hp OpenView Microsoft® Active Directory white paper
how to manage Microsoft Active Directory with hp OpenView

what is Active Directory?
Microsoft® Active Directory is a central and inseparable component of the Windows® 2000 operating system when it is used as a network operating system. Active Directory functions as a distributed, replicated, multimaster and fault-tolerant directory service. In a Windows 2000 infrastructure, Active Directory is the repository for user identity data, computer and application configuration information, system configuration and security policies; Windows 2000 even stores the configuration of the directory service itself in Active Directory. Active Directory also acts as a distributed authentication mechanism for the Windows infrastructure, providing single sign-on for all systems, users and applications with access to the directory. Coupling distributed authentication with policy dissemination lets Active Directory raise enterprise-wide security through tightly managed systems that maintain corporate-wide compliance with established security policies and best practices. Active Directory can contain a vast amount of information about a plethora of objects (applications, computers, users, groups, distribution lists, network devices, etc.), so it can act as a central point for managing those objects. Organizational management structures are often hierarchical, with individuals at the highest levels delegating responsibilities and tasks to those at lower levels. Active Directory works the same way: a hierarchy can be defined within the directory, and the objects in the directory can be organized within that hierarchy as appropriate.
Active Directory is built on open standards, so it can also act as an integration point for other enterprise applications and systems that require directory or authentication services, or that need other data related to the Windows infrastructure and its users. Many enterprise applications are now written specifically to take advantage of Active Directory, including e-mail systems, public key infrastructures, remote access providers, human resource systems, customer relationship management applications and more. These applications are the mainstay of day-to-day operations in many enterprise environments. In short, many businesses are becoming heavily dependent on enterprise directory services, whether a single directory service such as Active Directory or a variety of integrated directory services. These directories sustain many of the internal operations of the business, and their availability and reliability are becoming as important as the underlying network. Active Directory is a relatively new player in the directory services market; however, given the installed base of Windows servers around the world, it is and will continue to be a formidable force.

why does Active Directory need to be managed?
Active Directory, and directory services in general, can be an extremely far-reaching component of an enterprise infrastructure. As the reach of Active Directory expands, day-to-day business dependencies on Windows and Active Directory increase. Disruptions to the directory service, including outages, non-optimal configurations, latencies and inconsistent data, begin to have a widespread impact on business operations. The impact may take the form of lost productivity, disabled manufacturing systems, lost sales and more, all of which carry a cost, whether an opportunity cost or a direct financial one.
The adoption of Active Directory as the NOS and enterprise directory service further raises the importance of proper management and monitoring for Windows-based systems, a task that was once pushed down the list of enterprise priorities. In fact, the features of Active Directory that allow very distributed and complex deployments make it so fault tolerant that, by the time a true outage becomes visible, the system may already be in a catastrophic state. Traditionally, management and monitoring in a Windows environment was treated as a low-priority task because most Windows systems supported workgroup applications while mission-critical applications ran on mainframe and UNIX® hosts. Beyond the limited role Windows servers played in the enterprise infrastructures of the past, managing and monitoring Windows servers was not an easy task, especially in medium and large environments; the tools and interfaces available for managing Windows-based computing had several substantial shortcomings. Windows 2000 brings a host of new tools and interfaces native to the operating system to address management and monitoring. Open interfaces based on industry standards, such as the Active Directory Service Interfaces (ADSI) and Windows Management Instrumentation (WMI), provide a robust base for developing solutions to manage and monitor the Windows infrastructure, which is now more critical than ever to the success of Windows in the enterprise. As Windows becomes more pervasive in the enterprise, Active Directory will become a leverage point for an increasing number of enterprise-wide applications (such as Exchange 2000). Many of these applications have a global scope; because they rely on Active Directory, it too must function with a distributed, global environment in mind.
Because enterprise applications may need both to read from and write to the directory, Active Directory operates in a multimaster configuration, allowing changes and queries to be made against any domain controller. As a result, objects may be created on different domain controllers spread around the world. Active Directory consolidates the state of these objects (new, modified and removed) through replication, but because of network latency and the potentially distributed nature of the directory, data in Active Directory is loosely consistent rather than immediately convergent. Applications that rely on Active Directory typically expect to get the same data about an object regardless of where in the infrastructure the request originates; as consistency wavers, applications may behave incorrectly. Ensuring a properly functioning Active Directory infrastructure with minimal, or at least a known amount of, replication latency is therefore key when deploying business applications on top of the directory.

detailed architecture review of Active Directory

the database
Active Directory is built atop the JET Blue database, also known as the Extensible Storage Engine (ESE). Microsoft has built many of its products on a version of JET, including DHCP, WINS and Exchange 4.0 through 2000. Each domain controller in the forest hosts at least a partial copy of Active Directory. From the file system perspective, JET Blue manifests itself as a series of files. The Active Directory database itself is stored in the ntds.dit file. Since JET is a transactional database, a set of log files exists to ensure that committed transactions reach disk and survive a system crash.
The log files include:
• Several EDB*.log files, the transaction logs, each 10 MB in size
• Two "reserve" log files, Res1.log and Res2.log, which each reserve 10 MB of disk space so that if the volume fills while the EDB*.log files are in use, space remains available for writing pending transactions
• An EDB.chk file, the checkpoint file, which records which transactions have been committed to the database and, after a failure, which log files must be replayed to bring the database to the most up-to-date state possible
From a functional perspective, all write transactions on a given domain controller are written first to the transaction logs. Log writes are sequential, so placing the transaction log files on a disk volume optimized for writes improves transaction processing performance. Transactions written to the log files are later committed to the ntds.dit database file. Most read operations are performed against the ntds.dit file, and read requests can be made asynchronously, so placing the ntds.dit file on a disk volume optimized for reads improves query performance. Given the different usage patterns of the database and its log files, the two file sets are commonly split across different disk volumes, which allows more I/Os per second and a per-volume configuration tailored to the component using it.

forests, trees and domains
Active Directory can be carved into different sections to increase its manageability and performance. Any single Active Directory is logically referred to as "the forest." The forest is a collection of domains that share a common set of configuration information, including the database schema, and a common global catalog for forest-wide queries. The forest also acts as the ultimate security boundary of Active Directory.
The first domain created in the forest is the forest root domain. The root domain can never be removed from the forest without dismantling the forest itself. Like every other domain, the root domain has a fully qualified DNS-style name, for example hp.com. Additional domains can be added to the forest either as child domains within the root domain's tree or as the root of a new tree. A number of differences exist between the two, but the most pronounced is the name the domain receives: a child domain added to the hp.com tree might be called na.hp.com, whereas a new domain tree might be called compaq.com. The domains hp.com and na.hp.com are in the same tree because their names form a contiguous hierarchy. Each domain represents a clear administrative boundary. Each domain is hosted by one or more domain controllers, each of which holds a complete and writable replica of that domain's database, also called the domain naming context. Special instances of domain controllers, called global catalogs, additionally host a partial, read-only replica of every domain database in the forest; a domain controller can hold a complete and writable replica only of the domain to which it belongs. To keep the forest and its domains consistent, data is replicated among domain controllers, and the data to be replicated is determined by the domain membership of the domain controller. Domain controllers of the same domain replicate the configuration, the schema and their own domain naming context among each other. Domain controllers of different domains replicate only configuration and schema information. In the case of a global catalog, a partial set of domain naming context data from the other domains is also replicated to and from this special domain controller.
domain name services
Windows 2000 and Active Directory rely on the Domain Name System (DNS) as the primary name resolution method for all domains, service principal names (SPNs), user principal names (UPNs) and services. Domain controllers and global catalogs register host (A), alias (CNAME) and service (SRV) resource records in DNS. Many Active Directory processes use these records to locate domain controllers, global catalogs and Kerberos Key Distribution Centers, among other functional roles. For example, if a domain controller does not properly register its GUID (globally unique identifier) as a CNAME, its replication partners cannot locate it, Active Directory replication with that domain controller will not be possible, and data changes may not be replicated to or from it. For this and many other reasons, DNS is extremely critical to Active Directory operations: if DNS is not functioning properly, Active Directory will typically follow suit.

sites, site links and subnets
Unfortunately, the current implementation of Active Directory cannot query routers, switches or the various routing protocols to learn how the physical network is configured; an administrator must describe it manually. The information the administrator provides is called the site topology. The site topology is typically built to represent the physical network, but it need not match the physical layout in its entirety. Active Directory uses the site topology to determine locality and the replication topology. Typically, a site is defined to represent a physical location or a closely tied group of locations; Active Directory treats a site as a group of subnets with high-speed connectivity. Administrators therefore define a site and attach particular subnets to it to define its boundaries.
As a result, a workstation can determine which site it resides in and access resources, such as a domain controller, that reside in the same site. From a replication perspective, domain controllers use site definitions to choose the most appropriate partner domain controllers to replicate with. For example, suppose three sites exist: New York is connected to Seattle by a T1 link and to Spokane by a 56 Kbps link, and Seattle is connected to Spokane by a T1 link. It may be beneficial for New York always to replicate through Seattle, even for changes destined for Spokane. An administrator defines this by creating site links joining New York to Seattle and Seattle to Spokane. The administrator can refine the structure by also defining a site link between New York and Spokane (a more exact representation of the physical topology) yet still ensure that most replication flows over the New York to Seattle link by assigning that link a lower "cost," while the direct New York to Spokane connection is used only when the New York to Seattle link is unavailable.

replication
Replication is the process of transmitting additions, modifications and removals among the domain controllers of an Active Directory. Replication is critical because users and applications always want up-to-date information. Stale data can produce unwanted outcomes for the users and processes that consume it, and that data may include security information and policies. In addition, incorrect site topology configuration or the inability to reach replication partners can create replication queue backlogs, which further delay replication and at worst make services such as the global catalog unavailable.
In many cases an infrastructure that is not closely monitored shows no symptoms of an outage or delay, because Active Directory replication can be designed to be very fault tolerant. Two basic replication scenarios exist: intrasite and intersite. When replication occurs between domain controllers in the same site (intrasite), how often it occurs is governed by the connection object created (manually or automatically) between the two domain controllers. The default schedule for a connection object between two domain controllers in the same site is once per hour. However, by default, domain controllers notify their replication partners as they modify objects, so replication attempts are in practice made more often than the connection object schedule alone would dictate. When replication occurs between two sites (intersite), how often and at what time of day it occurs is governed by the site link between the two sites. The site link's configuration therefore also determines the minimum time from a change in one site until it is replicated to the other, referred to as replication latency. The default configuration of a site link allows replication throughout the 24-hour day, every 180 minutes. In some environments, however, heavy utilization of WAN links makes directory replication unreasonable during certain times (such as normal business hours). For these cases the site link configuration offers flexibility: link availability can be defined on an hour-by-hour basis, and the replication interval can be set anywhere from every 15 minutes to every 10,080 minutes (one week). Whatever the configuration, adjusting it changes the replication latency between the sites.
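The site link cost and schedule rules above can be worked through on the New York / Seattle / Spokane topology. The following Python is an added example, not code from the white paper or from HP OpenView: it picks the least-cost route over site links the way the intersite topology generator would (a plain shortest-path search), shows the failover to the direct 56 Kbps link when the New York to Seattle link is down, and bounds the end-to-end replication latency from each link's interval and availability window. All costs, intervals and schedules are constructed sample values, and the latency figure is a deliberately conservative estimate (it assumes a change just missed each hop's replication cycle).

```python
"""Site link routing and intersite replication latency (added example).

Constructed topology: two T1 links (cost 100, replicate every 180 minutes,
available all day) and one 56 Kbps link (cost 500) that the administrator
only opens for replication outside business hours. Not from the white paper.
"""
from __future__ import annotations

import heapq
from dataclasses import dataclass
from math import inf
from typing import FrozenSet, Iterable, List, Optional, Tuple

ALL_HOURS = frozenset(range(24))
OFF_HOURS = frozenset(range(18, 24)) | frozenset(range(0, 6))  # 18:00 to 06:00


@dataclass(frozen=True)
class SiteLink:
    a: str
    b: str
    cost: int                        # lower cost is preferred when building the topology
    interval_min: int                # replication interval, 15..10080 minutes
    available_hours: FrozenSet[int]  # hours of the day in which the link may replicate

    def __post_init__(self) -> None:
        # Windows 2000 accepts intervals from 15 minutes up to one week (10,080 minutes).
        if not 15 <= self.interval_min <= 10080:
            raise ValueError(f"interval {self.interval_min} outside 15..10080 minutes")
        if not self.available_hours:
            raise ValueError("a site link must be available for at least one hour")

    def joins(self, x: str, y: str) -> bool:
        return {self.a, self.b} == {x, y}


LINKS: List[SiteLink] = [
    SiteLink("New York", "Seattle", cost=100, interval_min=180, available_hours=ALL_HOURS),
    SiteLink("Seattle", "Spokane", cost=100, interval_min=180, available_hours=ALL_HOURS),
    SiteLink("New York", "Spokane", cost=500, interval_min=180, available_hours=OFF_HOURS),
]


def least_cost_path(links: Iterable[SiteLink], src: str, dst: str,
                    down: FrozenSet[FrozenSet[str]] = frozenset()) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra over site links. `down` holds {a, b} endpoint pairs of links to treat as unavailable."""
    adj: dict = {}
    for link in links:
        if frozenset((link.a, link.b)) in down:
            continue
        adj.setdefault(link.a, []).append((link.b, link.cost))
        adj.setdefault(link.b, []).append((link.a, link.cost))
    dist = {src: 0}
    prev: dict = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, inf):
            continue
        if u == dst:
            break
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, inf):
                dist[v] = d + c
                prev[v] = u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def find_link(links: Iterable[SiteLink], x: str, y: str) -> SiteLink:
    for link in links:
        if link.joins(x, y):
            return link
    raise KeyError(f"no site link between {x} and {y}")


def minutes_until_available(link: SiteLink, minute_of_day: int) -> int:
    """Minutes from `minute_of_day` until the link's schedule next permits replication."""
    hour = (minute_of_day // 60) % 24
    if hour in link.available_hours:
        return 0
    for k in range(1, 25):
        if (hour + k) % 24 in link.available_hours:
            return k * 60 - (minute_of_day % 60)
    raise ValueError("link has no available hours")  # prevented by __post_init__


def worst_case_latency(path: List[str], links: Iterable[SiteLink], start_minute_of_day: int) -> int:
    """Conservative end-to-end latency in minutes for a change made in path[0] at
    `start_minute_of_day`: per hop, wait for the link schedule to open, then assume
    the change just missed a replication cycle and waits one full interval."""
    links = list(links)
    t = start_minute_of_day
    total = 0
    for x, y in zip(path, path[1:]):
        link = find_link(links, x, y)
        hop = minutes_until_available(link, t) + link.interval_min
        total += hop
        t = (t + hop) % 1440
    return total


if __name__ == "__main__":
    normal = least_cost_path(LINKS, "New York", "Spokane")
    outage = frozenset({frozenset({"New York", "Seattle"})})
    failover = least_cost_path(LINKS, "New York", "Spokane", down=outage)
    print("normal route:", normal, "latency at 08:00:", worst_case_latency(normal[1], LINKS, 8 * 60))
    print("NY-Seattle down:", failover, "latency at 08:30:", worst_case_latency(failover[1], LINKS, 8 * 60 + 30))
```

With the constructed values, a change made in New York at 08:00 normally reaches Spokane via Seattle within 360 minutes (two 180-minute hops), but while the New York to Seattle link is down the same change waits until the 56 Kbps link opens at 18:00 and can take 750 minutes. That gap between the normal and failover paths is exactly what a monitoring threshold on replication latency has to be set against.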
Note: The notification process described for intrasite replication can also be enabled for intersite replication; however, this is typically undesirable, as it may increase traffic over the WAN through replication attempts more frequent than the site link defines. A special replication case is that of the global catalog. As defined above, a global catalog is a domain controller that hosts a partial, read-only replica of every domain database in the forest in addition to a fully writable replica of its own domain. Some applications, such as Exchange 2000, rely heavily on forest-wide queries answered by a global catalog. Because domains may be geographically dispersed, replication latency from the various domains to the global catalogs in the forest may be higher than latency within a domain. Monitoring global catalog latency is therefore an important factor in maintaining consistent data for applications that require forest-wide queries.

organizational units, group policy objects and SYSVOL
Organizational units (OUs) are logical containers that can be created within an Active Directory domain and are used to organize groups of objects within the directory. Organizing objects this way allows an administrator to delegate authority over a group of objects to another user and to apply policies to a set of objects quickly and easily. This is made easy by inheritance: objects within an OU inherit the policies and security permissions applied to their "parent" container. In most information technology (IT) environments there are too many tasks for a single administrator to handle, so a variety of tasks are delegated to a number of different individuals, sometimes members of the IT team and sometimes members of the end-user community.
Regardless, OUs combined with access control lists and inheritance give an IT organization the means to delegate permissions over objects at a very granular level. OUs are usually the point at which delegated permissions are applied, since a user is rarely given permission over only a single object; however, delegating permissions on a per-object basis is possible. Most IT organizations have written policies describing what users, machines and applications should and should not be able to do. Active Directory lets an administrator translate these written policies into technical policies enforced by the underlying infrastructure. These policies are applied by way of group policy objects (GPOs). GPOs can be linked to a domain, a site or an OU and are inherited by the structure beneath. Common uses of GPOs include:
• Logon, logoff, startup and shutdown scripts
• Software deployment and installation
• Security policies, such as password length and complexity, account lockout and reset, and Kerberos ticket lifetime (account and Kerberos policy applies at the domain level only)
• Desktop settings, such as background and color schemes
• System control settings, such as limiting access to the control panel, screen saver or other display settings
• And many others
While the link of a GPO to a domain, site or OU (and the GPO's container object) is stored in Active Directory, the policy's settings and the scripts it refers to are stored as files in the SYSVOL share. SYSVOL is a distributed file system (DFS) share replicated among the domain controllers of the same domain by the File Replication Service (FRS).
Although FRS is a different replication mechanism from the one Active Directory uses, FRS respects the site topology defined by the administrator and the connections created by the Knowledge Consistency Checker (KCC) and Inter-Site Topology Generator (ISTG) when replicating SYSVOL data. Like Active Directory, SYSVOL can be quite fault tolerant, as it is backed by DFS; and also like Active Directory, without a sound monitoring system in place, by the time problematic symptoms appear in SYSVOL the problem may be in an advanced stage.

operations masters
Although Windows 2000 is predominantly a multimaster environment, certain roles handle critical operations that could not easily be reconciled if they were performed in more than one place at the same time. Some changes, such as adding or deleting a domain or changing the Active Directory schema, have a significant impact throughout the entire forest. For these, Active Directory uses a single-master model for the most critical forest and domain operations.
Schema Master: a single domain controller in the forest owns this role. Only the schema master may make changes to the schema; if it is unavailable, schema changes cannot be made.
Domain Naming Master: a single domain controller in the forest owns this role. The domain naming master controls changes to the domain namespace, including the addition, removal and naming of domains in the forest. If it is unavailable, domains cannot be added to or removed from the forest and their names cannot be changed.
PDC Emulator: a single domain controller in each domain owns this role. The PDC emulator provides down-level compatibility: it presents a "flat" replica of the directory compatible with a Windows NT® SAM database when replicating to pre-Windows 2000 domain controllers.
The PDC emulator also services all requests made to the PDC by down-level clients, receives expedited replication of password changes performed on other DCs in the domain, and acts as the authoritative time source for its domain. If the PDC emulator is unavailable, down-level domain controllers stop receiving replicas of the directory, requests for the PDC from down-level clients (e.g. for password changes) fail, and time throughout the domain may drift out of synchronization, causing Kerberos tickets and other time-sensitive processes to become invalid or to behave erratically.
RID Master: a single domain controller in each domain owns this role. The RID master manages and allocates relative identifiers (RIDs) within the domain, handing a pool of RIDs to each domain controller. RIDs are required whenever new objects such as users, groups and computers are created, and the RID master is also required when moving an object from one domain to another. If the RID master becomes unavailable, domain controllers fail to create new objects once their existing RID pool is exhausted.
Infrastructure Master: a single domain controller in each domain owns this role. The infrastructure master makes references to objects outside the local domain possible, as domain controllers do not normally know about objects outside their own domain. It maintains consistency in group memberships when members from other domains are renamed or moved, by creating phantom objects that act as pointers to those objects in other domains. The infrastructure master should not reside on a global catalog, because it only creates phantoms for objects of which it holds no replica (not even a partial one).
A global catalog holds a partial copy of every object in the forest; if the two roles sat on the same machine, phantom objects would never be created, leaving unresolvable references on all other domain controllers in the domain. If the infrastructure master is unavailable, renames and moves of objects outside the local domain are not reflected in the local domain's group memberships, so some processes may not include a particular user in a group.

hp OpenView and Active Directory
Active Directory is, or will likely become, a vital part of the computing infrastructure. Users may depend on it for logon and address books, and applications may depend on it for access control and for publishing application services. Failure or unavailability of the directory results in downtime for users and applications, which translates into lost money and business. By monitoring directory services, administrators learn of outages as soon as they occur; with more sophisticated monitoring strategies, they can anticipate problems before they become outages. Information gathered by such monitoring can also be used to tune Active Directory servers with regard to CPU utilization and the I/O subsystem. HP provides a comprehensive solution for monitoring distributed, heterogeneous e-business infrastructures with its HP OpenView management offering. HP OpenView Operations for Windows (OVOW) is a distributed, client/server software solution that provides service-driven event and performance management of business-critical enterprise systems, applications and services. It manages distributed, heterogeneous infrastructures and supports a broad range of Windows systems and applications.
Operations for Windows also provides console and server functionality to monitor performance and events through agents installed on the managed nodes. Agents evaluate conditional rules, monitor events on managed nodes, and either forward appropriate events to the management server or execute specific actions requested by the operator. Rules, threshold values and tools come with the Smart Plug-in (SPI) components, which hold the knowledge about a specific system or application. HP OpenView Operations for Windows ships with several base SPIs, and administrators can deploy additional SPIs to complement them or to gain advanced monitoring capabilities. Preconfigured policies, conditional rules, threshold values and tools specific to a component or application are provided through SPIs. In general, an SPI includes policies for service monitoring, reports for consolidating collected data, predefined graphs and tools. Policies control the monitoring schedule and define the rules and thresholds that filter events down to relevant information and status data; they also control how collected information is received, in the form of service map alerts and messages. Service map alerts are shown in the HP OpenView Operations for Windows service map, while messages are viewed in the Operations message browser, as shown in Figure 1.
Figure 1: Message Browser and Service Map consoles.
Starting with releases 6.x and 7.0, HP OpenView Operations for Windows supports the Windows 2000 platform. Operations for Windows 7.1 can manage Windows 2000 server nodes. Support for Windows Server 2003 is planned for the 7.2 release of HP OpenView Operations for Windows.
Active Directory monitoring is provided by two SPIs:
• The Windows Operating System SPI (WINOS-SPI), part of the base product, includes basic monitoring and management capabilities.
• The Active Directory SPI adds replication, operations master, global catalog and DNS monitoring capabilities as well as enhanced visualization features.
Together the two SPIs offer a broad range of possibilities for managing and monitoring Active Directory and keep administrators informed of the various Active Directory conditions occurring across the network.

how hp OpenView monitors and manages Active Directory
HP OpenView offers a choice in the level of Active Directory monitoring implemented at a site. The WINOS-SPI provides Active Directory availability and performance monitoring along with first-level discovery, while the Active Directory SPI provides more detailed and thorough capabilities.

components of the Windows OS SPI
The WINOS-SPI provides preconfigured policies and tools for managing operations and performance on Windows nodes. This functionality is part of the HP OpenView Operations for Windows product and covers basic system and application management. The WINOS-SPI also includes policies to manage the Active Directory component.
Those policies fall into the following categories:
Inventory: policies in this category
• Discover the infrastructure related to Active Directory and update the service map with domain and site information
• Monitor the state of critical system services, such as the Netlogon service and the KCC service
• Forward events from the DNS, File Replication Service (FRS), Directory Service (DS) and SNMP logs to the management console
Control change: policies in this category, when deployed, report changes in the infrastructure, including:
• Domain change: addition or deletion of domains in the forest
• Organizational unit (OU) change: creation of a new OU, modification of the contents of an OU
• Site topology change: addition or deletion of Windows 2000 Active Directory sites
Performance data collection: policies in this category, when deployed, collect performance data for:
• Authentication requests
• The replication service
• LDAP queries
They also send alert messages to the console when threshold values are met.
Security auditing: policies in this category, when deployed, audit access to certain objects.
Active Directory policies belonging to the WINOS-SPI have names prefixed with "WINOSSPIADS-" and are located under the Policy Management\Policy Groups\Microsoft Windows Core hierarchy of the HP OpenView Operations for Windows management console. None of the Active Directory policies is deployed by default except WINOSSPI-WINSys_AutoDiscovery, a mandatory policy added to every new Windows managed node to discover the Windows infrastructure.

components of the Active Directory SPI
The Active Directory SPI adds operations master and replication monitoring capabilities to HP OpenView Operations for Windows.
It complements the base WINOS-SPI by monitoring the specific components of Active Directory related to replication and FSMO (flexible single master operations) roles. Components of the Active Directory SPI include:
• Replication latency: replication policies measure the time required to propagate a change to all DCs in the domain; a policy can also monitor intersite and intrasite replication time separately
• Operations master monitoring: policies in this category measure the general responsiveness of the different FSMO role holders
• DNS-focused monitoring and reporting
• Global catalog monitoring and reporting
• Directory Information Tree (DIT) monitoring and reporting
• Visualization and tuning with the Active Directory Topology Viewer tool and the service map
• Web-based reports and graphs of replication performance data

using hp OpenView Operations for Windows to monitor Active Directory
Deploying a monitoring solution on Active Directory can be a daunting task, as an Active Directory configuration is a distributed and complex environment. Before deciding on a monitoring tool, solution architects should:
• Assess the business requirements in terms of service level agreements (SLAs) for the business applications
• Understand the current environment
• Define technical requirements for a monitoring solution
• Determine which components of the infrastructure are to be monitored: Active Directory replication, DNS, authentication services, etc.
• Define and agree on an SLA for each component, and determine acceptable threshold values and the level of alerts to be reported to the management console
These planning items drive the selection of policies and the configuration of threshold values and timing intervals used in the HP OpenView Operations for Windows and Active Directory SPI policies.
When implementing this solution, administrators can follow the steps below as a guideline for using Operations for Windows to monitor Active Directory.

step 1: discovery of the Active Directory environment

After installing HP OpenView Operations for Windows on a management console, administrators can add Windows computers into the management database. By default, the WINOSSPI-WINSys_AutoDiscovery policy is deployed to new managed nodes to record their role in the Active Directory hierarchy of the services map, as shown in Figure 2 below.

Figure 2: Discovery of new nodes in the services map

New managed nodes appear in the services map the day after they have been added, as the discovery policy is scheduled to run at 2 a.m. each day. Administrators can change the default schedule by modifying the value in the properties of the corresponding policy and forcing its deployment on the targeted nodes, as Figure 3 shows.

Figure 3: Modify the schedule of the policy

In addition, administrators can update the service map with information related to replication and master operations by running the discovery services policies provided with the Active Directory SPI.

step 2: monitoring basic services

There are some basic services that HP OpenView Operations for Windows can monitor to ensure that Active Directory is at least present and responding to requests on the network:
• Domain Naming Service (DNS)—DNS is the first service used by clients to locate Active Directory Domain Controllers (DCs) and Global Catalog servers (GCs). DCs and GCs register their service records (SRV) in DNS at startup time, and DNS uses those records to provide name resolution for those servers. Monitoring the health of DNS is usually the first step in ensuring that Active Directory services are present on the network.
HP OpenView Operations for Windows 7.2 provides advanced monitoring capabilities for DNS in the Active Directory SPI, as shown in the figure below.

Figure 4: ADSPI policies related to DNS

• NetLogon service—The NetLogon service runs on a Domain Controller to satisfy network requests to authenticate users. During its startup, it registers SRV records in DNS to advertise the Active Directory services offered by the domain controller. Monitoring the state of the NetLogon service is absolutely critical for continued Active Directory operations. The WINOSSPI-ADS_NetLogon policy can be used for this purpose.
• Kerberos Key Distribution Center (KDC) service—Working in conjunction with the NetLogon service, the KDC service is in charge of delivering Kerberos tickets. In Windows 2000, Kerberos provides a more secure authentication service than NTLM authentication, and Kerberos is the default authentication method used in a Windows network. Therefore, monitoring the state of the KDC service is essential to Active Directory operations.

step 3: monitoring changes in Active Directory

Best practices in infrastructure management recommend having processes in place to control deployment and change operations. A deployment control process ensures that the construction of the infrastructure is solid and coherent. A change control process ensures that the infrastructure remains stable and consistent when modifications are made to the environment. Administrators can use HP OpenView Operations for Windows to monitor deployment operations and change operations in a Windows network.
Different policies provided with the WINOS-SPI can be used as follows:

Process              Policy name                            Description
Deployment control   WINOSSPI-ADS_SiteChanges               Monitors changes in the site topology
                     WINOSSPI-ADS_DomainChanges             Monitors changes in the Domain configuration
Change control       WINOSSPI-ADS_DirComputerModif          Monitor changes in the Domain Naming context
                     WINOSSPI-ADS_DirUserModif
                     WINOSSPI-ADS_DirUserCreationDeletion
                     WINOSSPI-ADS_SAMServerPropChange
                     WINOSSPI-ADS_SecAdminGroupChange
                     WINOSSPI-ADS_OUChanges

step 4: monitoring responsiveness of DC/GC

The faster systems respond to network requests, the more likely it is that an SLA will be met. Users’ perception of the infrastructure depends entirely on how quickly the systems respond to their requests. If users can look up information in Active Directory very quickly, they will perceive that the infrastructure is performing well and will likely meet their expectations as defined in the SLA for directory lookup. Measuring and monitoring the response time for the different activities of DCs and GCs helps in determining and validating that the different SLAs are being met. ADSPI provides the following policies to monitor response time:
• ADSPI-ResponseTime_Bind and ADSPI-ResponseTime_Query measure the response time for binding to a DC and for performing LDAP queries on the DC
• ADSPI-ResponseTime_GCBind and ADSPI-ResponseTime_GCQuery measure the response time for binding to a GC and for performing LDAP queries on the GC

step 5: monitoring replication

Active Directory replication plays a vital role in the directory ecosystem. It ensures that directory information is available on multiple servers, and thus increases the reliability and performance of the Active Directory service. Active Directory reliability is improved because there is no single point of service failure—clients can locate a different server for directory services if the current one fails or becomes unreachable.
Having multiple replicas that contain the same Active Directory information improves the performance of Active Directory because directory client requests may be distributed across multiple servers. To achieve those objectives, directory administrators must ensure that replication is functioning correctly and that directory information is consistent across multiple servers, locally and in remote sites. Monitoring tools should be deployed to verify that scheduled replication and directory updates are sent to all servers in a timely manner. ADSPI offers capabilities to monitor Active Directory replication based on the following deployable policies:
• ADSPI-Rep_Mon: Checks replication latency between DCs
• ADSPI-Rep_InBoundObjs: Monitors the number of inbound replication objects

The different steps described above provide the basic foundation for monitoring Active Directory with HP OpenView Operations for Windows. Administrators can deploy additional policies to monitor other Active Directory services, such as the authentication service.

what needs to be monitored and managed to maintain the Active Directory

The HP OpenView Operations for Windows console provides different views to browse the messages reported by agents. These range from managed node views to service map views that display alerts in a graphical window. The Operations for Windows console also uses a hierarchical view to organize the policies and tools that are available from the base product or with the addition of an SPI. Here are some best practices for first-time Operations for Windows operators:

deployment of policy

• Before deploying a policy to a set of managed nodes, you should verify, and if necessary change, the schedule of the policy. A policy may be deployed immediately on the targeted nodes, but the agent will run the policy at the next scheduled time as defined in the properties of the policy, as shown in Figure 3 above.
• Modifying a property of a policy increases the version number of the policy.
You should ensure that the latest version of the policy is the one currently deployed on a targeted node. Figure 5 shows how to view the resultant set of policies deployed on a specific node.

Figure 5: Resultant set of policies deployed on a managed node

• When deploying a policy, you should always check the contents of the Deployment jobs sub-hierarchy. It shows the status of policies waiting to be deployed on managed nodes. In general, the contents of the folder should be empty.

Figure 6: Policies waiting to be deployed

policy management

To ease the management of policies, you can group the policies you are interested in into customized policy groups. Figure 7 shows an example of a customized group of policies.

Figure 7: Defining a group of policies

monitoring DNS

As described above, the health of DNS is crucial to the ongoing stability of an Active Directory. HP OpenView Operations for Windows provides in-depth monitoring of the DNS infrastructure. The WINOS-SPI offers basic monitoring of DNS services running on Windows 2000 servers, including the following deployable policies:
• WINOSSPI-DNS_LogDNSPagesSec—monitors the pages per second used by the DNS server, for capacity planning.
• WINOSSPI-DNS_Server_Response—monitors the response time of the managed DNS server, for capacity planning and performance service levels.
• WINOSSPI-DNS_MsDnsServer—monitors the state of the DNS service and processes running on the server.

When coupling the WINOS-SPI with the Active Directory SPI, an organization gains a greatly enhanced set of deployable policies related to DNS. The result of deploying both the WINOS-SPI and the Active Directory SPI is a robust DNS monitoring system specifically tuned for DNS support of the Active Directory and Windows authentication services.
The Active Directory SPI will ensure that DNS has the correct A, CNAME and SRV records for each DC and GC in the forest and report any missing or erroneous records to the management server. The following deployable policies support this functionality:
• ADSPI-DNS_GC_StrandedSite—checks each site in the Active Directory to determine if a GC is available within the site.
• ADSPI-DNS_Extra_GC_SRV_Chk—checks that all GC SRV records have a matching GC known by the Active Directory.
• ADSPI-DNS_Kerberos_SRV_Chk—checks that all KDCs known to the Active Directory have a corresponding SRV record related to the KDC in DNS.
• ADSPI-DNS_Extra_LDAP_SRV_Chk—checks that LDAP SRV records have a matching DC known by the Active Directory.
• ADSPI-DNS_Extra_Kerberos_SRV_Chk—checks that all KDC SRV records have a matching DC known by the Active Directory.
• ADSPI-DNS_LDAP_SRV_Chk—checks that all DCs known to the Active Directory have a corresponding SRV record related to LDAP in DNS.
• ADSPI-DNS_GC_A_Chk—checks that all GCs known to the Active Directory have a corresponding A record for the GC in DNS.
• ADSPI-DNS_DC_A_Chk—checks that all DCs known to the Active Directory have a corresponding A record for the DC in DNS.
• ADSPI-DNS_DC_Response—monitors the response time of DNS queries made by the domain controller.
• ADSPI-DNS_Island_Server—checks to see if the DC is configured to use itself as a DNS server, which can result in isolating the DC in some cases.
• ADSPI-DNS_DC_CNAME_Chk—checks that all DCs known to the Active Directory have a CNAME record registered in DNS which corresponds to their GUID.
• ADSPI-DNS_GC_SRV_Chk—checks that all GCs known to the Active Directory have a corresponding A record for the GC in DNS.
• ADSPI-DNS_Obsolete_GUIDs—validates that all Active Directory GUIDs registered in DNS as CNAME records correspond to an existing DC in the Active Directory forest.
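The checks above all compare two inventories: the DCs and GCs the forest knows about, and the SRV, A and CNAME records DNS actually serves. The following is an added example, not HP's code or the ADSPI policies themselves, that runs that comparison offline over a constructed forest and zone; the domain name, host names, GUIDs and addresses are made up for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DomainController:
    """A DC as Active Directory knows it (constructed sample, not a live query)."""
    host: str            # FQDN
    ip: str
    guid: str            # DSA object GUID, published as <guid>._msdcs.<forest>
    is_gc: bool = False

@dataclass
class DnsZone:
    srv: dict = field(default_factory=dict)     # SRV owner name -> set of target hosts
    a: dict = field(default_factory=dict)       # host -> set of IPv4 addresses
    cname: dict = field(default_factory=dict)   # alias -> canonical host

def _srv_check(label, owner, expected, zone, findings):
    """Two-way comparison of one SRV owner name: a DC with no record is 'missing'
    (the *_SRV_Chk policies); a target AD does not know is 'extra' (*_Extra_*_SRV_Chk)."""
    published = zone.srv.get(owner, set())
    for host in sorted(expected - published):
        findings.append(("missing", label, owner, host))
    for host in sorted(published - expected):
        findings.append(("extra", label, owner, host))

def check_dns_against_ad(domain, forest, dcs, zone):
    """Return sorted (kind, check, record, host) findings; empty means DNS agrees with AD."""
    findings = []
    hosts = {dc.host for dc in dcs}
    # In a Windows 2000 forest every DC is also a KDC, so LDAP and Kerberos expect the full DC set
    _srv_check("LDAP", f"_ldap._tcp.{domain}", hosts, zone, findings)
    _srv_check("Kerberos", f"_kerberos._tcp.{domain}", hosts, zone, findings)
    _srv_check("GC", f"_ldap._tcp.gc._msdcs.{forest}",
               {dc.host for dc in dcs if dc.is_gc}, zone, findings)
    suffix = f"._msdcs.{forest}"
    for dc in dcs:
        # DC_A_Chk / GC_A_Chk: the host must resolve to the address AD holds for it
        if dc.ip not in zone.a.get(dc.host, set()):
            findings.append(("missing", "A", dc.host, dc.ip))
        # DC_CNAME_Chk: the GUID alias replication partners use to reach the DC
        if zone.cname.get(dc.guid + suffix) != dc.host:
            findings.append(("missing", "CNAME", dc.guid + suffix, dc.host))
    # Obsolete_GUIDs: GUID aliases that no longer correspond to a DC in the forest
    known_guids = {dc.guid for dc in dcs}
    for alias, target in zone.cname.items():
        if alias.endswith(suffix) and (
                alias[:-len(suffix)] not in known_guids or target not in hosts):
            findings.append(("obsolete", "CNAME", alias, target))
    return sorted(findings)

# Constructed sample: one GC, one plain DC whose A record is stale, and a
# decommissioned "olddc" whose SRV and GUID CNAME records were never cleaned up
FOREST = DOMAIN = "corp.example"
DCS = [
    DomainController("dc1.corp.example", "10.0.0.11",
                     "11111111-1111-1111-1111-111111111111", is_gc=True),
    DomainController("dc2.corp.example", "10.0.0.12",
                     "22222222-2222-2222-2222-222222222222"),
]
ZONE = DnsZone(
    srv={"_ldap._tcp.corp.example":
             {"dc1.corp.example", "dc2.corp.example", "olddc.corp.example"},
         "_kerberos._tcp.corp.example": {"dc1.corp.example"},
         "_ldap._tcp.gc._msdcs.corp.example": {"dc1.corp.example"}},
    a={"dc1.corp.example": {"10.0.0.11"}, "dc2.corp.example": {"10.0.0.99"}},
    cname={"11111111-1111-1111-1111-111111111111._msdcs.corp.example": "dc1.corp.example",
           "22222222-2222-2222-2222-222222222222._msdcs.corp.example": "dc2.corp.example",
           "99999999-9999-9999-9999-999999999999._msdcs.corp.example": "olddc.corp.example"},
)
```

For the sample data, check_dns_against_ad(DOMAIN, FOREST, DCS, ZONE) reports four findings: an extra LDAP SRV target and an obsolete GUID CNAME for olddc, a missing Kerberos SRV record for dc2, and a stale A record for dc2. Replacing the constructed inventories with the output of a directory query and a zone transfer turns the same function into the kind of scheduled check the policies above perform.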
Active Directory Topology Viewer

The Active Directory SPI provides one new HP OpenView Operations for Windows tool: the Active Directory Topology Viewer (ADTV). ADTV can be used to generate a unique and powerful visual representation of an Active Directory forest. ADTV queries the Active Directory of a single forest for the following information:
• Active Directory partitions, including configuration, schema, domain and Windows Server 2003 application partitions.
• Active Directory sites and their associated DCs and GCs.
• Intrasite and intersite connection objects, their associated GUIDs, partners and the partitions that are replicated over them.
• Site links, including members and costs.

Figure 8: ADTV retrieving data from the Active Directory

Once ADTV has collected all the data it needs for display, an administrator can easily organize the objects on the display map.

Figure 9: ADTV display map

If desired, the administrator can zoom in on any part of the display map and view the intra- and/or intersite connection objects.

Figure 10: ADTV viewing intrasite connection objects

The administrator can further drill down into any DC or GC by double-clicking the object in the display map.

Figure 11: ADTV property pages for domain controllers

In addition to the display map, ADTV provides a data tree that allows navigation throughout the collected data by way of partitions, sites and site links.

Figure 12: ADTV data tree

benefits of using hp OpenView to manage Active Directory

HP OpenView Operations for Windows, when coupled with the OpenView Smart Plug-in for Active Directory, provides robust features that efficiently and effectively monitor the components of the Active Directory infrastructure.
Various Operations for Windows features help ensure the health, performance, accuracy and availability of the Active Directory. Capabilities include:
• Understanding the true end-to-end performance of Active Directory by probing the directory via LDAP. One of the most useful ways to monitor Active Directory is to probe it by binding to it and performing LDAP requests. HP OpenView Operations for Windows has policies that connect to an Active Directory server (DC or GC) and measure the respective response times of LDAP queries.
• Monitoring operating system and Active Directory performance data. HP OpenView Operations for Windows provides tools and policies to query operating subsystem functions, such as DNS, replication monitoring, FSMO services and the Directory Information Tree. This type of information can help identify the performance of directory servers and associated Active Directory elements.
• Event log file analysis. HP OpenView Operations for Windows reports event messages with error conditions that may signal a potential problem in a directory service.
• Visualization of your Active Directory environment. The Active Directory Topology Viewer, a patent-pending component of the Active Directory SPI, affords a visual troubleshooting tool for tuning and configuring the Active Directory topology. Its visually unique mapping algorithm maps a forest, its associated Domain Controllers and connection objects in a way that allows quick identification of topology and configuration irregularities. Additionally, HP OpenView Operations’ dynamic Service Map allows for real-time status reporting and troubleshooting. This allows for quicker identification and resolution of problems and enables the visual mapping of Active Directory elements to a business view.
• Unique root-cause analysis and service management visual modeling capabilities for Active Directory provide opportunities for business-focused problem identification and resolution. Using standard features of the HP OpenView Operations for Windows solution, logical relationships for monitoring and alerting are easily created for an Active Directory environment. This affords a great way to manage from the view of the business and not just the organization. You can easily see the Active Directory components and how they relate to your IT organization.

moving forward: the future of hp OpenView and Active Directory management

Active Directory and the underlying Windows server operating system provide a solid framework to host business applications in the enterprise. In turn, enterprise applications leverage features of the infrastructure such as network services and directory services, and ultimately rely on those services to run properly. Exchange 2000 Server is a prime example of the tight integration between applications and operating systems. In the near future, you can expect that more and more applications will depend on OS services. Therefore, monitoring solutions should cover a large spectrum, from applications to OS and hardware, and should be able to express the dependency of applications on OS services. There is a need to build customized service views and to develop knowledge of how to optimize those views. A good example might be a service view showing the dependency of Exchange components like DSACCESS on GC/DC availability and response time, both inside the same site and between different sites. Another example is a service view linking the message store service of Exchange and the IIS service that updates the IIS metabase. Without updated information in IIS, the store cannot mount and is in conflict with the SMTP service.
The ability to provide high quality service for monitoring, identifying and troubleshooting application problems is the proven strength of the HP OpenView Operations for Windows solution. As your Active Directory environment evolves, you can depend on HP OpenView to ensure its health and accuracy.

for more information

For more information on HP OpenView, please contact your local HP reseller or HP sales office, or visit: www.openview.hp.com

© Copyright 2003 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice and is provided “as is” without warranty of any kind. Microsoft, Windows and Windows NT are U.S. registered trademarks of Microsoft Corporation. UNIX is a registered trademark of The Open Group. April 2003