Active Directory 2016 Services and Counters
This SAM application monitor template assesses the overall health of Active Directory 2016 services and counters on a domain controller.
Use this template in conjunction with the Windows Server 2016 Services and Counters template.
Prerequisites
RPC and WMI access to the domain controller.
Credentials
Windows Administrator on the domain controller.
Component monitors
Components without predetermined threshold values have guidance such as "use the lowest threshold possible" or "use the highest threshold possible" to help you find a threshold appropriate for your application. For details, see Manage application monitor thresholds.
Service: Distributed File System
Monitors the service used to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders.
Service: DNS Server
Monitors the service that resolves DNS names for DNS clients by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: DFS Replication
Monitors the service used to synchronize folders with file servers that use Distributed File System (DFS) technology.
Service: Intersite Messaging
Monitors the service used to exchange messages between systems running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Kerberos Key Distribution Center
On domain controllers, this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Windows Time
Monitors the service that maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: DNS Client
The DNS Client service (dnscache) stores DNS names and registers the full computer name for this system. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.
Service: Security Accounts Manager
The startup of this service signals other services that the Security Accounts Manager is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the Security Accounts Manager is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Service: Server
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Workstation
Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Remote Procedure Call (RPC)
The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions, and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you keep the RPCSS service running.
Service: Net Logon
Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.
LDAP Active Threads
The current number of threads in use by the LDAP subsystem of the local directory service.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
LDAP Bind Time
The time (in milliseconds) required for the completion of the last successful LDAP binding.
This counter should be as low as possible. If it is not, it usually indicates that hardware or network-related problems are occurring.
LDAP Client Sessions
The number of currently connected LDAP client sessions.
This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
Directory Service Threads in Use
The current number of threads in use by the directory service.
This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
Address Book Client Sessions
The number of connected Address Book client sessions.
Directory Service Notify Queue Size
The number of pending update notifications that are queued, but not yet transmitted to clients.
This counter should be as low as possible.
DRA Inbound Full Sync Objects Remaining
The number of objects remaining until the full synchronization is completed (measured while the full synchronization is in progress).
This counter should be as low as possible.
DRA Inbound Values (DNs only)/sec
The number of object property values received from inbound replication partners that are distinguished names (DNs) that reference other objects. DN values, such as group or distribution list memberships, are generally more expensive to apply than other types of values.
DRA Outbound Values (DNs only)/sec
The number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are generally more expensive to read than other kinds of values.
LDAP Successful Binds/sec
The number of LDAP bindings (per second) that occurred successfully.
This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
LDAP Searches/sec
The number of search operations per second performed by LDAP clients.
This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
DS Directory Reads/sec
The number of directory reads per second.
DS Directory Writes/sec
The number of directory writes per second.
DRA Pending Replication Synchronizations
The number of directory synchronizations that are queued for this server but not yet processed.
System: Context Switches/sec
Used to determine whether or not the processor must handle too many applications.
Interpret the data cautiously. A thread that is heavily using the processor lowers the rate of context switches, because it does not allow much processor time for other processes' threads. A high rate of context switching means that the processor is being shared repeatedly, for example by many threads of equal priority. It is a good practice to minimize the context switching rate by reducing the number of active threads on the system. The use of thread pooling, I/O completion ports, and asynchronous I/O can reduce the number of active threads. Determine whether the applications you are running provide options to limit the number of threads.
A context switching rate of 300 per second per processor is a moderate amount; a rate of 1000 per second or more is high.
Specify a value for the warning and critical thresholds based on your current environment. See Manage thresholds in SAM.
System: Processor Queue Length
Indicates if the system is able to handle processing requests.
This counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time. This counter also reports a total queue length for all processors, not a length per processor.
Service: Active Directory Domain Services
This is a core AD DS Domain Controller service. If this service stops, users cannot log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Active Directory Web Servers
This service provides a web service interface to instances of the directory service (AD DS and AD LDS) that run locally on this server. If this service is stopped or disabled, client applications such as Active Directory or PowerShell cannot access or manage any directory service instances running locally on this server.
Events: Machine Account Authentication Failure
This monitor returns the number of events that indicate a machine account failed to authenticate. This is usually caused either by multiple instances of the same computer name or by the computer name not having been replicated to every domain controller.
If you do not find multiple instances of the computer name, verify that replication is functioning for the domain that contains the computer account.
Events: Replicate Duplicate Object Found
This monitor returns the number of events that indicate a duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible.
Events: Failed Replication
This monitor returns the number of events that indicate replication failed for the reason stated in the message text.
Use Repadmin.exe to further identify the problem, and use Table x.x to determine the appropriate action to take for the message generated by Repadmin.exe. If the event message indicates that the target account name is incorrect, troubleshoot GUID discrepancies. If the event message indicates a time difference between the client and server, synchronize replication from the PDC emulator.
Events: Replication Configuration Does Not Reflect Topology
This monitor returns the number of events that occur when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.
Events: Lingering Objects Disconnection Error
This monitor returns the number of events usually generated by a lingering object, which results from a domain controller having been disconnected for too long.
Events: Replication Link GUID Mismatch
This monitor returns the number of events that occur over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the Service Principal Name (SPN) attributes of the computer object of this replication partner. Troubleshoot GUID discrepancies as necessary.
Events: User Account Cannot Be Resolved
This monitor returns the number of events that indicate a user account in one or more Group Policy objects (GPOs) cannot be resolved to a security identifier (SID). This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.
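As an added example (not part of this template or SolarWinds' own code), the following PowerShell spot-checks the services and a subset of the counters described above from an elevated session on the domain controller, applying the context-switch guidance from the text. The service short names and counter paths are assumed to match the Windows Server 2016 names.

```powershell
# Added example (not part of the SAM template): spot-check the services and
# counters this template describes from an elevated PowerShell session on the DC.
# Service short names are assumed to correspond to the display names in the text.
$services = [ordered]@{
    'Dfs'               = 'Distributed File System'
    'DNS'               = 'DNS Server'
    'DFSR'              = 'DFS Replication'
    'IsmServ'           = 'Intersite Messaging'
    'Kdc'               = 'Kerberos Key Distribution Center'
    'W32Time'           = 'Windows Time'
    'Dnscache'          = 'DNS Client'
    'SamSs'             = 'Security Accounts Manager'
    'LanmanServer'      = 'Server'
    'LanmanWorkstation' = 'Workstation'
    'RpcSs'             = 'Remote Procedure Call (RPC)'
    'Netlogon'          = 'Net Logon'
    'NTDS'              = 'Active Directory Domain Services'
    'ADWS'              = 'Active Directory Web Services'
}
foreach ($name in $services.Keys) {
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'NotInstalled' }
    $flag  = if ($state -eq 'Running') { 'OK' } else { 'ALERT' }
    '{0,-6} {1,-18} {2,-34} {3}' -f $flag, $name, $services[$name], $state
}

# Counter paths assumed to match the NTDS and System counter sets on Server 2016.
$counters = @(
    '\NTDS\LDAP Bind Time',
    '\NTDS\LDAP Active Threads',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\DRA Pending Replication Synchronizations',
    '\System\Context Switches/sec',
    '\System\Processor Queue Length'
)
$cpus    = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
$samples = (Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 1).CounterSamples
foreach ($s in $samples) {
    $v = [math]::Round($s.CookedValue, 1)
    if ($s.Path -like '*context switches/sec') {
        # Guidance from the text: about 300/sec per processor is moderate, 1000+ is high
        $perCpu = [math]::Round($v / $cpus, 1)
        $level  = if ($perCpu -ge 1000) { 'HIGH' } elseif ($perCpu -ge 300) { 'MODERATE' } else { 'OK' }
        '{0,-10} {1} = {2} ({3}/sec per processor)' -f $level, $s.Path, $v, $perCpu
    } else {
        # Other counters carry no fixed threshold in the text; report them for baselining
        '{0,-10} {1} = {2}' -f 'INFO', $s.Path, $v
    }
}
```

Processor Queue Length is an instantaneous value, so for a real baseline raise -MaxSamples and average the readings rather than acting on a single snapshot.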