Lesson 3: Monitoring Active Directory CHAPTER 8 457

The Active Directory Replication Monitor tool (replmon) enables you to do the following:

• View the properties of directory replication partners and detect when a replication partner fails
• View the history of successful and failed replication changes
• View a snapshot of performance counters and registry configuration
• Create your own applications or scripts to extract specific data from AD DS
• Generate status reports
• Force replication
• Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology
• Display changes from a given replication partner that have not yet replicated
• List the trust relationships maintained by the domain controller being monitored
• Display the metadata of an AD DS object's attributes
• Monitor the replication status of domain controllers from multiple forests

MORE INFO REPLMON
For more information about the replmon support tool, see http://technet.microsoft.com/en-us/library/cc772954.aspx and http://technet.microsoft.com/en-us/library/cc775394.aspx. These are Windows Server 2003 links but should give you the information you need. Note that replmon is part of the Windows Server 2003 Support Tools and is not shipped with Windows Server 2008; repadmin.exe, which is included in Windows Server 2008, is the supported command-line tool for the same replication checks.

THE DIRECTORY SERVICE LOG
The Directory Service log (in Event Viewer under Applications and Services Logs) reports replication errors that occur after a replication link has been established. Event logs were discussed earlier in this lesson.

The time required to replicate directory data between domain controllers is known as the replication latency. This can vary, depending on the number of domain controllers, the number of sites, the available bandwidth between sites, the replication frequency, and so on. You can monitor replication to determine the normal replication latency on your network. If you know the normal replication latency, you can determine whether a problem is occurring. You also must check the Directory Service log and use the repadmin /showrepl command to discover recent replication errors.
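The three checks this section describes (partner status from repadmin /showrepl, a measured replication latency, and recent errors in the Directory Service log) can be run together from one script. The following is an added example, not code from the training kit. It assumes PowerShell 2.0 or later (for Get-WinEvent), repadmin.exe on the path, an account that can read the domain controller event logs, and, for the latency probe, a throwaway directory object whose description attribute you are allowed to write; the DC names Boston and the probe DN in the last lines are assumptions.

```powershell
# Added example, not from the training kit: one pass over the replication checks this
# section describes. repadmin /showrepl supplies per-partner failure counts and last
# success times, a probe object measures actual latency between two DCs, and the
# Directory Service log is queried for recent errors.
# Assumptions: PowerShell 2.0 or later (Get-WinEvent), repadmin.exe on the path, and an
# account allowed to read the DC event logs and to write the probe object's description.

function Get-ReplicationPartnerStatus {
    # One object per (destination DC, naming context, source DC) row reported by
    # "repadmin /showrepl * /csv"; Problem is set for failures or stale partners.
    param([int]$StaleHours = 3)   # assumption: no successful sync in 3 h is worth a look
    $now = Get-Date
    foreach ($row in (repadmin /showrepl * /csv | ConvertFrom-Csv)) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        $lastOk = $null
        try { $lastOk = [datetime]$row.'Last Success Time' } catch { }
        $stale = ($lastOk -eq $null) -or (($now - $lastOk).TotalHours -gt $StaleHours)
        New-Object PSObject -Property @{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastOk
            LastError     = $row.'Last Failure Status'
            Problem       = ($failures -gt 0) -or $stale
        }
    }
}

function Measure-ReplicationLatency {
    # Stamps the description of a dedicated probe object on $SourceDc, then polls
    # $TargetDc until the stamp arrives. Returns the elapsed TimeSpan, or $null on timeout.
    param(
        [string]$SourceDc,
        [string]$TargetDc,
        [string]$ProbeDn,            # assumption: a throwaway object created for this purpose
        [int]$TimeoutSec = 900,
        [int]$PollSec = 5
    )
    $stamp = 'replprobe ' + (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
    $src = [adsi]"LDAP://$SourceDc/$ProbeDn"
    $src.Put('description', $stamp)
    $src.SetInfo()
    $clock = [System.Diagnostics.Stopwatch]::StartNew()
    do {
        Start-Sleep -Seconds $PollSec
        # A new DirectoryEntry each time avoids the previous read's property cache.
        $dst = [adsi]"LDAP://$TargetDc/$ProbeDn"
        if ([string]$dst.description -eq $stamp) { return $clock.Elapsed }
    } while ($clock.Elapsed.TotalSeconds -lt $TimeoutSec)
    return $null
}

function Get-RecentDirectoryServiceErrors {
    # Critical (1) and Error (2) events from the Directory Service log in the last $LookbackHours.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$LookbackHours = 24)
    $filter = @{ LogName = 'Directory Service'; Level = 1, 2
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Report: only partners with a problem, then the recent Directory Service log errors.
Get-ReplicationPartnerStatus | Where-Object { $_.Problem } |
    Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastError -AutoSize
Get-RecentDirectoryServiceErrors | Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# Latency probe; the DC names and probe object DN are assumptions, adjust before running:
# Measure-ReplicationLatency -SourceDc Glasgow -TargetDc Boston `
#     -ProbeDn 'CN=ReplProbe,OU=Monitoring,DC=contoso,DC=internal'
```

Run the latency probe a few times at quiet hours to establish the normal figure the text refers to; a partner that reports no failures but whose measured latency drifts well above that baseline is the case repadmin alone will not show you.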
MORE INFO SITE TOPOLOGY
A good site topology design is important for replication efficiency. For more information about site topology design, see http://technet.microsoft.com/en-us/library/cc772013.aspx.

458 CHAPTER 8 Maintaining the Active Directory Environment

Using Resultant Set of Policy

You can use the Resultant Set of Policy (RSoP) snap-in to create detailed reports about applied policy settings in two modes: logging mode and planning mode. Logging mode displays the policy settings actually applied to computers or to users who have logged on. Planning mode simulates the policy settings that would result from changes you intend to apply to a computer or user. You can also use planning mode to check assigned policy settings for a computer that is not currently available or for a user who is not currently logged on.

To open RSoP as an MMC snap-in and display RSoP logging mode for the currently logged-on user and computer, type rsop.msc in the Search or Run box. Figure 8-29 shows the RSoP console.

FIGURE 8-29 The RSoP console.

To open RSoP as an MMC snap-in and display RSoP logging mode for a specified namespace and target computer, type rsop.msc /RsopNamespace:<NameSpace> /RsopTargetComp:<TargetComputer> (for example, rsop.msc /RsopNamespace:contoso.internal /RsopTargetComp:Glasgow) in the Search or Run box.
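RSoP logging mode answers the question "which Group Policy settings did this user actually get?". In a Windows Server 2008 domain the password and account lockout settings that govern a particular user may not come from Group Policy at all but from a fine-grained password policy, a password settings object (PSO) stored in the directory, which RSoP does not report. The following added example (not code from the training kit) reads the constructed attribute msDS-ResultantPSO, which names the PSO that wins for a given user, and checks the PSO's settings against a baseline. It assumes PowerShell 2.0 or later on a domain-joined machine, a domain at the Windows Server 2008 functional level, and illustrative values for the user's DN and the baseline numbers.

```powershell
# Added example, not from the training kit: RSoP reports Group Policy settings, but in a
# Windows Server 2008 domain the password and lockout settings that actually govern a
# user can come from a password settings object (PSO), a directory object that RSoP
# never shows. The constructed attribute msDS-ResultantPSO on the user names the winning
# PSO. This script reads it through ADSI and compares the result with a baseline.
# Assumptions: PowerShell 2.0 or later on a domain-joined machine, a domain at the
# Windows Server 2008 functional level, and illustrative DN and baseline values.

function Get-ResultantPasswordPolicy {
    param([string]$UserDn)
    $user = [adsi]"LDAP://$UserDn"
    # Constructed attributes are not in the default property cache; request it explicitly.
    $user.RefreshCache(@('msDS-ResultantPSO'))
    $psoDn = [string]$user.Properties['msDS-ResultantPSO'].Value
    if (-not $psoDn) {
        # No PSO applies: the domain default (Default Domain Policy GPO) governs, so RSoP
        # is the right tool for this user.
        return New-Object PSObject -Property @{ User = $UserDn; Source = 'Default Domain Policy'; Pso = $false }
    }
    $pso = [adsi]"LDAP://$psoDn"
    New-Object PSObject -Property @{
        User                 = $UserDn
        Source               = $psoDn
        Pso                  = $true
        Precedence           = [int]$pso.Properties['msDS-PasswordSettingsPrecedence'].Value
        MinPasswordLength    = [int]$pso.Properties['msDS-MinimumPasswordLength'].Value
        PasswordHistory      = [int]$pso.Properties['msDS-PasswordHistoryLength'].Value
        ComplexityRequired   = [bool]$pso.Properties['msDS-PasswordComplexityEnabled'].Value
        ReversibleEncryption = [bool]$pso.Properties['msDS-PasswordReversibleEncryptionEnabled'].Value
        LockoutThreshold     = [int]$pso.Properties['msDS-LockoutThreshold'].Value
    }
}

function Test-PasswordPolicyBaseline {
    # Returns the ways a resultant policy falls short of the baseline (empty = compliant).
    param($Policy, [int]$MinLength = 12, [int]$MinHistory = 24)   # assumption: example baseline
    if (-not $Policy.Pso) { return @('No PSO applies; review the Default Domain Policy with RSoP') }
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) { $findings += "minimum length $($Policy.MinPasswordLength) is below $MinLength" }
    if ($Policy.PasswordHistory -lt $MinHistory)  { $findings += "history $($Policy.PasswordHistory) is below $MinHistory" }
    if (-not $Policy.ComplexityRequired)         { $findings += 'complexity is not required' }
    if ($Policy.ReversibleEncryption)            { $findings += 'reversible encryption is enabled' }
    if ($Policy.LockoutThreshold -eq 0)          { $findings += 'account lockout is disabled (threshold 0)' }
    return $findings
}

# Kim_Akers is the lesson's account; the DN below is an assumption about where it lives.
$policy = Get-ResultantPasswordPolicy -UserDn 'CN=Kim Akers,CN=Users,DC=contoso,DC=internal'
$policy | Format-List
Test-PasswordPolicyBaseline -Policy $policy
```

The "planning" counterpart is simply running the same function for each user you intend to move into a group that a PSO targets, since the resultant PSO is decided by precedence among the PSOs linked to the user and the user's groups, not by where the user sits in the OU tree.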
RSoP operation has not changed significantly from Windows Server 2003. What has changed is the introduction of fine-grained password policies in Windows Server 2008. This adds flexibility but makes it more important to have an automatic method of determining the result of actual or planned password policy settings: password settings objects (PSOs) are directory objects rather than Group Policy settings, so the password and lockout settings that govern a user covered by a PSO do not appear in an RSoP report.

MORE INFO RSOP AND FINE-GRAINED PASSWORD POLICIES
For more information about the RSoP snap-in, see http://technet.microsoft.com/en-us/library/cc736424.aspx. This is a Windows Server 2003 link, but the information it contains also applies to Windows Server 2008. For more information about fine-grained password policies, see http://technet.microsoft.com/en-us/library/cc770394.aspx.

PRACTICE AD DS Performance Analysis

In this practice, you install Windows System Resource Manager (WSRM) on the Glasgow domain controller and view the policies it provides. You then create a custom data collector set on the same computer, run the collector set, and use Windows Reliability and Performance Monitor (WRPM) to view the diagnostics report.

EXERCISE 1 Install WSRM

In this exercise, you install the WSRM service and view WSRM policies.

1. Log on to Glasgow with the Kim_Akers account.
2. If necessary, start Server Manager.
3. In Server Manager, right-click Features and select Add Features.
4. Select the Windows System Resource Manager check box on the Select Features page of the Add Features Wizard, and then click Next.
5. If Server Manager prompts you to add Windows Internal Database, click Add Required Features. Click Next. Windows Internal Database (WID) was discussed in Chapter 6, "Configuring Active Directory Federation Services and Active Directory Rights Management Services Server Roles."
6. Review the Confirm Installation Selections page shown in Figure 8-30 and click Install.

FIGURE 8-30 The Confirm Installation Selections page.

7. Click Close when your installation is complete.
8. Open the WSRM console in the Administrative Tools program group.
9. Select This Computer and click Connect.
10. View the WSRM interface shown in Figure 8-31 and experiment with the features it provides.

FIGURE 8-31 The WSRM interface.

EXERCISE 2 Create a Custom Data Collector Set and Generate a Report

In this exercise, you use a data collector template to create a data collector set. You configure this set to run for five minutes to generate report data. However, you choose to run an immediate report in the first instance.

1. If necessary, log on to Glasgow with the Kim_Akers account and start Server Manager.
2. In Server Manager, expand Diagnostics, expand Reliability And Performance, and expand Data Collector Sets.
3. Right-click User Defined, select New, and then select Data Collector Set.
4. On the Create New Data Collector Set page, type My New Data Collector Set. Ensure that Create From A Template (Recommended) is selected, and then click Next. The Create New Data Collector Set page is shown in Figure 8-32.

FIGURE 8-32 The Create New Data Collector Set page.

5. Select the Active Directory Diagnostics template and click Next. By default, the wizard selects %systemdrive%\PerfLogs\Admin as the root directory. In a production environment, you would probably keep your collector sets on a separate drive.
6. For the purposes of this exercise, accept the default and click Next.
7. In the Run As field on the Create The Data Collector Set page, you have the option to click Change and enter an account name and password under which to run the data collector set. Click Finish to accept the default. Your data collector set is created and is displayed in Server Manager.

NOTE ACCOUNT TO RUN DATA COLLECTOR SETS
When you create data collector sets on a production network, create a dedicated account to run your collector sets rather than running them under an administrator account. This account should be a member of the Performance Log Users group. Note that the Performance Log Users group has the Log On As A Batch Job right assigned to it by default.

8. To schedule the start condition for your data collector set, right-click My New Data Collector Set and select Properties.
9. To create a start date, time, or day schedule, click the Schedule tab and click Add.
10. In the Folder Action dialog box, specify today's date as the beginning date, select Expiration Date, and set it for a week hence. Ensure that the start time is set to the current time. Your Folder Action dialog box should look similar to Figure 8-33.
11. Click OK.

FIGURE 8-33 Scheduling the start of your data collector set.

NOTE FAILURE TO SCHEDULE A COLLECTOR SET
If you do not configure a collector set to run on a schedule, it will stop as soon as you (or the specified account under which it is running) log off.

12. Click the Stop Condition tab, select the Overall Duration check box, and ensure that it lists five minutes. Select the Stop When All Data Collectors Have Finished check box. Click OK. Note that if you do not specify a stop condition, the collector set continues to gather data and could quickly fill up your allocated disk resource.

NOTE STOP WHEN ALL DATA COLLECTORS HAVE FINISHED
If you have configured an overall duration, select the Stop When All Data Collectors Have Finished check box to allow all data collectors to finish recording the most recent values before the data collector set is stopped.

My New Data Collector Set appears in Server Manager. Note that it is currently stopped.

13. Right-click My New Data Collector Set and select Data Manager. Note the defaults on the Data Manager tab. If you are short of hard disk space, you might want to change the Minimum Free Disk setting.
14. Click the Actions tab. Select 1 Day(s), and then click Edit. Note the policy settings. In a production environment, you might change these settings, but in this exercise, you accept the defaults.
15. Click OK, and then click OK again.
16. To view an immediate report, right-click My New Data Collector Set, and then select Start.
17. Expand Reports under Reliability And Performance. Expand User Defined, and then expand My New Data Collector Set. Select the report name to view the report status, as shown in Figure 8-34.

FIGURE 8-34 Generating a report.
When the report completes, you see a screen similar to Figure 8-35. On your small test network, it might not contain much of interest.

FIGURE 8-35 The report completes.

18. Under Data Collector Sets, select User Defined. Check that My New Data Collector Set is stopped. If you do not want this data collector set to write to your hard disk for the rest of the week, it is a good idea to delete it.

Lesson Summary

• Tools to manage and monitor domain controller resource usage include Task Manager, Event Viewer, WRPM, WSRM, and command-line utilities.
• Windows Server 2008 Performance Monitor incorporates the functionality of other tools used in previous versions of Windows.
• WSRM controls how resources behave on a scheduled basis. It monitors resource usage over time and logs activity. It also controls access to resources based on specific policies.
• You can use the Directory Service log and the repadmin and dcdiag command-line tools to report and diagnose AD DS replication errors.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 3, "Monitoring Active Directory." The questions are also available on the companion DVD if you prefer to review them in electronic form.

NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is right or wrong are located in the "Answers" section at the end of the book.

1. You are an administrator for Northwind Traders. You want to display the replication partners for the Chicago domain controller in the northwindtraders.com domain. What command do you use?
A. Repadmin /showrepl Chicago.northwindtraders.com
B. Dcdiag /test:replications
C. Rsop.msc /RsopNamespace:northwindtraders.com /RsopTargetComp:Chicago
D. Rsop.msc

2. You access a collector set that a colleague has configured on one of your organization's domain controllers.
You find that the set is running continuously and has filled the allocated storage area. What could be the problem? (Choose two. Each correct answer presents a complete solution.)
A. Your colleague has not created a special account under which the collector set runs.
B. Your colleague has not set the collector set to run on a schedule.
C. Your colleague has not specified an expiration date.
D. Your colleague has not specified a stop condition.
E. Your colleague has not specified a duration limit.

3. Which data collector set template created for the AD DS role would you choose if you wanted your data collector set to collect data from registry keys, performance counters, and trace events related to AD DS performance on a local domain controller?
A. LAN Diagnostics
B. Active Directory Diagnostics
C. System Performance
D. System Diagnostics

4. You are investigating issues on a domain controller and believe that the performance of the AD DS service has deteriorated. Which of the following tools could help you diagnose the problem? (Choose four. Although each answer could present a complete solution, it is likely you would use several tools in combination.)
A. Reliability Monitor
B. Repadmin.exe
C. Event Viewer
D. SPA
E. Task Manager
F. Performance Monitor

Chapter Review

To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:

• Review the chapter summary.
• Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
• Complete the suggested practices.
• Take a practice test.
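Exercise 2 above builds a data collector set by hand in Server Manager, and review question 2 describes what happens when the safeguards in its notes are skipped. The same controls, a dedicated run-as account in Performance Log Users, a schedule with an expiry date, a five-minute overall-duration stop condition, and a size cap so a forgotten set cannot fill the disk, can be scripted with logman.exe, which ships with Windows Server 2008. The following is an added example, not code from the training kit; the set name, output path, service account and counter list are assumptions, and this counter-only set does not collect the registry and trace data that the Active Directory Diagnostics template also gathers.

```powershell
# Added example, not from the training kit: the data collector set of Exercise 2 built
# with logman.exe instead of the Server Manager wizard, keeping the controls the notes
# insist on: a dedicated run-as account, a schedule with an expiry, a five-minute stop
# condition, and a size cap (the missing control in review question 2).
# Assumptions: the set name, output path, account and counter list are illustrative;
# a counter-only set lacks the registry and trace data the AD Diagnostics template has.

$SetName   = 'AD Perf Baseline'
$OutputDir = 'D:\PerfLogs\ADPerf'        # assumption: not the system drive
$RunAs     = 'CONTOSO\svc-perflog'       # assumption: member of Performance Log Users only
$Counters  = @(
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\Kerberos Authentications',
    '\NTDS\NTLM Authentications',
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\Avg. Disk Queue Length'
)

function New-AdCounterSet {
    param(
        [string]$Name, [string]$OutputDir, [string]$RunAs, [string[]]$Counters,
        [datetime]$Begin, [datetime]$End,
        [int]$DurationSec = 300,     # stop condition: overall duration of one run
        [int]$MaxMB = 200            # cap on the log file, so a forgotten set cannot fill the disk
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $fmt = 'M/d/yyyy h:mm:sstt'      # the date form logman expects for -b and -e
    $logmanArgs = @('create', 'counter', $Name, '-c') + $Counters + @(
        '-si',  '00:00:15',                                          # sample every 15 s
        '-o',   (Join-Path $OutputDir 'adperf'),                     # logman adds a serial and .blg
        '-f',   'bin',
        '-rf',  ([TimeSpan]::FromSeconds($DurationSec).ToString()),  # run for hh:mm:ss, then stop
        '-max', $MaxMB,
        '-b',   $Begin.ToString($fmt),                               # beginning date and start time
        '-e',   $End.ToString($fmt),                                 # expiration date
        '-r',                                                        # repeat daily between -b and -e
        '-u',   $RunAs, '*',                                         # "*" prompts for the password
        '-y'
    )
    & logman.exe @logmanArgs
    return $LASTEXITCODE
}

$now = Get-Date
$rc = New-AdCounterSet -Name $SetName -OutputDir $OutputDir -RunAs $RunAs -Counters $Counters `
        -Begin $now -End $now.AddDays(7)
if ($rc -eq 0) {
    logman start $SetName    # immediate run, as in step 16 of the exercise
    logman query $SetName    # shows status, stop condition, schedule and output path
}
```

The password is supplied at a prompt rather than on the command line, so it does not appear in the process command line or in the shell history. When the week is over, logman delete followed by the set name is the equivalent of step 18.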
Chapter Summary

• You can use Windows Server Backup or the wbadmin.exe command-line tool to perform Windows Server 2008 backups. A system state backup backs up the AD DS database and Windows Server 2008 roles.
• A full server recovery performs a nonauthoritative restore of system state data. However, Microsoft recommends booting into DSRM to restore system state data. You recover deleted Active Directory objects by using the ntdsutil utility to mark them as authoritative.
• You can stop the AD DS service to compact and defragment the AD DS database offline and mark restored AD DS objects as authoritative. You cannot stop the AD DS service if your domain controller is the only domain controller authenticating logons in the domain.
• You can protect AD DS objects from accidental deletion. AD DS access auditing logs old and new values for AD DS objects in the Directory Service event log. You can use the ldp.exe utility to recover tombstoned AD DS objects.
• You can allocate disk storage by expanding the partition or partitions on the disk that currently stores these files. If this is not possible or practicable, you can use ntdsutil.exe to move a database or log file to a larger existing partition. You cannot move AD DS objects that are protected from deletion.
• Tools to manage and monitor domain controller resource usage include Task Manager, Event Viewer, WRPM, and WSRM. You can use the Directory Service log and the repadmin and dcdiag command-line tools to report and diagnose AD DS replication errors.

Case Scenarios

In the following case scenarios, you apply what you've learned about maintaining the Active Directory environment. You can find answers to the questions in this scenario in the "Answers" section at the end of this book.

[...]

• [...] Viewer 2005 from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367&displaylang=en
• Report Viewer 2005 SP1 from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyId=35F23B3C-3B3F-4377-9AE1-26321F99FDF0&displaylang=en
• Network Monitor from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&displaylang=en

[...]

Scenario 1: Designing Backup and Restore Procedures

Northwind Traders currently has a mixture of Windows 2000 Server and Windows Server 2003 member servers and Windows Server 2003 domain controllers on its domain. The company intends to upgrade all member servers to Windows Server 2003 and all domain controllers to Windows Server 2008. You need to develop consistent backup and restore procedures. Answer the following [...]

[...] ntbackup to write backup data to tape are to be upgraded to Windows Server 2008. What hardware is required so you can take scheduled daily backups, using the Windows Server Backup utility?
2. You are considering a future upgrade of your hardware storage solution for domain controller backups to Fibre Channel SAN. What Microsoft backup software do you need to use?
3. You need to ensure that you can restore [...]

[...] Approval drop-down list to Unapproved and the status to Any, and then click Refresh.

Lesson 1: Managing Windows Server Update Services CHAPTER 9 483

This displays a list of Windows Server 2008 updates similar to that shown in Figure 9-13.

FIGURE 9-13 Updates awaiting approval

5. Right-click the update at the top of the list, and then select Approve. This launches the Approve Updates dialog box.
6. Right-click [...]

[...] mbsacli.exe command-line options by typing mbsacli.exe /? into an elevated command prompt.

FIGURE 9-17 MBSA command-line output

MORE INFO MORE ON MBSA
To learn more about the MBSA tool, consult the following article on the Microsoft Web site: http://msdn.microsoft.com/en-au/library/aa302360.aspx

Simple Network Management Protocol

You can use SNMP to configure [...]

[...] scroll down and ensure that only updates for Windows Server 2008 are selected, as shown in Figure 9-12, and then click Next.

482 CHAPTER 9 Managing Software Updates and Monitoring Network Data

NOTE ONLY WINDOWS SERVER 2008 UPDATES
Selecting only updates for Windows Server 2008 minimizes the number of updates downloaded from the Microsoft Update servers.

FIGURE 9-12 Selecting updates

27. On the Classifications [...]

[...] integral to the operation of your organization. Generally, you want to avoid explaining to your manager why an update you applied to a mission-critical server led to that server experiencing a couple of hours of downtime. Although Microsoft goes to all possible lengths to ensure that the updates it publishes do not conflict with existing software, it is possible that some special application or driver on your [...]

[...] in a position to roll back to your previous configuration easily.

Lesson 1: Managing Windows Server Update Services

As an experienced administrator, you most likely already employ a patch management solution such as Windows Server Update Services (WSUS) on your organization's network. When you were completing your Windows Server 2003 certification [...]

[...] Create A Windows Server Update Services 3.0 SP1 Web Site, as shown in Figure 9-10.

FIGURE 9-10 WSUS Web site location

19. Click Next twice to begin the installation process. Click Finish to dismiss the setup wizard when the installation completes. The Windows Server Update Services Configuration Wizard automatically begins.
20. If your computer, [...]

[...] server. If the group does not exist, WSUS allocates the computer to the Unassigned Computers group. The alternative to client-side targeting is server-side targeting. When a computer first contacts a WSUS server for updates, and client-side targeting is not in effect, the WSUS server allocates the computer to the Unassigned Computers group. With server-side targeting, you assign the computer to a WSUS server.
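Whether a client ends up in a named target group or in Unassigned Computers is decided by policy values on the client, so it can be checked there before the computer ever contacts the server. The following added example (not code from the training kit) reads the WindowsUpdate policy keys, reports the targeting mode that will apply, and flags a WSUS URL that is not HTTPS, since an update channel that is not TLS-protected can be redirected on the network. It assumes PowerShell 2.0 or later run on the client; the registry paths are the documented Windows Update policy keys.

```powershell
# Added example, not from the training kit: reads the WindowsUpdate policy values a WSUS
# client uses for client-side targeting and reports whether this computer will ask to
# join a named target group or be placed in Unassigned Computers for server-side
# targeting. It also flags a WSUS URL that is not https://, because an update channel
# that is not TLS-protected can be redirected on the network.
# Assumptions: PowerShell 2.0 or later, run on the client; the registry paths are the
# documented Windows Update policy keys.

function Get-WsusClientTargeting {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue

    # UseWUServer=1 under AU plus a WUServer value means updates come from WSUS.
    $usesWsus  = ($a -ne $null) -and ($a.UseWUServer -eq 1) -and ($p -ne $null) -and $p.WUServer
    # TargetGroupEnabled=1 plus a TargetGroup value means client-side targeting is in effect.
    $targeting = ($p -ne $null) -and ($p.TargetGroupEnabled -eq 1) -and $p.TargetGroup

    $findings = @()
    if (-not $usesWsus) {
        $findings += 'Not configured for WSUS; updates come directly from Microsoft Update'
    } elseif ($p.WUServer -notmatch '^https://') {
        $findings += "WSUS URL $($p.WUServer) is not HTTPS"
    }
    if ($usesWsus -and -not $targeting) {
        $findings += 'Client-side targeting is off; the server places this computer in Unassigned Computers unless an administrator moves it'
    }

    New-Object PSObject -Property @{
        WUServer        = $(if ($p) { $p.WUServer } else { $null })
        UseWUServer     = $(if ($a) { $a.UseWUServer } else { $null })
        ClientTargeting = [bool]$targeting
        TargetGroup     = $(if ($targeting) { $p.TargetGroup } else { 'Unassigned Computers (server-side targeting)' })
        Findings        = $findings
    }
}

Get-WsusClientTargeting | Format-List WUServer, UseWUServer, ClientTargeting, TargetGroup, Findings
```

The TargetGroup value can name several groups separated by semicolons; the script reports it verbatim, and whether each named group exists on the server (the case in which WSUS falls back to Unassigned Computers) can only be confirmed in the WSUS console.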