Monitoring Active Directory performance is an important part of maintaining and administering your Microsoft Windows 2000 installation. You use Active Directory performance data to
This lesson introduces you to the Active Directory performance monitoring tools and guides you through the steps required to set up Active Directory performance monitoring.
After this lesson, you will be able to
Estimated lesson time: 50 minutes
Windows 2000 provides several tools for monitoring Active Directory performance. On the Administrative Tools menu, the Event Viewer console allows you to view log files and error messages sent by applications. The Performance console provides a graphical way to view performance of Active Directory according to measurements, or counters, that you select. The Performance console also provides a means to log activity or send alerts according to those measurements and view the logs either printed or online.
Windows 2000 provides the Event Viewer console as a way to monitor Windows-wide events such as application, system, and security events, and service-specific events such as directory service events. These events are recorded in event logs. For example, if you need detailed information about when directory partitions are being replicated, you would study the File Replication Service log in the Event Viewer.
Also, if you experience problems with Active Directory, it is recommended that the directory service event logs be the first item that you use to investigate the causes of the problem. By using information from the event log, you can better understand the sequence and types of events that led up to a particular performance problem.
Event Viewer can be used to view, locate, filter, and archive information contained in Windows 2000 security logs and to configure security logs. The procedures for each of these tasks are similar for the event logs used to monitor Active Directory performance. These logs are described in Table 19.5.
Table 19.5 Event Logs for Monitoring Active Directory Performance
Log | Description |
---|---|
Application | Contains errors, warnings, or information generated by applications, such as a database server or an e-mail program. The application developer presets which events to record. |
Directory Service | Contains errors, warnings, and information generated by Active Directory (see Figure 19.8). |
File Replication Service | Contains errors, warnings, and information generated by the File Replication service. |
System | Contains errors, warnings, and information generated by Windows 2000. Windows 2000 presets which events to record. |
Figure 19.8 The Directory Service log
The Performance console allows you to monitor conditions within local and remote computers anywhere in your network and to summarize performance at selected intervals. The Performance console can use various counters for monitoring real-time resource usage. It can log results into a file so that you can view and diagnose historical performance problems. With appropriate permissions, it can monitor resource usage of other computers that run server services on the network. The Performance console can also be used for collecting baseline performance data and then configured to send alerts to the Event Log or other locations about exceptions to the baseline.
The Performance console contains two snap-ins: System Monitor (an ActiveX control) and Performance Logs And Alerts.
With System Monitor, you can measure Active Directory performance on your own computer or other computers on a network. You can perform the following tasks:
A sample System Monitor is shown in Figure 19.9.
You can define the Active Directory data you want to collect in the following ways:
Figure 19.9 A sample System Monitor
In addition to options for defining data content, you have considerable flexibility in designing the appearance of your System Monitor views:
To begin monitoring data, you specify performance objects and performance counters. A performance object is a logical connection of counters that is associated with a resource or service that can be monitored. For the purposes of monitoring Active Directory, you monitor the activity of the NTDS (NT Directory Service) performance object. By using System Monitor, you can track the activity of performance objects through the use of counters. Performance counters refer to the multitude of conditions that can apply to a performance object. For example, if you need to find out the number of connected LDAP client sessions, you can select the LDAP Client Sessions counter under the NTDS performance object and then view the current activity by using System Monitor.
The NTDS performance object contains many performance counters that provide statistics about Active Directory performance. After determining the statistics you want to monitor, you must find the matching performance counters.
Performance counters can provide some baseline analysis information for capacity and performance planning. Typically, counters that are suited for capacity planning contain the word "total" in their name. These counters fall into three types: statistic counters, ratio counters, and accumulative counters. Statistic counters show totals per second. An example is DRA (Directory Replication Agent) Inbound Properties Total/Sec, which is the total number of object properties received from inbound replication partners. Ratio counters show percentage of total. An example is DS (Directory Service) % Writes From LDAP, which is the percentage of directory writes coming from LDAP query. Accumulative counters show totals since Active Directory was last started. An example is DRA Inbound Bytes Total Since Boot, which is the total number of bytes replicated in, the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).
Each counter has its own guidelines and limits. The counters in Table 19.6 are of special interest for the reasons described.
Table 19.6 Important Active Directory System Monitor Counters on the NTDS Performance Object
Counter | Description |
---|---|
DRA Inbound Bytes Compressed (Between Sites, After Compression)/Sec | The compressed size (in bytes) of inbound compressed replication data (size after compression, from Directory System Agents [DSAs] in other sites). |
DRA Inbound Bytes Compressed (Between Sites, Before Compression)/Sec | The original size (in bytes) of inbound compressed replication data (size before compression, from DSAs in other sites). |
DRA Inbound Bytes Not Compressed (Within Site)/Sec | The number of bytes received through inbound replication that were not compressed at the source— that is, from other DSAs in the same site. |
DRA Inbound Bytes Total/Sec | The total number of bytes received through replication, per second. It is the sum of the number of uncompressed bytes (never compressed) and the number of com- pressed bytes (after compression). |
DRA Inbound Full Sync Objects Remaining | The number of objects remaining until the full synchronization process is completed, or set. |
DRA Inbound Objects/Sec | The number of objects received, per second, from replication partners through inbound replication. |
DRA Inbound Objects Applied/Sec | The rate, per second, at which replication updates are received from replication partners and applied by the local directory service. This count excludes changes that are received but not applied (for example, when the change is already present). This indicates how much replication update activity is occurring on the server as a result of changes generated on other servers. |
DRA Inbound Objects Filtered/Sec | The number of objects received per second from inbound replication partners that contained no updates that needed to be applied. |
DRA Inbound Object Updates Remaining in Packet | The number of object updates received in the current directory replication update packet that have not yet been applied to the local server. This tells you whether the monitored server is receiving changes but taking a long time applying them to the database. |
DRA Inbound Properties Applied/Sec | The number of properties that are applied through inbound replication as a result of reconciliation logic. |
DRA Inbound Properties Filtered/Sec | The number of property changes that are already known received during the replication. |
DRA Inbound Properties Total/Sec | The total number of object properties received per second from inbound replication partners. |
DRA Inbound Values (DNs Only)/Sec | The number of object property values received from inbound replication partners that are Distinguished Names (DNs), per second. This includes objects that reference other objects. Distinguished Names values, such as group or distribution list memberships, are more expensive to apply than other kinds of values because group or distribution list objects can include hundreds and thousands of members and therefore are much bigger than a simple object with only one or two attributes. This counter might explain why inbound changes are slow to be applied to the database. |
DRA Inbound Values Total/Sec | The total number of object property values received from inbound replication partners per second. Each inbound object has one or more properties, and each property has zero or more values. Zero values indicate property removal. |
DRA Outbound Bytes Compressed (Between Sites, After Compression)/Sec | The compressed size (in bytes) of outbound compressed replication data, after compression, from DSAs in other sites. |
DRA Outbound Bytes Compressed (Between Sites, Before Compression)/Sec | The original size (in bytes) of outbound compressed replication data, before compression, from DSAs in other sites. |
DRA Outbound Bytes Not Compressed (Within Site)/Sec | The number of bytes replicated out that were not compressed, that is, from DSAs in the same site. |
DRA Outbound Bytes Total/Sec | The total number of bytes replicated out per second. The sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression). |
DRA Outbound Objects/Sec | The number of objects replicated out per second. |
DRA Outbound Objects Filtered/Sec | The number of objects acknowledged by outbound replication that required no updates. They also represent objects that the outbound partner did not already have. |
DRA Outbound Properties/Sec | The number of properties replicated out per second. This tells you whether a source server is returning objects or not. |
DRA Outbound Values (DNs Only)/Sec | The number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are more expensive to read than other kinds of values because group or distribution list objects can include hundreds and thousands of members and therefore are much bigger than a simple object with only one or two attributes. |
DRA Outbound Values Total/Sec | The number of object property values sent to outbound replication partners per second. |
DRA Pending Replication Synchronizations | The number of directory synchronizations that are queued for this server but not yet processed. This helps in determining replication backlog; the larger the number, the larger the backlog. |
DRA Sync Requests Made | The number of synchronization requests made to replication partners. |
DS Directory Reads/Sec | The number of directory reads per second. |
DS Directory Writes/Sec | The number of directory writes per second. |
DS Security Descriptor Suboperations/Sec | The number of Security Descriptor Propagation sub-operations per second. One Security Descriptor Propagation operation is made up of many suboperations. A suboperation roughly corresponds to an object the propagation causes the propagator to examine. |
DS Security Descriptor Propagations Events | The number of Security Descriptor Propagation events that are queued but not yet processed. |
DS Threads in Use | The current number of threads in use by the directory service (different than the number of threads in the directory service process). Threads in Use is the number of threads currently servicing client application programming interface (API) calls and can be used to indicate whether additional processors can be of benefit. |
Kerberos Authentications/Sec | The number of times per second that clients use a ticket to this domain controller to authenticate this domain controller. |
LDAP Bind Time | The time (in milliseconds) taken for the last successful LDAP binding. |
LDAP Client Sessions LDAP Searches/Sec | The number of connected LDAP client sessions. The number of search operations per second performed by LDAP clients. |
LDAP Successful Binds/Sec | The number of successful LDAP binds per second. |
NTLM Authentications | The number of NT LAN Manager (NTLM) authentications per second serviced by this domain controller. |
XDS Client Sessions | The number of connected Extended Directory Service (XDS) client sessions. This indicates the number of connections from other Windows NT services and the Windows NT Administrator program. |
You can select the performance counters to monitor and then view them graphically in the System Monitor as a chart, histogram, or log file data display.
Follow these steps to monitor Active Directory performance counters:
Figure 19.10 The Add Counters dialog box
NOTE
For a description of a particular counter (see Figure 19.10), click the name of the counter from the list, and then click Explain.
NOTE
Because there are many counters, monitoring all counters affects processing time and is not a practical solution.
- To monitor only selected counters, click Select Counters From List and select the counters you want to monitor. You can select multiple counters by clicking on a counter and holding the Ctrl key.
The counters that you selected appear in the lower part of the screen; each counter is represented by its own color. Choose either the chart, histogram, or report display view by clicking the appropriate toolbar button.
NOTE
When creating a System Monitor snap-in for export, make sure to select Use Local Computer Counters on the Select Counters dialog box. Otherwise, System Monitor obtains data from the computer named in the text box, regardless of where the snap-in is installed.
The Performance Logs And Alerts snap-in enables you to create counter logs, trace logs, and system alerts automatically from local or remote computers.
Counter logs, which are similar to System Monitor, support the definition of performance objects and performance counters and setting sampling intervals for monitoring data about hardware resources and system services. Counter logs collect performance counter data in a comma-separated or tab-separated format for easy import to spreadsheet or database programs. You can view logged counter data using System Monitor or export the data to a file for analysis and report generation.
Using the default system data provider or another nonsystem provider, trace logs record data when certain activities such as a disk I/O operation or a page fault occur. When the event occurs, the provider sends the data to the Performance Logs and Alerts service. This differs from the operation of counter logs; when counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
Active Directory nonsystem providers include those for NetLogon, the Kerberos protocol, SAM, and Windows NT Active Directory Service. These providers generate trace log files containing messages that may be used to track the operations performed.
A parsing tool is required to interpret the trace log output. Developers can create such a tool using APIs provided on the Microsoft Developer Web site (http://msdn.microsoft.com/).
For both counter and trace logs you can
To create or modify a log, you must have Full Control permission for the following registry key, which controls the Performance Logs and Alerts service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries
Administrators usually have this permission by default. Administrators can grant permission to users by using the Security menu in REGEDT32.EXE.
To run the Performance Logs and Alerts service (which runs in the background when you configure a log), you must have permission to start or otherwise configure services on the system. Administrators have this right by default and can grant it to users by using group policy. To log data on a remote computer, the Performance Logs and Alerts service must run under an account that has access to the remote system.
To create a counter log, you first define the counters you want to log and then set log file and scheduling parameters.
Follow these steps to create a counter log:
Any existing logs will be listed in the details pane. A green icon indicates that a log is running; a red icon indicates that a log has been stopped.
Table 19.7 Options on the Log Files Tab
Option | Description |
---|---|
Location | The name of the folder where you want the log file created, or click Browse to search for the folder. |
File Name | A partial or base name for the log file. You can use File Name in conjunction with End File Names With if appropriate. Appears on the details pane. |
End File Names With | The suffix style you want from the list. Distinguish between individual log files with the same log filename that are in a group of logs that have been automatically generated. |
Start Numbering At | The start number for automatic file numbering, when you select nnnnnn as the End File Names With. |
Log File Type | The format you want for this log file. Text File—CSV, defines a comma-delimited log file (with a .csv extension). Use this format to export the log data to a spreadsheet program. Text File—TSV defines a tab-delimited log file (with a .tsv extension). Use this format to export the log data to a spreadsheet program. Binary File defines a sequential, binary-format log file (with a .blg extension). Use this file format if you want to be able to record data instances that are intermittent—that is, stopping and resuming after the log has begun running. Nonbinary file formats cannot accommodate instances that are not persistent throughout the duration of the log. Binary Circular File defines a circular, binary-format log file (with a .blg extension). Use this file format to record data continuously to the same log file, overwriting previous records with new data. |
Comment | A comment or description for the log file. Appears in the details pane. |
Log File Size | Maximum Limit - data is continuously collected in a log file until it reaches limits set by disk quotas or the operating system. Limit Of - the maximum size (in kilobytes, up to two gigabytes) of the log file. Select this option if you want to do circular logging. |
Figure 19.11 The Log Files tab of a counter log's dialog box
Table 19.8 Options on the Schedule Tab
Option | Description |
---|---|
Start Log | Manually - logging starts manually. At - logging starts according to the time and date parameters you set. |
Stop Log | Manually - logging stops manually. After - logging stops after the time you specify. At - logging stops at the time and date parameters you set. When The Log File Is Full - logging stops when the log file reaches a maximum size. |
When A Log File Closes | Start A New Log File - logging resumes in a new file after logging stops for the current log file. Run This Command - a command you specify is run when a log file closes. |
Figure 19.12 The Schedule tab of a counter log's dialog box
NOTE
When creating a Performance Logs and Alerts snap-in for export, make sure to select Use Local Computer Counters on the Select Counters dialog box. Otherwise, counter logs will obtain data from the computer named in the text box, regardless of where the snap-in is installed.
To create a trace log, you first define how you want events logged and then set log file and scheduling parameters.
Follow these steps to create a trace log:
Any existing logs will be listed in the details pane. A green icon indicates that a log is running; a red icon indicates that a log has been stopped.
In the General tab of the trace log's Properties dialog box, the name of the path and filename of the log file is shown in the Current Log File Name box. By default, the log file is created in the PerfLogs folder in the root directory, and a sequence number is appended to the filename you entered and the sequential trace file type with the .etl extension.
For a list of the installed providers and their status (enabled or not), click Provider Status.
NOTE
You can have only one trace log that uses the system provider running at a time. In addition, you cannot concurrently run multiple trace logs from the same nonsystem provider. If the system trace provider is enabled, nonsystem providers cannot be enabled, and vice versa. However, you can enable multiple nonsystem providers simultaneously.
Table 19.9 Trace Log-Specific Options in the Log Files Tab
Option | Description |
---|---|
Log File Type | The format you want for this log file: Circular Trace File - defines a circular trace log file (with an .etl extension). Use this file format to record data continuously to the same log file, overwriting previous records with new data. Sequential Trace File defines a sequential trace log file (with an .etl extension) that collects data until it reaches a user-defined limit and then closes and starts a new file. |
Log File Size | Maximum Limit - data is continuously collected in a log file until it reaches limits set by disk quotas or the operating system. Limit Of - the maximum size (in megabytes) of the log file. Select this option if you want to do circular logging. |
NOTE
Trace logging of file details and page faults can generate an extremely large amount of data. It is recommended that you limit trace logging using the file details and page fault options to a maximum of 2 hours.
Alerts, which are similar to System Monitor and counter logs, support the use of performance objects and performance counters and setting sampling intervals for monitoring data about hardware resources and system services. Using this data, you can create an alert for a counter, which logs an entry in the application event log, sends a network message to a computer, starts a performance data log, or runs a program when the selected counter's value exceeds or falls below a specified setting.
You can start or stop an alert scan either manually on demand or automatically based on a user-defined schedule.
To create an alert, you first define the counters you want to monitor for the alert and then set alert triggering and scheduling parameters.
Follow these steps to create an alert:
Any existing alerts will be listed in the details pane. A green icon indicates that the alerts are running; a red icon indicates alerts have been stopped.
Options on the Action Tab
Option | Description |
---|---|
Log An Entry In The Application Event Log | Creates an entry visible in Event Viewer |
Send A Network Message To | Triggers the messenger service to send a message to the specified computer |
Start Performance Data Log | Runs a specified counter log when an alert occurs |
Run This Program | Triggers the service to create a process and run a specified program when an alert occurs |
Command Line Arguments | Triggers the service to copy specified command-line arguments when the Run This Program option is used |
Figure 19.13 The Action tab of an alert's dialog box and the Command Line Arguments dialog box
In this practice, you monitor specified performance counters using System Monitor. Then you use Performance Logs and Alerts to create a counter log and an alert for the LDAP Searches/Sec counter.
In this exercise, you select performance counters to monitor and then view them graphically in the System Monitor as a chart, histogram, or log file data display.
The counters that you selected appear in the lower part of the screen; each counter is represented by its own color. Choose either the chart, histogram, or report display view by clicking the appropriate toolbar button.
In this exercise, you create a counter log by first defining the counters you want to log and then setting log file and scheduling parameters.
In this exercise, you create an alert by first defining the counters you want to monitor for the alert and then setting alert triggering and scheduling parameters.
In this lesson, you learned about the Active Directory performance monitoring tools, the Event Viewer console, and the Performance console.
The Event Viewer console is a tool to monitor events such as application or system errors or the successful starting of a service. If you experience problems with Active Directory, it is recommended that the directory service event logs be the first item that you use to investigate the causes of the problem.
The Performance console allows you to monitor conditions within local and remote computers anywhere in your network and to summarize performance at selected intervals. The Performance console contains two snap-ins: System Monitor (an ActiveX control) and Performance Logs And Alerts. With System Monitor, you can measure Active Directory performance on your own computer or other computers on a network. The Performance Logs And Alerts snap-in enables you to create counter logs, trace logs, and system alerts automatically from local or remote computers.
In the practice portion of this lesson, you monitored specified performance counters using System Monitor. Then you used Performance Logs And Alerts to create a counter log and an alert for the LDAP Searches/Sec counter.