Introduction
This chapter deals with tracking the activity and usage of various Active Directory components. Whenever you need to troubleshoot a problem, often the first place you look is the log files. With Active Directory there are several different log files, and each has its own way to increase or decrease the verbosity of the information that is logged. Viewing log messages can be useful, but you may also want to look at performance metrics to determine whether the system is being over-utilized. I'll review a couple of ways you can view performance metrics and monitor Active Directory performance. For more extensive monitoring, I suggest looking at NetPro's (http://www.netpro.com/) Active Directory monitoring tools or Microsoft Operations Manager (http://microsoft.com/mom/).

I'll also cover a somewhat related topic in this chapter called quotas, which allow you to monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature, introduced in Windows Server 2003, closes a hole that existed in Windows 2000, where users who had access to create objects in Active Directory could create as many as they wanted. These users could even cause a denial of service by creating objects until the disk filled on the domain controllers. This kind of attack is not likely to happen in most environments, but the possibility should still be considered.
The Anatomy of a Quota Object Container
Quota objects are stored in the NTDS Quotas container in all Windows Server 2003-based naming contexts and application partitions except the schema naming context (quotas cannot be associated with the schema naming context). By default, this container is hidden from view within tools such as Active Directory Users and Computers, but it can be seen by selecting View -> Advanced Features from the menu. The quota object container has an objectClass of msDS-QuotaContainer and contains several attributes that define default quota behavior. Table 15-1 lists some of the important attributes of msDS-QuotaContainer objects.
Table 15-1. Attributes of msDS-QuotaContainer objects

cn
    RDN of quota container objects. By default, this is equal to NTDS Quotas.

msDS-DefaultQuota
    The default quota applied to all security principals that do not have another quota specification applied. See Recipe 15.16 for more details.

msDS-QuotaEffective
    A constructed attribute that contains the effective quota of the security principal that is viewing the attribute. See Recipe 15.17 for more details.

msDS-QuotaUsed
    A constructed attribute that contains the quota usage of the security principal that is viewing the attribute. See Recipe 15.17 for more details.

msDS-TombstoneQuotaFactor
    Percentage that tombstone objects count against a quota. The default is 100, which means a tombstone object has equal weighting to a normal object. See Recipe 15.15 for more details.

msDS-TopQuotaUsage
    Multivalued attribute that contains information about the security principals with the top quota usage. See Recipe 15.17 for more details.
The Anatomy of a Quota Object
Quota objects have an objectClass of msDS-QuotaControl, which defines three attributes that relate to quotas. Table 15-2 contains these attributes and provides a description for each.
Table 15-2. Attributes of msDS-QuotaControl objects

cn
    RDN of the quota object.

msDS-QuotaAmount
    Number of objects that can be created by the security principals that the quota applies to. See Recipe 15.13 for more information.

msDS-QuotaTrustee
    SID of the security principal that the quota applies to. This can be a user, group, or computer SID. See Recipe 15.13 for more information.
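To make the interplay between the container attributes in Table 15-1 and the quota objects in Table 15-2 concrete, here is an added Python model (not code from the book) of how a principal's effective quota and quota usage come together. It assumes that the largest applicable msDS-QuotaAmount wins when several quota objects match a principal or its groups, that a msDS-DefaultQuota of -1 means unlimited, and that tombstone-weighted usage rounds up; the SIDs and counts are constructed sample data.

```python
from dataclasses import dataclass, field
from math import ceil

UNLIMITED = -1  # assumption: a msDS-DefaultQuota of -1 means "no limit"


@dataclass
class QuotaContainer:
    """Model of one NTDS Quotas container (objectClass msDS-QuotaContainer)."""
    default_quota: int = UNLIMITED            # msDS-DefaultQuota
    tombstone_quota_factor: int = 100         # msDS-TombstoneQuotaFactor, in percent
    # msDS-QuotaControl objects, keyed by msDS-QuotaTrustee (SID) -> msDS-QuotaAmount
    quotas: dict = field(default_factory=dict)


def effective_quota(container, principal_sid, group_sids=()):
    """msDS-QuotaEffective as seen by a principal: the largest msDS-QuotaAmount
    whose trustee is the principal's own SID or one of its group SIDs, or
    msDS-DefaultQuota when no quota object applies (assumed resolution rule)."""
    applicable = [container.quotas[sid] for sid in (principal_sid, *group_sids)
                  if sid in container.quotas]
    return max(applicable) if applicable else container.default_quota


def quota_used(container, live_objects, tombstones):
    """msDS-QuotaUsed: live objects count fully, tombstones are weighted by
    msDS-TombstoneQuotaFactor (assumption: fractional usage rounds up)."""
    return live_objects + ceil(tombstones * container.tombstone_quota_factor / 100)


def can_create(container, principal_sid, group_sids, live_objects, tombstones):
    """True if one more object may be created before the effective quota is hit."""
    quota = effective_quota(container, principal_sid, group_sids)
    return quota == UNLIMITED or quota_used(container, live_objects, tombstones) < quota


# Constructed sample data; the SIDs are placeholders, not real domain SIDs.
SAMPLE = QuotaContainer(
    default_quota=50,
    tombstone_quota_factor=25,
    quotas={"S-1-5-21-0-0-0-1105": 10,    # quota on an individual user
            "S-1-5-21-0-0-0-512": 200},   # quota on a group the user belongs to
)

if __name__ == "__main__":
    print(effective_quota(SAMPLE, "S-1-5-21-0-0-0-1105", ["S-1-5-21-0-0-0-512"]))  # 200
    print(quota_used(SAMPLE, live_objects=40, tombstones=10))  # 43
    print(can_create(SAMPLE, "S-1-5-21-0-0-0-9999", [], 48, 10))  # False
```

Because msDS-QuotaEffective and msDS-QuotaUsed are constructed attributes, the directory computes exactly this kind of result on the fly for whichever principal reads them, rather than storing a value per user.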