Microsoft CSS ADPerf Core Team and Justin Turner

Slides:

Advertisements

Similar presentations

Monitoring Exchange 2010 with System Center Operations Manager

Advertisements

Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.

13.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Chapter 9 Overview  Reasons to monitor SQL Server  Performance Monitoring and Tuning  Tools for Monitoring SQL Server  Common Monitoring and Tuning.

Network and Active Directory Performance Monitoring and Troubleshooting NETW4008 Lecture 8.

Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server INF21 3.

Chris Hewitt Adding magic to your business with Perceptual Intelligence ARC323 B.

Matt McSpirit Software-defined Networking in Windows Server 2016 INF32 4.

Jorke Odolphi Product Technology Specialist WebCentral Using Microsoft Operations Manager To Monitor And Maintain Your Farm.

Alessandro Cardoso, Microsoft MVP Creating your own “Private Cloud” with Windows 10 Hyper- V WIN443.

Mahesh Krishnan Architecting highly resilient applications on Azure ARC42 7.

Jessica Payne Microsoft Global Incident Response and Recovery

Mike James Building a cross-platform pedometer app with Xamarin & Azure MOB334.

Orin Thomas 30 Bad Habits of Server Administrators INF32 3.

Building a Microservices solution using Docker,

ASP.NET 2.0 Security Alex Mackman CM Group Ltd

Rick Claus Architect like a PRO for Performance and Availability of your Microsoft Azure VMs ARC43 6.

A deep dive into Azure AD B2C

Identity; What you need to know to be in the Microsoft Cloud

3 Ways to Integrate Business Systems to Partners

Serverless in Office 365 Build services with Azure Functions

Making of the Ignite Bot

What's New in System Center Configuration Manager, Current Branch and Intune INF324a Steven Hosking.

30 Tips and Tricks for Managing and Running Ubuntu/Bash/Windows Subsystem for Linux WIN321B Orin Thomas.

Introduction to ASP.NET Core

The Zen of Package Management

Power BI for the Enterprise

Conversation As a Platform - Part 1

Building Business Application with Office 365 and Other Line Business Systems

Power BI Architecture, Best Practices, and Performance Tuning

Microsoft Virtual Academy

6/16/2018 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

Microsoft Ignite /19/2018 2:35 AM

Need for Speed: Why Applications With No Database and No Services are Fast ARC334 Nick Randolph – Built to Roam.

Mastering Connectivity to O365

Jenkins and Azure OPEN322 Michael Friedrich.

Microsoft /6/ :30 PM BRK3293 Explore adventures in the underland: Forensic techniques against hackers evading the hook Paula Januszkiewicz.

02 | Design and implement database

Darren Neimke and Jonathan Ruckert

Migration Strategies – Business Desktop Deployment (BDD) Overview

Microsoft Ignite /11/2018 7:03 PM BRK4021

Ewan MacKellar & Mario Tevanian

Dynamics AX Performance

Build vNext in VSO and TFS 2015

What’s new in Visual Studio in 2015?

TechEd /14/2018 6:26 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered.

Microsoft Edge for Developers

Microsoft Ignite /19/ :53 AM Applying DevOps principals in applications integrated with Office 365 Evergreen Ben Parker ARC231B © 2015 Microsoft.

Rob Farley, LobsterPot Solutions

Microsoft Virtual Academy

Application Insights:

Modern cloud PaaS for mobile apps, web sites, API's and business logic apps

Bare Metal Development for the Universal Windows Platform

Microsoft Ignite /2/2019 1:15 AM Power Up Your Cross Platform Mobile Code with Platform Specific Features using Xamarin Alec Tucker MOB331 © 2015.

The Power of a Great API Damian Brady

What is Visual Studio Code?

Microsoft Virtual Academy

Deep Dive into Azure API Apps and Logic Apps

Jonathan Ruckert & Darren Neimke

UI test automation of MVC apps with Microsoft Edge WebDriver

Microsoft Virtual Academy

Chris Henley & Ben DiQual

Empower your users with Azure Active Directory Premium

Bob Duffy 27 years in database sector, 250+ projects

Microsoft Virtual Academy

Securing ASP.NET in an Azure Environment

Making Windows Azure Relevant to IT Professionals

SharePoint 2013 Best Practices

Presentation transcript:

Microsoft CSS ADPerf Core Team and Justin Turner Active Directory Performance Troubleshooting Microsoft CSS ADPerf Core Team and Justin Turner INF341

Overview / Agenda Symptoms, Cause and Resolution of AD Performance issues Troubleshooting workflow “Peeling the Onion” Common Scenario review Preventative Measures and References

Symptoms, Cause and Resolution Microsoft Ignite 2015 11/23/2018 11:37 AM Symptoms, Cause and Resolution A high level overview before we go deeper © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Symptoms DC side symptoms Client side symptoms Microsoft Ignite 2015 11/23/2018 11:37 AM Symptoms DC side symptoms Primarily: High LSASS CPU Utilization (could be high memory) Client side symptoms Timeouts, application failures due to slow / no DC response Slow LDAP(S) bind Repeated prompts for credentials © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Cause Excessive or Inefficient Workloads Other Bottleneck conditions Microsoft Ignite 2015 11/23/2018 11:37 AM Cause Excessive or Inefficient Workloads LDAP; SAM; LSA; Change notification (LDAP); Other Bottleneck conditions MaxConcurrentAPI (MCA); Null domain Auth; Null domain lookups © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resolution Client DC Client DC Reduce Optimize Redistribute Microsoft Ignite 2015 11/23/2018 11:37 AM Reduce Modify app/script Implement a cache Apply updates and rollups Optimize Index Modify config. Client DC Resolution Client DC Redistribute AD Site configuration Increase Capacity More DCs, CPUs etc. © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Troubleshooting Workflow “Peeling the Onion” DC-Side Data Collection AD Diagnostics Data Collector Set (With DC workload review) 1644 Event Logging Client-Side Data Collection

Troubleshooting process Microsoft Ignite 2015 11/23/2018 11:37 AM Reduce, Optimize, Distribute, Increase Capacity Client and DC-side methods If it hurts, stop doing it. Client-Side Data Collection Identify application, process, or script Tasklist, netstat, network trace, process monitor, etc. DC-Side Data Collection Map workload to client-side caller AD Diagnostics, 1644 Events, network trace, etc. © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

DC-Side Data Collection Microsoft Ignite 2015 11/23/2018 11:37 AM DC-Side Data Collection AD Diagnostic Data Collector Set (SPA) 1644 Event Logging – Tracking Inefficient / Expensive Queries Network trace, netstat –anob, tasklist /svc, Netlogon.log © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Demo: AD Diagnostics Data Collector Set Microsoft Ignite 2015 11/23/2018 11:37 AM Demo: AD Diagnostics Data Collector Set © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

DC Workload Directory operations AD Replication Search and Bind Microsoft Ignite 2015 11/23/2018 11:37 AM Directory operations AD Replication Search and Bind Kerberos ticket operations DSCrackNames, Account operations Sid2Name and Name2Sid NTLM operations © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Ignite 2015 11/23/2018 11:37 AM 1644 Event Logging Enable logging of expensive and inefficient searches in Event ID 1644 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering Set to a value of 0x5 to log one event per LDAP search that exceeds the threshold (Increase the size of the Directory Service Event Log) Thresholds If no threshold value is specified (registry value not set) then the following values are applied: Data analysis is difficult when looking at individual events. Event 1644 script available from TechNet Script Gallery Extracts 1644 events into Excel with pivot tables to make analysis easier Registry Path Data Type Default value OS Comment HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold DWORD 10,000 ALL Using the default values, a search is considered expensive if it visits more than 10,000 entries HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold 1,000 A search is considered inefficient if the search visits more than 1,000 entries and the returned entries are less than 10 percent of the entries that it visited. HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold (msecs) 30,000 Server 2012 R2 or later or MSKB 2800945 is installed (Server 2008, Server 2008 R2, Server 2012) Event is logged if search exceeds 30,000 milliseconds (30 seconds) – probably a bit too long for a threshold © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Common Issues LDAP Search vs ATQ Threads SAM calls Microsoft Ignite 2015 11/23/2018 11:37 AM Common Issues LDAP Search vs ATQ Threads SAM calls Null Domain Auth / Null Domain Lookups How long queued requests take to be serviced Requests are being queued Max ATQ Threads is equal to ATQ Threads Total © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Data Analysis Demos: High CPU Utilization LSASS Scenario 1 and Scenario 2

Preventative Measures DC and Client-side Updates / Rollups DC Sizing / Capacity General Configuration/Optimization Guidance

Updates to install: Recommendations for Clients Microsoft Ignite 2015 11/23/2018 11:37 AM Updates to install: Recommendations for DC role computers Update for 1644 Event log details LDAP Query Optimizer Update MS15-096 / KB 3072595 LSASS Memory Usage – Windows Server 2012 R2 only (Due 12/15) Recommendations for Clients Install relevant updates / rollups SBSL rollup for Windows 7 and Windows Server 2012 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

DC Sizing / Capacity 64-bit OS only Microsoft Ignite 2015 11/23/2018 11:37 AM DC Sizing / Capacity 64-bit OS only Sufficient memory to cache NTDS.DIT (even more with Windows Server 2012 R2) DIT + log files deployed to different drive than OS with sufficient spindles to support I/O volume generated by environment See capacity planning document Sufficient cores to handle load Proximity to load (location of servers/clients- to workload) –ie. in-site DCs Sufficient boxes to handle availability / redundancy © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Configuration / Optimization Identify and optimize inefficient LDAP queries Find and consider disabling null domain lookup behavior Have a well-defined AD Topology –clients map to AD sites Increase MCA API settings

Additional Resources Creating More Efficient Microsoft Active Directory-Enabled Applications LDAP Query Optimizer changes 1644 Event Improvements AD Data Collector Sets ATQ Performance Counters How to Find Expensive Inefficient Queries using 1644 and script LDAP

Summary AD Diagnostic Data Collector set and 1644 event logging Map DC workload to client-side caller Get client-side data to identify culprit Reduce, Optimize, Redistribute or Increase Capacity

A. Connor, Ming Chen, Ken Brumfield, Herbert Mauerer, Wayne McIntyre Contributors A. Connor, Ming Chen, Ken Brumfield, Herbert Mauerer, Wayne McIntyre

Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

Continue your Ignite learning path Microsoft Ignite 2015 11/23/2018 11:37 AM Continue your Ignite learning path Visit Microsoft Virtual Academy for free online training visit https://www.microsoftvirtualacademy.com Visit Channel 9 to access a wide range of Microsoft training and event recordings https://channel9.msdn.com/ Head to the TechNet Eval Centre to download trials of the latest Microsoft products http://Microsoft.com/en-us/evalcenter/ © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.