I've often used Windows NT 4.0 tools such as Nltest and Dommon to monitor and manage our network. I've been looking through the utilities that come with Windows 2000 Server, the Microsoft Windows 2000 Server Resource Kit, and the Microsoft Windows 2000 Professional Resource Kit. But I've yet to see any good tools for monitoring new Win2K components such as Global Catalog (GC) servers or Flexible Single Master Operation (FSMO) role holders. What Win2K-aware network-monitoring tools do you recommend?

Win2K includes several new services and components that administrators need to work with, but Microsoft's white papers and other technical documents lack strong coverage of these new elements. The OS's support tools (which you can find under \i386\support on the Win2K Server CD-ROM) and the Win2K resource kits provide a somewhat anemic set of utilities, which includes the following:

  • Dcdiag.exe—a command-line utility that tests Win2K domain controller (DC) health.
  • Dsastat.exe—a command-line utility that compares two directory trees or GCs and detects differences. You can use this tool to ensure that DCs and GCs are synchronized.
  • Replmon.exe—a GUI-based utility that tests low-level Active Directory (AD) replication status. You can use this tool to view replication topology and to force directory synchronization.
  • Repadmin.exe—a command-line utility that you can use to view AD replication topology, to force replication, and to modify replication topology manually.
  • Nltest.exe—a command-line utility that tests the status of trust-relationship links for Win2K and NT networks. You can use this tool to repair such links.
  • Dnscmd.exe—a command-line utility that monitors and manages Win2K DNS servers.
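Dcdiag's output is long, so for routine monitoring it helps to reduce a saved run to a per-test pass/fail summary. The following is an added example, not part of the original column or of any Microsoft tool: it assumes Dcdiag's "Starting test:" and "passed test"/"failed test" line layout, the sample output and server names are constructed, and the function names `parse_dcdiag` and `failures` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of Dcdiag.exe output (DC1/DC2 are made-up server names).
SAMPLE = r"""
Doing initial required tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Replications
         [Replications Check,DC1] A recent replication attempt failed:
            From DC2 to DC1
         ......................... DC1 failed test Replications
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
# Summary line: a run of dots, the target name, the verdict, the test name.
RESULT = re.compile(r"^\s*\.{3,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")

def parse_dcdiag(text):
    """Return {target: {test: {"passed": bool, "detail": [lines]}}}."""
    results = defaultdict(dict)
    detail = []
    for line in text.splitlines():
        if START.match(line):
            detail = []  # new test begins: discard section headers seen so far
            continue
        m = RESULT.match(line)
        if m:
            target, verdict, test = m.groups()
            results[target][test] = {"passed": verdict == "passed", "detail": detail}
            detail = []
        elif line.strip():
            detail.append(line.strip())  # diagnostic text printed by the test
    return dict(results)

def failures(results):
    """List (target, test, detail lines) for every failed test."""
    return [(t, name, r["detail"]) for t, tests in results.items()
            for name, r in tests.items() if not r["passed"]]

if __name__ == "__main__":
    print(failures(parse_dcdiag(SAMPLE)))
```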

Although these tools collectively provide the ability to monitor most basic Win2K network functionality, they aren't intuitive or user-friendly. A better tool is NetIQ's ADcheck, which provides Win2K diagnostics tools in five essential categories:

  • Test Domain Controllers—checks DC availability, validates DNS records (e.g., service resource records—SRV RRs), and binds to each DC to verify AD status
  • List Domain Controllers—lists all DCs along with each DC's name, availability, Active Directory Service Interfaces (ADSI) scripting location, and site location
  • List Operations Masters—lists FSMO role holders, compares them with an internal best practices list, and recommends changes when necessary
  • Test Replication—performs domain replication topology checks and displays diagnostic information about replication partners
  • Show Domain Controller Status—provides DC status summaries, including replication errors and partners, AD site analysis, and charts that show recommended DC placement changes

You can download ADcheck at http://www.netiq.com/adcheck/download.asp. (Figure 1, page 94, shows the tool's interface.) The tool can generate detailed reports that show current problems and potential trouble spots. No Win2K network administrator should be without this free tool.

You can also purchase more sophisticated and full-featured Win2K or AD network-monitoring tools. Take a look at NetPro's DirectoryAnalyzer, NetIQ's AppManager or Operations Manager, Heroix's RoboMon, and Opalis Software's Opalis EventMonitor or OpalisRobot. For more monitoring advice, see "Monitoring Your AD-Enabled Network," September 2000.