagnostics
Tool
2. DSASTAT.EXE: Active Directory Diagnostic
Tool
3. SDCHECK.EXE: Security Descriptor Check
Utility
4. NLTEST.EXE
5. ACLDIAG.EXE: ACL Diagnostics
6. DSACLS.EXE
|29| 2. LDP.EXE: Active Directory Administration Tool
A. Allows users to perform LDAP operations,
such as connect, bind, search, modify, add, and delete, against any
LDAP-compatible directory
1. LDAP is an Internet-standard wire
protocol used by Active Directory.
B. Graphic tool located on the Tools menu
within Windows 2000 Support Tools
C. Used by administrators to view objects
stored in Active Directory along with their metadata, such as security
descriptors and replication metadata
3. REPLMON.EXE: Active Directory Replication
Monitor
|30| A. Overview
1. Enables administrators to perform several
tasks:
a. View the low-level status of Active
Directory replication
b. Force synchronization between domain
controllers
c. View the topology in a graphic format
d. Monitor the status and performance of
domain controller replication through a graphic interface
2. Located on the Tools menu within Windows
2000 Support Tools
|31| B. Features
1. Graphic displays
a. Displays whether or not the monitored
server is a global catalog server
b. Automatically discovers the directory
partitions that the monitored server hosts
c. Shows the replication partners that are
used for inbound replication for each directory partition
d. Distinguishes between direct replication
partners, transitive replication partners, bridgehead servers, and servers
removed from the network in the user interface
e. Indicates failures from a specific
replication partner by changing the icon used for the partner
2. Replication status history
a. The history of replication status per
directory partition, per replication partner, is recorded, generating a
granular history of what occurred between two domain controllers.
b. This history can be viewed through
Replication Monitor’s user interface or can be viewed offline or remotely
through a text editor.
3. Property pages
a. For direct replication partners, a series
of property pages displays the following for each partner:
(1) The name of the domain controller and its
GUID
(2) The directory partition that it replicates
to the monitored server
(3) The transport protocol (SMTP or RPC) used
(4) The time of the last successful and
attempted replication events
(5) Update sequence number (USN) values
(6) Any special properties of the connection
between the two servers
4. Status report generation
a. Administrators can generate a status
report for the monitored server that includes the following:
(1) A listing of the directory partitions for
the server and the status of each replication partner for each directory
partition
(2) Details on which domain controllers the
monitored server notifies when changes have been recorded
(3) The status of any group GPOs
(4) The domain controllers that hold the
Flexible Single Master Operations (FSMO) roles
(5) A snapshot of the performance counters on
the computer
(6) The registry configuration for the server,
including KCC, Active Directory, Jet database, and LDAP
b. Administrators can choose to record the
enterprise configuration, which includes each site, site link, site link
bridge, subnet, and domain controller, and the properties of each of these
object types.
5. Server Wizard
a. Administrators can either browse for the
server to monitor or explicitly enter it.
b. Administrators can also create an .ini
file, which predefines the names of the servers to monitor, which is then
loaded by Replication Monitor to populate the user interface.
6. Graphic site topology
a. Replication Monitor displays a graphic
view of the intra-site topology.
b. By using the context menu for a given
domain controller in the view, administrators can quickly display the
properties of the server and any intra- and inter-site connections that exist
for that server.
7. Properties display
a. Administrators can display the properties
for the monitored server, including:
(1) Server name
(2) DNS host name of the computer
(3) Location of the computer account in Active
Directory
(4) Preferred bridgehead status
(5) Any special flags for the server
(6) Which computers it believes to hold the
FSMO roles
(7) Replication connections and the reasons
they were created
(8) IP configuration of the monitored server
8. Statistics and replication state polling
a. In Automatic Update mode, Replication
Monitor polls the server at an administrator-defined interval to get the
current statistics and replication state.
(1) Generates a history of changes for each
monitored server and its replication partners
(2) Allows the administrator to see topology
changes as they occur for each monitored server
b. In Automatic Update mode, Replication
Monitor also monitors the count of failed replication attempts for each
replication partner.
(1) If the failure count meets or exceeds an
administrator-defined value, Replication Monitor can write to the event log and
send an e-mail notification to the administrator.
9. Replication triggering
a. Administrators can trigger replication on
a server with a specific replication partner, with all other domain controllers
in the site, or with all other domain controllers intra- and inter-site.
10. KCC triggering
a. Administrators can trigger the KCC on the
monitored server to recalculate the replication topology.
11. Display nonreplicated changes
a. Administrators can display Active
Directory changes that have not yet replicated from a given replication
partner.
|32| 4. REPADMIN.EXE: Replication Diagnostic Tool
A. A command-line tool that assists
administrators in diagnosing replication problems between Windows 2000 domain
controllers
B. Allows the administrator to view the
replication topology as seen from the perspective of each domain controller
C. Used to manually create the replication topology, force replication events
between domain controllers, and view both the replication metadata and
up-to-dateness vectors
Note During the normal course of operations, there is no need to manually
create the replication topology. Incorrect use of this tool may adversely impact
the replication topology. The major use of this tool is to monitor replication
so that problems such as offline servers or unavailable LAN/WAN connections can
be identified.
|33| 5. DSASTAT.EXE: Active Directory Diagnostic Tool
A. A command-line tool that compares and
detects differences between naming contexts on domain controllers
B. Used to compare two directory trees across
replicas within the same domain or, in the case of a global catalog, across
different domains
C. Retrieves capacity statistics, such as MB
per server, objects per server, and MB per object class, and performs
comparisons of attributes of replicated objects
|34| D. The user specifies the targeted domain
controllers and additional operational parameters from the command line or from
an initialization file.
E. Determines whether domain controllers in a
domain have a consistent and accurate image of their own domain
F. Checks whether the global catalog has a
consistent image with domain controllers in other domains
G. Used to ensure that domain controllers are
up to date with one another
|35| 6. SDCHECK.EXE: Security Descriptor Check Utility
A. A command-line tool that displays the
security descriptor for any object stored in Active Directory
1. The security descriptor contains the ACLs
defining the permissions that users have on objects stored in Active Directory.
B. Displays the object hierarchy and any ACLs
that are inherited by the object from its parent, enabling administrators to
determine the effective access controls on an object
C. Displays the security descriptor
propagation metadata so that administrators can monitor changes with respect to
the propagation of inherited ACLs as well as the replication of ACLs from other
domain controllers
1. As changes are made to the ACLs of an
object or its parent, they are propagated automatically by Active Directory.
D. Used to ensure that domain controllers are
up to date with one another
|36| 7. NLTEST.EXE
A. A command-line tool that helps perform the
following network administrative tasks:
1. Testing trust relationships and the state
of domain controller replication in a Windows domain
2. Querying and checking on the status of
trust
3. Forcing a shutdown
4. Getting a list of PDCs
5. Forcing a user account database into sync
on Microsoft Windows NT 4.0 or earlier domain controllers
B. Runs only on x86-based machines
|37| 8. ACLDIAG.EXE: ACL Diagnostics
A. A command-line tool that helps diagnose
and troubleshoot problems with permissions on Active Directory objects
B. Reads security attributes from ACLs and
outputs information in either readable or tab-delimited format
1. Tab-delimited format can be uploaded into
a text file for searches on particular permissions, users, or groups, or into a
spreadsheet or database for reporting.
C. Provides some simple cleanup functionality
|38| D. Enables administrators to perform several
tasks:
1. Compare the ACL on a directory service
object to the permissions defined in the schema defaults
2. Check or fix standard delegations performed
using templates from the Delegation of Control Wizard in the Active Directory
Users and Computers console
3. Get effective permissions granted to a
specific user or group or to all users and groups that show up in the ACL
E. Displays only the permissions of objects
the user has the right to view
F. Cannot be used on GPOs because they are
virtual objects that have no distinguished name
|39| 9. DSACLS.EXE
A. A command-line tool that facilitates
management of ACLs for directory services
B. Used for general-purpose ACL reporting and
setting from the command prompt
C. Enables administrators to query and
manipulate security attributes on Active Directory objects
D. A command-line equivalent of the Security
page on various Active Directory snap-in tools
E. Provides security configuration and
diagnosis functionality on Active Directory objects
|40| Chapter 14, Lesson 3
Monitoring Access to Shared Folders
1. Why Monitor Network Resources?
|41| A. Reasons to assess and manage network
resources
1. Maintenance: Determine which users are currently using a resource so that
they can be notified before resources are made temporarily or permanently
unavailable
2. Security: Monitor user access to resources that are confidential or need
to be secure to verify that only authorized users are accessing them
3. Planning: Determine which resources are being used and how much they are
being used so that future system growth can be planned
|42| B. Shared Folders snap-in
1. Included in Windows 2000 so that access
to network resources can be easily monitored and administrative messages can be
sent to users
2. Preconfigured in the Computer Management
console, allowing resources on the local computer to be monitored
3. When added to an MMC, enables the
administrator to specify whether the resources should be monitored on the local
computer or on a remote computer
2. Network Resource Monitoring Requirements
|43| A. Groups that can access network resources
1. Administrators or Server Operators for
the domain: Can monitor all computers in the domain
2. Administrators or Power Users for a
member server: Can monitor that computer
3. Administrators or Power Users for a
stand-alone server: Can monitor that computer
4. Administrators or Power Users for
computers running Microsoft Windows 2000 Professional: Can monitor that
computer
|44| 3. Monitoring Access to Shared Folders
|45| A. Overview
1. The Shares folder in the Shared Folders
snap-in is used to view a list of all shared folders on the computer.
2. The Shares folder also is used to
determine how many users have a connection to each folder.
|46| B. Fields in the details pane for the Shares
folder
1. Shared Folder: The name of the shared
folder on the computer
2. Shared Path: The path to the shared
folder
3. Type: The OS that must be running on a
computer so that it can be used to gain access to the shared folder
4. # Client Redirections: The number of
clients who have made a remote connection to the shared folder
5. Comment: Descriptive text about the folder; provided when the folder was
shared
Note Windows 2000 does not update the list of shared folders, open files,
and user sessions automatically. To update these lists, click Refresh on the
Action menu.
C. Determining how many users can access a
shared folder concurrently
1. The maximum number of concurrent users
that can access a shared folder can be determined by clicking the folder in the
Shared Folders details pane, clicking Properties on the Action menu, and then
reviewing the user limit on the General tab of the Properties dialog box for
the shared folder.
2. An easy way to troubleshoot connectivity
problems is to use the Shared Folders snap-in to determine whether the maximum
number of users that are permitted to gain access to a folder has been reached.
a. If the maximum number of connections has
already been made, the user cannot connect to the shared resource.
D. Modifying shared folder properties
1. Existing shared folders can be modified,
including shared folder permissions, from the Shares folder by clicking the
shared folder, clicking Properties on the Action menu, and then making changes
in the Properties dialog box.
a. The General tab shows the share name, the
path to the shared folder, and any comment entered.
b. The General tab is used to view and set a
user limit for accessing the shared folder.
c. The Security tab is used to view and
change the shared folder's permissions.
|47| 4. Monitoring Open Files
|48| A. Overview
1. The Open Files folder in the Shared
Folders snap-in is used to view a list of open files that are located in shared
folders and the users who have a current connection to each file.
2. This information can be used to contact
users to notify them that the system will be shut down.
3. The list can also be used to determine which users have a current
connection and should be contacted when another user is trying to gain access
to a file that is in use.
|49| B. Information available in the Open Files
folder
1. Open File: The name of the open file on
the computer
2. Accessed By: The logon name of the user
who has the file open
3. Type: The OS running on the computer
where the user is logged on
4. # Locks: The number of locks on the file
Note Programs can request the OS to lock a file to gain exclusive access and
prevent other programs from making changes to the file.
5. Open Mode: The type of access that the
user’s application requested when it opened the file, such as Read or Write
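The security use of the Open Files list (verifying that only authorized users have confidential files open) can be checked mechanically once the columns above are available as records. The PowerShell below is an added example, not part of the original lesson; the sample rows, folder paths, user names, the policy table and the function name Find-UnauthorizedOpenFile are all constructed for illustration.

```powershell
# Constructed sample rows using the Open Files columns listed above
# (Open File, Accessed By, # Locks, Open Mode). All values are made up.
$openFiles = @(
    [pscustomobject]@{ OpenFile = 'D:\Shares\Payroll\2000-Q4.xls';  AccessedBy = 'jsmith';   Locks = 1; OpenMode = 'Write' }
    [pscustomobject]@{ OpenFile = 'D:\Shares\Payroll\rates.doc';    AccessedBy = 'tempuser'; Locks = 0; OpenMode = 'Read' }
    [pscustomobject]@{ OpenFile = 'D:\Shares\Public\menu.txt';      AccessedBy = 'tempuser'; Locks = 0; OpenMode = 'Read' }
    [pscustomobject]@{ OpenFile = 'D:\Shares\HR\reviews.doc';       AccessedBy = 'mlee';     Locks = 2; OpenMode = 'Write' }
    [pscustomobject]@{ OpenFile = 'D:\Shares\PayrollArchive\a.txt'; AccessedBy = 'tempuser'; Locks = 0; OpenMode = 'Read' }
)

# Assumed policy: confidential folder -> users and the highest mode each may use.
$policy = @{
    'D:\Shares\Payroll' = @{ jsmith = 'Write'; mlee = 'Read' }
    'D:\Shares\HR'      = @{ mlee = 'Read' }
}

function Find-UnauthorizedOpenFile {
    param([object[]]$OpenFiles, [hashtable]$Policy)
    foreach ($row in $OpenFiles) {
        foreach ($folder in $Policy.Keys) {
            # Match on a folder boundary so 'Payroll' does not also match 'PayrollArchive'.
            $prefix = $folder.TrimEnd('\') + '\'
            if (-not $row.OpenFile.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                continue
            }
            # $null when the user has no entry for this folder.
            $allowed = $Policy[$folder][$row.AccessedBy]
            $reason = $null
            if (-not $allowed) {
                $reason = 'user not authorized for folder'
            } elseif ($row.OpenMode -eq 'Write' -and $allowed -ne 'Write') {
                $reason = 'write access exceeds read-only grant'
            }
            if ($reason) {
                [pscustomobject]@{
                    OpenFile   = $row.OpenFile
                    AccessedBy = $row.AccessedBy
                    OpenMode   = $row.OpenMode
                    Reason     = $reason
                }
            }
        }
    }
}

Find-UnauthorizedOpenFile -OpenFiles $openFiles -Policy $policy | Format-Table -AutoSize
```

Files outside the folders named in the policy are ignored, so the report covers only resources the administrator has designated as confidential.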
5. Disconnecting Users from Open Files
|50| A. Overview
1. Users can be disconnected from one open
file or from all open files.
2. If changes are made to NTFS permissions
for an open file, the new permissions will not affect the user until the file
is closed and the user attempts to reopen it.
B. Changes can be forced to take place immediately
by doing either of the following:
1. All users can be disconnected from all
open files by clicking Open Files in the Shared Folders snap-in console tree
and then clicking Disconnect All Open Files on the Action menu.
2. All users can be disconnected from one open file by clicking Open Files in
the Shared Folders snap-in console tree, selecting the open file in the
details pane, and then clicking Close Open File on the Action menu.
Note Disconnecting users from open files can result in data loss.
6. To send a console message to connected users
A. Click the Shared Folders snap-in, click
the Action menu, click All Tasks, and then click Send Console Message
B. In the Send Console Message dialog box,
type in the Message box the message to send to users
C. Select the computer name that will receive
the message in the Recipients box and then click Send
1. If a user is logged on to more than one
computer, only the computer that has its name in the recipient list will
receive the message.
2. If any recipients do not successfully
receive the message, the Send Console Message dialog box reappears.
3. Recipients who do not successfully
receive the message are the only computer names remaining in the list.
4. Check whether the computer names are
valid and whether the computers are available.