RedmondMagazine

6 Tips for Troubleshooting Active Directory


07/01/2009

Tip 4: NTDS Diagnostics


This tip is an absolute essential for getting additional data on Directory Services (DS) events. It's enabled per DC in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. It's fairly straightforward. There are a variety of values that, when enabled, will dump additional events into the event log to assist with troubleshooting. The valid data for these values is an integer from zero to five, inclusive. The default value is zero, meaning minimal verbosity, and a setting of five will dump more than you want. Normally I set it at three and see if I need more. For instance, if I need more verbose detail on replication, I'd set the "5 Replication Events" value to three and then reproduce the problem. Make sure to reset the value to zero when troubleshooting is concluded. These settings will fill up the event log quickly.
The most common values I use include:
1 Knowledge Consistency Checker
10 Performance Counters
13 Name Resolution (this is DNS related)
15 Field Engineering
18 Global Catalog
2 Security Events
5 Replication Events
8 Directory Access
9 Internal Processing
The 9 Internal Processing value is handy for getting additional detail for DS events that indicate an internal error has occurred. This will often cause additional events that will aid in diagnosing the problem. It's common to set more than one of these values. For instance, in replication troubleshooting, it would be reasonable to enable 1 Knowledge Consistency Checker and 5 Replication Events.
The 15 Field Engineering value will dump several additional events to the DS log. Unlike the other diagnostics, this one needs to be set to five to provide relevant data. Specifically, it will produce events 1644 and 1643, which report inefficient LDAP queries including the client who was the source of the query, the query string and the root of the query. This is important because one of the headaches related to AD is the Local System Authority Subsystem Service (LSASS) process using up enough resources to hang or crash a DC and cause client log-on delays. Inefficient LDAP queries by a user or an application -- or even a Linux client log-on -- will put a heavier load on LSASS. Enabling this diagnostic will quickly identify the guilty party by name or IP address. Some admins leave this diagnostic permanently enabled to monitor a busy environment, but again, it will fill up the event log and possibly hide or overwrite other important events in the DS log.
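
The procedure in this tip (raise a level, reproduce the problem, read the events, reset to zero) can be scripted so the reset step is not forgotten. This is an added example, not code from the article; the three function names are hypothetical helpers, and it assumes an elevated PowerShell 3.0 or later session on the DC being diagnosed.

```powershell
# Added example, not from the article. Function names are hypothetical helpers.
$DiagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string[]]$Name,                 # e.g. '5 Replication Events'
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level # valid data is 0 through 5
    )
    $existing = (Get-Item -Path $DiagKey).Property             # value names present under the key
    foreach ($n in $Name) {
        if ($existing -notcontains $n) {
            Write-Warning "No value named '$n' under $DiagKey; skipped."
            continue
        }
        Set-ItemProperty -Path $DiagKey -Name $n -Value $Level -Type DWord
    }
}

function Get-NtdsDiagnosticLevel {
    # List only the values currently raised above the default of zero.
    $key = Get-Item -Path $DiagKey
    foreach ($n in $key.Property) {
        $v = $key.GetValue($n)
        if ($v -gt 0) { [pscustomobject]@{ Name = $n; Level = $v } }
    }
}

function Reset-NtdsDiagnosticLevel {
    # Put every raised value back to zero once troubleshooting is concluded.
    Get-NtdsDiagnosticLevel | ForEach-Object { Set-NtdsDiagnosticLevel -Name $_.Name -Level 0 }
}

# Replication troubleshooting as described in the tip: start at three.
Set-NtdsDiagnosticLevel -Name '1 Knowledge Consistency Checker', '5 Replication Events' -Level 3

# Field Engineering has to be at five before events 1643 and 1644 are written.
Set-NtdsDiagnosticLevel -Name '15 Field Engineering' -Level 5
# ... reproduce the problem here, then read what was logged in the last hour.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1643, 1644; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

Reset-NtdsDiagnosticLevel
Get-NtdsDiagnosticLevel   # lists anything still raised
```

Running `Get-NtdsDiagnosticLevel` on its own is also a quick audit for DCs where a diagnostic was left enabled and is crowding other events out of the DS log.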

Tip 5: Group Policy Management Console and HTML Reports


I'm sure nearly every AD admin alive uses this tool, but I thought it would be worth mentioning the value of HTML reports. There are two types of reports I use very frequently because I'm dealing with environments I'm not familiar with, and I usually want proof of the settings of a Group Policy Object (GPO) as well as the results from a particular client or clients.
Getting a report of a GPO is valuable even if you're the admin because it shows exactly what settings are defined -- in fact, it shows only the settings that are defined -- so you don't have to wade through the GP editor to find which ones are set. This is a quick way to see if the GPO is defined as you think it is. It also shows links, filters applied and other details. HTML reports for the Default Domain Policy are easy to read and can be expanded and closed by sections as needed, because they're in HTML format.
To get this report, just right-click on any GPO in the domain tree and select "Save Report."
One of the problems with solving a GPO-related issue at a client is pestering the user, who may be hundreds of miles away, to log in and get a GPResult. If the user has logged in at least once on a workstation, Group Policy Management Console (GPMC) can provide you with an HTML-formatted GPResult that is produced when the user logs on. This is obtained in the GPMC console by right-clicking the "Group Policy Results" node and selecting the Group Policy Results Wizard. Of course, GPResult is a necessity in diagnosing client-side issues.

Tip 6: Active Directory Performance Diagnosis


While there are many other troubleshooting tips I could have elaborated on here, this is one that probably isn't well known. In troubleshooting server performance, there's a standard set of objects, including Processor, LogicalDisk, Server, Memory, System and so on. However, there's an NTDS object that provides us with relevant AD counters such as DRA, Kerberos, LDAP and even NTLM-related counters. In addition, we can collect valuable AD data by monitoring the LSASS process. I recommend enabling the following:
Object: Process
Counters: %ProcessorTime, Working Set, Working Set Peak
Object: NTDS
Counters: (all counters)
Unfortunately, there's little information available on what acceptable thresholds are. The only one I've found that even addresses this is Microsoft's Branch Office Deployment guide. While there are many counters that may or may not be familiar, I've only found a few that are significant:
DRA Pending Replication Synchronizations: These are the directory synchronizations that are queued and are essentially replication backlog. Microsoft only says these values should be "as low as possible" and that "hardware is slowing replication." These could be indications that DC resources are at high utilization.
LDAP Client Sessions: This is the number of sessions opened by LDAP clients at the time the data is taken. This is helpful in determining LDAP client activity and if the DC is able to handle the load. Of course, spikes during normal periods of authentication -- such as first thing in the morning -- are not necessarily a problem, but long sustained periods of high values indicate an overworked DC.
LDAP Bind Time: This is the time in milliseconds needed to complete the last successful LDAP binding. Documentation says that this should be "as low as possible," but if you run the perfmon output through the Performance Analyzer of Logs (PAL) tool, it will flag 15 milliseconds as a warning threshold and 30 milliseconds as an error threshold. The fix is more resources: processor, memory and so on. (Note: PAL is an excellent performance-analysis tool, and is available online (http://www.codeplex.com/PAL).)
In diagnosing the LSASS process, as in any performance analysis, a baseline must be established. A note on Microsoft's DS blog indicates that if a baseline is not available, use 80 percent. That is, the LSASS counters shouldn't indicate more than 80 percent consumption. Above 80 percent consumption indicates an overload condition, which could be a high LDAP query demand (see Tip No. 4) or general lack of server resources. The resolution is to increase resources or reduce demand, but be advised this has the potential to cause a performance hit in the domain.
If you really want to solve your LSASS resource issues, put your DCs on x64 platforms with several processors and 32GB of RAM. You might be surprised at how much memory LSASS really can use.
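
The counters singled out in this tip can be sampled from the command line and checked against the only thresholds the article gives: 15 and 30 milliseconds for LDAP Bind Time, and 80 percent for LSASS when no baseline exists. This is an added example, not code from the article; the function name and output file name are hypothetical, the counter paths assume an English-language OS, and dividing the LSASS figure by the logical processor count is this example's assumption about how to read the 80 percent rule.

```powershell
# Added example, not from the article. Run on the DC being diagnosed.
$counters = @(
    '\NTDS\DRA Pending Replication Synchronizations'
    '\NTDS\LDAP Client Sessions'
    '\NTDS\LDAP Bind Time'
    '\Process(lsass)\% Processor Time'
    '\Process(lsass)\Working Set'
    '\Process(lsass)\Working Set Peak'
)
$cores = [Environment]::ProcessorCount

function Get-CounterStatus {
    # Hypothetical helper: applies only the thresholds quoted in the article.
    param([string]$Path, [double]$Value)
    if ($Path -like '*\ldap bind time') {
        if ($Value -ge 30) { return 'Error' }      # PAL error threshold (ms)
        if ($Value -ge 15) { return 'Warning' }    # PAL warning threshold (ms)
    }
    elseif ($Path -like '*\process(lsass)\% processor time') {
        # This counter can read up to 100 x logical processors, so normalise first.
        if (($Value / $cores) -gt 80) { return 'Warning' }
    }
    return 'OK'   # no threshold is given for the remaining counters; compare to a baseline
}

# 20 samples, 15 seconds apart (five minutes), written out for later comparison.
Get-Counter -Counter $counters -SampleInterval 15 -MaxSamples 20 |
    ForEach-Object {
        $stamp = $_.Timestamp
        foreach ($s in $_.CounterSamples) {
            [pscustomobject]@{
                Time   = $stamp
                Path   = $s.Path
                Value  = [math]::Round($s.CookedValue, 2)
                Status = Get-CounterStatus -Path $s.Path -Value $s.CookedValue
            }
        }
    } | Export-Csv -Path .\dc-perf-sample.csv -NoTypeInformation
```

A sustained LSASS warning here is the cue to enable 15 Field Engineering from Tip 4 and look for the client behind the expensive LDAP queries.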

About the Author


Gary is a Solution Architect in Hewlett-Packard's Technology Services organization and lives in Roswell, GA. Gary has worked in the IT industry since 1981 and holds an MS in Computer Aided Manufacturing from Brigham Young University. Gary has authored numerous technical articles for TechTarget (http://searchwindowsserver.techtarget.com), Redmond Magazine (www.redmondmag.com) and TechNet magazine, and has presented numerous times at the HP Technology Forum, TechMentor Conference and at Microsoft TechEd 2011. Gary is a Microsoft MVP for Directory Services and is the founder and President of the Atlanta Active Directory Users Group (http://aadug.org).