ADMP and Tuning for Performance Reports

mgoedtel — Mon, 23 Feb 2009 04:27:00 GMT

The latest Active Directory management pack deployment guide has a small section entitled "Enabling or Disabling Performance Data for Reports" and it was generating some good dialog internally between some colleagues and the product group. This section recommends that you disable the Performance monitor for the class "Active Directory Domain Controller Server 200x Computer Role" in order to minimize performance data collection for reports. However, this is a base aggregate monitor that is basically responsible for reflecting the best/worse case of health relative to the state of the child monitors. It has no direct impact on controlling the behavior of the child monitors, nor performance collection in general.

If you really want to disable performance data collection because reporting is not important to you, then you should be focusing on the performance collection rules. They are denoted as such with the words "performance collection" in the name of the respective rule. Examples in the ADMP are:

AD Global Catalog Search Time Response Performance Collection
AD DC Performance Collection - Metric Memory Committed Bytes

If you want to disable performance alerts because you are not concerned with certain performance issues with your DC's (as you may already know these facts and don't want to be constantly reminded), then you should be disabling the respective performance unit monitor. Examples in the ADMP are:

AD DC Last Bind Monitor
AD DC Op Master Domain Naming Last Bind Monitor

Active Directory Management Pack - Replication Monitoring Account Permissions

mgoedtel — Fri, 23 Nov 2007 03:55:00 GMT

I have been monitoring some of the blogs lately in the management community and came across some entries around guiding customers with respect to properly configuring the Run As account for the Replication Monitoring Rule in the Active Directory Management Pack for Operations Manager 2007. Unfortunately some of the recommendations I reviewed were technically inaccurate. My efforts here are to help clarify the specific permissions that need to be granted to the Replication Monitoring Run As Account. Otherwise, the Replication Monitoring script will generate an alert indicating "Event ID 67 - Access Denied" in trying to create the Domain Controller object, the replication container, or modify the attributes of the DC object.

Update: The latest version of the Active Directory management pack, version 6.0.6452.0 has changed the name of the replication container used for replication monitoring in Operations Manager. It is now OpsMgrLatencyMonitors and was not pointed out in the ADMP deployment guide. Therefore, this blog has been updated to reflect that name change and has been updated to recommend the appropriate minimum security rights that should be granted to the Run As account.

In order to monitor replication between domain controllers in the forest, the Active Directory Management Pack Guide instructs you to configure a domain account that will be used only for replication monitoring. This is found on page 10. However, what is not clearly detailed are the partitions in Active Directory that you must ensure the security permissions are granted correctly for the replication monitoring account to allow it to modify the OpsMgrLatencyMonitors container within each of those partitions.

By default, the Replication Monitoring script will monitor the Domain partition, and application partitions in the directory service. The Configuration partition is not monitored by default and is optional. The following steps must be completed to ensure the replication monitoring account has rights to modify the objects and attributes under the OpsMgrLatencyMonitors container: (Note: Steps 2 and 3 are only necessary if you are using Microsoft DNS that is running on your domain controllers and configured with AD Integrated DNS.)

1. Set permissions for the Replication Monitoring Run As account on the Domain partition in each domain in the forest.

To do this, follow these steps on a domain controller in the domain:

a. Click Start, click Run, type Adsiedit.msc, and then click OK.

b. In the task pane, right-click ADSI Edit, and then click Connect to.

c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

DC=Domain,DC=Domain_extension

d. In the task pane, locate and right-click

CN=MOMLatencyMonitors,DC=Domain,

DC=Domain_extension and then click Properties.

e. In the Permissions tab, click Add.

f. In the Enter the object name to select box, type the name of the replication monitoring Run As account, and then click Check Names to verify the name.

g. Click OK. The Permissions Entry for OpsMgrLatencyMonitors dialog box appears.

h. In the Apply onto drop-down list, click This object and all child objects.

i. Click to select the Allow check box for the Read, Write, Create All Child Objects permission, and then click OK.

j. In the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, click Apply, and then click OK.

k. Close the ADSI Edit window.

2. Set permissions for the Replication Monitoring Run As account on the DomainDNSZones application partition in each domain in the forest. To do this, follow these steps on a domain controller in the domain:

a. Click Start, click Run, type Adsiedit.msc, and then click OK.

b. In the task pane, right-click ADSI Edit, and then click Connect to.

c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

DC=DomainDNSZones,DC=Domain,DC=Domain_extension

d. In the task pane, locate and right-click

CN=OpsMgrLatencyMonitors,DC=DomainDNSZones,DC=Domain,

DC=Domain_extension and then click Properties.

e. In the Permissions tab, click Add.

f. In the Enter the object name to select box, type the name of the replication monitoring Run As account, and then click Check Names to verify the name.

g. Click OK. The Permissions Entry for OpsMgrLatencyMonitors dialog box appears.

h. In the Apply onto drop-down list, click This object and all child objects.

i. Click to select the Allow check box for the Read, Write, Create All Child Objects permission, and then click OK.

j. In the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, click Apply, and then click OK.

k. Close the ADSI Edit window.

3. Set permissions for the Replication Monitoring Run As account on the ForestDNSZones application partition.

To do this, follow these steps on a domain controller in the domain:

a. Click Start, click Run, type Adsiedit.msc, and then click OK.

b. In the task pane, right-click ADSI Edit, and then click Connect to.

c. Under Connection Point, click Select or type a Distinguished Name or Naming Context, type the following, and then click OK:

DC=ForestDNSZones,DC=Domain,DC=Domain_extension

d. In the task pane, locate and right-click

CN=OpsMgrLatencyMonitors,DC=ForestDNSZones,DC=Domain,

DC=Domain_extension and then click Properties.

e. In the Permissions tab, click Add.

f. In the Enter the object name to select box, type the name of the replication monitoring Run As account, and then click Check Names

to verify the name.

g. Click OK. The Permissions Entry for OpsMgrLatencyMonitors dialog box appears.

h. In the Apply onto drop-down list, click This object and all child objects.

i. Click to select the Allow check box for the Read, Write, Create All Child Objects permission, and then click OK.

j. In the Advanced Security Settings for OpsMgrLatencyMonitors dialog box, click Apply, and then click OK.

k. Close the ADSI Edit window.

Hopefully you find this helpful and it clarifies the permissions you need to grant to the Run As account specific to the replication monitoring container in the directory service.

Note: Once the replication monitoring script in the management pack creates an object for each DC and monitoring begins to operate under normal parameters, you can go ahead and remove the old replication monitoring container in the directory service - MOMLatencyMonitors from each domain in the forest and the applicable application partitions that was being monitored as well.

Matt Goedtel on Operations Management : Operations Manager 2007, Active Directory MP

ADMP and Tuning for Performance Reports

Active Directory Management Pack - Replication Monitoring Account Permissions