Active Directory Management and Monitoring

1
(No Transcript)
2
Active Directory Management and Monitoring

• Jenny Mulcahy, Regional Sales Manager
• Juli Kerr, Sr Systems Engineer

3
Agenda

• Architecture of AD
• DC
• Domains, trees, forest
• Sites
• OUs
• Replication
• What is replicated
• How is it replicated
• Monitoring
• Critical processes
• Best practices

4
Description of AD

• A Directory is a hierarchical structure that
  stores information about objects on the network
• Directory Service is the directory information
  and the services that make the information
  available
• AD is a namespace integrated with the Internet
  Domain Name Service (DNS)
• Extensible schema
• Information Replication

5
Domain Controllers

• A DC can host exactly one domain
• Store domain wide directory data and manage user
  domain interactions
• First DC in a domain houses a Global catalog
• First DC in a domain houses the FSMO roles
• Schema Master
• Domain Naming Master
• Infrastructure Master
• RID Master
• PDC Emulator

6
Information stored on DC

• Every DC (whether it is a GC or not) stores three
  partitions (units of replication) of directory
  data
• Domain data
• Schema data
• Configuration data
• If DC contains a GC, it holds and replicates
  additional data from all other domain data
  partitions in the forest
• Subset, read only

7
Domains

• AD is one or more domains
• Each domain is identified by a DNS domain name
• Administrative boundary
• Domainpartition or a naming contextunit of
  replication
• Structure the network
• Delegate administrative authority

8
Trees, forests

• Tree is a set of one or more domains with
  contiguous name space.
• May have more than one tree if company has
  additional unit that has its own DNS name and
  runs its own DNS servers.
• Forest is one or more domains
• A forest has a single root domain and it is the
  first domain created. Enterprise Admins and
  Schema Admins reside in this domain

9
Logical Structure
10
Domains in domain trees in a forest have the
following traits

• Transitive trust relationships among domains in
  the tree
• Transitive trust relationships among the domain
  trees in the forest
• Share common configuration information
• Share a common schema
• Share a common global catalog

11
Organizational Units (OUs)

• Directory object
• Represented by a folder in AD Users and Computers
• Logically store and organize objects in AD
• Use as administrative authority

12
Sites

• Set of computers in one or more IP subnets,
  connected using LAN technologies, or a set of
  LANS connected by a high speed backbone
• Separate sites are connected by less than LAN
  speed
• Site links are created and assigned costs,
  replication frequency and availability
• AD creates connection objects as a result of Site
  links
• Replication Protocols
• IP and SMTP
• Sites map the physical structure and are
  independent of domains
• AD allows multiple domains in one site and
  multiple sites can consist of one domain

13
Physical Structure
Bridgehead server
Bridgehead server
14
Sites provide the following services

• Clients can request service from a DC in the site
• AD tries to minimize replication latency for
  intra-site replication
• AD tries to minimize bandwidth consumption for
  inter-site replication
• Sites let you schedule inter-site replication

15
Replication Topology

• Automatically generated by the KCC
• Connections between DCs for directory replication
• KCC selects at least two connections for each DC
• KCC re-evaluates the physical topology on a
  periodic basis to take in to account changes
  occurring on the network

16
Multi-master replication

• Ensures data consistency over time
• Update Sequence Numbers
• 64-bit number maintained by each DC to track
  changes Propagation dampening
• Maintains a table of USNs from all replication
  partners
• Collision detection and Property Version Numbers

17
Why Should We Monitor?

• There are a lot of moving pieces within AD, and
  they are dependent on each other for
  functionality
• Reduce down time!
• Guarantee resource access
• Guarantee data is up-to-date and what we expect
• Being pro-active reduces amount of critical, time
  consuming, hard-to-detect problems
• Stop band-aiding a problem and get to the root
  cause
• Know your network!

18
What Should We Be Monitoring?

• Security access to resources
• Changes to AD
• Ensure backups are reliable
• Physical hardware health, adequacy
• WAN links, connectivity between sites
• DNS
• Domain Controllers
• DCs with Global Catalogs
• Replication progress
• FSMO role holders

19
How Do We Monitor?

• Use various tools within the Resource Kit
• ReplMon, RepAdmin, Netstat, NTDSUtil, NetDiag,
  DNSCmd
• Create scripts to automate
• Review results!
• Performance Monitor
• MMC Snap ins
• Check backups!
• Change Control enforcement
• Create SOPs and adhere to them
• Use diagnostics that come with hardware (CIM)
• Establish good communication with Telecom/DNS
  group
• Third party solutions