Quest Spotlight on Active Directory User Guide

© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in
this guide is furnished under a software license or nondisclosure agreement. This software
may be used or copied only in accordance with the terms of the applicable agreement. No part
of this guide may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording for any purpose other than the purchaser's
personal use without the written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by
this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN
QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS
PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS,
IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT,
INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING,
WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS
OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN
IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no
representations or warranties with respect to the accuracy or completeness of the contents of
this document and reserves the right to make changes to specifications and product
descriptions at any time without notice. Quest does not make any commitment to update the
information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656 USA
www.quest.com
Refer to our Web site for regional and international office information.
Patents
This product is protected by U.S. Patent #: 6,249,883.
TRADEMARKS
Quest, Quest Software, the Quest Software logo, Simplicity at Work, Spotlight, and vSpotlight
are trademarks of Quest Software, Inc., and its subsidiaries. See
http://www.quest.com/legal/trademarks.aspx for a complete list of Quest Software's
trademarks. Other trademarks are property of their respective owners.
Quest Spotlight on Active Directory User Guide
Updated - August 2012
Software Version - 6.8.2
CONTENTS

CHAPTER 1: USING QUEST® SPOTLIGHT® ON ACTIVE DIRECTORY® TOPOLOGY VIEWER
  ABOUT THIS GUIDE
  ABOUT QUEST SPOTLIGHT ON ACTIVE DIRECTORY TOPOLOGY VIEWER
  CONNECTING TO DIAGNOSTIC SERVICES
  DISCOVERING THE TOPOLOGY
  NAVIGATING THE INTERFACE
    PARTS OF THE INTERFACE
    BROWSING BY SITE, DOMAIN, OR GROUPING
    CENTER ON SERVER
    SELECT
    SERVER INFORMATION
    TOOLS
  SETTING IMPERSONATION CREDENTIALS
  SETTING NOTIFICATION GROUPS
  CUSTOMIZING THE TOPOLOGY VIEWER
    APPLYING A SYSTEM VIEW
    CREATING A CUSTOM VIEW
    DELETING A CUSTOM VIEW
    EDITING A CUSTOM VIEW
    RESETTING THE LAYOUT OF THE CURRENT VIEW
  SETTING OPTIONS
    ANALYSIS TEST OPTIONS
    GLOBAL NOTIFICATION OPTIONS
    DATABASE OPTIONS
    OPERATIONS MANAGER OPTIONS
    FOREST DISCOVERY OPTIONS
    WEB REPORTS OPTIONS
    INTRUST® INTEGRATION
  SETTING PROPERTIES
    GENERAL PROPERTIES
    OPERATING SYSTEM PROPERTIES
    DNS PROPERTIES
    TIME SYNC PROPERTIES
    REPLICATION PROPERTIES
    NTFRS PROPERTIES
    DFSR PROPERTIES
    GPO PROPERTIES
    LATENCY PROPERTIES
    LOCAL CHANGES PROPERTIES
    MOM PROPERTIES
  CONFIGURING OPERATIONS MANAGER INTEGRATION

CHAPTER 2: DETECTING ACTIVE DIRECTORY PROBLEMS
  DETECTING ACTIVE DIRECTORY PROBLEMS
    ANALYSIS TESTS CATEGORIES
    RUNNING AND SCHEDULING ANALYSIS TESTS

CHAPTER 3: DIAGNOSING PROBLEMS
  DIAGNOSING PROBLEMS
    SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE
    INTRUST FOR ACTIVE DIRECTORY

CHAPTER 4: RESOLVING REPLICATION AND TIME SYNC PROBLEMS
  RESOLVING DIRECTORY REPLICATION
    MANAGING REPLICATION LINKS
  RESOLVING FILE REPLICATION
    MANAGING THE FILE REPLICATION SERVICES
    MANAGING LOGGING
    INCREASING USN JOURNAL SIZE
    MANAGING ADVANCED GPO LOGGING
  RESOLVING TIME SYNCHRONIZATION
    SETTING TIME SYNCHRONIZATION PARAMETERS

CHAPTER 5: MANAGING ACTIONS AND RESULTS
  MANAGING ACTIONS AND RESULTS
    CANCELING PENDING ACTIONS
    SAVING ACTION RESULTS
    CLEARING ACTION RESULTS
    LAUNCHING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE
    VIEWING CHANGES FROM INTRUST FOR ACTIVE DIRECTORY

CHAPTER 6: CUSTOMIZING THE TOPOLOGY LAYOUT
  UNDERSTANDING SYSTEM VIEWS
    APPLYING A SYSTEM VIEW
    CREATING A CUSTOM VIEW
    DELETING A CUSTOM VIEW
    EDITING A CUSTOM VIEW
    RESETTING THE LAYOUT OF THE CURRENT VIEW

CHAPTER 7: WORKING WITH GROUPS
  WORKING WITH GROUPS
    AUTOGROUPING
    CENTERING ON GROUP
    COLLAPSING
    EXPANDING
    GROUPING TOGETHER
    UNGROUPING

CHAPTER 8: USING THE QUEST SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE
  INTRODUCING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE
    STARTING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE
  USING SPOTLIGHT ON ACTIVE DIRECTORY DIAGNOSTIC CONSOLE
    USING DRILLDOWNS
    USING COMPONENTS
    USING INDICATORS

CHAPTER 9: USING QUEST SPOTLIGHT ON ACTIVE DIRECTORY WEB REPORTS
  UNDERSTANDING QUEST WEB REPORTS
    ACCESSING WEB REPORTS
    TYPES OF WEB REPORTS
  VIEWING AND INTERACTING WITH WEB REPORTS
    BROWSING WEB REPORTS
    USING THE COMMAND BUTTONS
    USING THE TREEVIEW
    USING THE FILE-BASED MODEL
    FILE MENU COMMANDS
    VIEWING REPORT INFORMATION
  CREATING AND MODIFYING WEB REPORTS
    CREATING CUSTOM REPORTS
    SAVING WEB REPORTS
    EDITING WEB REPORTS
    USING QUICK FILTERS
    CHANGING GROUPING OPTIONS
  CREATING CUSTOM GRAPHS
    USING THE GRAPH WIZARD
    GUIDELINES FOR CREATING BAR CHARTS
    GUIDELINES FOR CREATING PIE CHARTS
    GUIDELINES FOR CREATING XY GRAPHS
  SETTING SECURITY
    ROLE-BASED SECURITY
  CONFIGURING THE WEB REPORT SUBSCRIPTION SERVICE
    THE SUBSCRIPTION WIZARD WELCOME PAGE
    SCHEDULING THE SUBSCRIPTION SERVICE
    SENDING THE SUBSCRIPTION
    SELECTING WEB REPORTS FOR THE SUBSCRIPTION
    SELECTING A USER ACCOUNT
    DISPLAYING SUBSCRIPTIONS
    IMPORTING AND EXPORTING SUBSCRIPTIONS
  USING PRECONFIGURED REPORTS
    PRECONFIGURED REPORTS IN SPOTLIGHT ON ACTIVE DIRECTORY TOPOLOGY VIEWER
    GENERATING REPORT DATA

CHAPTER 10: USING DISTRIBUTED COLLECTION OF ANALYSIS TEST DATA (COLLECTORS)
  USING DISTRIBUTED COLLECTORS
    DIAGNOSTIC SERVICES
    COLLECTOR SERVICE
    COLLECTOR MANAGEMENT CONSOLE
  INSTALLING DISTRIBUTED COLLECTORS
    USING THE COLLECTOR MANAGEMENT CONSOLE
    USING THE SPOTLIGHT ON ACTIVE DIRECTORY INSTALLATION CD
  ADDING SITES AND SERVERS TO DISTRIBUTED COLLECTORS
  VIEWING MANAGED SITES AND SERVERS
  CONFIGURING COLLECTORS
  UPGRADING DISTRIBUTED COLLECTORS
  UPDATING COLLECTOR STATUS
  UNINSTALLING DISTRIBUTED COLLECTORS
    USING THE COLLECTOR MANAGEMENT CONSOLE
    USING ADD/REMOVE PROGRAMS IN THE CONTROL PANEL

GLOSSARY
INDEX
ABOUT QUEST SOFTWARE
  CONTACTING QUEST SOFTWARE
  CONTACTING QUEST SUPPORT
  THIRD PARTY CONTRIBUTIONS
Chapter 1: Using Quest® Spotlight® on Active Directory® Topology Viewer
• About This Guide
• About Quest Spotlight on Active Directory Topology Viewer
• Connecting to Diagnostic Services
• Discovering the Topology
• Navigating the Interface
• Setting Impersonation Credentials
• Setting Notification Groups
• Customizing the Topology Viewer
• Setting Options
• Setting Properties
About This Guide
This document has been prepared to assist you in becoming familiar with
Spotlight on Active Directory, an integral component of Spotlight Suite. The User
Guide contains the information required to install and use Spotlight on Active
Directory. It is intended for network administrators, consultants, analysts, and
any other IT professionals using the product.
For information on Spotlight basics, see the Spotlight Basics section of the
Help menu of the Spotlight on Active Directory Diagnostic Console.
For Frequently Asked Questions or Troubleshooting information related to
Spotlight on Active Directory, see the Spotlight on Active Directory
Deployment Guide.
About Quest Spotlight on Active Directory Topology Viewer
Spotlight on Active Directory Topology Viewer displays the configuration of your
organization’s Active Directory. It gives you the tools to diagnose and repair
replication, Group Policy Objects (GPO), and time synchronization issues. You
can view replication between domain controllers (DCs), change replication links,
and run diagnostics to pinpoint key problems with your Active Directory
environment.
For more information on the features of Spotlight on Active Directory, see the
Spotlight on Active Directory Quick Start Guide.
Connecting to Diagnostic Services
Before using Spotlight on Active Directory Topology Viewer, you must be
connected to the Diagnostic Services. Diagnostic Services
(DiagnosticTestEngineSLAD and DataManagerSLAD) are automatically installed
during the standard installation of Spotlight on Active Directory Topology Viewer.
If you select this installation option, the Spotlight on Active Directory Topology
Viewer will automatically connect to the Diagnostic Services.
However, you can also install Diagnostic Services on a different computer. If you
select this installation option, then you will need to connect to Diagnostic
Services the first time you run the Spotlight on Active Directory Topology
Viewer. Once you have connected to the Diagnostic Services the first time, it will
not be necessary to do so again unless the Diagnostic Services are located on a
different server.
The account used to run the Diagnostic Services must be a member of the
Local Administrators group on the server where the Diagnostic Services are
running.
For more information on the running of Spotlight on Active Directory, see the
Spotlight on Active Directory Quick Start Guide.
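The Local Administrators requirement stated above can be checked on the computer that hosts the Diagnostic Services. The following PowerShell is an added example, not part of the Quest guide; it assumes that DiagnosticTestEngineSLAD and DataManagerSLAD are the Windows service names and that the Get-LocalGroupMember cmdlet (Windows PowerShell 5.1) is available.

```powershell
# Added example: report the logon account of each Diagnostic Service and whether
# that account is a direct member of the local Administrators group.
# Assumption: the two names given in the guide are the Windows service names.
$serviceNames = 'DiagnosticTestEngineSLAD', 'DataManagerSLAD'

# SIDs of the direct members of the built-in Administrators group (S-1-5-32-544).
# Looking the group up by its well-known SID also works on localized Windows.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

foreach ($name in $serviceNames) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        [pscustomobject]@{
            Service = $name
            Account = $null
            Result  = 'Service not installed on this computer'
        }
        continue
    }

    $account = $svc.StartName
    if ($account -eq 'LocalSystem') {
        # LocalSystem has administrative rights without being listed in the group.
        $result = 'LocalSystem (implicitly administrative)'
    } else {
        # ".\user" denotes a local account; expand it so it can be resolved to a SID.
        $ntName = $account -replace '^\.\\', "$env:COMPUTERNAME\"
        try {
            $sid = ([System.Security.Principal.NTAccount]$ntName).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            $result = if ($adminSids -contains $sid) {
                'Direct member of Administrators'
            } else {
                'NOT a direct member (check nested groups)'
            }
        } catch {
            $result = "Could not resolve account: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Service = $name
        Account = $account
        Result  = $result
    }
}
```

Only direct membership is compared, so an account that is an administrator through a nested domain group is reported as not a direct member and needs a manual check.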
To connect to the Diagnostic Services
1. Select File | Connect to Diagnostic Services.
   When you launch Spotlight on Active Directory Topology Viewer, Diagnostic
   Services will attempt to autoconnect to the local host.
2. Enter the address of the computer where the Diagnostic Services reside.
   Enter the IP address, the NetBIOS name, or the fully-qualified name
   of the computer. You can enter "Localhost" if the Diagnostic Services
   reside on the same computer as Spotlight on Active Directory
   Topology Viewer.
3. Click OK.
   The Diagnostic Services connection status is shown in the bottom left
   corner of the Spotlight on Active Directory Topology Viewer window.
Discovering the Topology
You discover the topology of your Active Directory forest by connecting to a
domain or DC in the forest. This DC becomes the query server, which is used to
gather information about the forest.
When you launch Spotlight on Active Directory Topology Viewer, Diagnostic
Services will attempt to autoconnect to the local host.
To connect and discover your topology
1. Start Spotlight on Active Directory Topology Viewer.
2. Click Discover at the top of the Assistant pane.
   – OR –
   Select File | Discover Topology.
3. Enter the name of the DC.
   You can also enter either the IP address of the DC or the domain name. If
   you enter the domain name, the first server in the domain to answer the
   request becomes the query server.
4. Click OK.
To search for different DCs
1. Start Spotlight on Active Directory Topology Viewer.
2. Click Discover at the top of the Assistant pane.
   – OR –
   Select File | Discover Topology.
3. Click [icon].
4. Browse to the DC, select it, and click OK.
Navigating the Interface
This section introduces the Spotlight on Active Directory Topology Viewer
interface. The topics describe how the different menus, dialog boxes, and
windows work together, and they provide details of how the parts of the
application work together when administering your organization’s Active
Directory network.
• Parts of the Interface
• Browsing by Site, Domain, or Grouping
• Center on Server
• Select
• Server Information
• Tools
Parts of the Interface
The Spotlight on Active Directory Topology Viewer consists primarily of three
panes. The pane on the left is the Navigation pane, the center pane is the Main
pane, and the pane on the right is the Assistant pane. Using the Navigation pane,
you can view your topology layout and test results, manage action results, and run
Web Reports. Your selection in the Navigation pane dictates the display in the
Main pane and whether the Assistant pane is displayed.
The Navigation Pane
The Spotlight on Active Directory Topology Viewer contains tabs in the
Navigation pane on the left:

Topology: Displays the topology of the Active Directory forest to which you are connected. When you click this tab, the left pane expands to show a treeview of the forest while the main pane shows the topology view.

Analysis Test Results: Displays the results of the various Analysis Tests. The Main pane lists the type of test, the last update, and the last result. You can expand the test node to show the actual test, the server that was the focus of the test, and the actions, or steps, that took place as part of the test. If you select an actual test or server, further details are displayed below the main pane.

Management Actions Results: Displays pending and completed management actions. When you click this tab, the main pane that is displayed has two tabs at the top of the pane: Pending Actions and Completed Actions. Any Directory Replication, File Replication, or Time Synchronization (Time Sync) action performed in Spotlight on Active Directory Topology Viewer is listed in the Pending Actions tab. When the action is complete, it is moved to the Completed Actions tab.

Web Reports: Expands to display a treeview showing all available Web Reports. When you select a report in the treeview, the main pane displays the actual report.

Getting Started: Guides you through the process of discovering your topology, running analysis tests, verifying results, and using the Diagnostic Console to troubleshoot and resolve problems in Active Directory.

The Assistant Pane
The Assistant pane contains panes located on the right side of the Spotlight on
Active Directory Topology Viewer interface:

A: Gives you quick access to some of the most commonly used tools and analysis tests. Hover your pointer over each icon for the title of the feature.

Native Tools: When a problem occurs on a DC, to further troubleshoot and resolve the problem you may want to check some common information for that DC using native Microsoft management tools. From the Native Tools pane, you can launch any Microsoft tool:
  • AD Sites & Services - allows you to review AD configuration
  • AD Users & Computers - allows you to review security and permissions
  • Computer Management - allows you to review service status, and manage a service
  • DNS Management Console - allows you to examine DNS configuration
  • Event Viewer - allows you to look for recent System event log errors on the DC

Directory Replication Testing: Provides quick access to the Find Replication Failures, Check GPO Synchronization, Track Object Replication, and Test Replication Links tests. You can launch any of these tests by clicking the appropriate icon or the name of the test.

DNS Testing: Provides quick access to the Check DNS Entries and Check Partners’ DNS Entries tests. You can launch either of these tests by clicking the appropriate icon or the name of the test.

File Replication Testing: Provides quick access to the Confirm File Presence, GPO Synchronization, and Check NTFRS/DFSR Status tests. You can launch any of these tests by clicking the appropriate icon or the name of the test.

Status/Performance Testing: Provides quick access to the Check Service Pack and Hotfixes test and the Check Service Status test. You can launch either of these tests by clicking the appropriate icon or the name of the test.

Time Synchronization Testing: Provides quick access to the Check W32Time Differential, Check W32Time Parent Synchronization, and Check W32Time Status tests. You can launch any of these tests by clicking the appropriate icon or the name of the test.

Resolve Directory Replication: Allows you to exercise various management actions that address directory replication problems for selected servers. These include managing links, forcing replication, configuring Knowledge Consistency Checker (KCC) and flexible single master operation (FSMO) role transfers. You can perform any of these actions by clicking the appropriate icon or the name of the test.

Resolve NTFRS/DFSR File Replication: Offers various management actions that you can take to address file replication problems for selected servers. Depending on the service you are using, these actions include managing the DFSR or NT File Replication Service (NTFRS) and DFSR or NTFRS logging, setting USN Journal size, and enabling and disabling advanced GPO logging. You can perform any of these actions by clicking the appropriate icon or the name of the test.

Resolve Time Synchronization: Contains the Set Parameters action with which you can set time synchronization parameters for selected servers.

Click [icon] to hide the Assistant pane. When you hide the Assistant pane, all
of the icons in the various panes are still visible. You can launch a tool or run
a test by selecting a server and clicking the desired icon.
Scroll Bars
You can scroll to view different regions of your topology by clicking the red
arrows on the borders of the Topology View pane.
Browsing by Site, Domain, or Grouping
You can browse by domain, site, or grouping. This makes it easier to navigate
the treeview by reducing the number of branches. It is also an efficient way of
finding a particular DC within its domain, site, or group structure. The default
view of the Browse pane is by site. Select Browse by Domain if your network
contains a large number of sites, but only a small number of domains.
To browse by site
1. Right-click the Forest node in the treeview.
   – OR –
   Right-click the My Favorites node in the treeview.
2. Select Browse By | Site.
   The DCs in the Browse pane are organized by their site membership.
To browse by domain
1. Right-click the Forest node in the treeview.
   – OR –
   Right-click the My Favorites node in the treeview.
2. Select Browse By | Domain.
   The DCs in the Browse pane are organized by their domain membership.
To browse by grouping
1. Right-click the Forest node in the treeview.
   – OR –
   Right-click the My Favorites node in the treeview.
2. Select Browse By | Grouping.
   The DCs in the Browse pane are organized by their group membership.
Center on Server
Use the Center on Server feature to focus on a specific server. Center on Server
is useful in large topologies as you can bring a specific server to the center of
the Topology View pane.
To center the topology view on a specific server
1. Click the Forest node in the treeview to see the list of DCs.
2. Select the DC you want to center in the Topology View pane.
3. Right-click the DC and select Center on Server.
To go back to the original view or to see the entire topology view, either use
the zoom icons (see “Tools” on page 21) or reset the current layout view
(see “Resetting the Layout of the Current View” on page 27).
Select
The Select menu allows you to select specific DCs in the Topology View pane:

All: Selects all DCs in the forest.

By Name: Selects a specific server when you enter the server’s name.

DCs in Domain: Selects all DCs in the same domain as a selected DC.

Server Roles: Selects which DCs have server roles:
  • PDC Emulators
  • RID Servers
  • Infrastructure Masters
  • Domain Naming Master
  • Schema Master
  • GC Servers
  • ISTG Servers

My Favorites: A list of all your favorite configurations. My Favorites are logical groups of DCs that you define. This makes it easy to select many DCs at once:
  • Create Favorite
  • Delete Favorite
  • Edit Favorite(s)
  • Rename Favorite

Create Favorite
Favorites you create are added to the Browse pane under the My Favorites node
and to the Select | My Favorites menu. Each Favorite grouping expands to show
the full Domain Naming System (DNS) names of its DCs.
To create a Favorite
1. Select the DCs in the Browse or Topology View pane that you want to
   include in the Favorite.
2. Right-click and select Select | My Favorites | Create Favorite.
   This launches the Favorites dialog box. The DCs you selected are
   displayed in the DCs in Favorite list.
   You can also right-click in the Browse or Topology View pane and select
   Select | My Favorites | Create Favorite.
3. Enter a name for the Favorite in the Favorite Name box.
4. Click OK.
   The Favorite you created will be added in the Browse pane under the
   My Favorites node and to the Select | My Favorites menu.
You can select to Browse by Site or Browse by Domain within the Create
Favorite dialog box by right-clicking in the Available DCs pane.
Delete Favorite
You can select and delete Favorite groupings.
To delete a Favorite
1. Select the Favorite you want to delete in the Browse pane.
2. Right-click and select Select | My Favorites | Delete Favorite.
   The Favorite you deleted will be removed from the Browse pane under
   the My Favorites node and from the Select | My Favorites menu.
Edit Favorite(s)
You can edit the Favorites you create and perform the following tasks:
• Add or remove a DC
• Add a site
• Add a domain
• Add an entire forest
• Add another Favorite
• Change the name of the Favorite
To add items to a Favorite
1. Right-click in the Browse or Topology View pane and select Select |
   My Favorites | Edit Favorite(s).
   This launches the Favorites dialog box. Previously configured
   Favorites are displayed in the Configured Favorites list.
2. Select the Favorite you want to edit in the Configured Favorites list.
   The name of the Favorite is displayed in the Favorite Name box, and
   the DCs that make up the Favorite are displayed in the DCs in Favorite
   list.
3. Select the DC/site/domain/forest you want to add to the Favorite in
   the Available DCs list and click Add.
   – OR –
   Select the Favorite you want to add in the Available DCs list and click
   Add.
You can select to Browse by Site or Browse by Domain within the Edit
Favorite(s) dialog box by right-clicking in the Available DCs pane.
To remove DCs from a Favorite
1. Right-click in the Browse or Topology View pane and select Select |
   My Favorites | Edit Favorite(s).
   This launches the Favorites dialog box. Previously configured
   Favorites are displayed in the Configured Favorites list.
2. Select the Favorite you want to edit in the Configured Favorites list.
   The name of the Favorite is displayed in the Favorite Name box, and
   the DCs that make up the Favorite will display in the DCs in Favorite
   list.
3. Select the DC you want to remove from the Favorite in the DCs in
   Favorite list and click Remove.
Rename Favorite
To rename a Favorite
1. Select the Favorite you want to rename in the Browse pane.
2. Right-click and select Select | My Favorites | Rename Favorite.
3. Enter the new name for the Favorite.
Server Information
Server Information is displayed when you place the pointer over a DC in the
Topology View pane. The name of the DC or server is shown.
To view Server Information
1. Discover your topology.
2. Place the pointer over a DC in the Topology View pane.
   The DC name is shown.
Server Information is enabled by default when you first launch Spotlight on
Active Directory.
Tools
Spotlight on Active Directory Topology Viewer provides you with various tools
when working with the Topology view:

Toggle Site Grouping On/Off: Toggles Site grouping on and off. For more information, see “Working with Groups” on page 101.

Toggle CustomGroup Grouping On/Off: Toggles CustomGroup groupings on and off. For more information, see “Working with Groups” on page 101.

Toggle Replication Links On/Off: Toggles the display of replication arrows on and off. Replication arrows are dark aqua in color.

Toggle Time Sync Links On/Off: Toggles the display of time synchronization arrows on and off. Time synchronization arrows are blue in color. When interpreting Time Sync arrows, a line from DC1 to DC2, for example, indicates that DC1 sends its time to DC2. Therefore, DC2 synchronizes its time with DC1.

Toggle Labels On/Off: Toggles the display of computer and site names on and off.

Toggle Details On/Off: Toggles the display of server information on and off. Server information appears when you position your mouse over a DC in the topology. It displays the name, domain, and site of the DC, as well as the top 3 diagnostic and monitoring errors on that DC. If there are fewer than 3 monitoring errors, more diagnostic errors are shown.

Collapse Selected Grouping: Collapses selected expanded groups in the Topology View pane.

Expand Selected Grouping: Expands selected groups in the Topology View pane.

Group Selected Grouping(s): Groups selected sites in the Topology View pane.

Ungroup Selected Grouping(s): Ungroups selected sites in the Topology View pane.

Select Server or Groupings in the Topology: Allows you to select servers or groupings in the Topology View pane.

Pan the Topology: Allows you to reposition DCs in your topology view by clicking a DC and dragging it to a different position in the Topology View pane.

Zoom In: Magnifies the topology. Click the area of the topology where you want to zoom in.

Zoom Out: Zooms out the entire topology so you can see more in the Topology View pane.

Center on Point: Zooms in on the topology on the exact location you click (you do not have to click a server).

Toggle Prominent Links On/Off: Highlights the links for a selected group or node in the topology view. Links for other non-selected groups or nodes in the topology view appear dimmed.

Autogrouping: Opens the Autogrouping Rules dialog box, which allows you to create rules used to automatically organize your sites into groups.

Using Quest® Spotlight® on Active Directory® Topology Viewer
Setting Impersonation Credentials
You can configure alternate credentials under which to execute analysis tests.
The user credentials you specify must have sufficient permissions to execute the
analysis test.
To set impersonation credentials
1. Select Edit | Analysis Test Credentials.
   This opens the Credential Management dialog box.
2. Click Add.
3. Enter the domain\user name and password you want to use.
   You must enter a valid Windows user name, and this account must have
   sufficient administrative privileges to run the analysis tests.
4. Click OK.
   The credentials are stored in a list of valid credentials for running
   analysis tests.
You can also specify alternate credentials for impersonation in the
Impersonation pane of the “Analysis Test Options” on page 28, or when
scheduling an analysis test. For more information, see “Running and
Scheduling Analysis Tests” on page 57.
Setting Notification Groups
You can configure different notification groups to be notified upon failure of an
analysis test.
To set notification groups
1. Select Edit | Notification Groups.
   This opens the Notification Groups dialog box.
2. Enter the name of the SMTP server.
3. Click New in the Notification Groups pane to add a new group.
4. Enter the new group name, the subject, and the originating email address
   for the group.
5. Click New in the Group Members pane.
6. Enter the recipient's First Name, Last Name, Email Address, and select Yes
   in the Enable field.
7. Click OK.
To delete a notification group or a member of a notification group, select the
group or group member you want to delete and click Delete.
Customizing the Topology Viewer
Initially, Spotlight on Active Directory Topology Viewer defaults to a layout view
of the entire forest you have specified. However, it also provides system Views
that you can apply to that forest. In addition, Spotlight on Active Directory
Topology Viewer allows you to filter the topology view to suit your needs. This
makes it much easier for you to view the status of, and work with, the servers
you are concerned about. This ability is of particular value to local administrators
who are responsible for a small number of domain controllers (DCs).
Spotlight on Active Directory Topology Viewer provides system Views that you
can apply to the forest you have specified. Also, instead of dealing with the entire
forest, you can create custom Views that display only specific domains or groups
of DCs. You can also delete or edit these custom Views.
In addition to the topology view, system and custom Views are also applied to
the treeview and the Analysis Test Results tab. Test results are shown only for
the target servers that are part of the system or custom View currently applied.
Spotlight on Active Directory Topology Viewer retains the last View. This last
View is loaded the next time you launch Spotlight on Active Directory
Topology Viewer.
You can customize the topology view by:
• Applying a System View
• Creating a Custom View
• Deleting a Custom View
• Editing a Custom View
• Resetting the Layout of the Current View
Applying a System View
Spotlight on Active Directory Topology Viewer provides system views that you
can apply to the current discovered forest:
• All (default - shows entire forest)
• Domain Naming Masters
• Global Catalogs
• Infrastructure Masters
• Intersite Topology Generators
• PDC Emulators
• RID Masters
• Schema Masters
Any custom views you create are also added to this list. You cannot delete or
modify these system views.
When you apply another system or custom View, this can affect what is
shown in the Analysis Test Results tab. If a server whose test results are
shown is not included in the View you select, then those test results
disappear from the Analysis Test Results tab.
To select a system view
1. Click [icon] in the View box above the topology view pane.
2. Select the system view you want to apply.
Creating a Custom View
You can create custom views and define them by site, domain, server or naming
convention. You can select the domains or servers you want to include, or use
naming conventions to filter only the servers you want to include.
To create a View
1. Select View | Create View.
   This launches the View Wizard. You can also do this by clicking [icon]
   next to the View list above the main topology view pane.
2. Click Next.
3. Select the type of view you want and click Next.
4. Select the sites you want to include in the view and click Next.
   Your selection can also be domains, servers or naming conventions,
   depending on the type of view you selected.
5. Enter a name for the view you are creating and click Next.
6. Review the settings you have selected.
   To make changes, click Back until the Wizard displays the page you want,
   make your corrections and then click Next until you are at the Summary
   page.
7. Click Finish to save and apply the view you have created.
   Your custom view will be added to the View list above the main pane.
Deleting a Custom View
You can delete the custom View currently displayed. However, you cannot delete
the system views provided with Spotlight on Active Directory Topology Viewer.
To delete the current View
1. Select View | Delete Current View.
2. Click Yes to confirm you want to delete the current View.
Editing a Custom View
Once you have created a custom View, you can modify it. Spotlight on Active
Directory Topology Viewer allows you to change any of the parameters of the
custom View currently displayed.
You cannot modify the system views that are provided with Spotlight on
Active Directory Topology Viewer.
To edit the current View
1. Select View | Edit Current View.
   This launches the View Wizard. You can also do this by clicking [icon]
   next to the View list above the main topology view pane.
2. Click Next.
3. Modify the type of view if necessary and click Next.
4. Modify the sites included in the View if necessary and click Next.
   You can also modify domains, servers or naming conventions, depending on
   the type of view you selected.
5. Change the name of the View if necessary and click Next.
6. Review the settings you have selected.
   To make further changes, click Back until the Wizard displays the page you
   want, make your corrections and then click Next until you are at the
   Summary page.
7. Click Finish to save and re-apply the View you have modified.
Resetting the Layout of the Current View
If you have adjusted the server layout in your topology view by moving the
servers, you can reset the view back to its original layout.
To reset the layout of the current View
• Select View | Reset Current View Layout.
Setting Options
Spotlight on Active Directory Topology Viewer allows you to customize or define
default settings for:
• Analysis Test Options
• Global Notification Options
• Database Options
• Operations Manager Options
• Forest Discovery Options
• Web Reports Options
• InTrust® Integration
Analysis Test Options
You can specify default Analysis test settings for newly created analysis tests.
These settings include Scheduling, Impersonation, and Notification options.
To configure the default analysis test options
1. Select Edit | Options.
2. Click the Analysis Tests icon in the Options pane.
3. In the Execution Schedule pane, select Run every and specify the interval
   for running the test.
   – OR –
   Select Run every day at and enter the time you want the test to run.
   You can select the Between check box to run the test during specified
   hours. The default setting is to execute the test every 30 minutes, daily,
   between 8 AM and 5 PM.
4. In the Notification Settings pane, accept the default - <no notification
   group>.
   – OR –
   Select a notification group from the list.
   If you select a notification group, you must specify the number of
   consecutive alarms needed to trigger the notification, whether you want to
   limit the number of notifications sent, and the maximum number of
   notifications sent per alarm.
5. In the Impersonation Settings pane, select Execute the credentials of the
   diagnostic services.
   These are the credentials entered during the installation of the
   diagnostic services. This is the default option.
   – OR –
   Select Execute using a credential.
   Select the credentials you want to use from the list of available
   credentials. Click Configure Credentials to open the Credential
   Management dialog box and add existing Windows credentials to the list of
   credentials you can use to execute analysis tests.
When you run an analysis test using the Run Once option, default notification
and impersonation settings are used.
The default options or settings are used when you configure a new analysis
test. To edit any of the test settings for an existing test, you must go to the
Analysis Test Schedule Management dialog box. For more information, see
“Editing a Scheduled Analysis Test” on page 61.
Global Notification Options
You can configure Spotlight on Active Directory Topology Viewer to globally send
email notifications upon failure of an analysis test. All users in a defined
notification group are notified when a test fails. In addition to email notifications,
you can configure notifications to launch external applications.
Notifications are not sent if the test does not complete. Notifications are sent
only if the test fails upon completion.
To configure the global notification options
1. Select Edit | Options.
2. Click the Global Notifications icon in the Options pane on the left of the
   dialog box.
3. Enter the name of the SMTP server for sending email notifications.
4. Enter the application to run on alert.
   The application is launched by the Diagnostic Services and has no
   interaction with the desktop.
5. Enter the parameters to run the application, and click OK.
   The system stores this information for future use.
Should you change any of the global settings after a test has been configured
and scheduled to run, that test will still run with its original configuration. To
modify the settings for an existing test, select Edit | Analysis Test.
Database Options
The supported databases are SQL Server 2005, SQL Server 2005 Express, and
MSDE.
To activate database storage
1. Select Edit | Options.
2. Click the Database icon in the Options pane.
3. Enter the interval for data retention for raw, hourly, and daily in the
   Database Retention box.
   (The default interval is 30 days. Database retention specifies the length
   of time analysis test results are stored. Test results older than the
   specified retention period are purged from the database on a nightly
   basis.)
4. Click OK.
Operations Manager Options
You can configure Spotlight on Active Directory Topology Viewer to integrate
with Operations Manager, either Microsoft® Operations Manager (MOM) 2005 or
System Center Operations Manager 2007. This provides end-to-end discovery,
diagnosis, and resolution of Active Directory issues from a single console. You
can set the location of the Operations Manager to read alerts from the
Operations Manager database and display them in Spotlight on Active Directory.
These alerts can be viewed by right-clicking a domain controller in the Topology
Viewer, and navigating to the Operations Manager Properties tab. You can set
the location of the server to allow forwarding alerts generated from Spotlight on
Active Directory to Operations Manager.
To configure Operations Manager options
1. Select Edit | Options.
2. Click the Operations Manager icon in the Options pane to the left of the
   dialog box.
3. Select either Microsoft Operations Manager 2005 or System Center
   Operations Manager 2007.
4. Depending on the option selected in step 3, enter the location of the
   Operations Manager Server or MOM Database Server, and click OK.
Forest Discovery Options
Every two hours, Spotlight on Active Directory Topology Viewer automatically
refreshes the topology of all the forests you have discovered. However, you can
configure Spotlight on Active Directory Topology Viewer to refresh only selected
forests.
To configure Forest Discovery options
1. Select Edit | Options.
2. Click the Forest Discovery icon in the Options pane on the left of the
   dialog box.
   The dialog box displays a list of all the discovered forests. By default
   they are all selected.
3. Clear the check box for the forests you do not want refreshed, and click
   OK.
Web Reports Options
If the computer running IIS also has SSL installed, Spotlight on Active Directory
Topology Viewer must use the SSL format in order for Web Reports to work
properly. You can make this configuration change using the Web Reports
options.
To configure Web Reports options
1. Select Edit | Options.
2. Click the Web Reports icon in the Options pane on the left of the dialog
   box.
3. Select the Use SSL when browsing Web Reports check box, and click OK.
InTrust® Integration
In order to view changes from InTrust for Active Directory, you must first link it
into Spotlight on Active Directory.
To integrate InTrust for Active Directory
1. Select Edit | Options.
2. Click the InTrust Integration icon in the Options pane on the left of the
   dialog box.
3. Enter the name of the InTrust Database Server, and click OK.
If you have renamed your InTrust database, you must specify the new name
of the database in the InTrust Database Name box.
Setting Properties
The Properties dialog box provides you with Replication and Time
Synchronization properties. You can view general computer information, view
and configure the monitored objects list, view messages returned by monitored
objects, and view local changes on specific servers.
To view properties
1. Right-click a node in the forest.
2. Select Properties.
Spotlight on Active Directory Topology Viewer contains these properties tabs:
• General Properties
• Operating System Properties
• DNS Properties
• Time Sync Properties
• Replication Properties
• NTFRS Properties
• DFSR Properties
• GPO Properties
• Latency Properties
• Local Changes Properties
• MOM Properties
General Properties
The General Properties tab contains the following:
• DNS Name - indicates the name of the selected DC on the Active Directory
  network
• IP Address - indicates the IP address assigned to the selected DC
• Domain - indicates the domain to which the selected DC belongs
• Site - indicates the site to which the selected DC belongs
• Server - indicates which server roles are being performed by the DC.
  Available roles include the following:
    • PDC Emulator
    • RID Master
    • Infrastructure Master
    • Domain Naming Master
    • Schema Master
    • ISTG Server
    • GC
• Total Physical Memory - indicates the total amount of memory available
• Processors - indicates the vendor, speed, and model number of the
  processors in the DCs on your network
Operating System Properties
The Operating System Properties tab contains the following:
• Version - indicates the current version of the operating system
• Build - indicates the build number of the version
• Service Pack - indicates the current service pack installed on the selected
  DC
• Hotfixes - indicates the details of any hotfixes that have been applied to
  the selected DC
    • Hotfix ID - the Microsoft Knowledge Base Article Number
    • Comments - the patch information for the Article Number
• Start the Service Pack and Hotfix Analysis using this configuration button -
  indicates the analysis process uses the Service Pack and Hotfix details of
  the selected DC when applying the diagnostic view.
DNS Properties
The DNS Properties tab contains the following:
• DNS Servers - indicates the DNS Servers associated with the network card
• DNS Registered Records - lists the registered DNS records on the DNS
  servers on the network
Time Sync Properties
The Time Sync Properties tab contains the following:
• Configuration - indicates Time Synchronization details for the selected DC:
    • Synchronization Type - indicates the type of synchronization performed.
    • Parent - indicates the DC being used by the selected DC to synchronize
      its time. By default, this is the PDC Emulator for the domain.
    • Period - indicates the specified number of times per day, if the
      Specified times per day option is selected.
• Service State - indicates the current state of Time Synchronization. The
  possible states are as follows:
    • Running
    • Paused
    • Pausing
    • Stopped
    • Stopping
    • Starting
    • Resuming
Replication Properties
The Replication Properties tab contains the following:
• Distinguished Name - indicates the distinguished name of the selected DC
• KCC Enabled (intersite) - shows if the intersite (between sites) KCC is
  enabled on the selected DC. If the KCC is enabled, it will return a value
  of Enabled. If it is disabled, it will return a value of Disabled.
• KCC Enabled (intrasite) - shows if the intrasite (within sites) KCC is
  enabled on the selected DC. If the KCC is enabled, it will return a value
  of Enabled. If it is disabled, it will return a value of Disabled.
• Replication Links - shows replication link direction and the DCs that
  replicate with the selected DC:
    • Inbound - indicates if the link is inbound from the DC in the Domain
      Controller column
    • Outbound - indicates if the link is outbound to the DC in the Domain
      Controller column
    • Domain Controller - gives a list of replication partners
NTFRS Properties
The NT File Replication Service (NTFRS) Properties tab contains the following:
• General Settings - shows the following general settings:
    • Working Directory - shows the working storage directory for replication
      data
    • Staging Space Limit - shows the maximum amount of disk space allocated
      to files held on disk until they are retrieved by all downstream
      replication partners
    • USN Journal Size - shows the current size of the update sequence number
      (USN) Journal in megabytes (MB)
    • Short Polling Interval - shows the interval the NTFRS uses to poll the
      Active Directory at service startup or after configuration changes
    • Long Polling Interval - shows the interval with which NTFRS polls the
      Active Directory for configuration changes after eight short polling
      intervals have finished without interruption
• Log Settings - shows the following logging-related details:
    • NTFRS Logging Enabled - Shows if NTFRS Logging is enabled or disabled
      on the selected domain controller.
    • Log File Severity Detail - Shows the level of detail that the NTFRS
      records in its trace log files (Ntfrs_000n.log).
    • Number of Log Files Generated - The number of debug log files that are
      kept on the selected domain controller.
    • Number of Messages per Log File - The maximum number of messages logged
      to a file for the selected domain controller.
    • View logs button - launches the NTFRS Log File Viewer dialog box
• Service State - shows the current state of NTFRS: Running, Stopped, or
  Missing
NTFRS Log File Viewer
The NTFRS Log File Viewer collects the names of all the log files currently existing
on a DC. Click a specific log file in the Available Log Files list to load the log file
information into the bottom listview of the dialog box. The NTFRS Log File Viewer
displays the following:
• Location of Log Files - indicates the DC where the log files are located
• Available Log Files - indicates the name, size (bytes), and time stamp of
  the log files on the DC
• Log Files - indicates the specific log file you select in the Available Log
  Files list
• Number of Entries - indicates the number of entries in the log file you
  select
• Data - shows the Log file details including the Source, Thread ID, Line,
  Severity, Time, and Message for each entry in the log file
• Load Progress - shows the progress of the log file as it loads into the
  Data pane
DFSR Properties
The Distributed File System Replication Service (DFSR) Properties tab contains
the following:
• General Settings - shows the following general settings:
    • Staging Directory - shows the temporary storage directory for
      replication data.
    • Polling Interval - shows the interval, in minutes, between Active
      Directory Domain Service cycles.
    • Reghosting Rate - shows the maximum rate, in minutes, at which
      reghosting occurs.
    • Enable Light DS Polling - shows if the periodic check for configuration
      changes in the Active Directory Domain Services is enabled or disabled.
      Enabling light DS polling speeds up the service response to certain
      types of configuration changes.
    • Max Offline Time - shows the maximum number of days that the server can
      be disconnected from replication.
• Log Settings - shows the following logging-related details:
    • DFSR Logging Enabled - Shows if DFSR Logging is enabled or disabled on
      the selected domain controller.
    • Log File Severity Detail - Shows the level of detail that the DFSR
      records in its trace log files (Dfsr_000n.log).
    • Number of Log Files Generated - The number of debug log files that are
      kept on the selected domain controller.
    • Number of Messages per Log File - The maximum number of messages logged
      to a file for the selected domain controller.
• Service State - shows the current state of DFSR: Running, Stopped, or
  Missing
GPO Properties
The Group Policy Object (GPO) Properties tab contains the following:
• GPO Logging - shows the following details:
    • Advanced GPO Event Logging Enabled - shows Enabled or Disabled,
      depending on whether or not GPO Event Logging is enabled
• GPO Object List - shows the following details:
    • GPO Name - shows the name given to the GPO when it is created
    • GUID - shows the unique identifying number assigned to the GPO when it
      is created
    • Created - shows the date and time the GPO was created
    • Changed - shows the date and time the GPO was last changed
    • SU - shows the Sysvol user version of the GPO
    • SM - shows the Sysvol machine version of the GPO
    • DU - shows the directory services user version of the GPO
    • DM - shows the directory services machine version of the GPO
Latency Properties
The Latency Properties tab contains the following:
• Replication Latency - shows how long it takes replication to occur from one
  DC to another:
    • Domain Controller - shows the DCs to which the selected DC has a
      replication path.
    • Site - shows the site to which the DC belongs.
    • DS Replication Time - shows the amount of time it takes for AD
      replication to occur.
    • File Replication Time - shows the amount of time it takes for file
      replication to occur.
Local Changes Properties
The Local Changes Properties tab contains the following:
• Distinguished name of Root Object to obtain list from - indicates the
  distinguished Name of the AD object to be used as the starting point of the
  search. You can browse for the AD object you want to use.
• Highest Committed USN - indicates the highest committed Update Sequence
  Number (USN)
• List changes since - shows the USN to be used as the starting point in the
  search. By default, this number is the Highest Committed USN, but you can
  enter a different number if you want to search based on a number other than
  the Highest Committed USN.
• List All Changes on this Server since USN - shows all of the objects with
  changes since the indicated USN
Double-click an object in the list to display its properties. The Changed
Object Properties dialog box lists the name of the Object Property that
changed, the version of the Object Property, the time the change occurred,
the originating server, the Originating USN, and Local USN.
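The fields on the Local Changes tab correspond to data a DC exposes directly, so the same "changes since USN" listing can be cross-checked outside the console. The following is an added example using the ActiveDirectory PowerShell module; it is not part of the Quest guide or product, and the function name, the server name dc01.example.test, and the 1000-USN default window are assumptions.

```powershell
# Added example (not Quest code). Requires the ActiveDirectory RSAT module.
# Get-LocalChangesSince is a hypothetical helper name; dc01.example.test is a
# placeholder DC name.
Import-Module ActiveDirectory

function Get-LocalChangesSince {
    param(
        [Parameter(Mandatory)] [string] $Server,  # DC to query; USNs are per-DC values
        [string] $SearchBase,                     # root object DN; defaults to the domain NC
        [int64]  $SinceUsn = -1                   # -1 = start 1000 USNs below the current maximum
    )

    # The rootDSE of the DC carries its highest committed USN.
    $rootDse = Get-ADRootDSE -Server $Server
    $highest = [int64]$rootDse.highestCommittedUSN
    if (-not $SearchBase) { $SearchBase = $rootDse.defaultNamingContext }
    if ($SinceUsn -lt 0)  { $SinceUsn = [math]::Max(0, $highest - 1000) }

    # uSNChanged is not replicated: its value is local to the DC being asked,
    # so every call below must target the same -Server.
    $changed = Get-ADObject -Server $Server -SearchBase $SearchBase `
        -LDAPFilter "(uSNChanged>=$SinceUsn)" -Properties uSNChanged, whenChanged

    foreach ($obj in $changed) {
        # Per-attribute metadata: which property changed, its version, when,
        # the originating server, and the originating and local USNs.
        # -ShowAllLinkedValues also returns linked values such as group members.
        Get-ADReplicationAttributeMetadata -Object $obj -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.LocalChangeUsn -ge $SinceUsn } |
            Select-Object @{ n = 'Object'; e = { $obj.DistinguishedName } },
                          AttributeName, Version, LastOriginatingChangeTime,
                          LastOriginatingChangeDirectoryServerIdentity,
                          LastOriginatingChangeUsn, LocalChangeUsn
    }
}

Get-LocalChangesSince -Server 'dc01.example.test' |
    Sort-Object LocalChangeUsn |
    Format-Table -AutoSize
```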
MOM Properties
The MOM Properties tab contains the following:
• MOM database server - shows the location of the MOM database server
• Critical Errors - indicates the number of critical errors MOM has raised
  for a specific DC
• Errors - indicates the number of errors MOM has raised for a specific DC
• Warnings - indicates the number of warnings MOM has raised for a specific
  DC
• Alerts - shows the following details about the alerts:
    • Description - shows the description of the alarm that was raised
    • Name - shows the name of the alarm that was raised
    • Repeat Count - shows the number of times a particular alarm has been
      raised
    • Resolution State - shows the state of the event (whether it has been
      resolved or not)
    • Severity - shows the severity of the alarm raised. 30 is warning, 40 is
      error, 50 is critical error
    • Time Raised - shows the time the alarm was raised
Double-click an entry on the MOM Properties tab to open the MOM Alerts
dialog box. The MOM Alerts dialog box lists more detailed information about
the entry. If there are multiple entries in the list, you can view them in the
dialog box using the [icon] and [icon] buttons.
Configuring Operations Manager Integration
Providing end-to-end discovery, diagnosis, and resolution of Active Directory
issues from a single console, Spotlight on Active Directory Topology Viewer
offers integration with:
• Microsoft Operations Manager (MOM) 2005
• System Center Operations Manager (SCOM) 2007 Service Pack 1
• SCOM 2007 R2
When you highlight an Active Directory server alert, you can launch the Spotlight
Diagnostic Console to view the problem.
Spotlight on Active Directory must meet the following prerequisites for
Operations Manager integration:
• For Spotlight on Active Directory integration, the Spotlight on Active
  Directory Console component must be installed on the Operations Manager
  server.
• The Active Directory management pack must be installed and configured on
  the Operations Manager administrator console.
• SCOM or MOM agents must be deployed on the domain controllers (DCs) to be
  monitored, in order to see the Operations Manager alerts for the AD
  management pack.
In order for SCOM and MOM integration to work, you must be able to launch the
Spotlight Launcher. This program is installed when the Spotlight on Active
Directory Console is installed. Once the Console is installed, you can locate the
following two files that are needed for the integration configuration:
• SpotlightLauncher.exe
• Spotlights.xml
By default, both of these files are provided with Spotlight on Active Directory
Topology Viewer and are located in the following folder:
C:\Program Files\Quest Software\Spotlight\MOM Launcher.
To configure MOM integration
1. Select Start | Programs | Microsoft Operations Manager 2005 |
   Administrator Console.
2. Expand the Management Packs folder in the treeview.
3. Right-click the Tasks folder in the treeview and select Create Task.
4. Click Next.
5. Select Operator Console as the run location and click Next.
6. Select Events or Alerts as the view type in the Task Configuration dialog
   box.
7. In the Task Command Line box:
   a) Enter the path to the Spotlight Launcher.
   b) Click the arrow on the right side of the box.
   c) Select Generated by Computer in the Events view type or Computer Name
      in the Alerts view type.
   The command syntax should be:
   • Events view type (point to the Spotlight Launcher files):
     "Drive letter:\directory\SpotlightLauncher.exe" $Generated by Computer$
   • Alerts view type (point to the Spotlight Launcher files):
     "Drive letter:\directory\SpotlightLauncher.exe" $Computer Name$
   Use quotation marks around the Spotlight Launcher path. Use a single space
   between items in the command line.
8. Click Next.
9. Name the task "Diagnose using Spotlight" and enter the description.
10. Click Finish.
    When you re-open a MOM Operators Console, the task name appears in the
    Task Pane of that Console.
To launch Spotlight on Active Directory Diagnostic Console from a MOM
Alerts or Events view in the MOM Operators Console.
Before you launch Spotlight on Active Directory Diagnostic Console
from MOM Alerts or Events view, you must configure the Diagnostic
Console as a task and assign the task name "Diagnose using
Spotlight".
1. Select Start | Programs | Microsoft Operations Manager 2005 | Operator
   Console.
2. Click Events or Alerts tab in the left pane.
3. In the treeview, select the Events folder in Active Directory folder if
   you have chosen the Events tab.
   – OR –
   In the treeview, select the Alerts folder in Active Directory folder if
   you have chosen the Alerts tab.
4. Select an item in the detail view pane.
5. Click Tasks in the Toolbar if the Tasks pane is not visible.
6. Select the task name ("Diagnose using Spotlight") to launch the Spotlight
   Diagnostic Console from the Tasks pane.
To configure MOM within Spotlight on Active Directory
1. Open the Edit menu and choose Options.
2. Enter the relevant MOM/SCOM server name and the MOM database server name
   (if using MOM).
3. Select the Analysis Tests option, enter the Notification Settings, and
   click on the Forward alerts to Microsoft Operations Manager option.
   This causes alerts to be seen at the MOM/SCOM console. Perform this step
   when using MOM.
To configure SCOM integration
In order for SCOM and MOM integration to work, you must be able to launch
the Spotlight Launcher. This program is installed when the Spotlight on Active
Directory Console is installed. Once the Console is installed, you can locate
the following two files that are needed for the integration configuration:
• SpotlightLauncher.exe
• Spotlights.xml
By default, both of these files are provided with Spotlight on Active Directory
Topology Viewer and are located in the folder
C:\Program Files\Quest\Software\Spotlight\MOM Launcher.
1. Create a new management pack in the Administration pane.
2. Create a task in the Authoring pane.
3. Click Create New Task in the Actions pane.
4. Select Console Task as the task type and Command Line as the sub type.
5. Select the management pack you created in step 1 as the destination
   management pack. Assign the Task Target as Windows Domain Controller.
6. Click Next.
7. Enter the name "Diagnose using Spotlight" for the task.
8. For the Applications Name, enter the following path to the Spotlight
   Launcher:
   C:\Program Files\Quest Software\Spotlight\Plug-ins\SLAD\MOMSpotlightLauncher\SpotlightLauncher.exe.
9. For the parameters, select the Display Name property.
   $Target/Property[Type="System!System.Entity"]/DisplayName$
10. Continue through the wizard to completion.
    The Diagnose using Spotlight task is now visible in the monitoring pane.
11. You can now launch the Spotlight on Active Directory Diagnostic Console
    from within SCOM by highlighting an Error with a server and selecting the
    Diagnose using Spotlight task.
To configure SCOM within Spotlight on Active Directory
1. Open the Edit menu and choose Options.
2. Enter the relevant MOM/SCOM server name and the MOM database
server name (if using MOM).
3. Select the Analysis Tests option, enter the Notification Settings,
and click on the Forward alerts to Microsoft Operations
Manager option.
This causes alerts to be seen at the MOM/SCOM console. Perform this
step when using SCOM.
2 Detecting Active Directory Problems
• Detecting Active Directory Problems
• Analysis Tests Categories
• Running and Scheduling Analysis Tests
Detecting Active Directory Problems
Spotlight on Active Directory Topology Viewer provides analysis tests to help you
detect and analyze Active Directory problems. You can run analysis tests
instantaneously, or schedule them to run at specific times. You can also configure
Spotlight on Active Directory Topology Viewer to notify you, based on the results
of the different analysis tests. For more information, see “Setting Notification
Groups” on page 23.
Analysis Tests Categories
You can run any of the following analysis test categories:
• Directory Replication
• DNS
• File Replication
• Status/Performance
• Time Synchronization
Directory Replication
The Directory Replication test category contains the following available analysis
tests:
DIRECTORY REPLICATION ANALYSIS TEST | DESCRIPTION
Verify Directory Replication Health
Creates an object in the domain partition that will be
replicated to all other domain controllers. Based on what
domain controllers are selected as targets, Spotlight on
Active Directory will check those domain controllers for the
replicated object and report back how long it took for the
object to replicate. The container is found at the root of the
domain naming partition and is named
QuestReplicationMonitoring. A container for each target
domain controller will be created within the
QuestReplicationMonitoring container. It determines if a
selected DC has replicated with its replication partners.
When running or scheduling the Verify Directory Replication
Health analysis test, consider the following:
• You cannot have more than one active test with the
same source server.
• The source server cannot be the same as the
destination server.
• The timeout value cannot exceed the execution
frequency.
• There must be at least one destination server in the
same domain as the source server or Global Catalog
(GC) server.
Verify Schema Consistency
Checks all target domain controllers against the Schema
Master to ensure Schema consistency.
Find Replication Failures
Checks all replication links for any errors that occurred in
the last replication attempt.
When this analysis tool fails, you should:
• Check to make sure the DC is running and is connected
to the network.
• Check to see if you can connect to the DC through
Microsoft Native Tools (ADSIEdit, Sites and Services,
etc.). If not, then you probably do not have
administrative access to bind to that computer.
Check GPO Synchronization
First gets a list of all group policies from the PDC Emulator.
It then compares the file and directory version of each
group policy from the selected domain controllers to the
version found on the PDC Emulator. If the PDC Emulator is
in the list of target domain controllers, it will be skipped as
the PDC Emulator is the source to which group policies are
compared. This test shows if the following GPO properties
are inconsistent across any of the selected DCs in the
forest:
• Sysvol user version
• Sysvol machine version
• Directory Services user version
• Directory Services machine version
When this analysis tool fails, you should:
• DCs flagged as red may not have received replication
updates from their partners. Try forcing replication
between any affected DC and its partners using the
Force Replication analysis tool.
• Check to see if there have been any replication failures
on the affected DC.
• Ensure that you have administrative access to the
registry on the DC. The Sysvol location is stored in the
remote registry.
• Ensure that you have access to the file system on the
DC. The file portion of GPOs is read from the Sysvol
container on the remote DC.
Track Object Replication
Allows the user to select any object and track it as it is
replicated throughout your Active Directory forest. This test
is used to determine if all servers in the forest have the
selected copy of an Active Directory object. The Update
Sequence Number (USN)/source computer pair for each
property on the selected object is recorded from the source
computer. This ensures that the tested computer has
received all changes made to the object on the source
computer.
When you run or schedule this analysis test, you must select
more than one DC. The first DC becomes the source server.
You must also enter the full LDAP path of the object you
want to track.
When tracking an object in the domain naming context,
Global Catalog servers outside the domain might fail the
analysis test. Any Global Catalog server in the forest will fail
the analysis test if it does not have the selected copy of an
Active Directory object.
Test Replication Links
Ensures connectivity across all selected replication links. If
you run this test on a computer that is offline, you may
receive the error: There are no more end points available
from the end point mapper.
When this action fails, you should:
• Check to see if the replication partner is operational.
• Check if the replication partner can be contacted by the
target computer. The Check Partners' DNS Entries
analysis tool will tell you if the remote DC can find the
DNS entries it needs from its replication partners.
• Run the Find Replication Failures analysis tool to see if
there have been replication problems in the past.
• Run the Check W32Time Differential analysis tool to
see if there is a time synchronization problem causing
the failure.
DNS
The DNS test category contains the following available analysis tests:
DNS ANALYSIS TEST | DESCRIPTION
Verify DNS Health
Checks the health and responsiveness of DNS and whether
domain controllers (DCs) are properly configured to use
DNS. It checks all dependencies that Active Directory has
on DNS. This test validates numerous settings with DNS.
• If the Verify Netlogon entries check box is selected,
the test will enumerate all network adapters, get all
the DNS servers for those adapters, ensure each DNS
server is online and responsive, and then validate each
entry listed for that DNS server.
• If the Verify partner Netlogon entries check box is
selected, the test will enumerate all replication
partners for the target domain controller and validate
all entries listed for each DNS server.
• If the Verify PDC advertising check box is selected, the
test will ensure that an entry is listed in DNS for each
PDC Emulator in Active Directory.
• If the Verify GC advertising check box is selected, the
test will ensure that an entry is listed in DNS for each
Global Catalog in Active Directory.
• If the Skip Domain A record validation check box is
selected, the test will not trigger an alarm on any
missing Domain A records.
• If the Verify zone existence check box is selected, the
test will ensure that there is a zone for that domain
controller’s domain.
• If the Verify forwarder availability check box is
selected, the test will check the registry on the DNS
server to enumerate the forwarders and then ensure
each forwarder is online.
• User-specified external records of types A, SRV, and
CNAME can be resolved.
• The DNS Health test retrieves installed network
adapters once every four hours.
• DNS servers other than those used by domain
controllers can be tested.
It queries the DNS Server IP addresses specified for the
network adapter of the targeted DCs. This test reconciles
Netlogon entries found on the DC with the ones registered
on the DNS server. It performs this same validation for the
DC’s replication partners. The status of the DNS entries
registration with replication partners is shown in the test
results. Click the link in the test results to see the DNS
entries that have registered successfully or the individual
records that are missing on the DNS server.
Check DNS Entries
Validates each DNS entry for the selected domain
controllers. This test verifies that the DNS Entries
registered by a specific DC can be found on the DNS
Servers configured for the computer running Spotlight on
Active Directory Topology Viewer.
When this analysis tool fails, you should:
• Ensure that the server is operational.
• Ensure that you have access to the admin$ share on
the server. The tool requires access to the
netlogon.dns file stored in admin$\System32\config.
• Check to see if you can make DNS requests from your
computer. (The tool contacts the default DNS Servers
for the local computer.)
Check Partners’ DNS Entries
Validates each DNS entry for the replication partners of the
selected domain controllers. This test verifies that the DC
can find the DNS records of each of its inbound replication
partners on the DNS server that it is using.
When this analysis tool fails, you should:
• Ensure that the DC and its partners are operational.
• Ensure that you have access to the admin$ share on
the server. This tool requires access to the
netlogon.dns file stored in admin$\System32\config on
each of the target DNS server's inbound replication
partners.
• Verify (either using nslookup or the Microsoft DNS
snap-in) that the entries are actually registered.
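The reconciliation that Verify DNS Health, Check DNS Entries and Check Partners' DNS Entries describe, shown as an added Python example (not Quest's code): it parses the records a DC listed in netlogon.dns and reports those the DNS server did not return. The function names, host names, addresses and both sample texts are constructed for illustration; a real check would read the file from the DC and query its configured DNS servers.

```python
"""Reconcile records a DC lists in netlogon.dns with records DNS returned."""
from typing import NamedTuple


class Record(NamedTuple):
    owner: str   # lower-case, trailing dot removed
    rtype: str   # A, SRV or CNAME
    rdata: str   # normalised record data


def _name(value: str) -> str:
    """DNS names compare case-insensitively; drop the root dot as well."""
    return value.rstrip(".").lower()


def parse_records(text: str) -> set:
    """Parse '<owner> <ttl> IN <type> <rdata>' lines, skipping anything else."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner, rtype, rdata = _name(fields[0]), fields[3].upper(), fields[4:]
        if (rtype == "SRV" and len(rdata) == 4
                and all(f.isdigit() for f in rdata[:3])):
            priority, weight, port, target = rdata
            data = f"{int(priority)} {int(weight)} {int(port)} {_name(target)}"
        elif rtype == "CNAME" and len(rdata) == 1:
            data = _name(rdata[0])
        elif rtype == "A" and len(rdata) == 1:
            data = rdata[0]
        else:
            continue
        records.add(Record(owner, rtype, data))
    return records


def missing_records(registered: set, answered: set, domain: str,
                    skip_domain_a: bool = False) -> list:
    """Records the DC registered that the DNS server did not return."""
    apex = _name(domain)
    missing = []
    for record in sorted(registered - answered):
        if skip_domain_a and record.rtype == "A" and record.owner == apex:
            continue  # mirrors the "Skip Domain A record validation" option
        missing.append(record)
    return missing


def role_advertised(answered: set, role: str, dns_name: str) -> bool:
    """True if DNS holds an _ldap SRV record for role 'pdc' or 'gc'.

    dns_name is the domain for 'pdc' and the forest root domain for 'gc'.
    """
    owner = f"_ldap._tcp.{role}._msdcs.{_name(dns_name)}"
    return any(r.rtype == "SRV" and r.owner == owner for r in answered)


# Constructed sample: what dc1 wrote to its netlogon.dns file.
NETLOGON_DNS = """\
corp.example.com. 600 IN A 192.0.2.10
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 DC1.corp.example.com.
_ldap._tcp.pdc._msdcs.corp.example.com. 600 IN SRV 0 100 389 DC1.corp.example.com.
_ldap._tcp.gc._msdcs.corp.example.com. 600 IN SRV 0 100 3268 DC1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 DC1.corp.example.com.
gc._msdcs.corp.example.com. 600 IN A 192.0.2.10
"""

# Constructed sample: what the DC's DNS server returned for the same names.
DNS_ANSWERS = """\
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.gc._msdcs.corp.example.com. 600 IN SRV 0 100 3268 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
gc._msdcs.corp.example.com. 600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    registered = parse_records(NETLOGON_DNS)
    answered = parse_records(DNS_ANSWERS)
    for rec in missing_records(registered, answered, "corp.example.com"):
        print("missing on DNS server:", rec.owner, rec.rtype, rec.rdata)
    for role in ("pdc", "gc"):
        state = "yes" if role_advertised(answered, role, "corp.example.com") else "NO"
        print(f"{role} advertised: {state}")
```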
File Replication
The File Replication test category contains the following available analysis tests:
FILE REPLICATION ANALYSIS TEST | DESCRIPTION
Verify File Replication Health
Creates a file in the SYSVOL share to be replicated. Based
on what domain controllers are selected as targets,
Spotlight on Active Directory will check those domain
controllers for the replicated file and report back how long it
took for the file to replicate. The file will be created within
the domain folder that resides in the SYSVOL share. The
filename will be QuestFrsMonitoring<domain> where
<domain> is the fully qualified domain name for that
domain controller. This test determines if a selected domain
controller (DC) can replicate files with its replication
partners.
When running the Verify File Replication Health analysis
test, you should consider the following:
• You cannot have more than one active test with the
same source server.
• The source server cannot be the same as the
destination server.
• The timeout value cannot exceed the execution
frequency.
• There must be at least one destination server in the
same domain as the source server.
For more information on starting NTFRS or DFSR, see
“Starting the Service” on page 82.
Confirm File Presence
Allows you to select any file and check for its presence on
other domain controllers. This test verifies that the files
stored on all shares are physically the same files. Confirm
File Presence verifies the file size in bytes, file date, and file
name between the source computer and all other selected
computers.
When you run or schedule this analysis test, select the
source server from the list and enter the name of the file or
folder you want confirmed. The Confirm File Presence
analysis test will stop comparing files on a DC once 10
errors have been reached.
When this analysis tool fails, you should:
• Ensure that you have administrative rights to access
the file system on the affected DC.
Check GPO Synchronization
First gets a list of all group policies from the PDC Emulator.
It then compares the file and directory version of each
group policy from the selected domain controllers to the
version found on the PDC Emulator. If the PDC Emulator is
in the list of target domain controllers, it will be skipped as
the PDC Emulator is the source to which group policies are
compared. This test shows if the following GPO properties
are inconsistent across any of the selected DCs in the
forest:
• Sysvol user version
• Sysvol machine version
• Directory Services user version
• Directory Services machine version
When this analysis tool fails, you should:
• DCs flagged as red may not have received replication
updates from their partners. Try forcing replication
between any affected DC and its partners using the
Force Replication analysis tool.
• Check to see if there have been any replication failures
on the affected DC.
• Ensure that you have administrative access to the
registry on the DC. The Sysvol location is stored in the
remote registry.
• Ensure that you have access to the file system on the
DC. The file portion of GPOs is read from the Sysvol
container on the remote DC.
Check NTFRS/DFSR Status
Shows if the NTFRS or DFSR service is not running on the
selected domain controllers.
For more information on starting the file replication services,
see “Starting the Service” on page 82.
When this analysis tool fails, you should:
• Try starting the NTFRS or DFSR service through
Spotlight on Active Directory Topology Viewer.
• Try connecting to the Service Control Manager through
Microsoft native tools (services.msc). If you cannot
connect, you may not have the required administrative
access to that DC.
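The comparison that Check GPO Synchronization describes, in both the Directory Replication and File Replication categories, shown as an added Python example (not Quest's code). It relies on the standard encoding of a GPO version value (user version in the upper 16 bits, machine version in the lower 16 bits), used both in the Version= line of GPT.INI in Sysvol and in the directory's versionNumber attribute. The DC names, the GPO GUID and all version values are constructed.

```python
"""Compare GPO versions on target DCs with the PDC Emulator's copy."""
import configparser
from typing import NamedTuple


class GpoVersions(NamedTuple):
    sysvol_user: int
    sysvol_machine: int
    ds_user: int
    ds_machine: int


def split_version(value: int) -> tuple:
    """Upper 16 bits hold the user version, lower 16 bits the machine version."""
    return (value >> 16) & 0xFFFF, value & 0xFFFF


def sysvol_version(gpt_ini_text: str) -> int:
    """Read Version= from the [General] section of a GPO's GPT.INI file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")


def versions(gpt_ini_text: str, ds_version_number: int) -> GpoVersions:
    """Combine the Sysvol (file) and Directory Services versions of one GPO."""
    s_user, s_machine = split_version(sysvol_version(gpt_ini_text))
    d_user, d_machine = split_version(ds_version_number)
    return GpoVersions(s_user, s_machine, d_user, d_machine)


def check_gpo_sync(per_dc: dict, pdc_emulator: str) -> dict:
    """Return {dc: {gpo_guid: [inconsistent properties]}}.

    per_dc maps a DC name to {gpo_guid: GpoVersions}. The GPO list and the
    reference versions come from the PDC Emulator, which is itself skipped.
    """
    baseline = per_dc[pdc_emulator]
    findings = {}
    for dc, gpos in per_dc.items():
        if dc == pdc_emulator:
            continue
        for guid, reference in baseline.items():
            seen = gpos.get(guid)
            if seen is None:
                diffs = ["missing"]
            else:
                diffs = [field for field in GpoVersions._fields
                         if getattr(seen, field) != getattr(reference, field)]
            if diffs:
                findings.setdefault(dc, {})[guid] = diffs
    return findings


# Constructed sample data: one GPO as seen on three DCs.
GUID = "{00000000-0000-0000-0000-000000000001}"  # placeholder GUID
GPT_CURRENT = "[General]\nVersion=196613\ndisplayName=Sample policy\n"  # user 3, machine 5
GPT_STALE = "[General]\nVersion=196612\n"                               # user 3, machine 4

PER_DC = {
    "dc1": {GUID: versions(GPT_CURRENT, 196613)},  # PDC Emulator (reference)
    "dc2": {GUID: versions(GPT_STALE, 196613)},    # Sysvol copy lags behind
    "dc3": {GUID: versions(GPT_CURRENT, 131077)},  # directory copy lags behind
}

if __name__ == "__main__":
    for dc, gpos in check_gpo_sync(PER_DC, "dc1").items():
        for guid, fields in gpos.items():
            print(f"{dc}: {guid} inconsistent in {', '.join(fields)}")
```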
Status/Performance
The Status/Performance test category contains the following available analysis
tests:
STATUS/PERFORMANCE ANALYSIS TEST | DESCRIPTION
Verify Server Health
Collects key data to determine overall server health. Data
collected includes performance counters, network
availability, disk space, critical services, directory service
availability, and event log errors.
Custom counters and/or thresholds can be configured for
performance counters, network availability, and disk space.
Performance data is polled twice over 30 seconds and
averaged.
You can be notified when optional performance counters and
optional services are missing from the target Domain
Controllers (DC). The default action for the test is to present
a warning if an optional performance counter or service is
missing. If this warning is not needed, you can disable this
warning so the Verify Server Health Analysis test can report
a successful completion.
When you run the Verify Server Health test once, all events
logged within the past hour are scanned.
When you schedule the Verify Server Health test, the
hardware is inspected every four hours. All events logged
within the past hour are scanned the first time the test runs.
On every subsequent run, the event log is scanned starting
back from the previous time the test ran.
When you run or schedule this analysis test, select the
components for which you want to gather information.
Options include performance counters, network availability,
disk space, critical services, directory service availability and
the event log.
You can modify the thresholds for the test by clicking Edit.
This will launch the Server Health Configuration Wizard. Any
modifications you make are applied only to the Server
Health test you are scheduling. If you want to modify the
thresholds used for all tests, access the Server Health
Configuration Wizard by selecting Start | Quest Software |
Spotlight on Active Directory | Server Health Configuration
Wizard.
NOTE: For more information on the Server Health
Configuration Wizard, see the Spotlight on Active Directory
Server Health Configuration Wizard User Guide found in
C:\Program Files\Quest Software\Spotlight on Active
Directory\Tools.
Verify FSMO Best Practices
Discovers the FSMO roles held by the target domain
controllers and checks for violations based on the roles held.
If the PDC Emulator and RID Master are on the same domain
controller check box is selected, the test will check if both of
these roles are located on the same domain controller.
If the Infrastructure Master should not host the Global
Catalog check box is selected, the test will check if any
domain controllers that hold the Infrastructure Master host a
copy of the Global Catalog.
If the Schema Master and Domain Naming Master are on the
same domain controller check box is selected, the test will
check if the Schema Master is also holding the Domain
Naming Master role.
When you run or schedule this analysis test, select one or
more best practices to test.
Verify Site Configuration
Checks the following configurable site settings:
• If the Intersite Topology Generation is disabled check
box is selected, the test will check all selected sites to
see if Intersite Topology Generation is disabled.
• If the No authority to resolve Universal Group
membership check box is selected, the test will check if
a domain controller is within the target site that can
resolve Universal Group membership. This requires
either a Global Catalog or a domain controller to be in
the target site.
• If the Exchange Server to Global Catalog ratio has been
exceeded check box is selected, the test will enumerate
all Exchange Servers and Global Catalogs in the target
site and produce an Exchange Server to Global Catalog
ratio. This ratio is then compared to the ratio provided
by the user, and if the actual ratio is greater than the
supplied ratio, the test will return a failure.
When you run or schedule an analysis test, select a site to
test and the settings to test against each site. The list of DCs
is modified based on the sites selected. One DC is selected
for each site to prevent several DCs alarming with the same
alert data.
Check Service Pack & Hotfixes
Uses the remote registry service to enumerate all installed
hot fixes and service packs on a domain controller. This is
then compared to what the user selected to check. If any
service packs or hot fixes are missing, the test will return a
failure and list any missing entries.
When you run or schedule this analysis test, enter a service
pack number and a Microsoft Knowledgebase Article
Number.
When this analysis tool fails, you should:
• Check to make sure you have administrative access to
the registry on the remote DC.
• Install the missing Hotfix or service pack on the DC and
run the tool again.
Check Service Status
Opens a dialog box that lists all existing services on the
query server. It checks that the services you chose are
running on all selected domain controllers.
When this analysis tool fails, you should:
• Try connecting to the Service Control Manager through
Microsoft native tools (services.msc). If you cannot
connect, then you may not have the required
administrative access to that DC.
• Physically restart the affected services on the DC.
Time Synchronization
The Time Synchronization test category contains the following available analysis
tests:
TIME SYNCHRONIZATION ANALYSIS TESTS | DESCRIPTION
Verify Time Synchronization
Checks if all the pieces of the time synchronization solution
function properly when Windows Time Service is used as a
time synchronization solution. This test combines the
functionality of three existing analysis tests: Check W32Time
Status, Check W32Time Parent Synchronization, and Check
W32Time Differential. The test also verifies synchronization
with a specified time source server if a third-party
NTP-based time synchronization solution is used, and allows
you to ignore alarms associated with the specified time
source server.
Check W32Time Differential
Compares the time of the selected domain controllers to the
PDC Emulator and compares this to the specified threshold.
If the threshold is exceeded, the test will return a failure.
This test shows you child DCs whose time is not
synchronized with their parent time server within a
user-defined margin. This margin is referred to as the time
sync gap. The default time sync gap is two minutes.
When you run or schedule this analysis test, enter a time
differential as an acceptable threshold.
When this analysis tool fails, you should:
• Ensure that the server is operational.
• Check to make sure your time differential gap is set to
the correct setting (default is 5 minutes).
• Check the properties of the server to see which
computer is its time sync parent server. If necessary,
change the Time Sync parameters of the server to point
to a different server.
Check W32Time Parent Synchronization
Ensures that the selected domain controllers are using the
PDC Emulator from their domain as their time source. The
root PDC Emulator cannot be tested against external time
sources. This test shows you any DC that is not
synchronizing time with the Windows default time server.
The Windows default time server is the PDC Emulator in its
domain. If the selected DC is the PDC Emulator for the
domain, the Windows default time server is the PDC
Emulator of the root domain.
When this analysis tool fails, you should:
• Ensure that the server is operational.
• Make sure you have administrative access to the file system.
The tool attempts to connect to the file system on the
remote server.
• Ensure that you have access to query the registry on the
remote server. The tool requires access to the registry to
determine the server's time sync settings.
• Check to make sure you have access to query the domain
object for that server. The tool attempts to find the Windows
default parent for a particular server by binding to objects in
Active Directory (starting with the object for the domain the
server is in).
• If required, change the parameters of the server to point to
the Windows default Time Sync server (for example, Resolve
| Time Sync | Set Parameters).
Check W32Time Status
Checks the status of the W32Time service. This test shows if
the W32Time Service is not running on the selected domain
controller.
When this analysis tool fails, you should:
• Ensure that the server is operational.
• Ensure that you have administrative access to query
services on that server.
• Try connecting to the Service Control Manager on the
remote computer through services.msc.
• Try physically restarting the service.
Indicators are applied to domain controllers (DCs) that cannot be contacted
or that return errors. A status of yellow indicates that the DC could not be
contacted, and a status of red indicates that the server has failed the test.
Running and Scheduling Analysis Tests
To run an analysis test
1. Select one or more DCs in the Topology View depending on the test
you are running.
Use your SHIFT key to make multiple selections.
2. Right-click one of the selected DCs and select Detect | <Test
Category> | <Analysis Test> | Run Once.
3. Click OK.
You can run analysis tests using the Assistant Pane. For more information,
see “Running Analysis Tests using the Assistant Pane” on page 62.
To schedule an analysis test
1. Select one or more DCs in the Topology View depending on the
analysis test you are scheduling.
2. Right-click a selected DC and select Detect | <Test Category> |
<Analysis Test> | Schedule.
3. Select Run every in the Scheduling tab and specify the interval for
running the test.
The default setting is to execute the test every 30 minutes, daily,
between 8 AM and 5 PM.
– OR –
Select Run every day at in the Scheduling tab and enter the time
you want the test to run.
You can select the Between check box to run the test during specified
hours or to run overnight.
4. Click OK.
To view analysis test results
• Place your mouse pointer over a server node in the Topology View pane. The highest
severity analysis test result is displayed in the Topology View.
To view more detailed results
1. Right-click the server in question.
2. Select View Test Results.
This displays the Result Pane, where you can select the test whose results
you want to view. The Test Category, Test Name, Target, Time, and Result
are displayed in the right side of the Result Pane. If a test has more than
one target, a summary grid of information is displayed.
All analysis tests will time out after either one hour or after the scheduled
time, whichever is greater.
Scheduling Analysis Tests with Impersonation Options
You can configure analysis tests to run under alternate credentials. The user
credentials you use must have sufficient permissions to execute the analysis
test.
To schedule an analysis test with impersonation options
1. Select Detect | <Analysis Test> | Schedule.
This opens the Analysis Test dialog box.
2. Select Run every in the Scheduling tab and specify the interval for
running the test.
The default setting is to execute the test every 30 minutes, daily,
between 8 AM and 5 PM.
– OR –
Select Run every day at in the Scheduling tab and enter the time
you want the test to run.
You can select the Between check box to run the test during specified
hours.
3. Click the Impersonation tab in the Advanced Options pane.
4. Select Execute using the credentials of the diagnostic
services.
These are the credentials entered during the installation of the
diagnostic services. This is the default option.
– OR –
Select Execute using one of the following credentials.
To execute using one of the following credentials
1. Select the credentials you want to use from the list of available
credentials.
2. Select Configure Credentials to open the Credential
Management dialog box.
3. Add existing Windows credentials to the list of credentials you can
use to execute analysis tests.
5. Click OK.
Scheduling Analysis Tests with Notification Options
You can configure Spotlight on Active Directory Topology Viewer to send email
notifications upon failure of an Analysis test. All users in a defined notification
group are notified when a test fails.
Notifications are not sent if the test does not complete. Notifications are sent
only if the test fails upon completion.
You can also forward any alerts to the Operations Manager console.
To schedule an analysis test with notification options
1. Select Detect | <Analysis Test> | Schedule.
This opens the Analysis Test dialog box.
2. Select Run every in the Scheduling tab and specify the interval for
running the test.
– OR –
Select Run every day at in the Scheduling tab and enter the time
you want the test to run.
You can select the Between check box to run the test during specified
hours or to run overnight. The default setting is to execute the test
every 30 minutes, daily, between 8 AM and 5 PM.
3. Select the Notifications tab in the Advanced Options pane.
4. Select the notification group you want to notify.
5. Enter the number of consecutive alarms.
Once a specific number of alarms are triggered, the notification is
sent.
6. Enter the number of maximum notifications to be sent per alarm.
7. If necessary, select the Forward alerts to Operations Manager check
box to send any alerts to the Operations Manager console.
8. Click OK.
The configured analysis test executes. If the test fails, a notification
is sent to all members of the specified notification group.
Editing a Scheduled Analysis Test
You can edit a scheduled analysis test through the Analysis Test Schedule
Management dialog box. You can pause and resume a scheduled test, view a
test, or delete a test. You can also edit the execution frequency of analysis tests;
for example, you can change a Run Once test to a scheduled test, or a scheduled
test to a Run Once test.
To edit a scheduled analysis test
1. Select Edit | Analysis Tests.
The Analysis Test Schedule Management dialog box displays all
scheduled analysis tests including Test Category, Test Name,
Scheduled Status (Active, Paused, or Completed), next Run Time,
Execution Frequency, Notification Group, and the credentials being
used.
2. Select the test you want to edit and click the Edit button.
This opens the Edit Test Configuration dialog box.
3. Edit the configuration information for the selected test.
You can edit the target server list, test schedule, notification and
impersonation information, and test configuration.
4. Click OK.
All information for the test is updated, saved, and used the next time
the test is run.
Pausing and Resuming a Scheduled Analysis Test
You can pause and resume the execution of a previously scheduled analysis test.
To pause a scheduled analysis test
1. Select Edit | Analysis Tests.
The Analysis Tests Schedule Manager displays all scheduled analysis
tests including Test Category, Test Name, Scheduled Status (Active,
Paused, or Completed), Execution Frequency, and Notification Group.
2. Select the test you want to pause and click Pause.
The test is paused and will not execute until you click Resume.
To resume a paused analysis test
1. Select Edit | Analysis Tests.
The Analysis Tests Schedule Manager displays all scheduled analysis
tests including Test Category, Test Name, Scheduled Status (Active
or Paused), Execution Frequency, and Notification Group.
2. Select the paused test you want to resume and click Resume.
If a test is halted by the system because of invalid credentials, you can pause
the test and resume it when the credentials are corrected. Also, if you pause
a test and the Ending Time for that test passes during the pause, click
Resume to resume the test schedule.
Deleting a Scheduled Analysis Test
You can delete a scheduled analysis test using the Analysis Tests Schedule
Manager.
To delete a scheduled analysis test
1. Select Edit | Analysis Tests.
The Analysis Tests Schedule Manager displays all scheduled analysis
tests including Test Category, Test Name, Scheduled Status (Active,
Paused, or Completed), Execution Frequency, and Notification Group.
2. Select the test you want to delete and click Delete.
You will be prompted to confirm or cancel the deletion.
3. Click Yes to confirm the deletion.
Running Analysis Tests using the Assistant Pane
You can quickly access all of the analysis tests provided in Spotlight on Active
Directory Topology Viewer through the various panes in the Assistant pane. The
three comprehensive analysis tests, Verify DNS Health, Verify Replication Health
and Verify Server Health, can be found at the top of the
Assistant pane. The other tests are organized according to troubleshooting
category and grouped into the following panes:
• Directory Replication Testing
• DNS Testing
• File Replication Testing
• Status/Performance Testing
• Time Synchronization Testing
For more information about these panes, see “The Assistant Pane” on page 15.
To run an analysis test from the Assistant pane
1. Select the specific DC or DCs in the Topology View or in the Analysis
Test Results pane.
2. Expand the pane of the troubleshooting category you want.
3. Click the name of the test you want to run.
– OR –
Click the icon for the test you want to run.
4. Select Run test once.
– OR –
Select Schedule test with advanced options.
If you select Schedule test with advanced options, the configuration
dialog box for that particular test opens and you must provide the
appropriate information.
If you select only one DC and attempt to run an analysis test that requires
more than one target server, the following error message is displayed: You
must select at least two servers in the Topology View to perform this action.
Naming an Analysis Test
By default, when you schedule an analysis test, the name of the analysis test is
generated automatically. If desired, you can enter a custom test name instead
of using the generated test name. For example, you can schedule separate
Server Health analysis tests in order to monitor different metrics of a domain
controller at different intervals. You should give each test a different name to
distinguish amongst the three Server Health analysis tests, and therefore, better
manage the tests.
To name an analysis test
1.
Select one or more DCs in the Topology View.
2.
Right-click a selected DC and select Detect | <Test Category> |
<Analysis Test> | Test Name.
3.
Click the Test Name tab in the Advanced Options pane.
4.
Enter a name for the test.
5.
Click OK.
You can also name an analysis test using the Assistant pane.
To name an analysis test from the Assistant pane
1.
Select the specific DC or DCs in the Topology View or in the Analysis
Test Results pane.
2.
Expand the pane of the troubleshooting category you want.
3.
Click the name of the test you want to run.
– OR –
Click the icon for the test you want to run.
4.
Select Schedule test with advanced options.
5.
Click the Test Name tab in the Advanced Options pane.
6.
Enter a name for the test.
7.
Click OK.
You can only give custom test names to analysis tests that have been
scheduled.
Viewing Test Results
You can view test results using the Analysis Test Results tab. The Analysis Test
Results tab is divided into two sections, each providing analysis test status and
results. You can resize each section by dragging the section borders. The
Analysis Test Results tab does not provide test details until you run an analysis
test. You can view details for scheduled tests and tests that run once. The
Analysis Test Results tab also includes the Assistant pane on the right. This gives
you quick access to the running of new analysis tests, native Microsoft
administrative tools, and management actions.
Results and status of analysis tests are shown in a tree structure, which you can
expand and collapse. The individual tests are listed by test category and you can
see the details for each test:
•
Analysis Test — the type of test, test name, test target, and test
progression details.
•
Last Update — the date and time that the test results were updated
in the test results tree.
•
Last Result — whether or not the test completed, failed, or was
successful.
The colors of the test icons represent test status:
•
Green indicates that the test is running but may not be completed yet.
•
Yellow indicates that the test failed to complete.
•
Red indicates that the server failed the test.
The color on the test category name indicates the highest severity in the test
group.
If you right-click a server, you are presented with the following options:
•
Launch Diagnostic Console: Launches the Diagnostic Console for the
server that was the focus of the test.
•
Run Again: Runs the test again immediately.
Note: Applicable only for scheduled tests. At times, you may
need to make corrections or adjustments based on the results of a
scheduled test. This option allows you to run the test again
once you have made your changes. This will not affect the
current schedule for that test.
•
Expand All: Expands the tree structure to show all the steps that took
place for each test.
•
Collapse All: Reduces the tree structure to the test category (highest
level).
•
Ignore Result: Omits the selected test results from the current display.
Note: This only affects existing test results. When the test is
run again, the new results will appear.
Once network problems are detected by Spotlight on Active Directory Topology
Viewer, you can launch Spotlight on Active Directory Diagnostic Console to help
you determine what corrective action to take.
The Test Result Details Pane
The details in this pane change according to which type of test is selected. The
following test details are available:
•
Test Name — the type of test highlighted in the test result tree and
the date and time of test executions.
•
Target — the name of the target server and target mailbox.
•
Time — a more detailed textual summary of the test highlighted in
the test result tree.
•
Result — whether or not the test completed, failed, or was
successful. In this example the store responsiveness test succeeded.
•
Text Result — a more detailed textual summary of the test
highlighted in the test result tree.
If the test selected in the test result tree contains multiple targets, a table is
displayed in the Test Result Details pane.
3
Diagnosing Problems
• Diagnosing Problems
• Spotlight on Active Directory Diagnostic
Console
• InTrust for Active Directory
Diagnosing Problems
You can diagnose problems by using:
•
Spotlight on Active Directory Diagnostic Console
•
InTrust for Active Directory
Spotlight on Active Directory Diagnostic Console
Once network problems have been detected by Spotlight on Active Directory
Topology Viewer, you can launch Spotlight on Active Directory Diagnostic
Console to help you determine what corrective actions to take.
Graphical flows illustrate the rate at which data is moving between DC
components. Components display the value of key statistics and metrics. The
power of Spotlight on Active Directory Diagnostic Console lies in its ability to
provide visual and audible warnings if performance metrics exceed acceptable
thresholds. Components change color to show you the source of the problem.
A range of reports and graphs provide you with detailed information about a DC.
This information can be viewed on the screen or printed.
Spotlight on Active Directory Diagnostic Console provides the following:
•
a number of drilldowns which display detailed information about the
DC you are analyzing. You can locate and identify problem areas
quickly using a visual representation of the major components in the
DC being monitored. When you have isolated a problem, you can see
a detailed breakdown by viewing a drilldown that displays the
underlying statistics.
•
various techniques to warn you when a DC is exceeding a threshold.
You can set Spotlight on Active Directory Diagnostic Console to warn
you when the system reaches a threshold, and you can set a number
of thresholds to display warning messages before inbound or
outbound traffic levels of a DC become critical.
For more information on how to launch the Spotlight on Active Directory
Diagnostic Console, see “Launching Spotlight on Active Directory Diagnostic
Console” on page 93.
InTrust for Active Directory
The InTrust for Active Directory Service operates on domain controllers. It
captures and audits all changes made to Active Directory and Group Policy
objects. The InTrust for Active Directory Service also, optionally, protects critical
objects from accidental and unwanted changes, enabling an organization to
audit and manage changes in their Active Directory environment. If a problem
occurs in the Spotlight on Active Directory, it can be due to a change made in
a domain controller. Because change information is saved in the InTrust on Active
Directory, you can view the Event Log and review any changes that have been
made.
Quest® InTrust™ provides collection, correlation, archival, and reporting on the
data from your enterprise-wide network, as well as real-time alerting and
notification. InTrust’s two main processes are audit data gathering and real-time
monitoring for critical events.
For more information on Quest InTrust, see Quest InTrust User Guide.
If a problem arises in the Spotlight on Active Directory, it can be due to a change
made to the configuration or schema in InTrust. You can launch the InTrust on
Active Directory Event Log to find out what changes have been made.
You must be integrated with InTrust on Active Directory. For more information
on InTrust Integration, see “InTrust® Integration” on page 31. For more
information on how to view changes from InTrust on Active Directory, see
“Viewing Changes from InTrust for Active Directory” on page 94.
4
Resolving Replication and
Time Sync Problems
• Resolving Directory Replication
• Managing Replication Links
• Configuring the Knowledge Consistency
Checker (KCC)
• Understanding FSMO Role Transfer
• Resolving File Replication
• Managing the File Replication Services
• Managing Logging
• Resolving Time Synchronization
• Setting Time Synchronization Parameters
Resolving Directory Replication
The Directory Replication actions let you change your replication topology in
order to resolve replication issues in your Active Directory forest. You can
perform these actions:
•
Add, edit, and delete replication links
•
Find the quickest replication path between two domain controllers
(DCs)
•
Force replication between two linked servers
•
Enable or disable the Knowledge Consistency Checker (KCC) — the
KCC auto-generates and removes replication links
•
Transfer Flexible Single-Master Operation (FSMO) roles
For more information, see Managing Replication Links.
Managing Replication Links
Spotlight on Active Directory Topology Viewer provides various actions to allow
you to manage your replication links. These actions include:
•
Creating, editing, and deleting replication links
•
Testing replication links to ensure replication can happen
•
Forcing replication between two servers
•
Identifying servers that have not received the latest data on the last
replication attempt
•
Finding the quickest replication path from one server to another
•
Configuring the KCC to enable or disable automatic replication link
maintenance
Pending actions are displayed in the Pending Resolve Actions list at the bottom
of the Results tab window. Pending actions can be cancelled. When the action is
complete, it is posted to the Completed Resolve Actions list at the bottom of the
Results tab window.
Creating a Link
The Create Link action allows you to create a link, and set a description, the
replication schedule, the replication schedule frequency, and the transport type.
The link is created on the lookup server, and replicates to all the other servers
in the forest. You can use the object tracker to see which computers have the
new link.
Replication links are automatically created by the Knowledge Consistency
Checker, but you can also create them using Spotlight on Active Directory
Topology Viewer. For more information, see “Configuring the Knowledge
Consistency Checker (KCC)” on page 78.
To create a link
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select a server in the Browse or Topology View pane.
The first server selected becomes the source server.
3.
Hold the CTRL key and select another server.
The second server selected becomes the destination server.
4.
Right-click and select Resolve | Directory Replication | Create
Link.
Optionally, you can change the source and destination computers.
5.
Enter a name for the link.
6.
Click a block of time that corresponds to the time and day you want
to set in the Schedule section.
– OR –
Drag the pointer to create a selection region around the blocks of time
you want to edit.
7.
Select a replication frequency from the Frequency section.
The four settings in the Frequency section represent how often
replication will occur each hour.
8.
Select a transport type.
9.
Enter a description, and click OK.
If This Action Fails
If this action fails, you should:
•
Ensure that you have sufficient rights to perform this action.
•
Ensure that the lookup server you are connected to is still responding
to requests.
Deleting a Link
The Delete Link action deletes a replication link between two domain controllers
(DCs).
The link is deleted on the lookup server. Once the link is deleted, the change
replicates to all the other servers in the forest. Replication links are automatically
deleted by the KCC, but you can also delete them using Spotlight on Active
Directory Topology Viewer. This is useful when reorganizing sites and domains.
The KCC does not delete manually created links.
To delete a link
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select a server in the Browse or Topology View pane.
The first server selected becomes the source server.
3.
Hold the CTRL key and select another server.
The second server selected becomes the destination server.
4.
Right-click and select Resolve | Directory Replication | Delete
Link.
Optionally, you can change the source and destination computers.
5.
Select the link you want to delete in the Links list, and click OK.
If This Action Fails
If this action fails, you should:
•
Ensure that you have sufficient rights to perform this action.
•
Ensure that the lookup server you are connected to is still responding
to requests.
•
Check to see if the replication link you are deleting has already been
deleted. Use the Topology Confirmation analysis tool to detect any
discrepancies between the topology on the lookup server and the
topology on the targeted DCs.
Editing a Link
Spotlight on Active Directory Topology Viewer allows you to edit the replication
schedule, frequency, and transport type properties of a replication link between
two servers.
The link is modified on the lookup server. Once modified, the changes replicate
to all the other servers in the forest.
To edit a link
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select a server in the Browse or Topology View pane.
The first server selected becomes the source server.
3.
Hold the CTRL key and select another server.
The second server selected becomes the destination server.
4.
Right-click and select Resolve | Directory Replication | Edit Link.
5.
If there are multiple links between the two selected DCs, select the
link you want to edit from the Links list.
6.
Click a block of time that corresponds to the time and day you want
to edit in the Schedule section.
– OR –
Drag the pointer to create a selection region around the blocks of time
you want to edit.
7.
Select a replication frequency from the Frequency section.
The four settings in the Frequency section represent how often
replication will occur each hour.
8.
Select a transport type.
9.
Enter a description, and click OK.
If This Action Fails
If this action fails, you should:
•
Ensure that you have sufficient rights to perform this action.
•
Ensure that the lookup server you are connected to is still responding
to requests.
•
Check to see if the replication link you are deleting is already deleted.
Use the Topology Confirmation analysis tool to detect any
discrepancies between the topology on the lookup server and the
topology on the targeted DCs.
Forcing Replication
The Force Replication action replicates an entire naming context from one
domain controller (DC) to another. All changes made to that naming context are
replicated immediately (even if it crosses a site boundary). The destination
computer is contacted, and it initiates the replication with the source computer.
To force replication
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select a server in the Browse or Topology View pane.
The first server selected becomes the source server.
3.
Hold the CTRL key and select another server.
The second server selected becomes the destination server.
4.
Right-click and select Resolve | Directory Replication | Force
Replication.
You can force replication for Configuration, Schema, and Domain
naming contexts independently of each other by selecting the
individual check boxes on the Force Replication dialog box.
If Forced Replication fails because of a schema mismatch, Active Directory
will attempt to replicate the schema partition.
You can also force replication between unconnected servers. Spotlight on Active
Directory Topology Viewer determines the quickest path between the selected
servers, and all data from the source DC is replicated to all DCs along that path,
up to and including the destination DC.
To force replication between two unconnected servers
1.
Connect to a DC.
2.
Select a server in the Browse or Topology View pane.
The first server selected becomes the source server.
3.
Hold the CTRL key and select another server that is not directly
connected to the first server.
The second server selected becomes the destination server.
4.
Right-click the source server and select Resolve | Directory
Replication | Force Replication.
When replication is complete, a message informing you of the exact
replication path is displayed in the Completed Resolve Actions tab in
the lower pane of the Topology Viewer tab.
If This Action Fails
If this action fails, you should:
•
Ensure that you have sufficient rights to perform this action. You must
have rights on both the source and target DCs.
•
Ensure that both DCs are currently operational.
•
Verify if the replication link you want to delete is already deleted. Use
the Topology Confirmation analysis tool to detect any discrepancies
between the topology on the lookup server and the topology on the
targeted DCs.
•
Check to see if there is a time synchronization issue causing
replication to fail. Use the Check W32Time Differential analysis tool to
see if the clocks on the two DCs are out of sync.
•
Check to make sure the replication partner has been contacted by the
target computer. The Check Partners' DNS Entries analysis tool will
tell you if the remote DC can find the DNS entries it needs from its
replication partners.
Finding the Quickest Path
The Find Quickest Path action shows you the quickest path that replication will
take from one domain controller (DC) to another. It analyzes the replication
schedule as shown on the lookup server, assuming that a change is made
immediately on the source DC and follows the replication links to the destination
computer.
To find the quickest path
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select a server in the Browse or Topology View pane.
The first server selected becomes the source server.
3.
Hold the CTRL key and select another server.
The second server selected becomes the destination server.
4.
Right-click and select Resolve | Directory Replication | Find
Quickest Path.
A message is displayed in the Completed Resolve Actions tab in the
lower pane of the Topology Viewer tab. Double-click the message to
see the quickest replication path.
If This Action Fails
If this action fails, you should:
•
Ensure that the lookup server you are connected to is still responding
to requests.
•
Check to see if a path exists from the source computer to the
destination computer.
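The schedule walk that Find Quickest Path describes can be sketched as an earliest-arrival search over the replication links. This is an added example, not Quest's code: the DC names, schedules and start time are constructed, and it assumes the four Frequency settings mean zero, one, two or four replications per hour at evenly spaced minutes.

```python
import heapq

# Assumed minute offsets for the four Frequency settings (replications per hour).
SLOT_MINUTES = {0: [], 1: [0], 2: [0, 30], 4: [0, 15, 30, 45]}
HOURS_PER_WEEK = 7 * 24


def next_replication(link, now):
    """Return the first scheduled minute >= now on this link, or None.

    Times are minutes since Monday 00:00; the weekly schedule repeats.
    """
    first_hour = now // 60
    for hour in range(first_hour, first_hour + HOURS_PER_WEEK + 1):
        if hour % HOURS_PER_WEEK not in link["hours"]:
            continue  # replication is not allowed in this hour block
        for minute in SLOT_MINUTES[link["per_hour"]]:
            slot = hour * 60 + minute
            if slot >= now:
                return slot
    return None


def quickest_path(links, source, dest, start):
    """Earliest-arrival search: a change made on `source` at `start` waits on
    each DC for the next scheduled replication over an outgoing link.

    Returns (path, delay_in_minutes), or None when no path exists.
    """
    outgoing = {}
    for link in links:
        outgoing.setdefault(link["from"], []).append(link)

    arrival = {source: start}
    previous = {}
    heap = [(start, source)]
    while heap:
        now, dc = heapq.heappop(heap)
        if now > arrival[dc]:
            continue  # stale heap entry; a faster arrival was already found
        if dc == dest:
            break
        for link in outgoing.get(dc, []):
            slot = next_replication(link, now)
            if slot is not None and slot < arrival.get(link["to"], float("inf")):
                arrival[link["to"]] = slot
                previous[link["to"]] = dc
                heapq.heappush(heap, (slot, link["to"]))

    if dest not in arrival:
        return None
    path = [dest]
    while path[-1] != source:
        path.append(previous[path[-1]])
    path.reverse()
    return path, arrival[dest] - start


# Constructed sample topology (hypothetical DC names and schedules).
ALWAYS = set(range(HOURS_PER_WEEK))
NIGHTLY = {day * 24 + hour for day in range(7) for hour in (1, 2, 3)}
LINKS = [
    {"from": "DC1", "to": "DC2", "hours": ALWAYS, "per_hour": 4},
    {"from": "DC2", "to": "DC3", "hours": ALWAYS, "per_hour": 1},
    {"from": "DC1", "to": "DC3", "hours": NIGHTLY, "per_hour": 1},
    {"from": "DC3", "to": "DC4", "hours": ALWAYS, "per_hour": 2},
]

if __name__ == "__main__":
    monday_0905 = 9 * 60 + 5
    print(quickest_path(LINKS, "DC1", "DC4", monday_0905))
```

With these schedules the direct DC1 to DC3 link is not the quickest route during the day, because it only opens at night; the path through DC2 delivers the change first.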
Configuring the Knowledge Consistency Checker (KCC)
The KCC automatically generates and maintains the replication topology within
a site and between sites. You can disable the KCC within a site (intrasite) and
between sites (intersite).
The KCC runs at regular intervals, adjusting the replication topology if any
changes occur in Active Directory. Changes may include the addition of new DCs,
or the creation of new sites. The KCC also simultaneously reviews the replication
status of existing connections and determines if any are not working. If a
connection is not working, the KCC automatically builds temporary connections
to other available replication partners to ensure that replication continues.
Spotlight on Active Directory Topology Viewer allows you to disable the KCC if
the default network replication infrastructure does not meet your organization’s
specific requirements. Before you disable the KCC, it is recommended that all
DCs conform to the following rules:
•
All DCs replicate changes to and from at least one other DC in the
domain.
•
All DCs in the domain must have a direct replication path to each
other.
•
All DCs must have a replication path to all other DCs.
•
Global Catalog (GC) servers must be able to obtain a copy of every
domain's naming context from a source. This can be another GC
server or a DC in the domain.
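Before clearing either KCC check box, the first and third rules above can be checked against an export of the current replication links. This is an added example, not part of the product: the DC names, the domain and the link lists are constructed, and each link is assumed to be a (source, destination) pair meaning that changes flow from source to destination.

```python
from collections import deque


def reachable(adjacency, start):
    """Return every DC that a change made on `start` can eventually reach."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def kcc_disable_findings(dcs, links):
    """Check a topology before the KCC is disabled.

    dcs:   {dc_name: domain_name}
    links: iterable of (source_dc, destination_dc)
    Returns a list of human-readable findings; an empty list means both
    checked rules hold.
    """
    outbound, inbound = {}, {}
    for source, destination in links:
        outbound.setdefault(source, set()).add(destination)
        inbound.setdefault(destination, set()).add(source)

    findings = []
    for dc, domain in sorted(dcs.items()):
        # Rule: replicate to and from at least one other DC in the domain.
        peers = {n for n, d in dcs.items() if d == domain and n != dc}
        if peers:
            if not outbound.get(dc, set()) & peers:
                findings.append(f"{dc}: no outbound link to a DC in {domain}")
            if not inbound.get(dc, set()) & peers:
                findings.append(f"{dc}: no inbound link from a DC in {domain}")
        # Rule: a replication path to all other DCs.
        missing = set(dcs) - reachable(outbound, dc)
        if missing:
            findings.append(
                f"{dc}: no replication path to {', '.join(sorted(missing))}"
            )
    return findings


# Constructed sample data (hypothetical names).
DCS = {"DC1": "corp.example", "DC2": "corp.example", "DC3": "corp.example"}
HEALTHY = [("DC1", "DC2"), ("DC2", "DC1"), ("DC2", "DC3"), ("DC3", "DC2")]
# DC3 still sends changes to DC2 but nothing replicates to DC3.
BROKEN = [("DC1", "DC2"), ("DC2", "DC1"), ("DC3", "DC2")]

if __name__ == "__main__":
    for name, links in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, kcc_disable_findings(DCS, links) or "OK")
```

A DC that only sends, like DC3 in the broken sample, would keep serving stale data once the KCC no longer repairs the topology, so a non-empty result is a reason to fix the links first.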
To disable the KCC
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more DCs in the Browse or Topology View pane that
are in the sites where you want to disable the KCC.
3.
Right-click and select Resolve | Directory Replication |
Configure KCC.
4.
Clear the Intersite KCC (Between Sites) check box to disable the
KCC between sites.
– OR –
Clear the Enable Intrasite KCC (Within a Site) check box to
disable the KCC within a site.
You can clear both check boxes if required.
5.
Click OK.
If This Action Fails
If this action fails, you should:
•
Ensure that you have sufficient rights to perform this action.
•
Ensure that the lookup server you are connected to is still responding
to requests.
Understanding FSMO Role Transfer
The FSMO Role Transfer action initiates transfer of one or more FSMO roles from
one domain controller (DC) to another. A computer about to gain a role contacts the
current holder of the role, and a transfer is negotiated. You can transfer any
FSMO role to another DC on the network.
You can change forest-wide FSMO roles and domain-wide FSMO roles. FSMO
roles are:
•
PDC Emulators - Domain specific and one per domain
•
RID Servers - Domain specific and one per domain
•
Infrastructure Masters - Domain specific and one per domain
•
Domain Naming Master - Forestwide and one per forest
•
Schema Master - Forestwide and one per forest
To transfer forest FSMO roles
1.
Select two or more DCs.
2.
Right-click and select Resolve | Directory Replication | FSMO
Role Transfer.
3.
Select the DC you want to assign the Schema Master role to in the
Schema Master Change To list.
4.
Select the DC you want to assign the Domain Naming Master role to
in the Domain Naming Master Change To list, and click OK.
To transfer domain FSMO roles
1.
Select two or more DCs.
2.
Right-click and select Resolve | Directory Replication | FSMO
Role Transfer.
3.
Select a domain from the Domain list to display the current PDC
Emulator, RID Master, and Infrastructure Master roles for that DC.
4.
Select the DC you want to assign the PDC Emulator role to in the PDC
Emulator Change To list.
5.
Select the DC you want to assign the RID Master role to in the RID
Master Change To list.
6.
Select the DC you want to assign the Infrastructure Master role to in
the Infrastructure Master Change To list, and click OK.
If This Action Fails
If this action fails, you should:
•
Ensure that you have sufficient rights to perform this action.
•
Ensure that the source server and the destination server are
operational. If the source server is not operational and is never going
to be operational again, you may have to seize the role using
Microsoft’s ntdsutil tool.
•
Ensure that both servers have the necessary DNS entries registered.
You can check this with the Check DNS Entries analysis tool.
•
Check to see if a time synchronization issue is causing the transfer to
fail. Run the Check W32Time Differential analysis tool to see if the
clocks on the DCs are out of sync.
Resolving File Replication
The File Replication actions let you manipulate your File Replication settings, NT
File Replication Service (NTFRS), and Distributed File System Replication
(DFSR). The file replication actions include:
•
Managing the File Replication Services
•
Managing Logging
•
Increasing USN Journal Size
•
Managing Advanced GPO Logging
Managing the File Replication Services
File replication services replicate and synchronize files stored in the System
Volume (SYSVOL) shares of Active Directory domain controllers (DCs). Active
Directory supports two different file replication services: the NT File Replication
Service (NTFRS), which is available in systems running Windows NT or later, and
Distributed File System Replication (DFSR), which is available in Windows Server
2008 and Windows Server 2008 R2.
The service used depends on the state of the domains being monitored. Brand
new domains, created only with Windows 2008 R2 servers, use DFSR file
replication to synchronize SYSVOL files by default. Older domains use NTFRS file
replication by default. Domains that are brought up to Windows Server 2008
operations level or later use NTFRS replication by default, but can be migrated
to use DFSR file replication. Although Windows Server 2003 R2 does support
DFSR file replication, Windows Server 2003 R2 DCs replicate SYSVOL data only
through the NTFRS file replication service.
Spotlight on Active Directory can show one or both of the NTFRS and DFSR
actions in the Assistant pane, depending on the state of domains in the current
forest. If all domains in the forest have been configured to use entirely NTFRS
or DFSR file replication, then only the appropriate action is available. If domains
in the forest have been configured to use different services, or if one or more
domains in the forest are migrating from NTFRS to DFSR replication, then both
actions are available.
The file replication actions available, when you right-click a server, depend on
which services are active on the currently selected servers. If the selected
servers are running NTFRS or DFSR file replication, then only the appropriate
menu entries are available. If the selected servers are running different versions
of file replication, or if one or more selected servers are migrating from NTFRS
to DFSR file replication, then menu entries for both NTFRS and DFSR actions are
available.
In places where it is not practical to report on both services simultaneously,
Spotlight on Active Directory will report on the service which is replicating live
data within the domain.
You can perform the following functions on these services:
•
Starting the Service
•
Stopping the Service
•
Restarting the Service
Starting the Service
To start the service
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more DCs from the Browse or Topology View pane.
3.
Right-click and select Resolve | File Replication | Start NTFRS
Service.
– OR –
Right-click and select Resolve | File Replication | Start DFSR
Service.
If This Action Fails
•
Check the state of the service and try again. The service might be in
a state where it cannot be started (for example, it may be stopping).
•
Check to see that you have the proper access to administer the
services on the remote computer.
•
Try to start the service through Microsoft native tools (services.msc).
Stopping the Service
To stop the service
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more DCs from the Browse or Topology View pane.
3.
Right-click and select Resolve | File Replication | Stop NTFRS
Service.
– OR –
Right-click and select Resolve | File Replication | Stop DFSR
Service.
If This Action Fails
•
Ensure that the server is operational and that you have the proper
administrative access to control its services remotely.
•
Check to see if the service was in a state where it could not be
restarted (for example, in the 'starting' state). If so, attempt the
action again.
Restarting the Service
To restart the service
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more domain controllers from the Browse or Topology
View pane.
3.
Right-click and select Resolve | File Replication | Restart NTFRS
Service.
– OR –
Right-click and select Resolve | File Replication | Restart DFSR
Service.
If This Action Fails
•
Ensure that the server is operational and that you have the proper
administrative access to control its services remotely.
•
Check to see if the service was in a state where it could not be
restarted (for example, in the 'starting' state). If so, attempt the
action again.
Managing Logging
Spotlight on Active Directory Topology Viewer allows you to set specific details
such as the number of file replication log files per DC, the number of messages
per file, and the level of detail of the information contained in each file. By
default, file replication records its actions in trace log files. These log files,
named Ntfrs_000x or Dfsr_000x, are located in the %Systemroot%\debug
directory. These files are typically used to investigate file replication problems.
Functions include:
•
Enabling Logging
•
Disabling Logging
•
Setting the Number of Log Files Generated
•
Setting the Number of Messages per Log File
•
Setting Log File Details
Enabling Logging
To enable logging
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more domain controllers from the Browse or Topology
View pane.
3.
Right-click and select Resolve | File Replication | Enable NTFRS
Logging.
– OR –
Right-click and select Resolve | File Replication | Enable DFSR
Logging.
If This Action Fails
•
Check to make sure you have access. This action requires
administrative access to the remote registry.
•
Check to make sure you have the ability to restart the service (see
“Restarting the Service” on page 83).
Disabling Logging
To disable logging
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more domain controllers from the Browse or Topology
View pane.
3.
Right-click and select Resolve | File Replication | Disable NTFRS
Logging.
– OR –
Right-click and select Resolve | File Replication | Disable DFSR
Logging.
If This Action Fails
•
Check to make sure you have administrative access to the remote
registry.
•
Check to make sure you can restart the service (see “Restarting the
Service” on page 83).
Setting the Number of Log Files Generated
To set the number of log files generated
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more DCs in the Browse or Topology View pane.
3.
Right-click and select Resolve | File Replication | Set Number of
NTFRS Log Files Generated.
– OR –
Right-click and select Resolve | File Replication | Set Number of
DFSR Log Files Generated.
4.
Click the up or down arrows in the Set the Number of Log Files to
box to increase or decrease the number of files.
– OR –
Type the number of files.
5.
Click OK.
If This Action Fails
•
Check to make sure you have administrative access to the remote
registry.
•
Check to make sure you can restart the service (see “Restarting the
Service” on page 83).
Setting the Number of Messages per Log File
To set the number of messages per log file
1.
Start Spotlight on Active Directory Topology Viewer and connect to a
DC.
2.
Select one or more DCs in the Browse or Topology View pane.
3.
Right-click and select Resolve | File Replication | Set Number of
Messages per NTFRS Log File.
– OR –
Right-click and select Resolve | File Replication | Set Number of
Messages per DFSR Log File.
4.
Click the up or down arrows in the Set the messages per file limit to
box to increase or decrease the number of messages.
– OR –
Enter the number of messages.
You can set a minimum number of messages per NTFRS/DFSR log file.
5.
Click OK.
If This Action Fails
•
Check to make sure you have administrative access to the remote
registry.
•
Check to make sure you can restart the service (see “Restarting the
Service” on page 83).
Setting Log File Details
To set the log file detail
1. Start Spotlight on Active Directory Topology Viewer and connect to a DC.
2. Select one or more DCs in the Browse or Topology View pane.
3. Right-click and select Resolve | File Replication | Set NTFRS Log File Detail.
– OR –
Right-click and select Resolve | File Replication | Set DFSR Log File Detail.
4. Select the option that corresponds to the level of detail you require, and click OK.
The level of detail is specified by a numeric scale from zero to five: zero being the least detailed and five being the most detailed.
If This Action Fails
• Check to make sure you have administrative access to the remote registry.
• Check to make sure you can restart the service (see “Restarting the Service” on page 83).
Increasing USN Journal Size
This action allows you to increase the size of the USN Journal, which allows more entries to be added to the journal.
This action is available only when using NTFRS.
Although you can reconfigure the USN journal size when using DFSR replication, we do not recommend it. If you need to reconfigure the USN journal size for DFSR replication, contact Microsoft support.
To increase the USN Journal size
1. Start Spotlight on Active Directory Topology Viewer and connect to a DC.
2. Select one or more DCs in the Browse or Topology View pane.
3. Right-click and select Resolve | File Replication | Increase USN Journal Size.
4. Increase the journal size in the box labeled Increase the USN Journal Size to, and click OK.
You can decrease journal size only by reformatting volumes that contain NTFRS-replicated content.
If This Action Fails
If this action fails, you should:
• Check to make sure you have administrative access to the remote registry.
• Check to make sure you can restart the service (see “Restarting the Service” on page 83).
Managing Advanced GPO Logging
Group policy events are logged to the Event Log using either Normal or Verbose mode. By default, they are logged using Normal mode, which means not all failures are displayed in the Event Log. To retrieve more detailed information on group policy processing from the Event Log, Spotlight on Active Directory Topology Viewer allows you to enable verbose logging.
Advanced GPO logging management functions include:
• Enabling Advanced GPO Logging
• Disabling Advanced GPO Logging
Enabling Advanced GPO Logging
Advanced Group Policy Object (GPO) Logging enables detailed event logging for group policies, which logs all Group Policy-related events to the event log.
To enable advanced GPO logging
1. Start Spotlight on Active Directory Topology Viewer and connect to a DC.
2. Select one or more DCs in the Browse or Topology View pane.
3. Right-click and select Resolve | File Replication | Enable Advanced GPO Logging.
If This Action Fails
If this action fails, you should:
• Check to make sure you have administrative access to the remote registry.
Disabling Advanced GPO Logging
Disable advanced GPO logging to return group policy event logging to Normal mode.
To disable advanced GPO logging
1. Start Spotlight on Active Directory Topology Viewer and connect to a DC.
2. Select one or more DCs in the Browse or Topology View pane.
3. Right-click and select Resolve | File Replication | Disable Advanced GPO Logging.
If This Action Fails
If this action fails, you should:
• Check to make sure you have administrative access to the remote registry.
Resolving Time Synchronization
Spotlight on Active Directory Topology Viewer displays time synchronization lines between synchronized DCs. You can set parameters, run diagnostics, and monitor selected DCs or all DCs in your topology. You can also view time sync-related properties on selected DCs.
Time Synchronization is the process by which DCs keep their time consistent across the forest. Each DC copies the time from another DC, and by arranging the synchronization partners in an appropriate fashion, all DCs will have nearly the same time.
• Setting Time Synchronization Parameters
Setting Time Synchronization Parameters
The Set Time Sync Parameters action allows you to control how time synchronization works in your forest. Specifically, it sets the replication partners for the domain controllers (DCs) and how often replication occurs. These settings are written to registry entries on the DC, and the time synchronization service is also restarted.
To set time synchronization parameters for a DC
1. Start Spotlight on Active Directory Topology Viewer and connect to a DC.
2. Select a DC in the Browse or Topology View pane.
3. Right-click and select Resolve | Time Sync | Set Parameters.
4. Select a type from the Set the Time Sync Type to list.
5. Select a parent from the Set the Time Sync Parent to list (if available).
6. Select a time period from the Set the Time Sync Period to list.
The Daily Skew option is defined as once every 45 minutes until one good synchronization occurs, then once every day. The Special Skew option is defined as once every 45 minutes until three good synchronizations occur, then once every eight hours (three per day).
7. Enter a frequency in the Times Per Day box (if available).
The Times per Day box is disabled by default. Selecting the Specified times per day option in the Set the Time Sync Period to box makes the Times per Day box available.
8. Click OK to save the changes.
For more information on setting external time synchronization sources, go to http://support.microsoft.com/default.aspx?scid=kb;en-us;262680.
When Set Time Sync Parameters Fails
When this action fails, you should:
• Ensure that you have sufficient rights to perform this action.
• Ensure that the target DC is operational.
5 Managing Actions and Results
• Canceling Pending Actions
• Saving Action Results
• Clearing Action Results
• Launching Spotlight on Active Directory Diagnostic Console
• Viewing Changes from InTrust for Active Directory
Managing Actions and Results
If you select the Management Action Results tab in the Navigation pane, pending and completed actions for directory replications, file replications, and time synchronizations are displayed.
At the top of the main pane there are two tabs: Pending Actions and Completed Actions. Any directory replication, file replication, or time synchronization action performed in Spotlight on Active Directory Topology Viewer is displayed under the associated Pending Actions tab. When the action is complete, it is posted to the Completed Actions tab.
The Completed Actions list displays each action that was performed, the domain controller (DC) on which it was performed, whether or not it was successful, the DC that performed the action, and the time the action was completed. You can save action results to a file for future reference, or delete them.
Canceling Pending Actions
After you perform Directory Replication, File Replication, or Time Synchronization actions, these are posted to the list shown in the Pending Actions tab. You can cancel any or all pending actions.
To cancel all pending actions
• Right-click in the associated Pending Actions list and select Cancel All Pending Action(s).
To cancel selected pending actions
1. In the Pending Actions list, select the action you want to cancel.
2. Right-click the action and select Cancel Selected Pending Action.
You cannot cancel an action while it is being executed. Actions currently being executed are indicated by an animated green arrow.
Saving Action Results
After performing Directory Replication, File Replication or Time Synchronization actions, you can save all results or selected results to a file.
To save results to a file
1. Right-click in the Completed Actions tab and select Save All Message(s).
– OR –
Right-click and select Save Selected Message.
2. Enter a name for the file and click Save.
Clearing Action Results
You can clear individual action results or the entire list of action results.
To clear results
• Right-click in the Completed Actions tab and select Clear All Message(s).
– OR –
Right-click and select Clear Selected Message.
Launching Spotlight on Active Directory Diagnostic Console
Once Spotlight on Active Directory Topology Viewer has detected Active Directory or performance problems, you can launch Spotlight on Active Directory Diagnostic Console to help you determine what corrective action to take. This applies to target servers only, not groups.
To launch Spotlight on Active Directory Diagnostic Console
1. Select a domain controller (DC).
2. Click Launch Diagnostic Console in the Assistant pane.
– OR –
Right-click and select Diagnose | Launch Diagnostic Console.
– OR –
Right-click in the Completed Actions tab and select Launch Diagnostic Console.
Viewing Changes from InTrust for Active Directory
If a problem arises in Spotlight on Active Directory, it can be due to a change made on a domain controller. Since changes to the domain controller are saved in the InTrust on Active Directory Event Log, you can launch the InTrust on Active Directory Event Log to find out what changes have been made.
You must be integrated with InTrust on Active Directory. For more information on InTrust Integration, see “InTrust® Integration” on page 31.
To view changes made from InTrust
1. Select and right-click a domain controller (DC).
2. Select Diagnose | View Changes from InTrust.
In the Event Log, you can view configuration and schema changes made in the last X number of minutes, hours, or days.
6 Customizing the Topology Layout
• Applying a System View
• Creating a Custom View
• Deleting a Custom View
• Editing a Custom View
• Resetting the Layout of the Current View
Understanding System Views
Initially, Spotlight on Active Directory Topology Viewer defaults to a layout view of the entire forest you have specified. However, it also provides system Views that you can apply to that forest. In addition, Spotlight on Active Directory Topology Viewer allows you to filter the topology view to suit your needs. This makes it much easier for you to view the status of, and work with, the servers you are concerned about. This ability is of particular value to local administrators who are responsible for a small number of domain controllers (DCs).
Spotlight on Active Directory Topology Viewer provides system Views that you can apply to the forest you have specified. Also, instead of dealing with the entire forest, you can create custom Views that display only specific domains or groups of DCs. You can also delete or edit these custom Views.
In addition to the topology view, system and custom Views are also applied to the treeview and the Analysis Test Results tab. Test results are shown only for the target servers that are part of the system or custom View currently applied.
Spotlight on Active Directory Topology Viewer retains the last View. This last View is loaded the next time you launch Spotlight on Active Directory Topology Viewer.
Applying a System View
Spotlight on Active Directory Topology Viewer provides the following system Views that you can apply to the current discovered forest:
• All (default - shows entire forest)
• Domain Naming Masters
• Global Catalogs
• Infrastructure Masters
• Intersite Topology Generators
• PDC Emulators
• RID Masters
• Schema Masters
You cannot delete or modify these system views.
Any custom Views you create are also added to this list.
When you apply another system or custom View, this can affect what is shown in the Analysis Test Results tab. If a server whose test results are shown is not included in the View you select, then those test results disappear from the Analysis Test Results tab.
To select a system view
1. Click in the View box above the topology view pane.
2. Select the system view you want to apply.
Creating a Custom View
You can create custom views and define them by site, domain, server or naming convention. You can select the domains or servers you want to include, or use naming conventions to filter only the servers you want to include.
To create a View
1. Select View | Create View.
This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane.
2. Click Next.
3. Select the type of view you want and click Next.
4. Select the sites you want to include in the view and click Next.
Your selection can also be domains, servers or naming conventions, depending on the type of view you selected.
5. Enter a name for the view you are creating and click Next.
6. Review the settings you have selected.
To make changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page.
7. Click Finish to save and apply the view you have created.
Your custom view will be added to the View list above the main pane.
Deleting a Custom View
You can delete the custom View currently displayed. However, you cannot delete the system views provided with Spotlight on Active Directory Topology Viewer.
To delete the current View
1. Select View | Delete Current View.
2. Click Yes to confirm you want to delete the current View.
Editing a Custom View
Once you have created a custom View, you can modify it. Spotlight on Active Directory Topology Viewer allows you to change any of the parameters of the custom View currently displayed.
You cannot modify the system views that are provided with Spotlight on Active Directory Topology Viewer.
To edit the current View
1. Select View | Edit Current View.
This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane.
2. Click Next.
3. Modify the type of view if necessary and click Next.
4. Modify the sites included in the View if necessary and click Next.
You can also modify domains, servers or naming conventions, depending on the type of view you selected.
5. Change the name of the View if necessary and click Next.
6. Review the settings you have selected.
To make further changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page.
7. Click Finish to save and re-apply the View you have modified.
Resetting the Layout of the Current View
If you have adjusted the server layout in your topology view by moving the servers, you can reset the view back to its original layout.
To reset the layout of the current View
• Select View | Reset Current View Layout.
7 Working with Groups
• Autogrouping
• Centering on Group
• Collapsing
• Expanding
• Grouping Together
• Ungrouping
Working with Groups
As a network administrator, you may be responsible for domain controllers (DCs) located in various geographic locations. In particular, Global Catalog (GC) server administration can be a challenge in large network deployments with hundreds of DCs in multiple sites and domains that can span continents.
Spotlight on Active Directory Topology Viewer addresses this challenge by allowing you to save DCs as groups. Once a group has been saved, accessing the list of DCs is as simple as selecting the group in the Browse pane. This saves you from having to select individual DCs and is particularly useful when applying common settings or actions to several DCs on your network.
Autogrouping
You can autogroup existing groups using the Autogrouping tool on the toolbar and the autogrouping rules. You can autogroup:
• By site name using offset rules
• By site name using delimiter rules
Offset rules allow you to group sites based on a certain number of letters in the group name. For example, an offset of 2 means that the autogrouping rule will use the next 2 characters as a group name.
Delimiter rules allow you to group sites based on a delimiter. For example, a delimiter of '-' means that the autogrouping rule will use all of the characters up to the next '-' as a group name.
Autogrouping rules are processed from the top down.
To create Autogrouping rules
1. Click the Autogrouping tool on the toolbar.
2. Click Add.
3. Enter the name of the group in the Name of New Group Type box.
4. Select Offset in the Rule Type list.
– OR –
Select Delimiter in the Rule Type list.
5. Enter the offset you want to use in the Offset box.
– OR –
Enter the delimiter you want to use in the Delimiter box.
6. Click OK.
The rule you created will be added to the list in the Autogrouping Rules dialog box. You can edit or remove rules you create. Click a rule in the list and click Edit to edit a rule or click Remove to remove a rule you have created.
You can also reorder rules in the list by clicking a rule and using the reorder buttons.
Select the Re-execute Layout check box and click OK to override the current site positioning.
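The offset and delimiter rules described above, modeled in Python as an added example (this is not Quest's code). It assumes each rule consumes its characters from the site name in list order and that a matched delimiter is skipped; the Rule class, the function names and the site names are constructed for illustration.

```python
"""Model of top-down autogrouping rules applied to AD site names (illustrative)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    group_type: str      # value typed into "Name of New Group Type"
    kind: str            # "offset" or "delimiter" (the Rule Type list)
    offset: int = 0      # used when kind == "offset"
    delimiter: str = ""  # used when kind == "delimiter"


def apply_rules(site_name: str, rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return [(group type, group name), ...] from outermost to innermost group.

    Rules run from the top of the list down. Each rule reads from where the
    previous one stopped (assumption). Processing stops at the first rule
    that cannot be satisfied, so the site stays at the last level reached.
    """
    path: List[Tuple[str, str]] = []
    pos = 0
    for rule in rules:
        if rule.kind == "offset":
            if rule.offset <= 0:
                raise ValueError("offset must be a positive integer")
            end = pos + rule.offset
            if end > len(site_name):      # not enough characters left
                break
            next_pos = end
        elif rule.kind == "delimiter":
            if not rule.delimiter:
                raise ValueError("delimiter must not be empty")
            end = site_name.find(rule.delimiter, pos)
            if end == -1:                 # delimiter absent: rule cannot apply
                break
            next_pos = end + len(rule.delimiter)  # skip the delimiter (assumption)
        else:
            raise ValueError(f"unknown rule type: {rule.kind!r}")
        token = site_name[pos:end]
        if not token:                     # e.g. a name that starts with the delimiter
            break
        path.append((rule.group_type, token))
        pos = next_pos
    return path


def autogroup(site_names: List[str], rules: List[Rule]) -> Dict[Tuple[str, ...], List[str]]:
    """Map each group path, such as ("US", "NYC"), to the sites that fall under it.

    Sites that match no rule are collected under the empty path ().
    """
    groups: Dict[Tuple[str, ...], List[str]] = {}
    for site in site_names:
        key = tuple(name for _group_type, name in apply_rules(site, rules))
        groups.setdefault(key, []).append(site)
    return groups


# Constructed rule list: two letters of country code, then a city code up to '-'.
RULES = [
    Rule(group_type="Country", kind="offset", offset=2),
    Rule(group_type="City", kind="delimiter", delimiter="-"),
]

# Constructed site names; the last two do not follow the naming convention.
SITES = [
    "USNYC-HQ01",
    "USNYC-DR02",
    "USSEA-BR07",
    "DEBER-HQ01",
    "Default-First-Site-Name",
    "X",
]

if __name__ == "__main__":
    for path, sites in autogroup(SITES, RULES).items():
        label = " / ".join(path) if path else "(ungrouped)"
        print(f"{label}: {', '.join(sites)}")
```

Because the rules are purely positional, the constructed site Default-First-Site-Name lands in a group named De / fault. Sites that do not follow the naming convention need a rename or manual grouping.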
Centering on Group
Use the Center on Group feature to focus on a specific group in a large topology. Center on Group lets you bring a specific group to the center of the Topology View pane. Center on Group expands all parents of a group so that the selected group is visible. The group itself is not expanded.
To center the topology view on a specific group
1. Select the group you want to center in the Topology View pane.
2. Right-click the selected group and select Center on Group.
Collapsing
Groups can be contracted into a single group node which has a visual representation of the group shape, but at a smaller size.
To collapse a group
1. Select a group.
2. Right-click on the group you want to collapse and select Collapse.
Expanding
After a group has been collapsed into a single group node, you can expand it again.
To expand a group
1. Select a group.
2. Right-click on the group node you want to expand and select Expand.
Grouping Together
Groups are user-defined groups of DCs. You can group by site, region, country, and so on. Once you define the scope of a group, you must give it a name. Group names are also user defined. DCs are grouped by site by default.
To group
1. Select a group in the Topology View pane.
2. Press the CTRL key, and select another group in the Topology View pane.
3. Right-click and select Group Together.
Ungrouping
You can ungroup DCs which you have previously grouped.
To ungroup
1. Select a group in the Topology View pane.
2. Press the CTRL key, and select another group in the Topology View pane.
3. Right-click and select Ungroup.
8 Using the Quest Spotlight on Active Directory Diagnostic Console
• Introducing Spotlight on Active Directory Diagnostic Console
• Starting Spotlight on Active Directory Diagnostic Console
• Using Spotlight on Active Directory Diagnostic Console
• Using Drilldowns
• Using Components
• Using Indicators
Introducing Spotlight on Active Directory Diagnostic Console
Spotlight on Active Directory Diagnostic Console graphically displays, in real time, the actual flow of data between domain controllers (DCs) and various systems in your Active Directory so you can quickly identify congested areas and take appropriate corrective action. Spotlight on Active Directory Diagnostic Console:
• provides a visual representation of Active Directory replication and response time
• identifies bottlenecks using flows, graphs and visual icons
• displays details including Lightweight Directory Access Protocol (LDAP) Bind times, inbound/outbound replication, Active Directory database size, Global Catalog response time, authentication traffic, Flexible Single-Master Operation (FSMO) roles, and Group Policy Object (GPO) recency
Spotlight on Active Directory Diagnostic Console allows you to detect a problem in real time, drill down, and resolve it, thereby improving the efficiency of network administration, and reducing downtime for users. Spotlight on Active Directory Diagnostic Console also integrates seamlessly with Spotlight on Active Directory Topology Viewer, a powerful network management tool that provides a visual representation of your entire Active Directory topology. Spotlight on Active Directory Topology Viewer’s unique user interface and functionality provide you with a wide range of remote administration functions and tools that assist you in pinpointing and resolving network replication and time synchronization performance issues. Spotlight on Active Directory Diagnostic Console and Spotlight on Active Directory Topology Viewer work together to help you detect, diagnose, and resolve network problems.
Quest Spotlight on Active Directory Diagnostic Console offers expert help that explains each process and counter on a domain controller, and what a raised alarm means. The help system offers suggestions on how to resolve the alarm, common solutions, and next steps. It also enables additional drilldown into more detailed Windows processes and counters through Spotlight on Windows, which is included with Spotlight on Active Directory.
Starting Spotlight on Active Directory Diagnostic Console
To start Spotlight on Active Directory Diagnostic Console
1. Select Start | Programs | Quest Software | Spotlight | Spotlight.
2. Click Spotlight on Active Directory in the Spotlight Connection Manager window.
3. Click the connection icon that represents the system or DC you want to connect to in the Spotlight on Active Directory Diagnostic Console connections dialog box.
4. Click Connect.
If the connection icon for the system or DC you want to connect to does not appear in the Spotlight on Active Directory Diagnostic Console connections dialog box, you may have to create a new connection icon. For more information on creating connection icons and adding new connections, see the Spotlight Basics section in the Help menu of the Spotlight on Active Directory Diagnostic Console.
To view a different system or DC when you have multiple connections
1. Select View | Connection Browser.
2. In the Connections Browser, click the name of the system or DC you want to view.
Using Spotlight on Active Directory Diagnostic Console
Spotlight on Active Directory Diagnostic Console is a powerful diagnostic and resolution tool. Its unique user interface provides a real-time representation of the dataflow in your forest, allowing you to detect, diagnose, and resolve Active Directory problems.
Graphical flows illustrate the rate at which data is moving between domain controller (DC) components. Components display the value of key statistics and metrics. The power of Spotlight on Active Directory Diagnostic Console lies in its ability to provide visual and audible warnings if performance metrics exceed acceptable thresholds. Components change color to show you the source of the problem.
A range of reports and graphs provide you with detailed information about a DC. This information can be viewed on the screen, or printed.
Spotlight on Active Directory Diagnostic Console provides various techniques to warn you when a DC is exceeding a threshold. You can set Spotlight on Active Directory Diagnostic Console to warn you when any component reaches a specific threshold. This way, warnings are displayed when individual components (for example, memory consumption or CPU usage) approach alarm levels and you can take steps to remedy the situation before they cause significant problems.
Spotlight on Active Directory also provides seamless integration with Spotlight on Windows. A Spotlight on Windows connection is automatically created when you create a connection to Spotlight on Active Directory. Therefore, you can double-click a Windows counter in the Spotlight on Active Directory homepage and connect directly to the appropriate Spotlight on Windows drilldown, without having to manually create a Spotlight on Windows connection, or re-enter a server name and credentials.
Using Drilldowns
Drilldowns display detailed information about the DC you are analyzing. Spotlight on Active Directory Diagnostic Console is designed to help you locate and identify problem areas quickly using a visual representation of the major components in the DC being monitored. When you have isolated a problem, you can see a detailed breakdown by viewing a drilldown that displays the underlying statistics.
You can display drilldowns by clicking a component in the main screen or by clicking a drilldown button on the toolbar. You can modify the way drilldowns display information.
Each drilldown page contains displays that provide you with specific information about the components of your system. Drilldowns mainly use two different types of displays - tables and charts. Spotlight drilldowns have the following features:
• There is more than one way to view a specified drilldown.
• They can be configured to show all or some of the metrics associated with components.
• You can access further information about displays in drilldowns by moving the mouse over the displays, or by clicking or right-clicking on them.
• You can copy the data shown in drilldowns to other applications or save it to a file.
Spotlight on Active Directory Diagnostic Console provides the following drilldowns:
• Performance Drilldown
• Replication Drilldown
• Configuration Drilldown
• DNS Drilldown
• LSASS Drilldown
• LDAP Drilldown
• FSMO Roles Drilldown
You can view Spotlight on Windows drilldown information through Spotlight on Active Directory. For example, when you view the expert help for the Ping Time component on the Spotlight on Active Directory homepage, click Show me the Network drilldown to connect to Spotlight on Windows and view the information in the Network drilldown.
Performance Drilldown
The Performance drilldown displays information on the applications running on a DC, including:
• the process name and ID of the application
• the percentage of CPU usage
• the physical memory usage in megabytes
To display the Performance drilldown
• Click the Performance drilldown button on the toolbar.
The following tabs are displayed:
• Top CPU Consumers Tab
• Top Memory Consumers Tab
• All Processes Tab
Top CPU Consumers Tab
The Top CPU Consumers tab displays information on the top ten CPU-consuming processes running on a DC.
The Top CPU Consumers tab displays the following information in a table:
COLUMN | DESCRIPTION
Process Name | The process name of the application.
% CPU | The percentage of CPU that the process is using.
Top Memory Consumers Tab
The Top Memory Consumers tab displays information on the top ten memory-consuming processes running on a DC.
The Top Memory Consumers tab displays the following information in a table:
COLUMN | DESCRIPTION
Process Name | The process name of the application.
Physical Memory (MB) | The amount of physical memory in megabytes that the process is consuming.
All Processes Tab
The All Processes tab displays the following information in a table:
COLUMN | DESCRIPTION
Process Name | The process name of the application.
Process ID | The unique ID for the process.
% CPU | The percentage of CPU that the process is using.
Physical Memory (MB) | The amount of physical memory in megabytes that the process is consuming.
Virtual Memory (MB) | The amount of virtual memory in megabytes that the process is consuming.
Replication Drilldown
The Replication drilldown displays:
• the amount of traffic to and from the DC and its replication partners
• the length of the Replication Queue
• the number of updates remaining in the replication packet
• the number of objects received per second from replication partners and applied by the local directory service
• the name, path, size, and staging information for FRS replicas
• the occurrence of any replication collisions
The service used depends on the state of the domains being monitored. Brand new domains, created only with Windows 2008 R2 servers, use DFSR file replication to synchronize SYSVOL files by default. Older domains use NTFRS file replication by default. Domains that are brought up to Windows Server 2008 operations level or later use NTFRS replication by default, but can be migrated to use DFSR file replication. Although Windows Server 2003 R2 does support DFSR file replication, Windows Server 2003 R2 DCs replicate SYSVOL data only through the NTFRS file replication service.
Spotlight on Active Directory can show one or both of the NTFRS and DFSR actions in the Assistant pane, depending on the state of domains in the current forest. If all domains in the forest have been configured to use entirely NTFRS or DFSR file replication, then only the appropriate action is available. If domains in the forest have been configured to use different services, or if one or more domains in the forest are migrating from NTFRS to DFSR replication, then both actions are available.
The file replication actions available when you right-click a server depend on which services are active on the currently selected servers. If the selected servers are running NTFRS or DFSR file replication, then only the appropriate menu entries are available. If the selected servers are running different versions of file replication, or if one or more selected servers are migrating from NTFRS to DFSR file replication, then menu entries for both NTFRS and DFSR actions are available.
To display the Replication drilldown
• Click the Replication drilldown button on the toolbar.
The following tabs are displayed:
• Activity Tab
• Queues Tab
• Directory Partners Tab
• FRS Replicas Tab
• Collisions Tab
Activity Tab
This tab shows the amount of inbound and outbound traffic being received and sent by the DC to its replication partners.
The Activity tab displays the following graphs:
GRAPH | DESCRIPTION
DRA Activity | The amount of inbound/outbound replication traffic the DC is sending and receiving from its replication partners. The graph shows occasional bursts of high activity during replication events followed by periods of zero activity where no replication is taking place. Inbound activity is shown in orange. Outbound activity is shown in blue.
File Replication I/O Activity | The amount of Kbytes/sec that have been read from the Active Directory database by the NTFRS or DFSR process (depending on the type of replication service used). Read activity is shown in orange, and write activity is shown in blue.
File Replication CPU Usage | The percentage of the CPU used by the NTFRS or DFSR process (depending on the type of replication service used).
Queues Tab
The Queues tab displays:
• the length of the Replication Queue
• the number of updates remaining in the replication packet
• the number of objects received per second from replication partners and applied by the local directory service
The Queues tab displays the following graphs:
GRAPH | DESCRIPTION
Replication Queues | The number of directory synchronizations queued for the DC but not yet processed. It helps determine the replication backlog; the higher the counter, the higher the backlog. The Objects series indicates the number of Active Directory objects queued for synchronization by the Directory Replication Agent (DRA). The Files series indicates the number of files queued for replication by the NTFRS or DFSR file replication service.
Remaining Objects | The number of object updates remaining in the current replication update packet that have not been applied on the local server.
Objects Applied per Second | The rate at which the objects are applied to the Active Directory database.
Directory Partners Tab
The Directory Partners tab displays detailed information about inbound and
outbound replication links.
If two or more links created contain the same information, then only one
instance is displayed.
If information is coming from a read-only domain controller (RODC), the link
entry will be missing. RODCs do not contain naming contexts, and, therefore,
will not display link information.
The Directory Partners tab displays the following information in a table:
COLUMN
DESCRIPTION
Replication Partner
The name of the DC that the server is replicating with.
Link Direction
Shows whether replication is inbound (coming to the
server from this replication partner) or outbound (going to
the indicated replication partner).
Site
The name of the site where the replication partner is
located.
IP Address
The IP address of the replication partner.
Enabled/Disabled
Shows whether the connection to the indicated replication
partner is enabled or disabled.
Transport Type
The transport type being used for replication.
Options
Shows whether or not the replication link was
automatically generated by the Knowledge Consistency
Checker (KCC).
Consecutive Failures
The number of consecutive replication errors that have
occurred.
Naming Context
The naming context that can be replicated between the
replication partner and the currently connected DC.
Last Status
The result of the last replication attempt.
Last Replication Attempt
The time at which the last replication was attempted.
Last Successful Replication
The time at which the last successful replication was
completed.
Consecutive Failures
The number of consecutive replication errors that have
occurred.
FRS Replicas Tab
The FRS Replicas tab displays detailed information about FRS Replicas.
The FRS Replicas tab displays the following information in a table:
COLUMN
DESCRIPTION
Replica Name
The display name of the FRS Replica.
Replica Path
The path to the FRS Replica.
Replica Size (MB)
The size of the FRS Replica.
Replica Staging Path
The path to the replica staging folder. This folder acts as a
queue for changed files and folders to be replicated to
downstream partners.
Replica Staging Size (MB)
The size of the replica staging folder.
Collisions Tab
The Collisions tab displays detailed information about any collisions that
occurred during replication.
The Collisions tab displays the following information in a table:
COLUMN
DESCRIPTION
Distinguished Name
The distinguished name of the object involved in the
replication collision.
Collision Time
The time the collision occurred.
Configuration Drilldown
The Configuration drilldown displays information on installed software, hotfixes,
and installed network adapters.
To display the Configuration drilldown
• Click the Configuration drilldown button on the toolbar.
The following tabs are displayed:
• Installed Hotfixes Tab
• Installed Software Tab
• Network Adapters Tab
Installed Hotfixes Tab
The Installed Hotfixes tab displays information on all installed hotfixes. A
browser window in the lower half of the tab automatically opens to the
corresponding support center home page for the installed operating system. As
well, if a specific hotfix is selected, the browser window will automatically open
to the Microsoft Knowledge Base article for that specific hotfix.
The Installed Hotfixes tab displays the following information in a table:
COLUMN
DESCRIPTION
Name
The name of the installed hotfix
Description
The description for the hotfix
Type
The type of hotfix that is installed
Installed By
The user that installed the hotfix
Installed Date
The date the hotfix was originally installed
Installed Software Tab
The Installed Software tab displays information about all software installed on a
DC.
The Installed Software tab displays the following information in a table:
COLUMN
DESCRIPTION
Application Name
The application name of the installed software.
Network Adapters Tab
The Network Adapters tab displays information on all network adapters installed
on a DC.
The Network Adapters tab displays the following information in a table:
COLUMN
DESCRIPTION
Network Card
The display name of the network card.
IP Address
The IP address associated with the network card.
DNS Servers
The DNS Servers associated with the network card.
Multiple entries are separated by a | delimiter.
Is DHCP Enabled
Whether DHCP is enabled for the network card.
DNS Drilldown
The Domain Naming System (DNS) drilldown indicates whether the DNS entries
are registered by the currently connected DC, registered by another DC in the
forest, or not registered at all.
To display the DNS drilldown
• Click the DNS drilldown button on the toolbar.
– OR –
Click the DNS Entries component on the home page and click Show me the DNS Drilldown.
The DNS drilldown displays the following information in a table:
COLUMN
DESCRIPTION
Record
The name of the DNS record.
Registration Status
Whether the DNS record is registered or not.
LSASS Drilldown
The Local Security Authority Subsystem (LSASS) drilldown displays information
on database traffic and authentication requests.
To display the LSASS drilldown
• Click the LSASS drilldown button on the toolbar.
The LSASS drilldown displays the following information in graphs:
GRAPH
DESCRIPTION
LSASS CPU Usage
The percentage of the CPU used by the LSASS process.
LSASS I/O Activity
How many bytes have been read from the Active Directory
database by the LSASS process. Read activity is shown in
orange.
How many bytes have been written to the Active Directory
database by the LSASS process. Write activity is shown in
blue.
Authentications
The number of NTLM (NT LAN Manager) and Kerberos
authentications per second being handled by the
currently connected DC. NTLM authentications are shown
in orange and Kerberos authentications are shown in blue.
Directory Activity
The number of directory read and write operations per
second occurring on this DC. Read activity is shown in
orange, and write activity is shown in blue.
LDAP Drilldown
The LDAP drilldown displays detailed information regarding communications
between clients and the DC.
To display the LDAP drilldown
• Click the LDAP drilldown button on the toolbar.
The LDAP drilldown displays the following graphs:
GRAPH
DESCRIPTION
LDAP Client Sessions
The number of clients that currently have open LDAP
sessions with this DC
LDAP Bind Time
The amount of time necessary to perform the last LDAP
bind. Consistently high values might indicate a hardware
or networking problem.
Directory Searches Per Second
The number of directory searches that are being executed
per second on this DC.
LDAP Search Time
The time taken for a simple LDAP search against the DC.
FSMO Roles Drilldown
The Flexible Single-Master Operation (FSMO) Roles drilldown indicates which DC
owns each FSMO role. It also indicates which DC is the Global Catalog (GC)
server.
To display the FSMO Roles drilldown
• Click the FSMO Roles drilldown button on the toolbar.
– OR –
Click one of the FSMO Roles components on the home page.
The FSMO Roles drilldown displays the following information in a table:
COLUMN
DESCRIPTION
FSMO Role
The five main roles a server can fulfill. These include
Domain Naming Master, Schema Master, Infrastructure
Master, PDC Emulator, and RID Server.
Global Catalog and Intersite Topology Generator are not
FSMO roles; they are listed here as extra information.
Domain Controller
The network name of the computer that fulfills the
associated FSMO role.
Domain
The name of the domain to which the computer belongs
Site
The site to which the computer belongs
IP Address
The IP address of the computer
By default, the FSMO Roles drilldown collects only the FSMO roles for the
domain where the DC is located. Select the Collect FSMO role holders
from other domains check box to collect all FSMO roles in the forest. If
selected, this check box is applied to all current connections as well as new
future connections.
You can also connect to a DC from the FSMO Roles drilldown by using the
right-click menu.
Using Components
The components on the Spotlight on Active Directory Diagnostic Console home
page correspond to the elements of the DC that is being diagnosed. Components
change color to alert you to specific performance problems. You can get more
detailed information about a component’s status by placing the pointer over the
component to display its corresponding tip text, or by opening a drilldown to
view the associated statistics in table and graph format.
Spotlight on Active Directory Diagnostic Console displays the following types of
components:
• Network Components
• Dataflow Components
• LSASS Components
• File Replication Components
• AD Store Components
• Active Directory Components
• Operating System Components
Network Components
The following table describes the Network components:
NETWORK COMPONENT
DESCRIPTION
Connected Users
The number of clients connected to this server. It does not
show users connected to other applications that may be
running on this computer; for example, Microsoft
Exchange or SQL Server. It only shows the users that have
established a Microsoft networking connection to the
system. This component opens the Network drilldown.
LDAP Client Sessions
The number of LDAP clients that have sessions with this
DC. This component opens the LDAP drilldown.
Ping Time
The ping time, or average round trip time, from the
computer where Spotlight on Active Directory Diagnostic
Console is running to the connected DC. This component
opens the Network drilldown.
LDAP Bind Time
The time it took for the last LDAP client to bind to this DC.
This component opens the LDAP drilldown.
LDAP Search Time
The time taken for a simple LDAP search against the DC.
The time taken to bind to LDAP is not included in this
value, providing a better representation of LDAP search
performance.
Theoretical Bandwidth
The level of network traffic graphed against a "theoretical"
maximum bandwidth. The maximum bandwidth is
calculated by totalling the capacity of all network devices
reported by the operating system. This component opens
the Network drilldown.
For more information on the Network drilldown, see the Spotlight on
Windows section in the online help.
Dataflow Components
Dataflows illustrate the rate at which data is moving through the system and
change their speed and color to alert you to performance issues. You can display
a dataflow as a flow and graph.
The following table describes the Dataflow components:
DATAFLOW COMPONENT
DESCRIPTION
Authentications
The number of Kerberos and NTLM
Authentications per second handled by the DC.
This component should show activity over time.
Prolonged periods of high usage or zero activity
should be investigated. The PDC Emulator tends
to show higher values for Kerberos authentication
than other DCs as many older programs only
authenticate with a PDC. Client programs can
also ask for NTLM authentication as a preference
over Kerberos.
Directory Searches
The number of search operations that have been
requested by LDAP clients. This component opens
the LDAP drilldown.
Directory Reads
The rate at which clients are reading data from
the Active Directory Data Store. Global Catalog
servers tend to have higher levels of directory
activity than other DCs. This component opens
the LSASS drilldown.
Directory Writes
The rate at which clients are writing data to the
Active Directory Data Store. Global Catalogs tend
to see higher levels of directory activity than
other DCs. This component opens the LSASS
drilldown.
DRA Inbound KBytes
The number of kilobytes per second the server
receives through replication. This component
opens the Replication drilldown.
DRA Outbound KBytes
The number of kilobytes per second that the
server sends through replication. This component
opens the Replication drilldown.
LSASS Kilobytes Read
How many kilobytes have been read from the
Active Directory database by the LSASS process.
The LSASS process is the part of Active Directory
that is responsible for LDAP requests and for
authentication requests. This component opens
the LSASS drilldown.
LSASS Kilobytes Written
How many kilobytes have been written to the
Active Directory database by the LSASS process.
The LSASS process is the part of Active Directory
that is responsible for LDAP requests and for
authentication requests. This component opens
the LSASS drilldown.
NTFRS/DFSR Kilobytes Read
How many kilobytes have been read from the
Active Directory database by the NTFRS or DFSR
process (depending on the type of replication
service used). The process is the part of Active
Directory that is responsible for file replication.
This component opens the Activity tab on the
Replication drilldown.
NTFRS/DFSR Kilobytes Written
How many kilobytes have been written to the
Active Directory database by the NTFRS or DFSR
process (depending on the type of replication
service used). The process is the part of Active
Directory responsible for file replication. This
component opens the Activity tab on the
Replication drilldown.
The following dataflow components are not available when running Spotlight
on Active Directory Diagnostic Console on a server:
• LSASS Kilobytes Read
• LSASS Kilobytes Written
• NTFRS/DFSR Kilobytes Read
• NTFRS/DFSR Kilobytes Written
Kerberos is the default authentication mechanism in most Active Directory
forests and is more secure than the older NTLM authentication. NTLM
authentications are performed in many scenarios. Primarily, they are
performed by pre-Windows 2000 programs that use LanMan APIs. However,
they may also be performed when Kerberos is unavailable or when Kerberos
authentication fails.
LSASS Components
The following table describes the LSASS components:
LSASS COMPONENT
DESCRIPTION
CPU Usage
The total amount of CPU used by the LSASS
process. This component opens the LSASS
drilldown.
Memory Usage
The total amount of physical memory (RAM)
available and the total amount used by the LSASS
process. This component opens the All Processes
tab on the Performance drilldown.
Replication Queue (DRA)
The number of directory synchronizations queued
for this server but not yet processed. This
component opens the Replication Queues
drilldown.
File Replication Components
The following table describes the File Replication components:
FILE REPLICATION COMPONENT
DESCRIPTION
CPU Usage
The total amount of CPU used by the NTFRS or
DFSR process (depending on the type of
replication service used). If you are using NTFRS
and are migrating to DFSR file replication, this
counter shows CPU usage for both NTFRS and
DFSR services.
Memory Usage
The total amount of physical memory used by the
NTFRS or DFSR process (depending on the type
of replication service used). If you are using
NTFRS and are migrating to DFSR file replication,
this counter shows CPU usage for both NTFRS
and DFSR services.
Replication Queue
The number of changes to files detected on this
DC that have not yet been processed for
replication. This component opens the Queues
tab on the Replication drilldown.
AD Store Components
The following table describes the AD Store components:
AD STORE COMPONENT
DESCRIPTION
Database Size
The total size in megabytes of the file that stores
Active Directory. This file represents all of the
data in the Active Directory and will grow as new
objects are added.
Free Space
Total drive space available.
Total Space
The total drive space in use where Active
Directory is stored.
Objects Applied/Second
The rate at which objects are being applied to the
Active Directory database. This component opens
the Replication drilldown.
Remaining Objects
The number of object updates remaining in the
current replication update packet that have not
yet been applied on the local DC. This component
opens the Replication drilldown.
Active Directory Components
The following table describes the Active Directory components:
ACTIVE DIRECTORY COMPONENT
DESCRIPTION
Replication Links
The number of active replication links for the
target DC. This component opens the Directory
Partners tab on the Replication drilldown.
DNS Entries
Shows whether or not the DC has registered the
proper DNS entries with its DNS server. The DNS
check is run from the computer on which the
Spotlight on Active Directory Diagnostic Console
is running, not from the DC to which it is
connected. This component opens the DNS drilldown.
Schema Mismatches
The number of replication errors that have
occurred as a result of a schema mismatch since
the last refresh of the Spotlight on Active
Directory Diagnostic Console.
DRA Errors
The number of replication errors that have
occurred since the last refresh of the Spotlight on
Active Directory Diagnostic Console.
Operating System Components
The following table describes the Operating System components:
OPERATING SYSTEM COMPONENT
DESCRIPTION
CPU Usage
The total amount of CPU being used on the
computer being monitored. It includes CPU
consumed by all Windows processes. This
component opens the CPU drilldown.
System Disk (Free Space/Total Space)
The total unused disk space on the system disk
(the disk that houses the Windows Operating
System). There should be enough free disk space
to accommodate the operational requirements of
the Windows Operating System. Total space
refers to the total size of the system disk.
Physical RAM
The amount of physical memory (RAM) Windows
is using. Physical memory usage normally
remains close to the total amount of physical
memory installed on the system unless the
amount of physical memory exceeds the amount
of virtual memory that Windows is using.
Windows normally keeps some physical memory
available for immediate reuse. This component
opens the Memory drilldown.
Processor Queue
The number of process threads (program
execution units) waiting to be run on all
processors. A sustained processor queue length
can indicate processor congestion. This
component opens the CPU drilldown.
Top CPU Consumer
The process name that is consuming the most
CPU on this DC. This component opens the Top
CPU Consumers tab on the Performance
drilldown.
Top Memory Consumer
The process name that is consuming the most
physical memory on this DC. This component
opens the Top Memory Consumers tab on the
Performance drilldown.
For more information on the CPU and Memory drilldowns, see the Spotlight
on Windows section in the online help.
Using Indicators
Indicators give more information about the selected domain controller. The
indicators include:
INDICATOR
DESCRIPTION
Intersite Topology Generator
Shows if the domain controller (DC) is an Intersite
Topology Generator (ISTG). An ISTG considers the cost of
intersite connections, checks if previously available domain
controllers are no longer available, and checks if new
domain controllers have been added. The Knowledge
Consistency Checker (KCC) then updates the intersite
replication topology accordingly.
Global Catalog
Shows if the domain controller (DC) is a Global Catalog.
The Global Catalog stores full replicas of all object
attributes created within the domain and also partial
replicas of all object attributes within other domains in the
forest.
Schema Master
Shows if the domain controller is the Schema Master for its
forest. All changes to the schema of a forest must be made
on that computer. There is only one Schema Master for a
forest.
Domain Naming Master
Shows if the domain controller is the Domain Naming
Master for its forest. Each forest has only one Domain
Naming Master. The Domain Naming Master is contacted
whenever a new domain is added to the forest to ensure its
name is unique.
RID Master
Shows if the domain controller (DC) is the RID Master for
its domain. The RID Master is responsible for handing out
RID pools to the other DCs in a domain. A RID pool is used
to generate RIDs, which are a part of every object created
by Active Directory. There is one RID Master per domain.
Infrastructure Master
Shows if the domain controller is the Infrastructure Master
for its domain. Each domain has an Infrastructure Master,
which is used to maintain the integrity of Active Directory's
internal database.
PDC Emulator
Shows if the domain controller (DC) is the PDC Emulator
for its domain. The PDC Emulator acts like the PDC for
pre-Windows 2000 applications and performs time
synchronization for the enterprise. It is contacted by
default when other DCs in the domain fail to authenticate.
Password changes are duplicated here as well. There is one
PDC Emulator per Active Directory domain.
RODC Indicator
Shows if the domain controller (DC) is a Read-Only Domain
Controller.
Note: This indicator is active on Windows 2008 Servers
only.
9
Using Quest Spotlight on Active Directory Web Reports
• Understanding Quest Web Reports
• Viewing and Interacting with Web Reports
• Creating and Modifying Web Reports
• Creating Custom Graphs
• Setting Security
• Configuring the Web Report Subscription Service
• Using Preconfigured Reports
Understanding Quest Web Reports
Quest Spotlight on Active Directory has a separate web-based reporting
component called Quest Web Reports.
Quest Web Reports provides a collection of preconfigured reports which allow
report consumers to view data across multiple subsections of your organization.
You can change relevant report parameters immediately using Quick Filters.
Quest Web Reports also provides a Web Report Wizard, which allows you to
create customized reports based on any data available in your Quest Web
Reports database.
Quest Web Reports features:
• A Web Report Wizard that allows you to quickly and easily configure and generate reports.
• The ability to group, insert, append, remove, and sort fields on reports. On-page Quick Filters allow you to change relevant report parameters quickly and easily.
• Configurable Report Parts that you can select and arrange on customizable reports.
• The ability to display report data in bar graphs and pie charts.
• Predefined role-based security settings.
• A Report Subscription Service that allows you to notify users that reports have been generated. Subscription notices may be sent by email containing links to where the reports are located.
Accessing Web Reports
To access Web Reports
• Select Programs | Quest Software | Quest Spotlight on Active Directory | Spotlight on Active Directory Web Reports.
– OR –
Click the Spotlight on Active Directory Web Reports icon on your
desktop.
– OR –
Select the Web Reports tab in the Topology Viewer.
If you do not have a desktop icon, you can also access the preconfigured
reports by opening your web browser and going to the Spotlight on Active
Directory Web Reports home page at:
http://IISSERVERNAME/SpotlightonAD/WebReport.asp.
IISSERVERNAME is the server where the Spotlight on Active Directory Web
Reports home page resides.
If typing in the URL for Spotlight on Active Directory Web Reports does not
bring up a valid web page, ensure that ASP (Active Server Pages) is enabled
on the IISSERVERNAME server. Also ensure that the necessary IIS Services
are running properly on the server. Finally, check the security privileges on
the web site and make sure appropriate permissions are set for
administrative access to the site.
Types of Web Reports
Quest Web Reports hosts two types of reports: Custom Reports and
Preconfigured Reports.
Custom Reports
You can create custom reports using the Web Report Wizard. The Web Report
Wizard allows you to build your own reports based on existing data sources. You
can select fields, filters, format, grouping, and sorting options. Custom reports
can be edited, depending on your security clearance within Quest Web Reports.
For more information about the Web Report Wizard, see “Creating Custom
Reports” on page 139.
Preconfigured Reports
Preconfigured reports are specific to the application, and are delivered with the
Quest Software product purchased. For more information about preconfigured
reports, see “Using Preconfigured Reports” on page 170.
Viewing and Interacting with Web Reports
You can filter Web reports, change grouping options, and view report information
in the Report Information dialog box. For more information, see “Viewing Report
Information” on page 138.
Browsing Web Reports
You can browse Web reports in the following three ways:
• Using command buttons
• Using the treeview
• Using the file-based model
Using the Command Buttons
The following table describes the command buttons at the top of the
Quest Web Reports home page.
Different buttons appear depending on your location within Web
Reports.
ICON
FUNCTION
Returns you to the Quest Web Reports home page.
Allows you to go up one level in the report structure.
Accesses the file menu, which includes the following options: New Custom
Report, New Folder, Save, Save As, Save Report Settings, Export,
Subscriptions, and Set Filter Defaults.
Opens the Web Report Wizard so you can edit a custom report.
Available only in the Subscriptions Wizard. Accesses the Subscriptions
menu, which includes Export Selected Subscriptions, Import
Subscriptions, and Configure Subscriptions.
Opens the Printer dialog box to allow you to print the report that you are
viewing.
Shows you a preview of the printed report.
Appears only during preview. Closes the preview window.
Shows the Help for the reporting component.
Using the Treeview
Quest Web Reports uses a treeview as its main navigational tool. The treeview
contains folders that expand to reveal subfolders and reports. When you select a
folder from the treeview, the contents of the folder are displayed in the right
pane in a file-based format. You can also select a report directly from the
treeview.
The illustration to the left is an example of what the treeview may look like.
Folders indicate a grouping of report information. Folders may contain
subfolders or reports. When you click on a report, the contents appear in the
right pane.
Using the File-Based Model
Quest Web Reports uses a file-based model to display the available Web reports.
When you select a folder from the treeview, the contents of the folder are
displayed in the right pane in a file-based format.
Your files may look different than the preceding example depending on the
information in each report.
The following table describes the interface elements in the right pane of the
file-based format:
ELEMENT
USAGE
Folder Icon
Identifies the listed object as a folder; reveals the subfolders
and files contained within the folder.
Report Icon
Identifies the listed object as a report.
Name
Displays the title of the report.
The title is also a hyperlink that you can click to display the
report in this pane.
Last Modified
Displays the datestamp of the last time the report was
modified.
Author
Displays the name of the report author.
Edit
Displays the Edit menu for the item.
For more information see “Using the Edit Button” on page 144.
Report Description
Displays a description of the report on the second line of the
item.
n reports, n folders.
Indicates, at the bottom of the pane, the number of Web
reports and subfolders in the main folder.
File Menu Commands
The command items that appear on the File menu are available depending on
where you are within Web Reports.
If you click File, the following menu items appear:
The following table describes the options on the File menu:
OPTION
DESCRIPTION
New Custom Report
Opens the Web Report Wizard to allow you to create the new
report.
New Folder
Opens the New Folder dialog box.
When you name the new folder, the application places the folder
as a subfolder of the currently selected folder. If you want to add
a folder to the main navigation tree, the Home node should be
selected before you create the new folder.
Save
Saves the changes, such as new sorting criteria, that you have
made to an existing report.
Save As
Saves the changes you have made to an existing report, but gives
you the option to change the name or location of the report.
Save Report Settings
Allows you to save the current report settings, including filters,
and create a shortcut for the selected report.
Send To
Allows you to create and send an email
Export
Allows you to export the report content into one of the following
formats:
• Microsoft Excel
• Text (as comma separated values)
• Text (as tab separated values)
• XML
• Word File
• HTML
• MHTML
Subscriptions
Opens the Subscriptions Page.
Set Filter Defaults
Allows you to reset the filters to the defaults.
Administrative Options
Allows you to modify the following administrative options:
• Email Server Configuration - select the SMTP server to use for subscriptions and Web reports.
• Manage Custom Report Definitions - download or upload report definition files.
Viewing Report Information
At the lower-right of each report, there is an Information button that allows
you to view the report options and notes for the selected report. For example,
the following illustration shows information that you might see after clicking
the Information button.
Report Options include default filters and sort keys, as well as any quick filters
and sort keys you selected using the Quick Filter options.
Notes include descriptions of the fields in the report, as well as any field
descriptions that exist in the data source for the report.
Creating and Modifying Web Reports
Creating Custom Reports
To access the Web Report Wizard
• Select File | New Custom Report.
– OR –
Right-click in the treeview and select New Custom Report.
You are taken to the Web Report Wizard home page.
From this page, you can determine the information that you want to include on
your custom report.
You do not have to follow the Web Report Wizard steps in order. If you know
which screens you need to use, click the appropriate page tab on the left side
of the Web Report Wizard to go to the appropriate page.
Selecting a Data Source
To access the Datasource page of the Web Report Wizard
• Click Next on the Welcome page of the Web Report Wizard.
Selecting Fields
To access the Fields page of the Web Report Wizard
• Click Next on the Datasource page of the Web Report Wizard.
To select fields for your custom report
1. Select the fields you want to include from the Available Fields list.
2. Click the appropriate arrow button to move the fields to the Selected Fields list.
3. Click Next to proceed to the Filter page and then to other pages in sequence.
This button is only enabled when a field has been selected.
– OR –
Select the page you want to use from the list on the left side of the page.
– OR –
Click Finish to create the custom report.
Filtering Custom Reports
To access the Filter page of the Web Report Wizard
• Select Filter from the list on the left side of the page.
To select filter criteria for your custom report
1. Select a field from the list.
By default, this field is <none>.
2. Select an operator.
Operators appear in the list based on the field that you select.
3. Select a value from the list, or enter text in the box.
4. Click Add New Filter to define additional filters.
5. Indicate the appropriate predicate using the list.
6. Repeat steps 1 through 5 as applicable.
– OR –
1. If you have created a custom report, select the report from My Reports.
2. At the bottom of the screen, specify fields, operators, and values to define the filter.
3. Click to generate the report.
To remove filter criteria from your custom report
1. Select the check box beside the filter you want to remove.
2. Click Remove Filters.
Filtering Preconfigured Reports
You can apply filters to a preconfigured report using the Quick Filter options
located at the bottom of the screen. Specify fields, operators, and values to
define the filter, and click [icon] to generate the report.
Grouping Web Reports
To access the Group page of the Web Report Wizard
• Select Group from the list on the left side of the page.
To select grouping options for your custom report
1. Select the fields you want to use for grouping from the Available Fields list.
2. Click the appropriate direction button to move the fields to the Grouped Fields list.
Sorting Web Reports
To access the Sort page of the Web Report Wizard
• Select Sort from the list on the left side of the page.
To sort your custom report
1. Select the field you want to use as your sort key from the list.
2. Select the sort order from the list.
3. Click Add New Sort Key to define additional sort keys.
4. Repeat steps 1 through 3 as applicable.
To remove sorting from your custom report
1. Select the check box beside the sort key you want to remove.
2. Click Remove Sort Keys.
Formatting Web Reports
To access the Format page of the Web Report Wizard
• Select Format from the list on the left side of the page.
To format your custom report
1. Select the appropriate Display Format.
2. Enter the number or percentage of top records you want to include in the report in the Show Top Records box.
   For example, if you specify a number, you will get exactly that number of records. If you specify a percentage, you will get that percentage of the total number of records. The default is 100 percent.
3. Click Advanced Summary Calculations to include summary information on your report.
   a) In the dialog, click the summary calculation check boxes that are appropriate for your report.
      You can only select summary calculations that pertain to the field type that you selected.
   b) To view a detailed report, select the Show detail records check box. Otherwise, the result is a summary report.
   c) Click OK.
4. To paginate the report, select Paginated and enter the number of lines per page.
   Paginated Web reports display faster than web reports that are all on one page.
5. Select the Date/Time Display.
6. Select the Show quick filter bar if you want to display quick filters at the bottom of the custom report.
Describing Web Reports
To access the Description page of the Web Report Wizard
• Select Description from the list on the left side of the page.
To enter a description for your custom report
• Enter a description in the box.
Previewing Web Reports
To access the Preview page of the Web Report Wizard
• Select Preview from the list on the left side of the page.
You can preview the way your report looks at any time during the creation of the
report. Preview information changes depending on the criteria and formatting
you select for your report. If you want to make further changes to the report,
you can return to any of the previous pages in the wizard before you save the
report.
Saving Web Reports
When you are satisfied with the report you have created, you can save it. It will
appear in the treeview under [My Reports]. If you select another page without
saving a report, you must confirm your action. This is a reminder to ensure you
do not lose your work unexpectedly.
To save a report
1. Select the Save or Save As command from the File menu.
   If you have modified an existing report, the save command simply updates it, whereas the Save As command allows you to save the modified report with a new name.
2. In the Save As dialog, enter the report name in the Name field.
3. Click OK.
Editing Web Reports
You can edit Web reports in the following ways:
• Using the quick filter bar at the bottom of the report
• Using the Edit menu
• Using the Edit button
• Using the column headers on the Web reports
The following table describes the extent of editing for each type:

| TYPE | DESCRIPTION |
|---|---|
| Quick Filter Bar | Allows you to change filter options and regenerate the report. For more information, see “Using Quick Filters”. |
| Edit Menu | Allows you to open the report, create a copy of the report in a different folder, move the report to a different location, rename or delete the report. You can open the Web Report Wizard to create a new report. When a report listed in [My Reports] is selected, select Modify Report to open the Web Report Wizard with fields of the report pre-selected. |
| Edit Button | Allows you to open the report, create a copy of the report in a different folder, move the report to a different location, rename or delete the report. |
| Column Header | Allows you to add or remove fields in the report, and change group and sort options. For more information, see “Changing Grouping Options”. |

Using the Edit Button
The following commands are available from the Edit button, which is located at
the right side of each folder and report in the file-based model.
For folders, the following commands are available:

| COMMAND | DESCRIPTION |
|---|---|
| Open | Opens the selected report, or reveals the Web reports and folders contained by the selected folder, in the current window. |
| Open in New Window | Opens the selected report, or reveals the Web reports and folders contained by the selected folder, in a new window. |
| Copy To | Opens a dialog box for you to define the destination of the copied folder. |
| Move To | Opens a dialog box for you to define the destination of the moved folder. After the report is moved to the new location, the original is deleted. |
| Rename | Opens a dialog box for you to rename the selected folder. |
| Delete | Prompts you to verify that you want to delete the folder. |
| Edit Description | Opens a dialog box for you to edit the description of the folder. |

For Web reports, the following commands are available:

| COMMAND | DESCRIPTION |
|---|---|
| Open | Opens the selected Web report, or reveals the Web reports and folders contained by the selected folder, in the current window. |
| Open in New Window | Opens the selected Web report, or reveals the Web reports and folders contained by the selected folder, in a new window. |
| Copy To | Opens a dialog box for you to define the destination of the copied Web report. |
| Move To | Opens a dialog box for you to define the destination of the moved Web report. After the Web report is moved to the new location, the original is deleted. |
| Rename | Opens a dialog box for you to rename the selected Web report. |
| Delete | Prompts you to verify that you want to delete the Web report. |
| Modify Report | Opens the Web Report Wizard to allow you to make any changes to the selected report, and save your custom Web report. |

Using Quick Filters
Each report may have a Quick Filter bar at the bottom of the page. This bar does
not scroll with the report; it remains at the bottom of the displayed web page.
[Figure: Quick Filter bar, with callouts for Field List, Apply, Operators, Information, Filter Criteria, and Cancel]
To use Quick Filters
1. Select a field from the list.
2. Select an operator from the table below.
3. Define the filter criteria.
   The criteria can be one or two values, depending on the operator.
4. Click [icon].

| PARAMETER | AVAILABLE IN | DESCRIPTION |
|---|---|---|
| = | All | The field value equals the criteria value. |
| <> | All | The field value is not equal to the criteria value. |
| > | All | The field value is greater than the criteria value. |
| < | All | The field value is less than the criteria value. |
| <= | All | The field value is less than or equal to the criteria value. |
| >= | All | The field value is greater than or equal to the criteria value. |
| like | All | The field value is like the criteria value. |
| is NULL | All | There is no value for the criteria field. |
| is not NULL | All | There is any value except NULL for the criteria value. |
| between | All | The field value falls between the two criteria that you define. |
| is in | All | The field value is in the criteria that you define. Note: When using the is in operator, you can multi-select in the Select a Value dialog box by holding down the CTRL key and clicking the items you want. The selected items will appear in the edit box as a list separated by semi-colons. |
| not in | All | The field value is not in the criteria that you define. |
| last | Date, DateTime | This operator allows you to select a time interval in the form nn uu, where nn is a number and uu is a unit of time. (For example, Last 5 Weeks, Last 3 days, and so on). The time interval is based on the current time. |
| most recent | Date, DateTime | This operator queries the database for the most recent entry for the specified field and then uses that value to find all records with a matching value. The value depends on the content of the database and is independent of the current time. "Most recent" could potentially mean a time long past, and will remain unchanged until the database is changed. |
| today | Date, DateTime | Today = from 12:00 AM to the current time. |
| yesterday | Date, DateTime | Yesterday = from 12:00 AM to 11:59 PM yesterday. |
| this week | Date, DateTime | Start = Sunday of current week, End = today. |
| last week | Date, DateTime | Start = Sunday of previous week, End = Saturday of previous week. |
| this month | Date, DateTime | Start = 1st day of current month, End = today. |
| last month | Date, DateTime | Start = 1st day of previous month, End = last day of previous month. |
| this quarter | Date, DateTime | Start = 1st day of current quarter, End = today. |
| last quarter | Date, DateTime | Start = 1st of previous quarter, End = last day of previous quarter. Note: Quarters start January 1, April 1, July 1, and October 1. |
| this year | Date, DateTime | This operator selects records with dates from January 1 of the current year to the current date. |
| last year | Date, DateTime | This operator selects records with dates from January 1 to December 31 of the last year. |
| weekdays | Date, DateTime | Filters weekdays only, Monday-Friday. |
| weekends | Date, DateTime | Filters Saturday and Sunday. |
| contains | Description | The field value contains the specified criteria. |
| does not contain | Description | The field value does not contain the specified criteria. |
| starts with | Description | The field value starts with the specified criteria. |
| ends with | Description | The field value ends with the specified criteria. |
| does not start with | Description | The field value does not start with the specified criteria. |
| does not end with | Description | The field value does not end with the specified criteria. |

When using the DateTime filters, time is based on UTC, not local time.
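The relative date operators in the table above, worked through in UTC as the preceding note requires. This is an added example, not Quest code: the function names and the sample record are constructed, and it assumes half-open [start, end) windows with "End = today" read as the current moment.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
PERIODS = ("today", "yesterday", "this week", "last week", "this month",
           "last month", "this quarter", "last quarter", "this year",
           "last year")


def _months_back(first_of_month, months):
    """Step a first-of-month datetime back by a whole number of months."""
    index = first_of_month.year * 12 + (first_of_month.month - 1) - months
    return first_of_month.replace(year=index // 12, month=index % 12 + 1)


def window(operator, now):
    """Return the UTC interval [start, end) selected by a date operator.

    Assumption (not stated in the guide): "End = today" means the current
    moment, and a closed period ends where the next period starts.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    now = now.astimezone(UTC)
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    # The guide's week starts on Sunday; Python's weekday() has Monday = 0.
    sunday = day - timedelta(days=(day.weekday() + 1) % 7)
    month = day.replace(day=1)
    # Quarters start January 1, April 1, July 1 and October 1.
    quarter = month.replace(month=3 * ((now.month - 1) // 3) + 1)
    year = month.replace(month=1)
    fixed = {
        "today": (day, now),
        "yesterday": (day - timedelta(days=1), day),
        "this week": (sunday, now),
        "last week": (sunday - timedelta(days=7), sunday),
        "this month": (month, now),
        "last month": (_months_back(month, 1), month),
        "this quarter": (quarter, now),
        "last quarter": (_months_back(quarter, 3), quarter),
        "this year": (year, now),
        "last year": (year.replace(year=year.year - 1), year),
    }
    op = " ".join(operator.lower().split())
    if op in fixed:
        return fixed[op]
    # "last nn uu": only the units the guide shows (days, weeks) are handled.
    parts = op.split()
    if len(parts) == 3 and parts[0] == "last" and parts[1].isdigit():
        unit = parts[2].rstrip("s")
        if unit in ("day", "week"):
            days = int(parts[1]) * (7 if unit == "week" else 1)
            return now - timedelta(days=days), now
    raise ValueError(f"unsupported operator: {operator!r}")


def in_window(operator, stamp, now):
    """True if a timezone-aware record timestamp falls inside the window."""
    if stamp.tzinfo is None:
        raise ValueError("stamp must be timezone-aware")
    start, end = window(operator, now)
    return start <= stamp.astimezone(UTC) < end


def matching(stamp, now, operators=PERIODS):
    """List the operators whose window contains the record timestamp."""
    return [op for op in operators if in_window(op, stamp, now)]


if __name__ == "__main__":
    # Constructed sample: a record written at 21:30 on Saturday 31 March 2012
    # on a server five hours behind UTC, queried on Monday 2 April, 15:00 UTC.
    now = datetime(2012, 4, 2, 15, 0, tzinfo=UTC)
    stamp = datetime(2012, 3, 31, 21, 30,
                     tzinfo=timezone(timedelta(hours=-5)))
    # In UTC the record is 02:30 on 1 April: a new week, month and quarter.
    print("UTC filter:      ", matching(stamp, now))
    # Reading the local wall-clock time as if it were UTC gives other answers.
    print("local wall clock:", matching(stamp.replace(tzinfo=UTC), now))
```

Run as a script, it prints the operators the constructed record matches under UTC and under a local wall-clock reading, which differ for week, month and quarter.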
Changing Grouping Options
After the report is generated, you can change the grouping options by
right-clicking the column headers or grouped headers.
Initially, the same options appear regardless of which column header you select.
After you change the grouping options, the list changes to reflect your current
settings.
The following table describes all the grouping options:

| OPTION | DESCRIPTION |
|---|---|
| Group By | Groups the report by the selected field. |
| Ungroup | Removes the grouping of the report by the selected field. This option is only available if you select a grouped field above the table. |
| Insert Field | Adds a new field to the left of the selected field. When you select this option, a scrolling list appears for you to select the new field. |
| Append Field | Adds a new field to the right of the selected field. When you select this option, a scrolling list appears for you to select the new field. |
| Remove Field | Removes the selected field from the report. |
| Sort Ascending | Sorts the field in ascending order. |
| Sort Descending | Sorts the fields in descending order. |
| Remove Sorting | Removes the sorting that you have indicated from the report. |
| Select Table | Selects the entire table, for email, export, or copy. |
| Select Column | Selects a single column, for email, export, or copy. |
| Send Selection To | Allows you to create an email, containing selected content. |
| Export Selection | Allows you to export the content in several possible formats. |
| Copy | Copies the content into temporary storage. |

Sorting changes you make are automatically reflected in the Report Information
dialog box, but no changes are retained upon exit from the page, unless you
save the report.
Creating Custom Graphs
Several standard Web reports provide graphs of data collected during analysis.
The custom graph capability is a flexible tool that allows you to develop
additional graphs and charts for data that is of particular interest to you.
Bar Charts
Bar charts are useful for comparing data. They are also used to compare values
across categories or to compare the contribution of each value to a total across
categories (for example, stacked bars).
Pie Charts
Pie charts are useful for viewing proportions or percentages. They visually
represent the contribution of each value to a total sum of data, or the component
parts of a whole. A pie chart is used to show how a part of something relates to
the whole.
XY or Line Graphs
A line graph is used to show continuing data, usually on a time scale. This kind
of graph is used to show the effect of an independent variable (such as time) on
a dependent variable. Line graphs are useful for determining trends.
For more information, see the following sections:
• “Using the Graph Wizard”
• “Guidelines for Creating Bar Charts”
• “Guidelines for Creating Pie Charts”
• “Guidelines for Creating XY Graphs”
Using the Graph Wizard
The Graph Wizard contains several pages that support selection of the graph
type, data source, and fields to be used to create your custom graph. You can
also apply filters and select sorting options.
You can follow the wizard pages in order by selecting the Next button at the
bottom of the page, or you can select the pages you need from the list in the left
pane.
The Preview page is useful to show what the graph will look like. If you want to
make adjustments, you can return to other wizard pages, by using the Previous
button or selecting specific pages from the left pane. The Preview page then
shows the updated graph.
When you are satisfied with the graph, select the Finish button to create the final
version. You can then save the graph using the File | Save command.
The pages following the field selection page are not available until you select
allowable fields, as described in the guidelines.
To access the Graph Wizard
• Select File | New | Custom Graph.
  – OR –
  Right-click Reports in the treeview and select New Custom Graph.
To create a custom graph using the wizard pages in order
1. In the Welcome page, click Next at the bottom of the screen to move to the next page in the wizard. Use this button to advance through all the pages in this procedure.
2. In the Graph Type page, select the type of graph that you want:
   • Bar Chart
   • Stacked Bar Chart
   • Pie Chart
   • XY Graph
   • XY Stacked Area Graph
3. In the Datasource page, select the data source for the graph.
   These datasources reflect how data collected by analysis jobs is organized. Each datasource supports a different set of fields.
4. In the Fields page, select fields to be used for the three graph attributes.
   Graph attributes vary depending on graph type, and there are restrictions on which fields and how many fields you can select. (See the guidelines for creating graphs.)
   The availability of a selected field as a graph attribute is shown by the right arrow icon beside each graph attribute.
5. In the Filter page, you can select filter criteria to limit the data used to create the graph. This is useful in simplifying a graph.
   • To define more than one filter, click Add New Filter. All filters are logically ANDed.
   • To remove a filter, select the check box beside the filter and click Remove Filters.
6. In the Sort page, select the order in which the data will be displayed.
7. In the Format page, specify the format details, such as graph size and axis titles. To include a table of the data used to create the graph, select Show Data. (This option is enabled by default.)
8. In the Description page, enter a description for the graph.
9. In the Preview page, the resulting graph is displayed.
   If the wizard indicates too much data is present, define filters to reduce the data volume.
10. If you want to make changes, click Previous or select a wizard page from the list to the left of the graph; otherwise click Finish.
11. Select File | Save.
12. Enter a name for the report and save it to the My Reports folder.
To modify a saved graph or create a new graph based on an existing
custom graph
1. In the Tree View under Reports, select [My Reports].
2. Choose a saved custom graph and select the associated Edit | Modify Report command at the right side of the list item.
   The graph wizard opens, with values preselected from the saved graph you chose.
3. Modify values as required and select Finish.
4. Select File | Save As and provide a new name for the new graph.
Guidelines for Creating Bar Charts
The following rules apply when you select fields for a bar or stacked bar chart:
• At least one data value must be selected.
• If only one data value is selected, you must select either a category label or a series label. You can select both.
• If more than one data value is selected, you do not require a category label, and you cannot select a series label.
• Only one series label can be selected, and only if a single data value is selected.
• Multiple data values and category labels can be selected.
The following are general rules regarding the display of bar and stacked bar charts:
• Fields selected as data values determine the size of the bars and the scale of the horizontal axis. These fields should contain statistical values.
• Fields selected as category labels affect the number of bars in the chart. Values of the category label fields are used to label the bars on the vertical axis.
• The field selected as series label affects the number of the bars in the chart. Values of the series label are used in the legend. When a series label is not present, the legend values come from the data value field names.
Examples of Field Selections for Bar Charts

| FIELD SELECTION | RESULTS |
|---|---|
| One Data Value: File Size (KB). One Category Label: Server. | The Data Value field provides data for the bars, the scale of the horizontal axis, and the label for the horizontal axis. The number of values in the Category Label field determines the number of bars. Values of the Category Label are used to label each bar. |
| Two Data Values: Free Space (GB), Used Space (GB). | The Data Value fields provide data for the bars, the scale of the horizontal axis, and labels for the legend below the graph. The number of Data Value fields determines the number of bars. |
| Two Data Values: Free Space (GB), Used Space (GB). One Category Label: Server. | The Data Value fields provide data for the bars, the scale on the horizontal axis, and legend labels. The number of values in the Category Label field multiplied by the number of Data Value fields determines the number of bars. Values of the Category Label are shown on the vertical axis. |
| One Data Value: File Size (KB). One Category Label: Server. One Series Label: Extension. | The Data Value field provides data for all bars and the scale of the horizontal axis. The number of values in the Category Label field and the number of values in the Series Label field determine the number of bars. Values of the Category Label are shown on the vertical axis. Series Label values determine the legend labels. |

Guidelines for Creating Pie Charts
The following rules apply when you select fields for a pie chart:
• At least one data value must be selected.
• If only one data value is selected, you must select a series label.
• You can select only one series label and one multi-pie selection. If you select both, you can select only one data value.
• Multiple data values can be selected.
The following are general rules regarding the display of pie charts:
• Fields selected as data values determine the relative size of the pie wedges. When multiple data values are selected (and no series label), these fields are used as legend labels. These fields should contain statistical values.
• The field selected as series label affects the number of wedges in the pie chart. Values of the series label are used in the legend. When a series label is not present, the legend values come from the data value field names.
• The multi-pie selection field affects the number of pies in the chart. Values of this field are used to label the pies.
• Selecting more than one data value and a series label generates a pie for each data value field. The data value field is used as a label for the pies.
Examples of Valid Axis Selections for Pie Charts

| FIELD SELECTION | RESULTS |
|---|---|
| Two Data Values: Free Space (GB), Used Space (GB). | Each Data Value field provides data for a pie wedge. The number of Data Value fields determines the number of wedges. Data Value field names are used as legend labels. |
| One Data Value: Used Space (GB). One Series Label: Logical Disk. | The Data Value field provides data for the pie wedges. The number of values in the Series Label field determines the number of wedges. The values of the Series Label field are used as legend labels. |
| Two Data Values: Free Space (GB), Used Space (GB). One Series Label: Logical Disk. | Each Data Value field provides data for the wedges in its pie. The number of Data Value fields determines the number of pies. The names of the Data Value fields are used to label the pies. The number of values in the Series Label determines the number of wedges in each pie. The values of the Series Label field are used as legend labels. |
| One Data Value: File Size. One Series Label: Extension. One Multi-Pie Selection: Server Name. | The Data Value field provides data for the pie wedges. The number of values in the Series Label field determines the number of wedges in each pie. The values of the Series Label field are used as legend labels. The number of values in the Multi-Pie Selection field determines the number of pies. The values of the Multi-Pie Selection field are used to label the pies. |

Guidelines for Creating XY Graphs
The following rules apply when you select fields for an XY or XY stacked area
graph:
• One X-Axis Value must be selected.
• At least one Y-Axis Value must be selected.
• Multiple Y-Axis Values can be selected.
• Only one Series Label can be selected, but this limits the number of Y-Axis Values to one.
The following are general rules regarding the display of XY graphs:
• Points on a line are plotted from a pair of x-axis/y-axis values.
• The field selected as the x-axis value determines the x-axis scale.
• Fields selected as y-axis values and the series label affect the number of lines in the graph.
• Values of the series label are used in the legend. When a series label is not present, the y-axis value field names are used in the legend or the vertical axis name.
The following are general rules that apply when you create an XY graph:
• The X and Y values determine successive points on a line.
• In most cases, the X-axis value is a date or time field.
• The series label values determine with which line the point is associated.
Examples of Valid Axis Selections for XY Graphs

| AXIS SELECTION | RESULTS |
|---|---|
| One X-Axis Value: Date. One Y-Axis Value: Used Space (GB). | The Y-Axis Value field data creates points for each X-Axis Value field value and a line is drawn to connect these points. The Y-Axis Value field name is used for the Y-axis label and values of this field determine the scale. X-Axis Value field values determine the scale of the X-axis. |
| One X-Axis Value: Date. Two Y-Axis Values: Used Space (GB), Used Space (%). | Values in each Y-Axis Value field are plotted on a separate line, for each X-Axis Value field value. The Y-Axis Value field names are used for the legend labels and the values of these fields determine the scale of the Y-axis. |
| One X-Axis Value: Date. One Y-Axis Value: Used Space (GB). One Series Label: Server Name. | The Y-Axis Value field data creates points for each X-Axis Value field value. The number of values of the Series Label determines the number of lines in the chart. The values of the Series Label are used as Legend labels. |

Setting Security
Quest Web Reports includes a flexible solution for report security, which allows
you to assign certain permissions to users, and enable different views of the
reporting tree depending on user needs and security requirements.
Quest Web Reports supports two types of security:
• Role-based Security
• File-based permissions, which require NTFS manipulation of your network.
  This is the responsibility of the Preconfigured product.
Role-based Security
Role-based security provides an initial layer of security for your Web reports.
Three local security groups, each with preconfigured permissions, are created
when Quest Web Reports is installed. Quest Web Reports provides the following
three local security groups in a role-based security scheme:
• Web Report Administrators
• Web Report Authors
• Web Report Users
The effect of role-based security is uniform for all Web reports. All three security
groups have access to the report site, and all Web reports therein; however, the
roles (Administrator, Author, User) provide different permissions that can
restrict the ways Web reports can be manipulated.
The default membership in these security groups places administrators in the
Web Report Administrators role, and all others in both the Web Report Authors
and Web Report Users roles. To customize the memberships for your
implementation, you can add or remove users from the default groups.
Administrators can specify which users belong to which roles by modifying their
membership in these local security groups. The role-based security scheme is
easier to manage than the file-system permissions security scheme, as the
changes to these security groups immediately affect all Web reports.
The following table shows the default roles associated with each action:
ACTION | USER | AUTHOR | ADMINISTRATOR
Accessing the site
Exporting Web reports
Saving report settings in My Reports folder
Saving report settings in any folder
Creating Custom Reports
Saving Custom Reports in My Reports folder
Saving Custom Reports in any folder
Creating new folders in My Reports folder
Creating new folders in any folder
Copy folders or report within My Reports folder
Copy folders or Web reports to and within My Reports folder
Copy folders or Web reports to and within any folder
Move folders or Web reports within My Reports folder
Move folders or Web reports from any folder to My Reports folder
Move folder to and within any folder
Rename folders or Web reports in My Reports folder
Rename folders or Web reports in any folder
Delete folders or Web reports in My Reports folder
Delete folders or Web reports in any folder
Edit folder descriptions in My Reports folder
Edit folder descriptions in any folder
Enable subscriptions for Web reports in My Reports folder
Enable subscriptions for Web reports in any folder
Set Filter Defaults
Configuring the Web Report Subscription Service
The Quest Web Reports subscription service generates specific Web reports on
a regular schedule. You can use the Subscription Wizard to set up and schedule
the report subscription service.
To access the Subscriptions page
• In the folder view, select File | Subscriptions.
  This opens the Subscriptions page.
From this page you can:
• Click Add to access the Subscription Wizard.
• Click Modify to modify an existing subscription.
• Click Remove to delete a subscription from your subscription list.
• Click Run Now to run a subscription earlier than its scheduled time.
• Click Refresh to refresh the list of displayed subscriptions.
The Show subscriptions for all users check box is available only to
administrators.
To access the Configuration dialog box using the Subscriptions | Configure
Subscriptions menu item, you must have administrator privileges and be the
administrator of the computer where Web Reports is installed.
The Subscription Wizard Welcome Page
To access the Subscription Wizard
1. On the Subscriptions page, click Add.
   This opens the Subscription Wizard Welcome page. From this page, you can configure the report subscription service.
2. Click Next to access the Schedule page.
Scheduling the Subscription Service
You can schedule the interval, start date, and exact time you want the
subscription to run.
Subscriptions can be run on the following intervals: Now, Once Only, Daily,
Weekly, Monthly, and Quarterly. If you select Daily, you have the option to
specify whether you want the subscription to run every day, weekdays, or every
specified number of days. If you select Weekly, you can specify the days of the
week you want the subscription to run, and the number of weeks apart. If you
select Monthly, you can specify which months, and which date during the month.
To schedule the subscription
1. Select the interval.
2. Enter the time of day you want the subscription to run in the Start Time box.
3. Enter the date you want the subscription to start in the Start Date box.
4. Click Next.
Sending the Subscription
You can specify the method for sending the subscription on the Action page of
the Subscription Wizard. Web Reports can be sent by email, or copied to a file
location, an FTP site, or a web site.
To send a subscription by email
1. Select Email in the Send to box.
2. Select the format in the Format box.
   You can specify Inline HTML, HTTP Link, MHTML Attachment, Excel Attachment, Word Attachment, CSV Attachment, CSV Inline, TSV Attachment, TSV Inline, or XML Attachment.
3. Enter the recipient's email address in the To: line.
   You may also specify other recipients in the CC: and BCC: lines.
4. Enter a subject for the Subject line.
5. Click Next.
When sending a subscription by email, the SMTP From address cannot
contain spaces.
To send a subscription to a file location
1. Select File Location in the Send to box.
2. Select the format in the Format box.
   You can specify HTML, MHTML, Excel, Word, CSV, TSV, or XML.
3. Enter the UNC File Path for the file location.
   You may also choose to overwrite old copies of Web reports or include the date and time in the filename of generated Web reports.
4. Click Next.
To send a subscription to an FTP site
1. Select FTP Site in the Send to box.
2. Specify the format in the Format box.
   You can specify HTML, MHTML, Excel, Word, CSV, TSV, or XML.
3. Enter the name of the FTP server, user name, password, and directory.
   The default FTP user name is "anonymous". You must re-enter the password to confirm it. You may also choose to overwrite old copies of Web reports or include the date and time in the filename of generated Web reports.
4. Click Next.
FTP passwords are neither stored nor transmitted securely. Valuable
passwords should not be used for this purpose.
To send a subscription to a web site
1. Select Web Site in the Send to box.
2. Specify the format in the Format box.
   You can specify HTML, MHTML, Excel, Word, CSV, TSV, or XML.
3. Enter the URL for the web site.
   You may also choose to overwrite old copies of Web reports or include the date and time in the filename of generated Web reports.
4. Click Next.
In order to send subscriptions to file locations, FTP, and web sites, you must
have write privileges for these directories/virtual directories. This setting has
to be set manually, as write privileges are not granted by default.
Selecting Web Reports for the Subscription
You can select specific Web reports from the list of available Web reports to
include in the subscription.
To select Web reports to be included in the subscription
1. Click Add to view the list of reports.
2. Select a Web report, and click Next.
   If the Web report has filters applied to it, you will be taken to the Filter page of the Web Report Wizard so you can modify the filter settings.
3. Click Finish, and click Next.
Selecting a User Account
The Web reports in your subscription are generated under a specific user
account.
To select a user account for the subscription
1. Enter the user name, password, and domain for the user account you want to use.
2. Click Next.
Displaying Subscriptions
You can specify a display name for the subscription.
To give the subscription a display name
1. Enter a display name for the subscription in the Display Name box.
2. Click Finish.
This name is displayed in your list of current subscriptions.
Importing and Exporting Subscriptions
You can import or export existing subscriptions.
You must have administrative rights on the IIS server to import a
subscription.
To import a subscription
1. Select File | Subscriptions.
   This opens the Subscriptions page.
2. Select Subscriptions | Import Subscriptions.
3. Enter the file name of the subscription you want to import.
   – OR –
   Browse to the file you want to import.
4. Enter a user name and password to use when generating the subscription.
5. Enter the domain name for that user name.
6. Click OK.
Once you have configured a subscription, you can export it to a file.
To export a subscription
1. Select File | Subscriptions.
   This opens the Subscriptions page.
2. Select Subscriptions | Export Selected Subscriptions.
   You are prompted to save the file.
3. Click Save.
   This opens the Save As dialog box. Enter a name for the subscription and browse to where you want to save the file, or accept the default.
4. Click Save.
Using Preconfigured Reports
Spotlight on Active Directory Web Reports provides a collection of preconfigured
reports, which allow report consumers to view data across multiple subsections
of your organization.
For more information, see:
• Preconfigured Reports in Spotlight on Active Directory Topology Viewer
• Accessing Web Reports
• Filtering Preconfigured Reports
To view a preconfigured report
1. Click the name of the report you want to run.
   The report is generated and displayed immediately, using data collected in Discovery and Analysis tests.
2. To view report options, click at the lower right of the screen.
3. You can apply filters to the report. See “Filtering Preconfigured Reports” on page 140 for more information.
Preconfigured Reports in Spotlight on Active Directory Topology Viewer
Spotlight on Active Directory preconfigured reports are organized into the following categories:
• My Reports (shown only in the web browser)
• Summary Reports
• Server Health
• Directory Replication
• File Replication
• Time Synchronization
• DNS
• Group Policy Objects
• Inventory
You can access these preconfigured reports by clicking the Web Reports tab in the Topology Viewer.
Summary Reports
Summary reports provide an overall status on your network environment. The
following table lists these reports and their descriptions:
REPORT | DESCRIPTION
Corporate Active Directory At A Glance | Provides a complete update on the Active Directory forest on an hourly, daily, weekly, and monthly basis. You can also view the percentages of total requests (Authentications, Exchange Client Usage, Directory Changes, DNS Interaction, and Replication) per domain controller (DC).
Domain Controller At A Glance | Provides a complete update on the specified DC on a daily, weekly and monthly basis.
Server Health
Server Health reports consist of several report categories that focus on domain
controllers in your Active Directory forest. The following table contains a full list
of report categories and their descriptions:
REPORT CATEGORY | DESCRIPTION
Processor Utilization | Identify servers having the highest CPU usage over a specified period of time. You can select a report for the top five or ten servers for either the past week or month. You can also use filters to prepare a custom report. Use these Web reports to help pinpoint performance problems and down time. You can also use the Processor Utilization Hourly Report to view data alphabetically by server name in the database. By default, it renders for the time period “Today”.
Physical Memory Utilization | Identify servers having the highest physical memory usage over a specified period of time. You can select a report that shows either the top five or ten servers for either the past week or month. You can also use filters to prepare a custom report.
Page Faults | Identify which servers have the highest average number of page faults per second within either the past week or month. You can also use filters to prepare a custom report.
SMB Connections | Identify which servers have the largest number of SMB connections within either the past week or month. You can also use filters to prepare a custom report.
Alerts | Identify performance or service status alerts over a specified period of time. You can select an alert report for either of these types with a time period criteria of the past day, week, or month. You can also use filters to prepare a custom report.
LDAP Response Time | Identify servers having the slowest LDAP responsiveness over a specified period of time. You can select a report that shows either the top five or ten servers for either the past week or month. You can also use filters to prepare a custom report.
LDAP Query Execution Time | Identify servers having the slowest LDAP query response time over a specified period of time. You can select a report that shows either the top five or ten servers for either the past week or month. You can also use filters to prepare a custom report.
Disk Space | Identify domain controllers with the lowest amount of disk space on the drive hosting the directory service database within the past week or month. You can also use filters to prepare a custom report. Additional Web reports identify disk space usage by domain or site. Use these Web reports to help determine which domain controllers require upgrades to their disk subsystems.
Event Log Errors | Identify event log errors that occurred during a specified period of time. You can select a report for either the past day, week, or month. You can also use filters to prepare a custom report.
Lingering Objects | Records of the Lingering Objects test results (detection of lingering objects on a domain controller after a long disconnection or a restore from backup). You can view a report for the past day, week, or month. You can also customize a date range.
Authentications | Identify Authentications on a daily or hourly basis.
Exchange Client Usage | Identify Exchange Client Usage on a daily or hourly basis.
Directory Changes | Identify Directory Changes on a daily or hourly basis.
DNS Interaction | Identify DNS Interactions on a daily or hourly basis.
Directory Replication
Directory Replication Reports provide diagnostic information regarding the
status of replication in your forest, such as slowest replication links, sites that
are slowest to replicate, object tracking, replication failures, and domain
controllers with missing replication links. The following table lists these Web
reports and their descriptions:
REPORT | DESCRIPTION
Replication Time | Contains the following: • Intra-Site Replication Time: Provides a Top N list of domain controllers that have the slowest replication links, and displays the domain controllers for which the replication times are greater than 30 minutes or 1 hour, in the past week or month. Use these Web reports to render Average Intra-Site Replication Daily and Average Intra-Site Replication Hourly to show the average replication times for each day or each hour respectively. You can also use filters to prepare a custom report. • Inter-Site Replication Time: The same Web reports are supported as for Intra-Site Replication Time, above. • Replication Time from FSMO Role Holders: Discovers the servers that take the longest time to receive replication updates from the various FSMO role holders. It also records replication times hourly and daily from the PDC Emulator.
Domain Controllers without Replication Links | Identifies the domain controllers that do not have any replication links.
Find Replication Failures | Identifies replication links that do not replicate. Use this report to determine whether changes made to replication partners are also replicated to a selected server.
Object Tracking | Identifies whether tracked objects are identical on two or more domain controllers.
File Replication
File Replication Reports provide diagnostic information regarding the status of
file replication, intra-site replication, and inter-site replication, such as slowest
replication paths, average intra-site and inter-site replication times, and
replication links. The following table lists these Web reports and their
descriptions:
REPORT CATEGORY | DESCRIPTION
Intra-Site Replication Time | Provides the time required for intra-site file replications. You can select a report for the top N servers with slowest replication paths and for replication links that took longer than 30 minutes or one hour in either the last week or month. You can also use filters to prepare a custom report.
Inter-Site Replication Time | Provides the time required for inter-site file replications. You can select a report for the top N servers with slowest replication paths and for replication links that took longer than 30 minutes or one hour in either the last week or month. You can also use filters to prepare a custom report.
Time Synchronization
Time Synchronization Reports identify issues with time differences between
domain controllers and their W32Time Parents.
The following table lists these Web reports and their descriptions:
REPORT | DESCRIPTION
Domain Controllers Having Time Difference Greater Than Threshold | Identifies DCs whose time difference is greater than the specified threshold.
Domain Controllers Having Time Difference With W32Time Parent | Identifies the average time difference between DCs and their W32Time Parent.
Top Domain Controllers With Greatest Time Difference | Lists the top N DCs with the greatest difference in time from that of their W32Time Parent.
DNS
DNS Reports provide information regarding domain name system servers, such
as bind and query times, and missing DNS records. The following table lists these
Web reports and their descriptions:
REPORT | DESCRIPTION
DNS Bind Time | Provides information regarding DNS Bind Times over the past day, week, or month. You can also apply filters to customize the report. Use this report to determine the availability of the DNS servers used by the DC.
DNS Query Time | Provides information regarding DNS Query Times over the past day, week, or month. You can also apply filters to customize the report. Use this report to determine the response level of the DNS servers used by the DC.
Missing DNS Records | Provides a listing of servers with missing DNS records. Use this report to determine which DCs have failed to register DNS records.
Group Policy Objects
Group Policy Objects Reports provide information regarding group policy objects
(GPOs) within a domain, such as GPO synchronization and replication.
The following table lists these Web reports and their descriptions:
REPORT | DESCRIPTION
Group Policy Objects | Lists GPOs in a selected domain. You can drill down to get detailed information regarding DC replication. Use this report to determine what GPOs exist in a domain and what DCs they are being replicated to.
Group Policy Objects Synchronization Status | Lists GPOs and their synchronization within a selected domain. You can drill down to get detailed information regarding DC synchronization history. Use this report to identify what GPOs are not synchronized in a selected DC.
Inventory
Inventory Reports provide information on the components of your Active
Directory forest, such as domains, servers, sites, FSMO roles, Global Catalogs,
and groups. The following table lists the available Web reports and their
descriptions:
REPORT | DESCRIPTION
Domains and Directory Objects | Directory Objects - contains the following: • User Objects - lists all user objects in your forest by domain. • Group Objects - lists all group objects in your forest by domain. • Computer Objects - lists all computer objects in your forest by domain. • Organization Unit Objects - lists all OUs in your forest by domain. • Group Policy Objects - lists all GPOs in your forest by domain. Domains - lists all the domains in a given forest, along with the number of sites, domain controllers, and directory objects associated with each domain.
Sites and Replication Links | Replication Links - contains the following: • Intra-Site Replication Links - lists all Intra-Site Replication Links in your forest. • Outgoing Inter-Site Replication Links - lists all Outgoing Inter-Site Replication Links in your forest. • Incoming Inter-Site Replication Links - lists all Incoming Inter-Site Replication Links in your forest. Sites - lists all the sites in a given forest.
Domain Controllers and Roles | Domain Controller Roles - contains the following: • Schema Masters - lists all Schema Masters roles in your forest. • Infrastructure Masters - lists all Infrastructure Masters roles in your forest by domain. • RID Masters - lists all RID Masters roles in your forest by domain. • Domain Naming Masters - lists all Domain Naming Masters roles in your forest by domain. • PDC Emulators - lists all PDC Emulators roles in your forest by domain. • Inter-Site Topology Generators - lists all Inter-Site Topology Generators roles in your forest by domain. • Global Catalogs - lists all Global Catalogs in your forest by site by domain. Domain Controllers - lists all DCs in your forest. Domain Controllers by Domain - lists all DCs in your forest by domain. Domain Controllers by Site - lists all DCs in your forest by site.
Forests | Lists all forests in your Active Directory.
Generating Report Data
In order to generate data for preconfigured reports, you must run the analysis
tests provided in the Topology Viewer. Certain analysis tests generate data for
certain preconfigured reports. The correlation between tests and reports is as
follows:
REPORT NAME | ANALYSIS TEST NAMES
Summary: Corporate Active Directory At a Glance; Domain Controller at a Glance | Verify Server Health; Directory Objects Collector Task (you can initiate this scheduled task through the Windows Scheduler); Discovery
Server Health: Processor Utilization; Physical Memory Utilization; Page Faults; SMB Connections; Alerts; LDAP Response Time; LDAP Query Execution Time; Disk Space; Event Log Errors; Lingering Objects; Authentication; Exchange Client Usage; Directory Changes; DNS Interaction | Verify Server Health
Directory Replication: Replication Time | Verify Directory Replication Health
Directory Replication: Domain Controllers Without Replication Links | Replication Time from FSMO Role Holders
Directory Replication: Find Replication Failures | Verify Directory Replication Health
Directory Replication: Object Tracking | Find Replication Failures; Track Object Replication
File Replication: Inter Server Replication Time; Inter Site Replication Time | Verify File Replication Health
Time Synchronization: Domain Controller's Having Time Difference Greater Than Threshold; Domain Controller's Having Time Difference With W32Time Parent; TOP Domain Controller's With Greatest Time Difference | Check W32Time Differential
DNS: DNS Bind Time; DNS Query Time; Missing DNS Records | Verify DNS Health
Group Policy Objects: Group Policy Objects; Group Policy Objects Synchronization Status | Check GPO Synchronization
Inventory: Intersite Replication Links; Outgoing Intrasite Replication Links; Incoming Intrasite Replication Links; Sites; Schema Masters; Infrastructure Masters; RID Masters; PDC Emulators; Intersite Topology Generators; Global Catalogs; Domain Controllers; Domain Controllers by Domains; Domain Controllers by Site; Forests | Discovery
Inventory: User Objects; Group Objects; Computer Objects; OU Objects; GPO Objects | Directory Objects Collector Task (you can initiate this scheduled task through the Windows Scheduler)
For more information on running the aforementioned analysis tests, refer to
“Detecting Active Directory Problems” on page 46.
10 Using Distributed Collection of Analysis Test Data (Collectors)
• Using Distributed Collectors
• Installing Distributed Collectors
• Adding Sites and Servers to Distributed Collectors
• Viewing Managed Sites and Servers
• Configuring Collectors
• Upgrading Distributed Collectors
• Updating Collector Status
• Uninstalling Distributed Collectors
Using Distributed Collectors
The Distributed Collection of Analysis Test Data feature localizes data collection
and processing before the data is transferred to the central Diagnostic Services.
This feature supports site collection where a distributed collector runs all tests
for each domain controller (DC) in the site, and targeted collection where a
distributed collector runs all tests for a specific DC.
Distributed collectors are installed on additional servers on the network, either manually or through the Collector Management Console.
This feature is made up of several components:
• Diagnostic Services
• Collector Service
• Collector Management Console
Diagnostic Services
The Diagnostic Services component is responsible for managing the test
execution schedule.
By default, Diagnostic Services run all tests, using a default collector, which can
cause a heavy load on the host system. Distributed collectors reduce this load
by allowing other servers to share data collection and test execution. Thus,
network usage is reduced. Distributed collectors are configured to manage entire
sites and/or specific servers, and to run any tests against the servers in their
managed list. The distributed collectors process the request, and send back only
the final results to the Diagnostic Services.
If a required distributed collector is unavailable, the default collector is used to
execute the tests. Multiple collectors can be involved in a single test execution if
the test is operating against several servers.
Collector Service
The Collector Service runs on host computers and listens on the specified port.
It waits for Diagnostic Services to send test requests. Once the test request is
received and validated, the test is executed, and the results are returned to the
server for processing.
Collector Management Console
The Collector Management Console allows you to specify distributed collectors
to handle test requests against specific sites or servers. This helps to reduce the
load on the central Spotlight on Active Directory server.
Using the Collector Management Console, you can push a distributed collector to
any server with which the Diagnostic Services communicates using Windows
Management Instrumentation (WMI). You can view the status of the installed
distributed collectors, view the DCs that a collector is managing, and configure the
listening port of the collector so that it can operate in a firewalled environment.
Using the Collector Management Console, you can:
• install distributed collectors on host computers
• remove distributed collectors from host computers
• assign servers to distributed collectors
• present statistics on distributed collectors
The Collector Management Console is a component of the Spotlight on Active
Directory installation. It can be installed on the same servers as Spotlight on
Active Directory, on different servers, or both.
Installing Distributed Collectors
Distributed collectors are installed:
• Using the Collector Management Console
• Using the Spotlight on Active Directory Installation CD
You can install remote collectors, which are collectors not installed in the
same location as the Diagnostic Services. Using remote collectors reduces
traffic load over slow links and works better in firewalled environments.
Using the Collector Management Console
To install distributed collectors using the Collector Management Console
1. From the Collector Management Console:
   Select Action | Install Distributed Collector.
   – OR –
   Right-click the Collectors root node and select Install Distributed Collector.
   – OR –
   Select Install Distributed Collector from the Actions pane.
2. Enter the name of the distributed collector.
   The name can be letters and numbers only. You cannot use special characters such as spaces or underscores.
3. Enter the host name of the server on which the distributed collector is to be installed.
   The name should be a fully qualified domain name if the server is in a different forest than the local computer.
4. Enter the listening port that the collector will use to receive information.
   The default listening port is 9605.
5. Enter a user name and password to execute tests.
6. Re-enter the password.
7. Click OK.
   The distributed collector is automatically installed.
Using the Spotlight on Active Directory Installation CD
If WMI is disabled, distributed collectors cannot be installed automatically. In
that case, or if you cannot install distributed collectors through the Collector
Management Console for another reason, you must install them manually using
the Spotlight on Active Directory installation CD.
To manually install distributed collectors using the Spotlight on Active Directory installation CD
1. Select Collector Install from the Spotlight on Active Directory installation CD.
2. Click Next.
3. Read the license agreement and select I accept the license agreement.
   You must accept the license agreement to activate Next.
4. Click Next to proceed to the Destination Folder dialog box.
5. Click Next to accept the default installation drive and path settings.
   – OR –
   Click Browse to select a different destination folder, then click OK, then click Next.
6. Click Next to proceed to the Logon Information dialog box.
7. Enter your user name and password.
   The user name and password must be the same as the one used to install Spotlight on Active Directory. Specify the user name as Domain\User name.
8. Click Next to proceed to the Installation Configuration dialog box.
9. Enter the default collector server name, listening port, and collector name.
   You can also leave the defaults as is for the listening port and collector name.
10. Click Next on the Ready to Install the Application dialog box to begin the installation.
11. Click Finish.
Adding Sites and Servers to Distributed Collectors
When you first launch the Collector Management Console and view the
properties of the distributed collector, every site and server is checked to
indicate that the distributed collector is managing those sites and servers.
If a site or server is not checked, it is being managed by another
distributed collector. The name of that distributed collector is
indicated in parentheses to the right of the site or server.
To assign sites and servers to a distributed collector
1. Select a distributed collector.
2. Check which site and/or server you would like the distributed collector to manage.
   The Confirm Collector Assignment dialog appears. This dialog tells you that this site and/or server is being managed by another distributed collector, and asks if you would like to manage this site and/or server.
3. Click OK.
   The check box is checked indicating the distributed collector is now managing the site and/or server.
Viewing Managed Sites and Servers
You can view which default collector or distributed collector is managing which
sites or servers.
To view managed sites or servers
1. Click the Collectors root node.
2. Select the default collector or a distributed collector.
   You can view a list of managed sites or managed servers in the Properties area.
   The Properties section appears listing all sites and servers. Those sites and servers that are checked are being managed by the selected collector.
Configuring Collectors
The configuration of Collector Services is controlled through the Collector
Management Console. You can configure the listening port, which is the port the
collector service uses to communicate with the Diagnostic Services.
To configure the listening port
1. Right-click the default collector or a distributed collector.
2. Click View <name of Collector>.
   You can also double-click the name of the default collector or distributed collector.
3. Enter the listening port in the Listening Port box.
4. Click Apply.
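The following is an added example, not part of the Quest guide: a host firewall rule on the collector server that admits only the Diagnostic Services host on the configured listening port, instead of opening the port to any source. It assumes the collector listens on TCP (the guide does not name the protocol); the rule name and the address 192.0.2.10 are placeholders.

```powershell
# Added example, not from the Quest guide. Run in an elevated session on the collector host.
# Assumptions: the collector listens on TCP (the guide does not state the protocol);
# the address and rule name below are placeholders to replace with your own values.
$ListeningPort          = 9605                                # default from the guide; match the Listening Port box
$DiagnosticServicesHost = '192.0.2.10'                        # placeholder address of the central Spotlight server
$RuleName               = 'Spotlight AD Collector (inbound)'  # hypothetical rule name

# Remove an earlier copy of the rule, so that changing the listening port
# does not leave the previous port open.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound connections to the collector port from the Diagnostic Services
# host only, and only on the Domain firewall profile.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $ListeningPort -RemoteAddress $DiagnosticServicesHost `
    -Profile Domain | Out-Null

# Show what was actually created: port and permitted source address.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}

# From the Diagnostic Services host, confirm the port is reachable
# (replace the placeholder with the collector's host name):
#   Test-NetConnection -ComputerName <collector host> -Port 9605
```

If the listening port is changed later in the Collector Management Console, rerun the script with the new value so the old port is closed again.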
Upgrading Distributed Collectors
When you log on to the Collector Management Console, you may notice that the
Version number and the icon to the left of the Distributed Collector name in the
Installed Collectors pane are red. This means that the Distributed Collector
requires an upgrade.
You can also hover the mouse pointer over the Distributed Collector
name. The following message appears: "The Distributed Collector
requires upgrade".
To upgrade the Distributed Collector
1. Click the Distributed Collector requiring an upgrade.
2. Click Upgrade <Distributed Collector name> from the Actions pane.
3. Enter the User name and Password used to execute the tests.
4. Re-enter the Password.
5. Click OK.
Updating Collector Status
When you log on to the Collector Management Console, you may want to update
the status of the collector to see if any changes have occurred to the collector.
To update the collector status
1. Select the default collector or distributed collector.
2. Click Update Collector Status from the Actions pane.
Uninstalling Distributed Collectors
You can uninstall distributed collectors:
• Using the Collector Management Console
• Using Add/Remove Programs in the Control Panel
Using the Collector Management Console
To uninstall distributed collectors using the Collector Management Console
1. From the Collector Management Console:
   Select Action | Uninstall <Distributed Collector name>.
   – OR –
   Right-click the distributed collector and select Uninstall <Distributed Collector name>.
   – OR –
   Select Uninstall <Distributed Collector name> from the Actions pane.
2. Click Yes in the Confirm dialog.
Using Add/Remove Programs in the Control Panel
To uninstall distributed collectors using Add/Remove Programs
1. Click Start | Settings | Control Panel | Add or Remove Programs | Quest Spotlight on Active Directory Collector.
2. Click Remove.
3. Click Yes to confirm you want to remove the distributed collector from your computer.
If you uninstall a distributed collector using this method, the distributed collector
is still registered with the Diagnostic Services. You have to use the Collector
Management Console to remove the registration information. For more
information, see “Using the Collector Management Console” on page 190.
Glossary
This glossary contains definitions taken from Microsoft publications.
C
Client
A software application that requests the services, data, or
processing of another application or computer (known as
the domain controller).
Collector Management Console
An application that allows you to specify distributed
collectors to handle test requests against specific sites or
servers to reduce the load on the central Spotlight on
Active Directory server.
D
DFSR (Distributed File System Replication)
The Distributed File Replication service is used to keep
folders synchronized on multiple servers.
Diagnostic Views
Visual diagnostic tools that aid in network performance
monitoring.
Diagnostic Services
A component that is responsible for managing the test
execution schedule. By default, the Diagnostic Services
runs all tests using a default collector.
Distributed Collection of Analysis Tests (Distributed Collector)
A function that localizes data collection and processing
before the data is transferred to the central Spotlight on
Active Directory server. This function supports site
collection, where a collector runs all tests for each domain
controller (DC) in the site, and targeted collection, where
a collector runs all tests for a specific DC.
Domain
A logical collection of resources consisting of computers,
printers, and computer and user accounts. A domain also
has a system of logon authentication of computer and
user accounts.
Domain Controller (DC)
A domain controller is a server that authenticates domain
logon passwords. It maintains security policy and the
security accounts master database for a domain.
G
Global Catalog (GC)
A GC is a portion of Active Directory that contains a
subset of information about all objects within all domains
of the Active Directory data store. It is used to improve
performance of authentications and for sharing
information between domains.
L
Layout File (.tvl)
This file contains layout information about a specific
domain or a domain controller and can be reloaded and
displayed in the Topology View pane.
N
NTFRS (NT File Replication Service)
The part of Active Directory that deals with the replication
of files. It is vital to security and Group Policy Object
(GPO) maintenance that includes the file portion of GPOs.
The NT File Replication Service deals with changes to files
that are part of the group policy template. Good examples
are logon scripts and administrative templates.
Q
Query
A query is a statement that returns a set of values.
Spotlight uses a variety of queries to collect information
about a system’s performance.
Query Server
The domain controller that is queried to gather
information from the Active Directory database.
R
Replication
The mechanism employed by Active Directory to ensure
changes made to objects are propagated through the
network.
Replication Links
Domain controllers replicate information through a
network by a series of links. A replication link consists of
direction, schedule, and frequency settings that ensure
replication occurs.
S
Server Information
This tip text displays the domain controller's name as well
as the site and domain to which it belongs.
T
Time Synchronization
A set of parameters that affect replication schedules and
partners.
Topology View
The topology view is displayed in the Topology View pane.
It consists of a series of domain controllers organized by
sites or domains and connected via groups of replication
links.
INDEX
A
action results
clearing 93
saving 92
actions and results 92
adding sites and servers to
collectors 188
analysis tests 46
configuring impersonation
options 23
deleting 62
naming 63
pausing and resuming 61
running tests using the Assistant
Pane 62
scheduling 57
scheduling tests with impersonation
options 59
scheduling tests with notification
options 60
Assistant pane 15, 62
Assistant 15
Directory Replication Testing
pane 15
DNS Testing pane 15
File Replication Testing pane 15
Native Tools 15
Resolve DFSR File Replication
pane 16
Resolve Directory Replication
pane 16
Resolve NTFRS File Replication
pane 16
Resolve Time Synchronization
pane 16
Status/Performance Testing
pane 15
Time Synchronization Testing
pane 15
Autogrouping 102
B
browse reports 132
browsing
by domain 16
by grouping 16
by site 16
C
canceling
pending actions 92
Center on Group 103
Center on Server 17
changing reports 143
clearing
action results 93
Collapse 103
Collector Management Console 185
collector service 184
collectors 183
adding sites and servers 188
collector service 184
configuring 189
Diagnostic Services 184
distributed 184
distributed, manually
uninstalling 191
distributed, installing 185
distributed, manually installing 187
distributed, uninstalling 190
updating status 190
viewing managed sites and
servers 188
Computer Objects web report 177
Configuration Drilldown
Installed Hotfixes Tab 115
Installed Software Tab 115
Network Adapters Tab 116
configuring collectors 189
configuring impersonation options for
analysis tests 23
Configuring Subscriptions 165
connecting
to a domain or domain controller
(DC) 12
creating
a Favorite 18
creating custom topology views 97
D
databases supported 30
default analysis test options 28
default settings, defining for Topology
Viewer 27
defining default settings for Topology
Viewer 27
deleting
a Favorite 19
a link 74
scheduled analysis tests 62
deleting custom topology views 98
Description page 142
DFSR
logging 83
properties 36
restarting 83
starting 82
stopping 82
DFSR logging
disabling 84
enabling 84
setting the log file details 86
setting the number of log files
generated 85
setting the number of messages
per log file 85
Diagnostic Services 184
Directory Replication reports 173
Directory Replication Testing pane 15
discovering the topology 12
Displaying Subscriptions 168
distributed collection of analysis test
data
see also collectors 183
distributed collectors 184
installing 185
installing manually 187
manually uninstalling 191
uninstalling 190
upgrading 189
DNS reports 176
DNS Testing pane 15
domain
connecting to 12
Domain Controllers web report 178
Domain Naming Masters web
report 178
Domains Controllers by Domain web
report 178
Domains Controllers by Site web
report 178
drilldowns
Configuration Drilldown 115
DNS Drilldown 116
FMSO Drilldown 118
LDAP Drilldown 117
LSASS Drilldown 117
Performance Drilldown 109
Replication Drilldown 110
E
Edit button 144
edit reports 143
editing
a Favorite 19
scheduled analysis tests 61
editing custom topology views 98
entering a description for your
custom report 142
Expand 104
F
Fields page 139
File menu commands, Reports
interface 135
File Replication
managing 81
File Replication reports 175
File Replication Testing pane 15
file-based model for reports 134
Filter page 140
filtering
Preconfigured reports 131, 140
force replication between two
unconnected servers 77
forcing replication 76
Forest discovery options 31
Format page 141
formatting custom reports 141
G
Global Catalogs web report 178
GPO
logging 83
properties 37
GPO logging 88
disabling 88
disabling advanced logging 88
enabling 88
enabling advanced logging 88
Group Objects web report 177
Group page 141
Group Policy Objects reports 176
Group Policy Objects web report 177
Group Together 104
grouping options for reports 149
groups
Autogrouping 102
Center on Group 103
Collapse 103
Expand 104
Group Together 104
Ungroup 104
I
impact of changing topology
views 25, 97
Incoming Intra-Site Replication Links
web report 177
information button 138
Infrastructure Masters web
report 178
installing distributed collectors 185
integrating
InTrust for Active Directory 31
Inter-Site Topology Generators web
report 178
Intrasite Replication Links web
report 177
introducing Spotlight on Active
Directory 106
introduction
Spotlight on Active Directory 106
InTrust for Active Directory
integrating 31
viewing changes 69
Inventory reports 177
L
launching
Spotlight on Active Directory
Diagnostic Console 93
logging
NTFRS, DFSR and GPO 83
M
Management Action Results tab
Completed Actions 92
overview of 92
Pending Actions 92
managing
replication links 72
managing File Replication 81
managing GPO logging 88
manually installing distributed
collectors 187
manually uninstalling distributed
collectors 191
MOM options 30
My Favorites 18
N
naming
analysis tests 63
Native Tools 15
NTFRS
logging 83
properties 35
restarting 83
starting 82
stopping 82
NTFRS logging
disabling 84
enabling 84
setting the log file details 86
setting the number of log files
generated 85
setting the number of messages
per log file 85
O
options
database options 29, 30
default analysis test options 28
Forest discovery 31
MOM integration 30
Web Reports 31
Organizational Units web report 177
Outgoing Intra-Site Replication Links
web report 177
P
parts of the Topology Viewer
interface 13
pausing
scheduled analysis tests 61
PDC Emulators web report 178
pending actions, canceling 92
Performance Drilldown
All Processes Tab 110
Top CPU Consumers Tab 109
Top Memory Consumers Tab 110
preconfigured reports
Alerts Reports 172
Authentications Reports 173
Corporate Active Directory At A
Glance Report 171
Directory Changes Reports 173
Disk Space Reports 172
DNS Bind Time Report 176
DNS Interaction Reports 173
DNS Query Time Report 176
Domain Controller At A Glance
Report 171
Domain Controllers and Roles 178
Domain Controllers Having Time
Difference Greater Than
Threshold Report 175
Domain Controllers Having Time
Difference With W32Time
Parent Report 175
Domain Controllers With Greatest
Time Difference Report 175
Domain Controllers without
Replication Links Report 174
Domains and Directory Objects 177
Event Log Errors Reports 172
Exchange Client Usage Reports 173
Find Replication Failures
Report 174
Forest Report 178
Group Policy Objects Report 176
Group Policy Objects
Synchronization Status
Report 176
Inter Server Replication Time
Report (File Replication) 175
Inter Site Replication Time Report
(File Replication) 175
Inter-Site Replication Time Report
(Directory Replication) 174
Intra-Site Replication Time Report
(Directory Replication) 174
LDAP Query Execution Time
Reports 172
LDAP Response Time Reports 172
Lingering Objects Reports 173
Missing DNS Records Report 176
Object Tracking Report 174
Page Faults Reports 172
Physical Memory Utilization
Reports 171
Processor Utilization Reports 171
Replication Time from FSMO Role
Holders Report (Directory
Replication) 174
Replication Time Report 174
Sites and Replication Links 177
Sites Report 177
SMB Connections Reports 172
Preconfigured reports, filtering 131,
140
Preview page 142
previewing reports 142
properties
DFSR properties 36
DNS properties 34
general properties 33
GPO properties 37
latency properties 37
local changes properties 38
NTFRS properties 35
operating system properties 33
replication properties 35
time sync properties 34
Q
Quick Filter bar 145
R
removing filter criteria from your
custom report 140
removing sorting options from a
custom report 141
renaming
a Favorite 20
Replication Drilldown
Activity Tab 112
Collisions Tab 114
Directory Partners Tab 113
FRS Replicas Tab 114
Queues Tab 112
Report Information button 138
report types 131
reports
file-based model 134
reports interface
command buttons 133
reports treeview 134
resetting layout of topology view 99
Resolve DFSR File Replication
pane 16
Resolve Directory Replication
pane 16
Resolve NTFRS File Replication
pane 16
Resolve Time Synchronization
pane 16
restarting
DFSR 83
NTFRS 83
resuming
paused analysis tests 61
RIDMasters web report 178
running
analysis tests using the Assistant
Pane 62
S
saving
action results 92
scheduling
analysis tests 57
analysis tests with impersonation
options 59
analysis tests with notification
options 60
Scheduling the Subscription
Service 166
Schema Masters web report 178
Scroll Bars 16
Select 18
all 18
DCs in Domain 18
Server Roles 18
Selecting a User Account 168
selecting filter criteria for custom
reports 140
selecting grouping options for custom
reports 141
Selecting Reports for the
Subscription 168
selecting topology views 25, 97
Sending the Subscription 166
server
connecting to 12
Server Health reports 171
setting
default options for Topology
Viewer 27
time sync parameters 89
Sort page 141
sorting a custom report 141
Spotlight on Active Directory
Introduction 106
starting
DFSR 82
NTFRS 82
Status/Performance Testing pane 15
stopping
DFSR 82
NTFRS 82
Subscription Page 165
Subscriptions
configuring 165
Summary reports 171
supported databases 30
system properties 33
system views, summary of 25, 96
T
Time Synchronization reports 175
Time Synchronization Testing
pane 15
To select a user account for the
subscription 168
To send a subscription by email 166
To send a subscription to a file
location 167
To send a subscription to a web
site 167
To send a subscription to an FTP
site 167
Topology Viewer interface, parts
of 13
Topology Viewer tools 16
topology views
creating custom 97
deleting custom 98
editing custom topology views 98
impact of changing 25, 97
resetting layout of 99
selecting 25, 97
summary of system views 25, 96
types of reports 131
U
Ungroup 104
uninstalling distributed collectors 190
updating collector status 190
upgrading distributed collectors 189
User Objects web report 177
USN Journal Size
increasing 87
V
viewing
analysis test results 64
viewing changes
InTrust for Active Directory 69
viewing managed sites and
servers 188
W
web reports
Alerts Reports 172
Authentications Reports 173
Computer Objects Report 177
Corporate Active Directory At A
Glance Report 171
Directory Changes Reports 173
Disk Space Reports 172
DNS Bind Time Report 176
DNS Interaction Reports 173
DNS Query Time Report 176
Domain and Directory Objects
Report 177
Domain Controller At A Glance
Report 171
Domain Controllers and Roles
Report 178
Domain Controllers Having Time
Difference Greater Than
Threshold Report 175
Domain Controllers Having Time
Difference With W32Time
Parent Report 175
Domain Controllers Report 178
Domain Controllers With Greatest
Time Difference Report 175
Domain Controllers without
Replication Links Report 174
Domain Naming Masters
Report 178
Domains Controllers by
Domain 178
Domains Controllers by Site 178
Domains Report 177
Event Log Errors Reports 172
Exchange Client Usage Reports 173
Find Replication Failures
Report 174
Forests Report 178
Global Catalogs Report 178
Group Objects Report 177
Group Policy Objects Report 176,
177
Group Policy Objects
Synchronization Status
Report 176
Incoming Intra-Site Replication
Links Report 177
Infrastructure Masters Report 178
Inter Server Replication Time
Report (File Replication) 175
Inter Site Replication Time Report
(File Replication) 175
Inter-Site Replication Time Report
(Directory Replication) 174
Inter-Site Topology Generators
Report 178
Intrasite Replication Links
Report 177
Intra-Site Replication Time Report
(Directory Replication) 174
LDAP Query Execution Time
Reports 172
LDAP Response Time Reports 172
Lingering Objects Reports 173
Missing DNS Records Report 176
Object Tracking Report 174
Organizational Units Report 177
Outgoing Intra-Site Replication
Links Report 177
Page Faults Reports 172
PDC Emulators Report 178
Physical Memory Utilization
Reports 171
Processor Utilization Reports 171
Replication Time from FSMO Role
Holders Report 174
Replication Time Report 174
RID Masters Report 178
Schema Masters Reports 178
Sites and Replication Links
Report 177
Sites Report 177
SMB Connections Reports 172
User Objects Report 177
Web Reports options 31
About Quest Software
Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and
innovative IT management solutions that enable more than 100,000 global
customers to save time and money across physical and virtual environments.
Quest products solve complex IT challenges ranging from database
management, data protection, identity and access management, monitoring,
user workspace management to Windows management. For more information,
visit www.quest.com.
Contacting Quest Software
Email
[email protected]
Mail
Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site
www.quest.com
Refer to our Web site for regional and international office information.
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest
product or who have purchased a Quest product and have a valid maintenance
contract. Quest Support provides unlimited 24x7 access to the support portal. Visit
our support portal at http://www.quest.com/support.
From our support portal, you can do the following:
• Retrieve thousands of solutions from our online Knowledgebase
• Download the latest releases and service packs
• Create, update and review Support cases
View the Global Support Guide for a detailed explanation of support programs,
online services, contact information, policies and procedures. The guide is
available at: http://www.quest.com/support.
Third Party Contributions
Spotlight on Active Directory 6.8.2 contains some third party components (listed
below). Copies of their licenses may be found on our website at
http://www.quest.com/legal/third-party-licenses.aspx.
COMPONENT    LICENSE OR ACKNOWLEDGEMENT
Zlib         zlib 1.2.3