JSI Tip 5454. How do I monitor performance in Active Directory?

Jerold Schulman

June 18, 2002


Microsoft TechNet article Monitoring Performance in Active Directory contains:

Chapter 8 - Monitoring Performance in Active Directory

Monitoring Active Directory performance is vital to making sure that Active Directory is meeting your business and networking goals. For example, one aspect of ensuring optimal performance is to verify that all network servers are getting directory replication updates and applying them in a timely manner. To monitor replication, as well as other activities, you have available to you Microsoft Management Console (MMC) snap-ins, Microsoft® Windows® 2000 Server Resource Kit command-line tools, and Microsoft® Visual Basic® scripts.

By using a combination of MMC snap-ins and Performance Monitoring tools, such as command-line tools and Visual Basic scripts, you can monitor many activities in Active Directory, the Windows 2000 directory service. For example, activities such as monitoring replication topology, Domain Name System (DNS) functionality, latency, connection times, and allocation of relative identifiers (RIDs) can each be monitored by using these tools.

MMC Snap-ins

The Windows 2000 MMC provides several snap-ins that are available from the Administrative Tools menu. The Active Directory Sites and Services snap-in enables you to view information that is related to sites and replication topology. The Performance snap-in provides a graphical way to view performance of Active Directory according to measurements, or counters, that you select. Also, you can log activity according to those counters and print them or view them online. Finally, Event Viewer enables you to view log files and error messages sent by applications.

Performance

The Performance snap-in enables you to monitor the performance of local and remote computers anywhere in your network and summarize the performance at selected intervals. The Performance snap-in uses a range of counters for monitoring real-time resource usage. The Performance snap-in can log results to a file so that you can analyze the performance history of a computer. You can monitor resource usage of other Windows 2000 servers on the network providing you have the right permission. You can also use the Performance snap-in to collect baseline performance data and send alerts to the event log about exceptions to the baseline that you configure.

The Performance snap-in is a command on the Administrative Tools menu, and it has two tools: System Monitor and Performance Logs and Alerts.

For more information about performance monitoring tools, see "Overview of Performance Monitoring" in the Microsoft Windows 2000 Server Resource Kit Server Operations Guide.

System Monitor

The System Monitor tool enables you to display performance data in real-time charts and reports, collect data in files, and generate alerts that warn you when critical events occur. This information is classified as a performance object by the component (whether it is a service, computer, or mechanism) that generates the data. Examples of performance objects include Processor, Print Queue, and SMTP service. To monitor Active Directory, you monitor the activity reported by the NTDS performance object.

By using System Monitor, you can track the activity of performance objects through the use of counters. Performance counters measure the parameters that apply to a performance object. For example, if you need to discover whether a server is receiving directory replication updates and applying the updates in a timely fashion, you can select one or more counters from the NTDS object and then view the current activity by using System Monitor. For more information about using System Monitor, see System Monitor Help.

For example, to ensure a timely replication of all network servers, you can use the DRA Pending Replication Synchronizations counter from the NTDS object to check the number of directory synchronizations that are queued for a server but not yet processed. This counter provides a visual representation of how quickly objects are being applied to the server, which helps you to determine whether a server is replicating normally.

Performance Logs and Alerts

The Performance Logs and Alerts tool enables you to log performance counters and system alerts. You can optionally collect data using the Windows Management Instrumentation (WMI) interface for hardware resources installed on the system. WMI can trace data available in Active Directory for core directory service Lightweight Directory Access Protocol (LDAP), Key Distribution Center (KDC), Security Accounts Manager (SAM), Local Security Authority (LSA), and Net Logon service. When enabled, trace logging continuously captures key events such as network logons, authentications, LDAP operations, and SAM operations, and it also records the CPU time, timestamp, and thread identifier. You can enable or disable trace logging by using the Performance Logs and Alerts tool. To produce transaction-level costing information trace data, you must use the trace application programming interfaces (APIs). For more information about trace APIs for third-party systems management vendors, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

Similar to the System Monitor tool, the Performance Logs and Alerts tool enables you to select performance counters in a performance object, such as NTDS, for purposes of tracking certain types of activity. Furthermore, you can select the time intervals during which to log the activity, and you can print the logs or view them online by using System Monitor.

For more information about using the Performance snap-in, see Windows 2000 Server Help.

Event Viewer

Windows 2000 provides the Event Viewer snap-in as a way to monitor system events, such as application or system errors and the successful starting of services. These events are recorded in event logs. For example, if you need detailed information about when directory partitions are replicated, you would use Event Viewer to study the event log.

Also, if you suspect any problem with the directory operation, such as information not being replicated, it is recommended that you first investigate the event logs to determine the cause of the problem. By using information from the event logs, you can better understand the sequence and types of events that led to the performance problem. For more information about how to use the Event Viewer snap-in, see Windows 2000 Server Help.

Active Directory Performance Tools

This section describes the command-line tools and Visual Basic scripts, provided on the Windows 2000 Resource Kit companion CD, that enable you to monitor performance of Active Directory, including monitoring differences between directory partitions, replication schedules and topology, networking, channels, local and remote computer performance, and the allocation of RID pools. They are located in the directory <Root Directory of the CD-ROM>\Support\Reskit. The Pmon.exe command-line tool and two Visual Basic (VBS) scripts, DisplayRID and DisplayOld, are further described in this chapter.

Pmon

You can use the Process Monitor (Pmon.exe) command-line tool to monitor process resource usage by tracking CPU and memory usage for each running process. Pmon.exe also measures paged and nonpaged pool usage, and identifies kernel-mode memory leaks. For Active Directory purposes, you can use Pmon.exe to monitor the memory usage of the Local Security Authority by viewing the Lsass.exe process.

The Process Monitor tool provides a keyboard interface, so you can use the UP ARROW and DOWN ARROW to scroll up and down the list of currently running processes. To quit Pmon.exe, press ESC or type q. Use any other key to refresh the Pmon.exe display.

For more information about paged and nonpaged pool usage, see "Evaluating Memory and Cache Usage" in the Microsoft Windows 2000 Server Resource Kit Server Operations Guide.

DisplayRID

You use the Visual Basic script DisplayRID to monitor the allocation and use of RID pools by domain controllers. For example, to monitor the ResKit domain's allocation and use of its RID pool, type:

cscript displayrid.vbs /D:ResKit /U:SalesAdministrator /W:mypass1

The general syntax of the command is as follows:

Cscript displayrid.vbs [/U:Username] [/W:Password] [/D:Domain] [/S:Server] [/Q]
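The same RID pool check written today, as an added example rather than the Resource Kit's DisplayRID.vbs. It assumes a current Windows Server with the ActiveDirectory module; the attribute names (rIDAvailablePool on CN=RID Manager$, and rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID on each DC's CN=RID Set) are real schema attributes, while the function name and the output layout are this example's own. It authenticates with the caller's own Kerberos ticket, which avoids putting a password on the command line as the /W switch above does (command lines are visible in process listings and shell history).

```powershell
# Added example (not the Resource Kit script). Reports the domain-wide RID pool held by
# the RID master and each DC's current allocation. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RidPoolState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom  = Get-ADDomain -Identity $Domain
    $mask = [int64]4294967295            # low 32 bits of the packed 64-bit pool values

    # The domain-wide pool is one 64-bit attribute on CN=RID Manager$,CN=System:
    # low 32 bits = start of the next block the RID master will hand out,
    # high 32 bits = highest RID the domain may ever issue (1,073,741,823 by default).
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($dom.DistinguishedName)" `
                           -Properties rIDAvailablePool -Server $dom.RIDMaster
    $pool = [int64]$ridMgr.rIDAvailablePool
    $domainState = [pscustomobject]@{
        RidMaster    = $dom.RIDMaster
        NextRidBlock = $pool -band $mask
        MaxRid       = $pool -shr 32
        PercentUsed  = [math]::Round(100.0 * ($pool -band $mask) / ($pool -shr 32), 2)
    }

    $perDc = foreach ($dc in Get-ADDomainController -Filter * -Server $dom.PDCEmulator) {
        # Each DC keeps its pools in CN=RID Set under its own computer object.
        # rIDPreviousAllocationPool is the pool being consumed now; rIDAllocationPool is the
        # block most recently granted (identical until a fresh block has been requested).
        # rIDNextRID is not replicated, so each DC must be asked directly.
        try {
            $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
                                   -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID `
                                   -Server $dc.HostName
        } catch {
            Write-Warning "Could not read RID Set from $($dc.HostName): $_"
            continue
        }
        $current = [int64]$ridSet.rIDPreviousAllocationPool
        $nextRid = [int64]$ridSet.rIDNextRID
        [pscustomobject]@{
            DomainController = $dc.HostName
            PoolStart        = $current -band $mask
            PoolEnd          = $current -shr 32
            NextRid          = $nextRid          # the DC's position in its current pool
            RidsLeftInPool   = ($current -shr 32) - $nextRid
            FreshPoolWaiting = ([int64]$ridSet.rIDAllocationPool -ne $current)
        }
    }

    [pscustomobject]@{ Domain = $domainState; DomainControllers = $perDc }
}

# Usage: (Get-RidPoolState -Domain reskit.com).DomainControllers | Format-Table
```

A DC whose RidsLeftInPool keeps shrinking while FreshPoolWaiting stays false is one to watch: it cannot create security principals once the pool is exhausted if the RID master is unreachable.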

DisplayOld

You use the Visual Basic script DisplayOld to query Active Directory to find computer or user accounts that have not logged on for a specified period of time. The output can be optionally archived to a file in LDAP Data Interchange Format (LDIF) so that you can delete those objects from Active Directory. For example, to find all user accounts in the ResKit domain that have not logged on for the past 60 days, type the following command:

cscript displayold.vbs /N:60 /C:user /D:ResKit /U:SalesAdministrator /W:mypass1

The general syntax of the command is as follows:

Cscript displayold.vbs /N:Number_of_days [/U:User_name] [/W:Password] [/D:Domain] [/S:Server] [/C:Computer|User] [/F:File_name] [/Q]

Note that only one parameter, /N:Number_of_days, is required.
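A current equivalent of DisplayOld, added here as an example and not taken from the Resource Kit. It assumes the ActiveDirectory module on a current Windows Server; the parameter names mirror the /N, /C, /D and /F switches above but are this example's own. Two details matter that the one-line command hides: lastLogon is never replicated, so every domain controller has to be queried (the script does this, with the replicated but up to two weeks stale lastLogonTimestamp as a fallback), and an LDIF delete file must encode any DN that is not plain ASCII.

```powershell
# Added example, not the Resource Kit's DisplayOld.vbs. Finds enabled user or computer
# accounts whose newest logon across all DCs is older than N days; optionally writes an
# LDIF delete file. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdifDnLine {
    param([string]$Dn)
    # RFC 2849: a DN that is not a SAFE-STRING (non-ASCII, or starting with space, ':' or '<')
    # must be base64-encoded after "dn::", or ldifde/ldapmodify will reject the file.
    if ($Dn -match '^[\x21-\x39\x3B\x3D-\x7E][\x20-\x7E]*$') { "dn: $Dn" }
    else { 'dn:: ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Dn)) }
}

function Find-StaleAccount {
    param(
        [Parameter(Mandatory)][int]$Days,
        [ValidateSet('User', 'Computer')][string]$Class = 'User',
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [string]$LdifPath
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $dcs    = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object HostName

    # lastLogon is written only on the DC that handled the logon and is not replicated, so
    # every DC is asked and the newest value kept. lastLogonTimestamp is replicated but is
    # refreshed at most every 9-14 days; it is used only when lastLogon is empty.
    $newest = @{}
    $props  = 'lastLogon', 'lastLogonTimestamp', 'whenCreated'
    foreach ($dc in $dcs) {
        try {
            $objs = if ($Class -eq 'User') { Get-ADUser     -Filter 'Enabled -eq $true' -Server $dc -Properties $props }
                    else                   { Get-ADComputer -Filter 'Enabled -eq $true' -Server $dc -Properties $props }
        } catch { Write-Warning "Skipping $dc : $_"; continue }

        foreach ($o in $objs) {
            $ft = [int64]$o.lastLogon
            if ($ft -eq 0) { $ft = [int64]$o.lastLogonTimestamp }
            $dn = $o.DistinguishedName
            if (-not $newest.ContainsKey($dn) -or $ft -gt $newest[$dn].FileTime) {
                $newest[$dn] = @{ FileTime = $ft; Created = $o.whenCreated.ToUniversalTime() }
            }
        }
    }

    $stale = foreach ($dn in $newest.Keys) {
        $e    = $newest[$dn]
        $last = if ($e.FileTime -gt 0) { [DateTime]::FromFileTimeUtc($e.FileTime) } else { $null }
        # An account that has never logged on is stale only if it is also older than the
        # window; otherwise newly created accounts would be deleted before first use.
        $inactive = if ($last) { $last -lt $cutoff } else { $e.Created -lt $cutoff }
        if ($inactive) { [pscustomobject]@{ DistinguishedName = $dn; LastLogon = $last; Created = $e.Created } }
    }

    if ($LdifPath) {
        # One "changetype: delete" record per account; review the file before "ldifde -i -f <file>".
        $lines = foreach ($s in $stale) { ConvertTo-LdifDnLine $s.DistinguishedName; 'changetype: delete'; '' }
        Set-Content -Path $LdifPath -Value $lines -Encoding ASCII
    }
    $stale
}

# Usage: Find-StaleAccount -Days 60 -Class User -LdifPath .\stale-users.ldif
```

Disable the accounts listed and wait out a grace period before importing the delete file; service accounts that authenticate only with certificates or NTLM pass-through on a single DC can look idle to a timestamp-based query.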

Trace Logging

Trace logging enables you to measure the performance cost of an operation. Active Directory provides instrumentation to trace the operations of directory services, such as LDAP Primitives, Kerberos, SAM, LSA, and Net Logon. When enabled, tracing captures key events such as logons, authentications, LDAP operations, and SAM operations. It also records parameters such as CPU time, timestamps, and thread identifiers. By using the event logging services of the Performance Logs and Alerts service, you can enable or disable trace logging. To produce transaction-level costing information trace data, you must use the trace APIs. For more information about trace APIs, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. The Microsoft Platform SDK and Resource Kit also includes sample programs and tools to post-process trace data.

When the Active Directory Installation Wizard installs Active Directory, the wizard configures performance counters in the NTDS object that provide statistics about directory activity. These counters apply to the entire directory, including global catalogs. By using the Performance snap-in, you can graphically view current activity, and also send the activity to a log file.

NTDS Object

The NTDS object contains performance counters that provide statistics about Active Directory performance. For example, there are several counters associated with the directory replication agent (DRA), which monitors replication activity. Because there are many performance counters from which to choose, you first need to determine the statistics you want to monitor and then find the matching performance counter.

These counters can also help during capacity planning by providing some baseline analysis. For example, you can create events that run whenever performance exceeds your baseline criteria. Typically, counters that are suited for capacity planning contain the word "Total" in their name, and come in three types:

  • Statistic. Shows total actions per second. For example, the counter DRA Inbound Properties Total/Sec shows the total number of object properties received from inbound replication partners.

  • Ratio. Shows the percentage of total activity. For example, the counter DS % Writes from LDAP shows the percentage of directory writes that arrive from LDAP clients.

  • Cumulative. Shows activity since the last start of the computer. For example, the counter DRA Inbound Bytes Total Since Boot shows the total number of inbound bytes replicated, the sum of the number of bytes of uncompressed data (never compressed) and compressed data (after compression).

Each counter has its own guidelines and limits. The counters listed in Table 8.1 are important to performance monitoring for the reasons described.

Table 8.1 Active Directory System Monitor Counters on the NTDS Object

Counter

Description

DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec

The compressed size (in bytes) of compressed replication data inbound from directory system agents (DSAs) in other sites (per second).

DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec

The uncompressed size (in bytes) of compressed replication data inbound from DSAs in other sites (per second).

DRA Inbound Bytes Not Compressed (Within Site)/sec

The uncompressed size (in bytes) of replication data that was not compressed at the source - that is, inbound from other DSAs in the same site (per second).

DRA Inbound Bytes Total/sec

The total number of bytes (per second) received through replication. It is the sum of the number of bytes of uncompressed data (never compressed) and compressed data (after compression).

DRA Inbound Full Sync Objects Remaining

The number of objects remaining until the full synchronization process is completed.

DRA Inbound Objects/sec

The number of objects received (per second) through inbound replication from replication partners.

DRA Inbound Objects Applied/sec

The number of objects received (per second) from replication partners and applied by the local directory service. This counter excludes changes that are received but not applied (for example, when the update is already made). This counter indicates how many replication updates are occurring on the server as a result of changes generated on other servers.

DRA Inbound Objects Filtered/sec

The number of objects received (per second) from replication partners that contained no updates that needed to be applied.

DRA Inbound Object Updates Remaining in Packet

The number of object updates received in the current directory replication update packet that have not yet been applied to the local server. This counter tells you whether the monitored server is receiving changes, but is taking a long time applying them to the database.

DRA Inbound Properties Applied/sec

The number of changes (per second) to object properties that are applied through inbound replication as a result of reconciliation logic.

DRA Inbound Properties Filtered/sec

The number of changes (per second) to object properties received during the replication that are already made.

DRA Inbound Properties Total/sec

The total number of changes (per second) to object properties received from replication partners.

DRA Inbound Values (DNs only)/sec

The number of values of object properties received (per second) from replication partners in which the values are for object properties that belong to distinguished names. This number includes objects that reference other objects. Values for distinguished names, such as group or distribution list memberships, are more expensive to apply than other kinds of values because a group or distribution list object can include hundreds or thousands of members. In contrast, a simple object might have only one or two attributes. A high number from this counter might explain why inbound changes are slow to be applied to the database.

DRA Inbound Values Total/sec

The total number of values of object properties received (per second) from replication partners. Each inbound object has one or more properties, and each property has zero or more values. A property received with zero values indicates that the property is to be removed.

DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec

The compressed size (in bytes) of compressed replication data that is outbound to DSAs in other sites (per second).

DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec

The uncompressed size (in bytes) of compressed replication data outbound to DSAs in other sites (per second).

DRA Outbound Bytes Not Compressed (Within Site)/sec

The uncompressed size (in bytes) of outbound replication data that was not compressed - that is, outbound to DSAs in the same site - per second.

DRA Outbound Bytes Total/sec

The total number of bytes sent per second. It is the sum of the number of bytes of uncompressed data (never compressed) and compressed data (after compression).

DRA Outbound Objects Filtered/sec

The number of objects (per second) acknowledged by outbound replication partners that required no updates. This counter includes objects that the outbound partner did not already have.

DRA Outbound Objects/sec

The number of objects sent (per second) through outbound replication to replication partners.

DRA Outbound Properties/sec

The number of properties sent per second. This counter tells you whether a source server is returning objects or not. Sometimes, the server might stop working correctly and not return objects quickly or at all.

DRA Outbound Values (DNs only)/sec

The number of values of object properties sent (per second) to replication partners in which the values are for object properties that belong to distinguished names. Values for distinguished names, such as group or distribution list memberships, are more expensive to apply than other kinds of values because a group or distribution list object can include hundreds or thousands of members. In contrast, a simple object might have only one or two attributes.

DRA Outbound Values Total/sec

The total number of values of object properties sent (per second), to replication partners.

DRA Remaining Replication Updates

The number of changes to objects that have been received in the current directory replication update packet for the DRA that have not yet been applied to the local server. A sharp decline in the rate at which objects are applied to the database indicates normal operation, while a gradual decline indicates that complex objects are being applied. This counter is a helpful gauge of whether a server is slow to replicate.

DRA Pending Replication Synchronizations

The number of directory synchronizations that are queued for this server that are not yet processed. This counter helps in determining replication backlog - the larger the number, the larger the backlog.

DRA Sync Requests Made

The number of synchronization requests made to replication partners since computer was last restarted.

DS Security Descriptor Suboperations/sec

The number of suboperations (per second) of security descriptor propagation. One operation of security descriptor propagation comprises many suboperations. There is approximately one suboperation for each object that the propagation operation causes the propagator to examine.

DS Security Descriptor Propagation Events

The number of events of Security Descriptor Propagation that are queued but not yet processed.

DS Threads in Use

The current number of threads in use by the directory service (different from the number of threads in the directory service process). This counter represents the number of threads currently servicing API calls by clients, and you can use it to determine whether additional CPUs would be beneficial.

LDAP Client Sessions

The number of sessions of connected LDAP clients.

LDAP Bind Time

The time (in milliseconds) required for the completion of the last successful LDAP binding.

Kerberos Authentications/sec

The number of times per second that clients use a client ticket to this domain controller to authenticate to this domain controller.

NTLM Authentications/sec

The number of NTLM authentications (per second) serviced by this domain controller.

LDAP Successful Binds/sec

The number of LDAP binds (per second) that completed successfully.

LDAP Searches/sec

The number of search operations per second performed by LDAP clients.

Manually Loading and Unloading NTDS Counters

In rare cases, the NTDS object can fail to load. If this happens, the NTDS object is not available when you open System Monitor.

To load the NTDS object manually

  1. Change directory to %SystemRoot%\System32.

  2. To load the counter information into the registry, at the command prompt, type lodctr.exe ntdsctrs.ini.

  3. To enable collection of performance data for Active Directory, restart your computer.

After these steps are finished, you can use the System Monitor tool to view the counters for the NTDS object.

To unload the NTDS object manually

  1. Change directory to %SystemRoot%\System32.

  2. To unload the counter information from the registry at the command prompt, type unlodctr.exe ntds.
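The counter sampling that the System Monitor section and Table 8.1 describe, together with the "is the NTDS object registered at all" check from the procedure above, as one Windows PowerShell script. This is an added example and not part of the Resource Kit: the counter paths are the Table 8.1 names, but the thresholds, the event source name and the event ID are this example's own choices, and it assumes a domain controller with Get-Counter (Windows PowerShell 3 or later).

```powershell
# Added example, not a Microsoft tool. Samples the NTDS replication counters from
# Table 8.1, decides whether the server has a replication backlog and, if so, logs a
# Warning event the way a Performance Logs and Alerts alert would.
# Thresholds, event source 'ADPerfCheck' and event ID 9001 are this example's choices.

function Test-NtdsCounterSet {
    # Same check as looking for the NTDS object in System Monitor's Add Counters dialog.
    try { $null = Get-Counter -ListSet 'NTDS' -ErrorAction Stop; $true } catch { $false }
}

function Get-ReplicationSnapshot {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Samples = 6, [int]$IntervalSeconds = 10)
    $paths = '\NTDS\DRA Pending Replication Synchronizations',
             '\NTDS\DRA Inbound Object Updates Remaining in Packet',
             '\NTDS\DRA Inbound Objects Applied/sec',
             '\NTDS\DRA Inbound Values (DNs only)/sec',
             '\NTDS\DRA Inbound Bytes Total/sec',
             '\NTDS\DS Threads in Use'
    $sets = Get-Counter -ComputerName $ComputerName -Counter $paths `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Reshape into counter name -> array of cooked values, dropping the "\\host\ntds\" prefix.
    $series = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $name = ($s.Path -split '\\')[-1]
            if (-not $series.ContainsKey($name)) { $series[$name] = @() }
            $series[$name] += [double]$s.CookedValue
        }
    }
    $series
}

function Test-ReplicationBacklog {
    param([hashtable]$Series, [int]$PendingThreshold = 10)
    # The backlog signal is a queue that never drains during the window (minimum over the
    # samples), not a single spike while one large update packet is being applied.
    $minPending = ($Series['DRA Pending Replication Synchronizations'] | Measure-Object -Minimum).Minimum
    $avgApplied = ($Series['DRA Inbound Objects Applied/sec']          | Measure-Object -Average).Average
    $avgDnVals  = ($Series['DRA Inbound Values (DNs only)/sec']         | Measure-Object -Average).Average
    [pscustomobject]@{
        MinPending  = $minPending
        AvgApplied  = $avgApplied
        Backlogged  = $minPending -ge $PendingThreshold
        # Queue present but nothing applied: look at the partner or the link, not local disk.
        Stalled     = ($minPending -ge $PendingThreshold) -and ($avgApplied -eq 0)
        # Queue present and DN-valued traffic dominates: slow group-membership apply (Table 8.1).
        SlowDnApply = ($minPending -ge $PendingThreshold) -and ($avgDnVals -gt $avgApplied)
    }
}

function Write-ReplicationAlert {
    param([Parameter(Mandatory)]$Result, [string]$Source = 'ADPerfCheck')
    if (-not $Result.Backlogged) { return }
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source      # one-time; needs local admin
    }
    $fmt = 'DRA Pending Replication Synchronizations stayed at or above {0} for the whole sample window; ' +
           'inbound objects applied/sec averaged {1:N1}; stalled={2}'
    $msg = $fmt -f $Result.MinPending, $Result.AvgApplied, $Result.Stalled
    Write-EventLog -LogName Application -Source $Source -EntryType Warning -EventId 9001 -Message $msg
}

if (-not (Test-NtdsCounterSet)) {
    Write-Warning 'NTDS object not registered: run "lodctr ntdsctrs.ini" from %SystemRoot%\System32 and restart.'
} else {
    $result = Test-ReplicationBacklog -Series (Get-ReplicationSnapshot)
    $result
    Write-ReplicationAlert -Result $result
}
```

Run it with -ComputerName against each replication partner in turn; a backlog that appears only on one side of a site link points at that link's schedule or bridgehead rather than at the directory itself.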

Database Object

The Database object relates to the Extensible Storage Engine (ESENT), the transacted database system that stores all Active Directory objects. This performance object is not installed by default. The counters on the Database object enable you to perform advanced tuning of Active Directory. You can also use some of the counters to help determine whether you need more disk drives for storage of logs or database.

Currently, there is no automated way to install the performance dynamic-link library (DLL), Esentprf.dll, in Windows 2000.

Caution Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

To load the Database object

  1. Copy the performance DLL (Esentprf.dll) located in %SystemRoot%\System32 to any directory (for example, C:\Perf).

  2. Run Regedt32.exe or Regedit.exe, and make sure that the following registry subkeys exist:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance
    If these subkeys do not exist, you need to create them.
    For more information about creating registry subkeys, see Windows 2000 Server Help.

  3. Make sure that, under the Performance subkey, the registry values that have the following settings exist:

    • Open : data type REG_SZ : OpenPerformanceData

    • Collect : data type REG_SZ : CollectPerformanceData

    • Close : data type REG_SZ : ClosePerformanceData

    • Library : data type REG_SZ : c:\perf\esentprf.dll

  4. Change directory to %SystemRoot%\System32 (for example, C:\Winnt\System32), or to another folder that contains the files Esentprf.ini and Esentperf.hxx generated when Eseperfnt.dll was compiled.

  5. (Optional) To verify that previous counter information is not present in the registry, at the command prompt, type unlodctr.exe ESENT.

  6. To load the counter information into the registry, run Lodctr.exe Esentprf.ini.

To view the counters for the Database object, restart System Monitor.
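The six steps above as a checked script, an added example rather than Microsoft's procedure. It assumes the names the procedure gives (the ESENT key, the Open/Collect/Close/Library values, Esentprf.dll and Esentprf.ini) and a current Windows Server with Windows PowerShell, where the Database object is normally registered already and the script merely repairs it. It adds one check the procedure does not make: the DLL named in Library is loaded by every process that collects counters, including the services that answer remote Performance snap-in and WMI collectors, so a copy placed in a directory that ordinary users can write to is a DLL-planting path. The script refuses such a directory, which is also why its default keeps the System32 copy instead of C:\Perf.

```powershell
# Added example, not Microsoft's tool: registers the ESENT (Database) performance
# extension with the same registry values and lodctr steps as the chapter. Run elevated;
# the registry caution above applies. Names and checks beyond the chapter are this example's.

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ESENT'
$perfKey = "$svcKey\Performance"

function Test-PerfDllDirectory {
    param([Parameter(Mandatory)][string]$DllPath)
    # Any write or delete right for a low-privilege principal on the DLL's directory lets
    # that principal replace the library that SYSTEM-level collectors will load.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete
    $lowPriv = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
    $acl  = Get-Acl (Split-Path $DllPath -Parent)
    $open = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $lowPriv -and
        (([int]$_.FileSystemRights) -band ([int]$writeBits)) -ne 0
    }
    -not $open
}

function Register-EsentCounters {
    param(
        [string]$LibraryPath = "$env:SystemRoot\System32\esentprf.dll",
        [string]$IniPath     = "$env:SystemRoot\System32\esentprf.ini"
    )
    foreach ($f in $LibraryPath, $IniPath) { if (-not (Test-Path $f)) { throw "Missing $f" } }
    if (-not (Test-PerfDllDirectory $LibraryPath)) {
        throw "Directory of $LibraryPath is writable by non-administrators; refusing to register it"
    }
    # Step 2: the ESENT and ESENT\Performance subkeys.
    foreach ($k in $svcKey, $perfKey) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }
    # Step 3: the four values the performance library loader reads.
    $values = [ordered]@{
        Open    = 'OpenPerformanceData'
        Collect = 'CollectPerformanceData'
        Close   = 'ClosePerformanceData'
        Library = $LibraryPath
    }
    foreach ($n in $values.Keys) { Set-ItemProperty -Path $perfKey -Name $n -Value $values[$n] -Type String }
    # Steps 5 and 6: drop any stale counter text (ignore "not found"), then load the names.
    & "$env:SystemRoot\System32\unlodctr.exe" ESENT 2>$null | Out-Null
    & "$env:SystemRoot\System32\lodctr.exe" $IniPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "lodctr.exe failed with exit code $LASTEXITCODE" }
    # Check: the Database object and its counters should now enumerate without restarting.
    Get-Counter -ListSet 'Database' | Select-Object -ExpandProperty Counter
}

# Usage: Register-EsentCounters                                        (System32 copy)
#        Register-EsentCounters -LibraryPath C:\Perf\esentprf.dll      (the chapter's layout)
```

If the chapter's C:\Perf layout is wanted, tighten that directory's ACL to Administrators and SYSTEM before running the script, and restart System Monitor afterwards as the procedure says.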

Table 8.2 lists the performance counters for the Database object.

Table 8.2 Additional Active Directory System Monitor Counters Under the Database Object

Counter

Description

Cache % Hit

The percentage of page requests for the database file that were fulfilled by the database cache without causing a file operation. If this percentage is too low, the size of the database cache might be too small. You can increase the size of the database cache by adding more RAM.

Cache Page Fault Stalls/sec

The number of page faults (per second) that cannot be serviced because there are no pages available for allocation from the database cache. If this counter is nonzero most of the time, the clean threshold might be too low. You can increase the size of the database cache by adding more RAM.

Cache Page Faults/sec

The number of page requests (per second) for the database file that require the database cache manager to allocate a new page from the database cache. If this number is too high, the size of the database cache might be too small. You can increase the size of the database cache by adding more RAM.

Cache Size

The amount of system memory used by the database cache manager to hold commonly used information from the database file or files to prevent file operations. If the size of the database cache seems to be too small for optimal performance and there is very little system memory available on the system, adding more RAM to the system might increase performance. If there is plenty of system memory available and the database cache size is not growing, the database cache size might be restricted to an artificially low limit. You can increase the size of the database cache by adding more RAM.

File Bytes Read/sec

The number of bytes that are read (per second) from the database file or files into the database cache. If this rate is too high, the size of the database cache might be too small. You can increase the size of the database cache by adding more RAM.

File Bytes Written/sec

The number of bytes that are written (per second) to the database file or files from the database cache. If this rate is too high, the size of the database cache might be too small. You can increase the size of the database cache by adding more RAM.

File Operations Pending

The number of reads and writes issued by the database cache manager to the database file or files that the operating system is currently processing. A large number of pending operations increases system throughput, but also increases the time required to process individual operations. Typically, a larger number means that file operations on the database file or files might be a bottleneck.

File Operations/sec

The number of reads and writes (per second) issued by the database cache manager to the database file or files. If this number is too high, the database cache size might be too small. You can increase the size of the database cache by adding more RAM.

Log Record Stalls/sec

The number of instances (per second) that a log record cannot be added to the log buffers because the buffers are full. If this counter is not zero most of the time, the size of the log buffer might be a bottleneck.

Log Threads Waiting

The number of threads waiting for their data to be written to the log in order to complete an update of the database. If this number is too high, the log might be a bottleneck.

Log Writes/sec

The number of instances (per second) that the log buffers are written to the log file(s). If this number approaches the maximum rate at which the medium that is storing the log file(s) can write data, the medium might be a bottleneck.

Table Open Cache % Hit

The percentage of database tables opened by using cached schema information. If this number is too low, the size of the table cache might be too small. You can increase the size of the database cache by adding more RAM.

Table Open Cache Hits/sec

The number of database tables opened (per second) by using cached schema information. If this number is too low, the size of the table cache might be too small. You can increase the size of the database cache by adding more RAM.

Table Open Cache Misses/sec

The number of database tables opened (per second) without using cached schema information. If this number is too high, the size of the table cache might be too small. You can increase the size of the database cache by adding more RAM.

Table Opens/sec

The number of database tables opened per second.

Note When the description of a counter indicates that the number counted is "too high" or "too low," it is an indication of how to adjust the system configuration. For example, if you make a change that increases the rate of page faults for a cache, you know that you have made an incorrect adjustment, and you must change the settings in the opposite direction. Please note that you cannot adjust settings that cause the counter behavior to change in System Monitor. Settings are configured elsewhere, such as in the registry or in startup .inf files.

Using System Monitor to Select Performance Counters

You can select the performance counters that you want to monitor in System Monitor. You can view a graphical representation of the counters by selecting a type of display: chart, histogram, or log file data. Also, when you have a counter selected, you can view a description of that counter and tips on how to improve system performance by clicking the Explain button.

To select Active Directory performance counters to monitor

  1. On the Start menu, click Programs, point to Administrative Tools, and then click Performance. The Performance snap-in appears with a graphical chart displayed in the details pane.

  2. Click the add counter button (+) to display the Add Counters window.

  3. Select the name of the computer that you want to monitor - either the local computer or another domain controller.

  4. Select the NTDS or Database performance object.

  5. Select the performance counters that you want to add, and then click Add. If you need a detailed explanation of the counter, click Explain.

When you are finished, click Close. The counters that you selected appear in the lower part of the screen. System Monitor displays each counter in a unique color.

Note When creating a monitoring console for export, make sure to select Use local computer counters. Otherwise, System Monitor obtains data from the computer named in the text box, regardless of where the console file is installed. For more information about creating consoles, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.



