We run a functional level 2003 AD and have been asked to improve performance.  I know this can cover a lot of areas but if you were given the task of doing this what would you start to look for and what areas would this cover ?

LDAP queries
DNS
DHCP
Replication
Exchange ?
Other applications using AD for authentication ?
Certificate Services
Management, Rights, Additions, Deletions
AD Database Defrag ?
Kerberos

Looking for tools, scripts etc to help me down this path.  So far I have found some resources from a simple BING search, and also have found the built in Performance Monitor Data Colector for AD to be useful.  Some suggestions on what else to look for and any other usefull tools would be greatly appreciated.

Have a good one, and thanks !

I can say this much, this is a very broad question.

There are so many methods and means to do monitor AD because it is multifaceted. As you said, you can use the built-in perfmon tools. Preferably, the better way is to use a monitoring service, such as SCOM (formerly MOM), that will do lots of stuff.

.

Some Microsoft tools:

SCOM 2012 - System Center Operations Manager
http://technet.microsoft.com/en-us/library/hh205987.aspx

Monitoring Active Directory Health
http://technet.microsoft.com/en-us/library/cc180912.aspx

Monitoring Active Directory
http://technet.microsoft.com/en-us/library/bb727046.aspx

Microsoft Download details: Ultrasound - Monitoring and Troubleshooting Tool for File Replication Service (FRS):
 http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en

VBscript to return a list of pending replication jobs on a domain controller.
 http://activexperts.com/network-monitor/windowsmanagement/scripts/activedirectory/monitoring/
 
Keeping Track of Changes That Have Occurred Over a Period of Time
 http://technet.microsoft.com/en-us/library/cc811562(WS.10).aspx
 
To check the replication summary you can run repadmin /replsum.
 http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx

.

Scripts:

NUMEROUS scripts are available at the Technet gallery or you can request one based on the customization.
 http://gallery.technet.microsoft.com/site/search?f[0].Type=RootCategory&f[0].Value=activedirectory&f[0].Text=Active%20Directory

The Official Scripting Guy Forum is the best resource for script related questions
http://social.technet.microsoft.com/Forums/en/ITCG/threads

If you are looking for assistance with Powershell scripting, you might want to post in the PowerShell forum:
http://social.technet.microsoft.com/Forums/en/winserverpowershell/threads

.

Manual methods to look at the health of your DCs:

dcdiag /v > c:\dcdiagDC01.txt (from each DC)                      (DC diagnostic tool, the /v will test all available tests. Run a /? for specific test switches)
netdiag /v > c:\netdiagDC01.txt                                           (Only for 2000/2003 - netdiag isn't supported on Windows 2008 or newer)
repadmin /showrepl [DC01] /verbose /all /intersite                (Helps understand the replication topology and replication failures)
repadmin /showrepl dc* /verbose /all /intersite > c:\repl.txt     ["dc*" is if you have more than one DC, and the beginning name of the DCs begin with the same name]
repadmin /showrepl dc01.domain.local /verbose /all /intersite> c:\rep-showrepl.txt   (Helps understand the replication topology and replication failures)
repadmin /showreps > c:\rep-showreps.txt                            (This switch shows if partitions have replicated or not)
repadmin /replsum > c:\rep-replsummary.txt                        (View replication summary. You can also use the output to create report)
dnslint /ad /s {The DC's IP Address} (From each DC)             (http://support.microsoft.com/kb/321045)
nltest /dsgetdc:<domain.local> /force                                   (Tests secure channels between DCs)
Event log errors from each DC                                              (Include the Event ID #, "Source Name, and relevant msg in the event)

.

There are numerous third party options, too:

ManageEngine OPManager
 http://www.manageengine.com/network-monitoring/activedirectory-monitoring.html

Splunk - Monitor AD:
 http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory

Monitor Active Directory
 http://www.activexperts.com/activmonitor/functions/adsi/
 
Using WMI to Monitor AD
 http://www.windowsitpro.com/Windows/Articles/ArticleID/41835/pg/2/2.html

Active Directory monitoring and health checkup
http://technetsrilanka.net/blogs/bubble/archive/2009/07/13/active-directory-monitoring-and-health-checkup.aspx

.

Last, but not least, previous discussions, some recent, from the DS Forum:

Technet Thread: "scripts, tools to monitor DC" 4/1/2012
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/606b62d2-57bc-42af-893f-b2e75f3fb12a

Technet Thread: "Network Monitor and traffic to/from DC" 4/24/2011
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/d58e5b52-faab-431b-a01d-b7adf113c1f8

Technet Thread: "AD Performance" 7/11/2009  [Comprehensive responses regarding performance counters]
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/48f50a27-82ab-4c1e-aa5a-37fb1e2e6f5b

Technet Thread: "Performance Counter" 11/17/2011
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/74a32da6-8ef7-4d01-9330-510c30f72ecc

.

I guess monitoring AD with SCOM (referenced by ACE) is a viable solution because you can customize the threshold parameters in the AD management pack. Using SCOM, you can utilize other benefits even like monitoring network devices,SQL,Exchange,ACS, Unix/Linux based systems etc. If you don't have budget constraint, you can also evaluate 3rd party tools like AD monitoring tool from the Quest. I have used SCOM and i feel its better in the business.

http://www.microsoft.com/download/en/details.aspx?id=21357

http://www.quest.com/techbrief/using-system-center-operations-manager-and-spotlight-to-solve-real-wo814423.aspx

I like Quest's Spotlight on Active Directory. They have other "Spotlight" versions for Exchange, SQL, etc. The screens show realtime views of background AD processes running with a black background and green objects, yellow flows, and the objects or flows turns red when something's amiss. It reminds me of that old PacMan game from years ago.

But I agree, SCOM is a nice solution. At one long term contract while managing 20 Exchange 2003 servers, and other messaging components, we used MOM for monitoring. Lots of info. It even helped me find a problem on one of the servers by running performance logging charts isolating it down to various points during a work day, to figure out which component was giving me a headache. And SCOM has been vastly improved over MOM.

And that's an interesting article, Awinish, about combining SCOM and Spotlight. That would be the ultimate monitoring solution! Nice!

.

.

Ace, i agree but combining both would be heavy expenditure. I have seen mostly enterprise clients using both the products, considering the capability of the Quest tools but they require hefty investment to cover licensing and it won't be possible for the small or medium size org. to go for such investements.

Yea, I agree, that would be a huge drawback. The licensing costs, especially for the Quest tools, are tremendous. At least if a customer has a Microsoft EA, depending on the EA level, SCOM would be included, as well as its SQL requirements to store the data, however they still need to purchase hardware to implement it. Big $$$....

Some small companies argue that they can simply have their junior IT admin do all the monitoring manually or using scripts as part of their job description, not requiring to purchase additional tools. But that doesn't help with realtime issues.

It comes down to what a company wants and what they need to invest to achieve it.

Thanks for all of your thoughts... we do have an EA, and have looked at SCOM before but it involved weeks of setup to just monitor a few basic things, and then we were constantly bombarded with various alerts etc.  I might take a look at spotlight on AD to see if it is any easier to implement.  My other thought was just to do an ADRAP and just let them come out and look at everything and tell me where the problems may be, if any at all.  Hardware is not a problem we have plenty of VM space available.

You have to tweak SCOM alerts to get the notifications you want. And I don't think it takes weeks to setup. It does need SQL, whether locally installed or somewhere else on the network. It can be setup and working within a few hours and settled down within a day or two, but of course that comes with product knowledge and guidance with some of the Technet blogs and other sites. Quest's Spolight tools are nice, but a little pricey, as we've discussed. But that may be the best bang for your bucks with not having to install SQL for SCOM, etc.

.

I'm curious which direction you will take this. Please do post back and let us know what you decide!

.

An effective monitoring tool for AD is ARK for Active Directory http://www.vyapin.com/products/active-directory-audit/active-directory-reports from Vyapin Software Systems. Another tool you can use is the Active Directory Change Tracker - http://www.vyapin.com/products/active-directory-change-tracking/active-directory-change-reporting