PATROL KM for Microsoft Windows Active Directory

The PATROL Knowledge Module for Microsoft Windows Active Directory lets you monitor and analyze your Microsoft Windows Active Directory environments. Whether you choose to monitor and analyze one environment or many, PATROL KM for Microsoft Windows Active Directory helps you:

  • Detect and notify if Microsoft Windows Active Directory generates errors or performs slowly
  • Monitor performance of system resources
  • Plan for capacity and availability
  • Monitor all domain controllers within a site
  • Monitor all domain controllers between sites
  • Anticipate and eliminate problems before they become apparent to users of the monitored Active Directory environments

For a brief description of product features, see the sections that follow. For descriptions of the application classes and parameters, see Monitor types and attributes.

Managed systems

PATROL KM for Microsoft Windows Active Directory monitors the performance of managed systems in a Microsoft Windows Active Directory environment. A PATROL KM for Microsoft Windows Active Directory managed system is a Windows domain controller onto which PATROL for Windows Servers has been installed.

A managed system provides a view of its Microsoft Windows Active Directory environment. Each managed system is responsible for monitoring Microsoft Windows Active Directory's key indicators that are required to ensure and maintain the consistency of the Directory data and the desired level of service throughout the Microsoft Windows Active Directory forest.

Replication monitoring

PATROL KM for Microsoft Windows Active Directory monitors the Microsoft Windows Active Directory replication for errors and latency (to verify that replication occurs within a reasonable time), both within a site (intrasite) and between sites (intersite) in the configuration naming context and/or the domain context of the current domain controller.

Directory replication is monitored at each managed system (domain controller). This functionality includes monitoring basic replication by creating synthetic transactions and verifying the replication of those transactions.

Intrasite replication monitoring

PATROL KM for Microsoft Windows Active Directory monitors the replication status of the domain controller upon which it is installed. It determines whether updates from each domain controller within the site have been replicated successfully and in a timely manner.

Intersite replication monitoring

Intersite replication monitoring verifies that Microsoft Windows Active Directory updates are successfully distributed between sites. Each bridgehead server in a site is checked to determine if Microsoft Windows Active Directory updates from other sites have been successfully replicated to the bridgehead server. The intersite replication interval is automatically determined at each collection; it requires no configuration. However, if you want, you can override the automatic replication interval determination, on a site-by-site basis, by configuring the configuration database (pconfig) variable /ActiveDirectory/Configuration/<site>/IntersiteReplicationSchedule.

Replication collisions monitoring

PATROL KM for Microsoft Windows Active Directory enables users to configure the Active Directory object types that should be monitored for replication collisions. The AD_AD_CNF application class monitors replication collisions, which occur during replication when an object with the same relative distinguished name is created in the same container on two or more different domain controllers.
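What such a collision looks like in a directory export, as an added example that is not part of the product or of this page: Active Directory renames the losing object by appending `\0ACNF:<objectGUID>` to its relative distinguished name, a convention the page itself does not describe. The function names, the `monitored_types` parameter and the sample entries are assumptions constructed for the illustration.

```python
import re

# RDN of a conflict object: <attr>=<original name>\0ACNF:<objectGUID>
CNF = re.compile(r"^(?P<attr>[A-Za-z]+)=(?P<name>.*?)\\0ACNF:(?P<guid>[0-9a-fA-F-]{36})$")

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped (simplified DN parsing)."""
    return re.split(r"(?<!\\),", dn)

def find_collisions(entries, monitored_types):
    """entries: list of (dn, object_class). One record per conflict object of a monitored type."""
    present = {dn.lower() for dn, _ in entries}
    hits = []
    for dn, object_class in entries:
        rdn, *parent = split_dn(dn)
        m = CNF.match(rdn)
        if not m or object_class not in monitored_types:
            continue
        container = ",".join(parent)
        # DN of the object that kept the original name in the same container
        name_holder = f"{m['attr']}={m['name']},{container}"
        hits.append({
            "conflict_dn": dn,
            "object_class": object_class,
            "container": container,
            "guid": m["guid"].lower(),
            "name_holder_present": name_holder.lower() in present,
        })
    return hits

# Constructed sample export (DN, objectClass); not real directory data.
G = "6f9619ff-8b86-d011-b42d-00c04fc964ff"
SAMPLE = [
    ("CN=WS042,OU=Workstations,DC=example,DC=com", "computer"),
    (rf"CN=WS042\0ACNF:{G},OU=Workstations,DC=example,DC=com", "computer"),
    (rf"CN=Smith\, Ann\0ACNF:{G},OU=Staff,DC=example,DC=com", "user"),
    (rf"CN=Printers\0ACNF:{G},OU=Sites,DC=example,DC=com", "container"),
]

if __name__ == "__main__":
    for hit in find_collisions(SAMPLE, {"computer", "user"}):
        print(hit)
```

A conflict object whose name holder is missing from the export usually means the original was deleted or moved after the collision, so the leftover still needs manual review.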

Replication health monitoring

PATROL KM for Microsoft Windows Active Directory monitors the performance of Active Directory replication for the local server. The AD_AD_REPLICATION application class monitors this activity.

FSMO monitoring

PATROL KM for Microsoft Windows Active Directory monitors the availability of the forest-wide and domain-wide flexible single master operations (FSMO) roles.

FSMO role connectivity monitoring

PATROL KM for Microsoft Windows Active Directory monitors the connectivity status of each of the five FSMO role holders from a domain controller. The AD_AD_FSMO_ROLE_CONNECTIVITY application class monitors the domain controller's ability to locate and establish an LDAP connection with the FSMO role holder.

FSMO role placement monitoring

PATROL KM for Microsoft Windows Active Directory monitors the placement of Active Directory FSMO roles in the domain and forest. The AD_AD_FSMO_ROLE_PLACEMENT application class monitors the placement of these roles.

LDAP monitoring

PATROL KM for Microsoft Windows Active Directory monitors Lightweight Directory Access Protocol (LDAP) locally at each monitored system for connection availability and response time. The AD_AD_LDAP application class monitors the performance of these LDAP requests.

SAM monitoring

PATROL KM for Microsoft Windows Active Directory monitors the Security Account Manager (SAM). SAM provides legacy NT authentication support. The AD_AD_SAM application class monitors these security requests. By default, SAM monitoring is inactive.

Address book monitoring

PATROL KM for Microsoft Windows Active Directory monitors the performance of Address Book requests made against the Microsoft Windows Active Directory server. The AD_AD_ADDRESS_BOOK application class monitors these requests. By default, Address book monitoring is inactive.

Authentication monitoring

PATROL KM for Microsoft Windows Active Directory monitors Kerberos and NTLM authentication requests made against the Microsoft Windows Active Directory server. The AD_AD_AUTHENTICATION application class monitors these requests.

Domain Naming Service monitoring

PATROL KM for Microsoft Windows Active Directory verifies and monitors various DNS record data for the Microsoft Windows Active Directory server. The AD_AD_DNS application class monitors the DNS-specific information.

File Replication Service monitoring

PATROL KM for Microsoft Windows Active Directory monitors various aspects of file replication service health. The AD_AD_FRS application class monitors the FRS-specific information.

Group policy monitoring

PATROL KM for Microsoft Windows Active Directory detects when a user account in one or more Group Policy Objects (GPO) cannot be resolved to a security identifier (SID). The AD_AD_GPO application class reports this condition.

Lost and found objects monitoring

PATROL KM for Microsoft Windows Active Directory monitors for the presence of objects in the LostAndFound container in the domain naming context of the domain controller. The AD_AD_LOST_AND_FOUND_OBJECTS application class monitors for lost and found objects.

Event monitoring

To measure the overall health of the domain controllers, PATROL KM for Microsoft Windows Active Directory configures the PATROL KM for Microsoft Windows OS to monitor various events pertaining to:

  • DNS name registration
  • Core Active Directory service
  • File replication service and group policy
  • Time synchronization service
  • Kerberos
  • Netlogon

Events monitored by parameters

Some parameters now monitor specific Active Directory events. See the Help for the PATROL KM for Windows Active Directory for information about these parameters.

Events monitored for specific areas of failure

The following tables contain event information that is classified by specific areas of failure.

DNS name registration

To identify failures with the DNS name registration, PATROL KM for Windows Active Directory configures PATROL KM for Microsoft Windows OS to obtain event information, as shown in the following table:

Monitored events - DNS name registration

| Event log | Source | Event | Significance |
|---|---|---|---|
| System | DNSAPI | 11154, 11166 | Domain controller does not have rights to perform a secure dynamic update. |
| System | DNSAPI | 11150, 11162 | DNS server timed out |
| System | DNSAPI | 11152, 11153, 11164, 11165 | Zone or currently-connected DNS server does not support dynamic update. |
| System | DNSAPI | 11151, 11155, 11163, 11167 | A resource record for the domain controller is not registered in DNS. |
| System | NETLOGON | 5773 | DNS locator record is not registered because the primary DNS server does not support dynamic update. |
| System | NETLOGON | 5774 | A DNS domain controller locator record is not registered. |

Core Active Directory service

To identify failures with the core Active Directory service, PATROL KM for Microsoft Windows Active Directory configures PATROL KM for Microsoft Windows OS to obtain event information, as shown in the following table:

Core Active Directory service monitored events

| Event log | Source | Event | Significance |
|---|---|---|---|
| Directory Service | all sources | Severity = error | Primary error events for Active Directory |
| System | LSASS | Severity = error | Local security authority is the core security subsystem for Active Directory. |

File replication service and group policy

To identify failures with the file replication service and group policy, PATROL KM for Microsoft Windows Active Directory configures PATROL KM for Microsoft Windows OS to obtain event information, as shown in the following table:

File replication service/group policy monitored events

| Event log | Source | Event | Significance |
|---|---|---|---|
| FRS | all sources | Severity = error | Synchronizes policy between all domain controllers in the forest. |
| Application | USERENV | Severity = error; User = System | Applies group policy and profiles on domain controllers. |
| Application | SCECLI | Severity = error | Security Configuration Engine error messages |

Time synchronization service

To identify events that might indicate problems maintaining uniform time in the Active Directory forest, PATROL KM for Microsoft Windows Active Directory monitors the events shown in the following table:

Time synchronization service monitored events

| Event log | Source | Event | Significance |
|---|---|---|---|
| System | W32TIME | Severity = error; Severity = warning | Problem maintaining uniform time throughout the Microsoft Windows Active Directory forest |

Kerberos

To identify events that may indicate problems with Kerberos, the default authentication protocol, PATROL KM for Microsoft Windows Active Directory monitors the event shown in the following table:

Kerberos monitored events

| Event log | Source | Event | Significance |
|---|---|---|---|
| System | KDC | Severity = error | Critical Kerberos Distribution Center service error messages |

Net Logon

To identify events that might indicate problems with Net Logon service and protocol, which is required for proper domain controller functionality, PATROL KM for Microsoft Windows Active Directory monitors the events shown in the following table:

Netlogon monitored events

| Event log | Source | Event | Significance |
|---|---|---|---|
| System | NETLOGON | Severity = error; 5705, 5723 | Critical NETLOGON service errors |
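The event tables above can be turned into a small triage filter for exported event records. The following is an added example, not code from the product: the `Rule` class, the record fields (`log`, `source`, `id`, `level`, `user`) and the sample events are assumptions, as is the reading that every condition listed in a table row must hold for an event to match.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    area: str
    log: str
    source: str = ""                  # "" = all sources
    levels: frozenset = frozenset()   # empty = any severity
    ids: frozenset = frozenset()      # empty = any event ID
    user: str = ""                    # "" = any user

    def matches(self, ev: dict) -> bool:
        return (ev["log"] == self.log
                and self.source in ("", ev["source"].upper())
                and (not self.levels or ev["level"] in self.levels)
                and (not self.ids or ev["id"] in self.ids)
                and self.user in ("", ev.get("user")))

ERR = frozenset({"error"})
DNS, CORE = "DNS name registration", "Core Active Directory service"
FRS_GP = "File replication service and group policy"
RULES = [  # rows of the page's tables; assumed reading: all conditions in a row must hold
    Rule(DNS, "System", "DNSAPI", ids=frozenset({11150, 11151, 11152, 11153, 11154, 11155,
                                                 11162, 11163, 11164, 11165, 11166, 11167})),
    Rule(DNS, "System", "NETLOGON", ids=frozenset({5773, 5774})),
    Rule(CORE, "Directory Service", "", ERR),
    Rule(CORE, "System", "LSASS", ERR),
    Rule(FRS_GP, "FRS", "", ERR),
    Rule(FRS_GP, "Application", "USERENV", ERR, user="System"),
    Rule(FRS_GP, "Application", "SCECLI", ERR),
    Rule("Time synchronization service", "System", "W32TIME", frozenset({"error", "warning"})),
    Rule("Kerberos", "System", "KDC", ERR),
    Rule("Net Logon", "System", "NETLOGON", ERR, frozenset({5705, 5723})),
]

def classify(ev: dict) -> list:
    return [r.area for r in RULES if r.matches(ev)]  # failure areas for one event

def triage(events) -> Counter:
    """Count matching events per failure area; unmatched events are ignored."""
    return Counter(area for ev in events for area in classify(ev))

SAMPLE = [  # constructed event records, not real log output
    {"log": "System", "source": "NETLOGON", "id": 5774, "level": "error"},
    {"log": "System", "source": "NETLOGON", "id": 5705, "level": "warning"},
    {"log": "Application", "source": "Userenv", "id": 1000, "level": "error", "user": "System"},
    {"log": "System", "source": "W32Time", "id": 36, "level": "warning"},
]
```

Under this reading a NETLOGON event is filed by its ID: 5773 and 5774 count as DNS name registration failures, while only error-level 5705 and 5723 count as Net Logon failures.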