Monitoring the Database

It’s important to implement a consistent Active Directory monitoring strategy to ensure database integrity, reliability, and performance within your forest. Regular monitoring can also improve your knowledge of Active Directory and assist you in determining when a problem is in the early stages of unfolding. This will lead to performance and service issues being resolved in a much more timely manner. It is important to remember that Active Directory does not exist in a vacuum. Performance and service issues that seem to relate to Active Directory can be caused by other key infrastructure components, such as name resolution services. In the following sections, we look at some of the primary tools that you can use to monitor Active Directory.

Using Event Viewer to Monitor Active Directory

You can use the Windows Server 2003 Event Viewer tool, which is accessed via Start | Programs | Administrative Tools | Event Viewer, to view a variety of event logs on the DC. For monitoring the directory service, the following event logs are of particular interest:

■ DNS Server This event log displays information relating to the DNS server service if it is installed on the DC. It is common in small environments and remote offices to have a single server acting as both DC and DNS server (along with other roles). Because clients running Windows 2000 and later operating systems use DNS to locate DCs and GC servers, problems with this service can severely impact Active Directory availability on the network.
■ System This event log displays critical information concerning the state of the operating system as a whole. Examining the System log should be part of the review procedure because underlying system stability is critical to optimum functionality of a DC. The System event log is also used to display messages that notify you when the DC’s DNS record was not registered or updated properly.
■ Application This event log displays extensive information from Group Policy and other related Active Directory components.
■ Directory Service This is the primary event log for Active Directory. It includes information related to when the directory service starts and stops, the Garbage Collection process, online defragmentation, and much more.
■ File Replication Service This service controls the replication of SYSVOL, which contains critical data such as Group Policy and replication topology connection information.

In a large domain, event logs can grow quite rapidly, which makes it difficult to search through them for key events. Microsoft recommends using the filter or search functionality to specifically seek out events matching the following criteria:

■ All records with an Error severity level in the Directory Service or FRS event logs.
■ All LSASS records in the System event log with a severity level of Error. The Local Security Authority subsystem (LSASS) is the primary security subsystem for Active Directory.

636 Chapter 19 • Ensuring Active Directory Availability 301_BD_W2k3_19.qxd 5/12/04 2:21 PM Page 636

■ All Kerberos V5 Key Distribution Center (KDC) records in the System event log with a severity level of Error. The KDC is the primary logon service for Windows 2000 and later clients in Active Directory.
■ All USERENV records in the Application event log with a severity level of Error. This setting can indicate problems with the application of Group Policy.

Using the Performance Console to Monitor Active Directory

The Performance console is another tool that comes preinstalled in Windows Server 2003 and can be very helpful in monitoring Active Directory. The Performance console, accessed via Start | Programs | Administrative Tools | Performance, is capable of monitoring the server on which it is installed as well as other remote servers. Data from any number of Windows Server 2003 computers can be combined for tracking or display purposes.
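The four Event Viewer filter criteria listed in the previous section can be expressed as a single review rule. The following is an added example, not code from the chapter: it encodes those criteria and runs them over constructed event records (the record shape, the sample source names and the event IDs are assumptions, not Windows API types or real IDs).

```python
# Added example, not code from the chapter: encodes the Event Viewer filter
# criteria Microsoft recommends for DCs as a function, and runs it over a few
# constructed event records so the rules can be checked offline.
#
# A record here is a dict with the keys 'log', 'source' and 'type'. That shape
# is a constructed stand-in for an Event Viewer row, not a Windows API type,
# and the source names below are the ones the chapter uses; confirm the exact
# Source strings shown in Event Viewer on your own DCs before filtering on them.

# Event Viewer severity level that every recommended criterion keys on.
ERROR = "Error"

# Logs in which every Error record is worth reviewing.
WHOLE_LOG_RULES = {
    "Directory Service": "Directory Service error",
    "File Replication Service": "FRS error",
}

# (log, source) pairs in which only Error records from that source matter.
SOURCE_RULES = {
    ("System", "LSASS"): "LSASS error (Local Security Authority subsystem)",
    ("System", "KDC"): "Kerberos KDC error (logon service)",
    ("Application", "USERENV"): "USERENV error (Group Policy application)",
}


def classify(event):
    """Return the name of the matching review rule, or None if the event does
    not meet any of the recommended criteria."""
    if event["type"] != ERROR:
        return None
    log = event["log"]
    if log in WHOLE_LOG_RULES:
        return WHOLE_LOG_RULES[log]
    # Source names are compared case-insensitively because Event Viewer shows
    # some of them in mixed case (e.g. 'Userenv').
    return SOURCE_RULES.get((log, event["source"].upper()))


def review_queue(events):
    """Return [(event, rule)] for every event an administrator should look at,
    in the order the events were supplied."""
    queue = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            queue.append((ev, rule))
    return queue


# Constructed sample records; the IDs are illustrative, not real event IDs.
# Note that the DNS Server log, although worth reviewing on a DC that also runs
# DNS, is not covered by these four criteria, so its error is not queued.
SAMPLE_EVENTS = [
    {"log": "Directory Service", "source": "NTDS Replication", "type": "Error", "id": 1},
    {"log": "Directory Service", "source": "NTDS General", "type": "Information", "id": 2},
    {"log": "System", "source": "LSASS", "type": "Error", "id": 3},
    {"log": "System", "source": "KDC", "type": "Warning", "id": 4},
    {"log": "System", "source": "Service Control Manager", "type": "Error", "id": 5},
    {"log": "Application", "source": "Userenv", "type": "Error", "id": 6},
    {"log": "File Replication Service", "source": "NtFrs", "type": "Error", "id": 7},
    {"log": "DNS Server", "source": "DNS", "type": "Error", "id": 8},
]

if __name__ == "__main__":
    for ev, rule in review_queue(SAMPLE_EVENTS):
        print(f"event {ev['id']:>2} [{ev['log']}/{ev['source']}]: {rule}")
```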
Windows contains a variety of performance metrics that can be monitored with this utility. The Performance utility consists of the following three components:

■ System Monitor This portion of the utility is used to graphically display performance metrics.
■ Counter and Trace logs These options allow for detailed levels of logging over time. In most cases, you won’t have time to sit around all day watching the System Monitor, which charts real-time information. Instead, you’ll need data that you can review and work with when it is convenient.
■ Alerts The Alerts option allows you to specify critical thresholds that, when exceeded, cause some type of action to take place. The default action is to have the alert generate a message in Event Viewer. You can also have it send a network message, start logging to a preconfigured counter log, or execute a script, batch file, or program.

The metrics that are monitored using the Performance console are called counters. These counters are grouped according to the objects to which they pertain. Figure 19.5 shows some of the counters available for the NTDS (directory services) object.

Figure 19.5 The Add Counters Dialog Box

Microsoft recommends that you use the following performance counters for monitoring Active Directory:

■ NTDS performance object counters:
  ■ DRA inbound and outbound counters These counters are used to track the amount of replication information that flows into and out of a site. Significant changes can indicate a major increase in the amount of replication traffic or a shift in the site replication topology.
  ■ DS Search sub-operations/sec Significant changes in this counter can indicate an application that is incorrectly targeting a DC, or performance problems involving the DC.
  ■ LDAP Searches/sec This counter corresponds to the overall number of LDAP searches per second on the DC.
  It should be relatively consistent across all of your DCs in a well-planned and balanced environment. If it isn’t, this counter can indicate that an application is incorrectly targeting a DC (rather than spreading its use out across several DCs). It can also indicate uneven client loads. This counter is also useful for tracking trends over time for capacity planning.
  ■ LDAP Client Sessions This counter displays the number of clients that are connected to the LDAP services. It can also be used to track uneven client loads, which might be indicative of connection failures to other DCs in a well-planned and balanced environment. Like the LDAP Searches/sec counter, this counter is useful for tracking trends over time for capacity planning.
  ■ NTLM Authentications This counter indicates the number of domain authentications taking place using the NTLM protocol. Windows 2000 and later clients should use Kerberos for authentication, but will fail back to NTLM when they are unable to authenticate using Kerberos. This counter can be used to indicate Kerberos authentication issues in these types of environments.
  ■ Kerberos Authentications This counter indicates the number of domain authentications that take place using the Kerberos protocol. This counter is helpful in tracking authentication trends over time for capacity planning.
■ Processor object counters:
  ■ % Processor Time This counter can be used to track the overall consumption of processor resources in the DC. Microsoft recommends that this counter not exceed 85 percent on a sustained basis.
  ■ % DPC Time This counter alerts you to delayed execution of processes resulting from the DC being too busy to execute them. Microsoft recommends a sustained threshold of 10 for this counter.
■ System object counters:
  ■ Processor Queue Length This counter indicates that the system cannot keep up with processing requests.
  When you see the word queue in any counter, the counter tracks the number of things “waiting in line” to use the resource. Microsoft recommends that this counter not exceed a value of 6 on a sustained basis.
  ■ Context Switches/sec Most modern processors can only execute one thread at a time. Although it appears that the computer is running many programs at once, each program is actually sharing the processor with all others. Each thread (the smallest unit of executable code in a program) uses the processor for a short period of time and then passes it on to the next. This concept is referred to as time slicing. A context switch occurs when the processor switches between waiting processes. This counter can indicate too many applications (including operating system applications) for the processor to service, or applications that are too busy for the processor to keep up with. Microsoft recommends that this counter not exceed 70,000 on a sustained basis.
■ Memory object counters:
  ■ Page Faults/sec This counter indicates when needed program code is not resident in memory and must be loaded from disk (from the page file). This is often an indication of a system in need of more physical RAM. Microsoft recommends a sustained threshold of 700 for this counter.
  ■ Available MBytes This counter indicates the amount of available system memory. Microsoft recommends using this counter to configure an alert that will notify you when the DC is running low on memory resources.
■ PhysicalDisk:Current Disk Queue Length counter This counter can be used to track the number of disk reads and writes that are waiting to be filled. This can be the result of a busy processor that is not able to keep up with IRQ requests, or a slow disk drive or subsystem. Microsoft recommends that this counter not exceed a value of 2 on a sustained basis.

Use the following steps to configure System Monitor to display the key NTDS object counters.

Use System Monitor to Monitor Active Directory

1.
Open the Windows Server 2003 Performance console from Start | Programs | Administrative Tools | Performance.
2. Select the System Monitor node in the left pane.
3. In the right pane, right-click on the graph and select Add Counters… in the context menu that appears. Note that you can also click the + button on the toolbar above the graph to add a new counter.
4. In the Add Counters dialog box, select NTDS from the Performance object: drop-down box.
5. In the Select counters from list: box, select the DS Search sub-operations/sec counter.
6. Click the Add button.
7. Repeating steps 5 and 6 after each addition, add the following counters: LDAP Searches/sec, LDAP Client Sessions, NTLM Authentications, and Kerberos Authentications.
8. Click the Close button in the Add Counters dialog box.
9. Your new counters should appear in the list in the right pane under the graph, as shown in Figure 19.6. Select one of these counters by clicking on it in this list.
10. Press Ctrl + H to highlight the counter in the graph. This tool is often used to display a large number of counters, making it very difficult to tell them apart in the graph. Using the highlight feature makes this much easier.
11. Close the Performance console.

Backing Up and Restoring Active Directory

Although it’s technically just a collection of files, Active Directory has its own unique backup and restore methods. In this section, we’ll discuss backing up and restoring the Active Directory database.
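Before leaving the monitoring tools, the sustained thresholds listed for the Processor, System, Memory and PhysicalDisk counters, together with the Alerts feature of the Performance console, can be modelled as a small check. This is an added example, not the chapter's or Microsoft's code; it assumes that "sustained" means four consecutive samples and uses an assumed 64 MB floor for Available MBytes, for which the chapter gives no figure.

```python
# Added example, not code from the chapter: a small model of the Performance
# console's Alerts feature. It holds the sustained thresholds Microsoft
# recommends for DC counters and reports each counter that stays past its
# threshold for a run of consecutive samples, using constructed sample data.
#
# Assumptions: the chapter does not define "sustained", so here it means every
# sample in WINDOW consecutive samples (four samples at a 15-second interval,
# say); the chapter gives no figure for Available MBytes, so its 64 MB floor is
# a placeholder to replace with a site-specific value.
from collections import namedtuple

Threshold = namedtuple("Threshold", "limit direction")  # direction: "above" | "below"

# Counter paths in the console's Object\Counter form, limits as the chapter states.
RECOMMENDED = {
    r"Processor\% Processor Time": Threshold(85, "above"),
    r"Processor\% DPC Time": Threshold(10, "above"),
    r"System\Processor Queue Length": Threshold(6, "above"),
    r"System\Context Switches/sec": Threshold(70000, "above"),
    r"Memory\Page Faults/sec": Threshold(700, "above"),
    r"Memory\Available MBytes": Threshold(64, "below"),  # assumed placeholder
    r"PhysicalDisk\Current Disk Queue Length": Threshold(2, "above"),
}

WINDOW = 4


def breached(value, t):
    """True when a single sample is past the threshold in the bad direction."""
    return value > t.limit if t.direction == "above" else value < t.limit


def sustained_breaches(samples, thresholds=RECOMMENDED, window=WINDOW):
    """Return [(counter, index)] for each run of `window` consecutive breaching
    samples, where index is the first sample of the run. A counter fires once
    per run; it can fire again only after a sample within limits resets it."""
    alerts = []
    for counter, t in thresholds.items():
        run = 0
        for i, sample in enumerate(samples):
            if counter in sample and breached(sample[counter], t):
                run += 1
                if run == window:
                    alerts.append((counter, i - window + 1))
            else:
                run = 0  # a missing or in-range sample breaks the run
    return alerts


# Constructed sample series, one value per 15-second interval. % Processor Time
# has a single spike (ignored) followed by a sustained run; the disk queue
# stays above 2 for four samples; the other counters only spike briefly.
SERIES = {
    r"Processor\% Processor Time": [40, 95, 45, 90, 92, 96, 88, 60],
    r"Processor\% DPC Time": [2, 15, 3, 2, 2, 3, 2, 2],
    r"System\Processor Queue Length": [1, 8, 2, 8, 2, 8, 2, 1],
    r"System\Context Switches/sec": [20000, 25000, 21000, 30000, 28000, 26000, 24000, 22000],
    r"Memory\Page Faults/sec": [120, 900, 150, 130, 140, 160, 150, 120],
    r"Memory\Available MBytes": [512, 500, 480, 470, 460, 455, 450, 445],
    r"PhysicalDisk\Current Disk Queue Length": [0, 1, 3, 3, 3, 3, 1, 0],
}
SAMPLES = [{c: v[i] for c, v in SERIES.items()} for i in range(8)]

if __name__ == "__main__":
    for counter, start in sustained_breaches(SAMPLES):
        print(f"ALERT {counter}: past threshold from sample {start} "
              f"for {WINDOW} consecutive samples")
```

The isolated spikes in % DPC Time, Processor Queue Length and Page Faults/sec are deliberately not reported, which is the behaviour you want from a sustained-threshold alert rather than a per-sample one.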
Figure 19.6 The Performance Console without Highlighting Enabled

Backing Up Active Directory

Several different methods can be used to back up Active Directory:

■ As part of a full system backup
■ As part of a partial system backup
■ Back up the system state data only

In the past, the Active Directory database had to be backed up as system state data, because its files are held open while the directory service is running. Microsoft Backup and some other third-party backup programs are now able to use a new Windows Server 2003 feature known as the Volume Shadow Copy service to work around this open file issue. Volume Shadow Copy makes a read-only copy of the information in these open files, which can be used for backup purposes. The original files continue to be accessed without any interference from the backup operation. When the backup is complete, the Volume Shadow Copy is deleted. The amount of disk space required by the Volume Shadow Copy will vary, based on the amount of data that changes on the disk during the backup procedure. If the underlying disk does not have enough free space to support Volume Shadow Copy, open files are not backed up.

When preparing a backup job, rather than specifying the individual files for Active Directory to be backed up, it is best to always use the system state data selection in the utility. System state will be backed up automatically when a full system backup is selected, and can be specified manually when a partial backup is selected. Using the system state backup feature ensures that all necessary files are backed up. When using the Windows Server 2003 backup utility, if you select system state data, Volume Shadow Copy is enabled by default and cannot be disabled. If you do not select system state data, you can choose to use Volume Shadow Copy (still selected by default) or not within the Backup Wizard.
Backing Up at the Command Line

Instead of using the graphical Backup utility, you can back up the system state data by using the command-line version of the Backup utility. This might be desirable for use with administrative scripts. The command-line utility is a full-featured backup program that can specify many of the same options covered in the previous section. To back up the system state data, open a command prompt (Start | Run and type cmd) and use the following command and options:

    ntbackup backup systemstate /J "Syngress Backup Job" /F "C:\backupfile.bkf"

■ Ntbackup is the name of the command-line backup utility.
■ Backup is the option to specify a backup operation.
■ Systemstate is the option used to specify that the system state data should be backed up.
■ /J specifies the backup job name, which should be surrounded in quotes if it contains spaces.
■ /F specifies the name of the backup file.

Note that when you run this command, the graphical utility appears to show you the progress of the job. There are many more switches that you can use with the Ntbackup command-line utility; those described here are the ones you will most commonly use to back up the system state data.

Restoring Active Directory

Windows Server 2003 includes three types of directory services restore methods:

■ Primary
■ Normal
■ Authoritative

The Active Directory restore options have seen some significant changes since Windows 2000. In Windows 2000, there were only two methods of restoration: Authoritative and Non-Authoritative. With Windows Server 2003, Authoritative restores remain unchanged; however, Non-Authoritative restores are now referred to as Normal restores. Despite the name change, they function exactly as they always have. A new type of restore has been added, the Primary restore. This is designed to be used when all DCs for a given domain have been wiped out and need to be restored.
Under Windows 2000, this could be an exhaustive Authoritative restore process involving many hours of labor and double-checking. With the new Primary restore type, it is as simple as selecting a check box.

Directory Services Restore Mode

Before we discuss the three different restore methods that can be used, it is important to discuss the Directory Services Restore Mode. Remember that the special feature of this mode is that it allows a DC to boot without initializing its copy of the Active Directory database. Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account. When you have booted to the Directory Services Restore Mode using the directions given earlier in the chapter, you must log on with this account. After you are authenticated, you can perform certain limited maintenance functions, such as running the Ntdsutil utility mentioned earlier. You can also run the Backup utility to perform restores of the Active Directory database. It is necessary to perform all restores while running in this mode, because the Active Directory database must be offline to be restored. In this mode, you are logged on to a local account and the Active Directory database is not in use.

Normal Restore

The simplest of all restore methods is the normal restore. This method can be used in the following circumstances:

■ When a domain only has one DC, and the DC needs to be restored. You can also opt to use the primary restore method (covered later) for this scenario.
■ If there are multiple DCs on the network for the domain, and at least one remains functional, a normal restore can be used to bring the downed DCs back to life.
Like all Active Directory restores, a normal restore is performed by running the Backup utility while logged on to Directory Services Restore Mode. When the restore has completed, the DC is rebooted. When it comes back up, it begins normal replication with its replication partners. Because it was restored from a backup, some of its objects will have older version numbers than ones currently on the network. This will cause updates and deletions to be replicated to the DC and will bring its Active Directory database up to date. To perform a normal restore, follow these steps:

1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
9. On the initial page of the wizard, click the Next button.
10. Select the option button next to Restore files and settings and click the Next button.
11. The What to Restore page contains an Explorer style interface similar to the one you encountered while configuring your backup job. Click the plus sign next to File in the left pane. This should reveal the file to which you backed up the system state data earlier. If it doesn’t, you can click the Browse… button and select the file from the Open Backup File dialog box.
  Click the plus sign next to the file to which you backed up and select the check box next to the backup you want to restore that appears beneath it. Click the Next button after making your selection.
12. At this point in the wizard, you can click the Finish button and allow the restore to proceed with the default advanced settings. However, we want you to see more of the settings that are available within the wizard, so click the Advanced… button.
13. The Where to Restore page appears with three options that can be selected from the Restore files to: drop-down box.
  ■ Original location This option restores all files to their original locations and is the default. When you select this option and click the Next button, a dialog box appears, informing you that restoring system state will always overwrite the current system state information unless you restore to an alternate location. Click the OK button to proceed to the next screen.
  ■ Alternate location Selecting this option reveals the Alternate location: text box and a Browse… button that opens the Restore Path dialog box. You can use this option to restore the files to a different location. This can be helpful for verification and file comparison purposes.
  ■ Single folder This option reveals the Alternate location: text box and Browse… button, which opens the Restore Path dialog box. As with the Alternate location setting, you can use this option to restore the files to an alternate location. When this option is selected, all restored files are placed in a single directory, rather than having their directory structures restored.
14. Click the Next button after making your selection.
15.
Depending on your selection, a Warning dialog box (shown in Figure 19.7) might appear to inform you that a restore of system state data will always overwrite the current system state data unless you choose to restore it to an alternate location. Click the OK button if you receive this dialog box.

Figure 19.7 The System State Restore Warning Dialog Box

16. The How to Restore page contains the following three options:
  ■ Leave existing files (Recommended) This option ensures that the restore process does not overwrite any files that currently exist on the DC.
  ■ Replace existing files if they are older than the backup files This option permits the files on the disk to be overwritten, but only if the backup file is newer than the one currently on the DC.
  ■ Replace existing files Always copies the files from the backup media to the DC and replaces all files existing on the DC, regardless of whether they are newer.
17. After making your selection, click the Next button to proceed.
18. The Advanced Restore Options page contains the following five check boxes:
  ■ Restore security settings This option is selected by default, and should remain selected. It shows the power that a user with restore rights has, because any such user can, by deselecting this check box, restore the files without their associated permissions. In some circumstances, difficulties can arise when restoring data that was on a disk formatted in the NTFS file system, which supports file level permissions, to one using the FAT file system, which does not support file level permissions. In circumstances like these, clearing this check box has been known to resolve some of the issues. This is because selecting this box restores a wide range of extended data (permissions, auditing information, and ownership information) that is not supported by the FAT file system.
  ■ Restore junction points, but not the folders and file data they reference Among other things, junction points are used to reference mounted drives. In Windows Server 2003, volumes can be mounted in folders of another volume, instead of being accessed through a drive letter. If you do not restore junction points, you will not be able to restore the information on mounted drives unless you recreate the junction points manually.
  ■ Preserve existing volume mount points This option relates to the preceding point. When using mounted drives, it is necessary to create mount points, which are the empty folders to which the volume is mounted (thus creating the mounted drive). When selected, this box protects existing mount points on the volume being restored. This is helpful if you have already formatted the disk to which you are restoring and added these mount points prior to beginning the restore. However, if you have formatted the disk to which you are restoring and have not added these mount points back manually, clearing this check box will restore your old mount points from tape. This option is selected by default.
  ■ Restore the Cluster Registry to the quorum disk and all other nodes This option restores the cluster quorum database and replicates it to all of the nodes in the server cluster. This option will be grayed out if the DC is not part of a server cluster.
  ■ When restoring replicated data sets, mark the restored data as the primary data for all replicas This option is used to perform a primary restore and is covered in detail later in the chapter.
19. Click the Next button after making your selections.
20. Click the Finish button to begin the restore.
21. The restore will take at least a few minutes and display its progress as shown in Figure 19.8. When it is finished, click the Close button (shown in Figure 19.9) to close the Restore Progress dialog box, or click the Report… button to view the backup log associated with the job.
  Clicking the Report… button will display the Notepad application with the log file displayed, as shown in Figure 19.10. You should review the log for any error messages, such as those pertaining to files that had to be skipped. When you have finished reviewing the log, close the Notepad application.