
Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM. Jeff Alexander IT Pro Evangelist Microsoft Australia. Agenda. Building the Base Introducing the Active Directory Management Pack (ADMP) ADMP Monitoring and Server Health ADMP Reporting


Presentation Transcript


  1. Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM Jeff Alexander IT Pro Evangelist Microsoft Australia

  2. Agenda
     • Building the Base
     • Introducing the Active Directory Management Pack (ADMP)
     • ADMP Monitoring and Server Health
     • ADMP Reporting
     • SMS 2003 Patch Management (ITMU)
     • Summary and Q&A

  3. Application Packages Internet Resilient Infrastructure Cisco FWSM Cisco MPLS VPN • VPN • Quarantine Other NOS

  4. MOM 2005 Architecture Support Users Management Group Administrator • Agentless managed • Agent-managed MOM Server Operator Management Pack Domain A MOM Database Web • Agent-managed • Agent-managed • MOM Reporting Server • Reporting Database Reporting Domain B

  5. MOM 2005 Sizer

  6. Sybari Exchange Windows HP Proliant Servers Jalasoft Power Management Monitoring the stack • Partners provide complete monitoring solutions Jalasoft Network Management

  7. Agenda
     • Building the Base
     • Introducing the Active Directory Management Pack (ADMP)
     • ADMP Monitoring and Server Health
     • ADMP Reporting
     • SMS 2003 Patch Management (ITMU)
     • Summary and Q&A

  8. Why Monitor Active Directory?
     • Hardware failures
     • Disk space
     • Network connectivity
     • Configuration errors
     • Errant applications
     • Login/password issues
     • Group Policy
     • Resource access
     • Exchange e-mail
     • Replication issues

  9. Active Directory Management Pack

  10. Other Management Packs
      • DNS
      • Exchange
      • Group Policy
      • Base Operating Systems

  11. Active Directory Public Views
      View types: Computer Group Views, Event Views, Performance Views, Alert Views, Task Status Views, Diagram Views
      • Discovery
      • Number of Client Sessions
      • Health Monitoring
      • Active Directory Database
      • CPU and Memory Usage on DCs
      • DC and GC Response Time
      • Replication Monitoring
      • Replication Traffic
      • Replication Latency
      • Client Side Monitoring
      • Client Side Events
      • Health Monitoring
      • GC Search Response Events
      • Active Directory Op Master Response Events
      • Directory Service Errors
      • NTDS Events
      • Clean Up After Cross-Domain Moves
      • Health Monitoring
      • Active Directory Domain Controller Alerts
      • Lingering Object Alerts
      • Service Level Exceptions for DCs
      • Discovery
      • Domain Controllers by OS Version
      • Task Status
      • Enumerate Trusts
      • Replication Status Snapshot
      • Service Principal Name Health
      • Replication Topology
      • Broken Connection Objects
      • Connection Objects
      • Site Links

  12. Replication Topology Diagram Views
      • Three different views:
      • Broken Connection Objects
      • Connection Objects
      • Site Links
      • Server health state
      • Annotated server roles
      • Site links
      • Detailed tool tips

  13. Demonstration
      • Introducing the ADMP
      • Exploring the Administrator Console
      • Exploring the Operator Console
      • Defining Client Side Monitoring Computers

  14. Agenda
      • Building the Base
      • Introducing the Active Directory Management Pack (ADMP)
      • ADMP Monitoring and Server Health
      • ADMP Reporting
      • SMS 2003 Patch Management (ITMU)
      • Summary and Q&A

  15. Active Directory State Monitoring (panels: Client View, Replication Health, Server Health, Service Health)
      • Active Directory service healthy?
      • Other processes that are vital to the health of Active Directory?
      • Database growth and log file free space OK?
      • Are the necessary FSMO role holders responsive?
      • Is the Active Directory service responsive?
      • Can clients connect to the directory?
      • Is each DC configured properly?
      • Are all DCs replicating?
      • Is replication occurring in a timely fashion?
      • Has initial replication completed in the last 24 hours?
      • Can clients connect to PDC, GCs?
      • Is Active Directory responsive to clients?
      • Serverless bind threshold
      • GC Search Time
      • Lost object count
      • Availability of LDAP and crucial roles
      • Name resolution and DC locator
      • Client Pack tests
      • Serverless bind
      • PDC availability
      • Minimum number of GCs available
      • Targeted DCs availability and responsiveness
      • Health of LSASS, KCC, Userenv
      • State of NetLogon, FRS, ISM, W32Time, KDC
      • Name resolution and DC locator
      • SYSVOL accessibility
      • End-to-end replication via change injection
      • Health of inbound connection objects
      • Appropriate number of replication partners
      • Site islands
      • Slow replication

  16. Monitoring Scenarios Client Side Monitoring Ping Search ICMP LDAP Global Catalogs PDC Emulator

  17. Monitoring Scenarios Active Directory Trust Relationships Monitors and detects problems

  18. Monitoring Scenarios Account and Authentication Issues Password issues Credential issues Duplicate accounts Other problems

  19. Other Monitoring Scenarios Net Logon Service UGMC Dependent Services Active Directory Availability Replication Performance Monitoring

  20. Client Side Monitoring Scenario (diagram labels: London.contoso.com, LON-DC-01, LON-DC-02, Exchange user, LON-EXC-01, Seattle.contoso.com, MOM2005, HelpDesk, SEA-DC-01, SEA-DC-02; user complaint: "My e-mail is slow!")

  21. Replication Monitoring (diagram labels: Source DCs, Target DCs)
      • New container: CN=MomLatencyMonitors
      • Scripts add timestamps to monitor latency
      • Separate thresholds for intra- and intersite
      • Computers can be both source and target
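
The latency check outlined on the replication monitoring slide, as an added Python example that is not part of the presentation or of the management pack's scripts: each source DC stamps a marker, each target notes when that marker arrives, and the delay is judged against a separate intrasite or intersite threshold. The threshold values, the site map and all timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; not the management pack's defaults.
THRESHOLDS = {"intrasite": timedelta(minutes=5), "intersite": timedelta(minutes=30)}

# Constructed site map; DC names follow the scenario slide.
SITE_OF = {"LON-DC-01": "London", "LON-DC-02": "London",
           "SEA-DC-01": "Seattle", "SEA-DC-02": "Seattle"}

def evaluate(stamps, arrivals, now):
    """stamps: {source DC: time it wrote its marker}.
    arrivals: {(source, target): time that marker was seen on the target}.
    Returns {(source, target): (link kind, latency, status)}."""
    results = {}
    for source, stamped in stamps.items():
        for target in SITE_OF:
            if target == source:
                continue  # a DC is never its own replication target
            kind = "intrasite" if SITE_OF[source] == SITE_OF[target] else "intersite"
            arrived = arrivals.get((source, target))
            # A marker that has not arrived is aged against 'now', so a
            # stalled link still breaches its threshold instead of staying silent.
            latency = (now if arrived is None else arrived) - stamped
            late = latency > THRESHOLDS[kind]
            if arrived is None:
                status = "MISSING" if late else "WAITING"
            else:
                status = "SLOW" if late else "OK"
            results[(source, target)] = (kind, latency, status)
    return results

def sample_results():
    """Constructed run: two DCs act as sources, all four can be targets."""
    t0 = datetime(2005, 1, 1, 12, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    stamps = {"LON-DC-01": t0, "SEA-DC-01": t0}
    arrivals = {("LON-DC-01", "LON-DC-02"): m(2),
                ("LON-DC-01", "SEA-DC-01"): m(20),
                ("SEA-DC-01", "SEA-DC-02"): m(9),
                ("SEA-DC-01", "LON-DC-01"): m(10),
                ("SEA-DC-01", "LON-DC-02"): m(40)}
    return evaluate(stamps, arrivals, now=m(45))

if __name__ == "__main__":
    for (src, dst), (kind, latency, status) in sorted(sample_results().items()):
        print(f"{src} -> {dst:10} {kind:9} {latency}  {status}")
```

The MISSING status matters most operationally: a marker that never arrives produces no arrival record at all, so the check has to age it against the current time to raise anything.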

  22. Demonstration
      • ADMP Monitoring and Server Health
      • Troubleshooting Replication Problems
      • Configuring Low-Privilege Account
      • Forcing Data Collection

  23. Agenda
      • Building the Base
      • Introducing the Active Directory Management Pack (ADMP)
      • ADMP Monitoring and Server Health
      • ADMP Reporting
      • SMS 2003 Patch Management (ITMU)
      • Summary and Q&A

  24. ADMP Reports
      • Configuration
      • Disk Space
      • Operations
      • Replication

  25. Demonstration
      • ADMP Reporting
      • Performing the Initial Triage
      • Using Predefined Reports

  26. Agenda
      • Building the Base
      • Introducing the Active Directory Management Pack (ADMP)
      • ADMP Monitoring and Server Health
      • ADMP Reporting
      • SMS 2003 Patch Management (ITMU)
      • Summary and Q&A

  27. Overview of Inventory Tool for Microsoft Updates (ITMU)
      • Why the change to ITMU?
      • SMS 2003 currently uses Microsoft Baseline Security Analyzer (MBSA)
      • The MBSA scan engine is built on a third-party tool named Shavlik.
      • SMS and Microsoft Update Partnership
      • ITMU – Reduced dependency on MBSA
      • The SMS ITMU enables customers to standardize on the patch technology of choice for Microsoft going forward.

  28. Overview of Inventory Tool for Microsoft Updates (ITMU)
      • What does the new ITMU do differently?
      • Improved patch management through a more comprehensive and widely supported detection technology
      • Broader detection support for more Microsoft products
      • Consistent product support across multiple detection technologies including parity with Automatic Updates

  29. Overview of Inventory Tool for Microsoft Updates (ITMU)
      • How is ITMU different from MBSA?
      • ITMU supports security updates, service packs and rollups
      • ITMU supports Office XP and later for security updates and service packs
      • ITMU only supports Windows 2000 SP3 or later
      • ITMU catalog (WSUSScan.cab) includes all languages
      • ITMU supports SQL Server 2000 and beyond
      • ITMU provides automatic updates of the Microsoft Updates Catalog
      • Uses Windows Update Agent to scan and identify current patch status

  30. Inventory Tool for Microsoft Updates (ITMU) Diagram

  31. Client Scans with ITMU
      • Requires Windows Update Agent
      • If agent is not already installed, SMS can automatically install the agent through a dependent program
      • Scan program calls Windows Update Agent installation program
      • Configurable through ITMU Setup
      • Once Windows Update Agent is installed, scan for Microsoft Updates can occur

  32. Client Scans with ITMU
      • Scan Agent process:
      • Scanwrapper.exe verifies Windows Update Agent installed
      • Scanwrapper.exe calls SMSWushandler.exe
      • SMSWusHandler.exe performs scan through calls to the Windows Update Agent
      • Scan Agent process:
      • Scan Data is stored in WMI
      • Data is stored in the Win32_PatchState_Extended class
      • “Type” attribute is set to “Microsoft Update”
      • Scan results reported through hardware inventory
      • SMS 2003 SP1 sms_def.mof file already supports the Extended Patch State class and data

  33. Viewing Results for ITMU
      • Data is maintained on the client in WMI
      • Data is returned to the SMS site database in Extended Patch State
      • Data can be viewed in Resource Explorer, Software Updates (SMS Administrator Console node), and SMS Reports
      • Previously existing Software Compliance reports are updated to support both classes
      • There are six new reports added with this tool
      • Two in Software Update – Compliance
      • Four in Software Update – Distribution Status

  34. Update Distribution
      • As with MBSA, the Distribute Software Updates Wizard is used
      • Presents a list of available updates for distribution
      • Downloads updates and creates SMS objects required to deploy them
      • Optionally the administrator can pre-download and stage the patches prior to using the wizard
      • Administrator selects which updates to deploy to which clients
      • Can have multiple updates in a single package
      • Installed on all SMS 2003 SP1 Administrator Consoles automatically

  35. Demonstration
      • Inventory Tool for Microsoft Updates
      • Overview of the tool
      • Sending out patches

  36. Troubleshooting
      • There are new (and some old) log files that can be helpful in troubleshooting patch deployment
      • SMSWUSHANDLER.log
      • Advertisement.log
      • SMSCLIUI.log
      • PatchUIMonitor.log
      • EXECMGR.log
      • Patchinstall.log
      • WUSSyncXML.log
      • PatchDownloader.log

  37. Troubleshooting (continued)
      • Client Side Debugging
      • ITMU puts the inventory scan results in the CIMV2 namespace on SP1 clients
      • To review the information collected
      • Connect to the root\cimv2 namespace (using WBEMTEST) on the Advanced Client
      • Review the class instances stored within the Win32_PatchState_Extended WMI class
      • Basic setup issues may be solved by ensuring that the customer has the supported platforms installed

  38. Session Summary
      • Install additional MPs for the complete picture
      • Take advantage of client side monitoring
      • Identify trends and issues through reporting
      • Be able to respond to update requirements
