
Module 8: Implementing Active Directory® Domain Services Monitoring Tools
Module Overview
• Monitoring AD DS Using Event Viewer

• Monitoring Active Directory Domain Servers Using Reliability and Performance Monitor

• Configuring AD DS Auditing
Lesson 1: Monitoring AD DS Using Event Viewer
• Event Viewer Features

• Demonstration: Overview of the Event Viewer

• AD DS Logs

• What Are Custom Views?

• What Are Subscriptions?

• Demonstration: Configuring Custom Views and Subscriptions
Event Viewer Features
Demonstration: Overview of the Event Viewer
In this demonstration, you will see how to navigate the
Event Viewer
AD DS Logs

The following logs can provide specific information about AD DS issues:

• Application log
• Directory Service Log
• DNS Server log
• System Log
• Group Policy\Operational
• DFS Replication log
What Are Custom Views?

Custom views:

• Allow you to aggregate and filter information from multiple logs into a single view
• Are reusable
• Can be exported to other computers

[Figure: Event Viewer custom view combining Event 1 (Security log), Event 2 (System log) and Event 3 (DFS log)]
What Are Subscriptions?

Subscriptions collect events from multiple computers, and store them locally
Demonstration: Configuring Custom Views
and Subscriptions
In this demonstration, you will see how to:
• Create a custom view, and then add the AD DS-specific
logs to the view
• Create a subscription to collect logs from multiple
domain controllers

AD monitoring tools: System Center Operations Manager (SCOM) with the Active Directory Management Pack
Lesson 2: Monitoring Active Directory Domain
Servers Using Reliability and Performance Monitor
• Reliability and Performance Monitor Features

• Demonstration: Overview of the Reliability and Performance Monitor

• Monitoring AD DS Using Performance Monitor

• What Is an Active Directory Baseline?

• Monitoring Service Availability with Reliability Monitor

• Monitoring AD DS Using Data Collector Sets

• Demonstration: Monitoring AD DS
Reliability and Performance Monitor Features

Reliability and Performance Monitor allows you to:

• Perform real-time monitoring
• Collect data
• Track performance of applications and services
• Generate alerts (threshold alerts)
• Take action when thresholds are reached
• Generate reports
Demonstration: Overview of the Reliability and
Performance Monitor
In this demonstration, you will see an overview of the
Reliability and Performance monitor
NTDS: NT directory service
Monitoring AD DS Using Performance Monitor

Useful NTDS Counters for Monitoring Active Directory:

• NTDS\DRA Inbound Bytes Total/sec (DRA: Directory Replication Agent)
• NTDS\DRA Inbound Object
• NTDS\DRA Outbound Bytes Total/sec
• NTDS\DRA Pending Replication Synchronizations
• NTDS\Kerberos Authentications/sec
• NTDS\NTLM Authentications


What Is an Active Directory Baseline?

• A baseline defines what a server looks like under normal workload conditions

• Servers performing different functions will have different baseline measurements

• Baseline measurements should include basic server counters and function-specific counters

• Problem areas can be identified by comparing baseline measurements to current statistics
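
The baseline comparison described above, as an added PowerShell example (not part of the original course material). The function names, the 3-sigma threshold and the sample values are assumptions made for illustration; the counter paths are the NTDS replication counters listed on the previous slide.

```powershell
# NTDS counter paths from the slide above (only the three replication counters are used here).
$NtdsCounters = @(
    '\NTDS\DRA Inbound Bytes Total/sec'
    '\NTDS\DRA Outbound Bytes Total/sec'
    '\NTDS\DRA Pending Replication Synchronizations'
)

function Get-NtdsSample {
    # Live collection on a domain controller: one row per counter per interval.
    param([int]$Count = 12, [int]$IntervalSec = 5)
    Get-Counter -Counter $NtdsCounters -SampleInterval $IntervalSec -MaxSamples $Count |
        ForEach-Object { $_.CounterSamples } | Select-Object Path, CookedValue
}

function New-NtdsBaseline {
    # Reduce samples to mean and standard deviation per counter path.
    param([object[]]$Samples)
    $Samples | Group-Object Path | ForEach-Object {
        $values = @($_.Group.CookedValue)
        $mean = ($values | Measure-Object -Average).Average
        $sumSq = ($values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum
        [pscustomobject]@{ Path = $_.Name; Mean = $mean; StdDev = [math]::Sqrt($sumSq / $values.Count) }
    }
}

function Compare-NtdsToBaseline {
    # Flag a counter when its current mean is more than $Sigma baseline deviations from the baseline mean.
    param([object[]]$Baseline, [object[]]$Current, [double]$Sigma = 3)
    $now = New-NtdsBaseline -Samples $Current
    foreach ($b in $Baseline) {
        $c = $now | Where-Object Path -eq $b.Path
        if ($null -eq $c) { continue }
        $limit = [math]::Max($Sigma * $b.StdDev, 1.0)   # floor of 1 keeps a flat baseline from alerting on noise
        [pscustomobject]@{ Path = $b.Path; BaselineMean = $b.Mean; CurrentMean = $c.Mean
                           Deviates = [math]::Abs($c.Mean - $b.Mean) -gt $limit }
    }
}

# Constructed sample values (not measured): a quiet baseline, then a replication backlog.
$path = '\\nyc-dc1\ntds\dra pending replication synchronizations'
$normal = 0, 1, 0, 2, 1, 0 | ForEach-Object { [pscustomobject]@{ Path = $path; CookedValue = $_ } }
$today = 40, 55, 61 | ForEach-Object { [pscustomobject]@{ Path = $path; CookedValue = $_ } }
Compare-NtdsToBaseline -Baseline (New-NtdsBaseline -Samples $normal) -Current $today

# On a domain controller, replace $normal and $today with Get-NtdsSample output.
```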
Monitoring Service Availability with
Reliability and Performance Monitor
Monitoring AD DS Using Data Collector Sets

• Organizes multiple data collection points into a single component

• Can be grouped with other data collection sets

• Can be incorporated into logs

• Can be created individually, or from templates

Data Collector Sets can contain the following types of data collectors:

• Performance counters
• Event trace data / event log
• System configuration information (registry key values)
Demonstration: Monitoring AD DS
In this demonstration, you will see how to set up AD DS
monitoring
Lesson 3: Configuring AD DS Auditing
• What Is AD DS Auditing?

• Demonstration: Configuring an Audit Policy

• Types of Events to Audit

• Demonstration: Configuring AD DS Auditing


What Is AD DS Auditing?
• AD DS auditing can show both the old values and new values of changed attributes in audit entries
• AD DS audit policy is divided into four subcategories:
   • Directory service access
   • Directory service changes
   • Directory service replication
   • Detailed Directory service replication
• Only directory service access is enabled for success by default
• Use the Auditpol.exe command-line tool to view or set audit policy subcategories
Demonstration: Configuring an Audit Policy
In this demonstration, you will see how to configure an
audit policy
Types of Events to Audit

Event ID   Category                    Event
4662       Directory service access    An operation was performed on an AD DS object
4722       User account management     A user account was enabled
4726       User account management     A user account was deleted
4738       User account management     A user account was changed
5136       Directory service changes   An AD DS object was modified
5137       Directory service changes   A new AD DS object was created
5138       Directory service changes   An AD DS object was undeleted
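
How the old and new attribute values appear in event 5136, as an added PowerShell example (not part of the original course material). The function names and the sample records are constructed for illustration; the auditpol switches and the 5136 field names are those of the Windows Security log.

```powershell
# Prerequisites on a domain controller (elevated prompt); audited objects also need an auditing entry (SACL):
#   auditpol /get /category:"DS Access"
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable

function ConvertTo-DsChangeRecord {
    # Flatten the named EventData fields of a 5136 event into one object.
    param([Parameter(ValueFromPipeline)] $LogEvent)
    process {
        $data = @{}
        foreach ($node in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time = $LogEvent.TimeCreated; Who = $data['SubjectUserName']
            ObjectDN = $data['ObjectDN']; Attribute = $data['AttributeLDAPDisplayName']
            Value = $data['AttributeValue']; Operation = $data['OperationType']
            CorrelationId = $data['OpCorrelationID']
        }
    }
}

function Join-DsChange {
    # One change is logged as two 5136 events sharing OpCorrelationID:
    # OperationType %%14675 (Value Deleted, the old value) and %%14674 (Value Added, the new value).
    param([object[]] $Records)
    $Records | Group-Object CorrelationId, ObjectDN, Attribute | ForEach-Object {
        $first = $_.Group[0]
        $old = @($_.Group | Where-Object Operation -eq '%%14675').Value
        $new = @($_.Group | Where-Object Operation -eq '%%14674').Value
        [pscustomobject]@{
            Time = $first.Time; Who = $first.Who; ObjectDN = $first.ObjectDN
            Attribute = $first.Attribute
            OldValue = $old -join '; '; NewValue = $new -join '; '
        }
    }
}

# Constructed sample records (not from a real log): one edit of a description attribute.
$id = '{00000000-0000-0000-0000-000000000001}'
$dn = 'CN=Test User,OU=Lab,DC=example,DC=com'
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-01T10:00:00'; Who = 'Administrator'; ObjectDN = $dn
                       Attribute = 'description'; Value = 'Contractor'; Operation = '%%14675'; CorrelationId = $id }
    [pscustomobject]@{ Time = [datetime]'2024-01-01T10:00:00'; Who = 'Administrator'; ObjectDN = $dn
                       Attribute = 'description'; Value = 'Employee'; Operation = '%%14674'; CorrelationId = $id }
)
Join-DsChange -Records $sample | Format-List
# Live: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 | ConvertTo-DsChangeRecord
```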


Demonstration: Configuring AD DS Auditing
In this demonstration, you will see how to configure the site
link object to manage replication between sites
Lab: Monitoring AD DS
• Exercise 1: Monitoring AD DS Using Event Viewer

• Exercise 2: Monitoring AD DS Using Performance and Reliability Monitor

• Exercise 3: Configuring AD DS Auditing

Logon information

Virtual machine   NYC-DC1, NYC-DC2
User name         Administrator
Password          Pa$$w0rd

Estimated time: 60 minutes


Lab Review
• You want to enable the Directory Service Changes
subcategory without enabling a global audit policy. How
could you do this?
• What services must be running on a source computer in
order to provide information to a subscription?
• You have enabled a global audit policy to collect directory
service access events, but no events are showing up in the
security log. What might the problem be?
Module Review and Takeaways
• Review questions

• Considerations
