Spotlight on Active Directory

Deployment Guide

6.8.1

© 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA email: [email protected] Refer to our Web site (www.quest.com) for regional and international office information.

Patents

This product is protected by U.S. Patent #: 6,249,883.

Trademarks

Quest, Quest Software, the Quest Software logo, Spotlight, vSpotlight are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software’s trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Quest Spotlight on Active Directory Deployment Guide
Updated - July 2010
Software Version - 6.8.1

Contents

Best Practices for Spotlight on Active Directory ......... 5
    Domain Controllers ......... 5
    Distributed Collectors ......... 11
    Diagnostic Services ......... 15
    Spotlight on Active Directory Diagnostic Console ......... 15
    Spotlight on Active Directory Web Reports ......... 16
    Port Numbers ......... 16
    Database Maintenance ......... 18

Detailed Test Permissions ......... 19
    High Level Analysis Tests ......... 19
    Directory Replication Analysis Tests ......... 20
    DNS Tests ......... 20
    File Replication Tests ......... 20
    Time Synchronization Tests ......... 20

Frequently Asked Questions and Troubleshooting ......... 21

Third Party Contributions ......... 27

About Quest Software ......... 29
    Contacting Quest Software ......... 29
    Contacting Quest Support ......... 29


About this Guide

This document has been prepared to assist you in deploying Spotlight on Active Directory, an integral component of Spotlight Suite. The Deployment Guide contains the best practices to install and use Spotlight on Active Directory. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product. For information on Spotlight basics, please refer to the Spotlight Basics section of the Help menu of the Spotlight on Active Directory Diagnostic Console.

Best Practices for Spotlight on Active Directory

Once the minimum system requirements have been met, you can deploy Spotlight on Active Directory using the components provided on the Spotlight on Active Directory CD. You should not install the Spotlight on Active Directory components on DCs. You do not have to run services on your DCs to use Spotlight on Active Directory.

Multiple Spotlight on Active Directory Topology Viewer Consoles, installed on separate computers, can connect to and receive analysis test results from the diagnostic services. If multiple administrators need to look at the status of Active Directory, it is recommended that they install their own consoles, and connect to the same Spotlight Diagnostic Services. System administrators should follow Microsoft best practices for Active Directory, SQL Server, and IIS management including operational procedures and performing regular backups.

The following best practices have been established for deploying these components:

• Domain Controllers
• Distributed Collectors
• Diagnostic Services

Domain Controllers

All components of the Spotlight on Active Directory application can reside on a single server or on up to four separate systems.

Less Than 50 Domain Controllers

Installation Best Practices

If you have 50 or fewer domain controllers (DCs), you can install all components on one computer.

Figure 1: Network with 50 or less domain controllers


Performance Best Practices

To assign permissions, you can perform the following:

• To monitor a single domain, create a service account with Domain Administration privileges for Diagnostic Services.
• To monitor multiple domains, create a service account with Enterprise Administration privileges for Diagnostic Services.

For more detailed analysis test permissions, see “Detailed Test Permissions” on page 19.

The following table lists the high level analysis tests and how often you should schedule these tests according to the size of your network:

TEST: Verify Server Health
    SCHEDULE EVERY: 30 minutes
    EFFECT ON DATABASE: 6 kilobytes (KB) per target domain controller per poll, made up of:
        • Performance - 4 KB
        • Network - 150 Bytes
        • Services - 300 Bytes
        • Disk Space - 400 Bytes
        • Events - 1 KB
        • Directory Availability - 150 Bytes

TEST: Verify DNS Health
    SCHEDULE EVERY: 30 minutes
    EFFECT ON DATABASE: 2 KB per target domain controller per poll

TEST: Verify Directory Replication Health
    SCHEDULE EVERY: 30 minutes
    EFFECT ON DATABASE: 50 Bytes per target domain controller per poll

TEST: Verify File Replication Health
    SCHEDULE EVERY: 60 minutes
    EFFECT ON DATABASE: 1.5 KB per target domain controller per poll

TEST: Check GPO Synchronization
    SCHEDULE EVERY: 60 minutes
    EFFECT ON DATABASE: N/A

TEST: Verify Time Synchronization
    SCHEDULE EVERY: 30 minutes
    EFFECT ON DATABASE: 400 bytes per target domain per poll

Between 51 and 100 Domain Controllers

Installation Best Practices

If you have 51 to 100 DCs, it is recommended that you install the diagnostic services and Web Reports on one computer, and the database components on a separate computer. For faster test execution, it is recommended that you have one collector for every 50 DCs. As one collector is automatically installed with Diagnostic Services, you must add another Distributed Collector on a separate computer. For running Web Reports on a network with 51 to 100 DCs, it is recommended that you use SQL Server Enterprise Edition for better performance.


Figure 2: Network with 51 to 100 domain controllers

Performance Best Practices

To assign permissions, you can perform the following:

• To monitor a single domain, create a service account with Domain Administration privileges for Diagnostic Services.
• To monitor multiple domains, create a service account with Enterprise Administration privileges for Diagnostic Services.

For more detailed analysis test permissions, see “Detailed Test Permissions” on page 19.


The following table lists the high level analysis tests and how often you should schedule these tests according to the size of your network:

TEST: Verify Server Health
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 20 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 6 kilobytes (KB) per target domain controller per poll, made up of:
        • Performance - 4 KB
        • Network - 150 Bytes
        • Services - 300 Bytes
        • Disk Space - 400 Bytes
        • Events - 1 KB
        • Directory Availability - 150 Bytes

TEST: Verify DNS Health
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 15 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 2 KB per target domain controller per poll

TEST: Verify Directory Replication Health
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 15 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 50 Bytes per target domain controller per poll

TEST: Verify File Replication Health
    SCHEDULE EVERY:
        • 120 minutes, if no Distributed Collectors
        • 60 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 1.5 KB per target domain controller per poll

TEST: Check GPO Synchronization
    SCHEDULE EVERY:
        • 120 minutes, if no Distributed Collectors
        • 60 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: N/A

TEST: Verify Time Synchronization
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 15 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 400 bytes per target domain per poll

More Than 100 Domain Controllers

Installation Best Practices

If you have 101 or more DCs, it is recommended that individual computers are dedicated to each component. By placing the four components on four separate computers, you have dedicated computer resources for each component, which minimizes contention for system resources. For faster test execution, it is recommended that you have one collector for every 50 DCs. As one collector is automatically installed with Diagnostic Services, you must add the other Distributed Collectors, each on its own computer. For running Web Reports on a network with 101 or more DCs, it is recommended that you use SQL Server Enterprise Edition for better performance.


Figure 3: Network with 101 or more domain controllers

Performance Best Practices

To assign permissions, you can perform the following:

• To monitor a single domain, create a service account with Domain Administration privileges for Diagnostic Services.
• To monitor multiple domains, create a service account with Enterprise Administration privileges for Diagnostic Services.

For more detailed analysis test permissions, see “Detailed Test Permissions” on page 19.


The following table lists the high level analysis tests and how often you should schedule these tests according to the size of your network:

TEST: Verify Server Health
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 20 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 6 kilobytes (KB) per target domain controller per poll, made up of:
        • Performance - 4 KB
        • Network - 150 Bytes
        • Services - 300 Bytes
        • Disk Space - 400 Bytes
        • Events - 1 KB
        • Directory Availability - 150 Bytes

TEST: Verify DNS Health
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 15 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 2 KB per target domain controller per poll

TEST: Verify Directory Replication Health
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 15 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 50 Bytes per target domain controller per poll

TEST: Verify File Replication Health
    SCHEDULE EVERY:
        • 120 minutes, if no Distributed Collectors
        • 60 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 1.5 KB per target domain controller per poll

TEST: Check GPO Synchronization
    SCHEDULE EVERY:
        • 120 minutes, if no Distributed Collectors
        • 60 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: N/A

TEST: Verify Time Synchronization
    SCHEDULE EVERY:
        • 30 minutes, if no Distributed Collectors
        • 15 minutes, if one Distributed Collector is managing half of the DCs
    EFFECT ON DATABASE: 400 bytes per target domain per poll
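The three scheduling tables above give a per-poll database cost and an interval for each test, and the Domain Controllers section gives the collector rule (one collector per 50 DCs) and the deployment tier by DC count. The following PowerShell is an added planning example, not part of the Quest guide: it turns those figures, together with the 30-day default purge described under "Database Maintenance", into a collector count and a database growth estimate. The function and variable names are this example's own; the numbers are the guide's.

```powershell
# Added example (not part of the Quest guide): a planning estimate that combines
# the scheduling tables (per-poll size and interval per test) with the collector
# rule (one collector per 50 DCs) and the 30-day default purge from "Database
# Maintenance". Figures are the guide's; the output is an estimate, not a measurement.

# Interval in minutes for each high level analysis test, per deployment size.
# "WithCollectors" is the guide's "one Distributed Collector managing half of the DCs" column.
$SladSchedules = @{
    Small          = @{ ServerHealth = 30; Dns = 30; DirReplication = 30; FileReplication = 60;  Gpo = 60;  TimeSync = 30 }
    NoCollectors   = @{ ServerHealth = 30; Dns = 30; DirReplication = 30; FileReplication = 120; Gpo = 120; TimeSync = 30 }
    WithCollectors = @{ ServerHealth = 20; Dns = 15; DirReplication = 15; FileReplication = 60;  Gpo = 60;  TimeSync = 15 }
}

# Bytes written per poll ("Effect on Database"). GPO synchronization stores nothing (N/A);
# Time Synchronization is per target domain, every other test is per target DC.
$SladBytesPerPoll = @{ ServerHealth = 6KB; Dns = 2KB; DirReplication = 50; FileReplication = 1.5KB; Gpo = 0; TimeSync = 400 }

function Get-SladDeploymentPlan {
    param(
        [Parameter(Mandatory)][int]$DomainControllers,
        [int]$Domains = 1,
        [int]$RetentionDays = 30,          # default purge interval from "Database Maintenance"
        [switch]$UseDistributedCollectors  # schedule tests at the faster, collector-backed intervals
    )

    # Deployment tier and collector count from the "Domain Controllers" best practices.
    $tier = if ($DomainControllers -le 50) { 'All components on one computer' }
            elseif ($DomainControllers -le 100) { 'Diagnostic Services and Web Reports on one computer, database on another' }
            else { 'Each of the four components on its own computer' }
    $collectorsTotal = [int][math]::Ceiling($DomainControllers / 50)
    $additionalCollectors = [math]::Max(0, $collectorsTotal - 1)   # one default collector ships with Diagnostic Services

    $scheduleName = if ($DomainControllers -le 50) { 'Small' }
                    elseif ($UseDistributedCollectors) { 'WithCollectors' }
                    else { 'NoCollectors' }
    $intervals = $SladSchedules[$scheduleName]

    # Sum daily writes: (polls per day) x (bytes per poll) x (targets polled).
    $bytesPerDay = 0.0
    foreach ($test in $SladBytesPerPoll.Keys) {
        $pollsPerDay = 1440 / $intervals[$test]
        $targets = if ($test -eq 'TimeSync') { $Domains } else { $DomainControllers }
        $bytesPerDay += $pollsPerDay * $SladBytesPerPoll[$test] * $targets
    }

    [pscustomobject]@{
        DomainControllers      = $DomainControllers
        Tier                   = $tier
        CollectorsTotal        = $collectorsTotal
        AdditionalCollectors   = $additionalCollectors
        Schedule               = $scheduleName
        EstimatedMBPerDay      = [math]::Round($bytesPerDay / 1MB, 1)
        EstimatedMBAtRetention = [math]::Round($bytesPerDay * $RetentionDays / 1MB, 1)
    }
}

# Constructed sample input: a forest of 120 DCs in two domains, using distributed collectors.
Get-SladDeploymentPlan -DomainControllers 120 -Domains 2 -UseDistributedCollectors | Format-List
```

The estimate covers analysis test results only; it does not include SQL Server overhead or Web Reports data, so treat it as a lower bound when sizing the database volume.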

Distributed Collectors

The Distributed Collection of Analysis Test Data feature localizes data collection and processing before the data is transferred to the central Diagnostic Services. This feature supports site collection, where a distributed collector runs all tests for each domain controller (DC) in the site, and targeted collection, where a distributed collector runs all tests for a specific DC. By default, the Diagnostic Services runs all tests using a default collector, which can cause a heavy load on the host system. Distributed collectors reduce this load by allowing other servers to share data collection and test execution. Thus, network usage is reduced. Distributed collectors are configured to manage entire sites and/or specific servers, and run any tests against the servers in their managed list. The distributed collectors process the request, and send back only the final results to the Diagnostic Services.


Distributed collectors are installed manually or through the Collector Management Console to additional servers on the network.

Figure 4: A typical setup using collectors in Spotlight on Active Directory

Diagnostic Services includes a default collector, and can communicate directly with a set of domain controllers (DCs) or a site containing multiple sets of DCs. Because the data passing between the DCs and the server can be large, you can install a distributed collector on the DCs' local network, or on the far side of a high latency connection (such as a firewall), so that the bulk of the data does not have to cross that link.


The Diagnostic Services tells the distributed collector to execute analysis tests to the DCs over port 9605. The distributed collectors then return the results back to the Diagnostic Services over port 9602.

Port 9605 is a configurable port. Port 9602 is not configurable.

It is recommended that each distributed collector communicates with a set of domain controllers or a site containing up to a maximum of 50 DCs.

Distributed Collectors Deployed in a Firewalled Environment

If you have a set of DCs behind a firewall, place a Distributed Collector behind that firewall and use the Collector Management Console to assign the DCs behind the firewall to the Collector. Open port 9605 for incoming connections to the Distributed Collector host and port 9602 for outgoing connections to the DiagnosticTestEngineSLAD host.

Install the Spotlight on Active Directory Topology Viewer and Spotlight on Active Directory Diagnostic Console on both sides of the firewall. To allow the Spotlight on Active Directory Topology Viewer to connect with the Diagnostic Services, allow outgoing connections to ports 9601 and 9602. Use the Spotlight on Active Directory Diagnostic Console on the appropriate side of the firewall for diagnosing the DCs in the two different regions.

When creating tests, always put the DCs behind the firewall in their own test group. Avoid making one Server Health test for all of the DCs. Instead, make one Server Health test for the DCs behind the firewall and another Server Health test for the DCs that are not behind the firewall. In this way, the Distributed Collector performs all the test executions and greatly reduces the number of ports that need to be open.
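The firewall openings described above can be expressed as host-based Windows Firewall rules scoped to the one peer that needs them, so that 9605 is reachable only from the Diagnostic Services host and the console ports are open only towards it. The PowerShell below is an added example and not the Quest guide's own code; it assumes Windows Firewall with Advanced Security (New-NetFirewallRule, available on Windows 8 / Windows Server 2012 and later), assumes the 9601/9602/9605 ports are TCP (the guide lists them without a protocol), and uses constructed host names.

```powershell
# Added example (not from the Quest guide): Windows Firewall rules for the
# firewalled Distributed Collector layout described in the section above.
# Assumptions: New-NetFirewallRule is available (Windows 8 / Server 2012 or later)
# and ports 9601/9602/9605 are TCP. Host names below are constructed placeholders.

$DiagnosticServicesHost = 'slad-diag.example.internal'       # runs DiagnosticTestEngineSLAD
$CollectorHost          = 'slad-collector.example.internal'  # Distributed Collector behind the firewall

function Resolve-HostAddress {
    # Firewall rules take addresses, not names; resolve once so each rule is
    # scoped to the peer host instead of "Any".
    param([string]$HostName)
    [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        Select-Object -First 1 -ExpandProperty IPAddressToString
}

function Add-CollectorFirewallRules {
    # Run on the Distributed Collector host behind the firewall:
    # inbound 9605 (test requests) only from Diagnostic Services,
    # outbound 9602 (test results) only to Diagnostic Services.
    param([string]$DiagHost)
    $diag = Resolve-HostAddress $DiagHost
    New-NetFirewallRule -DisplayName 'SLAD Collector - requests from Diagnostic Services (9605)' `
        -Direction Inbound -Protocol TCP -LocalPort 9605 -RemoteAddress $diag `
        -Action Allow -Profile Domain | Out-Null
    New-NetFirewallRule -DisplayName 'SLAD Collector - results to Diagnostic Services (9602)' `
        -Direction Outbound -Protocol TCP -RemotePort 9602 -RemoteAddress $diag `
        -Action Allow -Profile Domain | Out-Null
}

function Add-ConsoleFirewallRules {
    # Run on a Topology Viewer / Diagnostic Console host on the far side of the
    # firewall: outbound 9601 and 9602 to the Diagnostic Services host only.
    param([string]$DiagHost)
    $diag = Resolve-HostAddress $DiagHost
    New-NetFirewallRule -DisplayName 'SLAD Console - Diagnostic Services (9601, 9602)' `
        -Direction Outbound -Protocol TCP -RemotePort 9601, 9602 -RemoteAddress $diag `
        -Action Allow -Profile Domain | Out-Null
}

function Test-CollectorReachable {
    # Verification from the Diagnostic Services side once the rules are in place:
    # the collector should answer on 9605 and nothing else needs to be opened for it.
    param([string]$Collector)
    Test-NetConnection -ComputerName $Collector -Port 9605 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# Usage (run the function that matches the host you are on):
# Add-CollectorFirewallRules -DiagHost $DiagnosticServicesHost
# Add-ConsoleFirewallRules   -DiagHost $DiagnosticServicesHost
# Test-CollectorReachable    -Collector $CollectorHost
```

The rules are bound to the Domain profile only, so a collector host that drops off the domain network does not keep 9605 open on public or private networks.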


Distributed Collectors Deployed on Multiple Instances of Spotlight on Active Directory

You can deploy distributed collectors on networks that use multiple instances of Spotlight on Active Directory, that is, multiple instances of Diagnostic Services and databases.

Figure 5: Distributed Collectors deployed on multiple instances of Spotlight on Active Directory

Spotlight on Active Directory Server 1, using a default collector, collects data from three domain controllers (DCs) at Site 1. Spotlight on Active Directory Server 2, using a default collector, collects data from the DCs at Site 2. This install uses a distributed collector that is pushed onto Server 1 that manages the three DCs in Site 3. If you want Spotlight on Active Directory Server 1 to manage the DCs in Site 3 using a distributed collector, the distributed collector in Spotlight on Active Directory Server 2 cannot be reused. Spotlight on Active Directory Server 1 has to push another collector onto another server (Server 2). This server can start managing the DCs found in Site 3.


Collector Management Console

The Collector Management Console:

• installs collectors on host computers
• removes collectors from host computers
• assigns servers to collectors
• ensures no server is being serviced by more than one collector
• presents collector statistics
• allows you to specify distributed collectors to retrieve test data from a specific site or specific DCs to reduce the load on the central Diagnostic Services location

The automated collector installation feature uses the Windows Management Instrumentation (WMI) service to install distributed collectors. If this service is disabled, the distributed collector cannot be installed automatically, and the distributed collectors must be installed directly on the remote system from the Spotlight on Active Directory 6.8.1 Installation CD. You can use the Collector Management Console after Spotlight on Active Directory has been launched and the Active Directory forest has been discovered. Use distributed collectors when Diagnostic Services and the DCs being managed communicate over high latency network paths. This includes WANs and environments employing Quality of Service (QoS) policies, or when communication must go through specific firewall ports.

Diagnostic Services

Spotlight on Active Directory cannot be configured to use specific RPC ports, unless you are using distributed collectors. For more information on port configuration, refer to http://questsupportlink.quest.com/eSupport/Solution.asp?WAid=268449782&itemID=8987. ActiveX Data Objects (ADOs) are used to communicate with the database. SQL Server, by default, listens on port 1433, and ports 1024 to 5000 are open for outgoing communication. 1433 is the only port required for incoming communication (assuming the default port for SQL has not been changed).

All communication between the Spotlight on Active Directory Topology Viewer and Diagnostic Services occurs over ports 9601 and 9602. For more information on ports, see “Best Practices for Spotlight on Active Directory” on page 5.

Spotlight on Active Directory Diagnostic Console

Spotlight on Active Directory Diagnostic Console is a powerful diagnostic and resolution tool. Its unique user interface provides a real-time representation of the dataflow in your forest, allowing you to detect, diagnose, and resolve Active Directory problems. Calibration does not apply to Spotlight on Active Directory.


The Spotlight on Active Directory Diagnostic Console is designed to diagnose and resolve specific problems quickly. Once a problem is resolved, the Diagnostic Console should be closed to avoid excessive use of system resources. If you must run the Spotlight on Active Directory Diagnostic Console for an extended period of time, you should:

• set the number of server connections to a minimum
• decrease the polling frequency
• put the history setting low
• set the refresh rate high to avoid excessive memory consumption

To set the history option and refresh rate

1. Open the Spotlight on Active Directory Diagnostic Console, and connect to the domain controller whose history option you would like to set.
2. Select View | Options | Spotlight Console.
3. Click Data Collection in the Options bar.
4. Enter the appropriate history collection time and refresh rates.

Spotlight on Active Directory Web Reports

You should follow these best practices when installing and running Spotlight on Active Directory Web Reports:

• For a distributed Spotlight on Active Directory Web Reports installation, use SQL Server Authentication.

• In some instances, authentication errors may occur if Kerberos is not configured properly. The most common error is an access error as follows: "Unable to open database connection. (0x80040E4D: Unknown Error.)" To resolve this issue, see the Microsoft Knowledge Base article 326985, How To: Troubleshoot Kerberos, at http://support.microsoft.com/kb/326985.

• Spotlight on Active Directory Web Reports installation fails on Windows XP without service packs or hotfixes. The following error is received: "Error 1904 Module C:\Program Files\Common Files\Quest Shared\Web Reports\4.3\QSWebWizard.dll fail to register." To resolve this issue: a) Install Microsoft Windows XP SP2. b) Re-install Spotlight on Active Directory Web Reports.

Port Numbers The following port numbers can be used to install the various services of Spotlight on Active Directory. The services are grouped by component name. For more information on using Spotlight on Active Directory in environments with Firewalls, see “Distributed Collectors Deployed in a Firewalled Environment” on page 13.


COMPONENT NAME: Spotlight on Active Directory Front End (including Topology Viewer and Diagnostic Console)

    SERVICE NAME                              PORT NUMBERS
    Active Directory                          TCP 3269, TCP 3268, TCP 389, UDP 389, TCP 135
    Computer Browsing                         UDP 138, UDP 137, TCP 139
    DNS                                       UDP 53, TCP 53
    FRS                                       TCP 135
    Net Logon                                 UDP 138, UDP 137, TCP 445
    Performance Logs and Alerts               TCP 139
    Printing                                  TCP 139, TCP 445
    Registry                                  TCP 139
    Server Manager                            UDP 138, UDP 137, TCP 139, TCP 445
    SQL Server                                TCP 4133 - if default has not changed
    Communication with Diagnostic Services    9601, 9602

COMPONENT NAME: Diagnostic Services (including Default Collector)

    SERVICE NAME                              PORT NUMBERS
    SMTP                                      TCP 25, UDP 25
    Computer Browsing                         UDP 138, UDP 137, TCP 139
    DNS                                       UDP 53, TCP 53
    Net Logon                                 UDP 138, UDP 137, TCP 139, TCP 445
    SQL Server                                TCP 4133 - if default has not changed
    Communication with Front End              9601, 9602

COMPONENT NAME: Distributed Collector Services

    SERVICE NAME                              PORT NUMBERS
    Communication with Diagnostic Services    9602, 9605 (Note: 9605 is configurable.)
    Diagnostic Tests:
        Active Directory                      TCP 3269, TCP 3268, TCP 389, UDP 389, TCP 135
        Computer Browsing                     UDP 138, UDP 137, TCP 139
        DNS                                   UDP 53, TCP 53
        FRS                                   TCP 135
        Net Logon                             UDP 138, UDP 137, TCP 139, TCP 445
        Server Manager                        UDP 138, UDP 137, TCP 139, TCP 445
        Performance Logs and Alerts           TCP 139
        RPC                                   TCP 135
        SQL Server                            TCP 4133 - if default was not changed
        DFS                                   UDP 138, TCP 139, TCP 389, UDP 389, TCP 445, TCP 135
        Event Log                             TCP 135

Database Maintenance

Database maintenance occurs daily and is scheduled by default to purge test result data every 30 days. You can change the default.

To change the default

1. Open the Spotlight on Active Directory Topology Viewer.
2. Select Edit | Options | Database.
3. Enter a value in the Database retention box to reflect how often you would like to schedule database maintenance.


Appendix A Detailed Test Permissions

High Level Analysis Tests

TEST: Verify Server Health
    DETAILED PERMISSIONS:
    • Network Availability - Administrative rights; ICMP must be enabled.
    • Disk space - read access to the disks being tested.
    • Critical Services - read access to the Service Control Manager (SCM). Registry read access (as used by SCM) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
    • Performance Counters - registry read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
    • Directory Service Availability - LDAP and RPC connectivity. Ability to perform LDAP searches against the target domain controller.
    • Event Log - registry read access to HKLM\SYSTEM\CurrentControlSet\Services\EventLog. Disk read access to winnt\system32\config\*.evt.

TEST: Verify DNS Health
    DETAILED PERMISSIONS:
    • Verify Netlogon entries.
    • Verify partner Netlogon entries.
    • Verify PDC advertising.
    • Verify GC advertising.
    • Read access to %SystemRoot%\System32\Config\NetLogon.DNS file.
    • Verify zone existence (read registry access required).
    • Verify forwarder availability (read registry access required).
    Note: Verify zone existence and Verify forwarder availability apply to Microsoft DNS only.

TEST: Verify Directory Replication Health
    DETAILED PERMISSIONS: Read/Write access to the domain partition on the target domain controllers.

TEST: Verify File Replication Health
    DETAILED PERMISSIONS: Read/Write access to the disk that holds the SYSVOL share on the target domain.

TEST: Check GPO Synchronization
    DETAILED PERMISSIONS: Administrative rights to the PDC Emulator. Read access to the domain naming partition.

TEST: Verify Time Synchronization
    DETAILED PERMISSIONS:
    • Read access to the SYSVOL share on the target domain controller.
    • Read access to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time registry key on the target domain controller.


Directory Replication Analysis Tests

TEST: Find Replication Failures
    DETAILED PERMISSIONS: Administrative rights to the target domain controllers. This relies on RPC connectivity as well as read access to the directory.

TEST: Track Object Replication
    DETAILED PERMISSIONS: Read access to the directory (partition and OU vary with the test configuration).

TEST: Test Replication Links
    DETAILED PERMISSIONS: Administrative rights to the target domain controllers. This relies on RPC connectivity as well as read access to the directory.

DNS Tests

TEST: Check DNS Entries
    DETAILED PERMISSIONS: Read access to %SystemRoot%\System32\Config\NetLogon.DNS file.

TEST: Check Partners’ DNS Entries
    DETAILED PERMISSIONS: Read access to %SystemRoot%\System32\Config\NetLogon.DNS file on all replication partners.

File Replication Tests

TEST: Confirm File Presence
    PERMISSIONS: Disk read access to the file selected when configuring the test.

TEST: Check NTFRS Status
    PERMISSIONS: Read access to the Service Control Manager. Registry read access (as used by the SCM) to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion.

Time Synchronization Tests

TEST: Check W32Time Differential
    PERMISSIONS: Domain User access.

TEST: Check W32Time Parent Synchronization
    PERMISSIONS: Domain User access. Read registry access to the target domain controller (not the time parent).

TEST: Check W32Time Status
    PERMISSIONS: Read access to the SCM. Registry read access (as used by the SCM) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
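The permission tables in this appendix name the exact resources each analysis test reads on a target domain controller: ICMP, the Service Control Manager, a handful of registry keys, the SYSVOL share, NetLogon.DNS and an LDAP search. The PowerShell below is an added pre-flight check, not code from the Quest guide: run it under the Diagnostic Services service account against one DC before scheduling tests, and any row that reports False tells you which test will fail and which permission is missing. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName), the Remote Registry service running on the DC, and a constructed DC host name; the "Windows NT\CurrentVersion" key is the standard Windows key the guide's WindowsNT\CurrentVersion entry refers to.

```powershell
# Added example (not from the Quest guide): verify, as the Diagnostic Services
# service account, the read access that Appendix A lists for the analysis tests.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName), the Remote Registry
# service running on the DC, and admin shares enabled. Host name is a constructed placeholder.

$TargetDC = 'dc01.example.internal'

function Test-RegistryReadAccess {
    # Remote, read-only open of one HKLM subkey, as the Critical Services, Performance
    # Counters, Event Log, NTFRS and W32Time tests do. Returns $false on missing key or access denied.
    param([string]$ComputerName, [string]$SubKey)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey($SubKey, $false)   # $false = do not request write access
        $ok   = $null -ne $key
        if ($key) { $key.Close() }
        $hklm.Close()
        return $ok
    } catch { return $false }
}

function Test-SladTestPrerequisites {
    param([string]$ComputerName)
    $results = @()

    # Network Availability: ICMP must be enabled and the DC reachable.
    $results += [pscustomobject]@{ Check = 'ICMP reachable'
                                   Ok    = [bool](Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) }

    # Critical Services / Check W32Time Status: read access to the Service Control Manager.
    $results += [pscustomobject]@{ Check = 'SCM readable (W32Time service)'
                                   Ok    = [bool](Get-Service -ComputerName $ComputerName -Name W32Time -ErrorAction SilentlyContinue) }

    # Registry keys named in Appendix A (HKLM-relative paths).
    $keys = [ordered]@{
        'Services (SCM)'         = 'SYSTEM\CurrentControlSet\Services'
        'Event Log'              = 'SYSTEM\CurrentControlSet\Services\EventLog'
        'W32Time'                = 'SYSTEM\CurrentControlSet\Services\W32Time'
        'Performance Counters'   = 'SOFTWARE\Microsoft\Windows'
        'NTFRS (Windows NT key)' = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    }
    foreach ($name in $keys.Keys) {
        $results += [pscustomobject]@{ Check = "Registry read: $name"
                                       Ok    = Test-RegistryReadAccess $ComputerName $keys[$name] }
    }

    # File Replication / Time Synchronization read SYSVOL; the DNS tests read NetLogon.DNS
    # under %SystemRoot%, reached here through the admin$ share.
    $results += [pscustomobject]@{ Check = 'SYSVOL share readable'
                                   Ok    = Test-Path "\\$ComputerName\SYSVOL" }
    $results += [pscustomobject]@{ Check = 'NetLogon.DNS readable'
                                   Ok    = Test-Path "\\$ComputerName\admin$\System32\Config\NetLogon.DNS" }

    # Directory Service Availability: an LDAP search against the target DC.
    try {
        $rootDse = [ADSI]"LDAP://$ComputerName/RootDSE"
        $results += [pscustomobject]@{ Check = 'LDAP search (RootDSE)'; Ok = [bool]$rootDse.defaultNamingContext }
    } catch {
        $results += [pscustomobject]@{ Check = 'LDAP search (RootDSE)'; Ok = $false }
    }

    return $results
}

Test-SladTestPrerequisites -ComputerName $TargetDC | Format-Table -AutoSize
```

Because every check is read-only, the script is safe to re-run after each permission change and doubles as a record of what the service account can actually reach.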


Appendix B Frequently Asked Questions and Troubleshooting

How do I launch Native Tools from the Assistant Pane on 64 bit operating systems?

To launch Native Tools from the Assistant Pane on 64 bit operating systems

1. Go to Program Files | Quest Software | Spotlight on Active Directory.
2. Rename the file Tools64.xml to Tools.xml.

Native Tools are launched under the account of the user running the Spotlight on Active Directory Topology Viewer. If you are installing Spotlight on Active Directory on a Windows 2003 32 bit member server, you must install an administration tools pack so the Native Tools will work. Otherwise, if you launch the native tools, you will get an error saying the files for the tools cannot be found. These files are not installed on the computer until after the administration tools pack is installed. To install the Windows 2003 Administration Tools Pack, see http://www.microsoft.com/downloads/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en. The Windows Server 2003 Administration Tools Pack (adminpak.msi) is not available on 64 bit versions of Windows. To remotely administer servers from a computer running a 64 bit version of Windows, use Remote Desktop or the Windows Management Instrumentation Command-line (WMIC).

How often should I run analysis tests?

Test Group execution frequency is best determined by looking at the test you wish to run and the number of DCs you are monitoring. For example, you can break the Server Health test up into 3 parts:

• Availability (Network Availability and Critical Services) is the highest priority and requires the least amount of time to verify.
• Resources (Directory Responsiveness and Disk Space Usage) have more overhead and should be executed less frequently.
• Error Monitoring (Performance Counters and Event Logs\Lingering Objects) has the most overhead and the data does not change frequently (or, in the case of Performance Counters, is averaged over the course of the day).

If you want to increase the frequency of the tests being run, break test groups up into smaller groupings. Avoid running a single Server Health test against 120 Domain Controllers. Instead, run a Server Health test against six groups of 20 Domain Controllers. See pages 10, 12, and 14 of this guide for more information.

Do tests still run even when I am logged off? Analysis tests are executed using the Distributed Collector service, as long as the Diagnostic Services host computer is running and the Diagnostic services (running the tests) are executing according to their schedule. For information on what the Diagnostic Services include, see Installation Components of the Spotlight on Active Directory Quick Start Guide.


Does Spotlight on Active Directory require an agent to gather the information? Spotlight on Active Directory does not require an agent on a domain controller (DC). All information is gathered using RPC calls and Admin shares.


How do I migrate the database from a SQL Server 2000 instance to a SQL Server 2005 instance? Refer to the Microsoft Knowledge Base articles on backing up, detaching and moving a database, then perform the following procedure on the Spotlight on Active Directory console. If the connection strings edited below use a SQL Server login rather than Windows authentication, that login must also exist on the new instance.

To migrate the Spotlight on Active Directory database from SQL 2000 to a SQL 2005 instance

1. Stop the following services: DataManagerSLAD, DiagnosticTestEngineSLAD and Distributed Collector.

2. Change the following registry entry to the new host name of the SQL Server: HKEY_LOCAL_MACHINE\Software\Quest Software\Spotlight on Active Directory\DbServerName | DatabaseServerName.

3. Change the "ImagePath" string of the two Spotlight on Active Directory services so that it points to the new database host. In each of the following keys the ImagePath string value contains the database connection string; change only the "Data Source" in that connection string:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DataManagerSLAD
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagnosticTestEngineSLAD
   Export both keys before editing them. ImagePath is also the command the Service Control Manager executes, so a malformed value prevents the service from starting at all.

4. Add the same database connection string to the scheduled tasks Directory Objects Collector, SLAD - Purge Counter Values and Refresh SLAD Discovery by right-clicking each task and selecting Properties. The tasks must be updated on the Diagnostic Services host and on all Console hosts (not all tasks are present on Console-only installs).

For Web Reports

1. Change the following file so that it points to the new SQL Server and database, and uses new credentials if required: C:\Program Files\Quest Software\Spotlight On Active Directory\WebReports.UDL

2. Change the following registry key to point to the new SQL Server host name: HKLM\Software\Quest Software\SpotlightOnAD\ClientDB.

3. Start the DataManagerSLAD, DiagnosticTestEngineSLAD and Distributed Collector services.
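The procedure above, scripted, as an added example that is not part of the guide and is not a Quest-supplied tool. It assumes PowerShell 2.0 or later, that the service, registry value, scheduled task and UDL names are exactly the ones the guide quotes, and that the instance name passed in $NewServer is replaced with your own; on 64-bit Windows the Spotlight key may live under Software\Wow6432Node, in which case $appKey and $webKey need adjusting. The scheduled tasks (step 4) are only checked, not rewritten, because the guide's method for them is the task's Properties dialog.

```powershell
# Added example, not a Quest-supplied script: repoint Spotlight on Active Directory at
# the new SQL Server instance once the database has been restored there. Run it from an
# elevated PowerShell (2.0 or later) on the Diagnostic Services host, then on each
# Console host. Assumed values: the names below are the ones the guide quotes, and
# $NewServer is your new instance. On 64-bit Windows the Spotlight keys may sit under
# Software\Wow6432Node; adjust $appKey and $webKey if so.
param([Parameter(Mandatory = $true)][string]$NewServer)   # e.g. 'SQL2005HOST\SQLEXPRESS' (placeholder)

$services = 'DataManagerSLAD', 'DiagnosticTestEngineSLAD', 'Distributed Collector'
$svcRoot  = 'SYSTEM\CurrentControlSet\Services'
$appKey   = 'Software\Quest Software\Spotlight on Active Directory'
$webKey   = 'Software\Quest Software\SpotlightOnAD'
$udl      = 'C:\Program Files\Quest Software\Spotlight On Active Directory\WebReports.UDL'
$tasks    = 'Directory Objects Collector', 'SLAD - Purge Counter Values', 'Refresh SLAD Discovery'
$backup   = Join-Path $env:TEMP ('slad-migrate-' + (Get-Date -Format 'yyyyMMddHHmmss'))

# Raw registry access: Get-ItemProperty expands %variables% in REG_EXPAND_SZ values, and
# writing that back would silently alter ImagePath. These helpers keep the value kind.
function Get-RegString([string]$SubKey, [string]$Name) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if (-not $k) { return $null }
    try { $k.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames) }
    finally { $k.Close() }
}
function Set-RegString([string]$SubKey, [string]$Name, [string]$Value) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    try { $k.SetValue($Name, $Value, $k.GetValueKind($Name)) } finally { $k.Close() }
}
# Rewrites only the Data Source= token of a connection string; Initial Catalog, credentials
# and everything else stay untouched. A MatchEvaluator keeps $Server out of regex syntax.
function Set-DataSource([string]$ConnectionString, [string]$Server) {
    $sb = { param($m) $m.Groups[1].Value + $Server }.GetNewClosure()
    return [regex]::Replace($ConnectionString, '(?i)(Data Source\s*=\s*)[^;"]*',
        [System.Text.RegularExpressions.MatchEvaluator]$sb)
}

# 1. Stop the services (they read the connection string at start-up). No services found
#    means a Console-only host, where only the task check applies.
$found = Get-Service | Where-Object { $services -contains $_.Name -or $services -contains $_.DisplayName }
$found | Stop-Service -Force

# 2. Export every key about to change. ImagePath is also the command the Service Control
#    Manager runs, so a malformed value stops the service from starting; "reg import" of
#    these files undoes the change.
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($sub in "$svcRoot\DataManagerSLAD", "$svcRoot\DiagnosticTestEngineSLAD", $appKey, $webKey) {
    & reg.exe export "HKLM\$sub" (Join-Path $backup ((($sub -split '\\')[-1]) + '.reg')) /y 2>$null | Out-Null
}

# 3. Database host name read by the console and services. The guide lists the value as
#    "DbServerName | DatabaseServerName", so use whichever name the key actually holds.
$k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($appKey)
if ($k) {
    $dbValue = @('DbServerName', 'DatabaseServerName') | Where-Object { $k.GetValueNames() -contains $_ } | Select-Object -First 1
    $k.Close()
    if ($dbValue) { Set-RegString $appKey $dbValue $NewServer }
}

# 4. ImagePath of the two services carries the connection string; change its Data Source only.
foreach ($svc in 'DataManagerSLAD', 'DiagnosticTestEngineSLAD') {
    $old = Get-RegString "$svcRoot\$svc" 'ImagePath'
    if (-not $old) { continue }
    $new = Set-DataSource $old $NewServer
    if ($new -eq $old) { throw "No 'Data Source=' token in ImagePath of $svc; inspect the value by hand." }
    Set-RegString "$svcRoot\$svc" 'ImagePath' $new
}

# 5. Scheduled tasks: report the ones whose command line still names another server, so
#    they can be corrected from the task's Properties dialog as the guide describes.
foreach ($task in $tasks) {
    $info = & schtasks.exe /Query /TN $task /FO LIST /V 2>$null
    $line = $info | Where-Object { $_ -like 'Task To Run:*' } | Select-Object -First 1
    if (-not $line) { Write-Host "Task '$task' is not present on this host"; continue }
    $run = ($line -split ':', 2)[1].Trim()
    if ((Set-DataSource $run $NewServer) -ne $run) { Write-Warning "Task '$task' still points elsewhere: $run" }
}

# 6. Web Reports: WebReports.UDL (Data Link files are UTF-16; Get-Content honours the BOM and
#    -Encoding Unicode writes it back the same way) and the ClientDB value. If the UDL uses a
#    SQL login, set the new password through the file's Data Link Properties dialog.
if (Test-Path $udl) {
    $lines = Get-Content -Path $udl | ForEach-Object { Set-DataSource $_ $NewServer }
    Set-Content -Path $udl -Value $lines -Encoding Unicode
}
if (Get-RegString $webKey 'ClientDB') { Set-RegString $webKey 'ClientDB' $NewServer }

# 7. Bring the services back.
$found | Start-Service
```

If step 4 throws, the services are left stopped on purpose: inspect the exported .reg files and the ImagePath value before starting them, rather than starting a service whose connection string you have not verified.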

How do I move Spotlight on Active Directory from one server to another? Can I keep my settings? The Spotlight on Active Directory database contains all of the configuration data for your Spotlight on Active Directory installation, so if you move your database, the configuration moves with it. The procedure depends on where your database is installed.

If your components (including the database) are on one host computer

1. Back up your database.

2. Restore the database on the new host computer.

3. Uninstall Spotlight on Active Directory from the old host computer.

4. Install Spotlight on Active Directory on the new host computer.

If the database resides on a separate computer

1. Uninstall Spotlight on Active Directory from the old host computer.

2. Install Spotlight on Active Directory on the new host computer.

You can redirect the Spotlight on Active Directory Topology Viewer to the new location the next time you launch it.
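The backup and restore steps of the first procedure above (and the "backup and move" that the previous question refers to the Microsoft Knowledge Base for), as an added example; this is not Quest tooling, and the guide does not name the database. It assumes PowerShell 2.0 or later, Windows authentication on both instances with an account that may back up and restore, and that $Database, the two instance names, the backup share and the target data directory are replaced with your own values (the ones shown are placeholders).

```powershell
# Added example, not Quest tooling: carry the Spotlight on Active Directory database, and
# with it the configuration, to the new host with BACKUP and RESTORE. All parameter
# defaults are placeholders; the guide does not fix the database name.
param(
    [string]$OldInstance = 'OLDHOST',                                   # old SQL Server instance
    [string]$NewInstance = 'NEWHOST\SQLEXPRESS',                        # new SQL Server instance
    [string]$Database    = 'SpotlightAD',                               # Spotlight database name on your instance
    [string]$BackupFile  = '\\NEWHOST\DbMove\SpotlightAD.bak',          # share both SQL Server service accounts can reach
    [string]$DataDir     = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data'  # data directory of the new instance
)

# Runs one statement against the master database of an instance. With -Query the result
# set is returned as a DataTable (the leading comma stops PowerShell unrolling it into rows).
function Invoke-Sql([string]$Instance, [string]$Sql, [switch]$Query) {
    $cn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=$Instance;Initial Catalog=master;Integrated Security=SSPI"
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.CommandTimeout = 0      # BACKUP and RESTORE easily outlive the 30-second default
        if ($Query) {
            $dt = New-Object System.Data.DataTable
            $dt.Load($cmd.ExecuteReader())
            return ,$dt
        }
        [void]$cmd.ExecuteNonQuery()
    } finally { $cn.Close() }
}
# Names and paths go into T-SQL quoted, never pasted raw.
function ConvertTo-SqlIdentifier([string]$Name) { '[' + $Name.Replace(']', ']]') + ']' }
function ConvertTo-SqlLiteral([string]$Value)   { "N'" + $Value.Replace("'", "''") + "'" }

$db  = ConvertTo-SqlIdentifier $Database
$bak = ConvertTo-SqlLiteral $BackupFile

# 1. Full backup on the old instance. The file is written by that instance's service
#    account, so the path must be writable by it and readable by the new instance.
Invoke-Sql $OldInstance "BACKUP DATABASE $db TO DISK = $bak WITH INIT"

# 2. Read the logical file names out of the backup on the new instance and build MOVE
#    clauses so the data and log files land in the new instance's data directory.
$files = Invoke-Sql $NewInstance "RESTORE FILELISTONLY FROM DISK = $bak" -Query
$moves = foreach ($f in $files.Rows) {
    $target = Join-Path $DataDir (Split-Path -Leaf $f.PhysicalName)
    "MOVE $(ConvertTo-SqlLiteral $f.LogicalName) TO $(ConvertTo-SqlLiteral $target)"
}
# No REPLACE: if a database of that name already exists on the new instance, fail and look.
Invoke-Sql $NewInstance "RESTORE DATABASE $db FROM DISK = $bak WITH $($moves -join ', ')"

# 3. Confirm the database is online on the new engine.
$state = Invoke-Sql $NewInstance "SELECT state_desc, compatibility_level FROM sys.databases WHERE name = $(ConvertTo-SqlLiteral $Database)" -Query
foreach ($row in $state.Rows) {
    "{0} on {1}: {2}, compatibility level {3}" -f $Database, $NewInstance, $row.state_desc, $row.compatibility_level
}
```

If the Spotlight services connect with a SQL Server login rather than Windows authentication, create that login on the new instance before starting the services and map the restored database user to it (sp_change_users_login with the Auto_Fix option); otherwise the users inside the restored database are orphaned and the services cannot log in.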


Why do some Web Reports show no data? Web Reports will not show data until the analysis test (that provides the data) is run. The individual web reports inform you which test you need to execute to obtain data.

How do I perform a distributed installation? See “Distributed Collectors” on page 11 to perform a distributed installation.

How do I correct a faulty installation or configuration of Web Reports? You can use the ASP.NET utility aspnet_regiis. This command-line utility is found in a path such as C:\WINDOWS\Microsoft.NET\Framework\v1.1.nnnn\, where nnnn represents a four-digit build number.

To correct a faulty installation or configuration of Web Reports

1. Look under the directory with the highest version number.

2. Run the utility with the /i switch: aspnet_regiis /i

To run 32-bit ASP.NET 2.0 on a 64-bit server

1. Click Start | Run and type cmd.

2. Click OK.

3. Type the following command to enable 32-bit mode (this is a server-wide IIS 6 setting; every application pool on the server switches to 32-bit, not only Web Reports): cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

4. Type the following command to install the 32-bit version of ASP.NET 2.0 and its script maps at the IIS root and below: %SYSTEMROOT%\Microsoft.NET\Framework\v2.0.40607\aspnet_regiis.exe -i
   Make sure that the status of ASP.NET version 2.0.40607 (32 bit) is set to Allowed in the Web Service Extensions list in Internet Information Services (IIS) Manager.

To run 64-bit ASP.NET 2.0 on a 64-bit server

1. Click Start | Run and type cmd.

2. Click OK.

3. Type the following command to disable 32-bit mode: cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0

4. Type the following command to install the 64-bit version of ASP.NET 2.0 and its script maps at the IIS root and below: %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.40607\aspnet_regiis.exe -i
   Make sure that the status of ASP.NET version 2.0.40607 is set to Allowed in the Web Service Extensions list in Internet Information Services (IIS) Manager.

The build version of ASP.NET 2.0 may differ depending on the currently released build; these steps are for build version 2.0.40607. Substitute the build directory that actually exists on your server.
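The two ASP.NET 2.0 procedures above, combined into one script as an added example (not from Quest). It assumes Windows Server 2003 with IIS 6, so adsutil.vbs is in %SystemDrive%\inetpub\adminscripts, and PowerShell 2.0 or later; the build directory name is discovered at run time rather than assumed, which is why the 2.0.40607 build number does not appear in it.

```powershell
# Added example, not a Quest script: register the newest installed ASP.NET 2.0 build with
# IIS 6 in the bitness the Spotlight Web Reports need, and show the result. Assumes Windows
# Server 2003 / IIS 6 (adsutil.vbs under %SystemDrive%\inetpub\adminscripts) and
# PowerShell 2.0+. The build directory (v2.0.xxxxx) is discovered, not hard-coded.
param([switch]$Use32Bit)   # on an x64 server, register the 32-bit ASP.NET instead of the 64-bit one

$adsutil = Join-Path $env:SystemDrive 'inetpub\adminscripts\adsutil.vbs'
# A 32-bit PowerShell on x64 reports x86 in PROCESSOR_ARCHITECTURE, so check both variables.
$is64 = ($env:PROCESSOR_ARCHITECTURE -ne 'x86') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
$fw   = if ($is64 -and -not $Use32Bit) { 'Framework64' } else { 'Framework' }

# Newest v2.0.* directory that really contains aspnet_regiis.exe.
$build = Get-ChildItem (Join-Path $env:SystemRoot "Microsoft.NET\$fw") |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'v2.0.*' -and (Test-Path (Join-Path $_.FullName 'aspnet_regiis.exe')) } |
    Sort-Object { [version]$_.Name.Substring(1) } -Descending |
    Select-Object -First 1
if (-not $build) { throw "No ASP.NET 2.0 build found under Microsoft.NET\$fw" }
$regiis = Join-Path $build.FullName 'aspnet_regiis.exe'

# IIS 6 runs every application pool in one bitness: Enable32bitAppOnWin64 is a server-wide
# switch, so flipping it affects all sites on the server, not only Web Reports.
if ($is64) {
    $flag = if ($Use32Bit) { 1 } else { 0 }
    & cscript.exe //nologo $adsutil SET W3SVC/AppPools/Enable32bitAppOnWin64 $flag
}

# -i installs this version and rewrites the script maps of every existing application to
# it; -enable also sets the ASP.NET Web service extension to Allowed in IIS Manager, which
# is the status the guide tells you to confirm. Use -ir instead of -i to register the
# version without touching other applications' script maps.
& $regiis -i -enable

# Show what is installed now; the entry for this build should read "Valid".
& $regiis -lv
if ($is64) { & cscript.exe //nologo $adsutil GET W3SVC/AppPools/Enable32bitAppOnWin64 }
```

Run it as `.\register-aspnet.ps1 -Use32Bit` for the 32-bit case and without the switch for the 64-bit case; on a 32-bit server the adsutil step is skipped because the setting does not exist there.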


Why do some statistics differ from the information from the Spotlight on Windows drilldown? When you drill down from the Operating System panel at the bottom of the Spotlight on Active Directory home page, you may find that the statistics (such as the Total CPU Usage and Physical RAM) differ from the information provided by the Spotlight on Windows drilldown. The discrepancy occurs because Spotlight on Active Directory and Spotlight on Windows are obtaining the information at different intervals over the polling periods.

How do I execute tests, using the Collector Management Console, if I have an invalid port? The Collector Management Console requires Microsoft Management Console (MMC) 3.0, which can be installed on Windows XP and Windows Server 2003 only. On a Windows 2000 platform you can install the Collector Management Console, but you cannot run it. If you change a Distributed Collector to listen on an invalid port, or on one already bound by another service (such as port 80 on a host running IIS), the Collector is no longer reachable from the Collector Management Console and does not execute tests. Set the port back to 9605 as follows.

To execute tests

1. Go to Quest Software | Common Files | Distributed Collectors.

2. Double-click CollectorConfiguration.exe. The Collector Configuration dialog box opens.

3. Enter 9605 in the Listening Port box.

How do I enable remote connections on SQL Server 2005 Express? By default, remote connections are disabled for SQL Server 2005 Express. They must be enabled in order to install Diagnostic Services on a different computer than the one hosting the Spotlight on Active Directory database. Enabling them exposes the instance on the network, so restrict the opened port in Windows Firewall to the Diagnostic Services host. A named instance such as SQLEXPRESS listens on a dynamic TCP port, so the SQL Server Browser service (UDP 1434) must also be reachable from that host, or a fixed TCP port must be configured for the instance.

To enable remote connections

1. Open the SQL Server 2005 Surface Area Configuration tool.

2. Click Surface Area Configuration for Services and Connections.

3. Expand Database Engine, click Remote Connections, click Local and Remote Connections, click the appropriate protocol for your environment, and then click Apply. Click OK when you receive the following message: Changes to Connection Settings will not take effect until you restart the Database Engine service.

4. Expand Database Engine, click Service, click Stop, wait until the MSSQLSERVER service (MSSQL$SQLEXPRESS for a named SQLEXPRESS instance) stops, and then click Start to restart it.

For more information, see http://support.microsoft.com/kb/914277.
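A check for the result of this procedure, as an added example (not from the guide or from Microsoft): run it on the Diagnostic Services host to confirm that the SQL Server 2005 Express instance accepts remote connections and, when it does not, to tell apart the usual causes. It assumes PowerShell 2.0 or later and Windows authentication; the instance name DBHOST\SQLEXPRESS is a placeholder. The UDP query it sends is the SQL Server Resolution Protocol request that SQL Server clients themselves use to find a named instance's port.

```powershell
# Added example, not from the guide: prove that the Spotlight database instance accepts
# remote connections from this host, and say which layer fails when it does not.
# Assumes PowerShell 2.0+ and Windows authentication; the instance name is a placeholder.
param([string]$DataSource = 'DBHOST\SQLEXPRESS')

# SQL Server 2005 Express installs as a named instance on a dynamic TCP port; clients learn
# that port from the SQL Server Browser service over UDP 1434 (SSRP: 0x04 + instance name
# + NUL; the reply is 0x05, a 2-byte length, then "ServerName;...;tcp;<port>;;").
# Returns $null when nothing answers or the reply carries no tcp entry.
function Get-SqlBrowserTcpPort([string]$Server, [string]$Instance, [int]$TimeoutMs = 3000) {
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $req = [byte[]](@(0x04) + [System.Text.Encoding]::ASCII.GetBytes($Instance) + @(0x00))
        [void]$udp.Send($req, $req.Length, $Server, 1434)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
        $text = [System.Text.Encoding]::ASCII.GetString($resp, 3, $resp.Length - 3)
        if ($text -match 'tcp;(\d+);') { return [int]$matches[1] }
        return $null
    } catch { return $null } finally { $udp.Close() }
}

function Test-SqlRemote([string]$DataSource) {
    $server, $instance = $DataSource -split '\\', 2
    # Default instance: fixed port 1433. Named instance: ask SQL Browser.
    $port = if ($instance) { Get-SqlBrowserTcpPort $server $instance } else { 1433 }
    if (-not $port) {
        return "No answer from SQL Browser on $server for instance '$instance': the SQL Server Browser " +
               "service is stopped, UDP 1434 is filtered, or TCP/IP is still disabled for the instance. " +
               "Fix that, or assign a fixed TCP port and connect as '$server,<port>'."
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($server, $port) }
    catch { return "TCP port $port on $server is refused or filtered; open it in Windows Firewall for this host only." }
    finally { $tcp.Close() }

    $cn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=$DataSource;Integrated Security=SSPI;Connect Timeout=10"
    try {
        $cn.Open()
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)), SUSER_SNAME()"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        return "OK: $DataSource (TCP $port) is SQL Server $($r.GetString(0)); connected as $($r.GetString(1))"
    } catch [System.Data.SqlClient.SqlException] {
        return "Transport works but the login failed ($($_.Exception.Message)); grant this account access on the instance."
    } finally { $cn.Close() }
}

Test-SqlRemote $DataSource
```

Run it under the account the Diagnostic Services will use, not your own: the last check only proves something about the account that performed it.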

What rights do I need to run this application? You need Administrator rights to run Spotlight on Active Directory, because information is gathered through RPC calls and Admin shares, and Admin share access is available to Administrators only. The account therefore holds administrative rights on every domain controller it monitors, so treat its credentials as privileged.


How do I license Spotlight on Windows? Spotlight on Windows is licensed at the same time Spotlight on Active Directory is licensed.

After installing Spotlight on Exchange Diagnostic Console 5.8 on top of Spotlight on Active Directory Diagnostic Console 6.8, why can I no longer make Spotlight on Windows connections to servers? A previous version of the Spotlight on Windows template may prevent you from launching a Spotlight on Windows connection. This may happen when another Spotlight application that includes a previous version of Spotlight on Windows (for example, Spotlight on Exchange or Spotlight on SQL Server) has been installed on top of this version. In this event, copy the backup template from ..\Spotlight\Plug-ins\SoW\SoW Default.stx to ..\Spotlight\Console\Templates\SoW.stx. This problem does not occur if you are installing Spotlight on Windows on top of a current Spotlight application.

The Time Period column of the Authentications Hourly Report is showing 00:00 as the time value. How do I fix this?

To fix this issue

1. Open SQL Server Management Studio.

2. Connect to the Spotlight on Active Directory database on the designated host.

3. Open WRDefaultValues.sql.

4. Click Execute.

The Directory Replication Health Test sometimes does not populate the table in the test results. How do I fix this?

To fix this issue

• Launch Active Directory Sites and Services (the native Microsoft tool) to confirm that your connection has not timed out and that you have sufficient domain administrative permissions.

Third Party Contributions

Spotlight on Active Directory 6.8.1 contains some third party components (listed below). Copies of their licenses may be found on our website at http://www.quest.com/legal/third-party-licenses.aspx.

COMPONENT             LICENSE OR ACKNOWLEDGEMENT
Blowfish v2           MIT 1.0
Indy Sockets 9.0.1    Mozilla Public License (MPL) 1.1
ZipMaster 1.78        GNU Lesser General Public License v2.1
Zlib                  zlib 1.2.3


About Quest Software Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

Email: [email protected]
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com. From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase
• Download the latest releases and service packs
• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies and procedures. The guide is available at: http://support.quest.com.