
Microsoft Press MCTS Training Kit 70-640: Configuring Windows Server 2008 Active Directory, part 8 (PDF)


Lesson 1: Proactive Directory Maintenance and Data Store Protection 653
If you did not assign a static IP address, the Active Directory Domain Services
Installation Wizard will give you a warning because you are using a dynamic IP address.
23. Click the Yes, The Computer Will Use A Dynamically Assigned IP Address (Not Recommended)
option.
The Active Directory Domain Services Installation Wizard will warn you that it cannot
create a delegation for the domain.
24. Click Yes.
25. On the Install From Media page, click Replicate Data From Media At The Following
Location, type C:\IFM or click Browse to locate the IFM folder on the C drive, and click
Next.
Note that it indicates that the media must have been created from a writable DC because
you did not select the RODC mode for this DC.
26. On the Source Domain Controller page, accept the defaults and click Next.
27. On the Location For Database, Log Files And SYSVOL page, accept the default locations
and click Next.
28. Type a strong password, confirm it, and click Next.
29. Confirm your settings on the Summary page and click Next. Select Reboot On Completion
and wait for the operation to complete.
Your new DC has been created from local media. Installing from media cuts down the initial
replication; the data is then updated through replication after the DC has been created.
Exercise 3 Perform Database Maintenance
In this exercise, you will perform interactive database maintenance, using the restartable
Active Directory Domain Services mode. You can perform this operation now because there
are two DCs in the treyresearch.net domain. You must have at least two DCs to be able to use
restartable AD DS.
654 Chapter 13 Directory Business Continuity
1. Log on to SERVER11 with the domain administrator account.
2. Use Windows Explorer to create a C:\Temp and a C:\OriginalNTDS folder.
You will use these folders as temporary locations for the compacted and the original
database.


3. In Server Manager, expand the Configuration node and click Services.
4. Locate the Active Directory Domain Services service (it should be first on the list) and
right-click it to select Stop.
5. In the Stop Other Services dialog box, click Yes.
The server will stop the service.
Remember that if the service cannot contact another writable DC, it will not be able to
stop; otherwise, no one would be able to log on to the domain.
6. Launch an elevated command prompt by right-clicking Command Prompt in the Start
menu and choosing Run As Administrator.
7. Begin by compacting the database. Type the following commands:
ntdsutil
activate instance NTDS
files
compact to C:\temp
Ntdsutil.exe will compact the database and copy it to the new location. In very large
directories, this operation can take some time.
8. Type the following after the compaction operation is complete:
quit
quit
9. Now, delete all the log files. Type the following:
cd %systemroot%\ntds
del *.log
You delete the log files because you will be replacing the Ntds.dit file with the newly
compacted file, and the existing log files will not work with the newly compacted database.
10. Now, back up the Ntds.dit file to protect it in case something goes wrong. Type the following:
copy ntds.dit \originalntds
11. Copy the newly compacted database to the original NTDS folder. Making sure you are
still within the %SystemRoot%\NTDS folder, type the following:
copy c:\temp\ntds.dit
y
12. Finally, verify the integrity of the new Ntds.dit file.
After this is done, you will also perform a semantic database analysis to verify the data
within the database. Type the following:
ntdsutil
activate instance NTDS
files
integrity
quit
semantic database analysis
go fixup
quit
quit
Note that if the integrity check fails, you must recopy the original Ntds.dit back to this
folder because the newly compacted file is corrupt. If you do not do so, your DC will no
longer be operational.
13. Return to Server Manager, expand the Configuration node, and click Services.
14. Locate the Active Directory Domain Services service (it should be first on the list) and
right-click it to select Start.
Your server is back online and ready to deliver authentication services to the network. It
can take several minutes for the dependent services to restart. Delete the Ntds.dit
located in the Original NTDS folder because it is no longer valid.
Exercise 4 Automate Database Maintenance
You can script the entire database compaction operation from the command line if you want
to automate it. You should, however, make sure all the operational results are captured in a text
file so that you can review them if something goes wrong.
1. Log on to SERVER11 with the domain administrator account.
2. Also, make sure both a C:\Temp folder and a C:\NTDS folder exist on your server and
that both folders are empty.
You will use this folder as a temporary location for the compacted database. You are
ready to automate the compaction process.
3. Move to the C:\Temp folder and right-click in the details pane to select New; then click
Text Document.
4. Name the Text document Compaction.cmd.
If you cannot see the .txt extension of the file, click Folder Options from the Tools menu
in Windows Explorer. On the View tab, clear Hide Extensions For Known File Types and
click OK. Remove the .txt extension on your file name. Confirm the removal.
5. Right-click Compaction.cmd and choose Edit. Type the following commands:
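rem Remove database copies left over from a previous run.
del C:\temp\*.dit
del C:\originalntds\*.dit
rem Stop AD DS and its dependent services, then compact the database to C:\temp.
net stop ntds /y
ntdsutil "activate instance NTDS" files "compact to C:\temp" quit quit
rem Swap in the compacted database; the old log files do not match it.
cd \windows\ntds
del *.log
copy ntds.dit \originalntds
del ntds.dit
copy c:\temp\ntds.dit
rem Check integrity and run the semantic database analysis before restarting AD DS.
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit
net start ntds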
6. Save and close the Compaction.cmd file.
Note that you can add a pause command after each command in your text file to verify
the proper operation of the commands while testing.
7. Test the file by launching an elevated command prompt by right-clicking Command
Prompt in the Start menu and choosing Run As Administrator.
8. Type:
cd \temp
compaction
9. If at any time the file does not work, use Ctrl+C to cancel the batch file and correct the
errors.
If the file works properly, you can use it to automate the compaction process.
10. Remove any pause statements you entered in the file and save it again.
You can reuse this command file each time you want to run the compaction on your systems.
It is recommended that you run this command file interactively to address any
errors or issues during the process. Be very wary of putting this file into a scheduled
task. You should never run compaction in unattended mode because errors could
destroy your DC.
11. If a DC is nonfunctioning, you can use the following command to remove the DC role:
dcpromo /forceremoval
12. Run the Active Directory Domain Services Installation Wizard again to re-create the DC.
Perform the Ntds.dit compaction operation at least once a month.
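The exercise asks that all operational results be captured in a text file and warns that an unnoticed error can destroy the DC. The following variant of Compaction.cmd does both; it is an added example, not part of the original book. The log file names, the variable names, and the "Integrity check successful" wording searched for in the Ntdsutil output are assumptions: confirm the wording against an interactive run first, since a mismatch only makes the script roll back to the original database.

```batch
@echo off
rem Added example (not the book's script): Compaction.cmd with a log file and
rem stop-on-error handling. Run it interactively from an elevated prompt.
rem Assumed names: Compaction.log, Integrity.log, the variables below, and
rem OKTEXT, the success wording expected in the Ntdsutil integrity output.
setlocal
set "NTDSDIR=%SystemRoot%\NTDS"
set "WORK=C:\Temp"
set "KEEP=C:\OriginalNTDS"
set "LOG=%WORK%\Compaction.log"
set "OKTEXT=Integrity check successful"

echo ==== Compaction started %DATE% %TIME% ====>> "%LOG%"

rem Remove leftovers so a stale file is never mistaken for a fresh result.
if exist "%WORK%\ntds.dit" del "%WORK%\ntds.dit"
if exist "%KEEP%\ntds.dit" del "%KEEP%\ntds.dit"

rem Stopping fails when no other writable DC can be contacted; change nothing then.
net stop ntds /y >> "%LOG%" 2>&1
if errorlevel 1 goto restart

ntdsutil "activate instance NTDS" files "compact to %WORK%" quit quit >> "%LOG%" 2>&1
if not exist "%WORK%\ntds.dit" goto restart

rem Save the original first; the NTDS folder is only changed once the copy exists.
copy /y "%NTDSDIR%\ntds.dit" "%KEEP%\ntds.dit" >> "%LOG%" 2>&1
if errorlevel 1 goto restart

rem The old log files do not match the compacted database.
del "%NTDSDIR%\*.log" >> "%LOG%" 2>&1
copy /y "%WORK%\ntds.dit" "%NTDSDIR%\ntds.dit" >> "%LOG%" 2>&1
if errorlevel 1 goto rollback

rem Integrity check and semantic analysis; kept in its own file so it can be searched.
ntdsutil "activate instance NTDS" files integrity quit "semantic database analysis" "go fixup" quit quit > "%WORK%\Integrity.log" 2>&1
type "%WORK%\Integrity.log" >> "%LOG%"
findstr /i /c:"%OKTEXT%" "%WORK%\Integrity.log" > nul
if errorlevel 1 goto rollback

net start ntds >> "%LOG%" 2>&1
if errorlevel 1 goto failed
rem The saved original is no longer valid once the new database is in service,
rem and spare copies of Ntds.dit hold the domain's account data, so remove both.
del "%KEEP%\ntds.dit" "%WORK%\ntds.dit" >> "%LOG%" 2>&1
echo ==== Compaction completed, AD DS restarted ====>> "%LOG%"
exit /b 0

:rollback
echo ==== Check failed: restoring the original Ntds.dit ====>> "%LOG%"
copy /y "%KEEP%\ntds.dit" "%NTDSDIR%\ntds.dit" >> "%LOG%" 2>&1
if errorlevel 1 goto failed
:restart
net start ntds >> "%LOG%" 2>&1
:failed
echo ==== Compaction NOT completed, review this log ====>> "%LOG%"
echo Compaction did not complete. Review %LOG%.
exit /b 1
```

If the original database cannot be copied back, the script leaves AD DS stopped so that the saved copy in C:\OriginalNTDS can be restored by hand.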
Exercise 5 Protect Group Policy Objects
In this exercise, you will use the GPMC to back up GPOs.
1. Log on to SERVER11 with the domain administrator account.
2. Verify the existence of a folder named Temp on the C drive.
3. Launch the GPMC from the Administrative Tools program group.
4. Expand Forest\Domains\domainname\Group Policy Objects.
5. Right-click Group Policy Objects and select Back Up All.
6. Type the location as C:\Temp or use the Browse button to locate the folder.
7. Type a description, in this case, First GPO Backup and click Back Up.
The GPO backup tool will show the progress of the backup.
8. Click OK after the backup is complete.
Your GPOs are now protected.
9. Back up the Temp folder.
You can rely on this folder to copy the GPOs from one domain to another if you wish.
Perform this operation at least once a week.
Exam Tip Backing up and restoring GPOs are both important parts of the exam. Practice
these operations thoroughly to prepare for this topic.

Lesson Summary
■ To maintain your directory service, you must perform proactive maintenance tasks.
These tasks fall into twelve categories, many of which should be delegated to others.
Domain administrators are responsible for the AD DS service and should focus on core
directory operations such as database administration tasks.
■ Several tools are available for AD DS administration. The most commonly used tools are
the three main Active Directory consoles: Active Directory Users and Computers, Active
Directory Sites and Services, and Active Directory Domains and Trusts.
■ With Windows Server 2008, AD DS is now a manageable service like all other servers
and can be started and stopped without having to restart the server in Directory Services
Restore Mode.
■ When you delete an object in AD DS, you must restore the object to re-create its properties.
If you simply re-create the object, it will not have the same SID and, therefore, will
not retain any of the deleted object’s properties. Restoring an object restores the original
SID and, therefore, will automatically restore most of the access rights associated with
the object.
■ There are several ways to protect information in the directory:
❑ You can protect objects from deletion.
❑ You can audit AD DS changes to view previous and changed values when changes
are made.
❑ You can rely on the tombstone container to recover deleted objects.
❑ You can rely on backup and restore to recover lost information.
■ To restore objects from the deleted objects container in AD DS, you must use a tool that
will expose this container and enable you to modify the state of the object. Two tools are
available for this operation: Ldp.exe and Quest Object Restore for Active Directory. After
the object is restored, you must reassign its password, group memberships, and other
informational attributes and then enable the object.
■ When you restore an object from backup, the object is restored with all its previous
attributes. No additional changes are required.

Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Proactive Directory Maintenance and Data Store Protection.” The questions are also available
on the companion CD if you prefer to review them in electronic form.
NOTE Answers
Answers to these questions and explanations of why each answer choice is right or wrong are
located in the “Answers” section at the end of the book.
1. You are a systems administrator for contoso.com. You have been requested to compact the
database on one of the two DCs for the forest root domain. However, when you try to
stop the AD DS service, you find that you cannot stop it on the server you are working
on. What could be the problem?
A. You cannot stop the AD DS service on a Windows Server 2008 DC.
B. Someone else is working on another DC in this domain.
C. You must restart the server in Directory Services Restore Mode.
D. You must use the net stop command to stop the AD DS service.
2. You are the network administrator of a large network. One of your DCs recently failed.
You need to restore the DC to a working state. You have several backups of the server
that were created with Windows Server Backup. Which of the following steps should
you perform? (Choose all that apply.)
A. Restart the server in Directory Services Restore Mode.
B. Perform an authoritative restore using the Ntdsutil.exe command.
C. Reinstall Windows Server 2008.
D. Restart the server in WinRE.
E. Perform a nonauthoritative restore using the Ntdsutil.exe command.
F. Perform a full server recovery using the command line.
Lesson 2: Proactive Directory Performance Management
The second activity you must master to maintain your DCs proactively is performance
management. When you use proper installation and creation procedures, your DCs should just
work. Remember that the Domain Controller role is now in its fifth iteration since it appeared
in Microsoft Windows NT, and it has evolved with the different releases of the Microsoft server
operating system. This means that it is now a very solid and stable service.
However, you’ll find that despite this stability, things can still go wrong, whether they are
related to system or human errors. And when they do, you need to be ready to identify the
issues quickly and take appropriate steps to correct the situation. When you perform proactive
performance management, you are forewarned when untoward events might occur. This is the
crux of this lesson.
After this lesson, you will be able to:
■ Work with system performance indicators.
■ Use the Windows Server performance and reliability tools.
■ Use the Windows System Resource Monitor.
■ Generate and view performance reports.
Estimated lesson time: 45 minutes
Managing System Resources
Windows Server includes several tools that help identify potential issues with system
resources. When systems are not configured properly and are not assigned appropriate
resources such as CPU, RAM, or disk space, systems monitoring will help you identify where
bottlenecks occur. When you identify these bottlenecks, you then assign additional resources
to the system. If the system is physical, this most often means shutting down the system;
installing new resources, for example, additional memory chips; and then restarting the
system. If the system is virtual, then depending on the virtualization engine you use, you might
be able to allocate new resources while the virtual machine is still running. If not, shut it down;
allocate new resources, for example, an additional CPU and additional RAM; and then restart
it. After the system is restarted, monitor its performance again to identify whether the new
resources solved the problem.
The tools you can rely on to identify performance bottlenecks in Windows Server 2008
include:
■ Task Manager, which displays current system resource usage.
■ Event Viewer, which logs specific events, including performance related events.

■ Reliability Monitor, which tracks changes brought to the system, enabling you to identify
whether a change could be the cause of a new bottleneck.
■ Performance Monitor, which collects data in either real time or at specific intervals to
identify potential issues.
■ Windows System Resource Manager (WSRM), which can be used to profile specific
applications to indicate which resources they need at which time. You can also use it to
manage application resource allocation based on the profiles you generate.
You can use other tools as well, such as Microsoft System Center Operations Manager, to
monitor the state of a system continuously and automatically correct well-known issues.
Operations Manager relies on custom management packs to monitor specific applications.
Using Task Manager
The simplest of all tools to use is Task Manager. This tool provides real-time system status
information and covers several key aspects of a system’s performance, including:
■ Running applications
■ Running processes
■ Running services
■ Performance, including CPU and memory usage
■ Networking, including network interface card (NIC) utilization
■ Currently logged-on users
You can access Task Manager in a variety of ways, the most common of which is to right-click
the taskbar and select Task Manager. Another common method is to use the Ctrl+Alt+Delete
key combination and click Task Manager when the menu choices appear. For example, this is
how you would access Task Manager on Server Core because it does not include a taskbar. You
can also type Taskmgr.exe at a command prompt.
When you access information regarding system performance, the Performance tab is the most
useful tab. (See Figure 13-7.) This displays complete information about your system’s key
resource usage. It details physical and kernel memory usage. This tab also includes a button
that gives you access to Resource Monitor. Clicking this button will launch Resource Monitor
while keeping Task Manager open.

Resource Monitor is a super Task Manager because it brings together the CPU, disk, memory,
and network usage graphs in a single view. (See Figure 13-8.) In addition, it includes
expandable components for each resource, displaying details of each component so that you can
identify which processes might be the culprit if issues are evident. These two tools are ideal for
on-the-spot verifications of resource usage. You should rely on them if you need to identify
immediately whether something is wrong with a server.
Figure 13-7 Viewing real-time performance information in Task Manager
For example, if the system does not have enough memory, you will immediately see that
memory usage is constantly high. In this case, Windows will be forced to use on-disk virtual
memory and will need to swap or page memory contents constantly between physical and
virtual memory. Constant paging is a typical issue that servers with insufficient physical memory
face and is often indicated by slow system behavior. One good indicator of insufficient
memory is slow Server Manager operation.
Figure 13-8 Viewing real-time performance information in Resource Monitor
MORE INFO Resource Monitor
For more information on Resource Monitor, see Scenario 1 in “Windows Server 2008 Performance
and Reliability Monitoring Step-by-Step Guide” at />/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true.
Working with Event Viewer
Another excellent indicator of system health is Windows Event Log. Windows maintains
several event logs to collect information about each of the services running on a server. By default,
these include the Application, Security, Setup, System, and Forwarded Events logs, all located
in the Windows Logs folder. However, on a DC, you will also have additional logs that are
specifically related to AD DS operation. These will be located in the Applications and Services
Logs folder and will include:
■ DFS Replication, which is available in domains and forests operating in Windows Server
2008 full functional mode. If you are running your domains or forests in one of the
earlier modes, the log will be for the FRS replication service.
■ Directory Service, which focuses on the operations that are specifically related to AD DS.
■ DNS Server, which lists all events related to the naming service that supports AD DS
operation.
However, one of the best features of Event Log is related to Server Manager. Because it acts as
the central management location for each of the roles included in Windows Server 2008,
Server Manager provides custom log views that percolate all the events related to a specific server
role. For example, if you click the Active Directory Domain Services role, Server Manager will
provide you with a log view that includes, among other things, a summary view of key events
related to this service. (See Figure 13-9.)
Event Log lists three types of events: Information, Warning, and Errors. By default, the
summary view displayed under the server role will list Errors with a high priority, Warnings with
a medium priority, and Information messages with the lowest priority. Therefore, Errors will
always appear at the top of the summary, alerting you immediately if there is an issue with your
system. To drill down and see the event details, either double-click the event itself or move to
the Event Viewer section under the Diagnostics node of the tree pane in Server Manager.
Figure 13-9 Viewing Summary Events for AD DS in Server Manager
MORE INFO Active Directory Services events and errors
To learn about specific events and errors related to Active Directory Services roles go to
/>f964908b072b1033.mspx.
Events provide much more information in Windows Server 2008 and Windows Vista than
ever before. In previous versions of Windows, events were arcane items that provided very
little information about an issue. Today, you get a full explanation on an event in Event Viewer,
and you can link to an online database maintained by Microsoft for each event. You can look
up an event in this database by clicking the Event Log Online Help link in the event’s
Properties dialog box. You will be prompted to send information about the event to Microsoft. Click
Yes if you want information specifically about this event.
This database does not provide information about every event in Windows, but it covers the
most frequently viewed events. You can also use third-party event log databases to view
information about events.

MORE INFO Windows event IDs
To access a free database of Windows event IDs, go to
The more information you know about Windows events, the easier it will be to deal with the issue.
You can rely on the Microsoft online event database and free third-party event databases as well
as supplement this information with online searches through tools such as Windows Live Search
to locate information about an issue. Searching on the event ID will return the most results.
MORE INFO New features of Event Log
For more information on working with Event Log, download “Tracking Change” in Windows Vista,
a multi-page article on the new features of Event Log and how it can be integrated with Task
Manager to automate actions based on specific events as well as forward key events to a central
collection system at />
Working with Windows Reliability Monitor
Another useful tool to identify potential issues on a system is Reliability Monitor. This tool,
located under the Diagnostics\Reliability and Performance\Monitoring Tools node in Server
Manager, is designed to track changes that are made to a system. Each time a change is
performed on the system, it is logged in Reliability Monitor. (See Figure 13-10.) Tracked changes
include system changes, software installs or uninstalls, application failures, hardware failures,
and Windows failures.
If an issue arises, one of the first places you should check is Reliability Monitor because it
tracks every change to your system and reveals what might have happened to make your
system unresponsive. For example, if the change is a new driver for a device, it might be a good
idea to roll back the device installation and see whether the system becomes more responsive.
Check Reliability Monitor whenever an issue affecting performance arises on a server.
Exam Tip Work with Task Manager, Event Viewer, and Reliability Monitor. All are important parts
of the exam.
Figure 13-10 Viewing system changes in Reliability Monitor
Working with Windows Performance Monitor
Sometimes problems and issues are not immediately recognizable and require further
research to identify them. In this case, you need to rely on Performance Monitor. This tool,
located under the Diagnostics\Reliability and Performance\Monitoring Tools node in Server
Manager, is designed to track performance data on a system. You use Performance Monitor to
track particular system components either in real time or on a scheduled basis.
If you are familiar with previous versions of Windows Server, you’ll quickly note that Windows
Server 2008 Performance Monitor brings together several tools you might be familiar with:
Performance Logs and Alerts, Server Performance Advisor, and System Monitor. If you are new
to Windows Server with the 2008 release, you’ll quickly find that when it comes to
performance management and analysis, Performance Monitor is the tool to use. Using Performance
Monitor, you create interactive collections of system counters or create reusable data collector
sets. Performance Monitor is part of Windows Reliability and Performance Monitor (WRPM).
Table 13-5 outlines each of the tools in WRPM that support performance monitoring and the
access rights required to work with them.
Windows Server 2008 includes a new built-in group called Performance Log Users, which
allows server administrators who are not members of the local Administrators group to
perform tasks related to performance monitoring and logging. For this group to be able to initiate
data logging or modify data collector sets, it must have the Log On As A Batch Job user right.
Note that this user right is assigned to this group by default.
In addition, Windows Server 2008 will create custom Data Collector Set templates when a role
is installed. These templates are located under the System node of the Data Collector Sets
node of WRPM. For example, with the AD DS role, four collector sets are created:
■ The Active Directory Diagnostics set collects data from registry keys, performance
counters, and trace events related to AD DS performance on a local DC.
■ The LAN Diagnostics set collects data from network interface cards, registry keys, and
other system hardware to identify issues related to network traffic on the local DC.
■ The System Diagnostics set collects data from local hardware resources to generate data
that helps streamline system performance on the local DC.
■ The System Performance set focuses on the status of hardware resources and system
response times and processes on the local DC.
Of the four, the most useful for AD DS is the first. This should be the data set you rely on the
most. You can create your own personalized data set. If you do, focus on the items in Table 13-6
as the counters you should include in your data set.
Table 13-5 WRPM Tools and Access Rights

Tool: Monitoring Tools, Performance Monitor
Description: To view performance data in real time or from log files. The performance data can be viewed in a graph, histogram, or report.
Required Membership: Local Performance Log Users group

Tool: Monitoring Tools, Reliability Monitor
Description: To view the system stability and the events that affect reliability.
Required Membership: Local Administrators group

Tool: Data collector sets
Description: Groups data collectors into reusable elements that can be used to review or log performance. Contains three types of data collectors: performance counts, event trace data, and system configuration information.
Required Membership: Local Performance Log Users group with the Log on as a batch job user right

Tool: Reports
Description: Includes preconfigured performance and diagnosis reports. Can also be used to generate reports from data collected using any data collector set.
Required Membership: Local Performance Log Users group with the Log on as a batch job user right
Table 13-6 Monitor Common Counters for AD DS

Counter: Network Interface: Bytes Total/Sec
Description: Rate at which bytes are sent and received over each network adapter, including framing characters.
Reason: Track network interfaces to identify high usage rates per NIC. This helps you determine whether you need to segment the network or increase bandwidth.

Counter: Network Interface: Packets Outbound Discarded
Description: Number of outbound packets that were chosen to be discarded even though no errors had been detected to prevent transmission.
Reason: Long queues of items indicate that the NIC is waiting for the network and is not keeping pace with the server. This is a bottleneck.

Counter: NTDS: DRA Inbound Bytes Total/Sec
Description: Total bytes received through replication. It is the sum of both uncompressed and compressed data.
Reason: If this counter does not have any activity, it indicates that the network could be slowing down replication.

Counter: NTDS: DRA Inbound Object Updates Remaining in Packet
Description: Number of object updates received through replication that have not yet been applied to the local server.
Reason: The value should be low on a constant basis. High values show that the server is not capable of adequately integrating data received through replication.

Counter: NTDS: DRA Outbound Bytes Total/Sec
Description: Total bytes sent per second. It is the sum of both uncompressed and compressed data.
Reason: If this counter does not have any activity, it indicates that the network could be slowing down replication.

Counter: NTDS: DRA Pending Replication Synchronizations
Description: The replication backlog on the server.
Reason: The value should be low on a constant basis. High values show that the server is not capable of adequately integrating data received through replication.

Counter: NTDS: DS Threads In Use
Description: Number of threads in use by AD DS.
Reason: If there is no activity, the network might be preventing client requests from being processed.

Counter: NTDS: LDAP Bind Time
Description: Time required for completion of the last LDAP binding.
Reason: High values indicate either hardware or network performance problems.

Counter: NTDS: LDAP Client Sessions
Description: Number of connected LDAP client sessions.
Reason: If there is no activity, the network might be causing problems.

Counter: NTDS: LDAP Searches/Sec
Description: Number of LDAP searches per second.
Reason: If there is no activity, the network might be causing problems.

Counter: NTDS: LDAP Successful Binds/Sec
Description: Number of successful LDAP binds per second.
Reason: If there is no activity, the network might be causing problems.

Counter: NTDS: LDAP Writes/Sec
Description: Number of successful LDAP writes per second.
Reason: If there is no activity, the network might be causing problems.
To add counters to Performance Monitor, simply click the plus (+) sign in the toolbar at the top
of the details pane. This displays the Add Counters dialog box. (See Figure 13-11.) Scroll
through the counters to identify which ones you need. In some cases, you will need
subcounters under a specific heading (as shown in Table 13-6); in others, you need the entire
subset of counters. When you need a subcounter, click the down arrow beside the heading,
locate the subcounter, and click Add. When you need the entire counter, click the counter and
click Add. This adds the counter with a star heading below it, indicating that all subcounters
have been added.
IMPORTANT The Windows Server 2008 interface
When using the classic interface in Windows Server 2008, subcounters are accessed by clicking plus
signs. When using the Desktop Experience feature in Windows Server 2008, which simulates the
Vista interface, subcounters are accessed through down arrows.
To obtain information about a counter, click Show Description. Then, when you click any
counter or subcounter, a short description will appear at the bottom of the dialog box.
Table 13-6 Monitor Common Counters for AD DS (continued)

Counter: Security System-Wide Statistics: Kerberos Authentications
Description: Number of Kerberos authentications on the server per second.
Reason: If there is no activity, the network might be preventing authentication requests from being processed.

Counter: Security System-Wide Statistics: NTLM Authentication
Description: Number of NTLM authentications on the server per second.
Reason: If there is no activity, the network might be preventing authentication requests from being processed.

Counter: DFS Replicated Folders: All Counters
Description: Counters for staging and conflicting data.
Reason: If there is no activity, the network might be causing problems.

Counter: DFS Replication Connections: All Counters
Description: Counter for incoming connections.
Reason: If there is no activity, the network might be causing problems.

Counter: DFS Replication Service Volumes: All Counters
Description: Counters for update sequence number (USN) journal records and database processing on each volume.
Reason: If there is no activity, the processor might be causing problems.

Counter: DNS: All Counters
Description: DNS Object Type handles the Windows NT DNS service on your system.
Reason: If there is no activity, the network might be causing problems, and clients might not be able to locate this DC.
Figure 13-11 Adding counters to Performance Monitor
As soon as you are finished adding counters and you click OK, Performance Monitor will start
tracking them in real time. Each counter you added will be assigned a line of a specific color.
To remove a counter, click the counter, and then click the Delete button (X) on the toolbar at
the top of the details pane.
You can start and stop Performance Monitor much like a media player, using the same type of
buttons. When Performance Monitor runs, it automatically overwrites data as it collects more;
therefore, it is more practical for real-time monitoring.
If you want to capture the counters you added into a custom data set, right-click Performance
Monitor and select New; then choose New Data Collector Set. Follow the prompts to save your
counter selections so that you can reuse them later.
Exam Tip Work with Performance Monitor because it is an important part of the exam. Also,
note that there is no Server Performance Advisor (SPA) in Windows Server 2008. This Windows
Server 2003 tool has been rolled into Windows Reliability and Performance Monitor. Don’t get
caught on questions regarding SPA on the exam.
Creating Baselines for AD DS and DNS
For long-term system monitoring, you must create data collector sets. These sets run automated
collections at scheduled times. When you first install a system, it is a good idea to create
a performance baseline for that system. Then as load increases on the system, you can
compare the current load with the baseline and see what has changed. This helps you identify
whether additional resources are required for your systems to provide optimal performance. For
example, when working with DCs, it is a good idea to log performance at peak and nonpeak
times. Peak times would be when users log on in the morning or after lunch, and nonpeak times
would be periods such as mid-morning or mid-afternoon. To create a performance baseline,
you need to take samples of counter values for 30 to 45 minutes for at least a week during
peak, low, and normal operations. The general steps for creating a baseline include:
1. Identify resources to track.
2. Capture data at specific times.
3. Store the captured data for long-term access.
IMPORTANT Performance monitoring affects performance
Taking performance snapshots also affects system performance. The object with the worst impact
on performance is the logical disk object, especially if logical disk counters are enabled. However,
because this affects snapshots at any time, even with major loads on the server, the baseline is still
valid.
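As an added illustration of the baseline comparison described above (not code from the book), this Python script reads two counter logs in Performance Monitor's comma-separated (PDH-CSV) layout and reports, for each counter, whether it shows no activity or has moved away from the baseline. The sample values, the tolerance of three standard deviations, and the function names are assumptions made for the example.

```python
import csv
import io
import statistics

# Constructed PDH-CSV samples; SERVER10 is the practice server, all values are made up.
HEADER = (r'"(PDH-CSV 4.0) (Eastern Standard Time)(300)",'
          r'"\\SERVER10\Security System-Wide Statistics\Kerberos Authentications",'
          r'"\\SERVER10\Security System-Wide Statistics\NTLM Authentications"')
BASELINE_CSV = HEADER + '''
"03/10/2008 08:00:00.000"," "," "
"03/10/2008 08:00:15.000","40","4"
"03/10/2008 08:00:30.000","44","5"
"03/10/2008 08:00:45.000","38","3"
"03/10/2008 08:01:00.000","42","4"
'''
CURRENT_CSV = HEADER + '''
"04/14/2008 08:00:00.000"," "," "
"04/14/2008 08:00:15.000","0","20"
"04/14/2008 08:00:30.000","0","25"
"04/14/2008 08:00:45.000","0","22"
'''


def load_counters(text):
    """Parse PDH-CSV text into {counter path without host: [samples]}."""
    rows = list(csv.reader(io.StringIO(text.strip())))
    names = [col.split("\\", 3)[-1] for col in rows[0][1:]]
    series = {name: [] for name in names}
    for row in rows[1:]:
        for name, cell in zip(names, row[1:]):
            if cell.strip():  # rate counters leave their first sample blank
                series[name].append(float(cell))
    return series


def compare(baseline, current, tolerance=3.0):
    """Classify each baseline counter as silent, within, above or below baseline."""
    findings = {}
    for name, base in baseline.items():
        cur = current.get(name, [])
        delta = (statistics.mean(cur) if cur else 0.0) - statistics.mean(base)
        if not cur or max(cur) == 0:
            findings[name] = "no activity"
        elif abs(delta) <= tolerance * statistics.pstdev(base):
            findings[name] = "within baseline"
        else:
            findings[name] = "above baseline" if delta > 0 else "below baseline"
    return findings


if __name__ == "__main__":
    report = compare(load_counters(BASELINE_CSV), load_counters(CURRENT_CSV))
    for counter, verdict in report.items():
        print(f"{verdict:16} {counter}")
```

In the constructed data, Kerberos authentications drop to zero while NTLM authentications rise well above the baseline, which is the kind of change a stored baseline makes visible.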
You can create custom collector sets, but with Windows Server 2008, use the default templates
that are added when the server role is installed to do so. For example, to create a baseline
for a DC, simply create a user-defined data collector set that is based on the Active
Directory Diagnostics template and run it on a regular basis.
Then, when you are ready to view the results of your collection, you can rely on the Reports
section of the Windows Reliability and Performance node. Right-click the collector set for
which you want to view the report (either User Defined or System) and select Latest Report.
This will generate the report if it isn’t already available and provide extensive information on
the status of your DC. (See Figure 13-12.)
MORE INFO Performance Monitor scenarios
For more information on Performance Monitor, see the scenarios in the Windows Server 2008
Performance and Reliability Monitoring Step-by-Step Guide at
/windowsserver2008/en/library/7e17a3be-f24e-4fdd-9e38-a88e2c8fb4d81033.mspx?mfr=true.
Figure 13-12 Viewing an Active Directory diagnostics report
Working with Windows System Resource Manager
Windows Server 2008 includes an additional tool for system resource management, WSRM, a
feature that can be added through Add Features in Server Manager. WSRM can be used in two
ways. First, it can be used to profile applications. This means that it helps identify how
many resources an application requires on a regular basis. When operating in this mode,
WSRM logs events in the application event log only when the application exceeds its allowed
limits. This helps you fine-tune application requirements.
The second mode offered by WSRM is the manage mode. In this mode, WSRM uses its allocation
policies to control how many resources applications can use on a server. If applications
exceed their resource allocations, WSRM can even stop the application from executing and
make sure other applications on the same server can continue to operate. However, WSRM will
not affect any application if combined processor resources do not exceed 70 percent utilization.
This means that when processor usage is low, WSRM does not affect any application.
WSRM also supports Alerts and Event Monitoring. This is a powerful tool that is designed
to help you control processor and memory usage on large multiprocessing servers. By
default, the WSRM includes four built-in management policies, but it also includes several
custom resources you can use to define your own policies. Basically, WSRM will ensure that
high-priority applications will always have enough resources available to them for continued
operation, making it a good tool for DCs.
IMPORTANT DCs and WSRM
If you use single-purpose DCs, you will not need WSRM as much as if you use multipurpose DCs.
Multipurpose DCs will usually run other workloads at the same time as they run the AD DS service.
Using WSRM in this case can ensure that the AD DS service is available during peak hours by
assigning it more resources than other applications. However, consider your choices carefully when
deciding to create a multipurpose DC. DCs are secure servers by default and should remain this
way at all times. If you add workloads to a DC, you will need to grant access rights to the DC to
application administrators, administrators that do not need domain administration access rights.
Use WSRM to first evaluate how your applications are being used; then apply management
policies. Make sure you thoroughly test your policies before applying them in your production
environment. This way, you will be able to get a feel for WSRM before you fully implement it
in your network. When you’re ready, you can use WSRM Calendar to determine which policy
should be applied and when.
IMPORTANT WSRM resource requirements
If you are managing several servers with WSRM, you might need to dedicate resources to it
because it is resource-intensive. You might consider placing it on a dedicated management server
if this is the case.
Quick Check
1. You want to view potential error messages about the directory service. Where can
you find this information?
2. You are using WSRM to control processor and memory resources for several applications
on a server. However, after investigation, you see that none of your policies
are applied. What could be the problem?
3. What are the objects you can use to allocate resources in WSRM?
Quick Check Answers
1. View potential error messages about the directory service in Event Log. You can
view this information in two places. The first is by clicking the server role name in
the tree pane of Server Manager. This will display a summary view of directory service
events. The second is by going to the Directory Service log itself, under Event
Viewer. This will display all the events related to the directory service.
2. WSRM will not apply any policies if the processor usage does not reach 70 percent.
3. WSRM resource allocations can be assigned to three objects: processes, users, or
IIS application pools.
WSRM can be used for the following scenarios:
■ Use predefined or user-defined policies to manage system resources. Resources can be
allocated on a per-process, per-user, or per-IIS application pool basis.
■ Rely on calendar rules to apply your policies at different times and dates without any
manual intervention.
■ Automate the resource policy selection process based on server properties, events, or
even changes to available physical memory or processor count.
■ Collect resource usage information in local text files or store them in a SQL database.
You can also create a central WSRM collection system to collate resource usage from several
systems running their own instances of WSRM.
Table 13-7 outlines the default policies included in WSRM as well as the custom resources you
can use to create custom policies.
WSRM can completely control how applications can and should run.
Table 13-7 WSRM Policies and Custom Resources
Built-in Policy | Description
Equal per process | Assigns each application an equal amount of resources.
Equal per user | Groups processes assigned to each user who is running them and assigns equal resources to each group.
Equal per session | Allocates resources equally to each session connected to the system.
Equal per IIS application pool | Allocates resources equally to each running IIS application pool.
Custom Resource | Description
Process Matching Criteria | Used to match services or applications to a policy. Can be selected by file name, command, specified users, or groups.
Resource Allocation Policies | Used to allocate processor and memory resources to the processes that match criteria you specify.
Exclusion lists | Used to exclude applications, services, users, or groups from management by WSRM. Can also use command-line paths to exclude applications from management.
Scheduling | Use a calendar interface to set time-based events to resource allocation. Supports policy-based workloads because you can set policies to be active at specific times of day, specific days, or other schedules.
Conditional policy application | Used to set conditions based on specific events to determine whether policy will run.
PRACTICE AD DS Performance Analysis
In this practice, you will use both WRPM and WSRM to view the performance of your servers.
First, you will create a custom collector set. After the collector set is created, you will run it and
view the diagnostics report. In the second exercise, you will install WSRM to view the policies
it provides. These exercises rely on SERVER10, but SERVER11 should also be running.
Exercise 1 Create a Data Collector Set
A data collector set is the core building block of performance monitoring and reporting in WRPM.
You can create a combination of data collectors and save them as a single data collector set.
1. Log on to SERVER10 with the domain Administrator account.
You need to be a member only of the Performance Log Users group with the Log On As
A Batch Job user right, but for the purpose of these exercises, you will use the domain
administrator account.
2. In Server Manager, expand Diagnostics\Reliability and Performance\Data Collector
Sets, right-click User Defined, select New, and then select Data Collector Set.
3. On the Template page, type Custom AD DS Collector Set, make sure Create From A
Template (Recommended) is selected, and click Next.
4. On the next page, select the Active Directory Diagnostics template and click Next.
5. By default, the wizard selects %systemdrive%\PerfLogs\Admin as the root directory;
however, you might prefer to keep your collector sets on a separate drive if it exists. In
this case, click Browse, choose drive D, and create a new folder named AD DS Collector
Sets. Press Enter and click OK to close the dialog box, and then click Next.
6. On the Create The Data Collector Set page, in the Run As field, type the account name
and the password to run the data collector set. Leave the defaults and click Finish.
When you create collector sets for long-term use, use a special account that is both a
member of the Performance Log Users group and has the Log On As A Batch Job user
right to run your collector sets. Note that the Performance Log Users group has this right
assigned to it by default.
When you finish the New Collector Set Wizard, you are given three options:
❑ Open Properties Data For This Data Collector Set to view the properties of the data
collector set or to make additional modifications
❑ Start This Data Collector Set Now to run the data collector set immediately
❑ Save And Close to save the data collector set without starting the collection
Your custom data collector set has been created. Notice that it is stopped. To schedule
the Start condition for your data collector set, use the following procedure.
7. Right-click Custom AD DS Collector Set and click Properties.
8. Click the Schedule tab and click Add to create a start date, time, or day schedule.
9. In the Folder Action dialog box, make sure that today’s date is the beginning date, select
the Expiration Date check box, and set it as one week from today. Also, make sure that
the report time is set to the current time. Click OK.
You must set the start date of the schedule to now for the collection set to work. If not,
you will not be able to generate reports in later steps.
Note that you can create quite a modular schedule in this dialog box. Also, note that
selecting an expiration date will not stop data collection in progress on that date. It will
only prevent new instances of data collection from starting after the expiration date. You
must use the Stop Condition tab to configure how data collection is stopped.
10. Click the Stop Condition tab, select the Overall Duration check box, make sure it lists 5
minutes, and select the Stop When All Data Collectors Have Finished check box. Click OK.
You select the Stop When All Data Collectors Have Finished check box to enable all data
collectors to finish recording the most recent values before the data collector set is
stopped if you have also configured an overall duration.
You can also set limits on your collection. However, note that when an overall duration
is configured, it will override any limits you set. If you do want to set limits, make sure
the Overall Duration check box is cleared and define the following limits:
❑ Use When A Limit Is Reached, Restart The Data Collector Set to segment data
collections into separate logs.
❑ To configure a time period for data collection to write to a single log file, select the
Duration check box and set its value.
❑ To restart the data collector set or to stop collecting data when the log file reaches
a specific limit, select the Maximum Size check box and set its value.
Collector sets will generate a large amount of data if you allow them to run unmonitored.
To configure data management for a data collector set, use the following procedure.
11. Right-click Custom AD DS Collector Set and click Data Manager.
12. On the Data Manager tab, you can accept the default values or change them according to
your data retention policy. Keep the defaults.
❑ Select the Minimum Free disk or Maximum Folders check boxes to delete previous
data according to the resource policy you choose from the drop-down list (Delete
Largest or Delete Oldest).
❑ Select the Apply Policy Before The Data Collector Set Starts check box to delete
previous data sets according to your selections before the data collector set creates
its next log file.
❑ Select the Maximum Root Path Size check box to delete previous data according to
your selections when the root log folder size limit is reached.
