Software to ensure a solid AD

Most Windows NT systems administrators haven't had much exposure to Windows 2000's Active Directory (AD). After you start to evaluate or deploy Win2K Server, you'll discover the importance of AD. Problems that are minor in an NT 4.0 network, such as downed servers or DNS name-resolution difficulties, can be debilitating in an AD environment. To help you manage your AD infrastructure, NetPro developed DirectoryAnalyzer 1.04, software that monitors, troubleshoots, and alerts you to problems with critical AD services.

The Sum of the Parts
DirectoryAnalyzer is made up of four components: Enterprise Agent, Site Agent, DC Agent, and Client. Enterprise Agent runs on one system in your enterprise and monitors domain, tree, and forestwide conditions. It collects alerts (i.e., notifications of possible problem-causing conditions) from Site Agent systems to generate warning notifications and display status information on the Client system. Site Agent resides on one domain controller within a site. Site Agent monitors site-level conditions and collects alerts and additional information from DC Agent systems to pass on to the Enterprise Agent system. DC Agent, which runs on every domain controller in the enterprise, monitors for alert conditions on the domain controller on which DC Agent is installed and passes alerts to the Site Agent system. Client is the user interface (UI) for all DirectoryAnalyzer operations.

To test DirectoryAnalyzer, I custom-built three Win2K Server systems. I configured two of the servers, CORP and ADC, as domain controllers and the third server, EADAC, as a member server. To install the software, I followed the Installation Guide, which accompanied the Administrator's Guide in a three-ring binder. I inserted the distribution CD-ROM into the EADAC server and chose the complete setup option. This option installs both the Client component and the Distribution Wizard, which lets you push DirectoryAnalyzer component installations to other systems.

After the installation was complete, Client automatically launched the Distribution Wizard, which presented a list of options that included installing the software for the first time, modifying the existing installation, and removing the software from any or all of the systems in the enterprise. Because I chose the first option, the wizard analyzed my current AD environment and formulated an appropriate DirectoryAnalyzer configuration scheme. The wizard then prompted me for a license file, which NetPro provides on a 3.5" disk.

Next, the system presented an agent configuration screen, which listed my enterprise's servers with two check boxes next to each server. Selecting the DC Agent check box specifies that the server is a DC Agent, and selecting both the DC Agent and Site Agent check boxes specifies that the server is a Site Agent. Next to the CORP server listing, I selected both check boxes to make the server a Site Agent, and next to the ADC server I selected only the DC Agent check box. After I clicked Next, the software asked me to specify which system would act as Enterprise Agent. To be Enterprise Agent, a system must run Win2K Server and be configured as a member server. I used EADAC as both Enterprise Agent and Client.

After I specified my servers' roles, the software asked whether I wanted the program to modify my AD schema. The schema modification is necessary only if you want to monitor replication latency. I chose to allow the modification. Next, the software prompted me to configure SNMP integration for DirectoryAnalyzer. I chose not to integrate the software's alerts with the Win2K SNMP service. The Distribution Wizard then compiled a list of operations it needed to perform according to my configuration selections, verified connectivity to the affected computers, and performed the necessary actions in about 1 minute.

The Client Component
After the Distribution Wizard finished, the software presented me with the Client interface, which Figure 1, page 132, shows. (By default, Client displays the Enterprise Current Alerts window.) Client is composed of a vertical taskbar and a data-display window. For operations that require browsing, Client presents a site navigation bar between the taskbar and data-display window. The taskbar contains four main categories—View Status, Browse Directory, Troubleshoot, and Configure—and subcategories that allow for flexible AD analysis.

Monitoring Alert Status
Client's Enterprise Current Alerts window showed all my enterprise's existing alerts. Alerts can relate to a wide range of problems, such as replication, Lightweight Directory Access Protocol (LDAP), DNS, and Flexible Single Master Operation (FSMO) problems. Each alert includes information about status, type, name, start time, and description. The status can be Warning or Critical; the type can be domain, naming context, replication server, or site; and the name is the name of the server that has the alert condition.

When I opened Client, the UI displayed several alerts for conditions that existed in my AD. The first two alerts were related to low disk space on CORP. The third alert notified me that the cache-hit ratio was below ADC's threshold. For more detail about this alert, I right-clicked the alert. Nothing happened, so I double-clicked the alert. This action opened a details window that provided more information about the alert. In this window, I clicked More Info. The resulting dialog box offered an extended description of the alert and suggested methods for resolving the condition that caused the alert. The solution information comes from DirectoryAnalyzer's built-in knowledge base, which will be a helpful feature for AD newbies.

Configuring Alerts and Statistics
You can customize the settings for alerts and for gathered statistics at either the global level or the object level. To access an individual alert's settings, highlight the alert in the data-display window and click Set Object Configuration in the Alert settings menu. Individual alert settings override global settings.

To view and modify global alert settings, select DC Configuration, DNS Configuration, or Domain Configuration from the Enterprise Configuration window. Configurable items include DC Server, DNS Server, and Domain. Within each item's alert configuration screen, you can set the thresholds for Warning and Critical status and the amount of time that a condition must exist before it triggers an alert. You can also adjust the sampling rate DirectoryAnalyzer uses to gather statistics for individual AD components.
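The threshold, hold-time, and override behavior described above can be sketched as follows. This is an added example, not DirectoryAnalyzer's code: the metric name, threshold values, sampling interval, and function names are assumptions, and only the server names CORP and ADC come from the test lab in this review.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AlertSetting:
    warning: float            # value at which the condition counts as Warning
    critical: float           # value at which the condition counts as Critical
    hold_seconds: int         # how long the condition must exist before alerting
    low_is_bad: bool = True   # True for metrics such as free disk space

# Global settings per metric (constructed values, not the product's defaults).
GLOBAL = {"free_disk_pct": AlertSetting(warning=20, critical=10, hold_seconds=300)}
# Object-level overrides keyed by (server, metric); these win over GLOBAL.
OVERRIDES = {("CORP", "free_disk_pct"): {"hold_seconds": 120}}

# Constructed samples: (seconds since start, free disk %), one every 60 s.
SAMPLES = [(0, 25), (60, 18), (120, 17), (180, 22), (240, 15), (300, 9),
           (360, 8), (420, 9), (480, 8), (540, 7), (600, 7), (660, 30)]

def effective_setting(server, metric):
    """Global setting for the metric, with any object-level override applied."""
    return replace(GLOBAL[metric], **OVERRIDES.get((server, metric), {}))

def level(value, s):
    """Instantaneous level of one sample, ignoring the hold time."""
    hit = (lambda t: value <= t) if s.low_is_bad else (lambda t: value >= t)
    return "Critical" if hit(s.critical) else "Warning" if hit(s.warning) else "OK"

def evaluate(samples, s):
    """Return [(time, status)] transitions; a status is raised only after its
    condition has held continuously for s.hold_seconds."""
    since = {"Warning": None, "Critical": None}
    status, transitions = "OK", []
    for t, value in samples:
        lvl = level(value, s)
        # A Critical reading also satisfies the Warning condition.
        active = {"Warning": lvl != "OK", "Critical": lvl == "Critical"}
        for name in since:
            if not active[name]:
                since[name] = None      # condition cleared: restart the clock
            elif since[name] is None:
                since[name] = t         # condition just began
        new = "OK"
        for name in ("Warning", "Critical"):   # Critical checked last, so it wins
            if since[name] is not None and t - since[name] >= s.hold_seconds:
                new = name
        if new != status:
            transitions.append((t, new))
            status = new
    return transitions
```

The short dip at 60 to 120 seconds never raises an alert under either setting, and the shorter hold time overridden for CORP raises the same alerts three minutes earlier than the global setting does for ADC.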

Browsing AD
The software lets you browse the entire AD and displays detailed information about the AD components that you navigate to. You can browse by site or domain. If you click the By Site subcategory in the taskbar, the resulting icons in the site navigation bar represent domains and servers in a site. If you browse servers in a site, icons in the navigation bar represent the types of services (e.g., DNS, Global Catalog) running on a given server. When you select an object in the browser, DirectoryAnalyzer organizes the information by dividing it into tabbed dialog boxes in the data-display window.

Troubleshooting AD
When an alert informs you of a problem in your AD environment, you can use DirectoryAnalyzer's troubleshooting utilities to isolate the cause. When you select a computer in the site navigation bar, the data-display window lists the available tests for that machine. A DC Server test finds the server, pings it, and performs a name lookup for it. A DNS Server test pings the server IP address and performs a DNS query that reports the service status and query runtime. If the system is a primary DNS server, the software performs both tests on every DNS server in that zone. A Domain test runs against all domain controllers in a given domain. The software pings all the domain controllers and checks the LDAP service status, performs an LDAP query, pings DNS servers, checks the DNS service status, and performs a DNS query on all DNS servers in the domain. To run tests, click Start Test in the data-display window for each test type you want to run. Each test ran in only a few seconds and reported statistics related to the item tested.

Ensure a Sound AD Infrastructure
DirectoryAnalyzer provides a good single-point-of-management tool for AD analysis and troubleshooting. Although pop-up menus that appear when you right-click an alert and other objects would make the product more user-friendly, overall the interface is intuitive. A feature that would enhance the software is the ability to add Performance Monitor items to the software's alerts list. However, the software's current alerting system will help administrators prevent AD-related disasters. AD is the foundation of Win2K enterprises, and DirectoryAnalyzer ensures a solid foundation.

DirectoryAnalyzer 1.04
Contact: NetPro * 480-941-3600 or 800-998-5090
Price: $12 per user object (subscription pricing available)
Decision Summary:
Pros: Single point of administration eases Active Directory analysis; knowledge base aids Active Directory newcomers; integrated Active Directory troubleshooting tools are useful
Cons: No means for adding alert triggers; lacks right-click pop-up menus to access alert details