Active Directory 2008 R2-2012 Services and Counters
Use this SAM application monitor template to assess the overall health of Active Directory 2008 R2 - 2012 services and counters on a domain controller.
Use this template in conjunction with the Windows Server 2003-2012 Services and Counters template.
Prerequisites
RPC and WMI access to the domain controller.
Credentials
Windows Administrator on the domain controller.
Component monitors
Components without predetermined threshold values provide guidance such as "use the lowest threshold possible" or "use the highest threshold possible" to help you find a threshold appropriate for your application. To learn more, see Manage thresholds in SAM.
Service: Distributed File System
Monitors the service used to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders.
Service: DNS Server
Monitors the service used to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: DFS Replication
Monitors the service used to synchronize folders on multiple servers across local or wide area network (WAN) connections. This service uses the Remote Differential Compression (RDC) protocol to update only the portions of files that have changed since the last replication.
Service: Intersite Messaging
Monitors the service used to exchange messages between computers running Windows Server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Kerberos Key Distribution Center
On domain controllers, this service enables users to log on to the network using the Kerberos authentication protocol. If this service is stopped on a domain controller, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Windows Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: DNS Client
The DNS Client service (dnscache) caches DNS names and registers the full computer name for the system. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.
Service: Security Accounts Manager
The startup of this service signals other services that the Security Accounts Manager is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the Security Accounts Manager is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
Service: Server
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Workstation
Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Remote Procedure Call (RPC)
The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions, and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running.
Service: Net Logon
Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start.
LDAP Active Threads
The current number of threads in use by the LDAP subsystem of the local directory service.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
LDAP Bind Time
The time (in milliseconds) required for the completion of the last successful LDAP binding.
This counter should be as low as possible. If it is not, it usually indicates that hardware or network-related problems are occurring.
LDAP Client Sessions
The number of currently connected LDAP client sessions.
This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
Directory Service Threads in Use
The current number of threads in use by the directory service.
This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
Address Book Client Sessions
The number of connected Address Book client sessions.
Directory Service Notify Queue Size
The number of pending update notifications that are queued, but not yet transmitted to clients.
This counter should be as low as possible.
DRA Inbound Full Sync Objects Remaining
The number of objects remaining until the full synchronization is completed (while replication is being performed).
This counter should be as low as possible.
DRA Inbound Values (DNs only)/sec
The number of object property values received from inbound replication partners that are distinguished names (DNs) that reference other objects. DN values, such as group or distribution list memberships, are generally more expensive to apply than other types of values.
DRA Outbound Values (DNs only)/sec
The number of object property values containing DNs sent to outbound replication partners. DN values, such as group or distribution list memberships, are generally more expensive to read than other kinds of values.
DS Threads in Use
Indicates the current number of threads in use by the directory service.
LDAP Successful Binds/sec
The number of LDAP bindings (per second) that occurred successfully.
This counter should show activity over time. If it does not, it usually indicates that network-related problems are occurring.
LDAP Searches/sec
The number of search operations per second performed by LDAP clients.
This counter should show activity over time. If it does not, it usually indicates that network problems are hindering client requests.
DS Directory Reads/sec
The number of directory reads per second.
DS Directory Writes/sec
The number of directory writes per second.
DRA Pending Replication Synchronizations
The number of directory synchronizations that are queued for this server but not yet processed.
System: Context Switches/sec
Used to determine whether or not the processor must handle an excessive number of applications.
Interpret this data cautiously. A thread that is heavily using the processor lowers the rate of context switches because it does not allow much processor time for other process threads. A high rate of context switching means that the processor is being shared repeatedly (for example, by many threads of equal priority). It is a good practice to minimize the context switching rate by reducing the number of active threads on the system. The use of thread pooling, I/O completion ports, and asynchronous I/O can reduce the number of active threads. Determine if the applications you are running provide tuning features that include limiting the number of threads.
A context switching rate of 300 per second per processor is a moderate amount; a rate of 1000 per second or more is high. Values at this high level may be a problem.
You can provide a value for the warning and critical thresholds based on your current environment and your requirements.
System: Processor Queue Length
Indicates if the system is able to handle processing requests.
This counter is a rough indicator of the number of threads each processor is servicing. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time. This counter also reports a total queue length for all processors, not a length per processor.
Service: Active Directory Domain Services
This is a core AD DS Domain Controller service. If this service is stopped, users will be unable to log on to the network. If this service is disabled, any services that explicitly depend on it will fail to start.
Service: Active Directory Web Services
This service provides a Web Service interface to instances of the directory service (AD DS and AD LDS) that are running locally on this server. If this service is stopped or disabled, client applications, such as Active Directory PowerShell, will not be able to access or manage any directory service instances that are running locally on this server.