Introduction

This chapter deals with tracking the activity and usage of various Active Directory components. Whenever you need to troubleshoot a problem, often the first place you look is log files. With Active Directory, there are several different log files, and each have different ways to increase or decrease the verbosity of information that is logged. Viewing log messages can be useful, but you may also want to look at performance metrics to determine if the system is being over-utilized. I'll review a couple of ways you can view performance metrics and monitor Active Directory performance. For more extensive monitoring, I suggest looking at NetPro's (http://www.netpro.com/) Active Directory monitoring tools or Microsoft Operations Manager (http://microsoft.com/mom/).

I'll also cover a somewhat-related topic in this chapter called quotas, which allow you to monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature, introduced in Windows Server 2003, closes a hole that existed in Windows 2000 where users that had access to create objects in Active Directory could create as many as they wanted. These users could even cause a denial of service by creating objects until the disk filled on the domain controllers. This kind of attack is not likely to happen in most environments, but the possibility should still be considered.

The Anatomy of a Quota Object Container

Quota objects are stored in the NTDS Quotascontainer in all Windows Server 2003-based naming contexts and application partitions except the schema-naming context (quotas cannot be associated with the schema-naming context). By default, this container is hidden from view within tools, such as Active Directory Users and Computers, but can be seen by selecting View Advanced Features from the menu. The quota object container has an objectClass of msDS-QuotaContainer, and contains several attributes that define default quota behavior. Table 15-1 lists some of the important attributes of msDS-QuotaContainer objects.

Table 15-1. Attributes of msDS-QuotaContainer objects

Attribute

Description

cn

RDN of quota container objects. By default, this is equal to NTDS Quotas.

msDS-DefaultQuota

The default quota applied to all security principals that do not have another quota specification applied. See Recipe 15.16 for more details.

msDS-QuotaEffective

A constructed attribute that contains the effective quota of the security principal that is viewing the attribute. See Recipe 15.17 for more details.

msDS-QuotaUsed

A constructed attribute that contains the quota usage of the security principal that is viewing the attribute. See Recipe 15.17 for more details.

msDS-TombstoneQuotaFactor

Percentage that tombstone objects count against a quota. The default is 100, which means a tombstone object has equal weighting to a normal object. See Recipe 15.15 for more details.

msDS-TopQuotaUsage

Multivalued attribute that contains information about the security principals with the top quota usage. See Recipe 15.17 for more details.

The Anatomy of a Quota Object

Quota objects have an objectClass of msDS-QuotaControl, which defines three attributes that relate to quotas. Table 15-2 contains these attributes and provides a description for each.

Table 15-2. Attributes of msDS-QuotaControl objects

Attribute

Description

cn

RDN of the quota object.

msDS-QuotaAmount

Number of objects that can be created by the security principals that the quota applies to. See Recipe 15.13 for more information.

msDS-QuotaTrustee

SID of the security principal that the quota applies to. This can be a user, group, or computer SID. See Recipe 15.13 for more information.



Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net