Deployment Guide 6.7

2007 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, please contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
USA
www.quest.com
email: legal@quest.com
Refer to our Web site for regional and international office information.

TRADEMARKS
Quest, Quest Software, the Quest Software logo, Aelita, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Fastlane, Final, Foglight, Funnel Web, I/Watch, Imceda, InLook, InTrust, IT Dad, JClass, JProbe, LeccoTech, LiveReorg, NBSpool, NetBase, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Speed Change Manager, Speed Coefficient, Spotlight, SQL Firewall, SQL Impact, SQL LiteSpeed, SQL Navigator, SQLab, SQLab Tuner, SQLab Xpert, SQLGuardian, SQLProtector, SQL Watch, Stat, Stat!, Toad, T.O.A.D., Tag and Follow, Vintela, Virtual DBA, and XRT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners. This product contains Zlib from www.zlib.net.

Disclaimer
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

Spotlight on Active Directory Deployment Guide
Updated - November 2007
Software Version - 6.7

CONTENTS

About This Guide ........................................ 5
    Conventions ........................................ 5
About Quest Software .................................... 6
    Contacting Quest Software .......................... 6
    Contacting Customer Support ........................ 6
Installation Components ................................. 7
Best Practices for Spotlight on Active Directory ........ 8
    Domain Controllers ................................. 8
    Distributed Collectors ............................ 14
    Diagnostic Services ............................... 18
    Spotlight on Active Directory Diagnostic Console .. 19
    Spotlight on Active Directory Web Reports ......... 19
    Port Numbers ...................................... 19
    Database .......................................... 21
Detailed Test Permissions .............................. 22
    High Level Analysis Tests ......................... 22
    Directory Replication Analysis Tests .............. 23
    DNS Tests ......................................... 23
    File Replication Tests ............................ 23
    Time Synchronization Tests ........................ 23
Frequently Asked Questions and Troubleshooting ......... 24


About This Guide

This document has been prepared to assist you in deploying and configuring Quest Spotlight on Active Directory. The Deployment Guide contains the planning and technical information needed when configuring your system to run the various analysis tests and web reports in Quest Spotlight on Active Directory.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes, and cross-references.

ELEMENT              CONVENTION
Select               Indicates actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text          Indicates interface elements that appear in Quest products, such as menus and commands.
Italic text          Used for comments.
Bold Italic text     Used for emphasis.
Blue text            Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
(Note icon)          Used to highlight additional information pertinent to the process being described.
(Best Practice icon) Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(Caution icon)       Used to highlight processes that should be performed with care.
(Reference icon)     Used to direct the user to more information about a particular topic.
+                    A plus sign between two keystrokes means that you must press them at the same time.
(Sequence icon)      Indicates that you must select the elements in that particular sequence.

About Quest Software

Quest Software, Inc., Microsoft's 2007 Global Independent Software Vendor Partner of the Year, delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 50,000 customers worldwide meet higher expectations for enterprise IT. Quest's Windows Management solutions simplify, automate and secure Active Directory, Exchange Server, SharePoint, SQL Server, .NET and Windows Server as well as integrating Unix, Linux and Java into the managed environment. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Email:    info@quest.com
Mail:     Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Customer Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at www.quest.com/support

From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/global Support Guide.pdf.

Installation Components

The following list describes the components of Quest Spotlight on Active Directory, the functionality each component provides, and the prerequisite software and permissions needed to run it.

Console
    Functionality:
    - Diagnostic Console: provides full diagnostic capability for Windows 2000/2003 domain controllers (DCs).
    - Topology Viewer: provides a layout of your organization's Active Directory.
    Prerequisites: Microsoft .NET Framework 2.0; Microsoft Data Access Components (MDAC) 2.8.

Spotlight Database
    Functionality: stores analysis test configuration data and analysis test results.
    Prerequisites: Microsoft SQL Server 2000 SP4, or Microsoft SQL Server 2005, or Microsoft SQL Server 2005 Express.

Diagnostic Services
    Functionality: schedules and executes analysis tests, and stores the results in the Spotlight database. Diagnostic Services include the Data Manager, the Diagnostic Test Engine (DTE) and a Distributed Collector (the default collector).
    Prerequisites: the Spotlight Database, installed along with or before the Diagnostic Services feature; MDAC 2.8; Microsoft .NET Framework 2.0.
    Note: The account used for the Diagnostic Services should be a member of the local Administrators group on both the local computer and the database computer.

Distributed Collector Service
    Functionality: collects analysis test data in a distributed manner and passes the results back to the central Diagnostic Services location.
    Prerequisites: Microsoft .NET Framework 2.0.

Web Reports
    Functionality: reporting on the analysis test results.
    Prerequisites: the Spotlight Database must be installed before Web Reports; IIS 5.0; Internet Explorer (IE) 6.0; Microsoft .NET Framework 2.0.

Collector Management Console
    Functionality: provides a management environment for configuring the Distributed Collectors.
    Prerequisites: Microsoft .NET Framework 2.0; Microsoft Management Console (MMC) 3.0.
    Note: If you do not have MMC 3.0 installed, you can still install the Collector Management Console, but it will not run.

Best Practices for Spotlight on Active Directory

Once the minimum system requirements have been met, you can deploy Spotlight on Active Directory using the components provided on the Spotlight on Active Directory CD.

Do not install the Spotlight on Active Directory components on DCs. You do not have to run services on your DCs to use Spotlight on Active Directory.

Multiple Spotlight on Active Directory Topology Viewer Consoles, installed on separate computers, can connect to and receive analysis test results from the Diagnostic Services. If multiple administrators need to look at the status of Active Directory, it is recommended that each installs their own console and connects to the same Spotlight Diagnostic Services.

System administrators should follow Microsoft best practices for Active Directory, SQL Server, and IIS management, including operational procedures and performing regular backups.

The following best practices have been established for deploying the following components:
- Domain Controllers
- Distributed Collectors
- Diagnostic Services

Domain Controllers

All components of the Spotlight on Active Directory application can reside on a single server or on up to four separate systems.

50 or Fewer Domain Controllers

If you have 50 or fewer domain controllers (DCs), you can install all components on one server.

Installation Best Practices

Figure 1: Network with 50 or fewer domain controllers

Performance Best Practices

To assign permissions:
- To monitor a single domain, create a service account with Domain Admin privileges for the Diagnostic Services.
- To monitor multiple domains, create a service account with Enterprise Admin privileges for the Diagnostic Services.

Such a service account is highly privileged, so treat the Diagnostic Services host with the same care as a DC and do not reuse the account for anything else. The rights each individual test actually needs are listed in Detailed Test Permissions on page 22; use that list if you need to scope the account more narrowly or to verify it before the first scheduled run.

The following table lists the high level analysis tests, how often you should schedule them for a network of this size, and the effect each poll has on the database:

TEST                                 SCHEDULE EVERY   EFFECT ON DATABASE
Verify Server Health                 5 minutes        6 kilobytes (KB) per target domain controller per poll, made up of:
                                                      Performance 4 KB, Network 150 bytes, Services 300 bytes,
                                                      Disk Space 400 bytes, Events 1 KB, Directory Availability 150 bytes
Verify DNS Health                    30 minutes       2 KB per target domain controller per poll
Verify Directory Replication Health  30 minutes       50 bytes per target domain controller per poll
Verify File Replication Health       60 minutes       1.5 KB per target domain controller per poll
Check GPO Synchronization            60 minutes       N/A
Verify Time Synchronization          30 minutes       400 bytes per target domain per poll

Between 51 and 100 Domain Controllers

Installation Best Practices

If you have 51 to 100 DCs, it is recommended that you install the Diagnostic Services and Web Reports on one server, and the database components on a separate server.

For faster test execution, it is recommended that you have one collector for every 50 DCs. As one collector is automatically installed with the Diagnostic Services, you must add another Distributed Collector on a separate server.

For running Web Reports on a network with 51 to 100 DCs, it is recommended that you use SQL Server Enterprise Edition for better performance.

Figure 2: Network with 51 to 100 domain controllers

Performance Best Practices

To assign permissions:
- To monitor a single domain, create a service account with Domain Admin privileges for the Diagnostic Services.
- To monitor multiple domains, create a service account with Enterprise Admin privileges for the Diagnostic Services.

For the rights each individual test needs, see Detailed Test Permissions on page 22.

The following table lists the high level analysis tests, how often you should schedule them for a network of this size (with and without a Distributed Collector), and the effect each poll has on the database:

TEST                                 SCHEDULE EVERY,               SCHEDULE EVERY, IF ONE DISTRIBUTED     EFFECT ON DATABASE
                                     IF NO DISTRIBUTED COLLECTORS  COLLECTOR MANAGES HALF OF THE DCs
Verify Server Health                 10 minutes                    5 minutes                               6 KB per target domain controller per poll, made up of:
                                                                                                           Performance 4 KB, Network 150 bytes, Services 300 bytes,
                                                                                                           Disk Space 400 bytes, Events 1 KB, Directory Availability 150 bytes
Verify DNS Health                    30 minutes                    15 minutes                              2 KB per target domain controller per poll
Verify Directory Replication Health  30 minutes                    15 minutes                              50 bytes per target domain controller per poll
Verify File Replication Health       120 minutes                   60 minutes                              1.5 KB per target domain controller per poll
Check GPO Synchronization            120 minutes                   60 minutes                              N/A
Verify Time Synchronization          30 minutes                    15 minutes                              400 bytes per target domain per poll

More Than 100 Domain Controllers

Installation Best Practices

If you have 101 or more DCs, it is recommended that individual computers are dedicated to each component. By placing the four components on four separate computers, you give each component dedicated computer resources, which minimizes contention for system resources.

For faster test execution, it is recommended that you have one collector for every 50 DCs. As one collector is automatically installed with the Diagnostic Services, you must add the other Distributed Collectors, each on its own server.

For running Web Reports on a network with 101 or more DCs, it is recommended that you use SQL Server Enterprise Edition for better performance.

Figure 3: Network with 101 or more domain controllers

Performance Best Practices

To assign permissions:
- To monitor a single domain, create a service account with Domain Admin privileges for the Diagnostic Services.
- To monitor multiple domains, create a service account with Enterprise Admin privileges for the Diagnostic Services.

For the rights each individual test needs, see Detailed Test Permissions on page 22.

The following table lists the high level analysis tests, how often you should schedule them for a network of this size (with and without Distributed Collectors), and the effect each poll has on the database:

TEST                                 SCHEDULE EVERY,               SCHEDULE EVERY, IF ONE DISTRIBUTED     EFFECT ON DATABASE
                                     IF NO DISTRIBUTED COLLECTORS  COLLECTOR MANAGES HALF OF THE DCs
Verify Server Health                 10 minutes                    5 minutes                               6 KB per target domain controller per poll, made up of:
                                                                                                           Performance 4 KB, Network 150 bytes, Services 300 bytes,
                                                                                                           Disk Space 400 bytes, Events 1 KB, Directory Availability 150 bytes
Verify DNS Health                    30 minutes                    15 minutes                              2 KB per target domain controller per poll
Verify Directory Replication Health  30 minutes                    15 minutes                              50 bytes per target domain controller per poll
Verify File Replication Health       120 minutes                   60 minutes                              1.5 KB per target domain controller per poll
Check GPO Synchronization            120 minutes                   60 minutes                              N/A
Verify Time Synchronization          30 minutes                    15 minutes                              400 bytes per target domain per poll

Distributed Collectors

The Distributed Collection of Analysis Test Data feature localizes data collection and processing before the data is transferred to the central Diagnostic Services. The feature supports site collection, where a distributed collector runs all tests for each domain controller (DC) in a site, and targeted collection, where a distributed collector runs all tests for a specific DC.

By default, the Diagnostic Services runs all tests using its default collector, which can place a heavy load on the host system. Distributed collectors reduce this load by allowing other servers to share data collection and test execution, which also reduces network usage: a distributed collector is configured to manage entire sites and/or specific servers, runs the tests against the servers in its managed list, processes the raw data locally, and sends back only the final results to the Diagnostic Services.

Distributed collectors are installed on additional servers on the network, either manually or through the Collector Management Console.

Figure 4: A typical setup using collectors in Spotlight on Active Directory

The Diagnostic Services includes a default collector and can communicate directly with a set of domain controllers (DCs) or with a site containing multiple sets of DCs. Because the volume of data passing between the DCs and the collector can be large, install a distributed collector on the same local network as the DCs whenever the path from the Diagnostic Services to those DCs is a high-latency link or crosses a firewall; the bulk of the data then stays local and only the results cross the link.

The Diagnostic Services instructs a distributed collector to execute analysis tests against its DCs over port 9605. The distributed collector then returns the results to the Diagnostic Services over port 9602. Port 9605 is configurable; port 9602 is not.

It is recommended that each distributed collector communicates with a set of domain controllers, or a site, containing at most 50 DCs.

Distributed Collectors Deployed in a Firewalled Environment

If you have a set of DCs behind a firewall, place a Distributed Collector behind that firewall and use the Collector Management Console to assign the DCs behind the firewall to that collector. On the firewall:
- Open port 9605 for incoming connections to the Distributed Collector host.
- Open port 9602 for outgoing connections to the DiagnosticTestEngineSLAD host (the Diagnostic Services host).
- To allow the Spotlight on Active Directory Topology Viewer to connect to the Diagnostic Services, allow outgoing connections to ports 9601 and 9602.

Restrict each rule to the specific collector and Diagnostic Services hosts rather than opening the ports for any source or destination.

Install the Spotlight on Active Directory Topology Viewer and the Spotlight on Active Directory Diagnostic Console on both sides of the firewall, and use the Diagnostic Console on the appropriate side of the firewall for diagnosing the DCs in each of the two regions: the Diagnostic Console talks to the DCs directly and therefore needs the DC service ports listed under Port Numbers, not just 9601 and 9602.

When creating tests, always put the DCs behind the firewall in their own test group. Avoid making one Server Health test for all of the DCs; instead, make one Server Health test for the DCs behind the firewall and another Server Health test for the DCs that are not behind the firewall. In this way the Distributed Collector performs all test executions for its DCs, and the only ports that need to be open on the firewall are 9605 and 9602 rather than the full set of DC service ports.
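The firewall rules above, as an added example that is not part of the Quest guide: host firewall rules for the collector host and the Diagnostic Services host, scoped to the peer address, plus a reachability check run from the Diagnostic Services host before a collector is pushed. It assumes Windows Server 2012 or later for the NetSecurity cmdlets (New-NetFirewallRule, Test-NetConnection), assumes the Spotlight ports are TCP (the guide does not state the protocol), and uses placeholder IP addresses for the collector, the Diagnostic Services host and the consoles.

```powershell
# Added example, not from the Quest guide. Assumptions: Windows Server 2012+
# (NetSecurity module), the Spotlight ports 9601/9602/9605 are TCP, and the
# addresses below are placeholders for your own hosts.
$DiagnosticServicesIP = '10.0.0.10'                 # DiagnosticTestEngineSLAD host (assumed)
$CollectorIP          = '10.20.0.5'                 # Distributed Collector behind the firewall (assumed)
$ConsoleIPs           = @('10.0.0.50', '10.20.0.60')  # Topology Viewer consoles on both sides (assumed)
$CollectorPort        = 9605                        # configurable in Spotlight; 9602 is not

# Run on the Distributed Collector host.
function Add-SpotlightCollectorRules {
    param([string]$DiagnosticServices, [int]$Port)
    # Diagnostic Services initiates test execution on 9605; allow only that peer.
    New-NetFirewallRule -DisplayName "Spotlight AD: collector inbound $Port" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $DiagnosticServices -Profile Domain -Action Allow | Out-Null
    # Results go back to Diagnostic Services on the fixed port 9602.
    New-NetFirewallRule -DisplayName 'Spotlight AD: collector outbound 9602' `
        -Direction Outbound -Protocol TCP -RemotePort 9602 `
        -RemoteAddress $DiagnosticServices -Profile Domain -Action Allow | Out-Null
}

# Run on the Diagnostic Services host.
function Add-SpotlightDiagnosticServicesRules {
    param([string]$Collector, [string[]]$Consoles)
    # 9602 receives collector results; 9601 and 9602 serve the Topology Viewer consoles.
    New-NetFirewallRule -DisplayName 'Spotlight AD: Diagnostic Services inbound 9601-9602' `
        -Direction Inbound -Protocol TCP -LocalPort 9601, 9602 `
        -RemoteAddress (@($Collector) + $Consoles) -Profile Domain -Action Allow | Out-Null
}

# Run from the Diagnostic Services host before pushing a collector: the
# Collector Management Console installs over WMI, and 9605 must be reachable
# once the collector service is running.
function Test-CollectorPrerequisites {
    param([string]$CollectorHost, [int]$Port)
    $tcp = Test-NetConnection -ComputerName $CollectorHost -Port $Port -WarningAction SilentlyContinue
    $wmi = $true
    try { $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $CollectorHost -ErrorAction Stop }
    catch { $wmi = $false }
    [pscustomobject]@{
        Host         = $CollectorHost
        PortOpen     = [bool]$tcp.TcpTestSucceeded
        WmiReachable = $wmi
    }
}

# Usage (each function on the host it is written for):
# Add-SpotlightCollectorRules -DiagnosticServices $DiagnosticServicesIP -Port $CollectorPort
# Add-SpotlightDiagnosticServicesRules -Collector $CollectorIP -Consoles $ConsoleIPs
# Test-CollectorPrerequisites -CollectorHost $CollectorIP -Port $CollectorPort
```

The host rules complement, not replace, the perimeter firewall rules the guide describes; the point of scoping them with -RemoteAddress is that an open 9605 on the collector host is otherwise reachable from anything on the branch network.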

Distributed Collectors Deployed on Multiple Instances of Spotlight on Active Directory

You can deploy distributed collectors on networks that use multiple instances of Spotlight on Active Directory, that is, multiple instances of the Diagnostic Services and databases.

Figure 5: Distributed Collectors deployed on multiple instances of Spotlight on Active Directory

In Figure 5, Spotlight on Active Directory Server 1, using its default collector, collects data from the three domain controllers (DCs) at Site 1. Spotlight on Active Directory Server 2, using its default collector, collects data from the DCs at Site 2; this instance has also pushed a distributed collector onto Server 1, and that collector manages the three DCs in Site 3.

A distributed collector belongs to the instance that installed it. If you want Spotlight on Active Directory Server 1 to manage the DCs in Site 3 through a distributed collector, the distributed collector installed by Spotlight on Active Directory Server 2 cannot be reused: Spotlight on Active Directory Server 1 has to push another collector onto another server (Server 2), which can then start managing the DCs in Site 3.

Collector Management Console

The Collector Management Console:
- installs collectors on host computers
- removes collectors from host computers
- assigns servers to collectors
- ensures no server is being serviced by more than one collector
- presents collector statistics
- allows you to specify that distributed collectors retrieve test data from a specific site or specific DCs, to reduce the load on the central Diagnostic Services location

The automated collector installation feature uses the Windows Management Instrumentation (WMI) service to install distributed collectors. If this service is disabled on the target host, the distributed collector cannot be installed automatically and must be installed directly on the remote system from the Spotlight on Active Directory 6.7 Installation CD.

You can use the Collector Management Console after Spotlight on Active Directory has been launched and the Active Directory forest(s) have been discovered.

Use distributed collectors when the Diagnostic Services and the DCs being managed communicate over high-latency network paths. This includes WANs and environments employing Quality of Service (QoS) policies, or when communication must go through specific firewall ports.

Diagnostic Services

Spotlight on Active Directory cannot be configured to use specific RPC ports unless you are using distributed collectors; the default collector's RPC calls to the DCs use dynamically assigned ports negotiated through the endpoint mapper on TCP 135. For more information on port configuration, refer to http://questsupportlink.quest.com/esupport/solution.asp?waid=268449782&itemid=8987.

ActiveX Data Objects (ADO) are used to communicate with the database. SQL Server listens on port 1433 by default, and the Diagnostic Services host uses ports 1024 to 5000 as the source ports of its outgoing connections to it. Port 1433 is the only port required for incoming communication on the database server (assuming the default SQL Server port has not been changed).

All communication between the Spotlight on Active Directory Topology Viewer and the Diagnostic Services occurs over ports 9601 and 9602.

For more information on ports, see Port Numbers on page 19.

Spotlight on Active Directory Diagnostic Console

The Spotlight on Active Directory Diagnostic Console is a powerful diagnostic and resolution tool. Its user interface provides a real-time representation of the dataflow in your forest, allowing you to detect, diagnose, and resolve Active Directory problems.

Calibration does not apply to Spotlight on Active Directory.

If you run the Spotlight on Active Directory Diagnostic Console for an extended period of time, do the following to avoid excessive memory consumption:
- set the number of server connections to a minimum
- decrease the polling frequency
- set the history setting low
- set the refresh rate high (a longer interval between refreshes)

To set the history option and refresh rate
1. Select View > Options > Spotlight Console.
2. Click Data Collection in the Options bar.
3. Enter the appropriate history collection time and refresh rates.

Spotlight on Active Directory Web Reports

Observe the following best practices when installing and running Spotlight on Active Directory Web Reports:

- For a distributed Spotlight on Active Directory Web Reports installation (Web Reports and the Spotlight Database on different servers), use SQL Server Authentication. With Windows authentication, IIS has to pass a Windows identity on to the SQL Server, which only works when Kerberos delegation is configured correctly; if Kerberos is not configured properly, authentication errors may occur. The most common error is: "Unable to open database connection. (0x80040E4D: Unknown Error.)" To resolve this issue, see Microsoft Knowledge Base article 326985, How To: Troubleshoot Kerberos, http://support.microsoft.com/kb/326985. Give the SQL login used by Web Reports rights on the Spotlight database only.

- Spotlight on Active Directory Web Reports installation fails on Windows XP without service packs or hotfixes, with the error: Error 1904. Module C:\Program Files\Common Files\Quest Shared\Web Reports\4.3\QSWebWizard.dll failed to register. To resolve this issue: a) install Microsoft Windows XP SP2; b) re-install Spotlight on Active Directory Web Reports.

Port Numbers

The following ports are used by the various services of Spotlight on Active Directory, grouped by component name. For more information on using Spotlight on Active Directory in environments with firewalls, see Distributed Collectors Deployed in a Firewalled Environment on page 16.

Spotlight on Active Directory COMPONENT NAME PORT NUMBERS SERVICE NAME Spotlight on Active Directory Front End including Topology Viewer and Diagnostic Console TCP 3269 TCP 3268 TCP 389 UDP 389 TCP 135 UDP 138 UDP 137 TCP 139 UDP 53 TCP 53 TCP 135 UDP 138 UDP 137 TCP 445 TCP 139 TCP 139 TCP 445 TCP 139 UDP 138 UDP 137 TCP 139 TCP 445 9601 9602 Diagnostic Services including Default Collector TCP 25 UDP 25 TCP 4133 - if default has not changed UDP 138 UDP 137 TCP 139 UDP 53 TCP 53 UDP 138 UDP 137 TCP 139 TCP 445 TCP 4133 - if default has not changed 9601 9602 Active Directory Computer Browsing DNS FRS Net Logon Performance Logs and Alerts Printing Registry Server Manager SQL Server Communication with Diagnostic Services SMTP Computer Browsing DNS Net Logon SQL Server Communication with Front End 20

COMPONENT NAME: Distributed Collector Services
PORT NUMBERS: 9602, 9605
SERVICE NAME: Communication with Diagnostic Services
Note: 9605 is configurable.

COMPONENT NAME: Diagnostic Tests
PORT NUMBERS: TCP 3269, TCP 3268, TCP 389, UDP 389, TCP 135, UDP 138, UDP 137, TCP 139, UDP 53, TCP 53, TCP 445, TCP 4133 (if the default was not changed)
SERVICE NAMES: Active Directory; Computer Browsing; DNS; FRS; Net Logon; Server Manager; Performance Logs and Alerts; RPC; SQL Server; DFS; Event Log

Database

Database maintenance occurs daily and is scheduled by default to purge test result data every 30 days. You can change the default.

To change the default
1. Open Spotlight on Active Directory Topology Viewer.
2. From the Options menu, select Database.
3. Enter a value in the Database retention box to reflect how often you would like to schedule database maintenance.
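The following Windows PowerShell script is an added example and is not part of this guide or the product. Run from a console or Diagnostic Services host, it confirms that the component-to-component ports in the tables above (9601 and 9602 between Front End and Diagnostic Services, 9605 for a Distributed Collector, and the SQL Server port as listed) accept TCP connections, so a firewall change can be verified before a distributed component is installed. Host names are placeholders; which side initiates each connection is an assumption taken from the component that lists the port. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not part of the Spotlight on Active Directory guide.
# Verifies TCP reachability of the inter-component ports listed in the port tables.
# Uses System.Net.Sockets.TcpClient so it also runs on Windows PowerShell versions
# that lack Test-NetConnection.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Bounded wait so a silently dropped SYN does not hang the whole run.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Placeholder host names; replace with the hosts in your deployment.
$diagnosticServicesHost = 'DIAGSVC01'
$distributedCollector   = 'COLLECTOR01'
$sqlServerHost          = 'SQL01'

# Ports from the tables above. Which side initiates is an assumption taken from
# the component that lists each port; 9605 is the collector's configurable listener.
$checks = @(
    @{ Target = $diagnosticServicesHost; Port = 9601; Purpose = 'Front End <-> Diagnostic Services' },
    @{ Target = $diagnosticServicesHost; Port = 9602; Purpose = 'Front End <-> Diagnostic Services' },
    @{ Target = $distributedCollector;   Port = 9605; Purpose = 'Distributed Collector listener (configurable)' },
    @{ Target = $sqlServerHost;          Port = 4133; Purpose = 'SQL Server (TCP 4133 as listed, if default not changed)' }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Target  = $c.Target
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = Test-TcpPort -ComputerName $c.Target -Port $c.Port
    }
}

$results | Format-Table -AutoSize

# A non-zero exit lets a deployment script stop before installing a collector
# whose ports are still blocked.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} required port(s) are unreachable; review firewall rules." -f $closed.Count)
    exit 1
}
```

If a Distributed Collector has been reconfigured to listen on a port other than 9605 (see the note above), change the Port value for that check to match; a connection that succeeds only proves a listener answered, so the result should be read together with the firewall rule set rather than instead of it.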

Appendix A  Permissions

High Level Analysis Tests

TEST: Verify Server Health
DETAILED PERMISSIONS:
- Network Availability - Administrative rights; ICMP must be enabled.
- Disk space - read access to the disks being tested.
- Critical Services - read access to the Service Control Manager (SCM). Registry read access (as used by SCM) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
- Performance Counters - registry read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
- Directory Service Availability - LDAP and RPC connectivity. Ability to perform LDAP searches against the target domain controller.
- Event Log - registry read access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog. Disk read access to winnt\system32\config\*.evt.

TEST: Verify DNS Health
DETAILED PERMISSIONS:
- Verify Netlogon entries.
- Verify partner Netlogon entries.
- Verify PDC advertising.
- Verify GC advertising.
- Read access to the %SystemRoot%\System32\Config\NetLogon.DNS file.
- Verify zone existence (read registry access required).
- Verify forwarder availability (read registry access required).
Note: Verify zone existence and Verify forwarder availability apply to Microsoft DNS only.

TEST: Verify Directory Replication Health
DETAILED PERMISSIONS: Read/Write access to the domain partition on the target domain controllers.

TEST: Verify File Replication Health
DETAILED PERMISSIONS: Read/Write access to the disk that holds the SYSVOL share on the target domain.

TEST: Check GPO Synchronization
DETAILED PERMISSIONS: Administrative rights to the PDC Emulator. Read access to the domain naming partition. Read access to the SYSVOL share on the target domain controller.

TEST: Verify Time Synchronization
DETAILED PERMISSIONS: Read access to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time registry key on the target domain controller.

Directory Replication Analysis Tests

TEST: Find Replication Failures
DETAILED PERMISSIONS: Administrative rights to the target domain controllers. This relies on RPC connectivity as well as read access to the directory.

TEST: Track Object Replication
DETAILED PERMISSIONS: Read access to the directory (partition and OU vary with the test configuration).

TEST: Test Replication Links
DETAILED PERMISSIONS: Administrative rights to the target domain controllers. This relies on RPC connectivity as well as read access to the directory.

DNS Tests

TEST: Check DNS Entries
DETAILED PERMISSIONS: Read access to the %SystemRoot%\System32\Config\NetLogon.DNS file.

TEST: Check Partners DNS Entries
DETAILED PERMISSIONS: Read access to the %SystemRoot%\System32\Config\NetLogon.DNS file on all replication partners.

File Replication Tests

TEST: Confirm File Presence
PERMISSIONS: Disk read access to the file selected when configuring the test.

TEST: Check NTFRS Status
PERMISSIONS: Read access to the Service Control Manager. Registry read access (as used by the SCM) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion.

Time Synchronization Tests

TEST: Check W32Time Differential
PERMISSIONS: Domain User access.

TEST: Check W32Time Parent Synchronization
PERMISSIONS: Domain User access. Read registry access to the target domain controller (not the time parent).

TEST: Check W32Time Status
PERMISSIONS: Read access to the SCM. Registry read access (as used by the SCM) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
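The following Windows PowerShell script is an added example, not part of this guide or the product. Run under the account that will execute the analysis tests, it checks several of the read-level permissions Appendix A lists (ICMP for Network Availability, SCM read for Critical Services and Check W32Time Status, registry read of the named HKLM keys, and NetLogon.DNS for Check DNS Entries) so that a least-privilege test account can be validated before the first scheduled run. The domain controller name is a placeholder; it assumes Windows PowerShell 5.1 (for Get-Service -ComputerName), that the Remote Registry service is running on the target, and that the file is reached over the admin$ share, which the guide says is one of the two channels used to gather data.

```powershell
# Added example, not part of the Spotlight on Active Directory guide.
# Run as the account that will execute the analysis tests. Checks the access
# that Appendix A lists for Verify Server Health, Check W32Time Status and
# Check DNS Entries. Windows PowerShell 5.1 is assumed (Get-Service -ComputerName).
param([string]$DomainController = 'DC01')   # placeholder target DC

$report = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok) {
    $report.Add([pscustomobject]@{ Check = $Check; Ok = $Ok })
}

# Network Availability: "ICMP must be enabled".
Add-Result 'ICMP echo reply' (Test-Connection -ComputerName $DomainController -Count 1 -Quiet)

# Critical Services / Check W32Time Status: read access to the Service Control Manager.
$svc = Get-Service -ComputerName $DomainController -Name W32Time -ErrorAction SilentlyContinue
Add-Result 'SCM read (W32Time service visible)' ($null -ne $svc)

# Registry read access to the HKLM keys named in Appendix A, via the Remote Registry service.
$keys = @(
    'SYSTEM\CurrentControlSet\Services',
    'SYSTEM\CurrentControlSet\Services\EventLog',
    'SYSTEM\CurrentControlSet\Services\W32Time',
    'SOFTWARE\Microsoft\Windows'
)
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $DomainController)
    foreach ($k in $keys) {
        $sub = $null
        # OpenSubKey throws SecurityException when read access is denied and
        # returns $null when the key does not exist; both count as a failure here.
        try { $sub = $hklm.OpenSubKey($k, $false) } catch { }
        Add-Result "Registry read HKLM\$k" ($null -ne $sub)
        if ($sub) { $sub.Close() }
    }
    $hklm.Close()
} catch {
    Add-Result 'Remote Registry reachable' $false
}

# Check DNS Entries: NetLogon.DNS must be readable. The guide states data is gathered
# over RPC and Admin shares, so the admin$ share is used here.
$netlogonDns = "\\$DomainController\admin`$\System32\Config\NetLogon.DNS"
$readable = $false
try {
    # Opening the file for read proves read access, not merely that it exists.
    $fs = [System.IO.File]::OpenRead($netlogonDns)
    $fs.Close()
    $readable = $true
} catch { }
Add-Result 'NetLogon.DNS readable via admin$' $readable

$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

Each failed row maps back to one permission line in the tables above, so the script's output is also the list of rights to request rather than granting the account full administrative access by default. The write-level rights (domain partition, SYSVOL disk, PDC Emulator) are deliberately not exercised by the check.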

Appendix B  Frequently Asked Questions and Troubleshooting

How do I launch Native Tools from the Assistant Pane on 64-bit operating systems?

To launch Native Tools from the Assistant Pane on 64-bit operating systems
1. Go to Program Files\Quest Software\Spotlight on Active Directory.
2. Rename the file Tools64.xml to Tools.xml.
Native Tools are launched under the account of the user running the Spotlight on Active Directory Topology Viewer.

How often should I run analysis tests?

Test Group execution frequency is best determined by looking at the test you wish to run and the number of DCs you are monitoring. For example, you can break the Server Health test up into 3 parts:
- Availability (Network Availability and Critical Services) is the highest priority and requires the least amount of time to verify.
- Resources (Directory Responsiveness and Disk Space Usage) have more overhead and should be executed less frequently.
- Error Monitoring (Performance Counters and Event Logs\Lingering Objects) has the most overhead, and the data does not change frequently (or, in the case of Performance Counters, is averaged over the course of the day).

If you want to increase the frequency of the tests being run, break test groups up into smaller groupings. Avoid running a single Server Health test against 120 Domain Controllers. Instead, run a Server Health test against six groups of 20 Domain Controllers. See pages 10, 12, and 14 of this guide for more information.

Do tests still run even when I am logged off?

Analysis tests are executed using the Distributed Collector service, as long as the Diagnostic Services host computer is running and the Diagnostic Services (running the tests) are executing according to their schedule. For information on what the Diagnostic Services include, see Installation Components on page 7.

Does Spotlight on Active Directory require an agent to gather the information?

Spotlight on Active Directory does not require an agent on a domain controller (DC). All information is gathered using RPC calls and Admin shares.

How do I migrate the database from a SQL 2000 to a SQL 2005 instance?

Refer to the Microsoft Knowledge Base articles on backing up, detaching, and moving a database, then perform the following procedure on the Spotlight on Active Directory console.

To migrate the Spotlight on Active Directory database from a SQL 2000 to a SQL 2005 instance
1. Stop the following services: DataManagerSLAD, DiagnosticTestEngineSLAD, and Distributed Collector.
2. Change the following registry entry to the new host name of the SQL Server: HKEY_LOCAL_MACHINE\Software\Quest Software\Spotlight on Active Directory\DbServerName DatabaseServerName.
3. Change the "ImagePath" string for the two Spotlight on Active Directory services to point to the new database host machine, by making the following registry changes:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DataManagerSLAD - the ImagePath string value holds the database connection string that needs to be changed. Change the "Data Source" in the connection string.
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagnosticTestEngineSLAD - the ImagePath string value holds the database connection string that needs to be changed. Change the "Data Source" in the connection string.
4. Add the same database connection string for the scheduled tasks Directory Objects Collector, SLAD - Purge Counter Values, and Refresh SLAD Discovery by right-clicking each task and selecting Properties. The tasks need to be updated on the Diagnostic Services host and all Console hosts (not all tasks may be present on Console-only installs).

For Web Reports
1. Change the following file so that it points to the new SQL Server/database and uses new credentials if required: C:\Program Files\Quest Software\Spotlight On Active Directory\WebReports.UDL
2. Change the following registry key to point to the new SQL Server host name: HKLM\Software\Quest Software\SpotlightOnAD\ClientDB.
3. Start the DataManagerSLAD, DiagnosticTestEngineSLAD, and Distributed Collector services.
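As an added example (not the product's own tooling), the service and registry steps of the migration procedure above scripted in Windows PowerShell, to be run from an elevated session on the console or Diagnostic Services host. The new SQL host name is a parameter. The exact layout of the connection string inside ImagePath, and the value names DbServerName and ClientDB, are assumptions taken from the step text, so the script shows each ImagePath before and after the change and stops rather than guessing when no "Data Source=" token is present. Step 4 (the scheduled tasks) and WebReports.UDL are still edited by hand as the procedure describes.

```powershell
# Added example, not part of the Spotlight on Active Directory guide.
# Scripts steps 1-3 and the Web Reports registry step of the migration procedure.
# Run from an elevated Windows PowerShell session on the affected host.
param([Parameter(Mandatory)][string]$NewSqlHost)

# Service names as written in the procedure; matched on either Name or DisplayName
# because the guide does not say which form "Distributed Collector" is.
$serviceNames = 'DataManagerSLAD', 'DiagnosticTestEngineSLAD', 'Distributed Collector'
$services = @(Get-Service | Where-Object {
    $serviceNames -contains $_.Name -or $serviceNames -contains $_.DisplayName })
if ($services.Count -ne $serviceNames.Count) {
    throw "Expected $($serviceNames.Count) services, found $($services.Count): $($services.Name -join ', ')"
}

# Step 1: stop the services.
$services | Stop-Service -Force -ErrorAction Stop

# Step 2: repoint DbServerName (key from the procedure; value name assumed to be DbServerName).
$sladKey = 'HKLM:\SOFTWARE\Quest Software\Spotlight on Active Directory'
Set-ItemProperty -Path $sladKey -Name 'DbServerName' -Value $NewSqlHost

# Step 3: change only the "Data Source=" token in the ImagePath connection string of
# the two SLAD services; everything else in ImagePath is preserved.
foreach ($svc in 'DataManagerSLAD', 'DiagnosticTestEngineSLAD') {
    $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath
    if ($imagePath -notmatch 'Data Source=') {
        throw "ImagePath of $svc has no 'Data Source=' token; edit it by hand."
    }
    # Replace the host portion up to the next ';' or closing quote.
    $updated = $imagePath -replace '(?i)(Data Source=)[^;"]+', "`${1}$NewSqlHost"
    Write-Host "$svc`n  before: $imagePath`n  after:  $updated"
    Set-ItemProperty -Path $svcKey -Name ImagePath -Value $updated
}

# Web Reports step 2: ClientDB under SpotlightOnAD (assumed to be a string value);
# the key is only present where Web Reports is installed.
$webReportsKey = 'HKLM:\SOFTWARE\Quest Software\SpotlightOnAD'
if (Test-Path -LiteralPath $webReportsKey) {
    Set-ItemProperty -Path $webReportsKey -Name 'ClientDB' -Value $NewSqlHost
}

# Step 4 (scheduled task connection strings) and WebReports.UDL are edited by hand
# as described in the procedure. Start the services again (Web Reports step 3).
$services | Start-Service -ErrorAction Stop
```

Because ImagePath carries the database connection string, the before/after lines printed by the script are worth keeping with the change record: they show whether the string embeds credentials, which is the case where switching to SQL Server Authentication (recommended for distributed Web Reports earlier in this guide) also means the new credentials must be entered in WebReports.UDL and the scheduled tasks.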
How do I move Spotlight on Active Directory from one server to another? Can I keep my settings?

The Spotlight on Active Directory database contains all of the configuration data for your Spotlight on Active Directory installation. If you move your database, the configurations are moved along with it. The procedure to move from one server to another depends on where your database is installed.

If your components (including the database) are on one host computer
1. Back up your database.
2. Restore the database on the new host computer.
3. Uninstall Spotlight on Active Directory from the old host computer.
4. Install Spotlight on Active Directory on the new host computer.

If the database resides on a separate computer
1. Uninstall Spotlight on Active Directory from the old host computer.
2. Install Spotlight on Active Directory on the new host computer.
You can redirect the Spotlight on Active Directory Topology Viewer to a new location the next time you launch it.

Why do some Web Reports show no data?

Web Reports will not show data until the analysis test that provides the data is run. The individual web reports inform you which test you need to execute to obtain data.

How do I perform a distributed installation?

See Distributed Collectors on page 14 to perform a distributed installation.

How do I correct a faulty installation or configuration of Web Reports?

You can use the ASP.NET utility called aspnet_regiis. This command-line utility is found in a path such as the following, where nnnn represents a four-digit build number:
C:\WINDOWS\Microsoft.NET\Framework\v1.1.nnnn\

To correct a faulty installation or configuration of Web Reports
1. Look under the highest-numbered version folder.
2. Run the utility using the /i switch:
   aspnet_regiis /i

To run ASP.NET 2.0 (32-bit)
1. Click Start > Run and type cmd.
2. Click OK.
3. Type the following command to enable the 32-bit mode:
   cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
4. Type the following command to install the version of ASP.NET 2.0 (32-bit) and to install the script maps at the IIS root and under:
   %SYSTEMROOT%\Microsoft.NET\Framework\v2.0.40607\aspnet_regiis.exe -i
Make sure that the status of ASP.NET version 2.0.40607 (32-bit) is set to Allowed in the Web service extension list in Internet Information Services Manager.

To run ASP.NET 2.0 (64-bit)
1. Click Start > Run and type cmd.
2. Click OK.
3. Type the following command to disable the 32-bit mode:
   cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
4. Type the following command to install the version of ASP.NET 2.0 and to install the script maps at the IIS root and under:
   %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.40607\aspnet_regiis.exe -i
Make sure that the status of ASP.NET version 2.0.40607 is set to Allowed in the Web service extension list in Internet Information Services Manager.

The build version of ASP.NET 2.0 may differ depending on what the currently released build version is. These steps are for build version 2.0.40607.

Why do some statistics differ from the information from the Spotlight on Windows drilldown?

When you drill down from the Operating System panel at the bottom of the Spotlight on Active Directory home page, you may find that the statistics (such as the Total CPU Usage and Physical RAM) differ from the information provided by the Spotlight on Windows drilldown. The discrepancy occurs because Spotlight on Active Directory and Spotlight on Windows obtain the information at different intervals over the polling periods.

How do I execute tests, using the Collector Management Console, if I have an invalid port?

The Collector Management Console requires Microsoft Management Console (MMC) 3.0 to run. MMC 3.0 can be installed on Windows XP and Windows 2003 platforms only. If you are operating on a Windows 2000 platform, you can install the Collector Management Console, but you cannot run it.

If you change a Distributed Collector to listen on an invalid port, such as port 80, the Collector will no longer be accessible through the Collector Management Console and will not execute tests.

To execute tests
1. Go to Quest Software\Common Files\Distributed Collectors.
2. Double-click CollectorConfiguration.exe. The Collector Configuration dialog box opens.
3. Enter 9605 in the Listening Port box.

How do I enable remote connections on SQL 2005 Express?

By default, remote connections are disabled for SQL 2005 Express. Remote connections must be enabled in order to install Diagnostic Services on a different machine than the one hosting the Spotlight on Active Directory database.

To enable remote connections
1. Open the SQL Server 2005 Surface Area Configuration tool.
2. Click Surface Area Configuration for Services and Connections.
3. Expand Database Engine, click Remote Connections, click Local and Remote Connections, click the appropriate protocol to enable for your environment, and then click Apply. Click OK when you receive the following message: Changes to Connection Settings will not take effect until you restart the Database Engine service.
4. Expand Database Engine, click Service, click Stop, wait until the MSSQLSERVER service stops, and then click Start to restart the MSSQLSERVER service.
For more information, see http://support.microsoft.com/kb/914277.

What rights do I need to run this application?

You need Administrator rights to run Spotlight on Active Directory. Admin Share access is available to Administrators only.

How do I license Spotlight on Windows?

Spotlight on Windows is licensed at the same time Spotlight on Active Directory is licensed.

After installing Spotlight on Exchange Diagnostic Console 5.8 on top of Spotlight on Active Directory Diagnostic Console 6.7, why can I no longer make Spotlight on Windows connections to servers?

A previous version of the Spotlight on Windows template may prevent you from launching a Spotlight on Windows connection. This may happen when another Spotlight application that includes a previous version of Spotlight on Windows (for example, Spotlight on Exchange or Spotlight on SQL Server) has been installed on top of this version. In this event, copy the backup template from ..\spotlight\plug-ins\sow\sow Default.stx to ..\spotlight\console\templates\sow.stx. This problem does not occur if you are installing Spotlight on Windows on top of a current Spotlight application.