Directory Service Continuity: Monitor Active Directory; Manage the Active Directory Database; Back Up and Restore AD DS and Domain Controllers


1 Directory Service Continuity
- Monitor Active Directory
- Manage the Active Directory Database
- Back Up and Restore AD DS and Domain Controllers

2 Understand Performance and Bottlenecks
- Key system resources
  - CPU
  - Disk
  - Memory
  - Network
- Bottleneck: Resource that is currently at peak utilization
- Tools
  - Task Manager
  - Event Viewer
  - Resource Monitor
  - Reliability Monitor
  - Performance Monitor
  - System Center Operations Manager

3 Task Manager
- Starting taskmgr.exe
  - CTRL+SHIFT+ESC
  - CTRL+ALT+DEL
  - Right-click taskbar
  - Start taskmgr.exe
- Real-time performance
  - Applications
  - Processes
  - Services
  - Performance
    - High-level CPU, network, memory
    - No disk counters
  - Logged-on users
- Entry point to Resource Monitor

4 Resource Monitor
- Full view of key system components
  - Click each graph to expand/collapse the component
- Launching Resource Monitor
  - Task Manager > Performance > Resource Monitor
  - Start perfmon /res
  - Home view of Windows Reliability and Performance Monitor (WRPM) snap-in

5 Event Viewer
- What you see
  - Many more logs
  - Summary and custom views based on cross-log queries
  - Role-based views in Server Manager
  - More detailed events
- What you can do
  - Integrate with Task Scheduler: E-mails or actions based on event
  - Subscribe to events from other computers

6 Demonstration: Event Viewer
- In this demonstration, we will
  - Explore Event Viewer
  - Identify the Active Directory logs
    - Directory Service
    - Domain Name System (DNS)
    - Distributed File System Replication (DFSR)
    - Group Policy Operational log
  - Discover the new features in the Windows Server 2008 Event Viewer

7 Custom Views
- Aggregate events from multiple logs
- Filter
- Reuse
- Export for import to other computers
[Diagram: Event 1 (Security log), Event 2 (System log) and Event 3 (DFS log) aggregated in Event Viewer]

8 Subscriptions
- Collect events from one or more computers
- Store the events locally
- Use Windows Remote Management (WinRM)
- Require WinRM exceptions in firewall

9 Windows Reliability and Performance Monitor (WRPM)
- Track system changes (Reliability Monitor)
- Display real-time or logged performance data (Performance Monitor)
  - Generate reports or graphical views of performance
  - Generate alerts
  - Take action when thresholds are reached
- Collect data (Data Collector Sets and Reports)
  - Generate reports
  - Generate graphical views of logged performance

10 Reliability Monitor
- Tracks system changes
  - Software install/uninstall
  - Application failures
  - Windows failures
  - Hardware failures

11 Performance Monitor
- Useful counters in any server baseline
  - Memory\Pages/sec
  - PhysicalDisk\Avg. Disk Queue Length
  - Processor\% Processor Time
- Useful counters for monitoring Active Directory
  - NTDS\DRA Inbound Bytes Total/sec
  - NTDS\DRA Inbound Object
  - NTDS\DRA Outbound Bytes Total/sec
  - NTDS\DRA Pending Replication Synchronizations
  - NTDS\Kerberos Authentications/sec
  - NTDS\NTLM Authentications

12 Data Collector Sets
- Collections of data points
  - Performance counters
  - Event trace data
  - System configuration information (registry keys)
- Use to
  - View real-time performance with Performance Monitor
  - Create a log (manually invoked or scheduled) and then view Reports
  - Generate alerts based on thresholds
  - Use by other applications
- Create
  - Start from a template; role templates added by Windows
  - Save an existing set of counters in a Performance Monitor view
  - Manually specify and configure data collectors in a set
  - Export/import data collector set as XML

13 Monitoring Best Practices
1. Monitor early to establish baselines!
  - Document performance when things are working well
  - Include server and role-related counters during idle and busy times
2. Monitor often to identify potential problems
  - Compare to baseline and watch for troublesome deviation
3. Know how to monitor and interpret performance before a meltdown
  - Establish Data Collector Sets
  - Build the skills to interpret performance counters
4. Capture appropriately
  - Don’t overcapture
    - Degrades performance
    - Creates “noise,” making it difficult to identify real problems
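An added example, not part of the original presentation, of the baseline-then-compare practice using the counters listed on slide 11. The function names, the `(_Total)` instances, the file path and the thresholds are assumptions of this example.

```powershell
# Counters from slide 11; the (_Total) instances are an assumption of this example.
$Counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\DRA Inbound Bytes Total/sec',
    '\NTDS\DRA Outbound Bytes Total/sec',
    '\NTDS\DRA Pending Replication Synchronizations'
)

# Sample every counter and reduce each one to its average and maximum.
# The -replace strips the leading \\HOST from each sample path so that
# summaries taken on different days group under the same counter name.
function Get-CounterSummary {
    param([string[]]$Counter, [int]$IntervalSec = 5, [int]$Samples = 12)
    Get-Counter -Counter $Counter -SampleInterval $IntervalSec -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples } |
        Group-Object { $_.Path -replace '^\\\\[^\\]+', '' } |
        ForEach-Object {
            $m = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            New-Object PSObject -Property @{
                Counter = $_.Name; Average = $m.Average; Maximum = $m.Maximum
            }
        }
}

# Report counters whose current average exceeds Factor x baseline + Slack.
# Slack keeps a counter with a zero baseline (for example pending
# replication synchronizations) from being ignored.
function Compare-ToBaseline {
    param($Baseline, $Current, [double]$Factor = 2.0, [double]$Slack = 1.0)
    foreach ($c in $Current) {
        $b = $Baseline | Where-Object { $_.Counter -eq $c.Counter }
        if ($b -and $c.Average -gt ($Factor * $b.Average + $Slack)) {
            New-Object PSObject -Property @{
                Counter = $c.Counter; Baseline = $b.Average; Current = $c.Average
            }
        }
    }
}

# Run once while the domain controller is healthy (example path):
#   Get-CounterSummary $Counters | Export-Clixml C:\PerfLogs\dc-baseline.xml
# Run on a schedule afterwards:
#   $now = Get-CounterSummary $Counters
#   Compare-ToBaseline (Import-Clixml C:\PerfLogs\dc-baseline.xml) $now
```

Capture separate baselines for idle and busy periods, as the slide recommends, and compare like with like.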

14 Active Directory Database Files
File: Description
- NTDS.dit: The AD DS database file
  - All AD DS partitions and objects on the domain controller
  - Default location: %systemroot%\NTDS
- EDB*.log: Transaction log
  - Default transaction log: EDB.log
  - Overflow logs: Edb000x.log
- EDB.chk: Checkpoint file
  - Pointer into transaction log: which transactions have or have not been committed
- edbres00001.jrs, edbres00002.jrs: Reserved transaction log files
  - Used if disk runs out of space, so that transaction logs do not crash

15 How the Database Is Modified
[Diagram: write request]
- Transaction is initiated
- Write to the transaction buffer
- Write to the database on disk (NTDS.dit on disk)
- Write to the transaction log file (EDB.log)
- Commit the transaction
- Update the checkpoint (EDB.chk)

16 NTDSUtil
- Manage and control single master operations (Module 11)
- Perform AD DS database maintenance (Module 13)
  - Perform offline defragmentation
  - Create and mount snapshots
  - Move database files
- Clean domain controller metadata
  - Domain controller removal or demotion while not connected to domain
- Reset Directory Services Restore Mode password
  - set dsrm

17 Perform Database Maintenance
- Garbage collection
  - Scavenging: Removing deleted items that have reached their tombstone lifetime
- Defragmentation
  - Online defrag (part of garbage collection): reclaims unused space
  - Offline defrag (manual): releases unused space, reduces file size
    - Use NTDSUtil
- Restartable AD DS
  - You can stop AD DS in Services just like any other service
  - For applying updates that affect AD DS files
  - Before performing offline defragmentation

18 Active Directory Snapshots
- Create a snapshot of Active Directory
  - NTDSUtil
- Mount the snapshot to a unique port
  - NTDSUtil
- Expose the snapshot
  - Right-click the root node of Active Directory Users and Computers and choose Connect to Domain Controller
  - Enter serverFQDN:port
- View (read-only) snapshot
  - Cannot directly restore data from the snapshot
- Recover data
  - Manually re-enter data or
  - Restore a backup from the same date as the snapshot
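The snapshot steps above as one script, added here as an example and not taken from the presentation. It uses dsamain.exe (not named on the slide) to serve the mounted database on an LDAP port; the port number, the parsing of ntdsutil's output and the default database location on the mounted volume are assumptions.

```powershell
$Port = 50000    # assumed free TCP port for the snapshot's LDAP listener

# Create the snapshot; ntdsutil prints the snapshot-set GUID in braces.
$out = ntdsutil snapshot "activate instance ntds" create quit quit
$hit = $out | Select-String '\{[0-9a-f-]{36}\}' | Select-Object -First 1
if (-not $hit) { throw 'No snapshot GUID found in ntdsutil output.' }
$Guid = $hit.Matches[0].Value

# Mount it; the output is assumed to read "... mounted as <path>".
$out = ntdsutil snapshot "mount $Guid" quit quit
$hit = $out | Select-String 'mounted as (\S+)' | Select-Object -First 1
if (-not $hit) { throw 'Mount point not found in ntdsutil output.' }

# Assumes the database sits at the default location on the mounted volume.
$Dit = Join-Path $hit.Matches[0].Groups[1].Value 'Windows\NTDS\ntds.dit'
if (-not (Test-Path -LiteralPath $Dit)) { throw "No database at $Dit" }

try {
    # Serve the snapshot read-only; connect ADUC or LDP to localhost:$Port.
    $dsa = Start-Process dsamain -PassThru `
        -ArgumentList "-dbpath `"$Dit`" -ldapport $Port"
    Read-Host "Snapshot served on localhost:$Port. Press Enter to tear down"
}
finally {
    # The mounted copy is a complete ntds.dit, credential data included,
    # so stop the listener and unmount as soon as the review is finished.
    if ($dsa -and -not $dsa.HasExited) { Stop-Process -Id $dsa.Id }
    ntdsutil snapshot "unmount $Guid" quit quit
}
```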

19 Restore Deleted Objects
- When an object is deleted
  - Stripped of almost every attribute except SID, objectGUID, lastKnownParent, sAMAccountName
  - Moved to Deleted Objects container, marked as isDeleted
- You can restore (“reanimate”) deleted (“tombstoned”) objects when
  - Domain functional level is Windows Server 2003 or greater
  - Deleted object has not yet been scavenged
- Steps
  - LDP.exe
    - Modify isDeleted
    - Provide distinguished name (DN)
  - Repopulate all other attributes

20 Backup and Recovery Tools
- Windows Server Backup snap-in (use locally or remotely)
  - Back up a full server (all volumes)
  - Back up selected volume(s)
  - Back up system state (includes all critical volumes)
  - Recover volumes, folders, files, or system state
- wbadmin.exe
- Perform manual or automated backup
- Back up to CD/DVD/HDD
  - No tape!
  - Use a dedicated HDD for backup: recommended or required

21 Overview of AD DS and Domain Controller Backup
- You must back up all critical volumes
  - System volume: The volume that contains boot files
  - Boot volume: The volume that contains the Windows operating system and the registry
  - Volume(s) hosting SYSVOL, AD DS database (NTDS.dit), logs
  - Do not store other data on these volumes as it will increase backup and restore times
- Windows Server Backup (wbadmin.exe)

22 Other Backup and Recovery Tools
- Active Directory Snapshots
- PowerShell cmdlets
- Windows Recovery Environment
  - Boot to Windows Server 2008 DVD and choose System Recovery Options
  - Install locally as a boot option
  - Useful for full system recovery
- Microsoft System Center Data Protection Manager 2007

23 Active Directory Restore Options
- Nonauthoritative (normal) restore
  - Restore domain controller to previously known good state of Active Directory
  - Domain controller will be updated using standard replication from up-to-date partners
- Authoritative restore
  - Restore domain controller to previously known good state of Active Directory
  - “Mark” objects that you want to be authoritative
    - Windows sets the version numbers very high
  - Domain controller is updated from its up-to-date partners
  - Domain controller sends authoritative updates to its partners
- Full Server Restore
  - Typically performed in Windows Recovery Environment
- Alternate Location Restore

24 Nonauthoritative Restore
- Restart the domain controller in DSRM
  - Locally: Press F8 on restart
  - Remotely using remote desktop:
    - Configure restart in DSRM: bcdedit /set safeboot dsarepair
    - Restart: shutdown -t 0 -r
- Log on with the Administrator account and the DSRM password
- Perform the nonauthoritative restore
  - Use Windows Server Backup (wbadmin.exe) to restore AD DS
- Restart
  - Set normal restart: bcdedit /deletevalue safeboot
  - Restart: shutdown -t 0 -r
- Domain controller replicates all changes since date of backup from its partners

25 Authoritative Restore
- Restart the domain controller in DSRM
- Log on with the Administrator account and the DSRM password
- Perform the nonauthoritative restore
  - Use Windows Server Backup (wbadmin.exe) to restore AD DS
- Mark selected objects as authoritative
  - restore [object|subtree] "objectDN"
  - Authoritative changes have a higher version number than on partners
- Restart
- Restored domain controller replicates changes since date of backup
- Partners see authoritative changes with high version numbers
  - Partners pull the authoritative changes from the restored domain controller
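The nonauthoritative and authoritative restore procedures from slides 24 and 25 as one command sequence, added here as an example and not taken from the presentation. The function names are hypothetical, each phase runs in a separate logon because reboots separate them, and the version identifier and DN in the usage comments are constructed sample values.

```powershell
# Phase 1 (normal mode): make the next boot a DSRM boot, then restart.
function Enter-Dsrm {
    bcdedit /set safeboot dsarepair
    shutdown -t 0 -r
}

# Phase 2 (in DSRM): nonauthoritative restore of system state.
# $Version is a version identifier listed by: wbadmin get versions
function Restore-AdSystemState {
    param([Parameter(Mandatory=$true)][string]$Version)
    # Windows sets SAFEBOOT_OPTION when booted in a safe mode; refuse to
    # restore unless this boot really is Directory Services Restore Mode.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not booted in DSRM; AD DS must be offline for the restore.'
    }
    wbadmin start systemstaterecovery "-version:$Version"
}

# Phase 3 (still in DSRM, authoritative restore only): mark a subtree.
# Must run BEFORE the return to normal mode; once the domain controller
# replicates, partners overwrite the restored objects with newer versions.
# Assumes a DN without spaces, which avoids nested quoting for ntdsutil.
function Set-AuthoritativeSubtree {
    param([Parameter(Mandatory=$true)][string]$SubtreeDN)
    ntdsutil "activate instance ntds" "authoritative restore" `
        "restore subtree $SubtreeDN" quit quit
}

# Phase 4 (in DSRM): clear the safeboot flag and restart normally.
function Exit-Dsrm {
    bcdedit /deletevalue safeboot
    shutdown -t 0 -r
}

# Nonauthoritative restore (constructed version identifier):
#   Enter-Dsrm
#   Restore-AdSystemState -Version '01/15/2024-21:00'
#   Exit-Dsrm
# Authoritative restore: same, plus before Exit-Dsrm (constructed DN):
#   Set-AuthoritativeSubtree -SubtreeDN 'OU=Staff,DC=example,DC=com'
```

Because the safeboot flag persists until Phase 4 clears it, a restart requested by wbadmin after the system state recovery returns to DSRM, which is where the authoritative marking has to happen.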

