400 likes | 531 Vues
Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM. Jeff Alexander IT Pro Evangelist Microsoft Australia. Agenda. Building the Base Introducing the Active Directory Management Pack (ADMP) ADMP Monitoring and Server Health ADMP Reporting
E N D
Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM Jeff Alexander IT Pro Evangelist Microsoft Australia
Agenda • Building the Base • Introducing the Active Directory Management Pack (ADMP) • ADMP Monitoring and Server Health • ADMP Reporting • SMS 2003 Patch Management (ITMU) • Summary and Q&A
Application Packages Internet Resilient Infrastructure Cisco FWSM Cisco MPLS VPN • VPN • Quarantine Other NOS
MOM 2005 Architecture Support Users Management Group Administrator • Agentless managed • Agent-managed MOM Server Operator Management Pack Domain A MOM Database Web • Agent-managed • Agent-managed • MOM Reporting Server • Reporting Database Reporting Domain B
Sybari Exchange Windows HP Proliant Servers Jalasoft Power Management Monitoring the stack • Partners provide complete monitoring solutions Jalasoft Network Management
Agenda • Building the Base • Introducing the Active Directory Management Pack (ADMP) • ADMP Monitoring and Server Health • ADMP Reporting • SMS 2003 Patch Management (ITMU) • Summary and Q&A
Why Monitor Active Directory? • Hardware failures • Disk space • Network connectivity • Configuration errors • Errant applications • Login/password issues • Group Policy • Resource access • Exchange e-mail • Replication issues
DNS Exchange Group Policy Base Operating Systems Other Management Packs
Discovery • Number of Client Sessions • Health Monitoring • Active Directory Database • CPU and Memory Usage on DCs • DC and GC Response Time • Replication Monitoring • Replication Traffic • Replication Latency • Client Side Monitoring • Client Side Events • Health Monitoring • GC Search Response Events • Active Directory Op Master Response Events • Directory Service Errors • NTDS Events • Clean Up After Cross-Domain Moves • Health Monitoring • Active Directory Domain Controller Alerts • Lingering Object Alerts • Service Level Exceptions for DCs • Discovery • Domain Controllers by OS Version • Task Status • Enumerate Trusts • Replication Status Snapshot • Service Principal Name Health • Replication Topology • Broken Connection Objects • Connection Objects • Site Links Computer Group Views Event Views Performance Views Alert Views Task Status Views Diagram Views Active Directory Public Views
Replication Topology Diagram Views • Three different views: • Broken Connection Objects • Connection Objects Site Links • Server health state • Annotated server roles • Site links • Detailed tool tips Site Links
demonstration • Introducing the ADMP • Exploring the Administrator Console • Exploring the Operator Console • Defining Client Side Monitoring Computers
Agenda • Building the Base • Introducing the Active Directory Management Pack (ADMP) • ADMP Monitoring and Server Health • ADMP Reporting • SMS 2003 Patch Management (ITMU) • Summary and Q&A
Active Directory service healthy? • Other processes that are vital to the health of Active Directory? • Database growth and log file free space OK? • Are the necessary FSMO role holders responsive? • Is the Active Directory service responsive? • Can clients connect to the directory? • Is each DC configured properly? • Are all DCs replicating? • Is replication occurring in a timely fashion? • Has initial replication completed in the last 24 hours? • Can clients connect to PDC, GCs? • Is Active Directory responsive to clients? • Serverless bind threshold • GC Search Time • Lost object count • Availability of LDAP and crucial roles • Name resolution and DC locator • Client Pack tests • Serverless bind • PDC availability • Minimum number of GCs available • Targeted DCs availability and responsiveness • Health of LSASS, KCC, Userenv • State of NetLogon, FRS, ISM, W32Time, KDC • Name resolution and DC locator • SYSVOL accessibility • End-to-end replication via change injection • Health of inbound connection objects • Appropriate number of replication partners • Site islands • Slow replication Active Directory State Monitoring Client View Replication Health Server Health Service Health
Monitoring Scenarios Client Side Monitoring Ping Search ICMP LDAP Global Catalogs PDC Emulator
Monitoring Scenarios Active Directory Trust Relationships Monitors and detects problems
Monitoring Scenarios Account and Authentication Issues Password issues Credential issues Duplicate accounts Other problems
Other Monitoring Scenarios Net Logon Service UGMC Dependent Services ActiveDirectoryAvailability Replication PerformanceMonitoring
London.contoso.com LON-DC-01 LON-DC-02 Exchangeuser LON-EXC-01 Seattle.contoso.com MOM2005 HelpDesk SEA-DC-01 SEA-DC-02 Client Side Monitoring Scenario My e-mail is slow!
Source DCs Target DCs Replication Monitoring New container: CN=MomLatencyMonitors Scripts add timestamps to monitor latency Separate thresholds for intra- and intersite Computers can be both source and target
demonstration • ADMP Monitoring and Server Health • Troubleshooting Replication Problems • Configuring Low-Privilege Account • Forcing Data Collection
Agenda • Building the Base • Introducing the Active Directory Management Pack (ADMP) • ADMP Monitoring and Server Health • ADMP Reporting • SMS 2003 Patch Management (ITMU) • Summary and Q&A
Configuration Disk Space Operations Replication ADMP Reports
demonstration • ADMP Reporting • Performing the Initial Triage • Using Predefined Reports
Agenda • Building the Base • Introducing the Active Directory Management Pack (ADMP) • ADMP Monitoring and Server Health • ADMP Reporting • SMS 2003 Patch Management (ITMU) • Summary and Q&A
Overview of Inventory Tool for Microsoft Updates (ITMU) • Why the change to ITMU? • SMS 2003 currently uses Microsoft Baseline Security Analyzer (MBSA) • The MBSA scan engine is built on a third-party tool named Shavlik. • SMS and Microsoft Update Partnership • ITMU – Reduced dependency on MBSA • The SMS ITMU enables customers to standardize on the patch technology of choice for Microsoft going forward.
Overview of Inventory Tool for Microsoft Updates (ITMU) • What does the new ITMU do differently? • Improved patch management through a more comprehensive and widely supported detection technology • Broader detection support for more Microsoft products • Consistent product support across multiple detection technologies including parity with Automatic Updates
Overview of Inventory Tool for Microsoft Updates (ITMU) • How is ITMU different from MBSA? • ITMU supports security updates, service packs and rollups • ITMU supports Office XP and later for security updates and service packs • ITMU only supports Windows 2000 SP3 or later • ITMU catalog (WSUSScan.cab) includes all languages • ITMU Supports SQL Server 2000 and beyond • ITMU provides automatic updates of the Microsoft Updates Catalog • Uses Windows Updates Agent to scan and identify current patch status
Client Scans with ITMU • Requires Windows Update Agent • If agent is not already installed, SMS can automatically install the agent through a dependent program • Scan program calls Windows Update Agent installation program • Configurable through ITMU Setup • Once Windows Updates Agent is installed, scan for Microsoft Updates can occur
Client Scans with ITMU • Scan Agent process: • Scanwrapper.exe verifies WindowsUpdates Agent installed • Scanwrapper.exe calls SMSWushandler.exe • SMSWusHandler.exe performs scan through calls to the Windows Updates Agent • Scan Agent process: • Scan Data is stored in WMI • Data is stored in the Win32_PatchState_Extended class • “Type” attribute is set to “Microsoft Update” • Scan results reported through hardware inventory • SMS 2003 SP1 sms_def.mof file already supports the Extended Patch State class and data
Viewing Results for ITMU • Data is maintained on the client in WMI • Data is returned to the SMS site database in Extended Patch State • Data can be viewed in Resource Explorer, Software Updates (SMS Administrator Console node), and SMS Reports • Previously existing Software Compliance reports are updated to support both classes • There are six new reports added with this tool • Two in Software Update – Compliance • Four in Software Update – Distribution Status
Update Distribution • As with MBSA, the Distribute Software Updates Wizard is used • Presents a list of available updates for distribution • Downloads updates and creates SMS objects required to deploy them • Optionally the administrator can pre-download and stage the patches prior to using the wizard • Administrator selects which updates to deploy to which clients • Can have multiple updates in a single package • Installed on all SMS 2003 SP1 Administrator Consoles automatically
demonstration • Inventory Tool for Microsoft Updates • Overview of the tool • Sending out patches
Troubleshooting • There are new (and some old) log files that can be helpful in troubleshooting patch deployment • SMSWUSHANDLER.log • Advertisement.log • SMSCLIUI.log • PatchUIMonitor.log • EXECMGR.log • Patchinstall.log • WUSSyncXML.log • PatchDownloader.log
Troubleshooting (continued) • Client Side Debugging • ITMU puts the inventory scan results in the CIMV2 namespace on SP1 clients • To review the information collected • Connect to the root\cimv2 namespace (using WBEMTEST) on the Advanced Client • Review the class instances stored within the Win32_PatchState_Extended WMI class • Basic setup issues may be solved by ensuring that the customer has the supported platforms installed
Session Summary • Install additional MPs for the complete picture • Take advantage of client side monitoring • Identify trends and issues through reporting • Be able to respond to update requirements