How to Operate Active Directory: Tips & Tricks
Aaron T. Suzuki, Consulting Engineer, Microsoft Corporation
What to Expect from this Presentation
- Specific to Microsoft Windows Server 2003
- Operations-focused presentation
- A buffet style of recommendations: take what you want, leave what doesn't work
  - Not all recommendations will apply to your environment
  - This presentation includes how to decide which suggestions to implement in your environment
- What will not be covered: security; account, policy, and group administration
#1 Recommendation
- The best recommendations for operating AD have nothing to do with software or technology:
  - How groups talk to each other to hand off issues (Tier 1 to Tier 2; the Exchange team passing an issue off to the Active Directory team)
  - How teams learn new information
  - How change control is implemented
  - What testing and piloting is done to ensure new technology is deployed successfully
Monitoring Performance
- Use historic performance data to troubleshoot problems and for capacity planning: consolidating domain controllers, new deployments
- Little-known trick: Perfmon in XP and Server 2003 can log data directly into SQL Server or MSDE, and can also pull data from SQL/MSDE directly back into the Perfmon UI
Monitoring Performance (continued)
- Run Server Performance Advisor periodically; look for alerts and warnings in the summary page
- Collect daily perf snapshots at busy times (for example, 10:00 a.m.) and save them for trending purposes
- Try not to run DCs constantly over 60% CPU
Logging Perfmon data into SQL or MSDE
[Screenshot slide: the Perfmon counter-log properties with a SQL/MSDE log destination.]
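The SQL logging trick and the daily busy-hour snapshot from the two preceding slides, as an added PowerShell example (not part of the deck). It drives logman, which ships with XP and Server 2003, and reads the history back over ODBC. The DSN name PerfDSN, the log names, the counter list, the M:\PerfLogs path and the CounterData/CounterDetails table names are assumptions; the latter two are the Perfmon SQL log schema as understood here.

```powershell
# Added example (not from the presentation). Assumes an ODBC system DSN named
# "PerfDSN" that points at the SQL Server/MSDE database; "DCPerf", the counter
# list and M:\PerfLogs are arbitrary choices.
$dsn      = 'PerfDSN'
$logName  = 'DCPerf'
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\DRA Inbound Bytes Total/sec'
)

# 1. Continuous log straight into the database (logman -f sql, -o SQL:<dsn>!<logset>),
#    sampling every 60 s. PowerShell expands $counters into separate arguments for -c.
& logman create counter $logName -c $counters -si 00:01:00 -f sql -o "SQL:${dsn}!${logName}"
& logman start $logName

# 2. Daily busy-hour snapshot: 15 s samples for 30 minutes starting 10:00, as a .blg
#    for trending, started by a scheduled task so it is captured the same way every day.
$snapName = "$logName-Snapshot"
& logman create counter $snapName -c $counters -si 00:00:15 -rf 00:30:00 -f bin -o "M:\PerfLogs\$snapName"
& schtasks /create /sc daily /st 10:00 /ru SYSTEM /tn $snapName /tr "logman start $snapName"

# 3. Read history back: average CPU over the last N days answers the
#    "is this DC constantly over 60%?" question. CounterData joined to CounterDetails
#    on CounterID is the Perfmon SQL log layout as assumed here; CounterDateTime is a
#    char column in yyyy-MM-dd HH:mm:ss.fff form, so a string compare orders correctly.
function Get-AverageCpu {
    param([string]$Dsn = $dsn, [int]$Days = 7)
    $conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$Dsn")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT AVG(d.CounterValue)
FROM   CounterData d
JOIN   CounterDetails c ON d.CounterID = c.CounterID
WHERE  c.ObjectName = 'Processor' AND c.CounterName = '% Processor Time'
  AND  d.CounterDateTime > ?
"@
        $p = $cmd.Parameters.Add('@since', [System.Data.Odbc.OdbcType]::VarChar)
        $p.Value = (Get-Date).AddDays(-$Days).ToString('yyyy-MM-dd HH:mm:ss.fff')
        $v = $cmd.ExecuteScalar()
        if ($v -is [DBNull]) { return $null }
        return [math]::Round([double]$v, 1)
    } finally {
        $conn.Close()
    }
}

$avg = Get-AverageCpu -Days 7
if ($avg -ne $null -and $avg -gt 60) { Write-Warning "7-day average CPU is $avg%: above the 60% guideline" }
```

The SQL log and the snapshot task can coexist; the snapshot stays a local binary log because it is what you open in the Perfmon UI to eyeball a single busy hour, while the database holds the months of history that capacity planning needs.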
Managing Uncertainty in Large-scale Cutovers
- For example: forest functional level changes, /domainprep, schema changes
- Test, test, and retest, and then build processes
Managing Uncertainty in Large-scale Cutovers: Peel-off method
[Diagram: the production forest (Corp SouthAmerica, Corp NorthAmerica, Redmond) is peeled off onto a private test network in three steps (Step 1 to Step 3), one domain at a time.]
Checklist After a Large-Scale Cutover
- Clean event logs (no new errors)
- Replication occurs between DCs
- DIT file did not substantially increase in size
- Client logons work
- Policy processing works
- Binding to the DS works
- DS searches work (using LDP, for example)
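The checklist above automated for one DC, as an added PowerShell example that is not part of the presentation. It assumes PowerShell 2.0, repadmin on the path, and the M: DIT drive standard this deck recommends later (reached over the M$ admin share); the server name WA-DC-01 and the pre-cutover baseline size are constructed. Client logons are the one item it leaves to a manual test.

```powershell
# Added example, not from the presentation. Assumes PowerShell 2.0, repadmin on the
# path and ntds.dit at M:\NTDS on the target DC (this deck's drive standard).
function Test-PostCutover {
    param(
        [string]$DC = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-4),   # when the cutover started
        [double]$BaselineDitMB = 0                    # DIT size recorded before the cutover
    )
    $r = New-Object PSObject

    # 1. Clean event logs: count new errors since the cutover in the logs that matter
    foreach ($log in 'Directory Service', 'DNS Server', 'System') {
        $errs = Get-EventLog -ComputerName $DC -LogName $log -EntryType Error -After $Since -ErrorAction SilentlyContinue
        $r | Add-Member NoteProperty "$log errors" (@($errs).Count)
    }

    # 2. Replication: every inbound partner row must show zero failures
    $rows = & repadmin /showrepl $DC /csv | ConvertFrom-Csv
    $bad  = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    $r | Add-Member NoteProperty 'Replication links failing' $bad.Count

    # 3. DIT did not balloon: more than 10% growth over the pre-cutover size is flagged
    $ditMB = (Get-Item "\\$DC\M`$\NTDS\ntds.dit").Length / 1MB
    $r | Add-Member NoteProperty 'DIT MB' ([math]::Round($ditMB, 1))
    $r | Add-Member NoteProperty 'DIT grew >10%' ($BaselineDitMB -gt 0 -and $ditMB -gt $BaselineDitMB * 1.1)

    # 4. Bind and search: read RootDSE, then run a real search against the domain NC
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DC/RootDSE")
    $domainNC = $rootDse.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        (New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DC/$domainNC")),
        '(&(objectClass=user)(sAMAccountName=krbtgt))')
    $r | Add-Member NoteProperty 'LDAP bind+search ok' ($searcher.FindOne() -ne $null)

    # 5. Policy processing on the box running this script (Userenv is the GP source on 2003)
    & gpupdate /force | Out-Null
    $gpErr = Get-EventLog -LogName Application -Source Userenv -EntryType Error -After (Get-Date).AddMinutes(-5) -ErrorAction SilentlyContinue
    $r | Add-Member NoteProperty 'GPO processing errors' (@($gpErr).Count)

    return $r
}

Test-PostCutover -DC 'WA-DC-01' -Since (Get-Date).AddHours(-6) -BaselineDitMB 1800 | Format-List
```

Run it from a management station that is not itself part of the cutover, so the policy-processing check exercises a normal client path rather than the DC's own.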
Root Causes of PDC Overload
- Not common in smaller deployments
- Different components put load on the PDC role master:
  - Domain DFS and NT4 SP6 clients
  - PDC registration in WINS: the sort order of domain 1C entries returned by WINS
  - Some object picker versions go to the PDC
  - Pass-through authentication to the PDC
  - Up-level clients are only authenticated by the Windows Server 2003 PDC in a mixed NT4 domain
Fixing PDC Overload
- If your PDC runs hot
- Goal: clients won't use the PDC for normal authentication/searches, but clients that are specifically looking for the PDC will still find it
- Shield the DC in WINS and DNS:
  - WINS: set Prepend1BTo1CQueries as stated in Q269424. This stops WINS servers from adding the 0x1B (PDC) record to the top of the 0x1C (domain) list.
  - DNS: adjust priority and weight so the PDC is picked last when DNS lookups occur (KB 296716). LdapSrvWeight and LdapSrvPriority are the registry values, set on each DC, that control this.
- Warning: clients are sticky, and you may have to stop the Netlogon service for up to 1 hour to time out clients
- Consider having a hot backup PDC that is also shielded in DNS/WINS, in case the FSMO role needs to be moved quickly
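The two shielding changes above as an added PowerShell example (not from the deck). The registry value names and KB numbers are the ones the slide cites; the priority/weight numbers are arbitrary and the domain is read from the machine. The WINS part runs on each WINS server, the Netlogon part on the PDC itself.

```powershell
# Added example, not part of the presentation. Registry values are those named in
# Q269424 and KB 296716; the numeric priority/weight choices are arbitrary.

# --- WINS side (run on every WINS server): stop prepending the 1B (PDC) entry to 1C answers
$winsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Wins\Parameters'
Set-ItemProperty -Path $winsKey -Name Prepend1BTo1CQueries -Value 0 -Type DWord
Restart-Service wins

# --- DNS side (run on the PDC): make its SRV records the least preferred.
#     Lower priority wins, so 200 (default 0) puts the PDC behind every other DC;
#     within a priority a lower weight (default 100) is chosen proportionally less often.
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $nlKey -Name LdapSrvPriority -Value 200 -Type DWord
Set-ItemProperty -Path $nlKey -Name LdapSrvWeight   -Value 10  -Type DWord
# Netlogon re-registers the SRV records on start with the new values. Clients are sticky:
# to force them off, leave Netlogon stopped for up to an hour instead of restarting at once.
Restart-Service netlogon

# --- Verify. The generic DC records should now list the PDC with priority 200 ...
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
# ... while the PDC-specific record is untouched, so callers that need the PDC still find it.
& nslookup -type=SRV "_ldap._tcp.pdc._msdcs.$domain"
```

Apply exactly the same Netlogon values on the hot backup PDC so that transferring the role does not suddenly expose the new holder to the load the old one was shielded from.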
General Monitoring
- Harvest event logs for historical analysis (e.g. the Security event log)
- Have a real-time system monitoring/alerting tool (e.g. Microsoft Operations Manager)
- Track uptime events, and look for 6008 dirty-shutdown events; 6008 is useful to monitor because it tells you if a server is rebooting periodically due to a blue screen or hardware issue
- Increase the size of the event logs to something realistic, like 50 MB per log (Application, System, Directory Service, DNS Server)
General Monitoring (continued)
- Set the Field Engineering registry value to detect resource-costly searches:
  - 4: a rollup event is logged every time online defrag runs
  - 5: one event is logged every time a search is deemed expensive or inefficient
- Q314980 contains the registry location
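The log sizing, the Field Engineering setting and the two detections from the last two slides, as an added PowerShell example that is not from the deck. Log names and the 50 MB figure follow the slide; the NTDS\Diagnostics path is the one Q314980 documents; the "Client:" field parsed out of the expensive-search event (1644) is an assumption about that event's message text, and the server names are constructed.

```powershell
# Added example, not from the presentation.
$maxBytes = 50MB   # 52428800, a multiple of 64 KB as the Event Log service requires
foreach ($log in 'Application', 'System', 'Directory Service', 'DNS Server') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
    # MaxSize is read when the Event Log service starts, so this takes effect at the next reboot
    if (Test-Path $key) { Set-ItemProperty -Path $key -Name MaxSize -Value $maxBytes -Type DWord }
}

# Field Engineering (Q314980): 5 = one event per expensive or inefficient search
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord

# Dirty shutdowns (6008) per server over a window; several in a month means the box
# is rebooting on its own (bugcheck or hardware), whatever the uptime counter says.
function Get-DirtyShutdowns {
    param([string[]]$Servers, [int]$Days = 30)
    foreach ($s in $Servers) {
        $ev = @(Get-EventLog -ComputerName $s -LogName System -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
                Where-Object { $_.EventID -eq 6008 })
        $last = $null
        if ($ev.Count -gt 0) { $last = $ev[0].TimeGenerated }   # Get-EventLog returns newest first
        New-Object PSObject -Property @{ Server = $s; DirtyShutdowns = $ev.Count; LastOne = $last }
    }
}

# Expensive/inefficient searches (1644): which clients issue them most.
# The "Client:" label is an assumption about the 1644 message layout.
function Get-ExpensiveSearchClients {
    param([string]$DC = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-EventLog -ComputerName $DC -LogName 'Directory Service' -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 1644 } |
        ForEach-Object { if ($_.Message -match 'Client:\s*(\S+)') { $matches[1] } } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-DirtyShutdowns -Servers 'WA-DC-01', 'WA-DC-02' | Format-Table -AutoSize
Get-ExpensiveSearchClients | Select-Object -First 10
```

Level 5 can be noisy on a busy DC, which is one more reason the Directory Service log needs the larger size set above it; drop back to 4 once the offending clients have been found.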
Replication Topology
- Let the Knowledge Consistency Checker (KCC) manage your replication environment; improvements in the Windows Server 2003 algorithm should eliminate the need for manual connection objects
- Leverage the power of sites and subnets for granular control of replication; spend time defining your network topology as AD sites and subnets
Segmenting Traffic Using Sites
- If you need to segment DC traffic, use /32 subnets to assign specific application servers and DCs to a site. This is especially true for dedicated Exchange sites.
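Creating such a /32 subnet object and linking it to a site, as an added PowerShell example that is not part of the deck. It writes the subnet under CN=Subnets,CN=Sites in the Configuration NC through System.DirectoryServices; the site name, IP addresses and descriptions are constructed.

```powershell
# Added example, not from the presentation. Site name, addresses and descriptions are constructed.
function New-HostSubnet {
    param([string]$IP, [string]$SiteName, [string]$Description = '')
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $siteDN   = "CN=$SiteName,CN=Sites,$configNC"

    # A subnet whose siteObject points nowhere pins nothing and the DC locator ignores it,
    # so refuse to create one for a site that does not exist.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$siteDN")) {
        throw "site '$SiteName' does not exist under $configNC"
    }

    $name    = "$IP/32"
    $subnets = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"

    # Look the name up with a filter rather than a path: "/" is a path separator in ADsPaths
    # but needs no escaping in an LDAP filter.
    $finder = New-Object System.DirectoryServices.DirectorySearcher($subnets, "(&(objectClass=subnet)(cn=$name))", @('cn'), 'OneLevel')
    if ($finder.FindOne()) { throw "subnet $name already exists" }

    $obj = $subnets.Children.Add("CN=$name", 'subnet')
    $obj.Properties['siteObject'].Value = $siteDN
    if ($Description) { $obj.Properties['description'].Value = $Description }
    $obj.CommitChanges()
    return $obj.Path
}

# Pin one Exchange server and the DC it should talk to into an Exchange-only site.
New-HostSubnet -IP '10.20.30.41' -SiteName 'Exchange-Only' -Description 'EXCH01 host route'
New-HostSubnet -IP '10.20.30.11' -SiteName 'Exchange-Only' -Description 'WA-DC-03 host route'
```

A /32 is the most specific match, so it overrides whatever wider subnet the rest of that network belongs to; keep the description populated, because a bare list of host routes in Sites and Services is otherwise impossible to audit.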
Replication Monitoring
- Make sure your AD monitoring solution includes replication
- Use the new repadmin (Resource Kit) switches to quickly snapshot the health of replication:
  - repadmin /replsum * /sort:delta for an initial check
  - repadmin /showrepl * /csv, then import into Excel
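The Excel step replaced by a script, as an added PowerShell example that is not from the deck: it parses the /csv output in place and keeps only links that are failing or have not succeeded within a window. It assumes the Windows Server 2003 repadmin column headers and its yyyy-MM-dd HH:mm:ss timestamp format.

```powershell
# Added example, not part of the presentation. Assumes repadmin on the path and its
# /csv column names (Destination DSA, Source DSA, Naming Context, Number of Failures,
# Last Success Time, Last Failure Status).
function Get-ReplicationFailures {
    param([string]$Scope = '*', [int]$StaleHours = 24)
    $rows = & repadmin /showrepl $Scope /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $fails  = [int]$r.'Number of Failures'
        $lastOk = $null
        # "0" means the link has never succeeded; anything else is a timestamp
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            try { $lastOk = [datetime]$r.'Last Success Time' } catch { $lastOk = $null }
        }
        $stale = ($lastOk -eq $null) -or ($lastOk -lt (Get-Date).AddHours(-$StaleHours))
        if ($fails -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination       = $r.'Destination DSA'
                Source            = $r.'Source DSA'
                NamingContext     = $r.'Naming Context'
                Failures          = $fails
                LastSuccess       = $lastOk
                LastFailureStatus = $r.'Last Failure Status'
            }
        }
    }
}

# Quick first look, as the slide suggests, then the filtered table for the ticket
& repadmin /replsum * /sort:delta
Get-ReplicationFailures | Sort-Object Failures -Descending |
    Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastFailureStatus -AutoSize
```

The stale check matters more than the failure count: a link with zero recorded failures that has not succeeded in a day is the case the summary view hides, and left long enough it becomes a lingering-object problem.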
Configuring DNS
- Highly recommend using AD-integrated DNS zones
- Assuming DNS is running on the DC, point DCs to themselves first in the DNS client settings, then to a common DC as the secondary DNS server
- Make sure you use the new application partitions. This is most relevant for Win2k-to-Win2k03 upgrades, since upgraded zones are not moved into them by default
- Turn on scavenging to keep old records from lingering
- Tip of the day: to reduce replication, set scavenging to your company's normal vacation time + 3 days; for example no-refresh = 30 days, refresh = 17 days
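The three configuration items above (client order, application partition, aging intervals) as an added PowerShell example that is not part of the deck. It wraps dnscmd, the DNS Server command-line tool on 2003, and WMI for the client settings; the zone name, partner DC address and 7-day scavenging period are constructed, and the intervals follow the slide's 30/17-day example.

```powershell
# Added example, not from the presentation. Zone and partner address are constructed.
$zone    = 'corp.example.com'
$partner = '10.1.0.11'          # the common secondary DC every DC points at

# 1. DNS client order on a DC that runs DNS: itself first, then the common partner
$nic  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object -First 1
$self = $nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | Select-Object -First 1
$ret  = $nic.SetDNSServerSearchOrder(@($self, $partner))
if ($ret.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed with $($ret.ReturnValue)" }

# 2. Application partitions: an upgraded zone still lives in the domain NC and replicates
#    to every DC in the domain, DNS server or not. Create the built-in partitions if the
#    forest was upgraded without them, then move the zone into DomainDnsZones.
& dnscmd /EnumDirectoryPartitions
& dnscmd /CreateBuiltinDirectoryPartitions /Domain
& dnscmd /ZoneChangeDirectoryPartition $zone "DomainDnsZones.$zone"

# 3. Aging on the zone, in hours: no-refresh 30 d (720 h), refresh 17 d (408 h).
#    A record's timestamp is only rewritten (and replicated) after the no-refresh window,
#    and a host that is away for the whole no-refresh + refresh period gets scavenged.
& dnscmd /Config $zone /Aging 1
& dnscmd /Config $zone /NoRefreshInterval 720
& dnscmd /Config $zone /RefreshInterval 408
# Server-level: run the scavenger once a week on this server only
& dnscmd /Config /ScavengingInterval 168

# Verify the aging flags and intervals took
& dnscmd /ZoneInfo $zone
```

Enable scavenging on one DNS server per zone, not all of them; the aging intervals are zone properties that replicate, but the scavenging interval is per server, and several servers scavenging the same zone gains nothing.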
Monitoring FRS
- Deploy Ultrasound to monitor FRS
- Watch out for sharing violations; they are the most common problem, usually caused by incorrect permissions in SYSVOL or by applications opening SYSVOL files with incorrect sharing modes
- Watch for mangled file/folder names (ntfrs_xxxxx, scripts_xxxxx)
- Monitor Ultrasound and verify that no more than 10 VVJoins occur at a given time; VVJoins occur when a new connection object is created
Active Directory Database Configuration
- Standardize the DIT and log drives on all DCs (e.g. M: holds the DIT and L: holds the log files); this makes management and monitoring a lot easier
- Windows Server 2003 uses single-instance storage for security descriptors; if you upgrade from Win2k to Win2k03, perform an offline defrag to reclaim the extra disk space
Active Directory Database Monitoring
- Monitor the size of the DIT
- Set the Garbage Collection registry value (under NTDS\Diagnostics) to 1, which logs an event with the DB size and white space every time online defrag runs (every 12 hours by default, with garbage collection)
- Track the amount of white space; if it reaches more than 33% of the total size, consider performing an offline defrag
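The white-space check as an added PowerShell example (not from the deck): it turns on the diagnostic named above, then reads the size/free-space event that level 1 logs in the Directory Service log and applies the 33% rule. The event ID 1646 and the two field labels it parses are an assumption about that event's text; the M$\NTDS path follows this deck's drive standard.

```powershell
# Added example, not part of the presentation. 1646 and its message labels are assumed;
# ntds.dit is assumed at M:\NTDS on the target DC.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '6 Garbage Collection' -Value 1 -Type DWord

function Get-DitWhiteSpace {
    param([string]$DC = $env:COMPUTERNAME, [double]$Threshold = 0.33)
    # Size on disk is what you actually monitor for growth; the event tells you how much of it is empty
    $fileMB = [math]::Round((Get-Item "\\$DC\M`$\NTDS\ntds.dit").Length / 1MB, 1)

    $ev = Get-EventLog -ComputerName $DC -LogName 'Directory Service' -After (Get-Date).AddDays(-1) |
          Where-Object { $_.EventID -eq 1646 } | Select-Object -First 1

    $free = $null; $total = $null; $note = ''
    if ($ev) {
        if ($ev.Message -match 'Free hard disk space \(megabytes\):\s*(\d+)')            { $free  = [int]$matches[1] }
        if ($ev.Message -match 'Total allocated hard disk space \(megabytes\):\s*(\d+)') { $total = [int]$matches[1] }
    } else {
        $note = 'no 1646 event in the last 24 h: diagnostic not yet active, or online defrag has not run since'
    }

    $ratio = $null
    if ($free -ne $null -and $total) { $ratio = [math]::Round($free / $total, 2) }

    New-Object PSObject -Property @{
        DC                   = $DC
        DitFileMB            = $fileMB
        FreeMB               = $free
        AllocatedMB          = $total
        WhiteSpaceRatio      = $ratio
        OfflineDefragAdvised = ($ratio -ne $null -and $ratio -gt $Threshold)
        Note                 = $note
    }
}

Get-DitWhiteSpace | Format-List
```

Online defrag reuses white space but never returns it to the file system, so a DIT that stays the same size while free space climbs past a third is the signal; an offline defrag (ntdsutil, with the DC in Directory Services Restore Mode) is the only way to shrink the file.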
Active Directory Database Configuration (continued)
- If there is enough disk space, schedule nightly NTBACKUP system state backups and store the .bkf file locally. If you need to recover or rebuild the DC, use Install From Media with the local backup file as the source
- Do not use this method as a replacement for remote backups; do both
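The nightly local system state job as an added PowerShell example that is not part of the deck. The backup directory, retention, task name and script path are constructed; the ntbackup switches (/J job name, /F file, /V:yes verify, /L:s summary log) are the 2003 command-line syntax.

```powershell
# Added example, not from the presentation. Paths, retention and task name are constructed.
$backupDir = 'M:\Backups'
$keepDays  = 7

function Invoke-SystemStateBackup {
    if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
    $file = Join-Path $backupDir ('SystemState-{0}.bkf' -f (Get-Date -Format 'yyyyMMdd'))

    & ntbackup backup systemstate /J 'Nightly system state' /F $file /V:yes /L:s

    # ntbackup's exit code is not a reliable success signal; judge the artifact instead.
    # A system state of a DC is hundreds of MB at least, so a tiny file means it failed.
    if (-not (Test-Path $file) -or (Get-Item $file).Length -lt 10MB) {
        throw "system state backup did not produce a usable file at $file"
    }

    # The local copies exist to seed Install From Media, not to be the archive:
    # prune them and let the remote backup job keep the history.
    Get-ChildItem $backupDir -Filter 'SystemState-*.bkf' |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
        Remove-Item
    return $file
}

# IFM on 2003: restore this .bkf to an alternate folder on the machine being promoted,
# then run "dcpromo /adv" and point it at that folder. A backup older than the forest's
# tombstone lifetime is refused, which is another reason to keep the job nightly.

# Schedule at 02:00, outside business hours, as the later slide recommends
& schtasks /create /sc daily /st 02:00 /ru SYSTEM /tn 'AD system state backup' /tr 'powershell.exe -File C:\Scripts\Backup-SystemState.ps1'
```

Protect the backup directory with the same ACL as the NTDS folder: a system state backup contains the full DIT, so a readable .bkf on a local share is equivalent to handing out the password hashes.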
Active Directory Database Configuration (continued)
- Always run with /3GB in BOOT.INI on 32-bit DCs; don't run it together with /PAE
- Max DB cache without /3GB: ~512 MB; with /3GB: ~2.6 GB (32-bit)
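Applying the switch with the /PAE guard, as an added PowerShell example that is not part of the deck. It uses bootcfg, the supported BOOT.INI editor on 2003; boot entry 1 being the default OS entry and the ESE counter name used to observe the cache afterwards are assumptions.

```powershell
# Added example, not from the presentation. Entry ID 1 is assumed to be the OS entry;
# confirm with "bootcfg /query" before running.
function Enable-3GB {
    param([int]$EntryId = 1)
    $text = & bootcfg /query | Out-String
    if ($text -match '(?i)/PAE') { throw 'BOOT.INI already uses /PAE; do not combine it with /3GB on a DC' }
    if ($text -match '(?i)/3GB') { return 'already set' }
    # /raw with /a appends to the existing OS load options instead of replacing them
    & bootcfg /raw "/3GB" /a /id $EntryId
    return 'added; reboot required'
}

Enable-3GB

# After the reboot, watch the ESE cache grow past the old ~512 MB ceiling under load
# (counter name assumed; the lsass instance is the directory's database)
Get-Counter '\Database(lsass)\Database Cache Size'
```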
Non-AD-Specific Recommendations
- Do not run backups during business hours
- Use common standard names for domain controllers; this makes scripting, administration, and troubleshooting a lot easier (e.g. WA-DC-01: physical area or domain name abbreviation, role, serial number)
- Standardize hardware if possible
- Definitely standardize the software platform (e.g. all DCs run Win2k03 + the same 6 QFEs)
Non-AD-Specific Recommendations (continued)
- If possible, use a testing/piloting forest for changes first. Changes include new fixes, new policies, new major upgrades, etc.
A Note on Virtual Server DCs
- Not recommended for production deployment yet; look for published recommendations from the AD team around the time Virtual Server releases
- Great for piloting/testing; an OK solution for account separation
- Needs two QFEs on Win2k03: one to protect against USN rollback, one to support using older images from the same machine
- Special security considerations are needed for handling images