The PATROL Knowledge Module for Microsoft Windows Active Directory lets you monitor and analyze your Microsoft Windows Active Directory environments. Whether you choose to monitor and analyze one environment or many, PATROL KM for Microsoft Windows Active Directory helps you
For a brief description of product features, see the sections that follow. For descriptions of the application classes and parameters, see Monitor types or application classes.
PATROL KM for Microsoft Windows Active Directory monitors the performance of managed systems in a Microsoft Windows Active Directory environment. A PATROL KM for Microsoft Windows Active Directory managed system is a Windows domain controller onto which PATROL for Windows Servers has been installed.
A managed system provides a view of its Microsoft Windows Active Directory environment. Each managed system is responsible for monitoring Microsoft Windows Active Directory's key indicators that are required to ensure and maintain the consistency of the Directory data and the desired level of service throughout the Microsoft Windows Active Directory forest.
PATROL KM for Microsoft Windows Active Directory monitors the Microsoft Windows Active Directory replication for errors and latency (to verify that replication occurs within a reasonable time), both within a site (intrasite) and between sites (intersite) in the configuration naming context and/or the domain context of the current domain controller.
Directory replication is monitored at each managed system (domain controller). This functionality includes monitoring basic replication by creating synthetic transactions and verifying the replication of those transactions.
PATROL KM for Microsoft Windows Active Directory monitors the replication status of the domain controller upon which it is installed. It determines whether updates from each domain controller within the site have been replicated successfully and in a timely manner.
Intersite replication monitoring verifies that Microsoft Windows Active Directory updates are successfully distributed between sites. Each bridgehead server in a site is checked to determine if Microsoft Windows Active Directory updates from other sites have been successfully replicated to the bridgehead server. The intersite replication interval is automatically determined at each collection; it requires no configuration. However, if you want, you can override the automatic replication interval determination, on a site-by-site basis, by configuring the configuration database (pconfig) variable /ActiveDirectory/Configuration/<site>/IntersiteReplicationSchedule.
PATROL KM for Microsoft Windows Active Directory enables users to configure the Active Directory object types that should be monitored for replication collisions. The AD_AD_CNF application class monitors replication collisions, which occur during replication when an object with the same relative distinguished name is created in the same container on two or more different domain controllers.
PATROL KM for Microsoft Windows Active Directory monitors the performance of Active Directory replication for the local server. The AD_AD_REPLICATION application class monitors this activity.
PATROL KM for Microsoft Windows Active Directory monitors the availability of the forest-wide and domain-wide flexible single master operations (FSMO) roles.
PATROL KM for Microsoft Windows Active Directory monitors the connectivity status of each of the five FSMO role holders from a domain controller. The AD_AD_FSMO_ROLE_CONNECTIVITY application class monitors the domain controller's ability to locate and establish an LDAP connection with the FSMO role holder.
PATROL KM for Microsoft Windows Active Directory monitors the placement of Active Directory FSMO roles in the domain and forest. The AD_AD_FSMO_ROLE_PLACEMENT application class monitors the placement of these roles.
PATROL KM for Microsoft Windows Active Directory monitors Lightweight Directory Access Protocol (LDAP) locally at each monitored system for connection availability and response time. The AD_AD_LDAP application class monitors the performance of these LDAP requests.
PATROL KM for Microsoft Windows Active Directory monitors the Security Account Manager (SAM). SAM provides legacy NT authentication support. The AD_AD_SAM application class monitors these security requests. By default, SAM monitoring is inactive.
PATROL KM for Microsoft Windows Active Directory monitors the performance of Address Book requests made against the Microsoft Windows Active Directory server. The AD_AD_ADDRESS_BOOK application class monitors these requests. By default, Address Book monitoring is inactive.
PATROL KM for Microsoft Windows Active Directory monitors Kerberos and NTLM authentication requests made against the Microsoft Windows Active Directory server. The AD_AD_AUTHENTICATION application class monitors these requests.
PATROL KM for Microsoft Windows Active Directory verifies and monitors various DNS record data for the Microsoft Windows Active Directory server. The AD_AD_DNS application class monitors the DNS-specific information.
PATROL KM for Microsoft Windows Active Directory monitors various aspects of file replication service (FRS) health. The AD_AD_FRS application class monitors the FRS-specific information.
PATROL KM for Microsoft Windows Active Directory detects when a user account in one or more Group Policy Objects (GPO) cannot be resolved to a security identifier (SID). The AD_AD_GPO application class reports this condition.
PATROL KM for Microsoft Windows Active Directory monitors for the presence of objects in the LostAndFound container in the domain naming context of the domain controller. The AD_AD_LOST_AND_FOUND_OBJECTS application class monitors for lost and found objects.
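The two object conditions described above (replication collisions and LostAndFound objects) can be recognized from distinguished names alone. The following is an added example, not BMC's code: it relies on the Active Directory convention that the losing object in a collision is renamed to `<original>\0ACNF:<objectGUID>`, and it assumes DNs in LDAP string form; the function names and sample DNs are constructed for illustration.

```python
import re
# A conflict-renamed RDN value reads "<original>\0ACNF:<objectGUID>" in LDAP string form.
CNF_RE = re.compile(r"^(?P<name>.*)\\0ACNF:(?P<guid>[0-9a-fA-F-]{36})$")

def split_dn(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2      # copy the escape pair untouched
        elif dn[i] == ",":
            parts.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    parts.append(cur.strip())
    return parts

def inspect(dn):
    """Classify one DN: replication collision, object under the domain's LostAndFound, or ok."""
    rdns = split_dn(dn)
    attr, _, value = rdns[0].partition("=")
    parent = ",".join(rdns[1:])
    m = CNF_RE.match(value)
    if m:
        return {"kind": "collision", "original_rdn": f"{attr}={m['name']}",
                "container": parent, "guid": m["guid"].lower()}
    for i in range(1, len(rdns)):   # LostAndFound has only DC= components above it
        if rdns[i].lower() == "cn=lostandfound" and all(
                r.lower().startswith("dc=") for r in rdns[i + 1:]):
            return {"kind": "lost_and_found", "container": parent}
    return {"kind": "ok"}

def scan(dns):
    """Group collisions by (container, original RDN) and list LostAndFound DNs."""
    report = {"collisions": {}, "lost_and_found": []}
    for dn in dns:
        info = inspect(dn)
        if info["kind"] == "collision":
            key = (info["container"], info["original_rdn"])
            report["collisions"].setdefault(key, []).append(info["guid"])
        elif info["kind"] == "lost_and_found":
            report["lost_and_found"].append(dn)
    return report

# Constructed sample DNs for illustration (not taken from a real directory).
SAMPLE_DNS = [
    r"CN=Jane Doe,OU=Staff,DC=corp,DC=example",
    r"CN=Jane Doe\0ACNF:6f1c2d3e-4a5b-4c6d-8e7f-0a1b2c3d4e5f,OU=Staff,DC=corp,DC=example",
    r"CN=Smith\, Al,CN=LostAndFound,DC=corp,DC=example",
]
```

Grouping by container and original RDN shows which surviving object each conflict object duplicates, which is the information needed to decide which copy to keep.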
To measure the overall health of the domain controllers, PATROL KM for Microsoft Windows Active Directory configures the PATROL KM for Microsoft Windows OS to monitor various events pertaining to
Some parameters now monitor specific Active Directory events. See the Help for the PATROL KM for Windows Active Directory for information about these parameters.
The following tables contain event information that is classified by specific areas of failure.
To identify failures with the DNS name registration, PATROL KM for Windows Active Directory configures PATROL KM for Microsoft Windows OS to obtain event information, as shown in the following table:
Monitored events - DNS name registration
Event Log | Source | Event | Significance |
---|---|---|---|
System | DNSAPI | 11154, 11166 | Domain controller does not have rights to perform a secure dynamic update. |
System | DNSAPI | 11150, 11162 | DNS server timed out. |
System | DNSAPI | 11152, 11153, 11164, 11165 | Zone or currently-connected DNS server does not support dynamic update. |
System | DNSAPI | 11151, 11155, 11163, 11167 | A resource record for the domain controller is not registered in DNS. |
System | NETLOGON | 5773 | DNS locator record is not registered because the primary DNS server does not support dynamic update. |
System | NETLOGON | 5774 | A DNS domain controller locator record is not registered. |
To identify failures with the core Active Directory service, PATROL KM for Microsoft Windows Active Directory configures PATROL KM for Microsoft Windows OS to obtain event information, as shown in the following table:
Core Active Directory service monitored events
Event Log | Source | Event | Significance |
---|---|---|---|
Directory Service | all sources | Severity = error | Primary error events for Active Directory |
System | LSASS | Severity = error | Local security authority is the core security subsystem for Active Directory. |
To identify failures with the file replication service and group policy, PATROL KM for Microsoft Windows Active Directory configures PATROL KM for Microsoft Windows OS to obtain event information, as shown in the following table:
File replication service/group policy monitored events
Event log | Source | Event | Significance |
---|---|---|---|
FRS | all sources | Severity = error | Synchronizes policy between all domain controllers in the forest. |
Application | USERENV | Severity = error; User = System | Applies group policy and profiles on domain controllers. |
Application | SCECLI | Severity = error | Security Configuration Engine error messages |
To identify events that might indicate problems maintaining uniform time in the Active Directory forest, PATROL KM for Microsoft Windows Active Directory monitors the events shown in the following table:
Time synchronization service monitored events
Event log | Source | Event | Significance |
---|---|---|---|
System | W32TIME | Severity = error; Severity = warning | Problem maintaining uniform time throughout the Microsoft Windows Active Directory forest |
To identify events that might indicate problems with Kerberos, the default authentication protocol, PATROL KM for Microsoft Windows Active Directory monitors the event shown in the following table:
Kerberos monitored events
Event Log | Source | Event | Significance |
---|---|---|---|
System | KDC | Severity = error | Critical Kerberos Distribution Center service error messages |
To identify events that might indicate problems with Net Logon service and protocol, which is required for proper domain controller functionality, PATROL KM for Microsoft Windows Active Directory monitors the events shown in the following table:
Netlogon monitored events
Event log | Source | Event | Significance |
---|---|---|---|
System | NETLOGON | Severity = error; 5705, 5723 | Critical NETLOGON service errors |
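The event tables above amount to a set of matching rules on event log, source, event ID, severity and user. The following added example (not part of the product or its documentation) encodes those rows and classifies exported event records into the failure areas; the record field names and sample events are constructed, and the Netlogon row is read as "severity error or ID 5705/5723", which is an assumption.

```python
# Rules transcribed from the monitored-event tables above. Fields: area, log,
# source (None = all sources), event IDs, severities, user (None = not checked).
RULES = [
    ("DNS name registration", "System", "DNSAPI",
     {11150, 11151, 11152, 11153, 11154, 11155,
      11162, 11163, 11164, 11165, 11166, 11167}, None, None),
    ("DNS name registration", "System", "NETLOGON", {5773, 5774}, None, None),
    ("Core Active Directory service", "Directory Service", None, None, {"error"}, None),
    ("Core Active Directory service", "System", "LSASS", None, {"error"}, None),
    ("File replication service/group policy", "FRS", None, None, {"error"}, None),
    ("File replication service/group policy", "Application", "USERENV", None, {"error"}, "System"),
    ("File replication service/group policy", "Application", "SCECLI", None, {"error"}, None),
    ("Time synchronization service", "System", "W32TIME", None, {"error", "warning"}, None),
    ("Kerberos", "System", "KDC", None, {"error"}, None),
    # Assumption: the Netlogon row puts a severity and two IDs in one cell;
    # either condition is treated as a match, hence two rules.
    ("Netlogon", "System", "NETLOGON", None, {"error"}, None),
    ("Netlogon", "System", "NETLOGON", {5705, 5723}, None, None),
]

def classify(event):
    """Return the sorted failure areas whose table rows match one event record."""
    areas = set()
    for area, log, source, ids, severities, user in RULES:
        if (event["log"].lower() == log.lower()
                and (source is None or event["source"].upper() == source)
                and (ids is None or event["id"] in ids)
                and (severities is None or event["severity"].lower() in severities)
                and (user is None or event.get("user", "").lower() == user.lower())):
            areas.add(area)
    return sorted(areas)

def summarize(events):
    """Count matching events per failure area; events matching no row are skipped."""
    counts = {}
    for event in events:
        for area in classify(event):
            counts[area] = counts.get(area, 0) + 1
    return counts

# Constructed sample records (not real log output); the dict keys are hypothetical.
SAMPLE = [
    {"log": "System", "source": "DNSAPI", "id": 11154, "severity": "warning"},
    {"log": "System", "source": "NETLOGON", "id": 5774, "severity": "error"},
    {"log": "Application", "source": "USERENV", "id": 1000, "severity": "error", "user": "jdoe"},
    {"log": "System", "source": "W32TIME", "id": 36, "severity": "warning"},
    {"log": "System", "source": "KDC", "id": 7, "severity": "information"},
]
```

A NETLOGON 5774 event logged at error severity lands in both the DNS name registration and Netlogon areas, because the tables list that source under both.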