This topic contains guidelines for monitoring Active Directory Domain Services (AD DS) and domain controllers that run
Windows Server 2008. These domain controllers may be writable domain controllers in hub sites or read-only domain
controllers (RODCs) in branch offices. Many of the guidelines presented here are updated from the monitoring guidelines in
the Windows Server 2003 Active Directory Branch Office Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=28523).
Monitoring domain controllers gives you the best opportunity to detect problems before they jeopardize your
environment and the ability of your users to access network resources. Schedule daily automated health checks for your
domain controllers, and monitor the following aspects of the Active Directory environment on all domain controllers in the
deployment:
General domain controller health (specifically, CPU utilization and disk space use)
1 of 13 3/20/2017 12:05 PM
Monitoring Your Branch Office Environment https://technet.microsoft.com/en-us/library/dd736504(v=ws.10).aspx?f=...
Windows Server 2008 and Windows Vista both include Windows Reliability and Performance Monitor (Perfmon.msc).
You can use this tool to monitor these performance counters. However, we recommend that you use a more
comprehensive monitoring solution, such as Microsoft System Center Operations Manager 2007. For more information
about using System Center Operations Manager 2007 to monitor AD DS, see the Active Directory Management Pack
Guide (http://go.microsoft.com/fwlink/?LinkID=139785).
To monitor a domain controller’s CPU utilization, use Windows Reliability and Performance Monitor to monitor the
Processor\% Processor Time counter.
Consequently, you must monitor the available disk space for these partitions.
By default, these files and the folder are stored in either C:\WINDOWS\NTDS or C:\WINDOWS\SYSVOL. To monitor
the free disk space on the partition that contains these files and the folder, use Windows Reliability and Performance
Monitor to monitor the LogicalDisk\Free Megabytes counter.
Use Windows Reliability and Performance Monitor to observe the queue length. Specifically, use the PhysicalDisk
object and the Avg. Disk Queue Length counter. We recommend that the outstanding requests on a domain
controller not average more than 10. If the queue length consistently exceeds 10 outstanding requests, you might
want to consider using a higher-performance disk configuration or reducing the workload on the domain controller.
counter in the Memory object in Windows Reliability and Performance Monitor to monitor the amount of memory
available. We recommend that domain controllers always have at least 50 megabytes (MB) of available memory.
Note
The process that runs AD DS is LSASS.exe. This process is designed to maximize the utilization of available memory
but release memory to other processes as they request it. The result is that if you examine memory utilization
through Task Manager, it appears that LSASS.exe is monopolizing the memory. On a domain controller, this is
expected behavior that helps AD DS run more efficiently.
Domain Name System (DNS) and network configuration: dcdiag /test:<testName>
Performs the following tests:
Connectivity
DNS
RegisterInDNS
These Dcdiag tests replace the tests that you could perform by using Netdiag.exe in previous versions of
Windows Server. Netdiag.exe is not included in Windows Server 2008 or Remote Server Administration Tools (RSAT).
Domain controller performance: Windows Reliability and Performance Monitor
Windows Reliability and Performance Monitor is included in Windows Server 2008 and Windows Vista. Each performance
counter is individually specified.
Repadmin.exe and Dcdiag.exe are tools that you can use to monitor replication activity between domain controllers.
These tools make it easier to detect problems within the replication topology by showing the current status of the
various replication connections between domain controllers. These tools are available on servers that run
Windows Server 2008 and that have the AD DS server role installed. The tools are also available in RSAT. For more
information about RSAT, see RODC Administration (http://go.microsoft.com/fwlink/?LinkID=133521) and Installing
Remote Server Administration Tools (http://go.microsoft.com/fwlink/?LinkId=153624).
Repadmin
You can use Repadmin.exe to view the replication topology from the perspective of an individual domain controller
and to diagnose replication problems. In addition, you can use the repadmin command to force replication events
between domain controllers and to view both the replication metadata and the up-to-dateness vectors. On each
domain controller, you can use the /showrepl, /showconn, /replsummary, and /showutdvec switches with the
repadmin command to monitor replication information. To organize the repadmin /showrepl output in a more
readable, comma-separated value (CSV) format, you can also use the /csv option. For more information about using
the /csv option, see Repadmin Requirements, Syntax, and Parameter Descriptions (http://go.microsoft.com/fwlink/?LinkId=147380).
/showrepl
Specifying the /showrepl switch displays both inbound and outbound replication partners for each directory
partition that a domain controller hosts. (In the tool, each directory partition is referred to as a “naming context.”)
You can examine the replication partners to determine whether the domain controller has the correct connection
objects.
For each replication partner, /showrepl also displays the last time that replication was attempted and whether the
attempt was successful. For more information about using /showrepl, see Display Replication Partners and Status
of a Domain Controller (http://go.microsoft.com/fwlink/?LinkId=124353).
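An added example, not part of the original Microsoft topic: a PowerShell function that reads the CSV form of repadmin /showrepl and reports replication links that have failures or whose last success is older than one daily replication cycle. The function name, the 24-hour default and the sample rows (constructed, with made-up DC and site names) are assumptions; the column names are the ones repadmin writes in its CSV header line.

```powershell
# Constructed sample of "repadmin /showrepl * /csv" output.
# DC, site and domain names are made up for illustration.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Branch01,RODC-BR01,"DC=corp,DC=example",Hub,HUB-BH01,RPC,0,0,2017-03-20 02:14:09,0
showrepl_INFO,Branch01,RODC-BR01,"CN=Configuration,DC=corp,DC=example",Hub,HUB-BH01,RPC,0,0,2017-03-20 02:14:11,0
showrepl_INFO,Branch02,RODC-BR02,"DC=corp,DC=example",Hub,HUB-BH02,RPC,7,2017-03-20 02:20:31,2017-03-17 02:16:40,1722
'@

function Get-ReplicationLinkIssue {
    param(
        [string[]]$CsvLines,            # raw lines of the CSV output
        [datetime]$Now = (Get-Date),    # injectable so the check is repeatable
        [int]$MaxAgeHours = 24          # assumption: one replication cycle per day
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::None

    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $reasons = @()

        # A non-zero failure count means the most recent attempts did not succeed.
        $failures = [int]$row.'Number of Failures'
        if ($failures -gt 0) {
            $reasons += "$failures failure(s), last status $($row.'Last Failure Status')"
        }

        # A success time that does not parse is treated as "never replicated".
        $lastSuccess = [datetime]::MinValue
        if (-not [datetime]::TryParse($row.'Last Success Time', $culture, $style, [ref]$lastSuccess)) {
            $reasons += 'no successful replication recorded'
        } elseif (($Now - $lastSuccess).TotalHours -gt $MaxAgeHours) {
            $reasons += ('last success {0:N0} hours ago' -f ($Now - $lastSuccess).TotalHours)
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Reasons       = $reasons -join '; '
            }
        }
    }
}

# Run against the constructed sample with a fixed "now" so the result is stable.
# On a live system, pass the command output instead:
#   Get-ReplicationLinkIssue -CsvLines (repadmin /showrepl * /csv)
$lines = $sampleCsv -split "`r?`n"
Get-ReplicationLinkIssue -CsvLines $lines -Now ([datetime]'2017-03-20 08:00:00') |
    Select-Object Destination, Source, NamingContext, Reasons |
    Format-List
```

With the sample rows, only the Branch02 link is reported, for both its failure count and its stale last success.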
/showconn
Specifying the /showconn switch displays the connection objects on the domain controller. You can examine the
connection objects to determine whether the domain controller is configured to replicate with the correct
bridgehead servers in the hub site. In addition, you can use this switch to verify that the connection is enabled, to
identify the transport being used, and to check when the connection object was created and when it was last
changed. For more information about using /showconn, see Can I Look at My Connection Objects and Schedule
Details? (http://go.microsoft.com/fwlink/?LinkId=124354).
/replsummary
Specifying the /replsummary switch can be a very useful way to check the replication health of your deployment
and determine where potential issues might be. To create this summary, repadmin contacts each domain
controller in the forest and collects replication status information.
The information that is collected is summarized, and two views are generated: one from the source perspective and
one from the destination perspective. The information is presented in three columns: Source DC, Largest Delta,
and Fails/total.
From the source domain controller perspective, the columns can be interpreted as follows:
Source DC: The domain controller that other domain controllers are attempting to replicate from.
Largest Delta: The amount of time that has elapsed since all replication partners successfully replicated
from this domain controller.
Fails/total: A number that shows how many of the total number of replica links are failing. A high ratio of
fails to total may indicate that the source domain controller is causing a problem.
From the destination domain controller perspective, the columns can be interpreted as follows:
Destination DC: The domain controller on which the replica links that specify inbound replication are
located.
Largest Delta: The amount of time that has elapsed since this domain controller last successfully replicated
with each replication partner.
Fails/total: A number that shows how many of the replication links on the destination domain controller are
failing. A high ratio indicates that the failure is likely attributable to the destination domain controller.
In general, the source domain controller perspective is often more useful because a 100-percent failure rate
indicates that the source domain controller cannot be reached by any of its replication partners and that it is offline
or experiencing network issues. For more information about using /replsummary, see Monitor Forest-Wide
Replication (http://go.microsoft.com/fwlink/?LinkId=124355).
/showutdvec
Examining the up-to-dateness (UTD) vector from time to time on one bridgehead server is another good way to
ensure that replication is healthy. The UTD vector shows the last time that a domain controller has received
updates from each replication partner for a particular naming context. The UTD vector is transitive in that one
domain controller does not have to communicate directly with another domain controller to receive an update
from it.
Note
/showutdvec shows the health of only inbound replication, which is sufficient for an RODC.
The output of this switch is a list of dates and times indicating the last time that inbound replication of the
Configuration container occurred from each domain controller. If an excessive amount of time has passed since
replication last took place, it could indicate a problem and is reason for concern.
The entries are listed by domain controller. Occasionally, a globally unique identifier (GUID) appears instead of the
name of a domain controller. It is safe to ignore the GUID entries because they indicate invocation IDs for domain
controllers that have been demoted or rebuilt. These entries do not affect the health of the topology.
Note
The invocation ID is the server database GUID that domain controllers use to ensure replication consistency
after a restore operation. For more information, see article 885875 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=137184).
Dcdiag
You can use Dcdiag.exe to analyze the state of a domain controller and its interaction with other domain controllers.
Dcdiag.exe performs the following tests and reports both status and problems:
Connectivity
Replication
Topology Integrity
Intersite Health
Check Roles
Trust Verification
To monitor Active Directory replication, use the following switches with the dcdiag command.
Switch Description
Monitoring should be integrated into your deployment plan. Building your monitoring solution into your deployment
plan provides two key benefits:
If you are able to discover problems during the deployment process, you can address them as they are revealed.
If necessary, you can pause the deployment operations so that you can solve problems that might not have been
discovered during your deployment testing. Monitoring during your deployment helps to ensure that your new
environment is operating as expected.
Having your monitoring plan in place during the deployment operations means that you already know where
your monitoring components must be located. Therefore, you might be able to use your deployment process to
also distribute your monitoring components. In this way, newly deployed computers will already have their
monitoring components in place when they are brought online at their new locations. Implementing your
monitoring solution during deployment eliminates the need for a second deployment operation to implement
monitoring after the initial deployment is complete.
After the deployment is complete, continue to perform daily monitoring operations and keep track of the daily
health of your directory environment. The items that you should monitor are described in other sections of this
topic. Over time, you will determine which items you need to track in your particular environment. It is not likely
that everyone will need to track every option all the time. Rather, you will learn over time which items are useful
to you for your particular circumstances. When your environment is stable, continue your monitoring activities on
a daily basis. Monitoring is something that you should continue to perform throughout the lifetime of your
directory.
Scheduling
If your branch office domain controllers replicate with the bridgehead servers in the hub site only once a day,
schedule the daily quality assurance check to occur after the replication cycle completes. You can then verify that the
day’s replication was successful, detect problems that might have occurred, and correct those problems before the
next replication cycle begins. If the quality assurance check is performed before the daily replication cycle, you might
not detect problems for up to 24 hours, which might allow the problem to have a greater effect on your environment.
To monitor the general performance of domain controllers, use Windows Reliability and Performance Monitor to observe
performance counters for CPU utilization and disk space availability. Monitor these performance counters regularly on all
bridgehead servers. If you experience problems with a branch office domain controller, monitor these counters on that
domain controller.
Using Windows Reliability and Performance Monitor involves collecting monitoring data over a period of time and then
viewing the results. For example, to monitor whether a server is regularly receiving and applying directory replication
updates, you can select one or more counters from the NTDS performance object and then view the current activity in
Windows Reliability and Performance Monitor.
When they are monitored over time, the NTDS and Database performance counters should all show some activity.
However, the amount of activity depends on your environment. Factors that affect activity include the number of branch
office domain controllers and clients in your environment, how often replication is scheduled, the number of directory
changes that occur, and so on.
Installing performance objects and running the Active Directory Diagnostics Data Collector Set
The NTDS and Database object counters are not installed by default. This section explains how to install the NTDS and
Database object counters and how to run the Active Directory Diagnostics Data Collector Set to capture NTDS and
Database object data over time.
1. Click Start, click Administrative Tools, and then click Reliability and Performance Monitor.
2. Double-click Monitoring Tools, right-click Performance Monitor, and then click Properties.
4. Double-click the name of the Performance object whose counters you want to install, click the name of each
counter, and then click Add. For example, double-click NTDS, and then click each counter that is listed in the
following section. After you select the appropriate counters, click Add.
5. Click OK to close the Add Counters dialog box, and then click OK to close Performance Monitor Properties.
1. Click Start, click Administrative Tools, and then click Reliability and Performance Monitor.
2. Double-click Data Collector Sets, double-click System, right-click Active Directory Diagnostics, and then
click Start.
3. To stop the data collection, right-click Active Directory Diagnostics, and then click Stop.
NTDS\DRA Inbound Bytes Total/sec: Indicates the total number of bytes received per second through inbound
replication. This number is the sum of the bytes of uncompressed and compressed data received during inbound
replication. This counter should show activity over time. If it does not, the network is probably slowing replication.
NTDS\DRA Inbound Object Updates Remaining in Packet: Indicates the number of object updates received in the most
recent directory replication update packet that have not yet been applied to the local server. This counter indicates
that the monitored server is receiving changes, but it is taking a long time to apply them to the database. This
counter should be as low as possible. If it is not, it usually indicates that server hardware is slowing replication.
NTDS\DRA Outbound Bytes Total/sec: Indicates the total number of bytes sent per second during outbound replication.
This number is the sum of bytes of uncompressed and compressed data. This counter should show activity over time,
except on an RODC, where outbound replication does not occur. If this does not show activity, either server hardware
or network problems are slowing replication.
NTDS\DRA Pending Replication Synchronizations: Indicates the number of directory synchronizations that are queued
for this server. This counter helps identify replication backlogs: the higher the number, the larger the backlog.
This counter should be as low as possible. If it is not, the server hardware is probably slowing replication.
NTDS\ATQ Threads LDAP: Indicates the number of threads that are being used by the directory service. If values for
this counter and the NTDS\ATQ Threads Total counter are equal, a queue is likely building on the LDAP port, which
will result in long response times. If the two counters are always equal, use Server Performance Advisor to
troubleshoot the problem.
NTDS\ATQ Threads Total: Indicates the number of threads that are being used by the directory service. If values for
this counter and NTDS\ATQ Threads LDAP counter are equal, a queue is likely building on the LDAP port, which will
result in long response times. If the two counters are always equal, use Server Performance Advisor to troubleshoot
the problem.
NTDS\Kerberos Authentications/sec: Indicates the number of Kerberos authentications that the domain controller
services per second. This counter should show activity over time. If it does not and the clients use the
Windows Server 2008 operating system, network problems are indicated.
NTDS\LDAP Bind Time: Indicates the time in milliseconds (msec) that was required to complete the last successful
LDAP binding. This counter should be as low as possible. If it is not, hardware or network-related problems are
indicated.
NTDS\LDAP Client Sessions: Indicates the number of sessions of connected LDAP clients. This counter should show
activity over time. If it does not, it usually indicates that network-related problems are occurring.
NTDS\LDAP Searches/sec: Indicates the number of search operations performed by LDAP clients per second. This
counter should show activity over time. If it does not, network problems are probably hindering the processing of
client requests.
NTDS\NTLM Authentications: Indicates the number of NTLM authentications serviced by the domain controller per
second. This counter should show activity over time. If it does not and the clients use the Windows® 98 or
Windows NT® operating systems, network-related problems are indicated.
NTDS\DS Directory Searches/sec: Indicates how many searches are occurring. This counter should show activity over
time. If it does not, network problems are probably hindering the processing of client requests.
NTDS\DS Search Sub-operations/sec: Indicates how “large” the directory service search operations are. This counter
should show activity over time. If it does not, network problems are probably hindering the processing of client
requests. If the ratio of this counter to DS Directory Searches/sec is very high, the server might be getting bogged
down by a large number of expensive queries. You can run the Active Directory Diagnostics Data Collector Set to
analyze the load on the server to see if the load is expected.
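An added example, not part of the original Microsoft topic: a PowerShell function that applies this page's guidelines to a window of counter samples rather than to a single reading, because the guidance is phrased over time (queue length "averages", memory "always", ATQ counters "always equal"). The function name, the sample values (constructed) and the sub-operations-per-search limit of 1000 are assumptions, as is the Memory\Available MBytes counter name, since the sentence naming the memory counter is cut off on this page.

```powershell
# Constructed samples, one hashtable per collection interval (all values are made up).
# On a live domain controller the values would come from Get-Counter or a
# Data Collector Set; that collection step is outside this example.
$samples = @(
    @{ 'PhysicalDisk\Avg. Disk Queue Length' = 12; 'Memory\Available MBytes' = 410
       'NTDS\ATQ Threads LDAP' = 24; 'NTDS\ATQ Threads Total' = 24
       'NTDS\DS Directory Searches/sec' = 40; 'NTDS\DS Search Sub-operations/sec' = 90000 },
    @{ 'PhysicalDisk\Avg. Disk Queue Length' = 14; 'Memory\Available MBytes' = 38
       'NTDS\ATQ Threads LDAP' = 24; 'NTDS\ATQ Threads Total' = 24
       'NTDS\DS Directory Searches/sec' = 55; 'NTDS\DS Search Sub-operations/sec' = 150000 },
    @{ 'PhysicalDisk\Avg. Disk Queue Length' = 11; 'Memory\Available MBytes' = 220
       'NTDS\ATQ Threads LDAP' = 24; 'NTDS\ATQ Threads Total' = 24
       'NTDS\DS Directory Searches/sec' = 35; 'NTDS\DS Search Sub-operations/sec' = 60000 }
)

function Test-DcCounterWindow {
    param(
        [hashtable[]]$Samples,
        [double]$MaxSubOpsPerSearch = 1000   # assumption: the page only says "very high"
    )
    if (-not $Samples -or $Samples.Count -eq 0) { return }

    # Helper: statistics for one counter across the whole window.
    function Measure-Key([string]$Key) {
        $Samples | ForEach-Object { $_[$Key] } | Measure-Object -Average -Minimum -Sum
    }

    $findings = @()

    # Outstanding disk requests should not average more than 10.
    $queue = (Measure-Key 'PhysicalDisk\Avg. Disk Queue Length').Average
    if ($queue -gt 10) {
        $findings += ('Avg. Disk Queue Length averages {0:N1} (guideline: not more than 10)' -f $queue)
    }

    # Available memory should always be at least 50 MB, so test the minimum.
    $minMem = (Measure-Key 'Memory\Available MBytes').Minimum
    if ($minMem -lt 50) {
        $findings += "Available memory dropped to $minMem MB (guideline: at least 50 MB)"
    }

    # ATQ Threads LDAP equal to ATQ Threads Total in every sample suggests an LDAP queue.
    $unequal = @($Samples | Where-Object { $_['NTDS\ATQ Threads LDAP'] -ne $_['NTDS\ATQ Threads Total'] })
    if ($unequal.Count -eq 0) {
        $findings += 'ATQ Threads LDAP equals ATQ Threads Total in every sample (LDAP queue likely)'
    }

    # Ratio of search sub-operations to searches over the window: expensive queries.
    $searches = (Measure-Key 'NTDS\DS Directory Searches/sec').Sum
    $subOps   = (Measure-Key 'NTDS\DS Search Sub-operations/sec').Sum
    if ($searches -gt 0 -and ($subOps / $searches) -gt $MaxSubOpsPerSearch) {
        $findings += ('{0:N0} sub-operations per search (limit {1:N0})' -f ($subOps / $searches), $MaxSubOpsPerSearch)
    }

    $findings
}

Test-DcCounterWindow -Samples $samples
```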
Database\Database Cache % Hit: Indicates the percentage of page requests for the database file that were fulfilled
by the database cache without causing a file operation. This counter should show activity over time. If it does not,
the server does not have enough free memory. In this case, add more memory.
Database\Database Page Fault Stalls/sec: Indicates the number of page faults that occur per second that cannot be
serviced because no pages are available in the database cache for allocation. This counter should be 0. If it is not,
the server probably needs more memory.
Database\Database Page Evictions/sec: Indicates memory pressure on the database cache. If this counter is too high,
the Active Directory host computer needs more memory.
Database\Database Cache Size: Indicates the current amount of memory that AD DS uses to cache its database. If the
amount of memory that AD DS uses is low and the Database Page Eviction rate is high, the host computer might need
more memory.
Database\Log Threads Waiting: Indicates the number of threads that are waiting for data to be written to the log so
This counter should be as low as possible. If it is not, the server probably needs more
You can use the DFS Management snap-in to administer DFS Replication. DFS Management is not installed by default. You
can use the following procedure to install it.
To install DFS Management
3. Double-click Remote Server Administration Tools, double-click Role Administration Tools, double-click File
Services Tools, select the Distributed File System Tools check box, and then click Next.
You can use the DFS Management snap-in to create a health report about DFS Replication of SYSVOL.
2. Double-click Replication, right-click Domain System Volume (SYSVOL), click Create Diagnostic Report, and
then follow the instructions in the Diagnostic Report Wizard.
Management packs are preconfigured, technology-specific monitoring solutions that are loaded into the System Center
Operations Manager 2007 environment so that you can monitor specific aspects of your deployment. For example, in a
branch office environment, you can use the Active Directory Management Pack to monitor the domain controllers in your
organization’s data center. For more information about using System Center Operations Manager 2007 to monitor AD DS,
see the Active Directory Management Pack Guide (http://go.microsoft.com/fwlink/?LinkID=139785).