2007 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS. Disclaimer

Transcription

1 User Guide 6.7

2 2007 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA USA legal@quest.com Refer to our Web site for regional and international office information. TRADEMARKS Quest, Quest Software, the Quest Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. This product contains Zlib from Other trademarks and registered trademarks used in this guide are property of their respective owners. Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. Spotlight on Active Directory User Guide Updated - November 2007 Software Version - 6.7

3 CONTENTS ABOUT THIS GUIDE VII OVERVIEW VIII CONVENTIONS VIII ABOUT QUEST SOFTWARE IX CONTACTING QUEST SOFTWARE IX CONTACTING QUEST SUPPORT IX CHAPTER 1 USING QUEST SPOTLIGHT ON ACTIVE DIRECTORY TOPOLOGY VIEWER INTRODUCING QUEST SPOTLIGHT ON ACTIVE DIRECTORY TOPOLOGY VIEWER QUEST SPOTLIGHT ON ACTIVE DIRECTORY VIEWER FEATURES.16 INTEGRATION WITH SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE RUNNING QUEST SPOTLIGHT ON ACTIVE DIRECTORY TOPOLOGY VIEWER CONNECTING TO DIAGNOSTIC SERVICES DISCOVERING THE TOPOLOGY NAVIGATING THE INTERFACE PARTS OF THE INTERFACE BROWSING BY SITE, DOMAIN, OR GROUPING CENTER ON SERVER SELECT SERVER INFORMATION TOOLS SETTING IMPERSONATION CREDENTIALS SETTING NOTIFICATION GROUPS CUSTOMIZING THE TOPOLOGY VIEWER APPLYING A SYSTEM VIEW CREATING A CUSTOM VIEW DELETING A CUSTOM VIEW EDITING A CUSTOM VIEW RESETTING THE LAYOUT OF THE CURRENT VIEW i

4 Quest Spotlight on Active Directory SETTING OPTIONS ANALYSIS TEST OPTIONS GLOBAL NOTIFICATION OPTIONS DATABASE OPTIONS MOM OPTIONS FOREST DISCOVERY OPTIONS WEB REPORTS OPTIONS INTRUST INTEGRATION SETTING PROPERTIES GENERAL PROPERTIES OPERATING SYSTEM PROPERTIES DNS PROPERTIES TIME SYNC PROPERTIES REPLICATION PROPERTIES NTFRS PROPERTIES GPO PROPERTIES LATENCY PROPERTIES LOCAL CHANGES PROPERTIES MOM PROPERTIES CONFIGURING MOM INTEGRATION CHAPTER 2 DETECTING ACTIVE DIRECTORY PROBLEMS DETECTING ACTIVE DIRECTORY PROBLEMS RUNNING ANALYSIS TESTS SCHEDULING ANALYSIS TESTS SCHEDULING ANALYSIS TESTS WITH IMPERSONATION OPTIONS SCHEDULING ANALYSIS TESTS WITH NOTIFICATION OPTIONS.71 EDITING A SCHEDULED ANALYSIS TEST PAUSING AND RESUMING A SCHEDULED ANALYSIS TEST DELETING A SCHEDULED ANALYSIS TEST RUNNING ANALYSIS TESTS USING THE ASSISTANT PANE NAMING AN ANALYSIS TEST ii

5 Contents VIEWING TEST RESULTS THE TEST RESULT DETAILS PANE CHAPTER 3 DIAGNOSING PROBLEMS DIAGNOSING PROBLEMS DIAGNOSING PROBLEMS USING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE DIAGNOSING PROBLEMS USING INTRUST FOR ACTIVE DIRECTORY CHAPTER 4 RESOLVING REPLICATION AND TIME SYNC PROBLEMS RESOLVING DIRECTORY REPLICATION MANAGING REPLICATION LINKS RESOLVING FILE REPLICATION MANAGING THE NT FILE REPLICATION SERVICE (NTFRS)...91 MANAGING NTFRS LOGGING INCREASING USN JOURNAL SIZE MANAGING ADVANCED GPO LOGGING RESOLVING TIME SYNCHRONIZATION SETTING TIME SYNCHRONIZATION PARAMETERS CHAPTER 5 MANAGING ACTIONS AND RESULTS MANAGING ACTIONS AND RESULTS CANCELING PENDING ACTIONS SAVING ACTION RESULTS CLEARING ACTION RESULTS LAUNCHING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE VIEWING CHANGES FROM INTRUST FOR ACTIVE DIRECTORY. 102 CHAPTER 6 CUSTOMIZING THE TOPOLOGY LAYOUT UNDERSTANDING SYSTEM VIEWS APPLYING A SYSTEM VIEW CREATING A CUSTOM VIEW iii

6 Quest Spotlight on Active Directory DELETING A CUSTOM VIEW EDITING A CUSTOM VIEW RESETTING THE LAYOUT OF THE CURRENT VIEW CHAPTER 7 WORKING WITH GROUPS WORKING WITH GROUPS AUTOGROUPING CENTERING ON GROUP COLLAPSING EXPANDING GROUPING TOGETHER UNGROUPING CHAPTER 8 GETTING STARTED WITH QUEST SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE INTRODUCING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE STARTING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE CHAPTER 9 USING QUEST SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE USING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE.120 USING DRILLDOWNS USING THE PERFORMANCE DRILLDOWN USING THE REPLICATION DRILLDOWN USING THE CONFIGURATION DRILLDOWN USING THE DNS DRILLDOWN USING THE LSASS DRILLDOWN USING THE LDAP DRILLDOWN USING THE FSMO ROLES DRILLDOWN USING COMPONENTS NETWORK COMPONENTS DATAFLOW COMPONENTS iv

7 Contents LSASS COMPONENTS NTFRS COMPONENTS AD STORE COMPONENTS ACTIVE DIRECTORY COMPONENTS OPERATING SYSTEM COMPONENTS CHAPTER 10 USING QUEST SPOTLIGHT ON ACTIVE DIRECTORY WEB REPORTS. 141 UNDERSTANDING QUEST WEB REPORTS TYPES OF REPORTS VIEWING AND INTERACTING WITH REPORTS BROWSING REPORTS USING THE COMMAND BUTTONS USING THE TREEVIEW USING THE FILE-BASED MODEL FILE MENU COMMANDS CONFIGURING REPORT PARTS VIEWING REPORT INFORMATION CREATING AND MODIFYING REPORTS CREATING CUSTOM REPORTS EDITING REPORTS USING QUICK FILTERS CHANGING GROUPING OPTIONS SETTING SECURITY ROLE-BASED SECURITY CONFIGURING THE REPORT SUBSCRIPTION SERVICE THE SUBSCRIPTION WIZARD WELCOME PAGE SCHEDULING THE SUBSCRIPTION SERVICE SENDING THE SUBSCRIPTION SELECTING REPORTS FOR THE SUBSCRIPTION SELECTING A USER ACCOUNT DISPLAYING SUBSCRIPTIONS IMPORTING AND EXPORTING SUBSCRIPTIONS v

8 Quest Spotlight on Active Directory USING PRECONFIGURED REPORTS REPORTS IN SPOTLIGHT ON ACTIVE DIRECTORY TOPOLOGY VIEWER GENERATING REPORT DATA ACCESSING PRECONFIGURED REPORTS FILTERING PRECONFIGURED REPORTS CHAPTER 11 USING DISTRIBUTED COLLECTION OF ANALYSIS TEST DATA (COLLECTORS) USING DISTRIBUTED COLLECTORS DIAGNOSTIC SERVICES COLLECTOR SERVICE COLLECTOR MANAGEMENT CONSOLE INSTALLING DISTRIBUTED COLLECTORS USING THE COLLECTOR MANAGEMENT CONSOLE USING THE SPOTLIGHT ON ACTIVE DIRECTORY INSTALLATION CD ADDING SITES AND SERVERS TO DISTRIBUTED COLLECTORS VIEWING MANAGED SITES AND SERVERS CONFIGURING COLLECTORS UPGRADING DISTRIBUTED COLLECTORS UPDATING COLLECTOR STATUS UNINSTALLING DISTRIBUTED COLLECTORS USING THE COLLECTOR MANAGEMENT CONSOLE USING ADD/REMOVE PROGRAMS IN THE CONTROL PANEL GLOSSARY INDEX vi

9 About This Guide Overview Conventions About Quest Software Contacting Quest Software Contacting Quest Support

10 Quest Spotlight on Active Directory Overview This document has been prepared to assist you in becoming familiar with Spotlight on Active Directory, an integral component of Spotlight Suite. The User Guide contains the information required to install and use Spotlight on Active Directory. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product. For information on Spotlight basics, please refer to the Spotlight Basics section of the Help menu of the Spotlight on Active Directory Diagnostic Console. Conventions In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references. ELEMENT Select Bolded text Italic text Bold Italic text CONVENTION This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Interface elements that appear in Quest products, such as menus and commands. Used for comments. Used for emphasis. Blue text Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink. Used to highlight additional information pertinent to the process being described. Used to provide Best Practice information. A best practice details the recommended course of action for the best result. Used to highlight processes that should be performed with care. + A plus sign between two keystrokes means that you must press them at the same time. viii

11 About Quest Software ELEMENT CONVENTION A pipe sign between elements means that you must select the elements in that particular sequence. About Quest Software Quest Software, Inc., Microsoft's 2007 Global Independent Software Vendor Partner of the Year, delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 50,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows Management solutions simplify, automate and secure Active Directory, Exchange Server, SharePoint, SQL Server,.NET and Windows Server as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at Contacting Quest Software Mail Web site info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA USA Please refer to our Web site for regional and international office information. Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at From SupportLink, you can do the following: Quickly find thousands of solutions (Knowledgebase articles/documents). ix

12 Quest Spotlight on Active Directory Download patches and upgrades. Seek help from a Support engineer. Log and update your case, and check its status. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: Support Guide.pdf. x

13 1 Using Quest Spotlight on Active Directory Topology Viewer Introducing Quest Spotlight on Active Directory Topology Viewer Connecting to Diagnostic Services Discovering the Topology Navigating the Interface Setting Impersonation Credentials Setting Notification Groups Customizing the Topology Viewer Setting Options Setting Properties

14 Quest Spotlight on Active Directory Introducing Quest Spotlight on Active Directory Topology Viewer Spotlight on Active Directory Topology Viewer displays the configuration of your organization s Active Directory. It gives you the tools to diagnose and repair replication, Group Policy Objects (GPO), and time synchronization issues. You can view replication between domain controllers (DCs), change replication links, and run diagnostics to pinpoint key problems with your Active Directory environment. Quest Spotlight on Active Directory Viewer Features Spotlight on Active Directory Topology Viewer provides the following features for managing a network topology: Live Topology View Spotlight on Active Directory s Live Topology View displays the entire AD site and replication infrastructure. It visually indicates where replication, performance, and availability problems exist in the environment. Administrators can view an entire Active Directory forest at a glance, view links between AD domain controllers, and with a simple green=good, red=bad paradigm quickly locate and troubleshoot AD problems. The Live Topology View enables administrators to view the specific sections of AD on which they are focusing diagnostics and to access views by the FSMO role. Because of its easy-to-understand graphical representation of the AD environment, even first-level administrators can use this tool to determine the root cause of a problem. Comprehensive Analysis Tests Spotlight on Active Directory Topology Viewer provides pre-configured analysis tests, so administrators do not have to determine on their own where to start their diagnosis. These tests allow them to analyze the core processes of Spotlight on Active Directory across all enterprises, to ensure that they are functioning properly. The tests automate several manual steps into a single intelligent analysis. They generate immediate feedback in the Live Topology View, and ensure that domain controller status is healthy and core Active Directory processes, such as directory and file replication and time synchronization, are working properly. 16

15 Using Quest Spotlight on Active Directory Topology Viewer Integration with Microsoft Operations Manager (MOM) 2005 Spotlight on Active Directory Topology Viewer provides expanded monitoring of Active Directory, as well as comprehensive status of key Spotlight on Active Directory processes to MOM 2005, for a consolidated view of proactive diagnostic data and performance information. Web-Based Trending Reports - Web-based reports trend analysis data over time, highlighting problem areas with key AD processes such as directory replication, DNS, and domain controller performance. The reports enable administrators to identify trouble areas in the organization s AD and resolve them before they impact clients. Integrated DNS Diagnostics - The DNS Health analysis test checks all the necessary conditions to determine if DNS is healthy and responsive and that domain controllers are properly configured to use DNS. Given the Active Directory s reliance on a healthy DNS, the integrated DNS diagnostics provide administrators with a single interface to ensure that both the Active Directory and DNS are functioning properly. Expert Help The Expert Help explains each process and counter on a domain controller, and what a raised alarm means. The Help system offers suggestions on how to resolve the alarm, common solutions, and next steps. It also enables additional drilldown into more detailed Windows processes and counters through Spotlight on Windows, which is included with Spotlight on Active Directory. Integration with Spotlight on Active Directory Diagnostic Console In addition to its other features, Spotlight on Active Directory Topology Viewer integrates with Spotlight on Active Directory Diagnostic Console. You can launch Spotlight on Active Directory Diagnostic Console from within Spotlight on Active Directory Topology Viewer. Spotlight on Active Directory Diagnostic Console then connects to the DC in question and displays information on the performance of the DC. For more information, see the Spotlight on Active Directory Diagnostic Console section in the Help menu of the Spotlight on Active Directory Diagnostic Console. 17

16 Quest Spotlight on Active Directory Running Quest Spotlight on Active Directory Topology Viewer You can start Spotlight on Active Directory Topology Viewer from the Windows Start menu or from a command prompt. To run Quest Spotlight on Active Directory Topology Viewer Select Start Programs Quest Software Spotlight on Active Directory Spotlight on Active Directory Topology Viewer. To run Spotlight on Active Directory Topology Viewer from the command prompt 1. Open a command prompt. 2. Go to the directory where sladtv.exe is located. The default directory is C:\Program Files\Quest Software\Spotlight on Active Directory. 3. Type SladTV. To run Spotlight on Active Directory Topology Viewer from the Quest Management Console 1. Open the Quest Management Console. 2. From the treeview, select Console Root Quest Management Console for Active Directory Solutions Performance and Availability. 3. Right-click Spotlight on Active Directory and select Launch Topology Viewer. You can run the Spotlight on Active Directory Topology Viewer from the Quest Management Console by clicking the Launch Topology View icon. 18

17 Using Quest Spotlight on Active Directory Topology Viewer Connecting to Diagnostic Services Before using Spotlight on Active Directory Topology Viewer, you must be connected to the Diagnostic Services. Diagnostic Services (DiagnosticTestEngineSLAD and DataManagerSLAD) are automatically installed during the standard installation of Spotlight on Active Directory Topology Viewer. If you select this installation option, the Spotlight on Active Directory Topology Viewer will automatically connect to the Diagnostic Services. However, you can also install Diagnostic Services on a different computer. If you select this installation option, then you will need to connect to Diagnostic Services the first time you run the Spotlight on Active Directory Topology Viewer. Once you have connected to the Diagnostic Services the first time, it will not be necessary to do so again unless the Diagnostic Services are located on a different server. The account used to run the Diagnostic Services must be a member of the Local Administrators group on the server where the Diagnostic Services are running. To connect to the Diagnostic Services 1. Select File Connect to Diagnostic Services. When you launch Spotlight on Active Directory Topology Viewer, Diagnostic Services will attempt to autoconnect to the local host. 2. Enter the address of the computer where the Diagnostic Services reside. Enter the IP address, the NetBIOS name, or the fully-qualified name of the computer. You can enter "Localhost" if the Diagnostic Services reside on the same computer as Spotlight on Active Directory Topology Viewer. 3. Click OK. The Diagnostic Services connection status is shown in the bottom left corner of the Spotlight on Active Directory Topology Viewer window. 19

18 Quest Spotlight on Active Directory Discovering the Topology You discover the topology of your Active Directory forest by connecting to a domain or DC in the forest. This DC becomes the query server, which is used to gather information about the forest. When you launch Spotlight on Active Directory Topology Viewer, Diagnostic Services will attempt to autoconnect to the local host. To connect and discover your topology 1. Start Spotlight on Active Directory Topology Viewer. 2. Click Discover in the Assistant pane at the top of the Assistant pane. OR Select File Discover Topology. 3. Enter the name of the DC. You can also enter either the IP address of the DC or the domain name. If you enter the domain name, the first server in the domain to answer the request becomes the query server. 4. Click OK. To search for different DCs 1. Start Spotlight on Active Directory Topology Viewer. 2. Click Discover in the Assistant pane at the top of the Assistant pane. OR Select File Discover Topology. 3. Click. 4. Browse to the DC, select it, and click OK. 20

19 Using Quest Spotlight on Active Directory Topology Viewer Navigating the Interface This section introduces the Spotlight on Active Directory Topology Viewer interface. The topics describe how the different menus, dialog boxes, and windows work together, and they provide details of how the parts of the application work together when administering your organization s Active Directory network. Parts of the Interface Browsing by Site, Domain, or Grouping Center on Server Select Server Information Tools Parts of the Interface The Spotlight on Active Directory Topology Viewer consists primarily of three panes. The pane on the left is the Navigation pane, the center pane is the Main pane, and the pane on the right is the Assistant pane. Using the Navigation pane, you can view your topology layout, test results, manage action results, and run Web Reports. Your selection in the Navigation pane dictates the display in the Main pane and whether the Assistant pane is displayed. The Navigation Pane The Spotlight on Active Directory Topology Viewer contains tabs in the Navigation pane on the left: Topology Analysis Test Results Management Action Results Web Reports Getting Started 21

20 Quest Spotlight on Active Directory Topology The Topology tab displays the topology of the Active Directory forest to which you are connected. When you click this tab, the left pane expands to show a treeview of the forest while the main pane shows the topology view. The Assistant pane on the right provides you with quick access to the Assistant pane, native Microsoft administrative tools, detection tests, and resolution options. Analysis Test Results The Analysis Test Results tab displays the results of the various Analysis Tests. The Main pane lists the type of test, the last update, and the last result. You can expand the test node itself to show the actual test, the server that was the focus of the test and the actions, or steps, that took place as part of the test. If you select an actual test or server, further details are displayed below the main pane. The Analysis Test Results tab also includes the Assistant pane on the right. This gives you quick access to the Assistant pane, native Microsoft administrative tools, detection tests, and resolution options. Management Action Results The Management Action Results tab displays pending and completed management actions. When you click this tab, the main pane that is displayed has two tabs at the top of the pane: Pending Actions and Completed Actions. Any Directory Replication, File Replication, or Time Synchronization (Time Sync) action performed in Spotlight on Active Directory Topology Viewer is listed in the Pending Actions tab. When the action is complete, it is moved to the Completed Actions tab. Web Reports The Web Reports tab expands to display a treeview showing all available Web Reports. When you select a report in the treeview, the main pane displays the actual report. Getting Started The Getting Started tab guides you through the process of discovering your topology, running analysis tests, verifying results, and using the Diagnostic Console to troubleshoot and resolve problems in Active Directory. 22

21 Using Quest Spotlight on Active Directory Topology Viewer The Assistant Pane The Assistant pane contains panes located on the right side of the Spotlight on Active Directory Topology Viewer interface: Assistant Native Tools Directory Replication Testing DNS Testing File Replication Testing Status/Performance Testing Time Synchronization Testing Resolve Directory Replication Resolve File Replication Resolve Time Synchronization Click to hide the Assistant pane. When you hide the Assistant pane, all of the icons in the various panes are still visible. You can launch a tool or run a test by selecting a server and clicking the desired icon. Assistant The Assistant pane gives you quick access to some of the most commonly used tools and analysis tests. These are as follows: ICON RESOURCE Discover Use this to discover the topology of a Active Directory forest. Launch Diagnostic Console Verify DNS Health Verify Directory Replication Health 23

22 Quest Spotlight on Active Directory ICON RESOURCE Verify File Replication Health Verify Server Health Verify FSMO Best Practices Verify Site Configuration Verify Schema Consistency Verify Time Synchronization Native Tools When a problem occurs on a DC, to further troubleshoot and resolve the problem you may want to check some common information for that DC using native Microsoft management tools. From the Native Tools pane, you can launch any Microsoft tool: 24 AD Sites & Services - allows you to review AD configuration AD Users & Computers - allows you to review security and permissions Computer Management - allows you to review service status, and manage a service DNS Management Console - allows you to examine DNS configuration Event Viewer - allows you to look for recent System event log errors on the DC Directory Replication Testing The Directory Replication Testing pane provides quick access to the Find Replication Failures, Check GPO Synchronization, Track Object Replication, and Test Replication Links tests. You can launch any of these tests by clicking the appropriate icon or the name of the test.

23 Using Quest Spotlight on Active Directory Topology Viewer DNS Testing The DNS Testing pane provides quick access to the Check DNS Entries and Check Partners DNS Entries tests. You can launch either of these tests by clicking the appropriate icon or the name of the test. File Replication Testing The File Replication Testing pane provides quick access to the Confirm File Presence, GPO Synchronization, and Check NTFRS Status tests. You can launch any of these tests by clicking the appropriate icon or the name of the test. Status/Performance Testing The Status/Performance Testing pane provides quick access to the Check Service Pack and Hotfixes test and the Check Service Status test. You can launch either of these tests by clicking the appropriate icon or the name of the test. Time Synchronization Testing The Time Synchronization Testing pane provides quick access to the Check W32Time Differential, Check W32Time Parent Synchronization, and Check W32Time Status tests. You can launch any of these tests by clicking the appropriate icon or the name of the test. Resolve Directory Replication The Resolve Directory Replication pane allows you to exercise various management actions that address directory replication problems for selected servers. These include managing links, forcing replication, configuring Knowledge Consistency Checker (KCC) and flexible single master operation (FSMO) role transfers. You can perform any of these actions by clicking the appropriate icon or the name of the test. Resolve File Replication The Resolve File Replication pane offers various management actions that you can take to address file replication problems for selected servers. These include managing the NT File Replication Service (NTFRS) and NTFRS logging, setting USN Journal size, and enabling and disabling advanced GPO logging. You can perform any of these actions by clicking the appropriate icon or the name of the test. Resolve Time Synchronization The Resolve Time Synchronization pane contains the Set Parameters action with which you can set time synchronization parameters for selected servers. 25

24 Quest Spotlight on Active Directory Scroll Bars You can scroll to view different regions of your topology by clicking the red arrows on the borders of the Topology View pane. Browsing by Site, Domain, or Grouping You can browse by domain, site, or grouping. This makes it easier to navigate the treeview by reducing the number of branches. It is also an efficient way of finding a particular DC within its domain, site, or group structure. The default view of the Browse pane is by site. Select Browse by Domain if your network contains a large number of sites, but only a small number of domains. To browse by site 1. Right-click the Forest node in the treeview. OR Right-click the My Favorites node in the treeview. 2. Select Browse By Site. The DCs in the Browse pane are organized by their site membership. To browse by domain 1. Right-click the Forest node in the treeview. OR Right-click the My Favorites node in the treeview. 2. Select Browse By Domain. The DCs in the Browse pane are organized by their domain membership. To browse by grouping 1. Right-click the Forest node in the treeview. OR Right-click the My Favorites node in the treeview. 2. Select Browse By Grouping. 26

25 Using Quest Spotlight on Active Directory Topology Viewer The DCs in the Browse pane are organized by their group membership. Center on Server Use the Center on Server feature to focus on a specific server. Center on Server is useful in large topologies as you can bring a specific server to the center of the Topology View pane. To center the topology view on a specific server 1. Click the Forest node in the treeview to see the list of DCs. 2. Select the DC you want to center in the Topology View pane. 3. Right-click the DC and select Center on Server. Select The Select menu allows you to select specific DCs in the Topology View pane: OPTION All By Name DCs in Domain Server Roles DESCRIPTION Selects all DCs in the forest. Selects a specific server when you enter the server s name. Selects all DCs in the same domain as a selected DC. Selects which DCs have server roles: PDC Emulators RID Servers Infrastructure Masters Domain Naming Master Schema Master GC Servers ISTG Servers 27

26 Quest Spotlight on Active Directory OPTION My Favorites DESCRIPTION A list of all your favorite configurations. My Favorites are logical groups of DCs that you define. This makes it easy to select many DCs at once: Create Favorite Edit Favorite(s) Delete Favorite Rename Favorite Create Favorite Favorites you create are added to the Browse pane under the My Favorites node and to the Select My Favorites menu. Each Favorite grouping expands to show the full Domain Naming System (DNS) names of its DCs. To create a Favorite 1. Select the DCs in the Browse or Topology View pane that you want to include in the Favorite. 2. Right-click and select Select My Favorites Create Favorite. This launches the Favorites dialog box. The DCs you selected are displayed in the DCs in Favorite list. You can also right-click in the Browse or Topology View pane and select Select My Favorites Create Favorite. 3. Enter a name for the Favorite in the Favorite Name box. 4. Click OK. The Favorite you created will be added in the Browse pane under the My Favorites node and to the Select My Favorites menu. You can select to Browse by Site or Browse by Domain within the Create Favorite dialog box by right-clicking in the Available DCs pane. 28

27 Using Quest Spotlight on Active Directory Topology Viewer Delete Favorite You can select and delete Favorite groupings. To delete a Favorite 1. Select the Favorite you want to delete in the Browse pane. 2. Right-click and select Select My Favorites Delete Favorite. The Favorite you deleted will be removed from the Browse pane under the My Favorites node and from the Select My Favorites menu. Edit Favorite(s) You can edit the Favorites you create and perform the various tasks: Add or remove a DC Add a site Add a domain Add an entire forest Add another Favorite Change the name of the Favorite To add items to a Favorite 1. Right-click in the Browse or Topology View pane and select Select My Favorites Edit Favorite(s). This launches the Favorites dialog box. Previously configured Favorites are displayed in the Configured Favorites list. 2. Select the Favorite you want to edit in the Configured Favorites list. The name of the Favorite is displayed in the Favorite Name box, and the DCs that make up the Favorite are displayed in the DCs in Favorite list. 3. Select the DC/site/domain/forest you want to add to the Favorite in the Available DCs list and click Add. OR Select the Favorite you want to add in the Available DCs list and click Add. 29

28 Quest Spotlight on Active Directory You can select to Browse by Site or Browse by Domain within the Edit Favorite(s) dialog box by right-clicking in the Available DCs pane. To remove DCs from a Favorite 1. Right-click in the Browse or Topology View pane and select Select My Favorites Edit Favorite(s). This launches the Favorites dialog box. Previously configured Favorites are displayed in the Configured Favorites list. 2. Select the Favorite you want to edit in the Configured Favorites list. The name of the Favorite is displayed in the Favorite Name box, and the DCs that make up the Favorite will display in the DCs in Favorite list. 3. Select the DC you want to remove from the Favorite in the DCs in Favorite list and click Remove. Rename Favorite To rename a Favorite 1. Select the Favorite you want to rename in the Browse pane. 2. Right-click and select Select My Favorites Rename Favorite. 3. Enter the new name for the Favorite. Server Information Server Information is displayed when you place the pointer over a DC in the Topology View pane. The name of the DC or server is shown. To view Server Information 1. Discover your topology. 2. Place the pointer over a DC in the Topology View pane. The DC name is shown. Server Information is enabled by default when you first launch Spotlight on Active Directory. 30

29 Using Quest Spotlight on Active Directory Topology Viewer Tools Spotlight on Active Directory Topology Viewer provides you with various tools when working with the Topology view: TOOL NAME DESCRIPTION Toggle Site Grouping On/Off Toggles Site grouping on and off. For more information, see Working with Groups on page 109. Toggle CustomGroup Grouping On/Off Toggle Replication Links On/Off Toggles CustomGroup groupings on and off. For more information, see Working with Groups on page 109. Toggles the display of replication arrows on and off. Replication arrows are dark aqua in color. Toggle Time Sync Links On/Off Toggle Labels On/Off Toggles the display of time synchronization arrows on and off. Time synchronization arrows are blue in color. When interpreting Time Sync arrows, for example, a line from DC1 to DC2 indicates that DC1 sends its time to DC2. Therefore, DC2 synchronizes its time with DC1. Toggles the display of computer and site names on and off. Toggle Details On/Off Collapse Selected Grouping Toggles the display of server information on and off. Server information appears when you position your mouse over a DC in the topology. It displays the name, domain, and site of the DC, as well as the top 3 diagnostic and monitoring errors on that DC. If there are less than 3 monitoring errors, more diagnostic errors are shown. Collapses selected expanded groups in the Topology View pane. Expand Selected Grouping Expands selected groups in the Topology View pane. 31

30 Quest Spotlight on Active Directory TOOL NAME DESCRIPTION Group Selected Grouping(s) Groups selected sites in the Topology View pane. Ungroup Selected Grouping(s) Ungroups selected sites in the Topology View pane. Select Server or Groupings in the Topology Pan the Topology Allows you to select servers or groupings in the Topology View pane. Allows you to reposition DCs in your topology view by clicking a DC and dragging it to a different position in the Topology View pane. Zoom In Magnifies the topology. Click the area of the topology where you want to zoom in. Zoom Out Zooms out the entire topology so you can see more in the Topology View pane. Center on Point Zooms in on the topology on the exact location you click (you do not have to click a server). Toggle Prominent Links On/Off Autogrouping Highlights the links for a selected group or node in the topology view. Links for other non selected groups or nodes in the topology view will appear as dimmed. Opens the Autogrouping Rules dialog box, which allows you to create rules used to automatically organize your sites into groups. 32

31 Using Quest Spotlight on Active Directory Topology Viewer Setting Impersonation Credentials You can configure alternate credentials under which to execute analysis tests. The user credentials you specify must have sufficient permissions to execute the analysis test. To set impersonation credentials 1. Select Edit Analysis Test Credentials. This opens the Credential Management dialog box. 2. Click Add. 3. Enter the domain\user name and password you want to use. You must enter a valid Windows user name, and this account must have sufficient administrative privileges to run the analysis tests. 4. Click OK. The credentials are stored in a list of valid credentials for running analysis tests. You can also specify alternate credentials for impersonation in the Impersonation pane of the Analysis Test Options on page 39, or when scheduling an analysis test. For more information, see Scheduling Analysis Tests on page 69. To use impersonation with Windows 2000 Professional and Server 1. Close Spotlight on Active Directory Topology Viewer. 2. Select Start Programs Administrative Tools Services. 3. Right-click DiagnosticTestEngineSLAD and select Stop. 4. Select Start Programs Administrative Tools Local Security Policy to open the Local Security Settings dialog box. 5. Select Local Policies User Rights Assignment and double-click Act as part of the operating system. 6. Add the user account under which the Diagnostic Test Engine service is running. 7. Start DiagnosticTestEngineSLAD. You can now use the Credential Management dialog box to add impersonation credentials. 33

32 Quest Spotlight on Active Directory Setting Notification Groups You can configure different notification groups to be notified upon failure of an analysis test. To set notification groups 1. Select Edit Notification Groups. This opens the Notification Groups dialog box. 2. Enter the name of the SMTP server. 3. Click New in the Notification Groups pane to add a new group. 4. Enter the new group name, the subject, and the originating address for the group. 5. Click New in the Group Members pane. 6. Enter the recipient's First Name, Last Name, Address, and select Yes in the Enable field. 7. Click OK. To delete a notification group or a member of a notification group, select the group or group member you want to delete and click Delete. Customizing the Topology Viewer Initially, Spotlight on Active Directory Topology Viewer defaults to a layout view of the entire forest you have specified. However, it also provides system Views that you can apply to that forest. In addition, Spotlight on Active Directory Topology Viewer allows you to filter the topology view to suit your needs. This makes it much easier for you to view the status of, and work with, the servers you are concerned about. This ability is of particular value to local administrators who are responsible for a small number of domain controllers (DCs). 34

33 Using Quest Spotlight on Active Directory Topology Viewer Spotlight on Active Directory Topology Viewer provides system Views that you can apply to the forest you have specified. Also, instead of dealing with the entire forest, you can create custom Views that display only specific domains or groups of DCs. You can also delete or edit these custom Views. In addition to the topology view, system and custom Views are also applied to the treeview and the Analysis Test Results tab. Test results are shown only for the target servers that are part of the system or custom View currently applied. Spotlight on Active Directory Topology Viewer retains the last View. This last View is loaded the next time you launch Spotlight on Active Directory Topology Viewer. For more information, refer to: Applying a System View Creating a Custom View Deleting a Custom View Editing a Custom View Resetting the Layout of the Current View Applying a System View Spotlight on Active Directory Topology Viewer provides system Views that you can apply to the current discovered forest: All (default - shows entire forest) Domain Naming Masters Global Catalogs Infrastructure Masters Intersite Topology Generators PDC Emulators RID Masters Schema Masters 35

34 Quest Spotlight on Active Directory Any custom views you create are also added to this list. You cannot delete or modify these system views. When you apply another system or custom View, this can affect what is shown in the Analysis Test Results tab. If a server whose test results are shown is not included in the View you select, then those test results disappear from the Analysis Test Results tab. To select a system view 1. Click in the View box above the topology view pane. 2. Select the system view you want to apply. Creating a Custom View You can create custom views and define them by site, domain, server or naming convention. You can select the domains or servers you want to include, or use naming conventions to filter only the servers you want to include. To create a View 1. Select View Create View. This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane. 2. Click Next. 3. Select the type of view you want and click Next. 4. Select the sites you want to include in the view and click Next. Your selection can also be domains, servers or naming conventions, depending on the type of view you selected. 5. Enter a name for the view you are creating and click Next. 6. Review the settings you have selected. To make changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page. 7. Click Finish to save and apply the view you have created. Your custom view will be added to the View list above the main pane. 36

35 Using Quest Spotlight on Active Directory Topology Viewer Deleting a Custom View You can delete the custom View currently displayed. However, you cannot delete the systems views provided with Spotlight on Active Directory Topology Viewer. To delete the current View 1. Select View Delete Current View. 2. Click Yes to confirm you want to delete the current View. Editing a Custom View Once you have created a custom View, you can modify it. Spotlight on Active Directory Topology Viewer allows you to change any of the parameters of the custom View currently displayed. You cannot modify the system views that are provided with Spotlight on Active Directory Topology Viewer. To edit the current View 1. Select View Edit Current View. This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane. 2. Click Next. 3. Modify the type of view if necessary and click Next. 4. Modify the sites included in the View if necessary and click Next. You can also modify domains, servers or naming conventions, depending on the type of view you selected. 5. Change the name of the View if necessary and click Next. 6. Review the settings you have selected. To make further changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page. 7. Click Finish to save and re-apply the View you have modified. 37

36 Quest Spotlight on Active Directory Resetting the Layout of the Current View If you have adjusted the server layout in your topology view by moving the servers, you can reset the view back to its original layout. To reset the layout of the current View Select View Reset Current View Layout. Setting Options Spotlight on Active Directory Topology Viewer allows you to customize or define default settings for: Analysis Test Options Global Notification Options Database Options MOM Options Forest Discovery Options Web Reports Options InTrust Integration To access the options dialog box Select Edit Options. Analysis Test Options You can specify default Analysis test settings for newly created analysis tests. These settings include Scheduling, Impersonation, and Notification options. To configure the default analysis test options 1. Select Edit Options Click the Analysis Tests icon in the Options pane. 3. In the Execution Schedule pane, select Run every and specify the interval for running the test. OR Select Run every day at and enter the time you want the test to run.

37 Using Quest Spotlight on Active Directory Topology Viewer You can select the Between check box to run the test during specified hours. The default setting is to execute the test every 30 minutes, daily, between 8 AM and 5 PM. 4. In the Notification Settings pane, accept the default, <no notification group>. OR Select a notification group from the list. If you select a notification group, you must specify the number of consecutive alarms needed to trigger the notification, whether you want to limit the number of notifications sent, and the maximum number of notifications sent per alarm. 5. In the Impersonation Settings pane, select Execute the credentials of the diagnostic services. These are the credentials entered during the installation of the diagnostic services. This is the default option. OR Select Execute using a credential. Select the credentials you want to use from the list of available credentials. Click Configure Credentials to open the Credential Management dialog box and add existing Windows credentials to the list of credentials you can use to execute analysis tests. When you run an analysis test using the Run Once option, default notification and impersonation settings are used. The default options or setting are used when you configure a new analysis test. To edit any of the test settings for an existing test, you must go to the Analysis Test Schedule Management dialog box. For more information, see Editing a Scheduled Analysis Test on page

38 Quest Spotlight on Active Directory Global Notification Options You can configure Spotlight on Active Directory Topology Viewer to globally send notifications upon failure of an analysis test. All users in a defined notification group are notified when a test fails. In addition to notifications, you can configure notifications to launch external applications. Notifications are not sent if the test does not complete. Notifications are sent only if the test fails upon completion. To configure the global notification options 1. Select Edit Options. 2. Click the Global Notifications icon in the Options pane on the left of the dialog box. 3. Enter the name of SMTP server for sending notifications. 4. Enter the application to run on alert. The application is launched by the Diagnostic Services and has no interaction with the desktop. 5. Enter the parameters to run the application. 6. Click OK. The system stores this information for future use. Should you change any of the global settings after a test has been configured and scheduled to run, that test will still run with its original configuration. To modify the settings for an existing test, select Edit Analysis Test. 40

39 Using Quest Spotlight on Active Directory Topology Viewer Database Options The supported databases are SQL Server 2000, SQL Server 2005, SQL Server 2005 Express, and MSDE. To activate database storage 1. Select Edit Options. 2. Click the Database icon in the Options pane. 3. Enter the interval for data retention for raw, hourly, and daily in the Database Retention box. (The default interval is 30 days. Database retention specifies the length of time analysis test results are stored. Test results older than the specified retention period are purged from the database on a nightly basis.) 4. Click OK. MOM Options You can configure Spotlight on Active Directory Topology Viewer to integrate with Microsoft Operations Manager (MOM). This provides end-to-end discovery, diagnosis, and resolution of Active Directory issues from a single console. You can set the location of the MOM Database to read alerts from the MOM database and display them in Spotlight on Active Directory. These alerts can be viewed by right-clicking a domain controller in the Topology Viewer, and navigating to the MOM Properties tab. You can set the location of the MOM Connector Framework to allow forwarding alerts generated from Spotlight on Active Directory to MOM. Forwarding alerts applies to MOM 2005 only. To configure MOM options 1. Select Edit Options. 2. Click the MOM icon in the Options pane to the left of the dialog box. 3. Enter the location of the MOM database Server. 4. Enter the location of the MOM Connector Framework Server. 41

40 Quest Spotlight on Active Directory 5. Click OK. Forest Discovery Options Every two hours, Spotlight on Active Directory Topology Viewer automatically refreshes the topology of all the forests you have discovered. However, you can configure Spotlight on Active Directory Topology Viewer to refresh only selected forests. To configure Forest Discovery options 1. Select Edit Options. 2. Click the Forest Discovery icon in the Options pane on the left of the dialog box. The dialog box displays a list of all the discovered forests. By default they are all selected. 3. Clear the check box for the forests you do not want refreshed. 4. Click OK. Web Reports Options If the computer running IIS also has SSL installed, Spotlight on Active Directory Topology Viewer must use the SSL format in order for Web Reports to work properly. You can make this configuration change using the Web Reports options. To configure Web Reports options 1. Select Edit Options. 2. Click the Web Reports icon in the Options pane on the left of the dialog box. 3. Select the Use SSL when browsing Web Reports check box. 4. Click OK. 42

41 Using Quest Spotlight on Active Directory Topology Viewer InTrust Integration In order to view changes from InTrust for Active Directory, you must first link it into Spotlight on Active Directory. To integrate InTrust for Active Directory 1. Select Edit Options. 2. Click the InTrust Integration icon in the Options pane on the left of the dialog box. 3. Enter the name of the InTrust Database Server. 4. Click OK. If you have renamed your InTrust database, you must specify the new name of the database in InTrust Database Name box. Setting Properties The Properties dialog box provides you with Replication and Time Synchronization properties. You can view general computer information, view and configure the monitored objects list, view messages returned by monitored objects, and view local changes on specific servers. To view properties 1. Right-click a node in the forest. 2. Select Properties. Spotlight on Active Directory Topology Viewer contains the these properties tabs: General Properties Operating System Properties DNS Properties Time Sync Properties Replication Properties NTFRS Properties GPO Properties 43

42 Quest Spotlight on Active Directory Latency Properties Local Changes Properties MOM Properties General Properties The General Properties tab contains the following: DNS Name - indicates the name of the selected DC on the Active Directory network IP Address - indicates the IP address assigned to the selected DC Domain - indicates the domain to which the selected DC belongs Site - indicates the site to which the selected DC belongs Server - indicates the roles which server roles are being performed by the DC. Available roles include the following: PDC Emulator RID Master Infrastructure Master Domain Naming Master Schema Master ISTG Server GC Total Physical Memory - indicates the total amount of memory available Processors - indicates the vendor, speed, and model number of the processors in the DCs on your network Operating System Properties The Operating System Properties tab contains the following: Version - indicates the current version of the operating system Build - indicates the build number of the version Service Pack - indicates the current service pack installed on the selected DC Hotfixes - indicates the details of any hotfixes that have been applied to the selected DC Hotfix ID - the Microsoft Knowledge Base Article Number Comments - the patch information for the Article Number 44

43 Using Quest Spotlight on Active Directory Topology Viewer Start the Service Pack and Hotfix Analysis using this configuration button - indicates the analysis process uses the Service Pack and Hotfix details of the selected DC when applying the diagnostic view. DNS Properties The DNS Properties tab contains the following: DNS Servers - indicates the names of the DNS servers on the network DNS Registered Records - lists the registered DNS records on the DSN servers on the network Time Sync Properties The Time Sync Properties tab contains the following: Configuration - indicates Time Synchronization details for the selected DC: Synchronization Type -indicates the type of synchronization performed. Parent - indicates the DC being used by the selected DC to synchronize its time. By default, this is the PDC Emulator for the domain. Period - indicates the specified number of times per day, if the Specified times per day option is selected. Service State - indicates the current state of Time Synchronization. The possible states are as follows: Running Paused Pausing Stopped Stopping Starting Resuming 45

44 Quest Spotlight on Active Directory Replication Properties The Replication Properties tab contains the following: Distinguished Name - indicates the distinguished name of the selected DC KCC Enabled (intersite) - shows if the intersite (between sites) KCC is enabled on the selected DC. If the KCC is enabled, it will return a value of Enabled. If it is disabled, it will return a value of Disabled KCC Enabled (intrasite) - shows if the intrasite (within sites) KCC is enabled on the selected DC. If the KCC is enabled, it will return a value of Enabled. If it is disabled, it will return a value of Disabled. Replication Links - shows replication link direction and the DCs that replicate with the selected DC: Inbound - indicates if the link is inbound from the DC in the Domain Controller column Outbound - indicates if the link is outbound to the DC in the Domain Controller column Domain Controller - gives a list of replication partners NTFRS Properties The NT File Replication Service (NTFRS) Properties tab contains the following: General Settings - shows the following general settings: Working Directory - shows the location of the Ntfrs.jdb file and associated log files Staging Space Limit - shows the maximum amount of disk space allocated to files held on disk until they are retrieved by all downstream replication partners USN Journal Size - shows the current size of the update sequence number (USN) Journal in megabytes (MB) Short Polling Interval - shows the interval the NTFRS uses to poll the Active Directory at service startup or after configuration changes Long Polling Interval - shows the interval with which NTFRS polls the Active Directory for configuration changes after eight short polling intervals have finished without interruption Log Settings - shows the following logging-related details: NTFRS Logging Enabled - Shows if NTFRS Logging is enabled or disabled on the selected domain controller. Log File Severity Detail - Shows the level of detail that the NTFRS records in its trace log files (Ntfrs_000n.log). Number of Log Files Generated - The number of debug log files that are kept on the selected domain controller. 46

45 Using Quest Spotlight on Active Directory Topology Viewer Number of Messages per Log File - The maximum number of messages logged to a file for the selected domain controller. View logs button - launches the NTFRS Log File Viewer dialog box Service State - shows the current state of NTFRS: Running, Stopped, or Missing NTFRS Log File Viewer The NTFRS Log File Viewer collects the names of all the log files currently existing on a DC. Click a specific log file in the Available Log Files list to load the log file information into the bottom listview of the dialog box. The NTFRS Log File Viewer displays the following: Location of Log Files - indicates the DC where the log files are located Available Log Files - indicates the name, size (bytes), and time stamp of the log files on the DC Log Files - indicates the specific log file you select in the Available Log Files list Number of Entries - indicates the number of entries in the log file you select Data - shows the Log file details including the Source, Thread ID, Line, Severity, Time, and Message for each entry in the log file Load Progress - shows the progress of the log file as it loads into the Data pane GPO Properties The Group Policy Object (GPO) Properties tab contains the following: GPO Logging - shows the following details: Advanced GPO Event Logging Enabled - shows Enabled or Disabled, depending on whether or not GPO Event Logging is enabled GPO Object List - shows the following details: GPO Name - shows the name given to the GPO when it is created GUID - shows the unique identifying number assigned to the GPO when it is created Created - shows the date and time the GPO was created Changed - shows the date and time the GPO was last changed SU - shows the Sysvol user version of the GPO SM - shows the Sysvol machine version of the GPO DU - shows the directory services user version of the GPO DM - shows the directory services machine version of the GPO 47

46 Quest Spotlight on Active Directory Latency Properties The Latency Properties tab contains the following: Replication Latency - shows how long it takes replication to occur from one DC to another: Domain Controller - shows the DCs to which the selected DC has a replication path. Site - shows the site to which the DC belongs. DS Replication Time - shows the amount of time it takes for AD replication to occur. File Replication Time - shows the amount of time it takes for file replication to occur. Local Changes Properties The Local Changes Properties tab contains the following: Distinguished name of Root Object to obtain list from - indicates the distinguished Name of the AD object to be used as the starting point of the search. You can browse for the AD object you want to use. Highest Committed USN - indicates the highest committed Update Sequence Number (USN) List changes since - shows the USN to be used as the starting point in the search. By default, this number is the Highest Committed USN, but you can enter a different number if you want to search based on a number other than the Highest Committed USN. List All Changes on this Server since USN - shows all of the objects with changes since the indicated USN Double-click an object in the list to display its properties. The Changed Object Properties dialog box lists the name of the Object Property that changed, the version of the Object Property, the time the change occurred, the originating server, the Originating USN, and Local USN. 48

47 Using Quest Spotlight on Active Directory Topology Viewer MOM Properties The MOM Properties tab contains the following: MOM database server - shows the location of the MOM database server Critical Errors - indicates the number of critical errors MOM has raised for a specific DC Errors - indicates the number of errors MOM has raised for a specific DC Warnings - indicates the number of warnings MOM has raised for a specific DC Alerts - shows the following details about the alerts: Description - shows the description of the alarm that was raised Name - shows the name of the alarm that was raised Repeat Count - shows the number of times a particular alarm has been raised Resolution State - shows the state of the event (whether it has been resolved or not) Severity - shows the severity of the alarm raised. 30 is warning, 40 is error, 50 is critical error Time Raised - shows the time the alarm was raised Double-click an entry on the MOM Properties tab to open the MOM Alerts dialog box. The MOM Alerts dialog box lists more detailed information about the entry. If there are multiple entries in the list, you can view them in the dialog box using the and buttons. Configuring MOM Integration Spotlight on Active Directory Topology Viewer offers integration with Microsoft Operations Manager (MOM) 2005 and MOM 2000, providing end-to-end discovery, diagnosis, and resolution of Active Directory issues from a single console. When you highlight a DC alert in the MOM console, you can right-click and launch Spotlight s Diagnostic Console to view the problem DC in real time, determine the root-cause of the issue, and resolve it. For Spotlight on Active Directory, the Console component must be installed on the MOM server. Spotlight on Active Directory must meet the following prerequisites for MOM 2005 integration: 49

48 Quest Spotlight on Active Directory The MOM Operator Console must be installed on the same machine as the Spotlight on Active Directory Console The Active Directory management pack must be installed and configured on the MOM administrator console Collectors must have deployed the domain controllers (DCs) to be monitored in order to see the MOM alerts for this pack In order for MOM integration to work, you must also install Spotlight Launcher. Copy the following two files to the directory where both MOM and Spotlight are installed: SpotlightLauncher.exe Spotlights.xml Both of these files are provided with Spotlight on Active Directory Topology Viewer and are located in Program Files\Quest Software\Spotlight\MOM Launcher. To configure MOM 2005 integration 1. Select Start Programs Microsoft Operations Manager 2005 Administrator Console. 2. Expand the Management Packs folder in the treeview. 3. Right-click the Tasks folder in the treeview and select Create Task. 4. Click Next. 5. Select Operator Console as the run location and click Next. 6. Select Events or Alerts as the view type in the Task Configuration dialog box. 7. In the Task Command Line box: a) Enter the path to the Spotlight Launcher. b) Click the arrow on the right side of the box. c) Select Generated by Computer in the Events view type or Computer Name in the Alerts view type. d) Enter the name of the MOM database server. The command syntax should be: Events view type: "Drive letter:\directory\spotlightlauncher.exe" $Generated by Computer$ <MOM database server name>. 50

49 Using Quest Spotlight on Active Directory Topology Viewer Alerts view type: "Drive letter:\directory\spotlightlauncher.exe" $Computer Name$ <MOM database server name>. Use quotation marks around the Spotlight Launcher path. Use a single space between items in the command line. 8. Click Next. 9. Enter a name and description of the task in the Task Name and Description dialog box. 10. Click Finish. The task name appears in the Task Pane of the MOM Operators Console. To launch Spotlight on Active Directory Diagnostic Console from the MOM Operators Console 1. Select an alert in the MOM Operators Console Alerts view. 2. Click in the Toolbar. 3. Select the name given to the custom task. By default, the name of the custom task is Diagnose using Spotlight. To launch Spotlight on Active Directory Diagnostic Console from a MOM Alerts or Events view Before you launch Spotlight on Active Directory Diagnostic Console from MOM Alerts or Events view, you must configure the Diagnostic Console as a task and assign the task name "Diagnose using Spotlight". 1. Select Start Programs Microsoft Operations Manager 2005 Operator Console. 2. Click Events or Alerts tab in the left pane. 3. In the treeview, select the Events folder in Active Directory folder if you have chosen the Events tab. OR In the treeview, select the Alerts folder in Active Directory folder if you have chosen the Alerts tab. 4. Select an item in the detail view pane. 5. Select the task name to launch the Spotlight Diagnostic Console from the Tasks pane. 51

50 Quest Spotlight on Active Directory By default, the task name is Diagnose using Spotlight. To configure MOM 2000 Integration 1. Open the Microsoft Operations Manager Console. 2. Right-click Monitor in the left pane treeview. 3. Select New Custom Task. 4. Select the Microsoft Operations Manager users who can use this task from the Task available to list. 5. Select alert items from the Task available for list. 6. Click Add. 7. Enter a name for the custom action. 8. Enter a description of the custom action. 9. Enter the path to SpotlightLauncher.exe in the Command box. 10. Click the arrow on the right side of the Command box and select Computer from the list. 11. Click OK. 12. Click OK. 52

51 2 Detecting Active Directory Problems Detecting Active Directory Problems Running Analysis Tests Scheduling Analysis Tests Running Analysis Tests using the Assistant Pane Naming an Analysis Test Viewing Test Results

52 Quest Spotlight on Active Directory Detecting Active Directory Problems Spotlight on Active Directory Topology Viewer provides analysis tests to help you detect and analyze Active Directory problems. You can run analysis tests instantaneously, or schedule them to run at specific times. You can also configure Spotlight on Active Directory Topology Viewer to notify you, based on the results of the different analysis tests. For more information, see Setting Notification Groups on page 34. Running Analysis Tests You can run any of the following analysis test categories: Directory Replication DNS File Replication Status/Performance Time Synchronization To run an analysis test 1. Select one or more DCs in the Topology View depending on the test you are running. Use your SHIFT key to make multiple selections. 2. Right-click one of the selected DCs and select Detect <Test Category> <Analysis Test> Run Once. 3. Click OK. You can run analysis tests using the Assistant Pane. For more information, see Running Analysis Tests using the Assistant Pane on page

53 Detecting Active Directory Problems Directory Replication The Directory Replication test category contains the following available analysis tests: Verify Directory Replication Health Verify Schema Consistency Find Replication Failures Check GPO Synchronization Track Object Replication Test Replication Links Verify Directory Replication Health The Verify Directory Replication Health analysis test creates an object in the domain partition that will be replicated to all other domain controllers. Based on what domain controllers are selected as targets, Spotlight on Active Directory will check those domain controllers for the replicated object and report back how long it took for the object to replicate. The container is found at the root of the domain naming partition and is named QuestReplicationMonitoring. A container for each target domain controller will be created within the QuestReplicationMonitoring container. It determines if a selected DC has replicated with its replication partners. When running or scheduling the Verify Directory Replication Health analysis test, select the following: You cannot have more than one active test with the same source server. The source server cannot be the same as the destination server. The timeout value cannot exceed the execution frequency. There must be at least one destination server in the same domain as the source server or Global Catalog (GC) server. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page

54 Quest Spotlight on Active Directory Verify Schema Consistency The Verify Schema Consistency analysis test checks all target domain controllers against the Schema Master to ensure Schema consistency. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Find Replication Failures The Find Replication Failures analysis test checks all replication links for any errors that occurred in the last replication attempt. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Find Replication Failures Fails When this analysis tool fails, you should: Check to make sure the DC is running and is connected to the network. Check to see if you can connect to the DC through Microsoft Native Tools (ADSIEdit, Sites and Services, etc.). If not, then you probably do not have administrative access to bind to that computer. Check GPO Synchronization The Check GPO Synchronization analysis test first gets a list of all group policies from the PDC Emulator. It then compares the file and directory version of each group policy from the selected domain controllers to the version found on the PDC Emulator. If the PDC Emulator is in the list of target domain controllers, it will be skipped as the PDC Emulator is the source to which group policies are compared. This test shows if the following GPO properties are inconsistent across any of the selected DCs in the forest: Sysvol user version Sysvol machine version Directory Services user version Directory Services machine version For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page

55 Detecting Active Directory Problems When Check GPO Synchronization Fails When this analysis tool fails, you should: DCs flagged as red may not have received replication updates from their partners. Try forcing replication between any affected DC and its partners using the Force Replication analysis tool. Check to see if there have been any replication failures on the affected DC. Ensure that you have administrative access to the registry on the DC. The Sysvol location is stored in the remote registry. Ensure that you have access to the file system on the DC. The file portion of GPOs is read from the Sysvol container on the remote DC. Track Object Replication The Track Object Replication analysis test allows the user to select any object and track it as it is replicated throughout your Active Directory forest. This test is used to determine if all servers in the forest have the selected copy of an Active Directory object. The Update Sequence Number (USN)/source computer pair for each property on the selected object is recorded from the source computer. This ensures that the tested computer has received all changes made to the object on the source computer. When you run or schedule this analysis test, you must select more than one DC. The first DC becomes the source server. You must also enter the full LDAP path of the object you want to track. When tracking an object in the domain naming context, Global Catalog servers outside the domain might fail the analysis test. Any Global Catalog server in the forest will fail the analysis test if it does not have the selected copy of an Active Directory object. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Test Replication Links The Test Replication Links analysis test ensures connectivity across all selected replication links. If you run this test on a computer that is offline, you may receive the error: There are no more end points available from the end point mapper. 57

56 Quest Spotlight on Active Directory For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Test Replication Links Fails When this action fails, you should: DNS Check to see if the replication partner is operational. Check if the replication partner can be contacted by the target computer. The Check Partners' DNS Entries analysis tool will tell you if the remote DC can find the DNS entries it needs from its replication partners. Run the Find Replication Failures analysis tool to see if there have been replication problems in the past. Run the Check W32Time Differential analysis tool to see if there is a time synchronization problem causing the failure. The DNS test category contains the following available analysis tests: Verify DNS Health Check DNS Entries Check Partners DNS Entries Verify DNS Health The Verify DNS Health analysis test checks the health and responsiveness of DNS, and whether domain controllers (DCs) are properly configured to use DNS. The Verify DNS Health test checks all dependencies that Active Directory has on DNS. This test validates numerous settings with DNS. If the Verify Netlogon entries check box is selected, the test will enumerate all network adapters, get all the DNS servers for those adapters, ensure each DNS server is online and responsive, and then validate each entry listed for that DNS server. If the Verify partner Netlogon entries check box is selected, the test will enumerate all replication partners for the target domain controller and validate all entries listed for each DNS server. 58

57 Detecting Active Directory Problems If the Verify PDC advertising check box is selected, the test will ensure that an entry is listed in DNS for each PDC Emulator in Active Directory. If the Verify GC advertising check box is selected, the test will ensure that an entry is listed in DNS for each Global Catalog in Active Directory. If the Skip Domain A record validation check box is selected, the test will not trigger an alarm on any missing Domain A records. If the Verify zone existence check box is selected, the test will ensure that there is a zone for that domain controller s domain. If the Verify forwarder availability check box is selected, the test will check the registry on the DNS server to enumerate the forwarders and then ensure each forwarder is online. User-specified external records of types A, SRV, and CNAME can be resolved. The DNS Health test retrieves installed network adapters once every four hours. DNS servers other then those used by domain controllers can be tested. The Verify DNS Health analysis test queries the DNS Server IP addresses specified for the network adapter of the targeted DCs. This test reconciles Netlogon entries found on the DC with the ones registered on the DNS server. It performs this same validation for the DC s replication partners. The status of the DNS entries registration with replication partners is shown in the test results. Click the link in the test results to see the DNS entries that have registered successfully or the individual records that are missing on the DNS server. When you run or schedule this analysis test, select the DNS Health options for which you want to gather information. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Check DNS Entries The Check DNS Entries analysis test validates each DNS entry for the selected domain controllers. This test verifies that the DNS Entries registered by a specific DC can be found on the DNS Servers configured for the computer running Spotlight on Active Directory Topology Viewer. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page

58 Quest Spotlight on Active Directory When Check DNS Entries Fails When this analysis tool fails, you should: Ensure that the server operational. Ensure that you have access to the admin$ share on the server. The tool requires access to the netlogon.dns file stored in admin$\system32\config. Check to see if you can make DNS requests from your computer. (The tool contacts the default DNS Servers for the local computer.) Check Partners DNS Entries The Check Partners DNS Entries analysis test validates each DNS entry for the replication partners of the selected domain controllers. This test verifies that the DC can find the DNS records of each of its inbound replication partners on the DNS server that it is using. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Check Partners' DNS Entries Fails When this analysis tool fails, you should: Ensure that the DC and its partners are operational. Ensure that you have access to the admin$ share on the server. This tool requires access to the netlogon.dns file stored in admin$\system32\config on each of the target DNS server's inbound replication partners. Verify (either using nslookup or the Microsoft DNS snap-in) that the entries are actually registered. File Replication The File Replication test category contains the following available analysis tests: Verify File Replication Health Confirm File Presence Check GPO Synchronization Check NTFRS Status 60

59 Detecting Active Directory Problems Verify File Replication Health The Verify File Replication Health analysis test creates a file in the SYSVOL share to be replicated by FRS. Based on what domain controllers are selected as targets, Spotlight on Active Directory will check those domain controllers for the replicated file and report back how long it took for the file to replicate. The file will be created within the domain folder that resides in the SYSVOL share. The filename will be QuestNtfrsMonitoring<domain> where <domain> is the fully qualified domain name for that domain controller. This test determines if a selected domain controller (DC) can replicate files with its replication partners. When running the Verify File Replication Health analysis test, you should consider the following: You cannot have more than one active test with the same source server. The source server cannot be the same as the destination server. The timeout value cannot exceed the execution frequency. There must be at least one destination server in the same domain as the source server. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. For more information on starting the NT File Replication Service (NTFRS), see Starting NTFRS on page 91. Confirm File Presence The Confirm File Presence analysis test allows you to select any file and check for its presence on other domain controllers. This test verifies that the files stored on all shares are physically the same files. Confirm File Presence verifies the file size in bytes, file date, and file name between the source computer and all other selected computers. When you run or schedule this analysis test, select the source server from the list and enter the name of the file or folder you want confirmed. The Confirm File Presence analysis test will stop comparing files on a DC once 10 errors have been reached. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page

60 Quest Spotlight on Active Directory When Confirm File Presence Fails When this analysis tool fails, you should: Ensure that you have administrative rights to access the file system on the affected DC. Check NTFRS Status The Check NTFRS Status analysis test shows if the NTFRS service is not running on the selected domain controllers. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. For more information on starting the NTFRS service, see Starting NTFRS on page 91. When Check NTFRS Status Fails When this analysis tool fails, you should: Try starting the NTFRS service through Spotlight on Active Directory Topology Viewer. Try connecting to the Service Control Manager through Microsoft native tools (services.msc). If you cannot connect, you may not have the required administrative access to that DC. 62

61 Detecting Active Directory Problems Status/Performance The Status/Performance test category contains the following available analysis tests: Verify Server Health Verify FSMO Best Practices Verify Site Configuration Check Service Pack & Hotfixes Check Service Status Verify Server Health The Verify Server Health test collects key data to determine overall server health. Data collected includes performance counters, network availability, disk space, critical services, directory service availability, and event log errors. Custom counters and/or thresholds can be configured for performance counters, network availability, and disk space. Performance data is polled twice over 30 seconds and averaged. You can be notified when optional performance counters and optional services are missing from the target Domain Controllers (DC). The default action for the test is to present a warning if an optional performance counter or service is missing. If this warning is not needed, you can disable this warning so the Verify Server Health Analysis test can report a successful completion. When you run the Verify Server Health test once, all events logged within the past hour are scanned. When you schedule the Verify Server Health test, the hardware is inspected every four hours. All events logged within the past hour are scanned the first time the test runs. On every subsequent run, the event log is scanned starting back from the previous time the test ran. When you run or schedule this analysis test, select the components for which you want to gather information. Options include performance counters, network availability, disk space, critical services, directory service availability and the event log. You can modify the thresholds for the test by clicking Edit. This will launch the Server Health Configuration Wizard. Any modifications you make are applied only to the Server Health test you are scheduling. If you want to modify the thresholds used for all tests, access the Server Health Configuration Wizard by 63

62 Quest Spotlight on Active Directory selecting Start Quest Software Spotlight on Active Directory Server Health Configuration Wizard. For more information on the Server Health Configuration Wizard, refer to Spotlight on Active Directory Server Health Configuration Wizard User Guide. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Verify FSMO Best Practices The Verify FSMO Best Practices test discovers the FSMO roles held by the target domain controllers and checks for violations based on the roles held. If the PDC Emulator and RID Master are on the same domain controller check box is selected, the test will check if both of these roles are located on the same domain controller. If the Infrastructure Master should not host the Global Catalog check box is selected, the test will check if any domain controllers that hold the Infrastructure Master host a copy of the Global Catalog. If the Schema Master and Domain Naming Master are on the same domain controller check box is selected, the test will check if the Schema Master is also holding the Domain Naming Master role. When you run or schedule this analysis test, select one or more best practices to test. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Verify Site Configuration The Verify Site Configuration analysis test checks the following configurable site settings: If the Intersite Topology Generation is disabled check box is selected, the test will check all selected sites to see if Intersite Topology Generation is disabled. If the Intrasite Topology Generation is disabled check box is selected, the test will check all selected sites to see if Intrasite Topology Generation is disabled. 64

63 Detecting Active Directory Problems If the No authority to resolve Universal Group membership check box is selected, the test will check if a domain controller is within the target site that can resolve Universal Group membership. This requires either a Global Catalog or a Windows 2003 domain controller to be in the target site. If the Exchange Server to Global Catalog ratio has been exceeded check box is selected, the test will enumerate all Exchange Server and Global Catalogs in the target site and produce an Exchange Server to Global Catalog ratio. This ratio is then compared to the ratio provided by the user and if the actual ratio is greater that the supplied ratio the test will return as a failure. When you run or schedule an analysis test, select a site to test and the settings to test against each site. The list of DCs is modified based on the sites selected. One DC is selected for each site to prevent several DCs alarming with the same alert data. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Check Service Pack & Hotfixes The Check Service Pack & Hotfixes test uses the remote registry service to enumerate all installed hot fixes and service packs on a domain controller. This is then compared to what the user selected to check if any service packs or hot fixes are missing the test will return a failure and list any missing entries. When you run or schedule this analysis test, enter a service pack number and a Microsoft Knowledgebase Article Number. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Check Service Pack Hotfixes Fails When this analysis tool fails, you should: Check to make sure you have administrative access to the registry on the remote DC. Install the missing Hotfix or service pack on the DC and run the tool again. 65

64 Quest Spotlight on Active Directory Check Service Status The Check Service Status analysis test opens a dialog box that lists all existing services on the query server. It checks that the services you chose are running on all selected domain controllers. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Check Service Status Fails When this analysis tool fails, you should: Try connecting to the Service Control Manager through Microsoft native tools (services.msc). If you cannot connect, then you may not have the required administrative access to that DC. Physically restart the affected services on the DC. Time Synchronization The Time Synchronization test category contains the following available analysis tests: Verify Time Synchronization Check W32Time Differential Check W32Time Parent Synchronization Check W32Time Status Indicators are applied to domain controllers (DCs) that cannot be contacted or that return errors. A status of yellow indicates that the DC could not be contacted, and a status of red indicates that the server has failed the test. Verify Time Synchronization The Verify Time Synchronization analysis test checks if all the pieces of the time synchronization solution function properly when Windows Time Service is used as a time synchronization solution. This test combines the functionality of three existing analysis tests: Check W32Time Status, Check W32Time Parent Synchronization, and Check W32Time Differential. The test also verifies synchronization with a specified time source server if a third-party NPT-based time synchronization solution is used, and allows you to ignore alarms associated with the specified time source server. 66

65 Detecting Active Directory Problems For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. Check W32Time Differential The Check W32Time Differential analysis test compares the time of the selected domain controllers to the PDC Emulator and compares this to the specified threshold. If the threshold is exceeded, the test will return a failure. This test shows you child DCs whose time is not synchronized with their parent time server within a user-defined margin. This margin is referred to as the time sync gap. The default time sync gap is two minutes. When you run or schedule this analysis test, enter a time differential as an acceptable threshold. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Check W32Time Differential Fails When this analysis tool fails, you should: Ensure that the server is operational. Check to make sure your time differential gap is set to the correct setting (default is 5 minutes). Check the properties of the server to see which computer is its time sync parent server. If necessary, change the Time Sync parameters of the server to point to a different server. Check W32Time Parent Synchronization The Check W32Time Parent Synchronization analysis test ensures that the selected domain controllers are using the PDC Emulator from their domain as their time source. The root PDC Emulator cannot be tested against external time sources. This test shows you any DC that is not synchronizing time with the Windows default time server. The Windows default time server is the PDC Emulator in its domain. If the selected DC is the PDC Emulator for the domain, the Windows default time server is the PDC Emulator of the root domain. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page

66 Quest Spotlight on Active Directory When Check W32Time Parent Synchronization Fails When this analysis tool fails, you should: Ensure that the server is operational. Make sure you have administrative access to the file system. The tool attempts to connect to the file system on the remote server. Ensure that you have access to query the registry on the remote server. The tool requires access to the registry to determine the server's time sync settings. Check to make sure you have access to query the domain object for that server. The tool attempts to find the Windows 2000 default parent for a particular server by binding to objects in Active Directory (starting with the object for the domain the server is in). If required, change the parameters of the server to point to the Windows 2000 default Time Sync server (for example, Resolve Time Sync - Set Parameters). Check W32Time Status The Check W32Time Status analysis test checks the status of the W32Time service. This test shows if the W32Time Service is not running on the selected domain controller. For information on running analysis tests, see Running Analysis Tests on page 54. For information on scheduling analysis tests, see Scheduling Analysis Tests on page 69. When Check W32Time Status Fails When this analysis tool fails, you should: Ensure that the server is operational. Ensure that you have administrative access to query services on that server. Try connecting to the Service Control Manager on the remote computer through services.msc. Try physically restarting the service. 68

67 Detecting Active Directory Problems Scheduling Analysis Tests To schedule an analysis test 1. Select one or more DCs in the Topology View depending on the analysis test you are scheduling. 2. Right-click a selected DC and select Detect <Test Category> <Analysis Test> Schedule. 3. Select Run every in the Scheduling tab and specify the interval for running the test. The default setting is to execute the test every 30 minutes, daily, between 8 AM and 5 PM. OR Select Run every day at in the Scheduling tab and enter the time you want the test to run. You can select the Between check box to run the test during specified hours or to run overnight. 4. Click OK. To view analysis test results Place your mouse pointer over a server node in the Topology View pane. The highest severity analysis test result is displayed in the Topology View. To view more detailed results 1. Right-click the server in question. 2. Select View Test Results. This displays the Result Pane, where you can select the test whose results you want to view. The Test Category, Test Name, Target, Time, and Result are displayed in the right side of the Result Pane. If a test has more than one target, a summary grid of information is displayed. All analysis tests will time out after either one hour or after the scheduled time, whichever is greater. 69

68 Quest Spotlight on Active Directory Scheduling Analysis Tests with Impersonation Options You can configure analysis tests to run under alternate credentials. The user credentials you use must have sufficient permissions to execute the analysis test. To schedule an analysis test with impersonation options 1. Select Detect <Analysis Test> Schedule. This opens the Analysis Test dialog box. 2. Select Run every in the Scheduling tab and specify the interval for running the test. The default setting is to execute the test every 30 minutes, daily, between 8 AM and 5 PM. OR Select Run every day at in the Scheduling tab and enter the time you want the test to run. You can select the Between check box to run the test during specified hours. 3. Click the Impersonation tab in the Advanced Options pane. 4. Select Execute using the credentials of the diagnostic services. These are the credentials entered during the installation of the diagnostic services. This is the default option. OR Select Execute using one of the following credentials. To execute using one of the following credentials 1. Select the credentials you want to use from the list of available credentials. 2. Select Configure Credentials to open the Credential Management dialog box. 3. Add existing Windows credentials to the list of credentials you can use to execute analysis tests. 5. Click OK. 70

69 Detecting Active Directory Problems Scheduling Analysis Tests with Notification Options You can configure Spotlight on Active Directory Topology Viewer to send notifications upon failure of an Analysis test. All users in a defined notification group are notified when a test fails. Notifications are not sent if the test does not complete. Notifications are sent only if the test fails upon completion. You can also forward any alerts to the Microsoft Operations Management (MOM) console. To schedule an analysis test with notification options 1. Select Detect <Analysis Test> Schedule. This opens the Analysis Test dialog box. 2. Select Run every in the Scheduling tab and specify the interval for running the test. OR Select Run every day at in the Scheduling tab and enter the time you want the test to run. You can select the Between check box to run the test during specified hours or to run overnight. The default setting is to execute the test every 30 minutes, daily, between 8 AM and 5 PM. 3. Select the Notifications tab in the Advanced Options pane. 4. Select the notification group you want to notify. 5. Enter the number of consecutive alarms. Once a specific number of alarms are triggered, the notification is sent. 6. Enter the number of maximum notifications to be sent per alarm. 7. If necessary, select the Forward alerts to MOM check box to send any alerts to the MOM console. 8. Click OK. The configured analysis test executes. If the test fails, a notification is sent to all members of the specified notification group. 71

70 Quest Spotlight on Active Directory Editing a Scheduled Analysis Test You can edit a scheduled analysis test through the Analysis Test Schedule Management dialog box. You can pause and resume a scheduled test, view a test, or delete a test. You can also edit the execution frequency of analysis tests; for example, you can change a Run Once test to a scheduled test, or a scheduled test to a Run Once test. To edit a scheduled analysis test 1. Select Edit Analysis Tests. The Analysis Test Schedule Management dialog box displays all scheduled analysis tests including Test Category, Test Name, Scheduled Status (Active, Paused, or Completed), next Run Time, Execution Frequency, Notification Group, and the credentials being used. 2. Select the test you want to edit and click the Edit button. This opens the Edit Test Configuration dialog box. 3. Edit the configuration information for the selected test. You can edit the target server list, test schedule, notification and impersonation information, and test configuration. 4. Click OK. All information for the test is updated, saved, and used the next time the test is run. 72

71 Detecting Active Directory Problems Pausing and Resuming a Scheduled Analysis Test You can pause and resume the execution of a previously scheduled analysis test. To pause a scheduled analysis test 1. Select Edit Analysis Tests. The Analysis Tests Schedule Manager displays all scheduled analysis tests including Test Category, Test Name, Scheduled Status (Active, Paused, or Completed), Execution Frequency, and Notification Group. 2. Select the test you want to pause and click Pause. The test is paused and will not execute until you click Resume. To resume a paused analysis test 1. Select Edit Analysis Tests. The Analysis Tests Schedule Manager displays all scheduled analysis tests including Test Category, Test Name, Scheduled Status (Active or Paused), Execution Frequency, and Notification Group. 2. Select the paused test you want to resume and click Resume. If a test is halted by the system because of invalid credentials, you can pause the test and resume it when the credentials are corrected. Also, if you pause a test and the Ending Time for that test passes during the pause, click Resume to resume the test schedule. Deleting a Scheduled Analysis Test You can delete a scheduled analysis test using the Analysis Tests Schedule Manager. To delete a scheduled analysis test 1. Select Edit Analysis Tests. The Analysis Tests Schedule Manager displays all scheduled analysis tests including Test Category, Test Name, Scheduled Status (Active, Paused, or Completed), Execution Frequency, and Notification Group. 2. Select the test you want to delete and click Delete. You will be prompted to confirm or cancel the deletion. 3. Click Yes to confirm the deletion. 73

72 Quest Spotlight on Active Directory Running Analysis Tests using the Assistant Pane You can quickly access all of the analysis tests provided in Spotlight on Active Directory Topology Viewer through the various panes in the Assistant pane. The three comprehensive analysis tests, Verify DNS Health, Verify Replication Health and Verify Server Health, can be found in the Assistant pane at the top of the Assistant pane. The other tests are organized according to troubleshooting category and grouped into the following panes: Directory Replication Testing DNS Testing File Replication Testing Status/Performance Testing Time Synchronization Testing For more information about these panes, see The Assistant Pane on page 23. To run an analysis test from the Assistant pane 1. Select the specific DC or DCs in the Topology View or in the Analysis Test Results pane. 2. Expand the pane of the troubleshooting category you want. 3. Click the name of the test you want to run. OR Click the icon for the test you want to run. 4. Select Run test once. OR Select Schedule test with advanced options. If you select Schedule test with advanced options, the configuration dialog box for that particular test opens and you must provide the appropriate information. If you select only one DC and attempt to run an analysis test that requires more than one target server, the following error message is displayed: You must select at least two servers in the Topology View to perform this action. 74

73 Detecting Active Directory Problems Naming an Analysis Test By default, when you schedule an analysis test, the name of the analysis test is generated automatically. If desired, you can enter a custom test name instead of using the generated test name. For example, you can schedule separate Server Health analysis tests in order to monitor different metrics of a domain controller at different intervals. You should give each test a different name to distinguish amongst the three Server Health analysis tests, and therefore, better manage the tests. To name an analysis test 1. Select one or more DCs in the Topology View. 2. Right-click a selected DC and select Detect <Test Category> <Analysis Test> Test Name. 3. Click the Test Name tab in the Advanced Options pane. 4. Enter a name for the test. 5. Click OK. You can also name an analysis test using the Assistant pane. To name an analysis test from the Assistant pane 1. Select the specific DC or DCs in the Topology View or in the Analysis Test Results pane. 2. Expand the pane of the troubleshooting category you want. 3. Click the name of the test you want to run. OR Click the icon for the test you want to run. 4. Select Schedule test with advanced options. 5. Click the Test Name tab in the Advanced Options pane. 6. Enter a name for the test. 7. Click OK. You can only give custom test names to analysis tests that have been scheduled. 75

74 Quest Spotlight on Active Directory Viewing Test Results You can view test results using the Analysis Test Results tab. The Analysis Test Results tab is divided into two sections, each providing analysis test status and results. You can resize each section by dragging the section borders. The Analysis Test Results tab does not provide test details until you run an analysis test. You can view details for scheduled tests and tests that run once. The Analysis Test Results tab also includes the Assistant pane on the right. This gives you quick access to the running of new analysis tests, native Microsoft administrative tools, and management actions. Results and status of analysis tests are shown in a tree structure, which you can expand and collapse. The individual tests are listed by test category and you can see the details for each test: Analysis Test the type of test, test name, test target, and test progression details. Last Update the date and time that the test results were updated in the test results tree. Last Result whether or not the test completed, failed, or was successful. The colors of the test icons represent test status: Green indicates that the test is running but may not be completed yet. Yellow indicates that the test failed to complete. Red indicates that the server failed the test. The color on the test category name indicates the highest severity in the test group. If you right-click a server, you are presented with the following options: OPTION Launch Diagnostic Console Run Again EXPLANATION Launches the Diagnostic Console for the server that was the focus of the test. Runs the test again immediately. Note: Applicable only for scheduled tests. At times, you may need to do corrections or adjustments based on the results of a scheduled test. This option allows you to run the test again once you have made your changes. This will not affect the current schedule for that test. 76

75 Detecting Active Directory Problems OPTION Expand All Collapse All Ignore Result EXPLANATION Expands the tree structure to show all the steps that took place for each test. Reduces the tree structure to the test category (highest level). Omits the selected test results from the current display. Note: This only affects existing test results. When the test is run again, the new results will appear. Once network problems are detected by Spotlight on Active Directory Topology Viewer, you can launch Spotlight on Active Directory Diagnostic Console to help you determine what corrective action to take. The Test Result Details Pane The details in this pane change according to which type of test is selected. The following test details are available: Test Name the type of test highlighted in the test result tree and the date and time of test executions. Target the name of the target server and target mailbox. Time a more detailed textual summary of the test highlighted in the test result tree. Result whether or not the test completed, failed, or was successful. In this example the store responsiveness test succeeded. Text Result a more detailed textual summary of the test highlighted in the test result tree. If the test selected in the test result tree contains multiple targets, a table is displayed in the Test Result Details pane. 77

76 Quest Spotlight on Active Directory 78

77 3 Diagnosing Problems Diagnosing Problems Diagnosing Problems using Spotlight on Active Directory Diagnostic Console Diagnosing Problems using InTrust for Active Directory

78 Quest Spotlight on Active Directory Diagnosing Problems Spotlight on Active Directory Topology Viewer offers seamless integration with Spotlight on Active Directory Diagnostic Console and the InTrust for Active Directory Event Log. When a network problem is detected using Spotlight on Active Directory Topology Viewer s analysis and observation tools, you can launch Spotlight on Active Directory Diagnostic Console from within Spotlight on Active Directory Topology Viewer. You can then use Spotlight on Active Directory Diagnostic Console to help diagnose the problem. Spotlight on Active Directory Diagnostic Console is a powerful diagnostic and resolution tool. Its unique user interface provides a real-time representation of the dataflow in your Microsoft Active Directory, allowing you to detect, diagnose, and resolve network problems. The InTrust for Active Directory Service operates on domain controllers. It captures and audits all changes made to Active Directory and Group Policy objects. The InTrust for Active Directory Service also, optionally, protects critical objects from accidental and unwanted changes, enabling an organization to audit and manage changes in their Active Directory environment. If a problem occurs in the Spotlight on Active Directory, it can be due to a change made in domain controller. Because change information is saved in the InTrust on Active Directory, you can view the Event Log and review any changes that have been made. For more information, see: Diagnosing Problems using Spotlight on Active Directory Diagnostic Console Diagnosing Problems using InTrust for Active Directory 80

79 Diagnosing Problems Diagnosing Problems using Spotlight on Active Directory Diagnostic Console Once network problems have been detected by Spotlight on Active Directory Topology Viewer, you can launch Spotlight on Active Directory Diagnostic Console to help you determine what corrective actions to take. Graphical flows illustrate the rate at which data is moving between DC components. Components display the value of key statistics and metrics. The power of Spotlight on Active Directory Diagnostic Console lies in its ability to provide visual and audible warnings if performance metrics exceed acceptable thresholds. Components change color to show you the source of the problem. A range of reports and graphs provide you with detailed information about a DC. This information can be viewed on the screen, or printed. Spotlight on Active Directory Diagnostic Console provides a number of drilldowns which display detailed information about the DC you are analyzing. You can locate and identify problem areas quickly using a visual representation of the major components in the DC being monitored. When you have isolated a problem, you can see a detailed breakdown by viewing a drilldown that displays the underlying statistics. Spotlight on Active Directory Diagnostic Console also provides various techniques to warn you when a DC is exceeding a threshold. You can set Spotlight on Active Directory Diagnostic Console to warn you when the system reaches a threshold, and you can set a number of thresholds to display warning messages before inbound or outbound traffic levels of a DC become critical. For more information on how to launch the Spotlight on Active Directory Diagnostic Console, see Launching Spotlight on Active Directory Diagnostic Console on page 101. For more information on the Spotlight on Active Directory Diagnostic Console, refer to the Spotlight on Active Directory Diagnostic Console section of the Help menu when you launch the Spotlight on Active Directory Diagnostic Console. 81

80 Quest Spotlight on Active Directory Diagnosing Problems using InTrust for Active Directory Quest InTrust provides collection, correlation, archival, and reporting on the heterogeneous audit data from your enterprise-wide network, as well as for real-time alerting and notification. InTrust s two main processes are audit data gathering and real-time monitoring for critical events. For more information on Quest InTrust, see Quest InTrust User Guide. If a problem arises in the Spotlight on Active Directory, it can be due to a change made to the configuration or schema in InTrust. You can launch the InTrust on Active Directory Event Log to find out what changes have been made. You must be integrated to InTrust on Active Directory. For more information on InTrust Integration, see InTrust Integration on page 43. For more information on how to view changes from InTrust on Active Directory, see Viewing Changes from InTrust for Active Directory on page

81 4 Resolving Replication and Time Sync Problems Resolving Directory Replication Managing Replication Links Configuring the Knowledge Consistency Checker (KCC) Understanding FSMO Role Transfer Resolving File Replication Managing the NT File Replication Service (NTFRS) Managing NTFRS Logging Resolving Time Synchronization Setting Time Synchronization Parameters

82 Quest Spotlight on Active Directory Resolving Directory Replication The Directory Replication actions let you change your replication topology in order to resolve replication issues in your Active Directory forest. You can perform these actions: Add, edit, and delete replication links Find the quickest replication path between two domain controllers (DCs) Force replication between two linked servers Enable or disable the Knowledge Consistency Checker (KCC) the KCC auto-generates and removes replication links Transfer Flexible Single-Master Operation (FSMO) roles For more information, see Managing Replication Links. Managing Replication Links Spotlight on Active Directory Topology Viewer provides various actions to allow you to manage your replication links. These actions include: Creating, editing, and deleting replication links Testing replication links to ensure replication can happen Forcing replication between two servers Identifying servers that have not received the latest data on the last replication attempt Finding the quickest replication path from one server to another Configuring the KCC to enable or disable automatic replication link maintenance Pending actions are displayed in the Pending Resolve Actions list at the bottom of the Results tab window. Pending actions can be cancelled. When the action is complete, it is posted to the Completed Resolve Actions list at the bottom of the Results tab window. For more information, see: Creating a Link Deleting a Link Editing a Link 84

83 Resolving Replication and Time Sync Problems Finding the Quickest Path Forcing Replication Configuring the Knowledge Consistency Checker (KCC) Understanding FSMO Role Transfer Creating a Link Replication links are automatically created by the Knowledge Consistency Checker, but you can also create them using Spotlight on Active Directory Topology Viewer. For more information, see Configuring the Knowledge Consistency Checker (KCC) on page 89. To create a link 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select a server in the Browse or Topology View pane. The first server selected becomes the source server. 3. Hold the CTRL key and select another server. The second server selected becomes the destination server. 4. Right-click and select Resolve Directory Replication Create Link. Optionally, you can change the source and destination computers. 5. Enter a name for the link. 6. Click a block of time that corresponds to the time and day you want to set in the Schedule section. OR Drag the pointer to create a selection region around the blocks of time you want to edit. 7. Select a replication frequency from the Frequency section. The four settings in the Frequency section represent how often replication will occur each hour. 8. Select a transport type. 9. Enter a description. 10. Click OK. 85

84 Quest Spotlight on Active Directory Deleting a Link Replication links are automatically deleted by the KCC, but you can also delete them using Spotlight on Active Directory Topology Viewer. This is useful when reorganizing sites and domains. The KCC does not delete manually created links. To delete a link 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select a server in the Browse or Topology View pane. The first server selected becomes the source server. 3. Hold the CTRL key and select another server. The second server selected becomes the destination server. 4. Right-click and select Resolve Directory Replication Delete Link. Optionally, you can change the source and destination computers. 5. Select the link you want to delete in the Links list. 6. Click OK. Editing a Link Spotlight on Active Directory Topology Viewer allows you to edit the replication schedule, frequency, and transport type properties of a replication link between two servers. To edit a link 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select a server in the Browse or Topology View pane. The first server selected becomes the source server. 3. Hold the CTRL key and select another server. The second server selected becomes the destination server. 86

85 Resolving Replication and Time Sync Problems 4. Right-click and select Resolve Directory Replication Edit Link. 5. If there are multiple links between the two selected DCs, select the link you want to edit from the Links list. 6. Click a block of time that corresponds to the time and day you want to edit in the Schedule section. OR Drag the pointer to create a selection region around the blocks of time you want to edit. 7. Select a replication frequency from the Frequency section. The four settings in the Frequency section represent how often replication will occur each hour. 8. Select a transport type. 9. Enter a description. 10. Click OK. Finding the Quickest Path The Find Quickest Path action finds the quickest replication path between two DCs. To find the quickest path 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select a server in the Browse or Topology View pane. The first server selected becomes the source server. 3. Hold the CTRL key and select another server. The second server selected becomes the destination server. 4. Right-click and select Resolve Directory Replication Find Quickest Path. A message is displayed in the Completed Resolve Actions tab in the lower pane of the Topology Viewer tab. Double-click the message to see the quickest replication path. 87

86 Quest Spotlight on Active Directory Forcing Replication The Force Replication action forces replication between two servers. To force replication 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select a server in the Browse or Topology View pane. The first server selected becomes the source server. 3. Hold the CTRL key and select another server. The second server selected becomes the destination server. 4. Right-click and select Resolve Directory Replication Force Replication. You can force replication for Configuration, Schema, and Domain naming contexts independently of each other by selecting the individual check boxes on the Force Replication dialog box. If Forced Replication fails because of a schema mismatch, Active Directory will attempt to replicate the schema partition. You can also force replication between unconnected servers. Spotlight on Active Directory Topology Viewer determines the quickest path between the selected servers, and all data from the source DC is replicated to all DCs along that path, up to and including the destination DC. To force replication between two unconnected servers 1. Connect to a DC. 2. Select a server in the Browse or Topology View pane. The first server selected becomes the source server. 3. Hold the CTRL key and select another server that is not directly connected to the first server. The second server selected becomes the destination server. 4. Right-click the source server and select Resolve Directory Replication Force Replication. When replication is complete, a message informing you of the exact replication path is displayed in the Completed Resolve Actions tab in the lower pane of the Topology Viewer tab. 88

87 Resolving Replication and Time Sync Problems Configuring the Knowledge Consistency Checker (KCC) The KCC automatically generates and maintains the replication topology within a site and between sites. You can disable the KCC within a site (intrasite) and between sites (intersite). The KCC runs at regular intervals, adjusting the replication topology if any changes occur in Active Directory. Changes may include the addition of new DCs, or the creation of new sites. The KCC also simultaneously reviews the replication status of existing connections and determines if any are not working. If a connection is not working, the KCC automatically builds temporary connections to other available replication partners to ensure that replication continues. Spotlight on Active Directory Topology Viewer allows you to disable the KCC if the default network replication infrastructure does not meet your organization s specific requirements. Before you disable the KCC, it is recommended that all DCs conform to the following rules: All DCs replicate changes to and from at least one other DC in the domain. All DCs in the domain must have a direct replication path to each other. All DCs must have a replication path to all other DCs. Global Catalog (GC) servers must be able to obtain a copy of every domain's naming context from a source. This can be another GC server or a DC in the domain. To disable the KCC 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane that are in the sites where you want to disable the KCC. 3. Right-click and select Resolve Directory Replication Configure KCC. 4. Clear the Intersite KCC (Between Sites) check box to disable the KCC between sites. OR Clear the Enable Intrasite KCC (Within a Site) check box to disable the KCC within a site. You can clear both check boxes if required. 89

88 Quest Spotlight on Active Directory 5. Click OK. Understanding FSMO Role Transfer You can transfer any FSMO role to another DC on the network. You can change forest-wide FSMO roles and domain-wide FSMO roles. FSMO roles are: PDC Emulators - Domain specific and one per domain RID Servers - Domain specific and one per domain Infrastructure Masters - Domain specific and one per domain Domain Naming Master- Forestwide and one per forest Schema Master - Forestwide and one per forest To transfer forest FSMO roles 1. Select two or more DCs. 2. Right-click and select Resolve Directory Replication FSMO Role Transfer. 3. Select the DC you want to assign the Schema Master role to in the Schema Master Change To list. 4. Select the DC you want to assign the Domain Naming Master role to in the Domain Naming Master Change To list. 5. Click OK. Windows 2000 lets you switch the Domain Naming Master to Global Catalog Servers only. To transfer domain FSMO roles 1. Select two or more DCs. 2. Right-click and select Resolve Directory Replication FSMO Role Transfer. 3. Select a domain from the Domain list to display the current PDC Emulator, RID Master, and Infrastructure Master roles for that DC. 4. Select the DC you want to assign the PDC Emulator role to in the PDC Emulator Change To list. 5. Select the DC you want to assign the RID Master role to in the RID Master Change To list. 6. Select the DC you want to assign the Infrastructure Master role to in the Infrastructure Master Change To list. 7. Click OK. 90

89 Resolving Replication and Time Sync Problems Resolving File Replication The File Replication actions let you manipulate your File Replication settings and the NT File Replication Service (NTFRS). You can: Start, stop, and restart the NTFRS Increase Update Sequence Number (USN) journal size Configure Windows File Replication settings, including the number of NTFRS log files Windows creates, the number of messages Windows puts in each NTFRS log file, and the level of detail in each NTFRS log file For more information, see Managing the NT File Replication Service (NTFRS) on page 91, Managing NTFRS Logging on page 92, Increasing USN Journal Size on page 95, and Managing Advanced GPO Logging on page 96. Managing the NT File Replication Service (NTFRS) The NT File Replication Service (NTFRS) is the mechanism used to replicate system policies and logon scripts stored in System Volume (SYSVOL). NTFRS can also replicate data for Distributed file system (Dfs), synchronizing the content of each member in a replica set defined by Dfs. NTFRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by schedule between sites. This section demonstrates the procedures for starting, stopping, and restarting NTFRS. For more information, see: Starting NTFRS Stopping NTFRS Restarting NTFRS Starting NTFRS The Start NTFRS action starts the NTFRS on the selected DCs. To start NTFRS 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs from the Browse or Topology View pane. 91

90 Quest Spotlight on Active Directory 3. Right-click and select Resolve File Replication Start NTFRS. Stopping NTFRS The Stop NTFRS action stops the NTFRS on selected DCs in order to install patches or run such maintenance tasks as hotfixes. To stop NTFRS 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs from the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Stop NTFRS. Restarting NTFRS The Restart NTFRS action restarts the NTFRS on all selected DCs. To restart NTFRS 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more domain controllers from the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Restart NTFRS. Managing NTFRS Logging Spotlight on Active Directory Topology Viewer allows you to set specific details such as the number of NTFRS log files per DC, the number of messages per NTFRS file, and the level of detail of the information contained in each file. By default, NTFRS records its actions in trace log files. These log files are named Ntfrs_000x and are located in the Systemroot\debug directory. These files are typically used to investigate NTFRS replication problems. The following section describes how to enable and disable NTFRS logging, as well as set the number of files generated, the number of messages per NTFRS log file, and the level of detail logged in the file. For more information, see: Enabling NTFRS Logging Disabling NTFRS Logging Setting the Number of NTFRS Log Files Generated 92

91 Resolving Replication and Time Sync Problems Setting the Number of Messages per NTFRS Log File Setting NTFRS Log File Detail Enabling NTFRS Logging The Enable NTFRS Logging action allows you to enable the NTFRS trace log. To enable NTFRS logging 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more domain controllers from the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Enable NTFRS Logging. Disabling NTFRS Logging The Disable NTFRS Logging action allows you to disable the NTFRS trace log. 93

92 Quest Spotlight on Active Directory To disable NTFRS logging 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more domain controllers from the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Disable NTFRS Logging. Setting the Number of NTFRS Log Files Generated This action allows you to set the maximum number of NTFRS trace log files that will be generated on the selected servers. To set the number of log files generated 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Set Number of FRS Log Files Generated. 4. Click the up or down arrows in the Set the Number of Log Files to box to increase or decrease the number of files. OR Type the number of files. 5. Click OK. Setting the Number of Messages per NTFRS Log File This action allows you to determine how many entries can be stored in each NTFRS trace log file (Ntfrs_000x.log) on the selected DCs. To set the number of messages per NTFRS log file 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Set Number of Messages per NTFRS Log File. 94

93 Resolving Replication and Time Sync Problems 4. Click the up or down arrows in the Set the messages per file limit to box to increase or decrease the number of messages. OR Enter the number of messages. The minimum number of messages per NTFRS log file is Click OK. Setting NTFRS Log File Detail This action allows you to determine the level of detail that the NTFRS records in its trace log files (Ntfrs_000n.log) on the selected DCs. The level of detail is specified by a numeric scale from zero to five: zero being the least detailed and five being the most detailed. To set the NTFRS log file detail 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Set NTFRS Log File Detail. 4. Select the option that corresponds to the level of detail you require. 5. Click OK. Increasing USN Journal Size This action allows you to increase the size of the USN Journal, therefore allowing for more entries to be added to the journal. To increase the USN Journal size 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Increase USN Journal Size. 95

94 Quest Spotlight on Active Directory 4. Increase the journal size in the box labeled Increase the USN Journal Size to. Decreases in journal size can only be made by reformatting volumes that contain NTFRS-replicated content. 5. Click OK. Managing Advanced GPO Logging In Windows 2000, group policy events are logged to the Event Log using either Normal or Verbose mode. By default, they are logged using Normal mode, which means not all failures are displayed in the Event Log. To retrieve more detailed information on group policy processing from the Event Log, Spotlight on Active Directory Topology Viewer allows you to enable verbose logging. For more information, see: 96 Enabling Advanced GPO Logging Disabling Advanced GPO Logging Enabling Advanced GPO Logging Advanced Group Policy Object (GPO) Logging enables detailed event logging for group policies, which logs all Group Policy-related events to the event log. To enable advanced GPO logging 1. Start Spotlight on active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane. 3. Right-click and select Resolve File Replication Enable Advanced GPO Logging. Disabling Advanced GPO Logging Disable advanced GPO logging to return group policy event logging to Normal mode. To disable advanced GPO logging 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select one or more DCs in the Browse or Topology View pane.

95 Resolving Replication and Time Sync Problems 3. Right-click and select Resolve File Replication Disable Advanced GPO Logging. Resolving Time Synchronization Spotlight on Active Directory Topology Viewer displays time synchronization lines between synchronized DCs. You have the ability to set parameters, run diagnostics, and monitor selected DCs or all DCs in your topology. You can also view time sync-related properties on selected DCs. Time Synchronization is the process by which DCs keep their time consistent across the forest. Each DC copies the time from another DC, and by arranging the synchronization partners in an appropriate fashion, all DCs will have nearly the same time. For more information, see: Setting Time Synchronization Parameters Setting Time Synchronization Parameters Spotlight on Active Directory Topology Viewer allows you to set time synchronization parameters for DCs on the network. To set time synchronization parameters for a DC 1. Start Spotlight on Active Directory Topology Viewer and connect to a DC. 2. Select a DC in the Browse or Topology View pane. 3. Right-click and select Resolve Time Sync Set Parameters. 4. Select a type from the Set the Time Sync Type to list. 5. Select a parent from the Set the Time Sync Parent to list (if available). 6. Select a time period from the Set the Time Sync Period to list. The Daily Skew option is defined as once every 45 minutes until one good synchronization occurs, then once every day. The Special Skew option is defined as once every 45 minutes until three good synchronizations occur, then once every eight hours (three per day). 7. Enter a frequency in the Times Per Day box (if available). The Times per Day box is disabled by default. Selecting the Specified times per day option in the Set the Time Sync Period to box makes the Times per Day box available. 97

96 Quest Spotlight on Active Directory 8. Click OK to save the changes. For more information on setting external time synchronization sources, go to 98

97 5 Managing Actions and Results Managing Actions and Results

98 Quest Spotlight on Active Directory Managing Actions and Results If you select the Management Action Results tab in the Navigation pane, pending and completed actions for directory replications, file replications, and time synchronizations are displayed. At the top of the main pane there are two tabs: Pending Actions and Completed Actions. Any directory replication, file replication, or time synchronization action performed in Spotlight on Active Directory Topology Viewer is displayed under the associated Pending Actions tab. When the action is complete, it is posted to the Completed Actions tab. The Completed Actions list displays each action that was performed, the domain controller (DC) on which it was performed, whether or not it was successful, the DC that performed the action, and the time the action was completed. You can save action results to a file for future reference, or delete them. For more information, see: Canceling Pending Actions Saving Action Results Clearing Action Results Launching Spotlight on Active Directory Diagnostic Console Viewing Changes from InTrust for Active Directory Canceling Pending Actions After you perform Directory Replication, File Replication, or Time Synchronization actions, these are posted to the list shown in the Pending Actions tab. You can cancel any or all pending actions. To cancel all pending actions Right-click in the associated Pending Actions list and select Cancel All Pending Action(s). To cancel selected pending actions 1. In the Pending Actions list, select the action you want to cancel. 2. Right-click the action and select Cancel Selected Pending Action. You cannot cancel an action while it is being executed. Actions currently being executed are indicated by an animated green arrow. 100

99 Managing Actions and Results Saving Action Results After performing Directory Replication, File Replication or Time Synchronization actions, you can save all results or selected results to a file. To save results to a file 1. Right-click in the Completed Actions tab and select Save All Message(s). OR Right-click and select Save Selected Message. 2. Enter a name for the file and click Save. Clearing Action Results You can clear individual action results or the entire list of action results. To clear results Right-click in the Completed Actions tab and select Clear All Message(s). OR Right-click and select Clear Selected Message. Launching Spotlight on Active Directory Diagnostic Console Once Spotlight on Active Directory Topology Viewer has detected Active Directory or performance problems, you can launch Spotlight on Active Directory Diagnostic Console to help you determine what corrective action to take. This applies to target servers only, not groups. To launch Spotlight on Active Directory Diagnostic Console 1. Select a domain controller (DC). 2. Click Launch Diagnostic Console in the Assistant pane. OR 101

100 Quest Spotlight on Active Directory Right-click and select Diagnose Launch Diagnostic Console. OR Right-click in the Completed Actions tab and select Launch Diagnostic Console. You can also launch the Spotlight on Active Directory Diagnostic Console from the Quest Management Console: From the Quest Management Console, click the Launch Diagnostic Console icon. OR 1. Open the Quest Management Console. 2. From the treeview, select Console Root Quest Management Console for Active Directory Solutions Performance and Availability. 3. Right-click Spotlight on Active Directory and select Launch Diagnostic Console. Viewing Changes from InTrust for Active Directory If a problem arises in the Spotlight on Active Directory, it can be due to a change made on a domain controller. Since changes to the domain controller are saved in the InTrust on Active Directory Event Log, you can launch the InTrust on Active Directory Event Log to find out what changes have been made. You must be integrated to InTrust on Active Directory. For more information on InTrust Integration, see InTrust Integration on page 43. To view changes made from InTrust 1. Select and right-click a domain controller (DC). 2. Select Diagnose View Changes from InTrust. In the Event Log, you can view configuration and schema changes made in the last X number of minutes, hours, or days. 102

101 6 Customizing the Topology Layout Understanding System Views

102 Quest Spotlight on Active Directory Understanding System Views Initially, Spotlight on Active Directory Topology Viewer defaults to a layout view of the entire forest you have specified. However, it also provides system Views that you can apply to that forest. In addition, Spotlight on Active Directory Topology Viewer allows you to filter the topology view to suit your needs. This makes it much easier for you to view the status of, and work with, the servers you are concerned about. This ability is of particular value to local administrators who are responsible for a small number of domain controllers (DCs). Spotlight on Active Directory Topology Viewer provides system Views that you can apply to the forest you have specified. Also, instead of dealing with the entire forest, you can create custom Views that display only specific domains or groups of DCs. You can also delete or edit these custom Views. In addition to the topology view, system and custom Views are also applied to the treeview and the Analysis Test Results tab. Test results are shown only for the target servers that are part of the system or custom View currently applied. Spotlight on Active Directory Topology Viewer retains the last View. This last View is loaded the next time you launch Spotlight on Active Directory Topology Viewer. For more information, see: Applying a System View Creating a Custom View Deleting a Custom View Editing a Custom View Resetting the Layout of the Current View Applying a System View Spotlight on Active Directory Topology Viewer provides the following system Views that you can apply to the current discovered forest: All (default - shows entire forest) Domain Naming Masters Global Catalogs Infrastructure Masters Intersite Topology Generators 104

103 Customizing the Topology Layout PDC Emulators RID Masters Schema Masters You cannot delete or modify these system views. Any custom Views you create are also added to this list. When you apply another system or custom View, this can affect what is shown in the Analysis Test Results tab. If a server whose test results are shown is not included in the View you select, then those test results disappear from the Analysis Test Results tab. To select a system view 1. Click in the View box above the topology view pane. 2. Select the system view you want to apply. Creating a Custom View You can create custom views and define them by site, domain, server or naming convention. You can select the domains or servers you want to include, or use naming conventions to filter only the servers you want to include. To create a View 1. Select View Create View. This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane. 2. Click Next. 3. Select the type of view you want and click Next. 4. Select the sites you want to include in the view and click Next. Your selection can also be domains, servers or naming conventions, depending on the type of view you selected. 5. Enter a name for the view you are creating and click Next. 6. Review the settings you have selected. 105

104 Quest Spotlight on Active Directory To make changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page. 7. Click Finish to save and apply the view you have created. Your custom view will be added to the View list above the main pane. Deleting a Custom View You can delete the custom View currently displayed. However, you cannot delete the systems views provided with Spotlight on Active Directory Topology Viewer. To delete the current View 1. Select View Delete Current View. 2. Click Yes to confirm you want to delete the current View. Editing a Custom View Once you have created a custom View, you can modify it. Spotlight on Active Directory Topology Viewer allows you to change any of the parameters of the custom View currently displayed. You cannot modify the system views that are provided with Spotlight on Active Directory Topology Viewer. To edit the current View 1. Select View Edit Current View. This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane. 2. Click Next. 3. Modify the type of view if necessary and click Next. 4. Modify the sites included in the View if necessary and click Next. You can also modify domains, servers or naming conventions, depending on the type of view you selected Change the name of the View if necessary and click Next. 6. Review the settings you have selected.

105 Customizing the Topology Layout To make further changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page. 7. Click Finish to save and re-apply the View you have modified. Resetting the Layout of the Current View If you have adjusted the server layout in your topology view by moving the servers, you can reset the view back to its original layout. To reset the layout of the current View Select View Reset Current View Layout. 107

106 Quest Spotlight on Active Directory 108

107 7 Working with Groups Working with Groups

108 Quest Spotlight on Active Directory Working with Groups As a network administrator, you may be responsible for domain controllers (DCs) located in various geographic locations. In particular, Global Catalog (GC) server administration can be a challenge in large network deployments with hundreds of DCs in multiple sites and domains that can span continents. Spotlight on Active Directory Topology Viewer addresses this challenge by allowing you to save DCs as groups. Once a group has been saved, accessing the list of DCs is as simple as selecting the group in the Browse pane. This saves you from having to select individual DCs and is particularly useful when applying common settings or actions to several DCs on your network. For more information, see: Autogrouping Centering on Group Collapsing Expanding Grouping Together Ungrouping Autogrouping You can autogroup existing groups using the Autogrouping tool toolbar and the autogrouping rules. You can autogroup: on the By site name using offset rules By site name using delimiter rules Offset rules allow you to group sites based on a certain number of letters in the group name. For example, an offset of 2 means that the autogrouping rule will use the next 2 characters as a group name. Delimiter rules allow you to group sites based on a delimiter. For example, a delimiter of '-' means that the autogrouping rule will use all of the characters up to the next '-' as a group name. Autogrouping rules are processed from the top down. 110

109 Working with Groups To create Autogrouping rules 1. Click. 2. Click Add. 3. Enter the name of the group in the Name of New Group Type box. 4. Select Offset in the Rule Type list. OR Select Delimiter in the Rule Type list. 5. Enter the offset you want to use in the Offset box. OR Enter the delimiter you want to use in the Delimiter box. 6. Click OK. The rule you created will be added to the list in the Autogrouping Rules dialog box. You can edit or remove rules you create. Click a rule in the list and click Edit to edit a rule or click Remove to remove a rule you have created. You can also reorder rules in the list by clicking a rule and using the and buttons. Select the Re-execute Layout check box and click OK to override the current site positioning. 111

110 Quest Spotlight on Active Directory Centering on Group Use the Center on Group feature to focus on a specific group in a large topology. Center on Group lets you bring a specific group to the center of the Topology View pane. Center on Group expands all parents of a group so that the selected group is visible. The group itself is not expanded. To center the topology view on a specific group 1. Select the group you want to center in the Topology View pane. 2. Right-click the selected group and select Center on Group. Collapsing Groups can be contracted into a single group node which has a visual representation of the group shape, but at a smaller size. To collapse a group 1. Select a group. 2. Right-click on the group you want to collapse and select Collapse. Expanding After a group has been collapsed into a single group node, you can expand it again. To expand a group 1. Select a group. 2. Right-click on the group node you want to expand and select Expand. 112

111 Working with Groups Grouping Together Groups are user-defined groups of DCs. You can group by site, region, country, and so on. Once you define the scope of a group, you must give it a name. Group names are also user defined. DCs are grouped by site by default. To group 1. Select a group in the Topology View pane. 2. Press the CTRL key, and select another group in the Topology View pane. 3. Right-click and select Group Together. Ungrouping You can ungroup DCs which you have previously grouped. To ungroup 1. Select a group in the Topology View pane. 2. Press the CTRL key, and select another group in the Topology View pane. 3. Right-click and select Ungroup. 113

112 Quest Spotlight on Active Directory 114

113 8 Getting Started with Quest Spotlight on Active Directory Diagnostic Console Introducing Spotlight on Active Directory Diagnostic Console Starting Spotlight on Active Directory Diagnostic Console

114 Quest Spotlight on Active Directory Introducing Spotlight on Active Directory Diagnostic Console Spotlight on Active Directory Diagnostic Console graphically displays, in real time, the actual flow of data between domain controllers (DCs) and various systems in your Active Directory so you can quickly identify congested areas and take appropriate corrective action. Spotlight on Active Directory Diagnostic Console provides a visual representation of Active Directory replication and response time identifies bottlenecks using flows, graphs and visual icons displays details including Lightweight Directory Access Protocol (LDAP) Bind times, inbound/outbound replication, Active Directory database size, Global Catalog response time, authentication traffic, Flexible Single-Master Operation (FSMO) roles, and Group Policy Object (GPO) recency Spotlight on Active Directory Diagnostic Console allows you to detect a problem in real time, drill down, and resolve it, thereby improving the efficiency of network administration, and reducing downtime for users. Spotlight on Active Directory Diagnostic Console also integrates seamlessly with Spotlight on Active Directory Topology Viewer, a powerful network management tool that provides a visual representation of your entire Active Directory topology. Spotlight on Active Directory Topology Viewer s unique user interface and functionality provide you with a wide range of remote administration functions and tools that assist you in pinpointing and resolving network replication and time synchronization performance issues. Spotlight on Active Directory Diagnostic Console and Spotlight on Active Directory Topology Viewer work together to help you detect, diagnose, and resolve network problems. Quest Spotlight on Active Directory Diagnostic Console offers expert help that explains each process and counter on a domain controller, and what a raised alarm means. The help system offers suggestions on how to resolve the alarm, common solutions, and next steps. It also enables additional drilldown into more detailed Windows processes and counters through Spotlight on Windows, which is included with Spotlight on Active Directory. 116

115 Getting Started with Quest Spotlight on Active Directory Diagnostic Console Starting Spotlight on Active Directory Diagnostic Console You can start Quest Spotlight on Active Directory Diagnostic Console from the Start menu or the Quest Management Console. To start Spotlight on Active Directory Diagnostic Console 1. Select Start Programs Quest Software Spotlight Spotlight. 2. Click Spotlight on Active Directory in the Spotlight Connection Manager window. 3. Click the connection icon that represents the system or DC you want to connect to in the Spotlight on Active Directory Diagnostic Console connections dialog box. 4. Click Connect. To run Spotlight on Active Directory Diagnostic Console from Quest Management Console 1. Open the Quest Management Console. 2. From the treeview, select Console Root Quest Management Console for Active Directory Solutions Performance and Availability. 3. Right-click Spotlight on Active Directory and select Launch Diagnostic Console. You can also run the Spotlight on Active Directory Topology Viewer from the Quest Management Console by clicking the Launch Diagnostic Console icon. If the connection icon for the system or DC you want to connect to does not appear in the Spotlight on Active Directory Diagnostic Console connections dialog box, you may have to create a new connection icon. For more information on creating connection icons and adding new connections, see the Spotlight Basics section in the Help menu of the Spotlight on Active Directory Diagnostic Console. To view a different system or DC when you have multiple connections 1. Select View Connection Browser. 2. In the Connections Browser, click the name of the system or DC you want to view. 117

116 Quest Spotlight on Active Directory 118

117 9 Using Quest Spotlight on Active Directory Diagnostic Console Using Spotlight on Active Directory Diagnostic Console Using Drilldowns Using Components

118 Quest Spotlight on Active Directory Using Spotlight on Active Directory Diagnostic Console Spotlight on Active Directory Diagnostic Console is a powerful diagnostic and resolution tool. Its unique user interface provides a real-time representation of the dataflow in your Windows 2000 forest, allowing you to detect, diagnose, and resolve Active Directory problems. Graphical flows illustrate the rate at which data is moving between domain controller (DC) components. Components display the value of key statistics and metrics. The power of Spotlight on Active Directory Diagnostic Console lies in its ability to provide visual and audible warnings if performance metrics exceed acceptable thresholds. Components change color to show you the source of the problem. A range of reports and graphs provide you with detailed information about a DC. This information can be viewed on the screen, or printed. Spotlight on Active Directory Diagnostic Console provides various techniques to warn you when a DC is exceeding a threshold. You can set Spotlight on Active Directory Diagnostic Console to warn you when any component reaches a specific threshold. This way, warnings are displayed when individual components (for example, memory consumption or CPU usage) approach alarm levels and you can take steps to remedy the situation before they cause significant problems. Spotlight on Active Directory also provides seamless integration with Spotlight on Windows. A Spotlight on Windows connection is automatically created when you create a connection to Spotlight on Active Directory. Therefore, you can double-click a Windows counter in the Spotlight on Active Directory homepage and connect directly to the appropriate Spotlight on Windows drilldown, without having to manually create a Spotlight on Windows connection, or re-enter a server name and credentials. Using Drilldowns Drilldowns display detailed information about the DC you are analyzing. Spotlight on Active Directory Diagnostic Console is designed to help you locate and identify problem areas quickly using a visual representation of the major components in the DC being monitored. When you have isolated a problem, you can see a detailed breakdown by viewing a drilldown that displays the underlying statistics. 120

119 Using Quest Spotlight on Active Directory Diagnostic Console You can display drilldowns by clicking a component in the main screen or by clicking a drilldown button on the toolbar. You can modify the way drilldowns display information. Each drilldown page contains displays that provide you with specific information about the components of your system. Drilldowns mainly use two different types of displays - tables and charts. Spotlight drilldowns have the following features: There is more than one way to view a specified drilldown. They can be configured to show all or some of the metrics associated with components. You can access further information about displays in drilldowns by moving the mouse over the displays, or by clicking or right-clicking on them. You can copy the data shown in drilldowns to other applications or save it to a file Spotlight on Active Directory Diagnostic Console provides the following drilldowns: Performance Drilldown Replication Drilldown Configuration Drilldown DNS Drilldown LSASS Status Drilldown LDAP Status Drilldown FSMO Roles Drilldown You can view Spotlight on Windows drilldown information through Spotlight on Active Directory. For example, when you view the expert help for the Ping Time component on the Spotlight on Active Directory homepage, click Show me the Network drilldown to connect to Spotlight on Windows and view the information in the Network drilldown. 121

120 Quest Spotlight on Active Directory Using the Performance Drilldown The Performance drilldown displays information on the applications running on a DC, including the process name and ID of the application the percentage of CPU usage the physical memory usage in megabytes To display the Performance drilldown Click the Performance drilldown button on the toolbar. The following tabs are displayed: Top CPU Consumers tab Top Memory Consumers tab All Processes tab Top CPU Consumers Tab The Top CPU Consumers tab displays information on the top ten CPU-consuming processes running on a DC. To display the Top CPU Consumers tab Click the Performance drilldown button on the toolbar. The Top CPU Consumers tab displays the following information in a table: COLUMN Process Name DESCRIPTION The process name of the application. % CPU The percentage of CPU that the process is using. 122

121 Using Quest Spotlight on Active Directory Diagnostic Console Top Memory Consumers Tab The Top Memory Consumers tab displays information on the top ten memoryconsuming processes running on a DC. To display the Top Memory Consumers tab Click the Performance drilldown button on the toolbar. The Top Memory Consumers tab displays the following information in a table: COLUMN Process Name Physical Memory (MB) DESCRIPTION The process name of the application. The amount of physical memory in megabytes that the process is consuming. All Processes Tab To display the All Processes tab Click the Performance drilldown button on the toolbar. The All Processes tab displays the following information in a table: COLUMN Process Name Process ID DESCRIPTION The process name of the application. The unique ID for the process. % CPU The percentage of CPU that the process is using. Physical Memory (MB) Virtual Memory (VB) The amount of physical memory in megabytes that the process is consuming. The amount of virtual memory in megabytes that the process is consuming. 123

122 Quest Spotlight on Active Directory Using the Replication Drilldown The Replication drilldown displays the amount of traffic to and from the DC and its replication partners the length of the Replication Queue the number of updates remaining in the replication packet the number of objects received per second from replication partners and applied by the local directory service the name, path, size, and staging information for FRS replicas the occurrence of any replication collisions To display the Replication drilldown Click the Replication drilldown button on the toolbar. The following tabs are displayed: Activity tab Queues tab Directory Partners tab FRS Replicas tab Collisions tab Activity Tab This tab shows the amount of inbound and outbound traffic being received and sent by the DC to its replication partners. To display the Activity tab Click the Replication drilldown button on the toolbar. 124

123 Using Quest Spotlight on Active Directory Diagnostic Console The Activity tab displays the following graphs: GRAPH DRA Activity NTFRS Activity DESCRIPTION The amount of inbound/outbound replication traffic the DC is sending and receiving from its replication partners. The graph shows occasional bursts of high activity during replication events followed by periods of zero activity where no replication is taking place. Inbound activity is shown in orange. Outbound activity is shown in blue. How many bytes have been read from the Active Directory database by the NTFRS process. Read activity is shown in orange. How many bytes have been written to the Active Directory database by the NTFRS process. Write activity is shown in blue. NTFRS CPU Usage The percentage of the CPU used by the NTFRS process. Queues Tab The Queues tab displays the length of the Replication Queue the number of updates remaining in the replication packet the number of objects received per second from replication partners and applied by the local directory service To display the Queues tab Click the Replication drilldown button on the toolbar. The Queues tab displays the following graphs: GRAPH Replication Queues DESCRIPTION The number of directory synchronizations queued for the DC but not yet processed. It helps determine the replication backlog; the higher the counter, the higher the backlog. DRA activity is shown in orange, and FRS activity is shown in blue. 125

124 Quest Spotlight on Active Directory GRAPH Remaining Objects Objects Applied per Second DESCRIPTION The number of object updates remaining in the current replication update packet that have not been applied on the local server. The rate at which the objects are applied to the Active Directory database Directory Partners Tab The Directory Partners tab displays detailed information about inbound and outbound replication links. To display the Directory Partners tab Click the Replication drilldown button on the toolbar. The Directory Partners tab displays the following information in a table: COLUMN Replication Partner Link Direction Site IP Address Enabled/Disabled Transport Type Options Consecutive Failures Naming Context Last Status DESCRIPTION The name of the DC that the server is replicating with. Shows whether replication is inbound (coming to the server from this replication partner) or outbound (going to the indicated replication partner.) The name of the site where the replication partner is located. The IP address of the replication partner. Shows whether the connection to the indicated replication partner is enabled or disabled. The transport type being used for replication. Shows whether or not the replication link was automatically generated by the Knowledge Consistency Checker (KCC). The number of consecutive replication errors that have occurred. The naming context that can be replicated between the replication partner and the currently connected DC. The result of the last replication attempt. 126

125 Using Quest Spotlight on Active Directory Diagnostic Console COLUMN Last Replication Attempt Last Successful Replication Consecutive Failures DESCRIPTION The time at which the last replication was attempted. The time at which the last successful replication was completed. The number of consecutive replication errors that have occurred. FRS Replicas Tab The FRS Replicas tab displays detailed information about FRS Replicas. To display the FRS Replicas tab Click the Replication drilldown button on the toolbar. The FRS Replicas tab displays the following information in a table: COLUMN Replica Name Replica Path Replica Size (MB) Replica Staging Path Replica Staging Size (MB) DESCRIPTION The display name of the FRS Replica. The path to the FRS Replica. The path to the replica staging folder. This folder acts as a queue for changed files and folders to be replicated to downstream partners. The size of the FRS Replica. The size of the replica staging folder. Collisions Tab The Collisions tab displays detailed information about any collisions that occurred during replication. To display the Collisions tab Click the Replication drilldown button on the toolbar. 127

126 Quest Spotlight on Active Directory The Collisions tab displays the following information in a table: COLUMN Distinguished Name Collision Time DESCRIPTION The distinguished name of the object involved in the replication collision. The time the collision occurred. Using the Configuration Drilldown The Configuration drilldown displays information on installed software, hotfixes, and installed network adapters. To display the Configuration drilldown Click the Configuration drilldown button on the toolbar. The following tabs are displayed: Installed Hotfixes tab Installed Software tab Network Adapters tab Installed Hotfixes Tab The Installed Hotfixes tab displays information on all installed hotfixes. A browser window in the lower half of the tab automatically opens to the corresponding support center home page for the installed operating system. As well, if a specific hotfix is selected, the browser window will automatically open to the Microsoft Knowledge Base article for that specific hotfix. To display the Installed Hotfixes tab Click the Configuration drilldown button on the toolbar. The Installed Hotfixes tab displays the following information in a table: COLUMN Name Description DESCRIPTION The name of the installed hotfix The description for the hotfix 128

127 Using Quest Spotlight on Active Directory Diagnostic Console COLUMN Type Installed By Installed Date DESCRIPTION The type of hotfix that is installed The user that installed the hotfix The date the hotfix was originally installed Installed Software Tab The Installed Software tab displays information about all software installed on a DC. To display the Installed Software tab Click the Configuration drilldown button on the toolbar. The Installed Software tab displays the following information in a table: COLUMN Application Name DESCRIPTION The application name of the installed software. Network Adapters Tab The Network Adapters tab displays information on all network adapters installed on a DC. To display the Network Adapters tab Click the Configuration drilldown button on the toolbar. The Network Adapters tab displays the following information in a table: COLUMN Network Card IP Address DNS Server(s) DESCRIPTION The display name of the network card. The IP address associated with the network card. The DNS Server(s) associated with the network card. Multiple entries are separated by a delimiter. 129

128 Quest Spotlight on Active Directory COLUMN Is DHCP Enabled DESCRIPTION Whether DHCP is enabled for the network card. Using the DNS Drilldown The Domain Naming System (DNS) drilldown indicates whether the DNS entries are registered by the currently connected DC, registered by another DC in the forest, or not registered at all. To display the DNS drilldown Click the DNS drilldown button on the toolbar. OR Click the DNS Entries component on the home page and click Show me the DNS Drilldown. The DNS drilldown displays the following information in a table: COLUMN Record Registration Status DESCRIPTION The name of the DNS record. Whether the DNS record is registered or not. 130

129 Using Quest Spotlight on Active Directory Diagnostic Console Using the LSASS Drilldown The Local Security Authority Subsystem (LSASS) drilldown displays information on database traffic and authentication requests. To display the LSASS drilldown Click the LSASS drilldown button on the toolbar. The LSASS drilldown displays the following information in graphs: GRAPH LSASS CPU Usage LSASS I/O Activity DESCRIPTION The percentage of the CPU used by the LSASS process. How many bytes have been read from the Active Directory database by the LSASS process. Read activity is shown in orange. How many bytes have been written to the Active Directory database by the LSASS process. Write activity is shown in blue. Authentications Directory Activity The number of NTLM NT Lan Manager Authentications and Kerberos Authentications per second being handled by the currently connected DC. NTLM Authentications are shown in orange and Kerberos Authentications are shown in blue. The number of directory read and write operations per second occurring on this DC. Read activity is shown in orange, and write activity is shown in blue. Using the LDAP Drilldown The LDAP drilldown displays detailed information regarding communications between clients and the DC. To display the LDAP drilldown Click the LDAP drilldown button on the toolbar. 131

130 Quest Spotlight on Active Directory The LDAP drilldown displays the following graphs: GRAPH LDAP Client Sessions LDAP Bind Time Directory Searches Per Second LDAP Search Time DESCRIPTION The number of clients that currently have open LDAP sessions with this DC The amount of time necessary to perform the last LDAP bind. Consistently high values might indicate a hardware or networking problem. The number of directory searches that are being executed per second on this DC. The time taken for a simple LDAP search against the DC. Using the FSMO Roles Drilldown The Flexible Single-Master Operation (FSMO) Roles drilldown indicates which DC owns each FSMO role. It also indicates which DC is the Global Catalog (GC) server. To display the FSMO Roles drilldown Click the FSMO Roles drilldown button on the toolbar. OR Click one of the FSMO Roles components on the home page. The FSMO Roles drilldown displays the following information in a table: COLUMN FSMO Role DESCRIPTION The five main roles a server can fulfill. These include Domain Naming Master, Schema Master, Infrastructure Master, PDC Emulator, and RID Server. Global Catalog and Intersite Topology Generator are not FSMO roles; they are listed here as extra information. Domain Controller Domain The network name of the computer that fulfills the associated FSMO role. The name of the domain to which the computer belongs 132

131 Using Quest Spotlight on Active Directory Diagnostic Console COLUMN Site IP Address DESCRIPTION The site to which the computer belongs The IP address of the computer By default, the FSMO Roles drilldown collects only the FSMO roles for the domain where the DC is located. Select the Collect FSMO role holders from other domains check box to collect all FSMO roles in the forest. If selected, this check box is applied to all current connections as well as new future connections. You can also connect to a DC from the FSMO Roles drilldown by using the right-click menu. Using Components The components on the Spotlight on Active Directory Diagnostic Console home page correspond to the elements of the DC that is being diagnosed. Components change color to alert you to specific performance problems. You can get more detailed information about a component s status by placing the pointer over the component to display its corresponding tip text, or by opening a drilldown to view the associated statistics in table and graph format. Spotlight on Active Directory Diagnostic Console displays the following types of components: Network components Dataflow components LSASS components NTFRS components AD Store components Active Directory components Operating System components 133

132 Quest Spotlight on Active Directory Network Components The following table describes the Network components: NETWORK COMPONENT Connected Users LDAP Client Sessions Ping Time LDAP Bind Time LDAP Search Time Theoretical Bandwidth DESCRIPTION The number of clients connected to this server. It does not show users connected to other applications that may be running on this computer; for example, Microsoft Exchange or SQL Server. It only shows the users that have established a Microsoft networking connection to the system. This component opens the Network drilldown. The number of LDAP clients that have sessions with this DC. This component opens the LDAP drilldown. The ping time, or average round trip time, from the computer where Spotlight on Active Directory Diagnostic Console is running to the connected DC. This component opens the Network drilldown. The time it took for the last LDAP client to bind to this DC. This component opens the LDAP drilldown. The time taken for a simple LDAP search against the DC. The time taken to bind to LDAP is not included in this value, providing a better representation of LDAP search performance. The level of network traffic graphed against a "theoretical" maximum bandwidth. The maximum bandwidth is calculated by totalling the capacity of all network devices reported by the operating system. This component opens the Network drilldown. For more information on the Network drilldown, see the Spotlight on Windows section in the online help. 134

133 Using Quest Spotlight on Active Directory Diagnostic Console Dataflow Components Dataflows illustrate the rate at which data is moving through the system and change their speed and color to alert you to performance issues. You can display a dataflow as a flow and graph. The following table describes the Dataflow components: DATAFLOW COMPONENT Auths/s (Authentications per second) Dir Searches/s (Directory Searches per second) Dir Reads/s (Directory Reads per second) Dir Writes/s (Directory Writes per second) Inbound KB/s (Inbound KBytes per second) Outbound KB/s (Outbound KBytes per second) DESCRIPTION The number of Kerberos and NTLM Authentications per second handled by the DC. This component should show activity over time. Prolonged periods of high usage or zero activity should be investigated. The PDC Emulator tends to show higher values for Kerberos authentication than other DCs as many older programs only authenticate with a PDC. Client programs can also ask for NTLM authentication as a preference over Kerberos. The number of search operations that have been requested by LDAP clients. This component opens the LDAP drilldown. The rate at which clients are reading data from the Active Directory Data Store. Global Catalog servers tend to have higher levels of directory activity than other DCs. This component opens the LSASS drilldown. The rate at which clients are writing data to the Active Directory Data Store. Global Catalogs tend to see higher levels of directory activity than other DCs. This component opens the LSASS drilldown. The number of kilobytes per second the server receives through replication. This component opens the Replication drilldown. The number of kilobytes per second that the server sends through replication. This component opens the Replication drilldown. 135

134 Quest Spotlight on Active Directory DATAFLOW COMPONENT KB Read/s (LSASS KBytes Read per second) KB Written/s (LSASS KBytes Written per second) KB Read/s (NTFRS KBytes Read per second) KB Written/s (NTFRS KBytes Written per second) DESCRIPTION How many kilobytes have been read from the Active Directory database by the LSASS process. The LSASS process is the part of Active Directory that is responsible for LDAP requests and for authentication requests. This component opens the LSASS drilldown. How many kilobytes have been written to the Active Directory database by the LSASS process. The LSASS process is the part of Active Directory that is responsible for LDAP requests and for authentication requests. This component opens the LSASS drilldown. How many kilobytes have been read from the Active Directory database by the NTFRS process. The NTFRS process is the part of Active Directory that is responsible for file replication. This component opens the Activity tab on the Replication drilldown. How many kilobytes have been written to the Active Directory database by the NTFRS process. The NTFRS process is the part of Active Directory responsible for file replication. This component opens the Activity tab on the Replication drilldown. The following components are not available when running Spotlight on Active Directory Diagnostic Console on a Windows 2003 Server: LSASS Bytes Read LSASS Bytes Written NTFRS Bytes Read NTFRS Bytes Written Kerberos is the default authentication mechanism in most Active Directory forests and is more secure than the older NTLM authentication. NTLM authentications are performed in many scenarios. Primarily, they are performed by pre-windows 2000 programs that use LanMan APIs. However, they may also be performed when Kerberos is unavailable or when Kerberos authentication fails. 136

135 Using Quest Spotlight on Active Directory Diagnostic Console LSASS Components The following table describes the LSASS components: LSASS COMPONENT CPU Usage Memory Usage Replication Queue DESCRIPTION The total amount of CPU used by the LSASS process. This component opens the LSASS drilldown. The total amount of physical memory (RAM) available and the total amount used by the LSASS process. This component opens the All Processes tab on the Performance drilldown. The number of directory synchronizations queued but not yet processed for this DC. This component opens the LSASS drilldown. NTFRS Components The following table describes the NTFRS components: NTFRS COMPONENT CPU Usage Memory Usage Replication Queue (NTFRS) DESCRIPTION The total amount of CPU used by the NTFRS process. This component opens the Activity tab on the Replication drilldown. The total amount of physical memory used by the NTFRS process. This component opens the All Processes tab on the Performance drilldown. The number of directory synchronizations queued but not yet processed for this DC. This component opens the Queues tab on the Replication drilldown. 137

136 Quest Spotlight on Active Directory AD Store Components The following table describes the AD Store components: AD STORE COMPONENT Database Size Free Space Total Space Objects Applied/Second Remaining Objects DESCRIPTION The total size in megabytes of the file that stores Active Directory. This file represents all of the data in the Active Directory and will grow as new objects are added. Total drive space available. The total drive space in use where Active Directory is stored. The rate at which objects are being applied to the Active Directory database. This component opens the Replication drilldown. The number of object updates remaining in the current replication update packet that have not yet been applied on the local DC. This component opens the Replication drilldown. Active Directory Components The following table describes the Active Directory components: ACTIVE DIRECTORY COMPONENT Replication Links DNS Entries Schema Mismatches DESCRIPTION The number of active replication links for the target DC. This component opens the Directory Partners tab on the Replication drilldown. Shows whether or not the DC has registered the proper DNS entries with its DNS server. The component is running the DNS check from the computer where the Spotlight on Active Directory Diagnostic Console is running on and not the DC to which it is connected. This component opens the DNS drilldown. The number of replication errors that have occurred as a result of a schema mismatch since the last refresh of the Spotlight on Active Directory Diagnostic Console. 138

137 Using Quest Spotlight on Active Directory Diagnostic Console ACTIVE DIRECTORY COMPONENT DRA Errors DESCRIPTION The number of replication errors that have occurred since the last refresh of the Spotlight on Active Directory Diagnostic Console. Operating System Components The following table describes the Operating System components: OPERATING SYSTEM COMPONENT CPU Usage System Disk (Free Space/Total Space) Physical RAM Processor Queue Top CPU Consumer DESCRIPTION The total amount of CPU being used on the computer being monitored. It includes CPU consumed by all Windows processes. This component opens the CPU drilldown. The total unused disk space on the system disk (the disk that houses the Windows Operating System). There should be enough free disk space to accommodate the operational requirements of the Windows Operating System. Total space refers to the total size of the system disk. The amount of physical memory (RAM) Windows is using. Physical memory usage normally remains close to the total amount of physical memory installed on the system unless the amount of physical memory exceeds the amount of virtual memory that Windows is using. Windows normally keeps some physical memory available for immediate reuse. This component opens the Memory drilldown. The number of process threads (program execution units) waiting to be run on all processors. A sustained processor queue length can indicate processor congestion. This component opens the CPU drilldown. The process name that is consuming the most CPU on this DC. This component opens the Top CPU Consumers tab on the Performance drilldown. 139

138 Quest Spotlight on Active Directory OPERATING SYSTEM COMPONENT Top Memory Consumer DESCRIPTION The process name that is consuming the most physical memory on this DC. This component opens the Top Memory Consumers tab on the Performance drilldown. For more information on the CPU and Memory drilldowns, see the Spotlight on Windows section in the online help. 140

139 10 Using Quest Spotlight on Active Directory Web Reports Understanding Quest Web Reports Viewing and Interacting with Reports Creating and Modifying Reports Setting Security Configuring the Report Subscription Service Using Preconfigured Reports

140 Quest Spotlight on Active Directory Understanding Quest Web Reports Quest Spotlight on Active Directory has a separate web-based reporting component called Quest Web Reports. Quest Web Reports provides a collection of preconfigured reports called Preconfigured Reports. Preconfigured Reports allow report consumers to view data across multiple subsections of your organization. You can change relevant report parameters immediately using Quick Filters. Quest Web Reports also provides a Web Report Wizard, which allows you to create customized reports based on any data available in your Quest Web Reports database. The following features are included in Quest Web Reports: A Web Report Wizard that allows you to quickly and easily configure and generate reports. The ability to group, insert, append, remove, and sort fields on reports. On-page Quick Filters allow you to change relevant report parameters quickly and easily. Configurable Report Parts that you can select and arrange on customizable reports. The ability to display report data in bar graphs and pie charts. Predefined role-based Security settings. A Report Subscription Service that allows you to notify users that reports have been generated. Subscription notices may be sent by containing links to where the reports are located. Tooltips for hovering over column headings. Tooltips for hovering over items in graphs to reveal detailed information. To access the Quest Web Reports component Select Programs Quest Software Quest Spotlight on Active Directory Quest Web Reports. OR Click View Reports on the Gathering screen of the Host Application. 142

141 Using Quest Spotlight on Active Directory Web Reports Types of Reports Quest Web Reports hosts two types of reports: Custom Reports and Preconfigured Reports. Custom Reports You can create custom reports using the Web Report Wizard. The Web Report Wizard allows you to build your own reports based on existing data sources. You can select fields, filters, format, grouping, and sorting options. Custom reports can be edited, depending on your security clearance within Quest Web Reports. For more information about the Web Report Wizard, see Creating Custom Reports on page 150. Preconfigured Reports Preconfigured Reports are specific to the application, and are delivered with the Quest Software product purchased. For more information about Preconfigured Reports, see Using Preconfigured Reports on page 168. Viewing and Interacting with Reports You can filter reports, change grouping options, and view report information in the Report Information dialog box. For more information, see Viewing Report Information on page 149. Browsing Reports You can browse reports in the following three ways: Using command buttons Using the treeview Using the file-based model 143

142 Quest Spotlight on Active Directory Using the Command Buttons The following table describes the command buttons at the top of the Quest Web Reports home page. Different buttons appear depending on your location within Web Reports. ICON FUNCTION Returns you to the Quest Web Reports home page. Allows you to go up one level in the report structure. Accesses the file menu, which includes the following options: New Custom Report, New Folder, Save, Save As, Save Report Settings, Export, Subscriptions, and Set Filter Defaults. Opens the Web Report Wizard so you can edit a custom report. Available only in the Subscriptions Wizard. Accesses the Subscriptions menu, which includes Export Selected Subscriptions, Import Subscriptions, and Configure Subscriptions. Opens the Printer dialog box to allow you to print the report that you are viewing. Shows you a preview of the printed report. Closes the preview window. 144

143 Using Quest Spotlight on Active Directory Web Reports ICON FUNCTION Shows the Help for the reporting component. Using the Treeview Quest Web Reports uses a treeview as its main navigational tool. The treeview contains folders that expand to reveal subfolders and reports. When you select a folder from the treeview, the contents of the folder are displayed in the right pane in a file-based format. You can also select a report directly from the treeview. The illustration to the left is an example of what the treeview may look like. Folders indicate a grouping of report information. Folders may contain subfolders or reports. When you click on a report, the contents appear in the right pane. Using the File-Based Model Quest Web Reports uses a file-based model to display the available reports. When you select a folder from the treeview, the contents of the folder are displayed in the right pane in a file-based format. Your files may look different than the preceding example depending on the information in each report. 145

144 Quest Spotlight on Active Directory The following table describes the interface elements of the file-based format: ELEMENT Folder Icon Report Icon Name DESCRIPTION Reveals the subfolders and files contained within the folder. Displays the report in the right pane. Displays the title of the report. The title is also a hyperlink that you can click to display the report in the right pane. Last Modified Author Report Description n reports, n folders. Edit Displays the datestamp of the last time the report was modified. Displays the name of the report author. Displays a description of the report, if applicable. Indicates the number of reports and subfolders in the main folder. Displays the Edit menu. For more information see Using the Edit Button on page 154. File Menu Commands The command items that appear on the File menu are available depending on where you are within Web Reports. If you click File, the following menu items appear: 146

145 Using Quest Spotlight on Active Directory Web Reports The following table describes the options on the File menu: OPTION New Custom Report New Folder DESCRIPTION Opens the Web Report Wizard to allow you to create the new report. Opens the New Folder dialog box. When you name the new folder, the application places the folder as a subfolder of the currently selected folder. If you want to add a folder to the main navigation tree, the Home node should be selected before you create the new folder. Save Save As Save Report Settings Export Subscriptions Saves the changes, such as new sorting criteria, that you have made to an existing report. Saves the changes you have made to an existing report, but gives you the option to change the name or location of the report. Allows you to save the current report settings, including filters, and create a shortcut for the selected report. <Host product writers may want to add a relevant example of a filter setting.> Allows you to export the report content into one of the following formats: Microsoft Excel Text (as comma separated values) Text (as tab separated values) XML Word File HTML MHTML Opens the Subscriptions Page. 147

146 Quest Spotlight on Active Directory Configuring Report Parts Parts are standard report components containing text-based information and graphs that you can include in certain customizable reports. You can select the parts you want to include in a report, and the order in which they appear on the report. To configure Report Parts 1. Select the My Reports node from the treeview, and click Configure Parts. This opens the Configure Parts dialog box. 2. Select the report parts you want to add to the report from the Part Library pane and click. When you select a report part, the definition of that part is displayed below the Part Library pane. The parts you add are displayed in the Configured Part pane. You can also re-order the parts in the Configured Parts pane by selecting a part and clicking the Up or Down button. 3. Select a part in the Configured Parts pane and click Configure to configure the settings for each individual part. This opens the Configure Settings for Part dialog box. If you select the Show Part Header option, all parts will be separated by a blue header line containing the Part name and description. 4. Enter the appropriate settings for the part and click OK. 5. Click OK to generate your report. To remove Report Parts 1. Select the My Reports node from the treeview, and click Configure Parts. This opens the Configure Parts dialog box. 2. Select the report part you want to remove from the report in the Part Library pane and click. 3. Click OK to generate your report. 148

147 Using Quest Spotlight on Active Directory Web Reports Viewing Report Information At the lower-right of each report, there is an Information button that allows you to view the report options and notes for the selected report. For example, the following illustration shows information that you might see after clicking. Report Options include default filters and sort keys, as well as any quick filters and sort keys you selected using the Quick Filter options. Notes include descriptions of the fields in the report, as well as any field descriptions that exist in the data source for the report. 149

148 Quest Spotlight on Active Directory Creating and Modifying Reports Creating Custom Reports To access the Web Report Wizard Select File New Custom Report. OR Right-click in the treeview and select New Custom Report. You are taken to the Web Report Wizard home page. From this page, you can determine the information that you want to include on your custom report. You do not have to follow the Web Report Wizard steps in order. If you know which screens you need to use, click the appropriate page tab on the left side of the Web Report Wizard to go to the appropriate page. Selecting a Data Source To access the Datasource page of the Web Report Wizard Click Next on the Welcome page of the Web Report Wizard. When you select a data source, the description of the data source appears under the Available Data Sources list. Selecting Fields To access the Fields page of the Web Report Wizard Click Next on the Datasource page of the Web Report Wizard. To select fields for your custom report 1. Select the fields you want to include from the Available Fields list. 2. Click the appropriate arrow button to move the fields to the Selected Fields list. 3. Click Next to proceed to the Filter page. OR 150

149 Using Quest Spotlight on Active Directory Web Reports Select the page you want to use from the list on the left side of the page. OR Click Finish to create the custom report. Filtering Custom Reports To access the Filter page of the Web Report Wizard Click Next on the Fields page of the Web Report Wizard. To select filter criteria for your custom report 1. Select a field from the list. By default, this field is <none>. 2. Select a parameter from the list. Parameters appear in the list based on the field that you select. 3. Select a value from the list. 4. Click Add New Filter to define additional filters. 5. Indicate the appropriate predicate using the list. 6. Repeat steps 1 through 5 as applicable. To remove filter criteria from your custom report 1. Select the check box beside the filter you want to remove. 2. Click Remove Filters. Grouping Reports To access the Group page of the Web Report Wizard Click Next on the Filter page of the Web Report Wizard. To select grouping options for your custom report 1. Select the fields you want to use for grouping from the Available Fields list. 2. Click the appropriate direction button to move the fields to the Grouped Fields list. 151

150 Quest Spotlight on Active Directory Sorting Reports To access the Sort page of the Web Report Wizard Click Next on the Group page of the Web Report Wizard. To sort your custom report 1. Select the field you want to use as your sort key from the list. 2. Select the sort order from the list. 3. Click Add New Sort Key to define additional sort keys. 4. Repeat steps 1 through 3 as applicable. To remove sorting from your custom report 1. Select the check box beside the sort key you want to remove. 2. Click Remove Sort Keys. Formatting Reports To access the Format page of the Web Report Wizard Click Next on the Sort page of the Web Report Wizard. To format your custom report 1. Select the appropriate Display Format. 2. Enter the number or percentage of top records you want to include in the report in the Show Top Records box. For example, if you specify a number, you will get exactly that number of records. If you specify a percentage, you will get that percentage of the total number of records. The default is 100 percent. 3. Click Advanced Summary Calculations to include summary information on your report. For more information about Advanced Summary Calculations, see Using Advanced Summary Calculations on page Select Paginated to paginate the report. Paginated reports display faster than non-paginated reports Select the Date/Time Display.

151 Using Quest Spotlight on Active Directory Web Reports 6. Select the Show quick filter bar if you want to display quick filters at the bottom of the custom report. Using Advanced Summary Calculations The Advanced Summary Calculations option allows you to select appropriate summaries for your report. Quest Web Reports only allows you to select summary calculations that are appropriate to the field type that you select. For example, you cannot select Total for a date field type, nor can you select Average for an alpha-numeric field type. To set Advanced Summary Calculations 1. Click Advanced Summary Calculations on the Format page of the Web Reports Wizard. 2. Select the appropriate summary calculation check boxes. Select the appropriate summary calculation options for your report by clicking the check box on the graph. Quest Web Reports only allows you to select summary calculations that pertain to the field type that you select. 3. Click OK. To view a detailed report, select the Show detail records check box. Otherwise, the result is a summary report. Describing Reports To access the Description page of the Web Report Wizard Click Next on the Format page of the Web Report Wizard. To enter a description for your custom report Enter a description in the box. Previewing Reports To access the Preview page of the Web Report Wizard Click Next on the Description page of the Web Report Wizard. You can preview the way your report looks at any time during the creation of the report. Preview information changes depending on the criteria and formatting you select for your report. 153

152 Quest Spotlight on Active Directory Editing Reports You can edit reports in the following ways: Using the quick filter bar at the bottom of the report Using the Edit menu Using the Edit button Using the column headers on the reports The following table describes the extent of editing for each type: TYPE Quick Filter Bar DESCRIPTION Allows you to change filter options and regenerate the report. For more information, see Using Quick Filters on page 155. Edit Menu Edit Button Column Header Opens the Web Report Wizard to allow you to customize or modify an existing report. Allows you to copy the report to a different destination folder, move the report to a different location, rename or delete the report, or edit the report description. Allows you to add or remove fields in the report, and change group and sort options. For more information, see Changing Grouping Options on page 159. Using the Edit Button There is an Edit button at the right side of each folder and report in the file-based model. The commands available on the Edit button differ depending on whether the Edit button is accessed from a folder or a report. For folders, the following commands are available: COMMAND Copy To Move To DESCRIPTION Opens a dialog box for you to define the destination of the copied folder. Opens a dialog box for you to define the destination of the moved folder. After the report is moved to the new location, the original is deleted. 154

153 Using Quest Spotlight on Active Directory Web Reports COMMAND Rename Delete Edit Description DESCRIPTION Opens a dialog box for you to rename the selected folder. Prompts you to verify that you want to delete the folder. Opens a dialog box for you to edit the description of the folder. For reports, the following commands are available: COMMAND Copy To Move To Rename Delete Modify Report DESCRIPTION Opens a dialog box for you to define the destination of the copied report. Opens a dialog box for you to define the destination of the moved report. After the report is moved to the new location, the original is deleted. Opens a dialog box for you to rename the selected report. Prompts you to verify that you want to delete the report. Opens the Web Report Wizard to allow you to make any changes to the selected report, and save your custom report. Using Quick Filters Each report may have a Quick Filter bar at the bottom of the page. This bar does not scroll with the report; it remains at the bottom of the displayed web page. Field List Parameters Apply Information Filter Criteria Cancel 155

154 Quest Spotlight on Active Directory To use Quick Filters 1. Select a field from the list. 2. Select a parameter from the following list: PARAMETER AVAILABLE IN DESCRIPTION = All The field value equals the criteria value. <> All The field value is not equal to the criteria value. > All The field value is greater than the criteria value. < All The field value is less than the criteria value. <= All The field value is less than or equal to the criteria value. >= All The field value is greater than or equal to the criteria value. like All The field value is like the criteria value. is NULL All There is no value for the criteria field. is not NULL All There is any value except NULL for the criteria value. between All The field value falls between the two criteria that you define. is in All The field value is in the criteria that you define. Note: When using the is in operator, you can multi-select in the Select a Value dialog box by holding down the CTRL key and clicking the items you want. The selected items will appear in the edit box as a list separated by semi-colons. not in All The field value is not in the criteria that you define. 156

155 Using Quest Spotlight on Active Directory Web Reports PARAMETER AVAILABLE IN DESCRIPTION last Date, DateTime This operator allows you to select a time interval in the form nn uu, where nn is a number and uu is a unit of time. (For example, Last 5 Weeks, Last 3 days, and so on). The time interval is based on the current time. most recent Date, DateTime This operator queries the database for the most recent entry for the specified field and then uses that value to find all records with a matching value. The value depends on the content of the database and is independent of the current time. "Most recent" could potentially mean a time long past, and will remain unchanged until the database is changed. today Date, DateTime Today = from 12:00 AM to the current time. yesterday Date, DateTime Yesterday = from 12:00 AM to 11:59 PM yesterday. this week Date, DateTime Start = Sunday of current week, End = today. last week Date, DateTime Start = Sunday of previous week, End = Saturday of previous week. this month Date, DateTime Start = 1st day of current month, End = today. last month Date, DateTime Start = 1st day of previous month, End = last day of previous month. this quarter Date, DateTime Start = 1st day of current quarter, End = today. last quarter Date, DateTime Start = 1st of previous quarter, End = last day of previous quarter. Note: Quarters start January 1, April 1, July 1, and October

156 Quest Spotlight on Active Directory PARAMETER AVAILABLE IN DESCRIPTION this year Date, DateTime This operator selects records with dates from January 1 of the current year to the current date. last year Date, DateTime This operator selects records with dates from January 1 to December 31 of the last year. weekdays Date, DateTime Filters weekdays only, Monday-Friday. weekends Date, DateTime Filters Saturday and Sunday. contains Description The field value contains the specified criteria. does not contain Description The field value does not contain the specified criteria. starts with Description The field value starts with the specified criteria. ends with Description The field value ends with the specified criteria. does not start with Description The field value does not start with the specified criteria. does not end with Description The field value does not end with the specified criteria. When using the DateTime filters, time is based on UTC, not local time. 3. Define the filter criteria. OR Define both criteria if you have selected Between as your report parameter. 4. Click. 158

157 Using Quest Spotlight on Active Directory Web Reports Changing Grouping Options After the report is generated, you can change the grouping options for the report through each column header. The following grouping options that can appear depending on your current settings. Initially, the same options appear regardless of which column header you select. After you change the grouping options, the list changes to reflect your current settings. The following table describes all the grouping options: OPTION Group By Ungroup Insert Field DESCRIPTION Groups the report by the selected field. Removes the grouping of the report by the selected field. Adds a new field to the left of the selected field. When you select this option, a scrolling list appears for you to select the new field. Append Field Adds a new field to the right of the selected field. When you select this option, a scrolling list appears for you to select the new field. Remove Field Sort Ascending Sort Descending Remove Sorting Removes the selected field from the report. Sorts the field in ascending order. Sorts the fields in descending order. Removes the sorting that you have indicated from the report. 159