Monitoring AD


ade

hello everyone - just for background - Win2k AD

Our org has recently installed a new third party web based application used
by over 100 people (which will ultimately quadruple +). We have 2 dc's on
the site where the application server is, the most powerful one has 512mb
ram and a 2ghz p4 processor. These DC's are on the same site as most of our
back office servers (Exchange, SQL etc) and since installing the new app
server, when a user authenticates to it (which happens very frequently
during the day), after 2-3 weeks it eventually slows and takes 2min+ to
authenticate (eventually failing totally) which is causing issues. The only
way around this is to reboot the DC (or both DC's) which then allows the
application to function quickly again.

So, the question is, can anyone let me know if there are any free tools for
monitoring AD performance - regarding speed of logon times, replication,
potential bottlenecks and general DC health (any third party tools with an
eval period would be OK also). My gut feeling is that these DC's (the most
powerful of which holds all the FSMO roles) are simply not up to providing
the services any longer, as more back office apps and users have been
introduced performance may have reduced, hence the new app perhaps breaking
the camel's back.

Any thoughts, suggestions, server specs or general advice would be much
appreciated.
 
DCs get busy for a period of time, they don't generally get slower and slower
over weeks. That sounds like you have installed software on the DCs which is
leaking resources. DCs should not be running anything other than default DC
services. Anything else tends to introduce security and stability issues.

As for free monitoring, look at perfmon. The main things you want to look at for
a DC usually are the disk queue stats as that is almost always the first place a
32 bit DC starts having issues if AD is being beaten up.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
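
Added example, not part of the thread: a perfmon counter log saved as CSV can be checked for the pattern described in the reply above, where a leak shows as a steady climb over days while load shows as spikes. The counters chosen, the host name DC1, the sample values and the 0.9 R² cut-off are all assumptions made for illustration.

```python
import csv, io
from datetime import datetime

# Constructed perfmon CSV log, one sample per day; host DC1 and all values are made up.
SAMPLE = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\DC1\Memory\Pool Nonpaged Bytes","\\DC1\PhysicalDisk(_Total)\Avg. Disk Queue Length"
"03/01/2006 09:00:00.000","41000000","0.4"
"03/02/2006 09:00:00.000","47500000","3.1"
"03/03/2006 09:00:00.000","53000000","0.6"
"03/04/2006 09:00:00.000","60200000","0.5"
"03/05/2006 09:00:00.000","66000000","2.8"
"03/06/2006 09:00:00.000","72900000","0.3"
'''

def load(text):
    """Return {counter: [(days_since_first_sample, value), ...]}."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    names = [h.split("\\", 3)[-1] for h in rows[0][1:]]  # strip the \\HOST\ prefix
    series, t0 = {n: [] for n in names}, None
    for row in rows[1:]:
        t = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        t0 = t0 or t
        for name, cell in zip(names, row[1:]):
            if cell.strip():  # skip blank cells (missed samples)
                series[name].append(((t - t0).total_seconds() / 86400, float(cell)))
    return series

def trend(points):
    """Least-squares slope per day and R^2 of the fit against time."""
    n = len(points)
    if n < 2:
        return 0.0, 0.0
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    syy = sum((y - my) ** 2 for _, y in points)
    if sxx == 0 or syy == 0:
        return 0.0, 0.0
    return sxy / sxx, (sxy * sxy) / (sxx * syy)

def assess(text, r2_min=0.9):  # r2_min is an assumed cut-off, tune it on real logs
    """Steady climb (positive slope, high R^2) suggests a leak; spiky counters do not."""
    report = {}
    for name, pts in load(text).items():
        slope, r2 = trend(pts)
        report[name] = {"per_day": slope, "r2": r2,
                        "peak": max((v for _, v in pts), default=0.0),
                        "leak_suspect": slope > 0 and r2 >= r2_min}
    return report

if __name__ == "__main__":
    for counter, result in assess(SAMPLE).items():
        print(counter, result)
```

On the constructed data the pool counter is flagged because it grows by roughly 6.3 MB a day in a near-straight line, while the disk queue counter spikes but shows no trend.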
 
Thanks - I have always thought the AV on the server does no good either,
McAfee 8.0 is installed, every now and then we have numerous errors in the
event logs (2019 IIRC) that point to this app. Do you have a recommendation
on AV for DC's??
 
I personally would implement a virus scanner on a DC to protect it against
viruses.
For more info see:
MS-KBQ815263_Antivirus, backup, and disk optimization programs that are
compatible with the File Replication Service
MS-KBQ822158_Virus scanning recommendations on a Windows 2000 or on a
Windows Server 2003 domain controller

Besides that I would accept in addition to the DC services like
DNS/WINS/DHCP.

What Joe means is (I think and I agree): "don't install all kinds of
applications and services on a DC like for example Exchange, SQL, etc."

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
Well I mean both don't install all sorts of apps and if you are comfortable
doing it, don't install AV software. I didn't run AV on my DCs when I was tech
lead of ops. The attack vectors aren't there if you have a small intelligent
group of admins. You don't use DCs as a file share. You don't log interactively
onto DCs but once in a blue moon. Most services should be shut down. If there is
some exploit in the water, you best be patching. Waiting on an AV engine to be
ready is scary. Over time, I have seen AV engines cause more issues than help on
servers that weren't file servers.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

