
Operations_Manager_2007Active_Directory_Management_Pack_Guide

By Jorge Watkins,2015-04-10 20:44

    Active Directory Management Pack Guide for Operations Manager 2007

    Microsoft Corporation

    Published: March, 2007

    Author

    Jonobie Ford

    Feedback

    Send suggestions and comments about this document to momdocs@microsoft.com.

    Please include the Management Pack guide name with your feedback.

    Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    © 2007 Microsoft Corporation. All rights reserved.

    Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    All other trademarks are property of their respective owners.

Contents

    Active Directory Management Pack Guide
    Getting the latest Management Pack and Management Pack Documentation
    What's New
    Getting Started with the Active Directory Management Pack
    Before You Import the Management Pack
    Files to Download
    64-bit Considerations on Windows Server 2003
    How to Import the Active Directory Management Packs
    After You Import the Active Directory Server Pack
    Enable the Agency Proxy Setting on All Domain Controllers
    Configure an Account for Replication Monitoring
    After You Import the Active Directory Client Management Pack
    Optional Configuration for the Active Directory Management Pack
    Setting the Intersite Replication Latency Threshold Value
    Disabling Performance Data
    Enable Data Collection for the Replication Latency Report
    Setting Parameters for Tasks
    Security Considerations for the Active Directory Management Pack
    Low-Privilege Environments
    Computer Groups
    Understanding Management Pack Operations
    Objects the Active Directory Management Pack Discovers
    How Health Rolls Up
    Key Monitoring Scenarios
    Viewing Information in the Operations Manager Console
    Views
    Client-Side Monitoring
    Active Directory Performance Views
    Replication Views
    Topology Views
    Reports
    Configuration Information
    Operations Information
    Miscellaneous Reports
    Management Pack Details
    Troubleshooting the Active Directory Management Pack


    Active Directory Management Pack Guide

    Microsoft Operations Manager 2007 provides two Management Packs for Active Directory Domain Services (AD DS): one that monitors the domain controllers, and one that monitors Active Directory clients. To monitor the domain controllers, the Active Directory Server Management Pack provides a predefined, ready-to-run set of processing rules, monitoring scripts, and reports that are designed specifically to monitor the performance and availability of the Active Directory domain controllers. This Management Pack monitors events that are placed in the Application, System, and Directory Service event logs by various Active Directory components and subsystems. It also monitors the overall health of Active Directory and alerts you to critical performance issues.

    Member servers or desktop clients can sometimes experience issues even though the servers are healthy. The Active Directory Client Management Pack helps to identify these issues. This Management Pack is used with the Active Directory Management Pack and ensures that Active Directory is available for Microsoft Exchange and other directory-enabled applications. It also provides additional information about whether the domain controllers are available by running synthetic transactions against the directory service, such as LDAP binds and LDAP pings.

    This Management Pack does not address Sysvol replication, even though some aspects of Active Directory, such as Group Policy settings for scripts for startup, shut down, logon, and logoff, rely directly on Sysvol replication. If monitoring the File Replication System (FRS) or Distributed File System Replication (DFSR) event log is not sufficient, import the FRS or DFSR Management Packs and, in the case of FRS, deploy the Ultrasound monitoring and troubleshooting tool.

    Getting the latest Management Pack and Management Pack Documentation

    You can find the latest Active Directory Management Packs at http://go.microsoft.com/fwlink/?LinkId=82105. The latest version of this document is available at http://go.microsoft.com/fwlink/?LinkId=85414.

    What's New

    The following features are new in this release of the Active Directory Management Pack:


    • Domain discovery that enables Operations Manager 2007 to automatically discover domains in your Active Directory environment

    • New performance and client monitoring views to provide more ways to view your monitoring data

    • A new child domain topology view, allowing you to see subdomains of other domains

    • New dashboard views that combine multiple views into one view to allow analysis of trends and similarities between related metrics

    Getting Started with the Active Directory Management Pack

    Before You Import the Management Pack

    Before you import the Active Directory Management Pack and the Active Directory Client Management Pack, note the following limitations of both Management Packs:

    • Neither of the Management Packs supports agentless monitoring.

    • The Active Directory Management Pack does not support monitoring across multiple forests.

    Before you import the Active Directory Management Pack, take the following actions:

    • Decide whether you want to deploy the Active Directory Client Management Pack. This Management Pack integrates with the server-side monitoring capabilities of the Active Directory Management Pack to provide a more robust view of Active Directory health.

    • Verify that each domain controller and client you plan to monitor has an agent installed.

    • If you plan to use the Active Directory Client Management Pack, deploy it on computers that are running directory-enabled applications, such as Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003.

    Files to Download

    Download the latest Management Pack files from http://go.microsoft.com/fwlink/?LinkId=82105, or access the files described in the following table in the ManagementPack directory on the installation media.


    File Name                                       Description

    Microsoft.Windows.Server.AD.2000.Discovery      Required for monitoring Active Directory in Windows Server 2000
    Microsoft.Windows.Server.AD.2000.Monitoring     Required for monitoring Active Directory in Windows Server 2000
    Microsoft.Windows.Server.AD.2003.Discovery      Required for monitoring Active Directory in Windows Server 2003
    Microsoft.Windows.Server.AD.2003.Monitoring     Required for monitoring Active Directory in Windows Server 2003
    Microsoft.Windows.Server.AD.Library             Required for all versions of Active Directory
    Microsoft.Windows.Server.AD.ClientMonitoring    Optional; enables client monitoring

64-bit Considerations on Windows Server 2003

    There are some migration restrictions if you are running Microsoft Operations Manager 2005 simultaneously with Operations Manager 2007 on domain controllers running the x64-based version of Windows Server 2003.

    These restrictions exist because the 2005 agent running on 64-bit domain controllers is the 32-bit version of the agent, but the 2007 agent is a 64-bit version. The 2005 agent contains the 32-bit version of the Active Directory Helper Object (version 1.0.3, also referred to as OOMADS) and the Operations Manager 2007 64-bit agent cannot use the 32-bit OOMADS.

    The restrictions are as follows:

    • You cannot monitor a domain controller running the x64-based version of Windows Server 2003 with Operations Manager 2007 and Microsoft Operations Manager 2005 simultaneously. Exclude the domain controller from Microsoft Operations Manager 2005 monitoring and, for each 64-bit domain controller, use Add or Remove Programs to remove OOMADS 1.0.3. The 32-bit OOMADS will be removed, the 64-bit OOMADS will be automatically installed during the next scheduled discovery, and monitoring will begin for Operations Manager 2007.

    • If an Operations Manager 2007 64-bit agent is installed on a domain controller running in 64-bit mode, the existing 32-bit version of OOMADS remains and will not be upgraded. This means that the 2007 Active Directory Management Pack monitoring will not work. The Microsoft Operations Manager 2005 monitoring will continue to work.


    How to Import the Active Directory Management Packs

    In the Operations Console, on the Administrator pane, right-click the Management Packs node, click Import Management Pack(s), and then follow the prompts in the wizard. For more information about importing Management Packs, see the "How to Import Management Packs in Operations Manager 2007" topic in the product help.

    Once you have imported the Management Pack, see the following sections for your next steps:

    • After You Import the Active Directory Server Pack

    • After You Import the Active Directory Client Pack

    After You Import the Active Directory Server Pack

    After the Active Directory Management Pack is imported, follow these procedures to finish your initial configuration:

    1. Create a Management Pack in which you store your overrides. This enables you to reuse overrides created in your test environment in your production environment. For example, you can have a Management Pack that contains all overrides that apply to Active Directory for a particular Management Group.

    2. Enable the Agency Proxy setting on all domain controllers. For more information, see the Enable the Agency Proxy Setting on All Domain Controllers section.

    3. Configure an account for replication monitoring. For more information, see the Configure a User Account for Replication Monitoring section.

    Enable the Agency Proxy Setting on All Domain Controllers

    Enabling the Agency Proxy allows each domain controller to discover its connection object between other domain controllers. Connection objects are hosted by the forest, and the forest is discovered by the topology discovery, which is run on the Operations Manager 2007 principal Management Server.

    Note

    If you do not want to change this security setting, or if you do not need to discover connection objects, disable the AD Remote Topology discovery rule by using an override.

    To enable the Agency Proxy setting on all domain controllers

    1. Open the Operations Console and click the Administration button.


    2. In the Administration pane, click Agent Managed.

    3. Double-click a domain controller in the list.

    4. Click the Security tab.

    5. Select Allow this agent to act as a proxy and discover managed objects on other computers.

    6. Repeat steps 3 through 5 for each domain controller.

    Configure an Account for Replication Monitoring

    To monitor replication, you must configure an account that will be used for the monitoring. This account will only be used for replication monitoring and can be either a new or existing account. If possible, use a dedicated domain account without a password expiration policy to avoid requiring password updates. If the password expires, replication monitoring will stop.

    The steps in this section describe how to configure the user account by:

    1. Granting the domain account the correct permissions.

    2. Associating the account with the Active Directory Management Pack Account Profile.

    To grant an account the correct permissions

    1. Grant the account the following minimum permissions:

        • Member of the Local Users Group

        • Member of the Local Performance Monitor Users group

        • Access to Windows Event logs

        • Manage auditing and security log privilege (SeSecurityPrivilege)

        • Generate security audits privilege (SeAuditPrivilege)

        • Allow log on locally log on right (SeInteractiveLogonRight)

    2. Create the MomLatencyMonitors container as a child container of the root of each domain and application directory partition that you are going to monitor. The MomLatencyMonitors container needs to be created on only one domain controller and will replicate to the other domains in the forest. If you are going to monitor the configuration partition, create the MomLatencyMonitors container as a child object of the configuration partition as well.

    a. Click Start, click Run, and then type adsiedit.msc.

    b. In ADSI Edit, double-click Domain [computername].

    c. Right-click DC=domainname,DC=com, click New, and then click Object.

    d. In Select a class, click Container, and then click Next.


    e. In Value, type MomLatencyMonitors, and then click Next.

    f. Click Finish.

    3. If an application directory partition crosses domain boundaries, provide the appropriate access for the account in each domain.

    4. For each domain controller, give the account Read access to the registry key HKLM\System\CurrentControlSet\Services\NTDS\Parameters. This enables the Action Account to find the location of NTDS.dit and the Active Directory log files.

    5. While still at the registry path used in Step 4, note the directory locations contained in the DSA Database File and Database Log Files Path data values.

    6. For each domain controller, give the account Read access for the two directories you noted in Step 5.
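
    One way to check the result of the registry and directory grants on a domain controller, as an added example that is not part of the original guide: the script reads the two path values from the NTDS Parameters key and reports whether any ACE that names the monitoring account grants more than Read. The account name CONTOSO\svc-admp-repl and the function Test-ReadOnlyAccess are hypothetical; the script assumes Windows PowerShell is available on the domain controller and that the key is at its standard location under Services.

```powershell
# Added example (not from the guide): audit the replication-monitoring account's
# access on one domain controller. Run locally in an elevated session.
param(
    # Hypothetical account name, constructed for this example.
    [string]$Account = 'CONTOSO\svc-admp-repl'
)

# Standard location of the NTDS parameters key (assumption, see lead-in).
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Rights that let a principal modify or re-permission the object.
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL on raw ACEs

# Read the database and log locations from the key's data values.
$params = Get-ItemProperty -Path $ntdsKey
$dbDir  = Split-Path -Parent $params.'DSA Database file'
$logDir = $params.'Database log files path'

function Test-ReadOnlyAccess {
    param([string]$Path, [string]$Identity)

    # Only ACEs that name the account directly are examined; access obtained
    # through group membership is not resolved here.
    $aces = @((Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity })

    if ($aces.Count -eq 0) {
        return [pscustomobject]@{ Target = $Path; Rights = $null; Inherited = $null
                                  Finding = 'NO DIRECT ACE for account' }
    }
    foreach ($ace in $aces) {
        if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rights = $ace.RegistryRights;   $mask = $regWrite
        } else {
            $rights = $ace.FileSystemRights; $mask = $fsWrite
        }
        # An Allow ACE carrying any write-class bit is more than the guide asks for.
        $writable = ($ace.AccessControlType -eq 'Allow') -and
                    ((([int]$rights) -band ($mask -bor $generic)) -ne 0)
        [pscustomobject]@{
            Target    = $Path
            Rights    = "$($ace.AccessControlType): $rights"
            Inherited = $ace.IsInherited
            Finding   = if ($writable) { 'REVIEW: more than Read' } else { 'OK: read-only' }
        }
    }
}

# The key itself plus the two directories it points to (deduplicated if equal).
$ntdsKey, $dbDir, $logDir | Sort-Object -Unique |
    ForEach-Object { Test-ReadOnlyAccess -Path $_ -Identity $Account } |
    Format-Table -AutoSize -Wrap
```

    A 'NO DIRECT ACE' row means the account's access, if any, comes through a group and should be reviewed against that group's membership.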

    To create a RunAs account and associate it with the AD MP Account Profile

    1. Open the Operations Console, and then click the Administration button.

    2. In the Administration pane, expand Security, and then click Run As Accounts.

    3. Right-click and select Create RunAs Account, and then follow the prompts to complete the wizard. When you enter the account password, be careful to type the correct password; the field is not validated. For additional information, click the Help button.

    4. In the Administration pane, click Run As Profiles.

    5. Double-click AD MP Account.

    6. Click the Run As Accounts tab, and then click New.

    7. Associate the AD MP Account to all domain controllers in your environment. Because of security restrictions, you must manually select each domain controller and associate the account until all managed domain controllers are associated with this account.

    After You Import the Active Directory Client Management Pack

    Do not enable client monitoring on all of your member servers or desktop client computers running Windows. Too many clients running synthetic transactions can degrade the performance of your Active Directory deployment.

    To enable client monitoring after you import the Active Directory Client Pack

    1. Open the Operations Console, and then click the Authoring button.
