The Active Directory database is referenced when a user tries to log into the network. AD is referenced whenever someone tries to locate a resource on the network. Some network engineers suggest that AD is the central nervous system for a business that leverages AD for network management.
Quite frankly, AD is a database with many objects that define most resources on the network. A database of this magnitude must be managed and maintained to keep it healthy. Great network administrators realize the importance of Active Directory. They devote a part of their job to ensuring that AD is running smoothly.
Active Directory stores all objects in a database that is located on a Domain Controller. Every Windows Network that leverages Active Directory must have at least one Domain Controller. Most organizations have at least two domain controllers for fault tolerance and disaster recovery reasons. Also, having a second domain controller on the network can improve network performance and responsiveness.
How do I know if AD is working smoothly?
The first place to turn to for a status of your Active Directory Database is the Windows Event Viewer. The event viewer records at least three types of messages for Active Directory and other components of the Windows Ecosystem. These message types are categorized as Informational, Warnings, and Errors. The event viewer will list messages related to AD.
Here is a list of things you can do to manage an Active Directory database:
- Open Windows Event Viewer to see if there are any messages relating to Active Directory
- Document, Document, Document. Create a diagram of the Active Directory Architecture
- Create an associated document that lists Active Directory specifics like the location of the domain controller, domain username and password, domain administrator's emergency contact information, etc.
- Document AD backup schedule, frequency, and location of backup file
Tools to help manage AD:
The Replication Diagnostic Tool
The Replication Diagnostic Tool is a command-line tool that can be used to spot replication problems such as an offline server or a LAN or WAN link that’s unavailable. This tool can also be used to establish a replication topology. However, you should never create your own replication topology unless you have a good reason for doing so and know exactly what you’re doing, because creating a custom replication topology interferes with the replication topology that Windows creates automatically. Under normal circumstances, the Knowledge Consistency Checker (KCC) automatically manages the replication topology.
Incorrectly using this tool interferes with Windows’ built-in ability to manage replication and can even cause replication to stop completely. With that said, I’ll begin discussing how to use the tool for diagnostic purposes. Like many other command-line tools, the Replication Diagnostic Tool only requires you to follow the name of the executable file with a command and the arguments that the command requires. You can also supplement the command and arguments with the domain, username, and password of the user who should be executing the command. However, you have to add this information only if you’re currently logged in as a user who has insufficient privileges to execute the command.
Repadmin /replsummary:
This is a great command that gives you a snapshot of the state of your Active Directory replication and how long it has been since a partition has replicated. If everything is healthy, you should not see more than 1 hour since the last replication. Use this command if you have more than one domain controller in your environment. Active Directory uses replication to back up its objects from one domain controller to another.
Repadmin /showrepl /repsto:
This command displays the replication partners for each naming context that is held on the specified DC. This enables you to build a picture of the replication topology.
Repadmin /queue:
This command runs against a particular DC and determines if its replication queue has any entries. If it has, it may indicate it is overloaded.
Repadmin /viewlist:
This lists all the DCs in the Forest. This is limited at this point to output up to 999 DCs.
Netdom query FSMO:
This is a nice quick command to display which server(s) currently hold the Forest and Domain Wide FSMO roles.
Netdom query DC:
To check the number of DCs in the domain.
Repadmin /syncall:
To force the replication on a particular DC.
Dcdiag /v:
To check the Active Directory health. It may be a good idea to redirect the output of this command to a file due to the number of lines of the resulting text.
Repadmin /kcc:
To create the connection object when the replication is broken.
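Added example (not part of the original post): a PowerShell check that applies the 1-hour rule mentioned under Repadmin /replsummary to per-link replication data. It assumes the CSV column layout produced by repadmin /showrepl * /csv; the function name, DC names, sites and timestamps are constructed for illustration.

```powershell
# Constructed sample, assumed to match the columns of `repadmin /showrepl * /csv`.
# Check the header row on your own DC before relying on the column names.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=test",HQ,DC02,RPC,0,0,2024-05-01 09:47:10,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=example,DC=test",Branch,DC03,RPC,5,2024-05-01 09:50:02,2024-05-01 06:12:44,1722
showrepl_INFO,Branch,DC03,"DC=example,DC=test",HQ,DC01,RPC,0,0,2024-05-01 08:14:20,0
'@

function Get-StaleReplicationLink {
    # Hypothetical helper: returns links that are failing or older than $MaxAge.
    param(
        [Parameter(Mandatory)] [object[]] $Link,
        [datetime] $Now = (Get-Date),
        [timespan] $MaxAge = (New-TimeSpan -Hours 1)   # threshold from the text above
    )
    $inv  = [cultureinfo]::InvariantCulture
    $none = [System.Globalization.DateTimeStyles]::None
    foreach ($l in $Link) {
        $last = [datetime]::MinValue
        # A link that never replicated has no parsable success time: treat it as stale.
        $ok  = [datetime]::TryParse($l.'Last Success Time', $inv, $none, [ref]$last)
        $age = if ($ok) { $Now - $last } else { $null }
        $failures = [int]$l.'Number of Failures'
        if (-not $ok -or $age -gt $MaxAge -or $failures -gt 0) {
            [pscustomobject]@{
                Destination   = $l.'Destination DSA'
                Source        = $l.'Source DSA'
                NamingContext = $l.'Naming Context'
                Failures      = $failures
                LastStatus    = $l.'Last Failure Status'
                AgeMinutes    = if ($ok) { [int]$age.TotalMinutes } else { $null }
            }
        }
    }
}

# Offline run against the constructed sample with a fixed clock.
$links = ($sample -split "`r?`n") | ConvertFrom-Csv
# On a domain controller, replace the line above with:
#   $links = repadmin /showrepl * /csv | ConvertFrom-Csv
Get-StaleReplicationLink -Link $links -Now ([datetime]'2024-05-01 10:00:00') |
    Format-Table -AutoSize
```

Run on a schedule, the same function can write its results to a file or raise an alert, so a link that stops replicating is noticed before directory data on that DC drifts out of date.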
Active Directory Database and Log Files
The Active Directory database engine is the Extensible Storage Engine (ESE). The ESE uses transaction and log files to ensure the integrity of the active directory database. Active Directory includes the following files:
Ntds.dit
Is the Active Directory database, which stores all of the Active Directory objects on the domain controller. The .dit extension refers to the directory information tree. Active Directory records each transaction in log files that are associated with the Ntds.dit file.
Edb*.log
Is the transaction log file. Each transaction file is 10 megabytes (MB). When the Edb.log file is full, Active Directory renames it to edbnnnnn.log, where nnnnn is an increasing number that starts from 1.
Edb.chk
Is a checkpoint file, which the database engine uses to track data that has not yet been written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the status between memory and the database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs.
Res1.log and Res2.log
These are reserved transaction log files. The amount of disk space that is reserved on a drive or folder for this log is 20 MB. This reserved disk space provides sufficient space to shut down if all the other disk space is being used.
Ok, I've given you enough information to go and grab your AD by the horns and rope it in. Just be careful how you handle this steer.