Blog - Title

June, 2010

  • Son of SPA: AD Data Collector Sets in Win2008 and beyond

    Hello, David Everett here again. This time I’m going to cover configuration and management of Active Directory Diagnostics Data Collector Sets. Data Collector Sets are the next generation of a utility called Server Performance Advisor (SPA).

    Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active Directory data set collects performance data and it generates XML based diagnostic reports that make analyzing AD performance issues easier by identifying the IP addresses of the highest volume callers and the type of network traffic that is placing the most load on the CPU. A screen shot of SPA is shown here with the Active Directory data set selected.

    image

    Those who came to rely upon this tool will be happy to know its functionality has been built into Windows Server 2008 and Windows Server 2008 R2.

    This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data collector set is automatically created under System as shown here. It can also be accessed by running “Perfmon” from the RUN command.

    image

    Like SPA, the Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line. If reducing or increasing the time that a data collector set runs is required, and manually stopping the collection is not desirable, then see How to Create a User Defined Data Collection Set below. Like SPA, the data is stored under %systemdrive%\perflogs, only now it is under the \ADDS folder and when a data collection is run it creates a new subfolder called YYYYMMDD-#### where YYYY = Year, MM = Month and DD=Day and #### starts with 0001.

    Once the data collection completes the report is generated on the fly and is ready for review under the Reports node.

    Just as SPA could be managed from the command line with spacmd.exe, data collector sets can also be managed from the command line.

    How to gather Active Directory Diagnostics from the command line

    • To START a collection of data from the command line issue this command from an elevated command prompt:

    logman start “system\Active Directory Diagnostics” -ets

    • To STOP the collection of data before the default 5 minutes, issue this command:

    logman stop “system\Active Directory Diagnostics” -ets

    NOTE: To gather data from remote systems just add “-s servername” to the commands above like this:

    logman -s servername start “system\Active Directory Diagnostics” -ets

    logman -s servername stop “system\Active Directory Diagnostics” -ets

    This command will also work if the target is Server Core. If you cannot connect using Server Manager you can view the report by connecting from another computer to the C$ admin share and open the report.html file under \\servername\C$\PerfLogs\ADDS\YYYYMMDD-000#.

    See LaNae’s blog post on How to Enable Remote Administration of Server Core via MMC using NETSH to open the necessary firewall ports.

    In the event you need a Data Collection set run for a shorter or longer period of time, or if some other default setting is not to your liking you can create a User Defined Data Collector Set using the Active Directory Diagnostics collector set as a template.

    NOTE: Increasing the duration that a data collection set runs will require more time for the data to be converted and could increase load on CPU, memory and disk.

    Once your customized Data Collector Set is defined to your liking you can export the information to an XML file and import it to any server you wish using Server Manager or logman.exe

    How to Create a User Defined Data Collection Set

     

    1. Open Server Manager on a Full version of Windows Server 2008 or later.
    2. Expand Diagnostics > Reliability and Performance > Data Collector Sets .
    3. Right-click User Defined and select New > Data Collector Set.
    4. Type in a name like Active Directory Diagnostics and leave the default selection of Create from a template (Recommended) selected and click Next.
    5. Select Active Directory Diagnostics from the list of templates and click Next and follow the Wizard prompts making any changes you think are necessary.
    6. Right-click the new User Defined data collector set and view the Properties.
    7. To change the run time, modify the Overall Duration settings in the Stop Condition tab and click OK to apply the changes.

    Once the settings have been configured to your liking you can run this directly from Server Manager or you can export this and deploy it to specific DCs.

    Deploying a User Defined Data Collection Set

    • In Server Manager on a Full version of Windows Server 2008 or later
    1.  
      1. Expand Diagnostics > Reliability and Performance > Data Collector Sets > User Defined
      2. Right-click the newly created data collector set and select Save Template…
    • From the command line

    1. Enumerate all User Defined data collector sets

    logman query

    NOTE: If running this from a remote computer the command add “-s servername” to target the remote server

    logman -s servername query

    2. Export the desired collection set

    logman export -n “Active Directory Diagnostics” -xml addiag.xml

    3. Import the collection set to the target server.

    logman import -n “Active Directory Diagnostics” -xml addiag.xml

    NOTE: If you get the error below then there’s an SDDL string in the XML file between the <Security></Security> tags that is not correct. This can happen if you export the Active Directory Diagnostics collector set under System. To correct this, remove everything between <Security></Security> tags in the XML file.

    Error:

    This security ID may not be assigned as the owner of this object.

    4. Verify the collector set is installed

     logman query

    5. Now that the data collector set is imported you’re ready to gather data. See How to gather Active Directory Diagnostics from the command line above to do this from the command line.

    Once you’ve gathered your data, you will have these interesting and useful reports to aid in your troubleshooting and server performance trending:

    image

    image

    In short, all the goodness of SPA is now integrated into the operating system, not requiring an install or reboot. Follow the steps above, and you'll be on your way to gathering and analyzing lots of performance goo.

    David “highly excitable” Everett

  • Friday Mail Sack: Walking Tall Edition

    Hello folks, Ned here again. After a week in Las Colinas Texas, the blog migration, and Jonathan’s attempted coup, we are still standing. Since I’m sure your whole day has been designed around this post I won’t keep you waiting. 

    Question

    I am testing RODC’s in a WAN scenario, where the RODC is in a branch site. When the WAN is taken offline, some users cannot logon even when I have cached their passwords. Other users can logon but not access other resources using Kerberos authorization, like file shares and what not.

    Answer

    Make sure that the computers in that branch site are allowed to cache their passwords also. This means that those computers need to be added into the Password Replication Policy allow list via DSA.MSC. For example:

    image

    image

    If a user tries to logon to a computer that cannot itself create a secure channel and logon to a DC, that user will receive the error “The trust relationship between this workstation and the primary domain failed”.

    If users can logon to their local computers, but then try to access other resources requiring a Kerberos ticket granting service ticket for those computers, and those computers are not able to logon to the domain, users will see something like:

    image

    The error “The system detected a possible attempt to compromise security” is the key, the dialog may change – in this case I was trying to connect to a share.

    You will also see “KDC_ERR_SVC_UNAVAILABLE” errors in your network captures from the RODC. Here I am using a workstation called 7-04-x86-u to try and browse the shares on a file server called 2008r2-06-fn (which is IP address 10.70.0.106). My RODC 2008r2-04-f has a KDC that keeps getting TGS requests that it cannot fulfill since that 06 server cannot logon. So now you see all the SMB (i.e. CIFS) related TGS issues below:

    image

    Question

    Does DFSR talk to the PDCE Emulator like DFS Namespace root servers?

    Answer

    Nope, it locates DC’s just like your computer does when you logon – through the DC Locator process. So if everything is working correctly, any DC’s in the same site are the primary candidates for LDAP communication.

    Question

    I understand that DFSR uses encrypted RPC to communicate, but the details are kind of lacking. Especially around what specific cipher suite is used. Can you explain a bit more?

    Answer

    DFSR uses RPC_C_AUTHN_GSS_NEGOTIATE with Kerberos required, with Mutual Auth required, and with Impersonation blocked. The actual encryption algorithm depends on the OS’s supported algorithms used by Kerberos. On Windows 2003 that would be AES 128 (and RC4 or DES technically, but that would never be used normally). On Win2008 and Win2008R2 it would be AES-256. DFSR doesn’t really care what the encryption is, he just trusts Kerberos to take care of it all within RPC (and this means that you can replace “DFSR” here with “Pretty much any Windows RPC application, as long as it uses Negotiate with Kerberos”). Both AES 128 and AES 256 are very strong block cipher suites that meet FIPS compliance and no one is close to breaking them in the foreseeable future.

    Proof!

    Question

    Not really an AD thing, but is Windows 7 able to use the Novell IPX network protocol?

    Answer

    Nope. Windows XP/2003 were the last Microsoft operating systems to include IPX support. Novell stopped including IPX when they released their client for Vista/2008:

    http://www.novell.com/documentation/vista_client/pdfdoc/vista_client_admin10/vista_client_admin10.pdf

    Novell Client for Windows XP/2003 Features Not Included in the Novell Client for Windows Vista/2008

    • IPX/SPXTM protocols and API libraries.

    Question

    What settings should I configure for Windows Security Auditing? What’s recommended?

    Answer

    That’s a biiiiig question and it doesn’t have a simple answer. The most important thing to consider when configuring auditing – and the one that hardly anyone ever asks – is “what are you trying to accomplish?” Just turning on a bunch of auditing is wrong. Just turning on one set of auditing you find on the internet, a government website, or through some supposed “security auditing” company is also wrong – there is no one size fits all answer, and anyone that says there is can be discarded.

    • Decide what type of information you want to gain by collecting audit events – what are you going to do with this audit data.
    • Consider the resources that you have available for collecting and reviewing an audit log – not just cost of deployment, but reviewing, acting upon it, etc. Operational costs.
    • Collect and archive the logs using something like ACS. The forensic trail is very short in the event log alone.

    Don’t just turn on auditing without having a plan for those three points. Start by reviewing our auditing best practices guide. Then review Eric Fitzgerald’s excellent blog post “Keeping the noise down in your security log.” It has one of the best points ever written about auditing:

    “5. Don't enable "failure" auditing, unless you have a plan on what to do when you see one (that doesn't involve emailing me ;-) and you are actually spending time on a regular basis following up on these events.

    You might or might not realize, that auditing in general is a potential denial-of-service attack on the system.  Auditing consumes system resources (CPU & disk i/o and disk space) to record system and user activity.  Success auditing records activity of authenticated users performing actions which they've been authorized to perform.  This somewhat limits the attack, since you know who they are, and you've allowed them to do whatever it is that you're auditing.  If they try to abuse the system by opening the audited file a million times, you can go fire them.

    Failure auditing allows unauthenticated or unauthorized users to consume resources.  In the worst case, a logon failure event, a remote user with no credentials can cause consumption of system resources.”

    Make sure you are not impacting performance with your auditing – another good Eric read here. Understand exactly what it is your auditing will tell you by reviewing:

    Finally, for some general sample template security settings, take a look at the Security Compliance Manager tool.

    There must have been something in the water this week, as I got asked this by a dozen different customers, askds readers, and MS internal folks. Weird.

    Question

    When running AD PowerShell cmdlet get-adcomputer -properties * it always returns:

    Get-ADComputer : One or more properties are invalid.
    Parameter name: msDS-HostServiceAccount
    At line:1 char:15
    + Get-ADComputer <<<<  srv1 -Properties *
        + CategoryInfo          : InvalidArgument: (srv1:ADComputer) [Get-ADComputer], ArgumentException
        + FullyQualifiedErrorId :
    One or more properties are invalid.
    Parameter name: msDS-HostServiceAccount,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

    Not using –properties * or using other cmdlet’s worked fine.

    Answer

    Rats! Well, this is not by design or desirable. If you are seeing this issue then you are probably using the add-on "AD Management Gateway" PowerShell service on your Win2003 and Win2008 DC's, and have not yet deployed Windows Server 2008 R2 DC’s yet.  You don’t have to roll out Win2008 R2, but you do need to update the AD schema to version 47 – i.e. Windows Server 2008 R2. Steps here, and as always, test your forest schema upgrade in your lab environment first.

    Have a nice weekend.

    - Ned “not actually walking tall, per se” Pyle

  • New Directory Services Content 5/23-5/29

    KB

    983456

    SMTP configuration options are reset in Windows Server 2008 R2, Windows Server 2008 Service Pack 1 and Service Pack 2, after you install the MS10-024 update (976323)

    981482

    In Windows Server 2008 or Windows Server 2008 R2 environment, if the network environment is set to enable Delay ACK and storage is connected with iSCSI, an iScsiPrt error is output to the System Event Log when a general operation is executed

    Blogs

    Designing and Implementing a PKI: Part III Certificate Templates

    FRS to DFSR Migration Tool Released

    Enabling CEP and CES for enrolling non-domain joined computers for certificates

    Hey, Scripting Guy! Weekend Scripter: Using the Get-ACL Cmdlet to Show Inherited Permissions on Registry Keys

    Offline Folders and Folder Redirection with Anjli

    Interview on Identity and the Cloud

    Group Policy Setting of the week 26 – Do not allow Windows Messenger to be Run

    Windows Server 2008 R2 Netsh Technical Ref – now available for download

    Inside the new PowerShell 2.0 commands for Active Directory

    Federation Trust Partner Certificates

    Kim Cameron on Identity, Federation and the Cloud

    How to apply a Group Policy Object to individual users or computer

    Transitioning your Active Directory to Windows Server 2008 R2

    What's New in Roaming User Profiles in Windows 7

    Information Card Issuance CTP

    Managing Windows Server 2008 R2 using PowerShell

    Work Remotely with Windows PowerShell without using Remoting or WinRM

    TechNet Wiki Pick of the Week: DirectAccess and Teredo Adaptor Behavior

    Issuing Information Cards with ADFS 2.0

    PowerShell Modules versus Snapins

    FAQ: Microsoft Hyper-V Server 2008 R2

    Deployment guides for Remote Desktop Services in Windows Server 2008 R2 and for Terminal Services in Windows Server 2008 are now available.

    Two Minute Drill: The Eventcreate command

    Should you install Microsoft Hyper-V on Server Core?

    Windows XP SP2 retirement looms, puts users in tough spot

    Delete certificate from smartcard with Base Smart Card provider

    ADFS V2.0 Lingo

    System Center Configuration Manager v.Next Beta 1 - now available

    VHD Getting Started Guide – now available

  • One Stop Shop for Windows Time Information

    Hi folks, Ned here again. After much noodling and work here with our TechNet writer team, there is a new, consolidated set of info for Windows Time (w32time) in all of our operating systems, to include Windows 7 and Win2008 R2. All of it can be found here:

    Windows Time Service Technical Reference

    This includes updated info on:

    • Where to Find Windows Time Service Configuration Information
    • What is the Windows Time Service?
    • Importance of Time Protocols
    • How the Windows Time Service Works
    • Windows Time Service Tools and Settings

    I think you'll find this useful, make sure to give it a look. A huge thanks to Bob Drake, Kurt, and Jarrett for making this happen.

    PS: The phrase "one stop shop" is the pet peeve of David Fisher. If you ever find yourself talking to him, make sure you use it often.

    - Ned "tick tock you don't stop" Pyle