Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.


Network and Active Directory Performance Monitoring and Troubleshooting

NETW4008

Lecture 8

• Why Evaluate and Monitor Performance?

• Active Directory Performance-Monitoring Tools

• Different Types of Logs

• Creating Performance Logs and Alerts

• Replication errors

Content

• Periodically monitoring Active Directory (AD) performance

– To anticipate problems

– To take preventive measures

– To maintain efficient functioning of the NW

Why Evaluate and Monitor Performance? (1)

• Performance monitoring tools

– Statistics of the load placed on NW resources over time

– Diagnose/solve performance bottlenecks

– Understand effects of AD (SW) performance on the HW resources of computer

Why Evaluate and Monitor Performance? (2)

• Performance Console

– System Monitor

• View graphical real-time representation of resource performance with Perfmon

• Performance data displayed as a chart/histogram/report

– Performance Logs and Alerts tools

• Performance of resources in logs as mmc snap-ins

• Used to configure alerts

– To perform specific actions

– To notify a specific status has been reached (Threshold)

Active Directory Performance-Monitoring Tools (1) (Skill 1)

The System Monitor (Skill 1)

The System Monitor

The Performance Logs and Alerts (Skill 1)

• Event Viewer (EV)

– Mainly a passive tool that tracks system errors and events of interest

– Tracks problems relating to applications, services and OS: hardware, software, and system problems

– Events can be created by users with the appropriate authority (administrative privileges)

– Messages generated by applications and OS in logs: applications and services can generate custom errors

– Different sections (at least 6: see next slide)

• At least Application, Security, and System logs since NT

• Directory Services: Windows 2000 and WS2008 which monitor NTDS (NT Directory Services) events in member servers and XP systems or Active Directory events in DCs; DNS logs; and Replication logs

– New with WS 2008: automatically searches the Microsoft TechNet Web site for the meaning of a particular event message

Active Directory Performance - Monitoring Tools (2) (Skill 1)

Directory Service Event log with

Event Viewer

• Application log

– Information/errors/warnings by the applications on a computer

– For example, a DB program might record a file error

– Program owner decides which events to monitor

• Security log

– Valid and invalid logon attempts, and resource usage: events related to creating, opening, or deleting files or other objects

– Specified by administrator

– For example, auditing entries if auditing of logon attempts is enabled

– After auditing configuration, use log to track unauthorized access to objects

• System log

– Information/errors/warnings by Win XP OS

– Example: look at this log if a service has trouble starting or if a driver fails

Different Types of Logs (1) (Skill 1)

The System Event log (Skill 1)

• Directory Service log

– Information/errors/warnings by AD

– Only on DCs

• DNS Server log

– Information/errors/warnings by the DNS server

• File Replication Service (FRS) log

– Information/errors/warnings by FRS

– FRS used to replicate the shared system volume (Sysvol) folder

Different Types of Logs (2) (Skill 1)

• Information (see [4])

– Successful operation of a task: driver loaded

• Warning

– May indicate a future problem: low disk space

• Error

– Indicate significant problem: failure to load a service

• Failure (Security log)

– Failure of an audited security event: user cannot access NW drive

• Success (Security log)

– Success of an audited security event: user logs on computer

Type of Messages Logged (Skill 1)

• Performance console metrics

– Performance objects: system resource = memory, disk, processor, a network interface

– Performance counters = object performance measures calculated as numeric value

Type of Metrics Used (Skill 2)

• Performance Logs and Alerts snap-in

– To collect and record data specific to hardware resources and services

– To create

• Counter logs

• Trace logs

• Alerts

Creating Performance Logs and Alerts (1) (Skill 3)

• Counter logs

– Use performance objects and performance counters to record data

• About hardware resources

• About Active Directory

Creating Performance Logs and Alerts (2) (Skill 3)

The Performance Logs and Alerts: Adding Counters

• Trace logs

– Record data only if OS or application events occur

– Establish effects of HW resources on AD performance

Creating Performance Logs and Alerts (3)

• Alerts

– If resource/service performance counter is above/below a specified threshold → Alert

– Based on reference data previously collected

– Compute deviations from reference data → high deviation indicates problems

Creating Performance Logs and Alerts (4) (Skill 3)
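
The alert rule on this slide, as an added PowerShell example that is not part of the lecture: it derives a threshold band from previously collected reference data and raises an alert when a counter stays outside it. The function names, the band of 3 standard deviations, the two-in-a-row rule and all sample values are assumptions made for the illustration.

```powershell
# Added example, not from the lecture. Names and sample values are constructed.
function Get-Baseline {
    param([double[]]$Reference)
    if ($Reference.Count -lt 2) { throw 'Need at least two reference values' }
    $mean = ($Reference | Measure-Object -Average).Average
    $sumSq = 0.0
    foreach ($v in $Reference) { $sumSq += [math]::Pow($v - $mean, 2) }
    # Population standard deviation of the reference data
    [pscustomobject]@{ Mean = $mean; StdDev = [math]::Sqrt($sumSq / $Reference.Count) }
}

function Test-CounterDeviation {
    param(
        [double[]]$Reference,        # counter values logged under normal load
        [double[]]$Sample,           # counter values being evaluated
        [double]$MaxDeviations = 3,  # assumed band: mean +/- 3 standard deviations
        [int]$Consecutive = 2        # assumed: ignore a single isolated spike
    )
    $b = Get-Baseline -Reference $Reference
    $upper = $b.Mean + $MaxDeviations * $b.StdDev
    $lower = $b.Mean - $MaxDeviations * $b.StdDev
    $run = 0
    for ($i = 0; $i -lt $Sample.Count; $i++) {
        # Above or below the band both count, as on the slide
        if ($Sample[$i] -gt $upper -or $Sample[$i] -lt $lower) { $run++ } else { $run = 0 }
        if ($run -ge $Consecutive) {
            return [pscustomobject]@{ Alert = $true; Index = $i; Value = $Sample[$i]
                                      Lower = $lower; Upper = $upper }
        }
    }
    [pscustomobject]@{ Alert = $false; Index = -1; Value = $null
                       Lower = $lower; Upper = $upper }
}

# Constructed reference data: % Processor Time on a DC under normal load
$reference = 18, 22, 20, 25, 19, 21, 23, 20, 22, 20
# Constructed current samples: one isolated spike, then a sustained rise
$current = 21, 60, 22, 24, 58, 63, 61

Test-CounterDeviation -Reference $reference -Sample $current

# On a live server the samples can come from Get-Counter instead, for example:
# $current = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 5 `
#             -MaxSamples 12).CounterSamples.CookedValue
```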

Types of Logs (Skill 2)

• Slow replication is the most common problem

– Causes of replication latency

• Link speed

• Available bandwidth

• Replication topology

• Replication timers

• Disabled Web sites

• Overloaded DCs

• …

Replication Errors (1) (Skill 6)

• Event ID 1311 shown in the Directory Service Log (see [3])

– In an AD domain, a schema, a configuration, an application partition, or the global catalog naming contexts cannot be replicated between DCs or sites

• Event ID 1265 and the error “RPC Server is Unavailable” shown in the Directory Service Log (see [4])

– Often the result of DNS problems

• “Access is denied” message when attempting to force replication (see [4])

– Local DC failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link: DC has been disconnected from the rest of the network for a long time and its computer account password is not synchronized with its computer account password stored in the directory of its replication partner (see [4])

Replication Errors – Common Examples (2) (Skill 6)
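
One way to check the Directory Service log for the two event IDs on this slide, as an added PowerShell example that is not part of the lecture. It summarizes constructed sample records per DC so it runs anywhere; the function name, host names, timestamps and message text are assumptions.

```powershell
# Added example, not from the lecture. Function name and sample records are constructed.
$ReplicationEventIds = 1311, 1265   # the two event IDs named on the slide

function Get-ReplicationErrorSummary {
    param([Parameter(ValueFromPipeline = $true)]$Record)
    begin { $matched = @() }
    process {
        # Keep only the replication-related IDs, drop everything else
        if ($ReplicationEventIds -contains [int]$Record.Id) { $matched += $Record }
    }
    end {
        $matched | Group-Object MachineName, Id | ForEach-Object {
            $recs = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                DC             = $recs[0].MachineName
                EventId        = [int]$recs[0].Id
                Count          = $recs.Count
                FirstSeen      = $recs[0].TimeCreated
                LastSeen       = $recs[-1].TimeCreated
                # Slide: 1265 with this text is often the result of DNS problems
                RpcUnavailable = @($recs | Where-Object {
                        $_.Message -match 'RPC server is unavailable' }).Count
            }
        }
    }
}

# Constructed records using the property names that Get-WinEvent returns
$sample = @(
    [pscustomobject]@{ Id = 1265; MachineName = 'dc1.example.test'
        TimeCreated = [datetime]'2024-01-10T08:00:00'
        Message = '(constructed) The RPC server is unavailable.' }
    [pscustomobject]@{ Id = 1265; MachineName = 'dc1.example.test'
        TimeCreated = [datetime]'2024-01-10T08:15:00'
        Message = '(constructed) The RPC server is unavailable.' }
    [pscustomobject]@{ Id = 1311; MachineName = 'dc2.example.test'
        TimeCreated = [datetime]'2024-01-10T09:00:00'
        Message = '(constructed) naming context could not be replicated' }
    [pscustomobject]@{ Id = 1000; MachineName = 'dc2.example.test'
        TimeCreated = [datetime]'2024-01-10T09:05:00'
        Message = '(constructed) unrelated event, filtered out' }
)
$sample | Get-ReplicationErrorSummary | Format-Table -AutoSize

# On a DC, feed it from the log the slide refers to:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1311, 1265 } |
#     Get-ReplicationErrorSummary
```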