Guide for System Center Management Pack for Active Directory for Operations Manager 2012

Microsoft Corporation Published: October 2013 Send feedback or suggestions about this document to mpgfeed@microsoft com Please include the management pack guide name !ith "our feedback #he Operations Manager team encourages "ou to pro$ide feedback on the management pack b" pro$iding a re$ie! on the management pack%s page in the Management Pack Catalog &http:''go microsoft com'f!link'()ink*+,-210./

Copyright
#his document is pro$ided 0as1is0 *nformation and $ie!s e2pressed in this document3 including 45) and other *nternet 6eb site references3 ma" change !ithout notice Some e2amples depicted herein are pro$ided for illustration onl" and are fictitious 7o real association or connection is intended or should be inferred #his document does not pro$ide "ou !ith an" legal rights to an" intellectual propert" in an" Microsoft product 8ou ma" cop" and use this document for "our internal3 reference purposes 8ou ma" modif" this document for "our internal3 reference purposes 9 2013 Microsoft Corporation :ll rights reser$ed Microsoft3 :cti$e +irector"3 ;ing3 ;i<#alk3 =orefront3 >"per1?3 *nternet @2plorer3 AScript3 SharePoint3 Sil$erlight3 SB) +atabase3 SB) Ser$er3 ?isio3 ?isual ;asic3 ?isual Studio3 6in323 6indo!s3 6indo!s :<ure3 6indo!s *ntune3 6indo!s Po!erShell3 6indo!s Ser$er3 and 6indo!s ?ista are trademarks of the Microsoft group of companies :ll other trademarks are propert" of their respecti$e o!ners

evision !istory
e"ease Date Changes

March 200C 7o$ember 200-

Original release of the :cti$e +irector" Management Pack 5eorgani<ed this guide and added ne! topics :dded scenario impro$ements to the DChanges in #his 4pdateE section 4pdated the guide to reflect support for 6indo!s Ser$er 200- 52 :dded information regarding support for :cti$e +irector" 6eb Ser$ices &:+6S/ and the :cti$e +irector" Management Gate!a" Ser$ice :dded the D:ppendi2: Monitors and O$errides for Management PacksE section 4pdated all configuration steps throughout guide *ntegrated multiple topics related to Client Monitoring into a single topic and placed under Optional Configuration

October 200F

e"ease Date

Changes

Pro$ided detailed steps on enabling 5eplication Monitoring Performance +ata Collection3 !hich is in the Optional Configuration section =i2es to problems reported b" customers: :cti$e +irector" databases larger than H G; reported incorrectl" 20I of the alerts are not triggered due to !rong e$ent *+ mapping Performance data is not collected due to !rong e$ent *+ mapping Performance counter selected b" default is !rong #ime ske! alert is not triggered due to script defect Operation master monitor is broken due to script defect =reJuent operation master alert description misspelled

September 2011

=i2es to architectural issues to facilitate future S"stem Center Operations Manager releases: +isco$er" inter$al for client perspecti$es set to larger $alues +isco$er" scheduler class is used on se$eral disco$eries ?ie!s target a custom :+ +S MP class instead of S"stem @ntit" 5eports target a custom :+ +S MP class instead of S"stem @ntit" Some disco$er" targets !ill not change Properties

March 2012

Corrected some Publisher names &for e2ample3 changed from Publisher7ame,K+C to Publisher7ame,Microsoft16indo!s1 Kerberos1Ke"1+istribution1Center/ 4pdated rules to generate :lerts and not onl" go to the @$ent ?ie!er 5emo$ed unnecessar" check for @$ent Source 7ame for all 7#+S rules &for

e"ease Date

Changes

e2ample3 remo$ed @$entSource7ame,E7#+S GeneralE/ October 2012 +ecember 2012 Corrected e$ent parameter $alidation 4pdated Jueries to search for correct e$ent *+s =i2ed spelling errors :dded missing descriptions to rules =i2ed problems !ith >ealth Monitoring scripts 5emo$ed user name checks from 4seren$ rules

4pdated the guide to reflect support for 6indo!s Ser$er 2012 Product kno!ledge impro$ements @2cessi$e alert fi2es Script error fi2es 5ule error fi2es

=or more details about these fi2es3 see Changes in #his 4pdate October 2013 Product functionalit" impro$ements 7oise reduction fi2es Content Proofing updates Product accessibilit" for customi<ation

Contents
*ntroduction Changes in #his 4pdate Supported Configurations Getting Started ;efore 8ou *mport the Management Pack LH1;it Considerations =iles in #his Management Pack 5ecommended :dditional Management Packs Other 5eJuirements >o! to *mport the :cti$e +irector" Management Pack *nitial Configuration Create a 7e! Management Pack for Customi<ations @nable the :gentPro2"Setting on :ll +omain Controllers Optional Configuration Collecting 5eplication Performance +ata Client Monitoring @nabling :gent1Onl" +isco$er" Placing Monitored ObMects in Maintenance Mode +isabling and @nabling :lerts for 5eports Securit" Considerations 4nderstanding Management Pack Operations 5elationships >o! >ealth 5olls 4p Ke" Monitoring Scenarios Multi1=orest Monitoring 5eplication @ssential Ser$ices #rust Monitoring +irector" Ser$ice :$ailabilit" :cti$e +irector" +atabase Monitoring #ime Ske! Monitoring Operations Master Monitoring :cti$e +irector" 6eb Ser$ice Monitoring +omain Controller Performance ?ie!s C 1L 1C 1C 111F 1F 1F 1F 20 20 22 23 2C 31 32 33 33 3L 3L 3C 33F H0 H. HL HC .2 .3 .. .L .C .C

Configuring #ask Settings :ppendi2: 5eports :ppendi2: 4sing )o!1Pri$ilege :ccounts to 5un Scripts :ppendi2: Monitors and O$errides for Management Packs >o! to ?ie! Management Pack +etails >o! to +ispla" Monitors for a Management Pack >o! to +ispla" O$errides for a Management Pack >o! to +ispla" :ll Management Pack 5ules >o! to +ispla" Monitor #hresholds >o! to +ispla" Performance Collection 5ules )inks

L3 LH LC0 C0 C1 C1 C2 C2 CH CL

#ntroduction
#he :cti$e +irector"N Management Pack pro$ides both proacti$e and reacti$e monitoring of "our :cti$e +irector" deplo"ment *t monitors e$ents that are placed in the :pplication3 S"stem3 and Ser$ice e$ent logs b" $arious :cti$e +irector" components and subs"stems *t also monitors the o$erall health of the :cti$e +irector" s"stem and alerts "ou to critical performance issues #he monitoring pro$ided b" this management pack includes monitoring of the domain controllers and monitoring of health from the perspecti$e of clients utili<ing :cti$e +irector" resources #o monitor the domain controllers3 the :cti$e +irector" Management Pack pro$ides a predefined3 read"1to1run set of processing rules3 monitoring scripts3 and reports that are designed specificall" to monitor the performance and a$ailabilit" of the :cti$e +irector" domain controllers #he client in "our en$ironment might e2perience connecti$it" and ser$ice issues e$en though the domain controller appears to be operating correctl" #he :cti$e +irector" Client Management Pack3 included in the :cti$e +irector" Management Pack files to do!nload3 helps to identif" these issues #his management pack monitors the ser$ices pro$ided b" the domain controller *t pro$ides information in addition to that collected directl" on the domain controller about !hether the" are a$ailable b" running s"nthetic transactions against the director" ser$ice3 such as )ight!eight +irector" :ccess Protocol &)+:P/ binds and )+:P pings *n addition to health monitoring capabilities3 this management pack pro$ides a complete :cti$e +irector" monitoring solution b" monitoring the health of $ital processes that "our :cti$e +irector" deplo"ment depends upon3 including the follo!ing: 5eplication )ight!eight +irector" :ccess Protocol &)+:P/ +omain Controller )ocator #rusts 7et )ogon ser$ice =ile 5eplication Ser$ice &=5S/ *ntersite Messaging ser$ice 6indo!s #ime ser$ice :cti$e +irector" 6eb Ser$ices &:+6S/ :cti$e +irector" Management Gate!a" Ser$ice Ke" +istribution Center &K+C/ Monitoring ser$ice a$ailabilit" Collecting ke" performance data

Pro$iding comprehensi$e reports3 including reports about ser$ice a$ailabilit" and ser$ice health and reports that can be used for capacit" planning 6ith this management pack3 information technolog" &*#/ administrators can automate one1to1 man" management of users and computers3 simplif"ing administrati$e tasks and reducing *#

costs :dministrators can efficientl" implement securit" settings3 enforce *# policies3 and minimi<e ser$ice outages

Document $ersion
#his $ersion of the guide !as !ritten based on the L 0 -22- 0 $ersion of the :cti$e +irector" Management Pack #he guide is updated to indicate support for :+ +S in 6indo!s Ser$er 2012 52 along !ith some changes in functionalit"

Getting the %atest Management Pack and Documentation

8ou can find the :cti$e +irector" Management Pack in the S"stem Center Operations Manager 2012 Catalog &http:''go microsoft com'f!link'()ink*d,-210./

Changes in &his 'pdate

#his section describes the changes made to the :cti$e +irector" Management Pack October 2013 4pdate +ecember 2012 4pdate March 2012 4pdate September 2011 4pdate October 200F 4pdate 7o$ember 200- 4pdate

Octo(er 201) 'pdate

*i+es #mpact

Product functionalit " impro$eme nts Scripts updates

Client GC monitoring is 5OGC a!are

D:+ +atabase =ree SpaceE monitor script updated to fi2 language setting issues 4pdated the :+OClientOConnecti$it" $bs script to honor failure thresholds Changed D:+OClientOSer$erlessO;indE Monitor from !arning to error to reflect the se$erit" of monitor%s unhealth" state :+)ocal+isco$er"+C $bs updated to disco$er +Cs outside of +omain Controller O4 b" remo$ing the +omain Controller O4 lookup 4pdate to monitor 4p'+o!n states of )+:P o$er SS) &port L3L/ on +omain controllers 4pdated :+)ocal+isco$er"+C $bs to disco$er +omain 7aming Master -

*i+es

#mpact

propert" for +Cs in Child +omains 7oise reduction fi2es Content proofing and updates +emoted +omain Controllers are undisco$ered 4pdated the :+OClientOSer$erlessO;ind script to remo$e e2isting errors +isabling and @nabling :lerts for 5eports

Modified default 0*nter$alSeconds0 of 0:+ replication partner op master consistenc" monitor0 to match default intra1site replication schedule &updated from L0 seconds to 300 seconds/ 4pdated the :+ $ie!s to sa" DSer$er 200- and :bo$eE 4pdated the alert information for the alert D:+ cannot update the obMectE !ith useful K; article references 4pdated the alert message for 0:+ Op Master 5esponseE !ith more accurate and detailed message 4pdated the alert message for 0:+ Op Master 5esponseE !ith more accurate and detailed message 4pdated the alert message for 0:+ Op Master 5esponseE !ith more accurate and detailed message

Public :ccessibilit " for customi<ati on

4pdated the follo!ing MPs to gi$e public accessibilit" for customi<ation: Microsoft 6indo!s Ser$er 200- :+ +omainController5ole:ggregates+epre catedMonitors Microsoft 6indo!s Ser$er 200- :+ @ssentialSer$ice 5ollup

Decem(er 2012 'pdate

#he +ecember 2012 update does not include ne! functionalit"3 but it does include se$eral fi2es reJuested b" customers #he follo!ing table lists the updates and their impact #hese fi2es affect domain controllers that run 6indo!s Ser$er 20123 6indo!s Ser$er 200- 523 6indo!s Ser$er 200-3 and 6indo!s Ser$er 2003
*i+es #mpact

Product kno!ledge impro$ements

Client Monitoring alerts identif" problematic domain controllers in the description *nterdomain trust alert identifies !hich trust is broken in the alert description More specific action recommendations added to alert for DCould not determine =SMO role holderE and alert for Ddomain F

*i+es

#mpact

Controller%s Ops Master is inconsistent E Kno!ledge ;ase article information added to alert for D#he :cti$e +irector" database is corrupt E Kno!ledge ;ase article information added to alert for D#!o replication partners ha$e an inconsistent $ie! of the =SMO role holders E Some rules !ith names that begin DClient Side scriptPD but !ere not actuall" e2ecuted b" client1side monitors !ere renamed More specific action recommendation added to description for @$ent *+ 1000 @2cessi$e alert fi2es : duplicate alert that appears !hen a computer authentication fails !as remo$ed 5epetiti$e alerts for 4ser@n$ and 7etlogon !ere replaced !ith a single alert that includes a count of the number of occurrences #he alert for the number of allo!able replication partners !as increased from 100 to the ma2imum number of replication connections #he alert of =SMO role holder a$ailabilit" !as refined so that it is issued less freJuentl" in cases !here operations master role holder is temporaril" una$ailable :cti$e +irector" processor o$erload monitor !as remo$ed because it duplicates an e2isting monitor in the operating s"stem management pack +uplicate alerts for K+C errors and trust $erification failures !ere remo$ed *nformational alert !as disabled for rule D#he default securit" settings for the 7#=S file s"stems ha$e not been applied to :cti$e +irector" director" folders E Script error fi2es Multiple script errors !ere fi2ed to impro$e :cti$e +irector" site topolog" disco$er"3 +7S $erification3 operation master role disco$er"3 10

,ote
*i+es #mpact

and other impro$ements 5ule error fi2es Multiple rule errors !ere fi2ed to impro$e error handling3 e$ent logging3 and ser$er state reporting

March 2012 'pdate

#he March 2012 update does not include ne! functionalit"3 but it does include se$eral fi2es reJuested b" customers #he follo!ing table lists the updates and !hich operating s"stem monitoring rules are impacted #he guide !as also updated in October 2012 to reflect that it applies to running :+MP on 6indo!s Ser$er 2012 domain controllers
*i+ Operating system monitoring ru"es impacted

Corrected some Publisher names &for e2ample3 changed from Publisher7ame,K+C to Publisher7ame,Microsoft16indo!s1Kerberos1 Ke"1+istribution1Center/ 4pdated se$eral important rules to generate :lerts and not onl" go to the @$ent ?ie!er

6indo!s Ser$er 200- and later

6indo!s Ser$er 200- and later

5emo$ed unnecessar" check for @$ent Source 6indo!s Ser$er 2003 and later 7ame for all 7#+S rules &for e2ample3 remo$ed @$entSource7ame,E7#+S GeneralE/ Corrected e$ent parameter $alidation 4pdated some Jueries to search for correct e$ent *+s =i2ed spelling errors :dded missing descriptions to se$eral rules =i2ed se$eral problems !ith >ealth Monitoring scripts 5emo$ed user name checks from 4seren$ rules 6indo!s Ser$er 2003 and later 6indo!s Ser$er 2003 and later 6indo!s Ser$er 2003 and later 6indo!s Ser$er 2003 and later 6indo!s Ser$er 2003 and later 6indo!s Ser$er 2003

11

Septem(er 2011 'pdate

#he September 2011 update includes fi2es to problems and deprecation of certain rules3 monitors3 and disco$eries *i+es #his table lists the fi2es to problems reported b" users and other architectural fi2es and ho! the" can affect "our en$ironment
*i+ #mpact

:cti$e +irector" databases larger than H G; reported incorrectl"

#his pre$ents incorrect logging of @$ent *+ 333 !ith the follo!ing te2t:
AD Database and Log: Free space (KB) on drive is lower than the required reserved space for AD Log file. !""""" KB#tes. t should be at least

20I of the alerts are not triggered due to !rong e$ent *+ mapping

#his pre$ents se$eral e$ent1dri$en rules from breaking due to using the old e$ent sources from 6indo!s Ser$er 2003 in their e$ent rules rather than the ne! e$ent sources for 6indo!s Ser$er 200- and 6indo!s Ser$er 200- 52 Pre$ents the follo!ing alert caused b" rules that fail to collect performance data on domain controllers that run 6indo!s Ser$er 200-:
n $erfData%ource& could not find counter '(D%& D)A nbound B#tes 'ot *o+pressed

Performance data is not collected due to !rong e$ent *+ mapping

(,ithin %ite)-sec& in %napshot. .nable to sub+it $erfor+ance value. /odule will not be unloaded.

Performance counter selected b" default is !rong #ime ske! alert is not triggered due to script defect

=i2es problems that pre$ented 5eplication )atenc" Performance data from appearing Matches the names of arguments in a function in :+O#imeOSke! $bs to $ariables passed to )ogScript@$ent to enable e$ents related to time ske! to be created as designed Corrected a $ariable name in the +isco$er" script so the +7S 7aming Master propert" is disco$ered correctl" for proper Operations Master Consistenc" monitoring Corrected misspelling of Dinconsistent E 12

Operation master monitor is broken due to script defect

=reJuent operation master alert description

*i+

#mpact

misspelled +isco$er" inter$al for client perspecti$es set to larger $alues +isco$er" inter$al for client perspecti$es had an inter$al set too high3 !hich could cause performance issues that could block installation of an updated management pack Some !orkflo!s use S"stem Scheduler instead of S"stem +isco$er" Scheduler #his could ha$e blocked installation of an updated management pack #his could ha$e blocked installation of an updated management pack #his problem could cause bad performance for organi<ations !ith man" domain controllers

+isco$er" scheduler class is not used on se$eral disco$eries ?ie!s target a custom :+ +S MP class instead of S"stem @ntit" 5eports target a custom :+ +S MP class instead of S"stem @ntit" Some disco$er" targets !ill not change Properties Deprecated ru"es- monitors- and discoveries

#he follo!ing rules3 monitors3 and disco$eries !ere deprecated in $ersion L 0 C0L. 1 =or 6indo!s 2000 Ser$er: :+ @nterprise )icense +isco$er" &deprecated/ )icense +isco$er" for Microsoft 6indo!s Ser$er :+ &+eprecated/ )icense +isco$er" for Microsoft 6indo!s Ser$er :+ &+eprecated/ =or 6indo!s Ser$er 2003: =or 6indo!s Ser$er 200-: #he follo!ing common monitors !ere replaced !ith a separate rule for 6indo!s Ser$er 2003 and 6indo!s Ser$er 200- instead of sharing a common monitor: :+ +C Performance Collection 1 Metric 7#+S +5: *nbound ;"tes Compressed &;et!een Sites3 ;efore Compression/'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S +5: *nbound ;"tes Compressed &;et!een Sites3 :fter Compression/'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S +5: *nbound ;"tes 7ot Compressed &6ithin Site/'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S +5: *nbound ;"tes #otal'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S +5: *nbound ;"tes Compressed &;et!een Sites3 :fter Compression/'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S +5: Outbound ;"tes Compressed &;et!een Sites3 :fter Compression/'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S +5: Outbound ;"tes Compressed &;et!een Sites3 ;efore Compression/'sec &+eprecated/ 13

 :+ +C Performance Collection 1 Metric 7#+S +5: Outbound ;"tes 7ot Compressed &6ithin Site/'sec &+eprecated/ :+ +C Performance Collection 1 Metric 7#+S 55: Outbound ;"tes #otal'Sec &+eprecated/ emove .indo/s 2000 MPs #he 6indo!s 2000 Ser$er monitoring management pack has been remo$ed as of this release of the :cti$e +irector" Management Pack 6indo!s 2000 Ser$er is no longer a supported product #ncrease Script &ime0Outs Man" scripts in the :cti$e +irector" Management Pack ha$e time1out $alues that ma" cause the script to be terminated prematurel" b" the agent *f freJuent time1outs are occurring in "our en$ironment3 consider increasing the amount of time that the script is allo!ed to e2ecute Missing 5oll14ps #he follo!ing monitors do not roll up to a standard aggregate monitor3 and thus !ill not be included in the o$erall health status of the ser$er: 1 Microsoft 6indo!s Ser$er :+ 2003 Monitoring Management Pack: 0 AD )eplication /onitoring 0 All of the replication partners failed to replicate. 2 Microsoft 6indo!s Ser$er :+ 200- Monitoring Management Pack: 0 AD )eplication /onitoring 0 All of the replication partners failed to replicate. Mismatched A"ert Severity :lerts raised b" the :+ Client Ser$erless ;ind Monitor do not match the state of the monitor !hen an error condition is detected #he monitor !ill raise an alert !ith a se$erit" of @rror3 !hile the monitor !ill be in the 6arning state 'ndocumented Overrides
/icrosoft.,indows.%erver.AD.Do+ain*ontroller.D)A ntersite1utB#tes.*ollection.1verride.)1D *2roup /icrosoft.,indows.%erver.AD.Do+ain*ontroller.D)A1utboundB#tes*o+p.*ollection.1verride.)1D *2roup /icrosoft.,indows.%erver.AD.Do+ain*ontroller.D)A1utboundB#tes'ot*o+p.*ollection.1verride. )1D*2roup /icrosoft.,indows.%erver.AD.Do+ain*ontroller.D)A1utboundB#tes(otal.*ollection.1verride.)1 D*2roup

#hese o$errides disabled the follo!ing replication performance counter rules for 6indo!s Ser$er 200- and 6indo!s Ser$er 200- 52 5ead1Onl" +omain Controllers: :+ 200- +C Performance Collection 1 Metric 7#+S +5: Outbound ;"tes Compressed &;et!een Sites3 :fter Compression/'sec :+ 200- +C Performance Collection 1 Metric 7#+S +5: Outbound ;"tes Compressed &;et!een Sites3 ;efore Compression/'sec 1H

:+ 200- +C Performance Collection 1 Metric 7#+S +5: Outbound ;"tes 7ot Compressed &6ithin Site/'sec :+ 200- +C Performance Collection 1 Metric 7#+S 55: Outbound ;"tes #otal'Sec Scripts /ith Synta+ 1rrors #he :+ClientPerspecti$e $bs script used b" the :+ Client Monitoring +isco$er" contains a script error and !ill not e2ecute !hen run

Octo(er 2002 'pdate

#he October 200F re$ision of the :cti$e +irector" Management Pack includes the follo!ing additions: Support for monitoring 6indo!s Ser$erN 200- 52 ser$er operating s"stems as !ell as 6indo!sN C client operating s"stems Support for monitoring the :cti$e +irector" 6eb Ser$ice &:+6S/ in 6indo!s Ser$er 200- 52 as !ell as the :cti$e +irector" Management Gate!a" Ser$ice in 6indo!s Ser$er 200- and 6indo!s Ser$er 2003

,ovem(er 2003 'pdate

#he 7o$ember 200- update of the :cti$e +irector" Management Pack includes the follo!ing scenario impro$ements Scenario #mprovement 6indo!s Ser$er 200- disco$er" for !riteable domain controllers and read1onl" domain controllers &5O+Cs/ Description +isco$er" of the follo!ing obMects for a 6indo!s Ser$er 200- domain controller: domains3 forests3 sites3 site links3 5O+C3 primar" domain controller &P+C/ emulator3 relati$e *+ &5*+/ master and infrastructure master and connection obMects #he multiple S): function is performed b" creating a group and adding computers to it and then setting an o$erride for the replication monitoring script that is pregroup :cti$e +irector" Multiple =orests #opolog" +isco$er" is a ne! feature in this management pack that !as added to pro$ide feature parit" !ith the :cti$e +irector" Management Pack for Microsoft Operations Manager &MOM/ 200. !ith Ser$ice Pack 1 &SP1/ *n both :cti$e +irector" management packs for Operations Manager 200. &SP1/ and 1.

6indo!s Ser$er 200- replication monitoringQ multiple ser$ice le$el agreements &S):s/3 enhanced !orkflo!3 and ne! essential ser$ices &=ile 5eplication Ser$ice &=5S/3 +istributed =ile S"stem 5eplication &+=S5/3 and 7#+S/ Multiple forest topolog" disco$er" and $ie!s

Operations Manager 200C &SP1/3 to disco$er other forests3 a trust relationship is reJuired bet!een the forest hosting the Operations Manager 5oot Management Ser$er &5MS/ and other forests =orests that ha$e a t!o1!a" transiti$e trust !ith the 5MS forest !ill be disco$ered #he follo!ing obMects !ill be created and displa"ed in the #opolog" $ie!s: =orest3 +omain3 Site3 Site )ink3 and 5eplication Connection 7e! essential ser$ices roll1up models for 6indo!s Ser$er 200- and 6indo!s Ser$er 2003 #he @ssential Ser$ice health state roll1up !as redesigned in :cti$e +irector" Management Pack for Operations Manager 200C SP1 for t!o reasons:

#o add an O$erall @ssential Ser$ice state as the parent health state for all the @ssential Ser$ices and to present a correct hierarchical entit" relationship for +C :$ailabilit"3 O$erall @ssential Ser$ices3 and indi$idual @ssential Ser$ices #o accuratel" reflect the dependencies for four essential ser$ices: S"s?ol3 +istributed =ile S"stem &+=S/3 7et)ogon3 and +C)ocator
*mplement ne! reports +omain Changes and S"nchronous :ccess Mode &S:M/ :ccount Changes for 6indo!s Ser$er 20003 6indo!s Ser$er 20033 and 6indo!s Ser$er 200-

Supported Configurations
#he :cti$e +irector" Management Pack for Microsoft S"stem Center Operations Manager 2012 and S"stem Center Operations Manager 200C is supported on the configurations in the follo!ing table
Configuration Supported4

6indo!s Ser$er 2012 52 6indo!s Ser$er 2012 6indo!s Ser$er 200- 52

8es 8es 8es 1L

#mportant
Configuration

,ote
Supported4

6indo!s Ser$er 2006indo!s Ser$er 2003 52 6indo!s Ser$er 2003 6indo!s Ser$er 2000 ?irtual en$ironment Clustered ser$ers 6riteable domain controllers 5ead1onl" domain controller &5O+C/ +omain member computers and ser$ers :gentless monitoring Stand1alone or !orkgroup member computers

8es 8es 8es 8es 8es 8es 8es 8es 8es 7o 7o

Migration from Microsoft Operations Manager &MOM/ 200. to S"stem Center Operations Manager 200C is not supported3 but a side1b"1side installation of these t!o products is supported :ll support is subMect to the Microsoft o$erall >elp and Support life c"cle &http:''go microsoft com'f!link'()inkid,2L13H/ and the Operations Manager 200C 52 Supported Configurations &http:''go microsoft com'f!link'()inkid,F0LCL/ document #he step1b"1step procedures in this guide are based on the S"stem Center Operations Manager 200C 52 user interface #he actual steps ma" $ar" if "ou are using the S"stem Center Operations Manager 200C Ser$ice Pack 1 user interface

Getting Started
#his section describes the actions that "ou should take before "ou import the management pack3 an" steps that "ou should take after "ou import the management pack3 and information about customi<ations

5efore 6ou #mport the Management Pack

;efore "ou import the :cti$e +irector" Management Pack3 note the follo!ing limitations of the management pack: #here is no support for agentless monitoring

1C

 #here is support for monitoring across multiple forests >o!e$er3 there are special considerations !hen "ou configuring in this en$ironment3 !hich are outlined in the Multi1 =orest Monitoring section of this document #here are limitations !hen running Microsoft Operations Manager 200. simultaneousl" !ith Operations Manager 200C on domain controllers running the 2LH1based $ersions of 6indo!s Ser$er 2003 #hese limitations are outlined in the LH1;it Considerations section of this document ;efore "ou import the :cti$e +irector" Management Pack3 take the follo!ing actions: @nsure that "ou imported the Microsoft 6indo!s Ser$er )ibrar" from the 6indo!s Ser$er Operating S"stem Management Pack for Operations Manager 200C &at least $ersion L 0 LLLC 0/ ?erif" that each domain controller and client computer that "ou plan to monitor has an agent installed *f "ou plan to use the :cti$e +irector" Client Management Pack3 deplo" it on computers that are running director"1enabled applications3 such as Microsoft @2change Ser$er 2000 and Microsoft @2change Ser$er 2003

7805it Considerations
*f "ou install a Microsoft S"stem Center Operations Manager 200C Ser$ice Pack 1 &SP1/ agent on a domain controller that is running a LH1bit ser$er $ersion of 6indo!s and the computer alread" has a Microsoft Operations Manager &MOM/ 200. agent installed3 the Operations Manager 200C SP1 agent replaces the 321bit :cti$e +irector" helper obMect &OOM:+S/ that the MOM 200. agent uses #he result is that alerts3 issued b" the :cti$e +irector" Management pack3 are generated in the MOM 200. Operations Console3 for e2ample:
Failed to create the ob3ect 4/cActiveDir.ActiveDirector#5. (his is an une6pected error. (he error returned was 4(he specified +odule could not be found.5 ("67""8""89)

#o resol$e the issues in these alerts3 appl" the hotfi2 as described in article F.L1-H in the Microsoft Kno!ledge base &http:''go microsoft com'f!link'()ink*d,1L.L2-/

*i"es in &his Management Pack

#o monitor the director"3 "ou must first do!nload the :cti$e +irector" Management Pack from the S"stem Center Operations Manager 200C Catalog &http:''go microsoft com'f!link'( )ink*d,-210./ #he :cti$e +irector" Management Pack includes the follo!ing files: Microsoft 6indo!s Ser$er :+ 2000 +isco$er" Microsoft 6indo!s Ser$er :+ 2000 Monitoring Microsoft 6indo!s Ser$er :+ 2003 +isco$er" Microsoft 6indo!s Ser$er :+ 2003 Monitoring Microsoft 6indo!s Ser$er :+ 200- +isco$er" Microsoft 6indo!s Ser$er :+ 200- Monitoring Microsoft 6indo!s Ser$er :+ )ibrar" 1-

#mportant ,otes Microsoft 6indo!s Ser$er :+ ClientMonitoring 5egardless of the net!ork en$ironment3 all of the :cti$e +irector" management pack disco$er" files must be imported for the :cti$e +irector" Management Pack to monitor replication properl"

ecommended Additiona" Management Packs

:lthough no further management packs are reJuired for the :cti$e +irector" Management Pack to perform3 the follo!ing management packs might be of interest because the" complement the :cti$e +irector" monitoring ser$ices: 6indo!s Ser$er +7S 2000'2003'200- Management Pack for Operations Manager 200C =ile 5eplication Ser$ice and +istributed =ile S"stem 5eplication Management Packs 6indo!s Ser$er 2003'200- Group Polic"

Other e9uirements
#he :cti$e +irector" >elper ObMect &$ersion 1 0 33 also referred to as OOM:+S/ must be installed for the Operations Manager 200. agent running on LH1bit domain controllers #he Operations Manager 200. agent contains the 321bit $ersion of the :cti$e +irector" >elper ObMect &$ersion 1 0 33 also referred to as OOM:+S/3 and the Operations Manager 200C LH1bit agent cannot use the 321bit OOM:+S =or more information3 see the LH1;it Considerations section of this document

!o/ to #mport the Active Directory Management Pack

=or instructions about importing a management pack3 see >o! to *mport a Management Pack in Operations Manager 200C &http:''go microsoft com'f!link'()ink*+,F-3H-/ *f "ou import a management pack using a 6indo!s *nstaller file on a LH1bit 6indo!s operating s"stem3 "ou ma" find that the management pack is installed to the Is"stemdri$eIRProgram =iles &2-L/RS"stem Center Operations Manager folder instead of to the default location of the Is"stemdri$eIRProgram =ilesRS"stem Center Operations Manager folder

#nitia" Configuration
:fter the :cti$e +irector" Management Pack is imported3 follo! these procedures to finish "our initial configuration: 1 2 Create a ne! management pack in !hich to store o$errides and other customi<ations @nable the :gent Pro2" setting on all domain controllers 1F

&o create a ne/ management pack for overrides

Create a ,e/ Management Pack for Customi:ations

Most $endor management packs are sealed so that "ou cannot change an" of the original settings in the management pack file >o!e$er3 "ou can create customi<ations3 such as o$errides or ne! monitoring obMects3 and sa$e them to a different management pack ;" default3 Operations Manager 200C sa$es all customi<ations to the default management pack :s a best practice3 "ou should instead create a separate management pack for each sealed management pack "ou !ant to customi<e Creating a ne! management pack for storing o$errides has the follo!ing ad$antages: *t simplifies the process of e2porting customi<ations that !ere created in "our test and pre1production en$ironments to "our production en$ironment =or e2ample3 instead of e2porting a default management pack that contains customi<ations from multiple management packs3 "ou can e2port Must the management pack that contains customi<ations of a single management pack *t allo!s "ou to delete the original management pack !ithout first needing to delete the default management pack : management pack that contains customi<ations is dependent on the original management pack #his dependenc" reJuires "ou to delete the management pack !ith customi<ations before "ou can delete the original management pack *f all of "our customi<ations are sa$ed to the default management pack3 "ou must delete the default management pack before "ou can delete an original management pack *t is easier to track and update customi<ations to indi$idual management packs =or more information about sealed and unsealed management packs3 see Management Pack =ormats &http:''go microsoft com'f!link'()ink*d,10-3../ =or more information about management pack customi<ations and the default management pack3 see :bout Management Packs in Operations Manager 200C &http:''go microsoft com'f!link'()ink*d,10-3.L/ #o perform the procedures in this section3 "ou must be a member of the Operations Manager :dministrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 On "our management ser$er3 click Start3 t"pe Operations Conso"e3 and then click the Operations Conso"e 2 3 H *n the na$igation pane3 click Administration 5ight1click Management Packs3 and then click Create ,e/ Management Pack *n ,ame3 t"pe a name &for e2ample3 :+MP Customi<ations/3 and then click ,e+t

. Click Create :fter the ne! management pack is created3 it appears in the Management Packs pane

1na("e the AgentPro+ySetting on A"" Domain Contro""ers

@nabling the :gent Pro2" makes it possible for each domain controller to disco$er the connection obMect to other domain controllers Connection obMects are hosted b" the forest3 and the forest is 20

&o discover domain contro""ers disco$ered b" the topolog" disco$er"3 !hich is run on the Operations Manager 200C root management ser$er #o perform the procedures in this section3 "ou must be a member of the Operations Manager :dministrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 *n the Operations console3 click Administration

2 *n the na$igation pane3 right1click Agent Managed3 and then click Discovery .i:ard 3 *n the Computer and +e$ice Management 6i<ard3 on the .hat /ou"d you "ike to manage4 page3 ensure that .indo/s computers is selected3 and then click ,e+t H On the Auto or Advanced4 page3 select the t"pe of disco$er" and the t"pe of computers that "ou !ant the management ser$er to use :n" disco$er" method should be able to locate the domain controllers Click ,e+t . On the Discovery Method page3 select one of the follo!ing options: Scan Active Directory or 5ro/se for- or type0in computer names *f "ou select Scan Active Directory3 "ou click the Configure button3 and then "ou use the *ind Computers dialog bo2 to search for the computers that "ou !ant to be disco$ered *f "ou select 5ro/se for- or type in computer names3 "ou click the 5ro/se button3 and then "ou use the Se"ect Computers dialog bo2 to locate specific computers 8ou can use both methods to produce a list of computers to be disco$ered Select the method that "ou !ant to use3 and then click ,e+t #mportant #he account that "ou select to use for bro!sing !ill also be used for installing the agent on the disco$ered computers #herefore3 ensure that "ou use an account that has permissions to install soft!are on the domain controllers that "ou !ant to disco$er L On the Administrator Account page3 "ou can determine !hich account "ou !ant to use to disco$er the client computers :fter "ou select the account that "ou !ant to use3 click Discover C On the Se"ect O(<ects to Manage page3 the disco$er" results are displa"ed 4se the check bo2es to select the computer or computers that "ou !ant to configure for management3 and then click ,e+t - On the Summary page3 "ou can set the agent installation director" or "ou can accept the default :lso3 "ou can determine the credentials that "ou !ant to use on the computer to run the management agent3 or "ou can accept the %oca" System account as the default 6hen "ou are read" to install the agent on the selected computer3 click *inish F :fter the installation is complete3 "ou see the Agent Management &ask Status dialog bo23 !hich indicates the success of installation *f there are an" problems !ith the 21

&o ena("e the Agent Pro+y setting on a"" domain contro""ers installation3 "ou can use the information in the dialog bo2 to help resol$e the problems Click C"ose 1 2 3 H *n the Operations Conso"e3 click Administration *n the na$igation pane3 click Agent Managed +ouble1click a domain controller in the list Click the Security tab ,otes *f "ou do not !ant to change this securit" setting or if "ou do not need to disco$er connection obMects3 disable :+ 5emote #opolog" +isco$er" b" using an o$erride: a b c d *n the Operations Console3 click Authoring3 and then click O(<ect Discoveries *n the Operations Console toolbar3 click Scope *n the Scope Management Pack O(<ects dialog bo23 click $ie/ a"" targets Click Active Directory Connection O(<ect3 and then click O=

e #he AD emote &opo"ogy Discovery obMect is in the O(<ect Discoveries pane 5ight1click the obMect3 click Overrides3 and then click the o$erride option that "ou !ant to implement . Click A""o/ this agent to act as a pro+y and discover managed o(<ects on other computers L 5epeat steps 3 through . for each domain controller

Optiona" Configuration
#here are se$eral items in the :cti$e +irector" Management Pack &:+MP/ that "ou ha$e the option to configure =or e2ample3 "ou can configure the thresholds in multiple monitors to change alert criteria #his section includes information about the follo!ing optional configurations: 1 2 3 H . Collecting 5eplication Performance +ata Client Monitoring @nabling :gent1Onl" +isco$er" Placing Monitored ObMects in Maintenance Mode +isabling and @nabling :lerts for 5eports

:lso3 in the Ke" Monitoring Scenarios section3 there are multiple scenarios that pro$ide additional configuration information3 as sho!n in the follo!ing table

22

,ote
Section

Caution
Configuration

5eplication +irector" Ser$ice :$ailabilit"

Ma2imum number of replication partners Ma2imum number of failed )ight!eight +irector" :ccess Protocol &)+:P/ reJuests Ma2imum number of failed global catalog search reJuests Global catalog search time

#ime Ske! Monitoring Operations Master Monitoring

Setting a manual time source )ast bind monitor threshold

Co""ecting ep"ication Performance Data

Please note that currentl" 5eplication Monitoring is not applicable to 5ead Onl" +omain Controllers &5O+C/ Setting up replication monitoring on an 5O+C !ill generate significant alerts and errors *f "ou !ant to monitor and report :cti$e +irector" replication performance3 there is some additional configuration to do 5eplication monitoring performance collection is not enabled b" default because the performance reduction can be significant if replication data is collected automaticall" for e$er" domain controller #o enable replication performance collection3 complete the follo!ing manual tasks: 1 2 Configure replication performance collection groups Configure o$errides for each applicable monitor

:fter "ou enable 5eplication Performance Collection on a set of domain controllers3 replication for each domain controller that is a member of sources group is monitored to each domain controller that is a member of the targets group =or e2ample3 consider the case of four domain controllers named +C13 +C23 +C33 and +CH *f +C1 and +C2 are made members of the sources group and +C3 and +CH are made members of the targets group3 replication performance is monitored as sho!n in the follo!ing list: +C1 to +C3 +C2 to +C3 +C1 to +CH +C2 to +CH

Creating

ep"ication Performance Co""ection Groups

Configuring the :+ 5eplication Monitoring Performance Collection &Source/ and :+ 5eplication Monitoring Performance Collection &#argets/ performance rules to gather data for all obMects might affect "our s"stem performance3 depending on the number of domain controllers in "our enterprise #o reduce the likelihood of affecting s"stem performance3 23

Create and configure the AD group

ep"ication Performance Monitoring Performance Monitoring Co""ection >&argets? >Sources?

choose onl" the Source and #arget domain controllers for !hich "ou !ant to carefull" monitor replication #o perform the procedures in this section3 "ou must be a member of the Operations Manager Administrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 2 *n the Operations console3 click Authoring *n the na$igation pane3 click Groups

3 *n the Actions pane3 click Create a ,e/ Group3 !hich starts the Create Group .i:ard H On the 1nter the ,ame and Description for the ne/ Group page3 in ,ame3 t"pe AD ep"ication Monitoring Performance Co""ection >Sources? Group :s an option3 "ou ma" enter a description in Description ,ote #he actual name of the group is up to the person !ho creates it )ater steps ask that "ou filter the a$ailable groups using D&Sources/E as part of the name filter #herefore3 !e recommend that "ou at least include D&Sources/E as part of the group name . *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click ,e+t L On the Choose Mem(ers from a %ist page3 in 1+p"icit Group Mem(ers >optiona"?3 click Add@ emove O(<ects #he Create Group .i:ard A O(<ect Se"ection dialog bo2 opens C Set Search for to .indo/s Domain Contro""er :s an option3 "ou can use *i"ter (y part of name >optiona"? to enter a part of the name of the domain controller that "ou !ant to add Click Search - *n Avai"a("e items3 select the domain controllers that "ou !ant to configure for the sources group3 click Add3 and then click O= ,ote #here are additional methods for configuring group members3 such as Dynamic Mem(ers3 Su(groups3 and 1+c"uded Mem(ers :lthough the procedures for using these methods are not pro$ided in this section3 "ou ma" decide to use them #o learn more about these methods3 click !e"p in the Create Group .i:ard dialog bo2 F 1 Click ,e+t three times3 and then click Create *n the Operations console3 ensure that Authoring is selected 2H

Configure an override to co""ect performance data from the rep"ication sources 2 *n the na$igation pane3 ensure that Groups is selected

3 *n the Actions pane3 click Create a ,e/ Group3 !hich starts the Create Group .i:ard H On the 1nter the ,ame and Description for the ne/ Group page3 in ,ame3 t"pe AD ep"ication Monitoring Performance Co""ection >&argets? Group :s an option3 "ou ma" enter a description in Description ,ote #he actual name of the group is up to the person !ho creates it )ater steps ask that "ou filter the a$ailable groups using D&#argets/E as part of the name filter #herefore3 !e recommend that "ou at least include D&#argets/E as part of the group name . *n Se"ect destination management pack3 select the management pack that "ou created for :+MP customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click ,e+t L On the Choose Mem(ers from a %ist page3 in 1+p"icit Group Mem(ers >optiona"?3 click Add@ emove O(<ects #he Create Group .i:ard A O(<ect Se"ection dialog bo2 opens C Set Search for to .indo/s Domain Contro""er :s an option3 "ou can use *i"ter (y part of name >optiona"? to enter a part of the name of the domain controller that "ou !ant to add Click Search - *n Avai"a("e items3 select the domain controllers that "ou !ant to configure for the targets group3 click Add3 and then click O= F Click ,e+t three times3 and then click Create

Configuring Overrides to 1na("e ep"ication Monitoring Performance Co""ection

#o make it possible for the performance collection scripts in the :+MP to use the source and target groups that "ou created in the pre$ious section3 "ou must enable an o$erride to the applicable monitors for the domain controllers in "our en$ironment 1 2 *n the Operations console3 ensure that Authoring is selected *n the na$igation pane3 click ,ote *f "ou do not see the rules3 check that the scope is set to include Active Directory Domain Contro""er Server 2000 Computer o"e 3 Active Directory Domain Contro""er Server 200) Computer o"e3 and Active Directory Domain Contro""er Server 2003 Computer o"e b" clicking Scope in the Operations console toolbar 2. u"es

Configure an override to co""ect performance data from the rep"ication targets 3 *n the u"es pane3 in %ook for3 t"pe >Sources?3 and then click *ind ,o/ #here should be onl" a fe! rules displa"ed ,ote *f "ou do not see %ook for3 ensure that *ind is selected in the Operations console toolbar H 5ight1click the AD ep"ication Monitoring Performance Co""ection >Sources? rule that is subordinate to the Active Directory Domain Contro""er Server 2000 Computer o"e monitor3 click Overrides3 click Override the u"e3 and then click *or a group . *n the Se"ect O(<ect dialog bo23 in &e+t string3 t"pe >Sources? #he list of matching obMects should be reduced considerabl" Click the group that "ou created pre$iousl" to contain the source domain controllers to be used for replication performance data collection #he suggested name !as :+ 5eplication Monitoring Performance Collection &Sources/ Group ,ote 4sing the te2t filter &Sources/ in this step assumes that "ou follo!ed the naming suggestion earlier3 !hich !as to use &Sources/ as part of the group name *f "ou did not use &Sources/ as part of the group name3 "ou should not use the te2t filter &Sources/ *nstead3 locate the group b" scrolling through the list of groups or using an appropriate string for the group name that "ou created for the domain controller sources L *n the Override Properties dialog bo23 select the Override bo2 that corresponds to 1na("ed in the Parameter ,ame column C *n the Override $a"ue column3 set the $alue to &rue - Select the check bo2 in the 1nforced column for the ro! of $alues that "ou Must configured F #he Se"ect destination management pack option should alread" be configured for the management pack that "ou set in the pre$ious section Click O= 10 5epeat steps H through F for the AD ep"ication Monitoring Performance Co""ection >Sources? rules that are subordinate to the follo!ing monitors: 1 2 :cti$e +irector" +omain Controller Ser$er 2003 Computer 5ole :cti$e +irector" +omain Controller Ser$er 200- Computer 5ole

*n the Operations console3 ensure that Authoring is selected *n the na$igation pane3 click u"es

3 *n the u"es pane3 in %ook for3 t"pe >&argets?3 and then click *ind ,o/ #here should be onl" a fe! rules displa"ed no!3 one for each operating s"stem t"pe that "ou selected pre$iousl" H 5ight1click the AD ep"ication Monitoring Performance Co""ection >&argets? rule that is subordinate to the Active Directory Domain Contro""er Server 2000 Computer o"e monitor3 click Overrides3 click Override the u"e3 and then click *or a group 2L

. *n the Se"ect O(<ect dialog bo23 in &e+t string3 t"pe >&argets? and the list of matching obMects should be considerabl" reduced Click the group that "ou created pre$iousl" for the target domain controllers to be used for replication performance data collection #he suggested name !as :+ 5eplication Monitoring Performance Collection &#argets/ Group ,ote 4sing the te2t filter &#argets/ in the pre$ious step assumes that "ou follo!ed the naming suggestion earlier to use &#argets/ as part of the group name *f "ou did not use &#argets/ as part of the group name3 "ou should not use the te2t filter &#argets/ *nstead3 locate the group b" scrolling through the list or using an appropriate string for the group name that "ou created for the domain controller targets L *n the Override Properties dialog bo23 select the Override bo2 that corresponds to 1na("ed in the Parameter ,ame column C *n the Override $a"ue column3 set the $alue to &rue - Select the check bo2 in the 1nforced column for the ro! of $alues that "ou Must configured F Se"ect destination management pack should alread" be configured for the management pack that "ou set in the pre$ious section Click O= 10 5epeat steps H through F for the AD ep"ication Monitoring Performance Co""ection >&argets? rules that are subordinate to the follo!ing monitors: :cti$e +irector" +omain Controller Ser$er 2003 Computer 5ole :cti$e +irector" +omain Controller Ser$er 200- Computer 5ole

:cti$e +irector" replication monitoring performance data collection is no! enabled *n appro2imatel" 2H hours3 "ou should see data appearing in the Operations console under Monitoring3 Microsoft .indo/s Active Directory3 and ep"ication Monitoring in the ep"ication %atency obMect

C"ient Monitoring
#he Client Monitoring Management Pack deplo"s a set of rules and monitors to a computer that represents an :cti$e +irector" client #hese rules and monitors pro$ide monitoring data3 such as connecti$it"3 latenc" and a$ailabilit"3 from the perspecti$e of the client 8our monitoring needs dictate !here "ou decide to place the :cti$e +irector" client and ho! man" clients "ou choose 6hen "ou make "our decision3 consider the follo!ing factors: Ser$ers that ha$e applications that depend on :cti$e +irector" +omain Ser$ices &:+ +S/3 such as computers running Microsoft @2change Ser$er3 are good candidates for client monitoring #he :cti$e +irector" client1monitoring measurements include net!ork time #herefore3 measurements differ3 depending on !here "our client computer is located 4se information about net!ork speeds to place :cti$e +irector" client monitoring on computers in strategic 2C

Caution

&o add a computer to the AD C"ient Monitoring Discovery ru"e

locations =or e2ample3 if "ou ha$e a branch office that is connected to a domain controller !ith a #1 connection3 "ou !ould probabl" use client monitoring on one of the branch office computers to monitor the e2perience for the users !ho are connected !ith the #1 connection Client monitoring generates o$erhead and should not be used for e$er" :cti$e +irector" client in an installation *nstead3 turn it on for selected computers that gi$e "ou a representati$e picture of the en$ironment =or e2ample3 "ou might perform client monitoring from one ser$er in a branch office3 or "ou might pick one ser$er per @2change Ser$er deplo"ment

Configuration
:fter "ou import the :cti$e +irector" Client Management pack3 client monitoring is performed on computers that "ou add to the AD C"ient Monitoring Discovery rule 8ou should create a specific group in Microsoft S"stem Center Operations Manager 200C to use for monitoring replication :dd to that group onl" a select number of computers that "ou !ant to monitor #o learn about creating groups in Operations Manager 200C3 see Creating and Managing Groups &http:''go microsoft com'f!link'()ink*d,1LL0HC/ +o not enable client monitoring on all "our member ser$ers or desktop client computers running 6indo!s *f "ou ha$e too man" clients running transactions onl" for the sake of monitoring3 "ou can degrade the performance of "our :cti$e +irector" deplo"ment #o perform the procedures in this section3 "ou must be a member of the Operations Manager Administrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 2 *n the Operations Conso"e3 click Authoring @2pand Management Pack O(<ects3 and then click O(<ect Discoveries

3 *n the O(<ect Discoveries pane3 right1click AD C"ient Monitoring Discovery3 click Overrides3 click Override the O(<ect Discovery3 and then click *or a group ,ote *f "ou do not see the rule3 check that "our scope is set to include Active Directory C"ient Perspective b" clicking the Scope in the Operations Conso"e toolbar H *n the Se"ect O(<ect dialog bo23 click the group of computers that "ou ha$e created for the purpose of client monitoring3 and then click O= . *n the Override Properties dialog bo23 ensure that the Override bo2 that corresponds to 1na("ed in the Parameter ,ame column is selected3 and then change Override $a"ue to &rue L *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 2-

C"ient Monitoring Modes

:fter it is deplo"ed correctl"3 client monitoring runs in one of four modes #he default mode is &3/ )ocal Site Mode >o!e$er3 the administrator can select a mode for each computer that is running client monitoring #he follo!ing table lists the four client monitoring modes
Mode &ype Description

=ull

:ll domain controllers in the same domain as the client computer !ill be monitored 7o additional configuration is necessar" #he client automaticall" disco$ers all the domain controllers in its domain b" using )ight!eight +irector" :ccess Protocol &)+:P/ +omain controllers in the specified list of sites !ill be monitored #he administrator pro$ides a list of sites to be monitored Client monitoring determines the domain controllers that are contained in the list of sites #he list is maintained on the client computer in the form of a test file :ll domain controllers in the same site as the client computer !ill be monitored 7o additional configuration is necessar" #he client automaticall" disco$ers all the domain controllers in its site b" using )+:P Onl" domain controllers that are listed !ill be monitored #he administrator pro$ides a list of domain controllers to be monitored #he list is maintained on the client computer in the form of a test file

Specific

)ocal Site

Specific

2F

&o set overrides #he administrator configures the mode for client monitoring3 including &if necessar"/ the list of specific sites or domain controllers3 b" setting o$errides 1 2 3 Open the Operations Conso"e3 and then click Authoring @2pand Management Pack O(<ects3 and then click *n the ,ote *f "ou do not see %ook for3 ensure that "ou ha$e *ind selected on the Operations Conso"e toolbar H 5ight1click the AD C"ient 'pdate DCs rule3 click Overrides3 click Override the and then click *or a group ,ote *f "ou are unable to find the AD C"ient 'pdate DCs rule3 check that "our scope is set to include the Active Directory C"ient Perspective b" clicking Scope in the Operations Conso"e toolbar . *n Se"ect O(<ect3 click the group of computers that "ou ha$e created for the purpose of client monitoring3 and then click O= L Select the Override bo2 that corresponds to 1na("ed in the Parameter ,ame column C @nsure that the Override $a"ue is set to &rue - Select the Override bo2 that corresponds to Site Discovery Mode in the Parameter ,ame column F *n the Override $a"ue column3 t"pe the number of the mode that "ou !ant to configure #he mode can be 13 23 33 or H &See the table of modes described earlier in this section / ,otes *f "ou set mode 23 "ou should enable the Sites o$erride and pro$ide a list of sites in the form of a comma1delimited string of site names3 such as site:&site!&site; *f "ou set mode H3 "ou should enable the Domain Contro""ers o$erride and pro$ide a list of domain controllers in the form of a comma1delimited string of domain controller full" Jualified domain names &=B+7s/3 such as
dc:.contoso.co+&dc!.contoso.co+&dc;.contoso.co+

u"es

u"es pane3 in %ook for3 t"pe AD C"ient 'pdate3 and then click *ind ,o/

u"e3

10 *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O=

30

,ote

&o ena("e agent0on"y discovery

1na("ing Agent0On"y Discovery

#he :cti$e +irector" Management Pack &:+MP/ disco$er" mechanism t"picall" collects information about all the domain controllers in the same forest as the 5oot Management Ser$er &5MS/ and in the trusted forests 8ou can see this b" using the :+ #opolog" ?ie! from !ithin the console >o!e$er3 onl" a subset of the domain controllers that are disco$ered !ill actuall" be monitored b" an Operations Manager agent @nabling agent1onl" disco$er" filters the list of disco$ered domain controllers to include onl" those domain controllers that ha$e an agent installed 6e recommend that "ou carefull" re$ie! this entire section before "ou enable the agent1 onl" disco$er" feature

e9uirements
#he agent1onl" disco$er" feature reJuires the installation of the 6indo!s Po!erShellS command1line interface and the S"stem Center Operations Manager 6indo!s Po!erShell Cmdlets on the 5MS *f "ou do not install 6indo!s Po!erShell and its components3 :+MP disco$er" ma" fail

5efore you ena("e agent0on"y discovery

;efore "ou enable the agent1onl" disco$er" feature3 do the follo!ing: @nsure that 6indo!s Po!ershell is installed on the 5MS +etermine the location of the 6indo!s Po!erShell e2ecutable #he default location is I!indirIRS"stem32R6indo!sPo!ershellR$1 0Rpo!ershell e2e +etermine the location of S"stem Center Operations Manager #he default location is IProgram=ilesIRS"stem Center Operations Manager 200C @nsure that the S"stem Center Operations Manager Po!ershell e2tensions are installed correctl" 8ou can $erif" that the" are installed correctl" b" starting the S"stem Center Operations Manager Po!ershell !indo! and running the Get0Agent command #o run the command3 click Start3 click A"" Programs3 click System Center Operations Manager3 click Command She""3 and then t"pe Get0Agent #he list of agent1monitored computers appears3 or an empt" list appears if there are no agents currentl" installed on the domain controllers #o perform the procedures in this section3 "ou must be a member of the Operations Manager Administrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 2 3 Open the Operations console3 and then click Authoring @2pand Management Pack O(<ects3 and then click O(<ect Discoveries Click Scope on the Operations console toolbar

H *n the Scope Management Pack O(<ects dialog bo23 click $ie/ a"" targets3 select the Active Directory *orest check bo23 and then click O= #he user interface &4*/ displa"s the AD &opo"ogy Discovery obMect 31

,ote . 5ight1click AD &opo"ogy Discovery3 click Overrides3 click Override the O(<ect Discovery3 and then click *or a"" o(<ects of c"assB oot Management Server L Select the Override bo2 that corresponds to Discovery Agent On"y in the Parameter ,ame column3 C Change the Override $a"ue to &rue3 and then select the bo2 in the 1nforced column #mportant a *f 6indo!s Po!erShell is installed in a location other than the default location3 select the Override bo2 that corresponds to the Po/ershe""#nsta""Path parameter3 and then edit Override Setting to point to the correct Po!erShell location 5emember to include double Juotation marks around the path b *f Operations Manager is installed in a location other than the default location3 select the OpsMgr#nsta""Path check bo23 and then edit Override Setting to point to the correct Operations Manager location 5emember to include double Juotation marks around the path - *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= +isco$er" must run again to remo$e an" pre$iousl" disco$ered domain controllers ;" default3 :+ #opolog" +isco$er" runs once e$er" 2H hours >o!e$er3 "ou can force disco$er" to run b" restarting the OpsMgr !ea"th ServiceC

P"acing Monitored O(<ects in Maintenance Mode

6hen a monitored obMect3 such as a computer or distributed application3 goes offline for maintenance3 Operations Manager 200C detects that no agent heartbeat is being recei$ed and3 as a result3 the obMect might generate numerous alerts and notifications #o pre$ent alerts and notifications3 place the monitored obMect into maintenance mode *n maintenance mode3 alerts3 notifications3 rules3 monitors3 automatic responses3 state changes3 and ne! alerts are suppressed at the agent =or general instructions about placing a monitored obMect in maintenance mode3 see >o! to Put a Monitored ObMect into Maintenance Mode in Operations Manager 200C &http:''go microsoft com'f!link'()ink*d,10-3.-/ 1+ception *f users are getting the alerts from the follo!ing replication monitoring rules for domain controllers in maintenance mode3 it is a kno!n issue #he !orkaround is to resol$e these alerts !hen domain controllers are out of maintenance mode D:+ 5eplication is occurring slo!l"E D+C has failed to s"nchroni<e naming conte2t !ith its replication partnerE DOne or more domain controllers ma" not be replicatingE 32

&o ena("e the ru"es Create Account Changes eport

eport and Create Domain Changes

Disa("ing and 1na("ing A"erts for eports

#here are t!o reports3 the +omain Changes 5eport and the :ccount Changes 5eports3 that send alerts !hen the" are run and are read" for the administrator to $ie! =or the :cti$e +irector" +omain Controller 6indo!s Ser$er 200- and abo$e Management Packs3 t!o ne! rules !ere created to allo! the 5eports to be generated !ithout sending an alert #hese optional rules !ere created to help reduce noise if the administrator does not !ant to see the alerts but still !ants to ha$e the reports generated and a$ailable #he ne! rules are Create Account Changes eport and Create Domain Changes eport #hese rules are disabled initiall" #o generate the reports !ithout getting alerts the process is to disable the e2isting rules that generate alerts3 and then enable the ne! rules =or a guide on disabling a rule3 see >o! to +isable a Monitor or 5ule 4sing O$errides &http:''technet microsoft com'librar"'bb30F.-3 asp2/ 1 2 *n the Operations console3 click the Authoring button *n the :uthoring pane3 click u"es

3 *n the 5ules section3 t"pe Create :ccount Changes in the %ook for bar and click find no! H . Click on the Create Account Changes eport rule On the Operations console toolbar3 click Overrides and then point to Override the u"e 8ou can choose to o$erride this monitor or rule for obMects of a specific t"pe or for all obMects !ithin a group :fter "ou choose !hich group of obMect t"pe to o$erride3 the O$erride Properties dialog bo2 opens3 enabling "ou to $ie! the default settings contained in this monitor L *n the Override Properties dia"og bo23 click to select the Override check (o+ that corresponds to the 1na("ed parameter C *n the Override Setting column3 click &rue - *n the Se"ect destination management pack list3 click the appropriate management pack in !hich to store the o$erride or create a ne! unsealed management pack b" clicking ,e/ F 6hen "ou complete "our changes3 click O= and start o$er at step H this time searching for Domain Changes eport

Security Considerations
8ou might need to customi<e "our management pack Certain accounts cannot be run in a lo!1 pri$ilege en$ironment3 or the" must ha$e minimum permissions

33

,ote

&o create a un As Account

Action Account
=or each of the client1side monitoring scripts to run successfull"3 the Action Account must be a member of the :dministrators group on both the computer on !hich the client management pack is running and the domain controller that is being monitored #he Action Account must also be a member of the Operations Manager Administrators group3 !hich is configured through the Operations console in so that all the scripts that are configured on the 5oot Management Ser$er can run properl" #o learn more about the Action Account3 see :ccount *nformation for Operations Manager 200C &http:''go microsoft com'f!link'()ink*d,1L.C3L/

AD MP Account
#he AD MP Account un As Profi"e is automaticall" created !hen "ou import the :+MP #his account is not needed if "ou are using the Action Account for :+MP operations >o!e$er3 if "ou !ould prefer to use a different domain account to monitor :cti$e +irector" operations3 "ou can utili<e the :+MP un As Profi"e b" first creating a un As Account and then adding that account to the AD MP Account un As Profi"e

Creating a un As Account
Creating a un As Account allo!s Operations Manager 200C utili<e the user account for monitoring #o perform the procedures in this section3 "ou must be a member of the Operations Manager :dministrators group in the Operations console =or more information3 see :ccount *nformation for Operations Manager 200C&http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 On "our management ser$er3 open the Operations Conso"e3 and then click Administration 2 3 *n the na$igation pane3 right1click Security3 and then click Create un As Account *f the #ntroduction page of the Create un As Account .i:ard appears3 click ,e+t

H On the Genera" Properties page3 ensure that .indo/s is selected for un As Account type and for Disp"ay ,ame t"pe ADMP 8ou can optionall" t"pe additional information in Description ,ote 8ou ma" t"pe an" name that "ou like for the un As Account to use3 the name :+MP is a suggested name and is used to make !riting these directions more concise *f "ou t"pe a different name3 substitute that name for :+MP in an" steps !hich make reference to the :+MP un As Account . On the Credentia"s page3 enter the user name of the account "ou designated for monitoring replication #hen3 enter and confirm the pass!ords "ou set for the account Click ,e+t 3H

Adding the L

un As Account to the

un As Profi"e

Once the

un As account is created3 click C"ose

Add the un As Account to the ADMP un As Account Profi"e

#he last maMor task enabling replication monitoring b" an account other than the Action Account is to add the un As account to the AD MP Account un As Profi"e 1 2 3 *n the Administration na$igation pane of the Operations Conso"e3 click Profi"es *n the Profi"es pane3 double1click AD MP Account *f the #ntroduction page of the un As Profi"e .i:ard appears3 click ,e+t

H *n Disp"ay name3 confirm that AD MP Account appears as the name of the profile and then click ,e+t . On the un As Accounts page3 click Add L *n the Add a un As Account dialog bo23 under un As account3 use the drop1 do!n menu to select the un As account "ou created pre$iousl" C *n &his un As Account /i"" (e used to manage the fo""o/ing o(<ects 3 select A se"ected c"ass- group- or o(<ect &ip *f "ou ha$e created a group for all "our domain controllers3 then "ou ma" !ant to select that in the ne2t step rather than follo!ing the steps to select domain controllers indi$iduall" See >o! to Create Groups in Operations Manager 200C &http:''go microsoft com'f!link'()ink*d,1L.C3L/ for more information Click Se"ect and then click O(<ect F 4se the O(<ect Search dialog bo2 to locate all the domain controllers "ou !ant to monitor3 select one and then click O= &ip *n the O(<ect Search dialog bo23 "ou can set %ook for to .indo/s Server to reduce the number of obMects returned 5epeat this step as needed until "ou ha$e all the domain controller computer accounts "ou !ant to monitor in the un As accounts list3 and then click Save 10 *f on the Comp"etion page3 under More0secure then click ADMP Other!ise3 click C"ose un As accounts3 "ou see ADMP

11 *f "ou clicked ADMP3 then in the un As Account Properties3 in the Distri(ution tab3 !ith More secure selected3 click Add 4se the Computer Search dialog bo2 to locate the domain controllers to !hich "ou !ant to distribute these credentials 6hen "ou locate the computers "ou !ant3 click Add3 then click O= t!ice and then click C"ose

3.

Security Monitoring
#he +omain :dministrator needs to kno! the :cti$e +irector" user authentication and account issues that occur bet!een domain controllers3 including the follo!ing: :ccount pass!ord issues Securit" :ccounts Manager &S:M/ failures 5eJuests that are not $alid 7#)M errors Ke" +istribution Center &K+C/ errors :ccount identifier issues 4ser credential issues :ccount and group issues +uplicate accounts and securit" identifiers &S*+s/

'nderstanding Management Pack Operations

#his section pro$ides additional information about the t"pes of obMects that the management pack disco$ers and ho! health rolls up *t also pro$ides an in1depth look at the concepts that are introduced in the #ntroduction to Monitoring Scenarios section

e"ationships
#he follo!ing diagram sho!s the relationships that are defined in this management pack

3L

!o/ !ea"th o""s 'p

#he :cti$e +irector" Management Pack $ie!s the :cti$e +irector" s"stem as a la"ered structure3 !here each la"er depends on the lo!er la"er to be health" #he top of this structure is the entire :cti$e +irector" en$ironment3 and the lo!est le$el is all of the domain controllers 6hen enough

3C

of one la"er changes state3 the la"er abo$e it changes state to match #his action is called rolling up health #he follo!ing diagram sho!s ho! the health states of components roll up in this management pack

#his model captures the idea that if onl" a fe! domain controllers are in an error state3 it is unlikel" that the entire site or forest the" belong to is do!n >o!e$er3 if most of the domain controllers in a site are in an error state3 it is likel" that the site is in trouble3 !hile the forest that contains the site might still be health" >ealth for each of the la"ers rolls up to ne2t1highest la"er !hen L0 percent of the obMects in the lo!er la"er change state =or rolling up health3 an unkno!n state is considered to be an error state3 !hile Maintenance mode is ignored :cti$e +irector" domains are treated slightl" differentl" than sites >ealth from domain controllers rolls up to the domain3 but domains do not roll up to the forest la"er

=ey Monitoring Scenarios

#he :cti$e +irector" Management Pack &:+MP/ is designed to pro$ide $aluable monitoring information about the health of "our director" ser$ice #he follo!ing nine scenarios describe the most common :+MP monitoring scenarios :ll of the configuration options described in this document are optional and not reJuired for a t"pical operating en$ironment :dministrators can choose to set some options to more accuratel" monitor specific areas of their en$ironment #he follo!ing monitoring scenarios are discussed in this section of the guide: Multi1=orest Monitoring 3-

#mportant ,ote 5eplication @ssential Ser$ices #rust Monitoring +irector" Ser$ice :$ailabilit" :cti$e +irector" +atabase Monitoring #ime Ske! Monitoring Operations Master Monitoring :cti$e +irector" 6eb Ser$ice Monitoring +omain Controller Performance

Mu"ti0*orest Monitoring
#he :+MP supports the monitoring of forests in addition to the forest !here Operations Manager and the management pack are installed 8ou can deplo" agents to remote forests #he management pack !ill gather health and performance data for the remote forest according to the $ie! of the domain controller !here the agent is installed Monitoring of domain controllers in remote forests is nearl" identical to the monitoring done of domain controllers in the local forest :ll multiple forest monitoring scenarios3 e$ents3 alerts3 and performance data collections are full" supported in this release #opolog" $ie!s automaticall" disco$er all forests that ha$e t!o1!a" transiti$e trusts !ith the local forest >o!e$er3 cross1forest monitoring of a forest that is not full" trusted is not supported Multi1forest disco$er" consist of t!o !orkflo!s: 1 2
/icrosoft.AD.(opolog#.Discover# /icrosoft.AD.)e+ote.(opolog#.Discover#

is the maMor !orkflo! for multi1forest disco$er"3 and it is defined in /icrosoft.,indows.%erver.AD.Librar#.+p

/icrosoft.AD.(opolog#.Discover#

#his !orkflo! runs on the 5oot Management Ser$er &5MS/ and disco$ers :cti$e +irector" instances such as forests3 domains3 sites3 sitelinks3 and domain controller computers in addition to relationships bet!een those instances that are spread o$er different forests !ith t!o1!a" transiti$e trust ;ecause the 5MS submits disco$er" data3 it is reJuired to enable the pro2" at the 5MS #he other !orkflo!3 /icrosoft.AD.)e+ote.(opolog#.Discover#3 is defined in each $ersion of disco$er" management pack &that is3 /icrosoft.,indows.%erver.AD.<version=.Discover#./$/ and runs on each of the domain controllers !ith Operations Manager agents deplo"ed #he maMor task of the /icrosoft.AD.)e+ote.(opolog#.Discover# !orkflo! is to disco$er connection obMects :lso in this !orkflo!3 the pro2" must be enabled &as described in @nable the :gentPro2"Setting on :ll +omain Controllers/ at each of the agents to complete disco$er" data submission #he t!o !orkflo!s are configured to run once a da" 3F

,ote

Configuration
#here are no recommended configuration settings for this scenario

ep"ication
5eplication of data is a ke" aspect of an" :cti$e +irector" installation 5eplication Monitoring ensures that replication is occurring correctl" in "our en$ironment #he follo!ing four specific aspects of replication are monitored: ep"ication Provider #his aspect pro$ides monitoring continuall" and $erifies that all of the replication links for a domain controller are al!a"s !orking properl" #he health of each replication link is checked b" le$eraging 6indo!s Management *nstrumentation &6M*/ to determine the status of each link ep"ication Partner Count #his aspect ensures that e$er" domain controller has an acceptable number of partners !ith !hich to replicate *f a domain controller has either too man" or too fe! partners3 the health of the domain controller !ill be considered to be degraded ep"ication %atency Monitoring #his aspect ensures that changes made to the :cti$e +irector" installation are being replicated throughout the en$ironment in a timel" manner #he replication latenc" monitoring mechanism !ill inMect changes into the director" at a regular inter$al3 and then !atch to see that those changes reach e$er" domain controller that is monitored b" the :+MP !ithin a specified amount of time Operations Master Consistency :lthough operations master $erification is performed else!here3 replication monitoring $erifies that all replication partners for a gi$en domain controller agree on the o!ner of each operations master role #his check is a critical part of replication because replication partners need to agree on the o!nership of each operations master role 5eplication is the mechanism b" !hich domain controllers in a domain e2change changes to the director" #his mechanism is essential to the operation of the :cti$e +irector" deplo"ment in a forest #he topic of replication is both deep and !ide3 and a full $ie! of e$er" aspect of replication is be"ond the scope of !hat the :cti$e +irector" Management Pack &:+MP/ attempts to monitor =or the purpose of this management pack3 "ou should stri$e to monitor the critical aspects of replication to gi$e information technolog" &*#/ administrators an o$erall assessment of replication for their en$ironment #his section discusses the monitoring of replication for the purposes of pro$iding alerts !hen replication issues are detected *f "ou are interested in configuring replication performance monitoring that allo!s for trend reporting3 see Collecting 5eplication Performance +ata in the Optional Configuration section of this guide #he follo!ing four specific aspects of replication are monitored: 5eplication Pro$ider T #his aspect uses 6indo!s Management *nstrumentation &6M*/ to indicate !hether replication links bet!een a domain controller and its replication partners are health" or unhealth" 5eplication Partner Count T #his aspect $alidates that a particular domain controller does not ha$e too man" or too fe! replication partners H0

,ote 5eplication )atenc" T #his aspect $alidates that updates to the director" are propagated to other domain controllers !ithin a reasonable timeframe Operations Master Consistenc" Check T #his aspect $alidates that all of the replication partners for a particular domain controller agree on the $arious Operations Master role holders #hese four aspects of replication are monitored to pro$ide an o$erall $ie! of the replication mechanism of the :cti$e +irector" en$ironment Sometimes3 it !ill be appropriate to utili<e a tool that is more speciali<ed in monitoring replication =or e2ample3 if the 5eplication Pro$ider $erification fails3 the guidance might be to use the 5eplpro$ tool to gather more detailed information about the failure

ep"ication Provider
#he replication paths of data bet!een domain controllers are represented b" replication links #hese links are a logical entities &represented as obMects in the director"/ that the domain controller !ill reference !hen it needs to replicate #he health of the replication links is essential to determining the health of replication #he :+MP determines the health status of these links b" using 6M* >ealth of replication links is determined b" e2amining the MS:+O5epl7eighbor obMect in 6M* *nformation about this obMect can be found MS:+O5epl7eighbor Class &http:''go microsoft com'f!link'()ink*d,122CFL/ #he replication pro$ider check specificall" monitors the follo!ing aspects of the MS:+O5epl7eighbor obMect: Modified7umConsecuti$eS"nc=ailures is less than 2 #he #imeOf)astS"ncSuccess is less than 1H da"s old

ep"ication Partner Count

6ith replication as one of the cornerstones of the :cti$e +irector" en$ironment3 it is essential that the domain controllers in the forest are all able to replicate !ith each other3 and that there are not e2cessi$e connections being created bet!een domain controllers @2cessi$e connections can degrade the performance of the forest3 !hile a lack of connecti$it" can create replication site islands : replication site island occurs !hen a single domain controller or group of domain controllers in a particular site do not ha$e an" connections to domain controllers in another site #he domain controllers in a replication site island are unable to propagate their o!n changes to the other domain controllers in the domain and forest #he replication partner count specificall" $alidates the follo!ing three cases are true: : domain controller al!a"s has at least one outbound connection ;ecause replication connections are al!a"s seen as inbound connections3 there is no need to record outbound connections #his means that the replication partner count mechanism !ill $alidate that a minimum number of connections e2ist b" checking all of the other domain controllers in the domain to see if the domain controller in Juestion has a connection : domain containing a single domain controller is considered a lone domain controller3 and the replication partner count check !ill be ignored : domain controller has at least one connection to another site 6hen sites are created3 the" must ha$e a !a" to replicate changes to domain controllers from other sites ;" default3 H1

,ote !hen a site is created be"ond the initial +efault1Site1=irst17ame site3 the @nterprise :dministrator needs to create a site link to connect these t!o sites : site al!a"s needs to ha$e at least one intersite connection to another site *f the domain or forest contains onl" a single site3 the replication site island check !ill be ignored : domain controller does not ha$e more than a specified number of connections 6hen a domain controller has too man" connections3 the performance of the director" can become degraded #he replication partner count $alidation mechanism checks that a domain controller does not ha$e too man" connections #he specific threshold is made a parameter to the script3 so that it can be o$erridden and customi<ed for a particular en$ironment

ep"ication %atency
#he purpose of replication latenc" monitoring is to ensure that changes are being properl" replicated across the forest :n :cti$e +irector" deplo"ment comprises domain controllers3 all of !hich &e2cluding read1onl" domain controllers &5O+Cs// are able to modif" the collecti$e director" 6hen a change is recorded3 it !ill be replicated to neighboring domain controllers !ithin a gi$en time inter$al 5eplication latenc" monitoring in this management pack is done b" inMecting a change into the director" and determining ho! long it takes for that change to reach e$er" other domain controller in the forest #his $alue can $ar" from domain controller to domain controller #he ma2imum determined time that it takes a change to replicate across the forest is kno!n as the con$ergence latenc" )atenc" monitoring is done on a per1naming conte2t basis On a t"pical domain controller3 there !ill be three predefined naming conte2ts in the director": #he +omain 7aming Conte2t3 !hich e2ists for each domain #he Configuration 7aming Conte2t3 !hich e2ists for each forest #he Schema 7aming Conte2t3 !hich e2ists for each forest

*n addition3 on a domain controller that is acting as a +omain 7ame S"stem &+7S/ ser$er3 there !ill be t!o more partitions: #he +omain +7S Uones 7aming Conte2t #he =orest +7S Uones 7aming Conte2t

@ach partition is monitored separatel" from the others #his is because some customers might configure certain partitions to not be replicated3 and the management pack needs to be fle2ible enough to handle this 8ou need to be able to ensure that each partition is being correctl" replicated >o! and !hen replication occurs bet!een domain controllers is hea$il" dependent on the site location of the domain controller 5eplication can be di$ided into t!o categories: 5eplication bet!een domain controllers that are !ithin the same site &kno!n as intrasite replication/

H2

&o configure the OpsMgr%atencyMonitors container 5eplication bet!een domain controllers that are in different sites &kno!n as intersite replication/ 6hen a change is made on a domain controller3 the replication partners of that domain controller need to recei$e a cop" of that change ;ecause domain controllers belonging to the same site are considered to be !ell connected3 changes are proacti$el" pulled b" other domain controllers from the same site almost as soon as the changes are made =or domain controllers belonging to a separate site3 the assumption is made that these domain controllers are not as !ell connected3 so "ou should reJuest changes onl" on a scheduled inter$al #his !a"3 changes from the pre$ious x minutes !ill be patched together and transferred at the same time ;ecause the replication inter$als for intersite and intrasite replication are different3 the management pack needs to monitor each t"pe of replication separatel" =or this reason3 "ou use an intersite replication latenc" threshold and an intrasite replication latenc" threshold

,ote

Container Creation
6hen the :+MP is deplo"ed for the first time3 the latenc" obMects container &OpsMgr)atenc"Monitors/ does not "et e2ist ;efore monitoring can begin3 the container needs to be created3 !hich can occur in t!o different !a"s: *f the container does not e2ist3 the replication monitoring script attempts to create the container *f the S"stem Center Operations Manager 200C Action Account does not ha$e appropriate permissions to create the OpsManager)atenc"Monitors container3 the creation !ill fail and an e$ent !ill be logged =or information about the Action Account3 see :ccount *nformation for Operations Manager 200C &http:''go microsoft com'f!link'()ink*+,1L.C3L/ #he administrator can use :+S* @dit to manuall" create the latenc" obMects container =or situations in !hich the administrator creates an Action Account or e$en another user account specificall" for the latenc" monitoring mechanism3 the account that is used ma" not pro$ide the credentials to create the container automaticall" =or this reason3 "ou ma" reJuire an enterprise administrator to manuall" create the container3 as described in the follo!ing section 1 #o perform this procedure3 "ou must be a member of the @nterprise :dmins group in :cti$e +irector"3 or "ou must ha$e been delegated the appropriate authorit" :s a securit" best practice3 consider using 5un as to perform this procedure =or more information3 see +efault local groups3 +efault groups3 and 4sing 5un as #mportant @nsure that the OpsMgr)atenc"Monitors container is created onl" onceQon one domain controllerQand that it !ill replicate to the other domains in the forest 2 *n :+S* @dit3 right click the ADS# 1dit obMect in the na$igation pane3 and then click Connect &o 3 *n the Connection Settings dialog bo2 under Connection Point3 ensure that Se"ect a /e"" kno/n ,aming Conte+t is selected3 and then click Configuration in the drop1 do!n menu H3

H *n the Computer section3 select the domain controller on !hich "ou !ant to complete the configuration3 and then click O= . *n the na$igation pane3 e2pand the Configuration obMect :n obMect !ith C,DConfiguration follo!ed b" )+:P path of the forest appears L *f "ou do not see the OpsMgr)atenc"Monitors container immediatel" belo! the C7,Configuration obMect in the na$igation pane3 create the container: a b c 5ight1click the C,DConfiguration obMect3 click ,e/3 and then click O(<ect *n the Create O(<ect dialog bo23 select the container3 and then click ,e+t *n $a"ue3 t"pe OpsMgr%atencyMonitors3 and then click ,e+t Click *inish

C *n the na$igation pane of ADS# 1dit3 right1click C,DOpsMgr%atencyMonitors3 and then click Properties Click the Security tab3 click Advanced3 and then click Add F 4se the Se"ect users- Computers- Service Accounts or Groups dialog bo2 to locate the Action Account3 and then click O= 10 *n the Permissions 1ntry for OpsMgr%atencyMonitors dialog bo23 ensure that App"y to reads &his o(<ect and a"" descendant o(<ects 11 *n Permissions3 select the A""o/ bo2 that corresponds to the Create container o(<ects permission 12 Click the Properties tab3 and then set App"y to so that it reads A"" descendant o(<ects 13 *n Permissions3 select the A""o/ bo2 that corresponds to ead a"" properties 1H Select the A""o/ bo2 that corresponds to .rite adminDescription3 and then click O= three times to close the open dialog bo2es

%atency Detection
:fter change inMection has been performed3 the container !ill be scanned for e2isting obMects @ach obMect represents a domain controller that is participating in replication latenc" monitoring #he process begins b" Juer"ing the local domain controller b" using the )ight!eight +irector" :ccess Protocol &)+:P/ for a list of all the obMects located in the latenc" obMects container3 !here the containers that are Jueries are determined b" using the naming conte2t monitoring parameters for the !orkflo! #he list is reiterated3 taking each obMect one at a time

Operations Master Consistency Check

5eplication monitoring $erifies that all replication partners for a gi$en domain controller agree on the o!ner of each operations master role #his check is a critical part of replication because replication partners need to agree on the o!nership of each operations master role

Configuration
#o perform the procedures in this section3 "ou must be a member of the Operations Manager :dministrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ HH

&o change the ma+imum num(er of rep"ication partners 1 2 Open the Operations console3 and then click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 *n the Monitors pane3 e2pand Active Directory Domain Contro""er Server 2000 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand Configuration . 5ight1click AD ep"ication Partner Count Monitor3 click Overrides3 click Override the Monitor3 and then click *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2000 ComputerC L #o change the !arning threshold3 select the Override bo2 that corresponds to the ,um(er Connections .arning &hresho"d in the Parameter ,ame column C *n the Override $a"ue column3 enter the number of connections that "ou !ant to set as the ne! !arning threshold - #o change the error threshold3 select the Override bo2 that corresponds to ,um(er Connections 1rror &hresho"d F *n the Override $a"ue column3 enter the number of connections that "ou !ant to set as the ne! error threshold 10 *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create management pack no! Click O= 11 5epeat steps . through 10 for the follo!ing monitors: Active Directory Domain Contro""er Server 200) Computer o"e Active Directory Domain Contro""er Server 2003 Computer o"e

1ssentia" Services
#he :cti$e +irector" s"stem comprises a number of ser$ices3 some that pro$ide ser$ices directl" and some that support the :cti$e +irector" s"stem itself =or this reason3 the management pack continuall" checks to ensure that these essential ser$ices are !orking correctl" 7ote that some ser$ices might or might not be monitored3 depending on the $ersion of 6indo!s Ser$er being used and the particular configuration of "our en$ironment #he ser$ices that this management pack monitors include the follo!ing: 7# =ile 5eplication Ser$ice &7#=5S/ +istributed =ile S"stem 5eplication &+=S5/ 6indo!s #ime Ser$ice &632time/ *ntersite Messaging &*SM/ Ke" +istribution Center &K+C/ 7# +irector" Ser$ices &7#+S/ 7et )ogon &7et)ogon/ H.

:cti$e +irector" 6eb Ser$ice &:+6S/

#he 7#=5S and +=S5 ser$ices both pro$ide a file replication ser$ice +epending on "our en$ironment3 "ou might ha$e one or both of these ser$ices running at one time #he management pack e2amines "our en$ironment to determine !hich ser$ice or ser$ices it should checked for3 and it reports an error if the reJuired ser$ice or ser$ices are not running #he 6indo!s #ime Ser$ice &632time/ is responsible for keeping the $arious domain controllers on "our net!ork in time s"nchroni<ation !ith each other #his management pack $erifies that 632time is running on all domain controllers that are monitored *ntersite Messaging is reJuired on 6indo!s 2000 Ser$er domain controllers and 6indo!s Ser$er 2003 domain controllers that are not operating at the 6indo!s Ser$er 2003 forest functional le$el *ntersite Messaging !ill be monitored !here applicable #he K+C is a ke" ser$ice for facilitating Kerberos in :cti$e +irector" deplo"ments #he management pack !ill $erif" that the K+C ser$ice is running on all domain controllers being monitored On a domain controller that runs 6indo!s Ser$er 200- or later3 :cti$e +irector" +omain Ser$ices &:+ +S/ hosts the :cti$e +irector" processes #his ser$ice must be running for the :cti$e +irector" s"stem to function #he 7et )ogon &7et)ogon/ ser$ice is responsible for handling a number of fundamental :cti$e +irector" authentication and location ser$ices #he :+MP $erifies that the 7et)ogon ser$ice is running on all domain controllers being monitored #he :cti$e +irector" 6eb Ser$ice &:+6S/ pro$ides ser$ices that are reJuired b" the :cti$e +irector" :dministrati$e Center and the :cti$e +irector" module for 6indo!s Po!erShell

S6S$O% Avai"a(i"ity
On e$er" domain controller3 the S8S?O) share must be accessible #he management pack tests the a$ailabilit" of the domain controller b" attempting to map a net!ork dri$e using the path R 12C 0 0 1RS8S?O)3 !hich represents the S8S?O) director" on the domain controller *f the script that is associated !ith S8S?O) a$ailabilit" is not able to map a net!ork dri$e3 it generates an e$ent indicating the error that is returned from the attempt *f the script is able to map a net!ork dri$e to the domain controller3 it !ill not generate an e$ent3 and it !ill subseJuentl" remo$e the mapped dri$e

Configuration
#here are no recommended configuration settings for this scenario

&rust Monitoring
#rusts bet!een forests and domains are fundamental to the operation of the :cti$e +irector" deplo"ment #his management pack monitors these trusts to ensure that ser$ices and resources in "our en$ironment !ill be a$ailable !here appropriate #rustMon3 !hich is included on 6indo!s Ser$er 2003 domain controllers3 is the 6indo!s Management *nstrumentation &6M*/ trust monitoring pro$ider #he :cti$e +irector" Monitor #rusts HL

script uses #rustMon to enumerate the trusts on the local domain controller3 and it generates alerts if an" problems are found #he :cti$e +irector" Monitor #rusts script configures the #rustMon 6M* pro$ider to return all trusts3 and then it Jueries for all instances of the MicrosoftO+omain#rustStatus obMect in the RrootRMicrosoft:cti$e+irector" 6M* namespace =or each obMect that is returnedV if the #rust#"pe propert" of the obMect is not +o!nle$el or 4ple$el &the other options are Kerberos 5ealm and +C@3 !hich cannot be monitored effecti$el" b" #rustMon/3 the trust is ignored *f the #rust#"pe of the obMect indicates that it can be monitored3 the #rustStatus propert" of the obMect is checked *f #rustStatus is not 03 the trust is in an error state and the trust and its #rustStatusString &a te2tual description of the current state of the trust/ are formatted and rela"ed as the trust status :fter all the MicrosoftO+omain#rustStatus obMects ha$e been processed3 the local domain is obtained from the RrootRMicrosoft:cti$e+irector":MicrosoftO)ocal+omain*nfo obMect

Configuration
#here are no recommended configuration settings for this scenario

Directory Service Avai"a(i"ity

=or :cti$e +irector" Management Pack for Operations Manager 200C customers3 the names of the corresponding script in that management pack appear in parentheses #hese ser$ices include the follo!ing: : global catalog can be located in an acceptable amount of time &GC 5esponse/ : global catalog can return a search result in an acceptable amount of time &GC Search #ime/ #here are an acceptable number of )ost and =ound obMects &)ost W =ound Count/ ?erification of +omain 7ame S"stem &+7S/ records that :cti$e +irector" uses &+7S ?erification/ : ser$erless bind succeeds !ithin an acceptable amount of time &:+ General 5esponse/ +irector" ser$ice a$ailabilit" reports the health of a number of aspects in the en$ironment *t is co$ered b" fi$e monitors3 as described in the follo!ing table
Monitor Description

General 5esponse

Measures the responsi$eness of the :cti$e +irector" s"stem to a )ight!eight +irector" :ccess Protocol &)+:P/ reJuest *t periodicall" binds to the domain controller to measure the response time to a simple )+:P Juer" *f too man" )+:P reJuests fail in a ro!3 the health of the domain controller !ill be HC

&o set Genera"

Monitor

esponse to (ind to the SS% port )32

Description

degraded Global Catalog Search 5esponse Measures the time that is reJuired to perform a global catalog search #he Juer" to be run can be passed as a parameter &See the DConfigurationE section later in this document / #he measurement is reported as performance data3 and related rules generate alerts for unusuall" slo! conditions Checks the current global catalog search time against the configured thresholds to $erif" that searches made against a global catalog are processed in a timel" fashion Performs $arious checks on the +omain 7ame S"stem &+7S/ setup *ndi$idual alerts for a number of issues are reported Checks that there are not an e2cessi$e number of lingering obMects in the )ost and =ound container

Global Catalog Search #ime

+7S ?erification

)ost ObMect Count

Configuration
#o perform the procedures in this section3 "ou must be a member of the Operations Manager Administrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 2 *n the Operations console3 click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 On the Monitors pane3 e2pand Active Directory Domain Contro""er Server 2003 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand Avai"a(i"ity . 5ight1click AD Genera" esponse Monitor3 click Overrides3 click Override the Monitor3 and then click *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2003 Computer o"e ,ote *f "ou do not see the rule3 check that the scope is set to include the Active Directory C"ient Perspective b" clicking Scope in the Operations Manager toolbar H-

&o set Genera"

esponse to (ind to the standard port 7)7

L Select the Override bo2 that corresponds to the 1na("ed entr" in the Parameter ,ame column C @nsure that Override $a"ue is set to &rue - Select the Override bo2 that corresponds to MonitorStandard%DAP5ind in the Parameter ,ame column3 and then enter the $alue of Xtrue% in the Override $a"ue column ,ote *f "ou do not !ant to monitor on this port set this $alue to Xfalse% *f set to false $erif" that the MonitorSS%%DAP5ind o$erride is set to Xtrue% :t least one of those $alues must be true other!ise the General 5esponse monitor !ill not bind to an" port F *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 1 2 *n the Operations console3 click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 On the Monitors pane3 e2pand Active Directory Domain Contro""er Server 2003 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand Avai"a(i"ity . 5ight1click AD Genera" esponse Monitor3 click Overrides3 click Override the Monitor3 and then click *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2003 Computer o"e ,ote *f "ou do not see the rule3 check that the scope is set to include the Active Directory C"ient Perspective b" clicking Scope in the Operations Manager toolbar L Select the Override bo2 that corresponds to the 1na("ed entr" in the Parameter ,ame column C @nsure that Override $a"ue is set to &rue - Select the Override bo2 that corresponds to MonitorSS%%DAP5ind in the Parameter ,ame column3 and then enter the $alue of Xtrue% in the Override $a"ue column ,ote *f "ou do not !ant to monitor on this port set this $alue to Xfalse% *f set to false $erif" that the MonitorStandard%DAP5ind o$erride is set to Xtrue% :t least one of those $alues must be true other!ise the General 5esponse monitor !ill not bind to an" port F *n Se"ect destination management pack3 select the management pack that "ou HF

&o change the ma+imum num(er of fai"ed g"o(a" %DAP re9uests cata"og search re9uests created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 1 2 *n the Operations console3 click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 On the Monitors pane3 e2pand Active Directory Domain Contro""er Server 2000 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand Avai"a(i"ity . 5ight1click AD Genera" esponse Monitor3 click Overrides3 click Override the Monitor3 and then click *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2000 Computer ,ote *f "ou do not see the rule3 check that the scope is set to include the Active Directory C"ient Perspective b" clicking Scope in the Operations Manager toolbar L Select the Override bo2 that corresponds to the 1na("ed entr" in the Parameter ,ame column C @nsure that Override $a"ue is set to &rue - Select the Override bo2 that corresponds to *ai"ure &hresho"d in the Parameter ,ame column3 and then enter the $alue that "ou !ant to set in the Override $a"ue column F *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 10 5epeat steps 3 through F for the follo!ing monitors: 1 2 Active Directory Domain Contro""er Server 200) Computer o"e Active Directory Domain Contro""er Server 2003 and a(ove Computer o"e

*n the Operations console3 click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 *n the Monitors pane3 e2pand Active Directory Domain Contro""er Server 2000 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand the Avai"a(i"ity . 5ight1click AD G"o(a" Cata"og Search esponse Monitor3 click Overrides3 click Override the Monitor3 select *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2000 Computer3 and then click O= ,ote .0

&o change the thresho"d for g"o(a" cata"og search time *f "ou do not see the rule3 check that the scope is set to include the Active Directory C"ient Perspective b" clicking Scope in the Operations Conso"e toolbar L Select the Override bo2 that corresponds to the 1na("ed entr" in the Parameter ,ame column C @nsure that Override $a"ue is set to &rue - Select the Override bo2 that corresponds to *ai"ure &hresho"d in the Parameter ,ame column3 and then enter the $alue that "ou !ant to set in the Override $a"ue column F *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 10 5epeat steps 3 through F for the follo!ing monitors: 1 2 Active Directory Domain Contro""er Server 200) Computer o"e Active Directory Domain Contro""er Server 2003 and a(ove Computer o"e

*n the Operations console3 click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 *n the &arget pane3 e2pand Active Directory Domain Contro""er Server 2000 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand the Performance . 5ight1click AD DC G"o(a" Cata"og Search &ime Monitor3 click Overrides3 click Override the Monitor3 select *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2000 Computer3 and then click O= ,ote *f "ou do not see the rule3 check that the scope is set to include the Active Directory C"ient Perspective b" clicking Scope in the Operations Conso"e tool bar L Select the Override bo2 that corresponds to the 1na("ed entr" in the Parameter ,ame column C @nsure that Override $a"ue is set to &rue - Select the o$erride bo2 that corresponds to &hresho"d 1rror >sec? in the Parameter ,ame column3 and then enter the $alue that "ou !ant to configure for the threshold in the Override $a"ue column F Select the o$erride bo2 that corresponds to &hresho"d .arning >sec? in the Parameter ,ame column3 and then enter the $alue that "ou !ant to use as the threshold in the Override $a"ue column Click O= 10 Select the Override bo2 that corresponds to *ai"ure &hresho"d in the Parameter ,ame column3 and then enter the $alue that "ou !ant to set in the Override $a"ue .1

,ote column 11 *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 12 5epeat steps 3 through 11 for the follo!ing monitors: Active Directory Domain Contro""er Server 200) Computer o"e Active Directory Domain Contro""er Server 2003 and a(ove Computer o"e

Active Directory Data(ase Monitoring

:cti$e +irector" +atabase Monitoring $erifies that the underl"ing files used to host the director" &sometimes referred to as the +*#/ are in a consistent state3 and that there is a$ailable room for the database files to gro! #his includes both the database files and the log files on each domain controller that is monitored b" the :+MP #he :cti$e +irector" +atabase and )og =ile !orkflo! monitors database and log file si<e and a$ailable free space on the associated disk $olumes ;" default3 the script runs e$er" 1. minutes3 and it calls the OOM:+s Component ObMect Model &COM/ obMect to obtain data #he :cti$e +irector" +atabase and )og =ile script first calls OOM:+s Get+atabase*nfo *f that call succeeds3 the script stores the returned $alues for dri$e free space and database si<e as performance data #he script then calls OOM:+s Get)og=ile*nfo *f that call succeeds3 the script stores the returned $alues for dri$e free space and database log si<e as performance data *f both calls succeed3 the script attempts to determine if a significant decrease has occurred in the amount of free space on either dri$e3 and3 if possible3 it identifies the cause of the free space reduction #o make this determination3 the script records the follo!ing data: :cti$e +irector" +atabase &+*#/ Si<e )og Si<e =ree +; Space =ree )og Space S8S?O) Si<e )ast 5un #ime

Data(ase and %og *i"e Gro/th

6hen a domain controller is not in its first replication c"cle3 the :cti$e +irector" +atabase and )og =ile script performs a test to determine !hether e2cessi$e gro!th in either the database or the log files is occurring *mmediatel" after :cti$e +irector" deplo"ment and a computer becomes a domain controller3 an initial3 complete replication c"cle must occur before the domain controller begins ad$ertising its ser$ices on the net!ork +uring this initial replication c"cle3 the .2

,ote database and log file si<es are e2pected to gro! significantl" #his gro!th is not reported b" the script as an error >o!e$er3 for a ne! domain controller3 the script still reports an" lo!1disk1space conditions #o determine !hether the domain controller is in its initial replication c"cle3 an attempt is made to read the rep"'p&oDate$ector attribute on the )+:P:''5oot+S@ obMect of the local computer *f the attribute e2ists3 the domain controller has alread" completed its first replication c"cle : comparison of the current and pre$ious $alues for database and log file si<e is used to determine !hether the database or log has gro!n more than 20 percent since the last time that the script ran *f e2cessi$e gro!th has occurred3 an e$ent is generated that indicates the amount of gro!th and the time difference &in minutes/ bet!een the current and pre$ious measurements #he 201percent $alue is fi2ed3 and it cannot be configured b" the user

e9uired Disk Space

*f the database and log files reside on separate logical dri$es3 the script $erifies that the logical dri$e holding the database file has the greater of .003000 kilob"tes &K;/ or 20 percent of the current database si<e a$ailable #he script also $erifies that the logical dri$e holding the log file has the greater of 2003000 K; or . percent of the current database si<e a$ailable *f the database and log files reside on the same logical dri$e3 the script $erifies that the greater of C003000 K; or 2. percent of the current si<e of the database is a$ailable on the dri$e =irst3 the script determines !hether the database and log files reside on the same logical dri$e #he script makes this determination b" comparing the first t!o characters of the file path for both the database and the log files &*f one path uses a 4ni$ersal 7aming Con$ention Y47CZ path name and the other path uses a dri$eRdirector" path name3 the check fails / *f both files reside on the same dri$e3 the amount of free space that is reJuired on the database dri$e is added to the amount of free space on the log dri$e #he reJuired amount of free space is then checked against the a$ailable free space *f the reJuired free space is greater than the a$ailable free space3 an e$ent is generated #he e$ent contains the current free space on the dri$e and the calculated3 reJuired free space on the dri$e

Configuration
#here are no recommended configuration settings for this scenario

&ime Ske/ Monitoring

#he authentication that the :cti$e +irector" application uses is built on the Kerberos authentication protocol3 !hich assumes that all computers that participate in authentication are kept !ithin fi$e minutes of one another ;ecause all computers !ill ha$e some amount of time ske! bet!een them3 the :+MP continuall" $erifies that all computers are !ithin an acceptable time ske!

.3

,ote

&o specify a manua" time source

#he management pack !ill generate a !arning or an error depending on the amount of time ske! *f the time ske! is abo$e the !arning threshold3 the time ske! monitor for the domain controller is in a !arning state *f the time ske! is abo$e the error threshold3 the time ske! monitor for this domain controller is in an error state =or e$er" domain controller that uses the management pack3 the time ske! monitor !ill automaticall" choose a time source for time comparison purposes #he time source that is chosen is determined b" a simple algorithm #his algorithm !orks as follo!s: *f the computer being monitored is not a primar" domain controller &P+C/3 the P+C for that computer%s domain !ill be chosen as a time source *f the computer being monitored is a P+C for the non1root domain3 the P+C for the root domain !ill be chosen as a time source *f the computer being monitored is the P+C of the root domain3 no time ske! detection is done #he time source that the management pack uses is not the same time source that the 6indo!s #ime ser$ice &632time/ uses #his is because the management pack must be able to determine the time ske! e$en !hen 632time is not running #he time on a domain controller is determined b" connecting to the root+S@ obMect using )ight!eight +irector" :ccess Protocol &)+:P/ #his is the most succinct and error1free !a" to determine the time #his method for determining the time reJuires that the remote computer is also a domain controller Computers that are not domain controllers and 7et!ork #ime Protocol &7#P/ time sources are not allo!ed to be manual time sources #he time source that is chosen for comparison is determined automaticall" !hen a manual time source is not specified *f a manual time source is specified &using an o$erride/3 the automatic time source selection !ill be ignored and the manuall" specified time source !ill be used 5efer to the configuration section for specif"ing a manual time source

Configuration
#o perform the procedures in this section3 "ou must be a member of the Operations Manager Administrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 2 Open the Operations console3 and click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 *n the Monitor pane3 e2pand Active Directory Domain Contro""er Server 2000 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand Configuration . 5ight1click AD &ime Ske/ Monitor3 click Overrides3 click Override this Monitor3 and then click *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2000 Computer L Select the bo2 that corresponds to &imeSource in the Parameter ,ame column3 and .H

enter the full" Jualified domain name &=B+7/ of a domain controller as the ne! time source C *n Se"ect destination management pack3 select the management pack that "ou created for :+MP Customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 5epeat steps 3 through C for the follo!ing roles: Active Directory Domain Contro""er Server 200) Computer o"e Active Directory Domain Contro""er Server 2003 and a(ove Computer o"e

Operations Master Monitoring

:n :cti$e +irector" en$ironment !ill contain a number of operations master role o!ners #his management pack monitors these roles to ensure that the" are a$ailable and can be located at all times Specificall"3 each operations master role o!ner can be located and binding can occur !ithin a specified amount of time #he :cti$e +irector" Operation Master 5esponse script monitors :cti$e +irector" Operations Masters Operations masters are domain controllers that hold one or more of the operations master roles &also kno!n as fle2ible single master operations or =SMO roles/ in :cti$e +irector" #hese roles are critical to :cti$e +irector" health and a$ailabilit" #he operations master roles include the follo!ing: Schema operations master +omain naming operations master *nfrastructure operations master 5elati$e *+ &5*+/ operations master Primar" domain controller &P+C/ emulator operations master

#his script runs e$er" fi$e minutes to determine the responsi$eness of the operations masters #he response time for each role holder is recorded as performance data =or each operations master3 the :cti$e +irector" Operations Master 5esponse script determines the point at !hich that operations master !as last tested successfull" *f the number of script runs since the last successful test is greater than or eJual to the SuccessCount parameter3 the test is performed again &!ith the e2ception of the P+C emulator master3 !hich is tested during each script run/ :n operations master is also tested if the pre$ious test of the same operations master failed or if the operations master has not been tested since the Operations Manager ser$ice started *f the script tests an operations master and the test fails3 the script generates an e$ent and increments a counter that is associated !ith the domain controller being tested *f the counter eJuals the *ai"ure&hresho"d parameter3 the script generates another e$ent3 and it generates a 6arning alert indicating that multiple consecuti$e failures ha$e occurred

..

&o change the thresho"d for an operations master "ast (ind monitor 6hen the script tests an operations master and the test completes successfull"3 the failure counter for that domain controller is reset to 03 and a success e$ent is generated #he script also generates an *nformation alert

Configuration
#o perform the procedures in this section3 "ou must be a member of the Operations Manager Administrators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 2 Open the Operations console3 and click Authoring @2pand Management Pack O(<ects3 and then click Monitors

3 *n the Monitors pane3 e2pand Active Directory Domain Contro""er Server 2000 Computer o"e H @2pand 1ntity !ea"th3 and then e2pand Performance . 5ight1click AD DC Op Master E*SMOro"eF %ast 5ind Monitor3 !here [=SMOrole\ is the operations master role that "ou !ant to modif" L Click Overrides3 click Override the Monitor3 select *or a"" o(<ects of c"assB Active Directory Domain Contro""er Server 2000 Computer C Select the Override bo2 that corresponds to 1na("ed in the Parameter ,ame column @nsure that the $alue in the Override $a"ue column is set to &rue - Select the Override that corresponds to &hresho"d 1rror >sec? in the Parameter ,ame column3 and then enter the $alue that "ou !ant to use in the Override column F Select the Override bo2 for &hresho"d .arning >sec?3 and then enter the $alue that "ou !ant to configure in the Override $a"ue column 10 *n Se"ect destination management pack3 select the management pack that "ou created for :cti$e +irector" Management Pack &:+MP/ customi<ations3 as described in Create a 7e! Management Pack for Customi<ations *f "ou ha$e not "et created a management pack for "our o$errides3 "ou can click ,e/ to create one no! Click O= 11 5epeat steps 3 through 10 for the follo!ing monitors: a b Active Directory Domain Contro""er Server 200) Computer o"e Active Directory Domain Contro""er Server 2003 and a(ove Computer o"e

Active Directory .e( Service Monitoring

:cti$e +irector" 6eb Ser$ices &:+6S/ is a ne! ser$ice beginning in 6indo!s Ser$er 200- 52 #he :cti$e +irector" Management Gate!a" Ser$ice is an eJui$alent ser$ice that can be added to 6indo!s Ser$er 200- and 6indo!s Ser$er 2003 #hese ser$ices pro$ide support for commands in the :cti$e +irector" module for 6indo!s Po!erShell commands3 as !ell as the :cti$e +irector" :dministrati$e Center *f :+6S or the :cti$e +irector" Management Gate!a" .L

Ser$ice is not functioning properl" on their respecti$e operating s"stems3 6indo!s Po!erShell commands and the :cti$e +irector" :dministrati$e Center !ill not function properl" #he :+MP monitors the :+6S to ensure it is running and a$ailable
Monitor Description

:+6S Ser$ice Monitor

?erifies that :cti$e +irector" 6eb Ser$ices and the ser$ice port on ser$ers that run 6indo!s Ser$er 200- 52 or later and the :cti$e +irector" Management Gate!a" Ser$ice on 6indo!s Ser$er 2003 or 6indo!s Ser$er 200- ser$ers are functioning3 and reports an" ser$ice failures or port blockages

Configuration
#here are no recommended configuration settings for this scenario

Domain Contro""er Performance

*t is critical to an :cti$e +irector" en$ironment that ser$ices and responses are not onl" a$ailable but that the" can be located and Jueried !ithin an acceptable amount of time #he specific areas of domain controller performance include the follo!ing: #he )S:SS process is using an acceptable amount of CP4 resources ;inding can occur !ith a domain controller !ithin an acceptable amount of time

*f the 7et )ogon ser$ice is running and if the s"stem has been running for more than 20 minutes3 the :cti$e +irector" Management Pack uses the +sGet+C7ame application programming interface &:P*/ to check the domain controller )ocator &+C)ocator/ #he script then compares the name that is returned !ith the name of the local domain controller *f the names do not match3 the script generates an error message indicating that the domain controller is not ad$ertising *f the names match and +C)ocator !as pre$iousl" not !orking3 the script clears the $ariable and generates an e$ent indicating that +C)ocator is no! !orking

Configuration
#here are no recommended configuration settings for this scenario

$ie/s
#o perform the procedures in this section3 "ou must be a member of at least the Operations Manager ead0On"y Operators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'( )ink*d,1L.C3L/

.C

4se the $ie!s to get an understanding of the current state of "our en$ironment #he DC Active A"erts $ie! and the DC State $ie!3 located under the :cti$e +irector" Ser$er 2000 or :cti$e +irector" 2003 folder3 pro$ide a Juick o$er$ie! of "our domain controllers and an indication of !hat reJuires "our immediate attention *f the ser$er running :cti$e +irector" s"stem looks health"3 check the C"ient A"erts and C"ient State $ie!s under the Client Monitoring folder to $erif" that "our client computers are not e2periencing an" problems *t is possible for client computers to disco$er problems that are not $isible from the ser$er monitoring function

State $ie/
6hen "ou monitor the state of :cti$e +irector" deplo"ment !ith this management pack for Microsoft S"stem Center Operations Manager 200C3 "ou can get an instant $ie! of :cti$e +irector" health Management pack scripts run predefined tests at regular inter$als to test the state ;ased on the test results3 e$ents might be generated @$ents3 in turn3 trigger rules that affect the state of the components and raise alerts 5ather than !aiting for an alert to be raised3 "ou can $ie! the summar" state for :cti$e +irector" components at an" time b" clicking State in the Pu("ic $ie/s pane of the Operations Manager Operator console #he state of a component is indicated in the State Detai"s pane !ith colored icons: : green icon indicates success3 or it indicates that there is information a$ailable that does not reJuire action : "ello! icon indicates an error or a !arning : red icon can indicate either a critical error or a securit" issue or that a ser$ice is una$ailable 7o icon indicates that no data affecting state has been collected #here are four state components that are monitored b" the management pack: C"ient $ie/: Checks !hether :cti$e +irector" is responding to clients that ha$e the :cti$e +irector" Client Management Pack installed ep"ication !ea"th: Checks !hether domain controllers are configured properl" and that the" are replicating :lso checks !hether replication is occurring in a timel" fashion and that initial domain controller replication has been completed after :cti$e +irector" has been installed on a computer Server !ea"th: Checks !hether the director" ser$ice and processes that are $ital to the :cti$e +irector" deplo"ment are health" Service !ea"th: Checks !hether the operations master &also kno!n as fle2ible single master operations or =SMO/ role holders and the director" ser$ice are responsi$e and !hether clients can connect to the director" #he follo!ing table lists each state component3 the source of the state change3 and the rules affecting the state for the component State Component Source 5ule affecting state

.-

Client ?ie! Client ?ie! 5eplication >ealth 5eplication >ealth

?arious Client Pack scripts :+ Client P+C 5esponse &script/ :+ 5eplication Monitoring &script/ :+ 5eplication Monitoring &script/ :+ 5eplication Monitoring &script/ :+ @ssential Ser$ices 5unning &script/ :+ +atabase and )og &script/ :+ @ssential Ser$ices 5unning &script/ :+ CP4 O$erload &script/

:cti$e +irector" client side test failed #he P+C @mulator cannot be contacted :cti$e +irector" 5eplication is occurring slo!l" *nitial replication after domain controller promotion has not been completed 5eplication is not occurring 1 :ll replication partners ha$e failed to s"nchroni<e 6indo!s #ime Ser$ice is not running +atabase )og =ile @2cessi$e Gro!th 6arning 7et )ogon Ser$ice is not running #he )S:SS process is using a high percentage of a$ailable CP4 time +atabase and )og =ile +ri$e Space 1 @rror +atabase @2cessi$e Gro!th 6arning CP4 is o$erloaded *ntersite Messaging Ser$ice is not running Kerberos Ke" +istribution Center Ser$ice &K+C/ is not running Cannot connect to local S8S?O) share =ile 5eplication Ser$ice is not running #he domain controller is not .F

5eplication >ealth

Ser$er >ealth Ser$er >ealth Ser$er >ealth Ser$er >ealth

Ser$er >ealth Ser$er >ealth Ser$er >ealth Ser$er >ealth Ser$er >ealth

:+ +atabase and )og &script/ :+ +atabase and )og &script/ :+ CP4 O$erload &script/ :+ @ssential Ser$ices 5unning &script/ :+ @ssential Ser$ices 5unning &script/ :+ @ssential Ser$ices 5unning &script/ :+ @ssential Ser$ices 5unning &script/ :+ @ssential Ser$ices 5unning

Ser$er >ealth Ser$er >ealth Ser$er >ealth

&script/ Ser$ice >ealth Op Master +omain 7aming )ast ;ind &performance counter/ Op Master Schema )ast ;ind &performance counter/ Op Master *nfrastructure )ast ;ind &performance counter/ Op Master 5*+ )ast ;ind &performance counter/ Op Master P+C )ast ;ind &performance counter/ :cti$e +irector" )ast ;ind &performance counter/ Global Catalog Search #ime &performance counter/ :cti$e +irector" )ost ObMects &performance counter/

ad$ertising 1 Clients !ill not be able to locate this domain Op Master +omain 7aming )ast ;ind 1 #hreshold @2ceeded Op Master Schema )ast ;ind 1 #hreshold @2ceeded Op Master *nfrastructure )ast ;ind 1 #hreshold @2ceeded Op Master 5*+ )ast ;ind 1 #hreshold @2ceeded Op Master P+C )ast ;ind 1 #hreshold @2ceeded :cti$e +irector" )ast ;ind 1 #hreshold @2ceeded Global Catalog Search #ime 1 #hreshold @2ceeded :cti$e +irector" )ost ObMects 1 #hreshold @2ceeded

Ser$ice >ealth Ser$ice >ealth Ser$ice >ealth Ser$ice >ealth Ser$ice >ealth Ser$ice >ealth Ser$ice >ealth

Diagram $ie/
:cti$e +irector" replication topolog" diagrams displa" the replication topolog" of "our net!ork3 !ith dashed lines indicating intersite connections and solid lines indicating intrasite connections @ach computer is annotated for its role and state #he state of domain controllers in the replication topolog" diagrams is indicated b" icons that ha$e the same color: : green icon indicates that replication is functioning and no action is reJuired : "ello! icon indicates that replication failures ha$e been detected

: red icon indicates multiple consecuti$e failures or that replication is not occurring on the domain controller #he diagrams also contain #ool#ips that pro$ide detailed information3 such as subnet configuration details3 link costs3 replication inter$als3 consecuti$e failures3 and partition names =rom the diagram $ie!3 "ou can na$igate to other $ie!s =or e2ample3 to see alerts that pertain to onl" a specific domain controller3 "ou can right1click that domain controller in a diagram3 point to $ie/3 and then click A"erts 8ou can also select one or more domain controllers in a diagram and run a task remotel" on that domain controller from the diagram $ie! #his management pack pro$ides four d"namic replication topolog" diagrams3 !hich are described in the follo!ing sections L0

C"ient0Side Monitoring
#he follo!ing table describes the $ie!s that pro$ide information about client1side monitoring ?ie! 7ame Client :+S* ;ind and Search #ime +escription +ispla"s the time3 in seconds3 reJuired to perform a search for the domain controller &using a subtree search in the default director" partition and cn,computername as the filter/ that is retrie$ed from the root+S@ obMect #his search is done onl" after the script has completed a bind to the root+S@ of the domain controller using :+S* Pro$ides a list of alerts generated from the client monitoring function +ispla"s the time3 in seconds3 reJuired b" the :+ Client GC :$ailabilit" script to perform a search of the global catalog +ispla"s the time3 in seconds3 reJuired for the client to perform an )+:P ping and bind operation on the domain controller +ispla"s the time3 in seconds3 reJuired for the client to ping and bind the domain controller that hosts the P+C operations master role : $ie! that displa"s the )+:P Ping and ;ind $ie!3 the Client GC Search #ime $ie!3 the Client :+S* ;ind and Search #ime $ie!3 and the Client P+C Ping and ;ind #ime $ie! in the same pane +ispla"s the current state of all monitoring clients

Client :lerts Client GC Search #ime

Client )+:P Ping and ;ind

Client P+C Ping and ;ind #ime

Client Performance O$er$ie!

Client State

Active Directory Performance $ie/s

#he follo!ing table describes the $ie!s that pro$ide information about :cti$e +irector" performance ?ie! 7ame :+ +*#')og =ree Space +escription +ispla"s the free space3 in b"tes3 on the $olumes containing the :cti$e +irector" L1

+irector" *nformation #ree &+*#/ and log files :ll Performance +ata 8ou can choose the information that "ou !ant to displa" from the entire set of :cti$e +irector" performance data : $ie! that displa"s the +atabase Si<e $ie!3 the )og =ile Si<e $ie!3 and the :cti$e +irector" +*#')og =ree Space $ie! in the same pane +ispla"s the si<e3 in b"tes3 of the :cti$e +irector" database : $ie! that displa"s the )S:SS Processor #ime $ie! and the Memor" Metrics $ie! in the same pane +ispla"s the time3 in seconds3 for a domain controller to respond to a reJuest : $ie! that displa"s the +C 5esponse #ime $ie! and the GC 5esponse #ime $ie! in the same pane +ispla"s the time3 in seconds3 for a global catalog to respond to a reJuest +ispla"s3 in b"tes3 the si<e of the :cti$e +irector" )og =ile +ispla"s3 as a percentage of the total time a$ailable3 the processor time consumed b" the )ocal Securit" :uthorit" Subs"stem &)S:SS/ 8ou can choose the memor" metrics that "ou !ant to displa" from the entire set of :cti$e +irector" data +ispla"s the performance data collected b" the :+ OpMaster 5esponse script #he script measures the responsi$eness of all monitored domain controllers that host an operations master role

+atabase and )og O$er$ie!

+atabase Si<e +C OS Metrics O$er$ie!

+C 5esponse #ime +C'GC 5esponse

GC 5esponse #ime )og =ile Si<e )S:SS Processor #ime

Memor" metrics

Op Master Performance

ep"ication $ie/s
#he follo!ing table describes the $ie!s that pro$ide information about :cti$e +irector" replication ?ie! 7ame +escription L2

*ntersite 5eplication #raffic 5eplication :lerts last C da"s 5eplication *nbound ;"tes'sec

+ispla"s3 in b"tes per second3 the amount of inbound compressed replication data +ispla"s the last se$en da"s of alerts 8ou can choose the +irector" 5eplication :gent &+5:/ inbound b"tes metrics that "ou !ant to displa" on one graph +ispla"s3 in minutes3 the time for a change that is made in one :cti$e +irector" location to be reflected in all connected :cti$e +irector" domain controllers : $ie! sho!ing the pre$ious four $ie!s in the same pane

5eplication )atenc"

5eplication Performance O$er$ie!

&opo"ogy $ie/s
#he follo!ing table describes the :cti$e +irector" topolog" $ie!s ?ie! 7ame :+ +omains :+ Sites Connection ObMects +escription +ispla"s a topolog" of all "our :cti$e +irector" domains +ispla"s a topolog" of all "our :cti$e +irector" sites +ispla"s a topolog" for all "our connection obMects Stale connection obMects are sho!n as an error3 or red3 state #o see onl" "our stale connection obMects3 click *i"ter (y !ea"th abo$e the $ie! to sho! onl" obMects in the error state : topolog" that contains all information in the pre$ious three $ie!s

#opolog"

Configuring &ask Settings

#he follo!ing tasks reJuire that "ou set command1line options specificall" for "our computing en$ironment before "ou run the tasks on remote domain controllers: 7@#+*:G 7@#+OM L3

&o set task parameters 7)#@S# 5@P:+M*7 S@#SP7

,ote

#o perform the procedures in this section3 "ou must be a member of at least the Operations Manager Operators group in the Operations console =or more information3 see Account #nformation for Operations Manager 200; &http:''go microsoft com'f!link'()ink*d,1L.C3L/ 1 Open the Operations console3 and then click Monitoring

2 @2pand Microsoft .indo/s Active Directory Management Pack O(<ects 3 and then click u"es 3 *n the Monitoring pane3 e2pand Microsoft .indo/s Active Directory3 and then click DC State H *n the DC State pane3 select the domain controller that "ou !ant to target for running the task . *n the Actions pane3 right1click the task that "ou !ant to run &for e2ample DCD#AG/3 and then click un &ask L *n the un &ask dialog bo23 click Override C *n Override &ask Parameters3 "ou can see the configurable options for o$erride and set them b" adding the appropriate information in the ,e/ $a"ue column #he o$errides for running tasks do not modif" the task configuration permanentl"V the" must be set each time that "ou run the task

Appendi+B

eports

#he follo!ing table describes the reports that are implemented in this release of the :cti$e +irector" Management Pack &:+MP/
,ame eport description e9uired Description@instructions

:+ +omain Changes

#he purpose of the :+ +omain Changes report is to displa" an" e$ents seen on the monitored domain controllers that !ould indicate a change in the role of that domain controller #he report displa"s an" e$ents collected on a

Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe

Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he specific domain controllers to list in the report *f indi$idual domain controllers are chosen3 the :cti$e +irector" +omain Controller LH

,ame

eport description

e9uired

Description@instructions

monitored domain controller !ith the e$ent *+ of 1LH0-3 122FC3 or 1LL.2 #hese e$ents are internal to 6indo!s Ser$er and indicate specific changes in the domain controllers operation on the domain :+ +omain Controllers #he :+ +omain Controllers report displa"s a list of domain controllers monitored b" the :+MP =or each domain controller3 the *P :ddresses3 :cti$e +irector" Site3 6indo!s ?ersion3 and =ull" Bualified +omain 7ame are displa"ed Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe

Computer 5ole obMects must be chosen #o run a report containing all domain controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er supported

Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he specific domain controllers to list in the report *f indi$idual domain controllers are chosen3 the :cti$e +irector" +omain Controller Computer 5ole obMects must be chosen #o run a report containing all domain controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er that is supported

:+ Machine :ccount #he :+ Machine :uthentication :ccount =ailures :uthentication =ailures 5eport contains e$ents logged on the domain controllers that indicate a failure of a machine account to authenticate

Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe

Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he specific domain controllers to list in the report *f indi$idual domain controllers are chosen3 the :cti$e +irector" +omain Controller L.

,ame

eport description

e9uired

Description@instructions

Computer 5ole obMects must be chosen #o run a report containing all domain controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er supported :+ 5eplication Site )inks #he :+ 5eplication Site )inks report contains a list of site links in the en$ironment and the t"pe of transport3 cost3 and replication inter$al for each of these links Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he :cti$e +irector" Site )ink obMects from the en$ironment =or the purpose of reporting3 the user ma" !ant to create a d"namic group that contains all of the site links and use that group for the report so that the" do not ha$e to manuall" add each link e$er" time that the" !ant to run the report Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #his report utili<es three different t"pes of obMects #o make full use of this report3 a user !ill need to include the rele$ant :cti$e +irector" +omain3 :cti$e +irector" =orest3 and an" :cti$e +irector" +omain Controller Computer 5ole obMects to be included #o run a report containing all LL

:+ 5ole >olders

#he :+ 5ole >olders report is probabl" the report that is most used b" customers3 because it gi$es a detailed list of the domains3 forests3 and domain controllers that make up the en$ironment

,ame

eport description

e9uired

Description@instructions

domain controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er that is supported :+ S:M :ccount Changes #he :+ S:M :ccount Changes report collects specific S:M e$ents logged on domain controllers Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he specific domain controllers to list in the report *f indi$idual domain controllers are chosen3 the :cti$e +irector" +omain Controller Computer 5ole obMects must be chosen #o run a report containing all domain controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er that is supported +C +isk Space Charts #he +C +isk Space Chart sho!s the si<e of the +*# as it changes o$er time ;" adMusting the start and end dates3 the user can customi<e the $ie! of timeframe for the si<e of the +*# +ata :ggregation #"pe Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe +ata :ggregation #"pe: >o! to aggregate the data3 either >ourl" or +ail" Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he specific domain controllers to list in the report *f indi$idual domain controllers are chosen3 the :cti$e +irector" +omain Controller Computer 5ole obMects must be chosen #o run a report containing all domain LC

,ame

eport description

e9uired

Description@instructions

controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er that is supported +C 5eplication ;and!idth #he +C 5eplication ;and!idth 5eport sho!s the amount of band!idth replication is using in the en$ironment for each domain controller +ata :ggregation #"pe Start +ata3 @nd +ata3 and #ime Uone ObMect #"pe +ata :ggregation #"pe: >o! to aggregate the data3 either >ourl" or +ail" Start +ata3 @nd +ata3 and #ime Uone: +ate information regarding !hen the data used in the report should be collected ObMect #"pe: #he specific domain controllers to list in the report *f indi$idual domain controllers are chosen3 the :cti$e +irector" +omain Controller Computer 5ole obMects must be chosen #o run a report containing all domain controllers3 a user can add the :+ +omain Controllers Group for each $ersion of 6indo!s Ser$er that is supported

Appendi+B 'sing %o/0Privi"ege Accounts to un Scripts

C"ient0Side Monitoring
Script e9uired permissions

:+OClientOConnecti$it" $bs

)ocal :dmin L-

Script

e9uired permissions

:+OClientOGCO:$ailabilit" $bs :+OClientOP+CO5esponse $bs :+OClientOSer$erlessO;ind $bs :+OClientO4pdateO+Cs $bs :+ClientPerspecti$e $bs

+omain 4ser )ocal :dmin +omain 4ser )ocal 4ser )ocal :dmin

Domain Contro""er Monitoring

Script e9uired permissions

:+O+atabaseOandO)og $bs :+O+CO+emoted $bs :+O+7SO?erification $bs :+O@numerateO#rusts $bs :+OGeneralO5esponse $bs :+OGlobalOCatalogOSearchO5esponse $bs :+O)ostO:ndO=oundOObMectOCount $bs :+OMonitorO#rusts $bs :+OOpOMasterO5esponse $bs :+O5eplicationOMonitoring $bs :+O5eplicationOMonitoringO>elper1 $bs :+O5eplicationOMonitoringO>elper2 $bs :+O5eplicationOPartnerOCount $bs :+O5eplicationOPartnerOOpOMaster $bs :+OSer$erOMo$edOSite $bs :+OS"s$olOShareO+ataSource $bs :+O#imeOSke! $bs :+O?alidateOSer$erO#rustO@$ent $bs +C)ocator5unning $bs

)ocal 4ser )ocal :dmin +omain 4ser +omain 4ser +omain 4ser +omain 4ser +omain 4ser +omain 4ser +omain 4ser )ocal :dmin )ocal 4ser )ocal 4ser +omain 4ser +omain 4ser +omain 4ser )ocal 4ser +omain 4ser +omain 4ser )ocal 4ser LF

&o vie/ kno/"edge for a monitor

Script e9uired permissions

General5esponseCheck $bs

+omain 4ser

Domain Contro""er Discovery

Script e9uired permissions

:+)ocal+isco$er" $bs :+5emo$e#opolog"+isco$er" $bs :+#opolog"+isco$er" $bs Prepare@ssential+isc+ata] $bs

)ocal :dmin +omain 4ser +omain 4ser )ocal 4ser

Appendi+B Monitors and Overrides for Management Packs

#his section pro$ides detailed procedures and scripts that "ou can use to displa" rules and other information about the management packs that "ou import #o perform the procedures in this appendi23 "ou must be a member of the at least the Operations Manager Operators group in the Operations console and ha$e the abilit" to run scripts on the 5oot Management Ser$er &5MS/ =or more information3 see :ccount *nformation for Operations Manager 200C &http:''go microsoft com'f!link'()ink*d,1L.C3L/

!o/ to $ie/ Management Pack Detai"s

=or more information about a monitor and the associated o$erride $alues3 see the kno!ledge for the monitor 1 On "our management ser$er3 click Start3 t"pe Operations Conso"e3 and then click Operations Conso"e on the Start menu 2 3 *n the na$igation pane3 click Authoring @2pand Management Pack O(<ects3 and then click Monitors

H *n the Monitors pane3 e2pand the targets until "ou reach the monitor le$el :s an alternati$e3 "ou can use Search to find a particular monitor . Click the monitor3 and in the Monitor detai"s pane3 click $ie/ kno/"edge C0

&o disp"ay monitors for a management pack L Click the Product =no/"edge tab

,ote

,ote &o disp"ay overrides for a management pack

!o/ to Disp"ay Monitors for a Management Pack

#o displa" a list of outputs for a management pack^s monitors and o$errides b" using the Command Shell3 use the follo!ing procedure 1 On "our management ser$er3 click Start3 t"pe Operations Manager She""3 and then click Operations Manager She"" on the Start menu 2 *n Operations Manager She""3 t"pe the follo!ing command: get>+onitor
>+anage+ent$ac? na+e.+p @ e6port>csv filena+e

=or e2ample3 the follo!ing command retrie$es data for the monitors that are associated !ith one of the core management packs:
get-monitor -managementPack System.Health.Library.mp | export-csv "C:\monitors.csv"

*f "ou recei$e an error message indicating that access to the path is denied3 modif" the path Ac:B+onitors.csvC in the command to use a path to !hich the user account has access =or e2ample3 user accounts should ha$e access to their profile path =rom a command prompt3 "ou can run the command echo DuserprofileD to find out the ph"sical path to the user profile &for e2ample3 C:R4sersR:)"on/ 6hen "ou ha$e the user profile path3 use that instead of c:R as sho!n in the e2ample commands3 for e2ample3
Ac:BusersBAL#onB+onitors.csvC

: cs$ file is created 8ou can open the cs$ file in Microsoft @2cel *n @2cel3 "ou might be reJuired to specif" that the cs$ file is a te2t file

!o/ to Disp"ay Overrides for a Management Pack

#o displa" o$errides for a management pack3 use the follo!ing procedure 1 On "our management ser$er3 click Start3 t"pe Operations Manager She""3 and then click Operations Manager She"" on the Start menu 2 *n Operations Manager She""3 t"pe the follo!ing command:
get>override >+anage+ent$ac? na+e.+p @ e6port>csv filena+e

=or e2ample3 the follo!ing command displa"s the o$errides for one of the core management packs:
get-overri e -managementPack !icroso"t.SystemCenter.#perations!anager.$nternal.mp | export-csv "c:\overri es.csv"

*f "ou recei$e an error message indicating that access to the path is denied3 modif" the path Ac:Boverrides.csvC in the command to use a path to !hich the user account has access =or e2ample3 user accounts should ha$e access to their profile path =rom a C1

&o disp"ay management pack ru"es command prompt3 "ou can run the command echo DuserprofileD to find out the ph"sical path to the user profile &for e2ample3 C:R4sersR:)"on/ 6hen "ou ha$e the user profile path3 use that instead of c:R as sho!n in the e2ample commands3 for e2ample3
Ac:BusersBAL#onBoverrides.csvC

: cs$ file is created 8ou can open the cs$ file in Microsoft @2cel *n @2cel3 "ou might be reJuired to specif" that the cs$ file is a te2t file

!o/ to Disp"ay A"" Management Pack u"es

4se the follo!ing procedure to displa" a list of rules for the management packs that "ou imported 8ou can $ie! the list of rules in Microsoft @2cel 1 On "our management ser$er3 click Start3 t"pe Operations Manager She""3 and then click Operations Manager She"" on the Start menu 2 *n Operations Manager She""3 t"pe the follo!ing command: get>rule @ select>ob3ect EF'a+eGH/$HI96pressionGF foreach> ob3ect FJK.2et/anage+ent$ac?().Displa#'a+e LLL&Displa#'a+e @ sort>ob3ect >propert# /$ @ e6port>csv Hc:Brules.csvH ,ote *f "ou recei$e an error message indicating that access to the path is denied3 modif" the path Ac:Brules.csvC in the command to use a path to !hich the user account has access =or e2ample3 user accounts should ha$e access to their profile path =rom a command prompt3 "ou can run the command echo DuserprofileD to find out the ph"sical path to the user profile &for e2ample3 C:R4sersR:)"on/ 6hen "ou ha$e the user profile path3 use that instead of c:R as sho!n in the e2ample commands3 for e2ample3 Ac:BusersBAL#onBrules.csvC : cs$ file is created 8ou can open the cs$ file in @2cel *n @2cel3 "ou might be reJuired to specif" that the cs$ file is a te2t file

!o/ to Disp"ay Monitor &hresho"ds

#o displa" monitor thresholds3 use the script that is pro$ided in this topic #his script !orks for the maMorit" of monitors #he script creates a cs$ file that includes the follo!ing columns 8ou can $ie! the script b" using Microsoft @2cel
Co"umn Description

&ype Disp"ay,ame

#he t"pe of obMects to !hich the monitor is targeted #he displa" name of the monitor C2

Co"umn

Description

&hresho"d A"ertOnState Auto eso"veA"ert

#he threshold used b" the monitor +etermines !hether the monitor generates an alert !hen the state changes +etermines !hether the generated alert !ill be resol$ed automaticall" !hen the monitor state goes back to green #he se$erit" of the generated alert

A"ertSeverity

Cop" the follo!ing script to a te2t file and sa$e the file as a 6indo!s Po!erShell script b" renaming the file to monitors ps1 5un the script in Operations Manager She"" #his script creates a cs$ file that displa"s the monitor thresholds:
"%nction &et'hreshol +con"ig . )xml* ("/con"ig0" 1 +con"ig%ration 1 "/2con"ig0", +threshol . +con"ig.Con"ig.'hreshol -e3 +n%ll, ()String* +con"ig%ration,

i"(+threshol +threshol 4 i"(+threshol +threshol 4 i"(+threshol -

. +con"ig.Con"ig.!emory'hreshol

-e3 +n%ll,

. +con"ig.Con"ig.CP5Percentage'hreshol

-e3 +n%ll,

i"(+con"ig.Con"ig.'hreshol 6 -ne +n%ll -an +threshol . ""irst threshol

+con"ig.Con"ig.'hreshol 7 -ne +n%ll,

is: " 1 +con"ig.Con"ig.'hreshol 6 1 " secon

threshol

is:

" 1 +con"ig.Con"ig.'hreshol 7 4 4 i"(+threshol i"(+con"ig.Con"ig.'hreshol 8arnSec -ne +n%ll -an +n%ll, +con"ig.Con"ig.'hreshol 9rrorSec -ne -e3 +n%ll,

C3

,ote
+threshol threshol 4 4 i"(+threshol i"(+con"ig.Con"ig.Learning;n <aseliningSettings -ne +n%ll, +threshol 4 4 ret%rn +threshol 4 +per"!onitors . get-monitor -Criteria:"$s5nit!onitor.6 an Category.=Per"ormanceHealth=" . "no threshol (baseline monitor," -e3 +n%ll, . ":arning threshol is: " 1 +con"ig.Con"ig.'hreshol 8arnSec 1 " error

is: " 1 +con"ig.Con"ig.'hreshol 9rrorSec

+per"!onitors | select-ob>ect ?-name."'arget"@expression.-"oreach-ob>ect -(&et!onitoringClass -$ :+A.'arget.$ ,.BisplayCame444DBisplayCameD ?-name."'hreshol "@expression.-"oreach-ob>ect -&et'hreshol +A.Con"ig%ration444D ?-name.";lert#nState"@expression.-"oreach-ob>ect -+A.;lertSettings.;lert#nState444D ?-name.";%toEesolve;lert"@expression.-"oreach-ob>ect -+A.;lertSettings.;%toEesolve444D ?-name.";lertSeverity"@expression.-"oreach-ob>ect -+A.;lertSettings.;lertSeverity444 | sort 'argetD BisplayCame | export-csv "c:\monitorAthreshol s.csv"

*f "ou recei$e an error message indicating that access to the path is denied3 modif" the line e6port>csv A*B+onitorKthresholds.csvC to use a path to !hich the user account has access =or e2ample3 user accounts should ha$e access to their profile path =rom a command prompt3 "ou can run the command echo DuserprofileD to find out the ph"sical path to the user profile &for e2ample3 C:R4sersR:)"on/ 6hen "ou ha$e the user profile path3 use that instead of c:R in the script3 for e2ample3 e6port>csv
Ac:BusersBAL#onB+onitorKthresholds.csvC

!o/ to Disp"ay Performance Co""ection u"es

#o displa" performance collection rules3 use the script in this topic #his script !orks for the maMorit" of monitors #he script creates a cs$ file that includes the follo!ing columns 8ou can $ie! the script b" using Microsoft @2cel
Co"umn Description

.riteAction .rite&oD5 or Co""ectionPerformanceData

Contains information about !here the performance counter is !ritten 6rites to the Operations Manager database CH

Co"umn

Description

.rite&oD. or Co""ectPerfData.arehouse .C

6rites to the data !arehouse Stores baseline data for a performance counter in the operational database

Cop" the follo!ing script to a te2t file3 and then sa$e the file as a 6indo!s Po!erShell script b" renaming the file to monitors ps1 5un the script in Operations Manager She"" #he script creates a cs$ file that displa"s the performance collection rules that are present in the management group
function 2et$erf*ounter'a+e (<%tring= Jconfiguration) +con"ig . )xml* ("/con"ig0" 1 +con"ig%ration 1 "/2con"ig0", ret%rn (+con"ig.Con"ig.#b>ectCame 1 "\" 1 +con"ig.Con"ig.Co%nterCame, 4 "%nction &etFre3%ency ()String* +con"ig%ration, +con"ig . )xml* ("/con"ig0" 1 +con"ig%ration 1 "/2con"ig0", +"re3%ency . +con"ig.Con"ig.Fre3%ency@ i"(+"re3%ency -e3 +n%ll, +"re3%ency . +con"ig.Con"ig.$ntervalSecon s@ 4 ret%rn (+"re3%ency, 4 "%nction &etBisplayCame(+per"ormanceE%le, i"(+per"ormanceE%le.BisplayCame -e3 +n%ll, ret%rn (+per"ormanceE%le.Came,@ 4 else ret%rn (+per"ormanceE%le.BisplayCame,@ 4 4

C.

,ote
"%nction &et8rite;ctionCames(+per"ormanceE%le, +:rite;ctions . ""@ "oreach(+:rite;ction in +per"ormanceE%le.8rite;ctionCollection, +:rite;ctions 1. " " 1 +:rite;ction.Came@ 4 ret%rn (+:rite;ctions,@ 4 +per"AcollectionAr%les . get-r%le -criteria:"Category.=Per"ormanceCollection=" +per"AcollectionAr%les | select-ob>ect ?-name."'ype"@expression.-"oreach-ob>ect -(&et!onitoringClass -i : +A.'arget.$ ,.BisplayCame444D?-name."E%leBisplayCame"@expression.-"oreach-ob>ect -&etBisplayCame +A444 D?-name."Co%nterCame"@expression.-"oreach-ob>ect -&etPer"Co%nterCame +A.BataSo%rceCollection)G*.Con"ig%ration444D?-name."Fre3%ency"@expression.-"oreach-ob>ect -&etFre3%ency +A.BataSo%rceCollection)G*.Con"ig%ration444D?-name."8rite;ctions"@expression.-"oreachob>ect -&et8rite;ctionCames +A444 "c:\per"AcollectionAr%les.csv" | sort 'ypeDE%leBisplayCameDCo%nterCame | export-csv

*f "ou recei$e an error message indicating that access to the path is denied3 modif" the line e6port>csv A*BperfKcollectionKrules.csvC to use a path to !hich the user account has access =or e2ample3 user accounts should ha$e access to their profile path =rom a command prompt3 "ou can run the command echo DuserprofileD to find out the ph"sical path to the user profile &for e2ample3 C:R4sersR:)"on/ 6hen "ou ha$e the user profile path3 use that instead of c:R in the script3 for e2ample3 e6port>csv
Ac:BusersBAL#onBperfKcollectionKrules.csvC

%inks
#he follo!ing links connect "ou to information about common tasks that are associated !ith S"stem Center management packs:

System Center 2012 0 Operations Manager

Management Pack )ife C"cle >o! to *mport a Management Pack #uning Monitoring b" 4sing #argeting and O$errides CL

#mportant >o! to Create a 5un :s :ccount >o! to @2port a Management Pack >o! to 5emo$e a Management Pack

Operations Manager 200; 2

:dministering the Management Pack )ife C"cle >o! to *mport a Management Pack in Operations Manager 200C >o! to Monitor 4sing O$errides >o! to Create a 5un :s :ccount in Operations Manager 200C >o! to Modif" an @2isting 5un :s Profile >o! to @2port Management Pack Customi<ations >o! to 5emo$e a Management Pack

=or Juestions about Operations Manager and management packs3 see the S"stem Center Operations Manager communit" forum : useful resource is the S"stem Center Operations Manager 4nleashed blog3 !hich contains D;" @2ampleE posts for specific management packs =or additional information about Operations Manager3 see the S"stem Center 2012 1 Operations Manager Sur$i$al Guide and Operations Manager 200C Management Pack and 5eport :uthoring 5esources :ll information and content on non1Microsoft sites is pro$ided b" the o!ner or the users of the !ebsite Microsoft makes no !arranties3 e2press3 implied3 or statutor"3 as to the information at this !ebsite

CC