Module 8: Implementing An Active Directory Domain Services Monitoring Plan


Course 2786B Module 8: Implementing an Active Directory Domain Services Monitoring Plan

Presentation: 60 minutes Lab: 60 minutes

This module helps students to implement an Active Directory Domain Services (AD DS) monitoring plan.

After completing this module, students will be able to:
- Monitor Active Directory Domain Services using Event Viewer.
- Monitor Active Directory Domain Services using Reliability and Performance Monitor.
- Configure Active Directory Domain Services auditing.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 6425A_08.ppt.

Important It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Complete the practices.

This section contains information that will help you to teach this module.

For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.

Make sure that students are aware that there is additional information and resources for the module on the Course Companion CD.


Explain that Event Viewer has been rewritten from the ground up. It has a new interface and is integrated with a new, centralized event logging system. Event Viewer works with native Windows Server 2008 and Windows Vista event log files (.elf). It also provides backward compatibility with Event Viewer files from earlier Windows operating systems. Point out that updated features include summary and custom views, subscriptions, cross-log queries, integration with Task Scheduler, many new log files, and increased multipage support for larger result sets.

Reference Event Viewer http://go.microsoft.com/fwlink/?LinkId=99509


To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Open Event Viewer and briefly discuss the new look of the Microsoft Management Console (MMC).
2. Point out the default summary view.
3. Expand Custom Views and show the default custom views.
4. Expand Windows Logs, and then point out the traditional logs and the new logs.
5. Open one of the logs, and then briefly discuss the options available in the Actions pane.
6. Show how you could attach a task to an event using the Create a Basic Task Wizard.
7. Demonstrate copying an event's details as text into Notepad.
8. Double-click an event to show the details.
9. Expand the Microsoft\Windows folder, and then show the logs.
10. Show how you would connect to another computer. Mention that the Remote Event Log Management exception must be enabled in the remote computer's firewall.

Discussion Question and Answer
Question: You have an issue with Group Policy. What log should you view for detailed Group Policy events?
Answer: The Group Policy log is one of the new application and service logs that Event Viewer provides.

References Event Viewer http://go.microsoft.com/fwlink/?LinkId=99509


Comment on slide: Change Active Directory to AD DS, or Active Directory Domain Services.

Event Viewer now provides a wide range of application and service logs. Explain how these logs can provide granular information about Active Directory Domain Services (AD DS) and other services, such as Group Policy, Offline Files, the Windows Update client, and many others. Point out that the System log is often the first stop in troubleshooting. You can use a number of logs to track AD DS issues. For example, the Distributed File System (DFS) Replication log, the Directory Service log, the Domain Name System (DNS) Server log, and the Group Policy\Operational log can all provide valuable information about Active Directory-related problems. Discuss how the event log online help feature provides the latest information about known issues.


Explain that Custom Views allow you to view event log information based on dynamic queries. Point out how to create a custom view. A custom view lets you select the event logs from which you want to view information, and then presents the results in a single view. This is useful for monitoring services such as AD DS, because you can see all of the AD DS-specific logs in one view rather than checking multiple logs. Explain that once you have queried and sorted your way to just the events you want to analyze, you can save that work as a named view, and it will be available for future reuse. You can even export the view to use on other computers, or to share with others.

References Event Viewer http://go.microsoft.com/fwlink/?LinkId=99509
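As an added example (not part of the course materials), the cross-log query that such a custom view stores, built over the AD DS-related logs discussed in this module and run from PowerShell with Get-WinEvent; the 24-hour window, the output file name and the assumption of PowerShell 2.0 or later on the domain controller are mine.

```powershell
# Added example, not course content: a cross-log query of the kind a custom view
# saves, built over the AD DS-related logs and run with Get-WinEvent -FilterXml.
# Assumptions: PowerShell 2.0 or later, run by an administrator on a domain
# controller; the log list below is constructed from the logs named in the module.

$adLogs = @(
    'Directory Service',
    'DFS Replication',
    'DNS Server',
    'Microsoft-Windows-GroupPolicy/Operational'
)

# Keep only the logs that exist on this server, so one missing log (for example
# DNS Server on a DC without the DNS role) does not make the whole query fail.
$present = foreach ($log in $adLogs) {
    if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) { $log }
}

# One <Select> per log: Level 1 = Critical, 2 = Error, within the last 24 hours
# (timediff is measured in milliseconds).
$selects = foreach ($log in $present) {
    "    <Select Path=`"$log`">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>"
}

$queryXml = @"
<QueryList>
  <Query Id="0">
$($selects -join "`n")
  </Query>
</QueryList>
"@

# Save the query text: it can be pasted into the XML tab of a new custom view or
# copied to another domain controller, which is what exporting a view achieves.
$queryXml | Set-Content -Path "$env:USERPROFILE\ADDS-Errors-Query.xml" -Encoding UTF8

# Run the query directly. Get-WinEvent reports "no events found" as an error,
# which is suppressed here so an empty result is simply an empty table.
$events = Get-WinEvent -FilterXml ([xml]$queryXml) -ErrorAction SilentlyContinue

# Summarise by log and event ID so a recurring fault stands out from the noise.
$events |
    Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Log';     e = { $_.Group[0].LogName } },
        @{ n = 'EventId'; e = { $_.Group[0].Id } },
        @{ n = 'Last';    e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } },
        @{ n = 'Message'; e = { ($_.Group[0].Message -split "`n")[0] } } |
    Format-Table -AutoSize
```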


Explain that Event Viewer includes the ability to collect copies of events from multiple remote computers, and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected, and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Explain that before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector), and each computer from which events will be collected (source).

Discussion Question and Answer
Question: Where would subscriptions be most useful in your organization?
Answer: Answers will vary.

Reference Event Viewer http://go.microsoft.com/fwlink/?LinkId=99509


To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Create a custom view
A. Create a new custom view that captures error events from some Active Directory-related logs.
B. Export the view to an XML file.
C. Delete the original custom view, and then import the XML file.
2. Create a subscription
Log on to all collector and source computers as administrator.
A. On each source computer, at an elevated command prompt, type: winrm quickconfig
B. On the collector computer, at an elevated command prompt, type: wecutil qc
C. Add the computer account of the collector computer to the local Administrators group on each of the source computers.
D. Create the subscription.
E. Filter events to show only errors from the System log.

Discussion Question and Answer
Question: You want to monitor a particular group of events across multiple Web servers. What is the best way to accomplish this?
Answer: Use subscriptions to gather the particular events, and then filter them to a central workstation.

References
Create and Manage a Custom View http://go.microsoft.com/fwlink/?LinkId=99511
Configure Computers to Forward and Collect Events http://go.microsoft.com/fwlink/?LinkId=99513
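As an added example (not part of the course materials), the collector and source configuration from step 2 of the demonstration scripted end to end, followed by a collector-initiated subscription that forwards only System log errors. The machine names NYC-DC1 (collector) and NYC-SVR1 (source) in the woodgrovebank.com domain are constructed, and each section is assumed to run from an elevated PowerShell prompt on the computer it names.

```powershell
# Added example, not course content: scripted collector/source setup and a
# collector-initiated subscription for System log errors.
# Assumptions: collector NYC-DC1 and source NYC-SVR1 in woodgrovebank.com
# (constructed names); each section runs elevated on the machine it names.

# --- On each SOURCE computer -------------------------------------------------
# Enable WinRM and its firewall exception, then let the collector's computer
# account read the logs (step C of the demonstration uses Administrators).
winrm quickconfig -q
net localgroup Administrators 'WOODGROVEBANK\NYC-DC1$' /add

# --- On the COLLECTOR computer -----------------------------------------------
# Configure the Windows Event Collector service and the ForwardedEvents log.
wecutil qc /q:true

# Subscription definition: only Level 1 (Critical) and 2 (Error) events from
# the System log of each source, stored locally in ForwardedEvents (step E).
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>System-Errors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>System log errors from Woodgrove member servers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="System">
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-SVR1.woodgrovebank.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
'@

$path = "$env:TEMP\System-Errors.xml"
Set-Content -Path $path -Value $subscriptionXml -Encoding Unicode
wecutil cs $path                      # create the subscription from the file

# Verify: the runtime status lists each source as Active once the first poll
# succeeds; an Inactive source usually means WinRM or the group membership
# on that source is not in place.
wecutil gr System-Errors

# The forwarded events then appear in the local ForwardedEvents log; this is
# the same filter a custom view on the collector would apply.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Level = 1, 2 } -MaxEvents 20 |
    Select-Object TimeCreated, MachineName, Id, ProviderName |
    Format-Table -AutoSize
```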


Explain that the Windows Reliability and Performance Monitor feature enables you to track the performance impact of applications and services, and to generate alerts or take action when user-defined thresholds for optimum performance are exceeded. Describe the new Microsoft Management Console (MMC). Explain that the Resource Overview gives you real-time graphic monitoring with expandable sections to see activity details. Explain that Performance Monitor allows you to add counters for real-time viewing, or to display logging results.

Describe Reliability Monitor. Reliability Monitor provides a system-stability overview and trend analysis, with detailed information about individual events that may affect the system's overall stability, such as software installations, operating-system updates, and hardware failures. It begins collecting data when the system is installed.

Describe Data Collector Sets, including how and when you would use them. Explain that a Data Collector Set is the building block of performance monitoring and reporting. It organizes multiple data collection points into a single component that you can use to review or log performance. A Data Collector Set can be created and then recorded individually, grouped with other Data Collector Sets and incorporated into logs, viewed in Performance Monitor, configured to generate alerts when thresholds are reached, or used by other non-Microsoft applications. It can be associated with scheduling rules for data collection at specific times. Discuss the built-in reporting features.

References
Windows Vista Performance and Reliability Monitoring Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkId=99517
Windows Reliability and Performance Monitor http://go.microsoft.com/fwlink/?LinkId=99514


To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Open Reliability and Performance Monitor.
2. Briefly show the Resource Overview screen. Expand some sections to show details.
3. Open Performance Monitor. Mention that this has not changed significantly from Windows Server 2003.
4. Open Reliability Monitor. Expand some details.
5. Open Reports, and then show the system reports that are available.

Discussion Question and Answer
Question: Where can you find real-time information about network activity?
Answer: The Resource Overview page has a Network section that supplies real-time data on network activity.

Reference Windows Vista Performance and Reliability Monitoring Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkId=99517


Explain that in addition to the normal baseline counters that you monitor for all servers, there are objects and counters that are specific to AD DS. The Directory Services object provides access to the NT Directory Service (NTDS) counters. Briefly describe the most important counters. Mention that there are also a number of database counters that allow you to monitor the Active Directory database at an advanced level. These counters provide information regarding the performance of the database cache, database files, and database tables. You can use some of these counters to determine whether you need more hard disks to store additional Active Directory data. Also mention that there is a predefined data collector set for Active Directory Diagnostics that collects data from many different objects.


Describe the basic counter set that should be included in any server baseline: Pages/sec, Avg. Disk Queue Length, and % Processor Time. Refer to the previous topic for the AD DS counters that you should include in the AD DS baseline. Explain that a baseline needs to be established prior to troubleshooting. You need to know what the counters look like under normal conditions before you can understand a problem's source. Data needs to be collected for a period of time, over weeks or months, to establish a baseline. During that period, collect data at different times of the day: for example, during the morning when users are authenticating, during idle times, and during periods of replication. When AD DS problems arise, compare the baseline findings to the current statistics to help identify the problem's source.

Reference Deploying Active Directory for Branch Office Environments Chapter 9 - Post Deployment Monitoring of Domain Controllers http://go.microsoft.com/fwlink/?LinkId=99516


Explain that Reliability Monitor calculates a System Stability Index that shows, in graph form, whether unexpected problems reduced the system's reliability. A graph of the Stability Index over time quickly identifies the dates on which problems began to occur. The accompanying System Stability Report provides details to help troubleshoot the root cause of reduced reliability. By viewing system changes (installation or removal of applications, and updates to the operating system) and failures (application, operating system, or hardware failures), you can develop a strategy for quickly addressing issues.

Reference Windows Vista Performance and Reliability Monitoring Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkId=99517


Explain that a Data Collector Set is the building block of performance monitoring and reporting in the Windows Reliability and Performance Monitor. It organizes multiple data collection points into a single component that you can use to review or log performance. You can create a Data Collector Set, and then record it individually, group it with other Data Collector Sets and incorporate it into logs, view it in Performance Monitor, configure it to generate alerts when thresholds are reached, or configure it for use by other non-Microsoft applications. You also can associate it with scheduling rules for data collection at specific times. Explain that you can create a Data Collector Set from a template, from an existing set of Data Collectors in a Performance Monitor view, or by selecting individual Data Collectors and setting each individual option in the Data Collector Set properties.

Discussion Question and Answer
Question: You want to create an alert to notify you when free disk space is low. How would you create one?
Answer: Manually create a new data collector set, and then select Performance Counter Alert. Add the % Free Space counter in the LogicalDisk object, and set the threshold as required.

Reference Creating Data Collector Sets http://go.microsoft.com/fwlink/?LinkId=99518


To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running.
Demonstration steps:
1. Create a new data collector set named Active Directory.
2. Add the server baseline counters.
3. Add some of the Active Directory counters, and then start the data collector set.
4. Perform some activity to generate statistics.
5. Stop the data collector set, and then look at the user-defined report.
6. In the System container, start the Active Directory Diagnostics data collector set.
7. Perform some activity to generate statistics.
8. Stop the data collector set, and then look at the system-defined report.

Discussion Question and Answer
Question: What is the easiest way to log the same set of data across multiple computers?
Answer: Create a data collector set that captures the information you want, and then save it as an XML template.
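As an added example (not part of the course materials), the baseline Data Collector Set, the XML template export that lets it be replayed on other domain controllers, and the low-disk alert from the preceding topics, all scripted with logman and read back with Import-Counter. The NTDS counter selection, the 30-second interval, the 10 % threshold and the C:\PerfLogs output path are assumptions.

```powershell
# Added example, not course content: baseline Data Collector Set, template
# export and free-space alert created with logman.
# Assumptions: elevated PowerShell on a Windows Server 2008 or later domain
# controller with English counter names; C:\PerfLogs exists and is writable.

# Baseline counters for any server, plus AD DS counters from the NTDS object.
$counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\Kerberos Authentications'
)

# Sample every 30 s into a binary circular log capped at 200 MB, so the set can
# run for the weeks a baseline needs without filling the system disk.
logman create counter 'AD DS Baseline' -c $counters -si 00:00:30 `
    -o 'C:\PerfLogs\ADDS-Baseline' -f bincirc -max 200 -v mmddhhmm

logman start 'AD DS Baseline'
# ... generate activity (logons, replication) while the set collects ...
logman stop 'AD DS Baseline'

# Export the definition as an XML template; on another DC, recreate it with
#   logman import -n 'AD DS Baseline' -xml C:\PerfLogs\ADDS-Baseline.xml
logman export 'AD DS Baseline' -xml 'C:\PerfLogs\ADDS-Baseline.xml'

# Alert: fire when free space on the volume holding the AD DS database drops
# below 10 %, checking once a minute and reporting the alert to the event log.
logman create alert 'Low Disk Space' -th '\LogicalDisk(C:)\% Free Space<10' `
    -si 00:01:00 -el
logman start 'Low Disk Space'

# Read the most recent baseline log back and report mean and peak per counter:
# these are the values a current reading is compared against when troubleshooting.
$log = Get-ChildItem 'C:\PerfLogs\ADDS-Baseline*.blg' |
    Sort-Object LastWriteTime | Select-Object -Last 1

Import-Counter -Path $log.FullName |
    Select-Object -ExpandProperty CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $stats = $_.Group | ForEach-Object { $_.CookedValue } |
            Measure-Object -Average -Maximum
        New-Object PSObject -Property @{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Peak    = [math]::Round($stats.Maximum, 2)
        }
    } | Format-Table Counter, Average, Peak -AutoSize
```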


Explain that Active Directory auditing is a critical part of Active Directory administration and security. It is often a legal requirement to maintain a certain audit policy. Explain that in Windows 2000 and Windows Server 2003 there was one audit policy, Audit directory service access, which controlled whether auditing for directory service events was enabled. In Windows Server 2008, this policy is divided into four subcategories:
- Directory Service Access (enabled by default)
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication

Describe how to enable the global audit policy. Explain that using the Group Policy Management Console (GPMC) to enable directory service auditing enables all four subcategories. Explain that you must use Auditpol.exe to view or set audit policy subcategories; there is no Windows interface tool in Windows Server 2008 to view or set them.

Explain that the system access control list (SACL) on the object is still the ultimate authority in determining whether an access check must be audited. If there is no access control entry (ACE) in the SACL that requires attribute modifications to be logged, then no change-auditing events are logged, even if the Directory Service Changes subcategory is enabled.

References
Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkId=99519
How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain http://go.microsoft.com/fwlink/?LinkId=99520
Auditpol set http://go.microsoft.com/fwlink/?LinkId=99521


Demonstration steps:
1. Open a command prompt as Administrator.
2. Use Auditpol.exe to see the current audit policy. The only subcategory that is enabled is Directory Service Access - Success:
Auditpol /get /category:"DS Access"
Note: Auditpol /get /category:* displays the entire audit policy. The category name "DS Access" contains a space, so it must be quoted.
3. Use the GPMC to enable Directory Service Access auditing for successes and failures in the Default Domain Controllers Policy.
4. Use gpupdate to refresh the policy.
5. Run Auditpol again to show that the status has changed: enabling the global audit policy has set all the subcategories of the DS Access category to success and failure.
6. Use Auditpol to disable Detailed Directory Service Replication:
Auditpol /set /subcategory:"Detailed Directory Service Replication" /failure:disable
Auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable
7. Use Auditpol again to show that the policy has been modified:
Auditpol /get /category:"DS Access"

Discussion Question and Answer
Question: What log shows you the audit results?
Answer: The Security log displays the audit results.

Reference Auditpol set http://go.microsoft.com/fwlink/?LinkId=99521


The Directory Service Access subcategory still provides information about all the events that occur in the directory. It is enabled by default. Directory Service Replication and Detailed Directory Service Replication provide information about replication events. These subcategories are disabled by default, unless you enable a global directory access policy.

Explain that the Directory Service Changes subcategory provides new functionality. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
- When a successful modify operation is performed on an attribute, AD DS logs the attribute's previous and current values.
- If a new object is created, the values of the attributes that are populated at creation time are logged. If the user adds attributes during the create operation, those new attribute values are logged.
- If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain.
- If an object is undeleted, the location to which the object is moved is logged.
This subcategory is also disabled by default.

Reference Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide http://go.microsoft.com/fwlink/?LinkId=99519


To complete this demonstration, you must have the 6425A-NYC-DC1 virtual machine running. This demonstration is carried over from the last demo, where you used Group Policy to enable a global audit policy.
Demonstration steps:
1. Create a new organizational unit (OU).
2. Use the Properties page to access the OU's Security properties. Ensure that Advanced View is enabled.
3. Use the Auditing tab in Advanced Security to enable auditing for Administrator, for successful account-object creation.
4. Refresh Group Policy.
5. Create a new user in the OU. Set logon hours and a profile path for the user.
6. Open Event Viewer and display the results. Examine event 4720, "A user account was created". Examine the later 4738 events, which show the values for the logon hours and profile path that you configured.

Question: How would you enable the tracking of failure events for the Directory Service Changes subcategory?
Answer: You must use Auditpol.exe to enable failure tracking.
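As an added example (not part of the course materials), the audit-policy checks from the two auditing demonstrations scripted from PowerShell: reading the DS Access subcategories with Auditpol, enabling failure auditing for Directory Service Changes as the answer above requires, and then pulling the account-management events the demonstration examines (4720, 4726 and 4738) out of the Security log with the actor, target and changed attributes extracted from each event's XML. The helper name Get-AccountChangeEvents and the 50-event limit are mine; it assumes an elevated PowerShell 2.0 or later prompt on the domain controller.

```powershell
# Added example, not course content: DS Access audit policy checks and a reader
# for the account-management events (4720, 4726, 4738) examined in the demo.
# Assumptions: elevated PowerShell 2.0 or later on the domain controller;
# the helper name and event limit are constructed for this example.

# 1. Show the current state of the four DS Access subcategories. The category
#    name contains a space, so it must be quoted.
auditpol /get /category:"DS Access"

# 2. Enable failure auditing for Directory Service Changes only. The GPMC
#    "Audit directory service access" setting works at category level; this
#    subcategory-level change is only possible with Auditpol.
auditpol /set /subcategory:"Directory Service Changes" /failure:enable

# 3. Read the account-management events and lift the fields that matter out of
#    the event XML: who made the change, which account, and for 4738 the
#    changed attributes such as LogonHours and ProfilePath.
function Get-AccountChangeEvents {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726, 4738 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $action = switch ($_.Id) {
            4720 { 'created' }
            4726 { 'deleted' }
            4738 { 'changed' }
        }

        # In 4738, attributes that did not change are reported as '-'; keep only
        # the attributes the demonstration sets, with their new values.
        $watched = 'LogonHours', 'ProfilePath', 'UserAccountControl'
        $changed = if ($_.Id -eq 4738) {
            ($data.GetEnumerator() |
                Where-Object { $_.Value -ne '-' -and $watched -contains $_.Key } |
                ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        } else { '' }

        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Action  = $action
            Target  = "$($data.TargetDomainName)\$($data.TargetUserName)"
            By      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Changed = $changed
        }
    }
}

Get-AccountChangeEvents | Format-Table Time, Id, Action, Target, By, Changed -AutoSize
```

If the table stays empty after creating a user, check the OU's SACL before the policy: as the module notes, the subcategory alone produces nothing without a matching audit entry on the object.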


Lab objectives
Objectives covered in the lab:
- Monitoring AD DS using Event Viewer.
- Monitoring AD DS using Performance and Reliability Monitor.
- Configuring AD DS auditing.

Scenario: Woodgrove Bank has completed its deployment of AD DS. As the AD DS administrator, you must monitor AD DS availability and performance. The server administrator has provided a monitoring plan that includes service availability, performance, and event log monitoring components. Using Performance and Reliability Monitor, Event Viewer, and other tools, you will monitor AD DS domain controllers.

This lab consists of three exercises.
Exercise 1: Monitoring AD DS Using Event Viewer
The student will configure Event Viewer to monitor AD DS based on the monitoring plan prepared by the server administrator. Tasks include creating custom views, and creating subscriptions to capture all of the AD DS-relevant log information in a single location.
Exercise 2: Monitoring AD DS Using Performance and Reliability Monitor
The student will configure Performance and Reliability Monitor to monitor AD DS based on the monitoring plan prepared by the server administrator. Tasks include creating data collector sets, monitoring server performance by using Performance Monitor, and configuring alerts that are triggered when services are not available.
Exercise 3: Configuring AD DS Auditing
The student will configure AD DS auditing to comply with the monitoring plan prepared by the server administrator.

Inputs: AD DS monitoring plan provided by the server administrator.
Outputs: AD DS monitoring is configured in compliance with the monitoring plan.


Lab Review Questions and Answers
Question: You want to enable the Directory Service Changes subcategory without enabling a global audit policy. How could you do this?
Answer: Use the auditpol.exe command to enable just the Directory Service Changes subcategory for success, failure, or both.
Question: What services must be running on a source computer to provide information to a subscription?
Answer: The Windows Event Collector Service and the Windows Remote Management (WS-Management) services must be running.
Question: You have enabled a global audit policy to collect directory service access events, but no events are showing up in the Security log. What might be the problem?
Answer: You have not configured the SACL for the container that you are trying to audit.


Review Questions and Answers
Question: What kinds of events are logged in the Setup log?
Answer: The Setup log records events relating to each new application installation.
Question: For what event ID would you filter to see deleted user accounts?
Answer: Event ID 4726.
Question: What service would you enable on computers collecting subscription events from remote computers?
Answer: The Windows Event Collector (Wecsvc) service must be enabled on the collecting computer.
Question: Where can you get up-to-date information about event IDs?
Answer: Event log online help.
Question: Where can you get historical information about application failures?
Answer: The Reliability Monitor tracks historical information about application failures.
Question: The NTDS\DRA Pending Replication Synchronizations counter is now consistently higher than the established baseline value for that counter. What might this indicate?
Answer: Higher values indicate that the hardware is not adequately servicing replication.
Question: You want to view all the occurrences of a particular event ID across multiple logs. What is the best way to accomplish this?
Answer: Create a custom view for that event ID across multiple logs. Event Viewer allows you to save filters as reusable custom views.
