Dell™ Spotlight™ on Active Directory® 6.8.3
© 2013 Dell Software Inc. ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Dell Software Inc.
The information in this document is provided in connection with Dell Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell Software products. EXCEPT AS SET FORTH IN DELL SOFTWARE’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell Software does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact: Dell Software Inc.
Attn: LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656
Refer to our web site (www.software.dell.com) for regional and international office information.
Patents
This product is protected by U.S. Patent #: 6,249,883.
Trademarks
Dell, the Dell logo, and Spotlight are trademarks of Dell Inc. and/or its affiliates. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.
Spotlight on Active Directory User Guide Updated - October 2013
Software Version - 6.8.3
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
MOBILE: A MOBILE icon indicates that the functionality is available in a mobile application.
Contents
Using Spotlight™ on Active Directory® Topology Viewer
About This Guide
About Spotlight on Active Directory Topology Viewer
Connecting to Diagnostic Services
Discovering the Topology
Navigating the Interface
Parts of the Interface
Browsing by Site, Domain, or Grouping
Center on Server
Select
Server Information
Tools
Setting Impersonation Credentials
Setting Notification Groups
Customizing the Topology Viewer
Applying a System View
Creating a Custom View
Deleting a Custom View
Editing a Custom View
Resetting the Layout of the Current View
Setting Options
Analysis Test Options
Global Notification Options
Database Options
Operations Manager Options
Forest Discovery Options
Web Reports Options
Setting Properties
General Properties
Operating System Properties
DNS Properties
Time Sync Properties
Replication Properties
NTFRS Properties
DFSR Properties
GPO Properties
Latency Properties
Local Changes Properties
SCOM Properties
Integrating with Microsoft System Center Operations Manager
Detecting Active Directory Problems
Analysis Tests Categories
Running and Scheduling Analysis Tests
Diagnosing Problems
Spotlight on Active Directory Diagnostic Console
Resolving Replication and Time Sync Problems
Resolving Directory Replication
Managing Replication Links
Resolving File Replication
Managing the File Replication Services
Managing Logging
Increasing USN Journal Size
Managing Advanced GPO Logging
Resolving Time Synchronization
Setting Time Synchronization Parameters
Managing Actions
Managing Actions and Results
Canceling Pending Actions
Saving Action Results
Clearing Action Results
Launching Spotlight on Active Directory Diagnostic Console
Customizing the Topology Layout
Understanding System Views
Applying a System View
Creating a Custom View
Deleting a Custom View
Editing a Custom View
Resetting the Layout of the Current View
Working with Groups
Working with Groups
Autogrouping
Centering on Group
Collapsing
Expanding
Grouping Together
Ungrouping
Using the Spotlight on Active Directory Diagnostic Console
Introducing Spotlight on Active Directory Diagnostic Console
Starting Spotlight on Active Directory Diagnostic Console
Using Spotlight on Active Directory Diagnostic Console
Using Indicators
Using Spotlight on Active Directory Web Reports
Understanding Web Reports
Accessing Web Reports
Types of Web Reports
Viewing and Interacting with Web Reports
Browsing Web Reports
Using the Command Buttons
Using the Treeview
Using the File-Based Model
File Menu Commands
Viewing Report Information
Creating and Modifying Web Reports
Creating Custom Reports
Saving Web Reports
Editing Web Reports
Using Quick Filters
Changing Grouping Options
Creating Custom Graphs
Using the Graph Wizard
Guidelines for Creating Bar Charts
Guidelines for Creating Pie Charts
Guidelines for Creating XY Graphs
Setting Security
Role-based Security
Configuring the Web Report Subscription Service
The Subscription Wizard Welcome Page
Scheduling the Subscription Service
Sending the Subscription
Selecting Web Reports for the Subscription
Selecting a User Account
Displaying Subscriptions
Importing and Exporting Subscriptions
Using Preconfigured Reports
Preconfigured Reports in Spotlight on Active Directory Topology Viewer
Generating Report Data
Using Distributed Collection of Analysis Test Data (Collectors)
Using Distributed Collectors
Diagnostic Services
Collector Service
Collector Management Console
Installing Distributed Collectors
Using the Collector Management Console
Using the Spotlight on Active Directory Installation CD
Viewing Managed Sites and Servers
Configuring Collectors
Upgrading Distributed Collectors
Updating Collector Status
Uninstalling Distributed Collectors
Using the Collector Management Console
Using Add/Remove Programs in the Control Panel
About Dell
Contacting Dell
1 Using Spotlight™ on Active Directory® Topology Viewer
• About This Guide
• About Spotlight on Active Directory Topology Viewer
• Connecting to Diagnostic Services
• Discovering the Topology
• Navigating the Interface
• Setting Impersonation Credentials
• Setting Notification Groups
• Customizing the Topology Viewer
• Setting Options
• Setting Properties
About This Guide
NOTE: For Frequently Asked Questions or Troubleshooting information related to Spotlight on Active Directory, see the Spotlight on Active Directory Deployment Guide.
NOTE: For information on Spotlight basics, see the Spotlight Basics section of the Help menu of the Spotlight on Active Directory Diagnostic Console.
This document has been prepared to assist you in becoming familiar with Spotlight on Active Directory, an integral component of Spotlight Suite. This guide contains the information required to install and use Spotlight on Active Directory. It is intended for network administrators, consultants, analysts, and any other IT professionals using the product.
About Spotlight on Active Directory Topology Viewer
For more information on the features of Spotlight on Active Directory, see the Spotlight on Active Directory Quick Start Guide.
Connecting to Diagnostic Services
Before using Spotlight on Active Directory Topology Viewer, you must be connected to the Diagnostic Services. Diagnostic Services (DiagnosticTestEngineSLAD and DataManagerSLAD) are automatically installed during the standard installation of Spotlight on Active Directory Topology Viewer. If you select this installation option, the Spotlight on Active Directory Topology Viewer will automatically connect to the Diagnostic Services.
NOTE: For more information on the running of Spotlight on Active Directory, see the Spotlight on Active Directory Quick Start Guide.
CAUTION: The account used to run the Diagnostic Services must be a member of the Local Administrators group on the server where the Diagnostic Services are running.
However, you can also install Diagnostic Services on a different computer. If you select this installation option, then you will need to connect to Diagnostic Services the first time you run the Spotlight on Active Directory Topology Viewer. Once you have connected to the Diagnostic Services the first time, it will not be necessary to do so again unless the Diagnostic Services are located on a different server.
To connect to the Diagnostic Services
NOTE: When you launch Spotlight on Active Directory Topology Viewer, Diagnostic Services will attempt to autoconnect to the local host.
1. Select File | Connect to Diagnostic Services.
2. Enter the address of the computer where the Diagnostic Services reside.
Enter the IP address, the NetBIOS name, or the fully-qualified name of the computer. You can enter "Localhost" if the Diagnostic Services reside on the same computer as Spotlight on Active Directory Topology Viewer.
3. Click OK.
The Diagnostic Services connection status is shown in the bottom left corner of the Spotlight on Active Directory Topology Viewer window.
Discovering the Topology
NOTE: When you launch Spotlight on Active Directory Topology Viewer, Diagnostic Services will attempt to autoconnect to the local host.
You discover the topology of your Active Directory forest by connecting to a domain or DC in the forest. This DC becomes the query server, which is used to gather information about the forest.
To connect and discover your topology
1. Start Spotlight on Active Directory Topology Viewer.
2. Click Discover at the top of the Assistant pane.
OR
Select File | Discover Topology.
3. Enter the name of the DC.
NOTE: You can also enter either the IP address of the DC or the domain name. If you enter the domain name, the first server in the domain to answer the request becomes the query server.
4. Click OK.
2. Click Discover at the top of the Assistant pane.
OR
Select File | Discover Topology.
3. Click .
4. Browse to the DC, select it, and click OK.
Navigating the Interface
This section introduces the Spotlight on Active Directory Topology Viewer interface. The topics describe how the different menus, dialog boxes, and windows work together, and they provide details of how the parts of the application work together when administering your organization’s Active Directory network.
• Parts of the Interface
• Browsing by Site, Domain, or Grouping
• Center on Server
• Select
• Server Information
• Tools
Parts of the Interface
The Spotlight on Active Directory Topology Viewer consists primarily of three panes. The pane on the left is the Navigation pane, the center pane is the Main pane, and the pane on the right is the Assistant pane. Using the Navigation pane, you can view your topology layout and test results, manage action results, and run Web Reports. Your selection in the Navigation pane dictates the display in the Main pane and whether the Assistant pane is displayed.
The Navigation Pane
The Spotlight on Active Directory Topology Viewer contains tabs in the Navigation pane on the left:
Table 1: Topology Viewer Tabs
| Tab | Description |
| --- | --- |
| Topology | Displays the topology of the Active Directory forest to which you are connected. When you click this tab, the left pane expands to show a treeview of the forest while the main pane shows the topology view. |
| Analysis Test Results | Displays the results of the various Analysis Tests. The Main pane lists the type of test, the last update, and the last result. You can expand the test node to show the actual test, the server that was the focus of the test, and the actions, or steps, that took place as part of the test. If you select an actual test or server, further details are displayed below the main pane. |
| Web Reports | Expands to display a treeview showing all available Web Reports. When you select a report in the treeview, the main pane displays the actual report. |
| Getting Started | Guides you through the process of discovering your topology, running analysis tests, verifying results, and using the Diagnostic Console to troubleshoot and resolve problems in Active Directory. |
The Assistant Pane
The Assistant pane contains panes located on the right side of the Spotlight on Active Directory Topology Viewer interface:
NOTE: Click to hide the Assistant pane. When you hide the Assistant pane, all of the icons in the various panes are still visible. You can launch a tool or run a test by selecting a server and clicking the desired icon.
Table 2: Assistant Pane
| Tab | Description |
| --- | --- |
| Assistant | Gives you quick access to some of the most commonly used tools and analysis tests. Hover your pointer over each icon for the title of the feature. |
| Native Tools | When a problem occurs on a DC, to further troubleshoot and resolve the problem you may want to check some common information for that DC using native Microsoft management tools. From the Native Tools pane, you can launch any Microsoft tool: AD Sites & Services (allows you to review AD configuration); AD Users & Computers (allows you to review security and permissions); Computer Management (allows you to review service status, and manage a service); DNS Management Console (allows you to examine DNS configuration); Event Viewer (allows you to look for recent System event log errors on the DC). |
| Directory Replication Testing | Provides quick access to the Find Replication Failures, Check GPO Synchronization, Track Object Replication, and Test Replication Links tests. You can launch any of these tests by clicking the appropriate icon or the name of the test. |
| DNS Testing | Provides quick access to the Check DNS Entries and Check Partners’ DNS Entries tests. You can launch either of these tests by clicking the appropriate icon or the name of the test. |
| File Replication Testing | Provides quick access to the Confirm File Presence, GPO Synchronization, and Check NTFRS/DFSR Status tests. You can launch any of these tests by clicking the appropriate icon or the name of the test. |
| Status/Performance Testing | Provides quick access to the Check Service Pack and Hotfixes test and the Check Service Status test. You can launch either of these tests by clicking the appropriate icon or the name of the test. |
| Time Synchronization Testing | Provides quick access to the Check W32Time Differential, Check W32Time Parent Synchronization, and Check W32Time Status tests. You can launch any of these tests by clicking the appropriate icon or the name of the test. |
| Resolve Directory Replication | Allows you to exercise various management actions that address directory replication problems for selected servers. These include managing links, forcing replication, configuring Knowledge Consistency Checker (KCC) and flexible single master operation (FSMO) role transfers. You can perform any of these actions by clicking the appropriate icon or the name of the test. |
Scroll Bars
You can scroll to view different regions of your topology by clicking the red arrows on the borders of the Topology View pane.
Browsing by Site, Domain, or Grouping
You can browse by domain, site, or grouping. This makes it easier to navigate the treeview by reducing the number of branches. It is also an efficient way of finding a particular DC within its domain, site, or group structure. The default view of the Browse pane is by site. Select Browse by Domain if your network contains a large number of sites, but only a small number of domains.
To browse by site
1. Right-click the Forest node in the treeview.
OR
Right-click the My Favorites node in the treeview.
2. Select Browse By | Site.
The DCs in the Browse pane are organized by their site membership.
To browse by domain
1. Right-click the Forest node in the treeview.
OR
Right-click the My Favorites node in the treeview.
2. Select Browse By | Domain.
The DCs in the Browse pane are organized by their domain membership.
To browse by grouping
1. Right-click the Forest node in the treeview.
OR
Right-click the My Favorites node in the treeview.
2. Select Browse By | Grouping.
The DCs in the Browse pane are organized by their group membership.
Table 2: Assistant Pane (continued)
| Tab | Description |
| --- | --- |
| Resolve NTFRS/DFSR File Replication | Offers various management actions that you can take to address file replication problems for selected servers. Depending on the service you are using, these actions include managing the DFSR or NT File Replication Service (NTFRS) and DFSR or NTFRS logging, setting USN Journal size, and enabling and disabling advanced GPO logging. You can perform any of these actions by clicking the appropriate icon or the name of the test. |
| Resolve Time Synchronization | Contains the Set Parameters action with which you can set time synchronization parameters for selected servers. |
Center on Server
Use the Center on Server feature to focus on a specific server. Center on Server is useful in large topologies as you can bring a specific server to the center of the Topology View pane.
To center the topology view on a specific server
1. Click the Forest node in the treeview to see the list of DCs.
2. Select the DC you want to center in the Topology View pane.
3. Right-click the DC and select Center on Server.
NOTE: To go back to the original view or to see the entire topology view, either use the zoom icons (see Tools) or reset the current layout view (see Resetting the Layout of the Current View).
Select
The Select menu allows you to select specific DCs in the Topology View pane:
Table 3: Select Menu
| Option | Description |
| --- | --- |
| All | Selects all DCs in the forest. |
| By Name | Selects a specific server when you enter the server’s name. |
| DCs in Domain | Selects all DCs in the same domain as a selected DC. |
| Server Roles | Selects which DCs have server roles: PDC Emulators; RID Servers; Infrastructure Masters; Domain Naming Master; Schema Master; GC Servers; ISTG Servers. |
| My Favorites | A list of all your favorite configurations. My Favorites are logical groups of DCs that you define. This makes it easy to select many DCs at once: Create Favorite; Delete Favorite; Edit Favorite(s). |
Create Favorite
Favorites you create are added to the Browse pane under the My Favorites node and to the Select | My Favorites menu. Each Favorite grouping expands to show the full Domain Naming System (DNS) names of its DCs.
To create a Favorite
1. Select the DCs in the Browse or Topology View pane that you want to include in the Favorite.
2. Right-click and select Select | My Favorites | Create Favorite.
This launches the Favorites dialog box. The DCs you selected are displayed in the DCs in Favorite list.
NOTE: You can also right-click in the Browse or Topology View pane and select Select | My Favorites | Create Favorite.
3. Enter a name for the Favorite in the Favorite Name box.
4. Click OK.
NOTE: You can select to Browse by Site or Browse by Domain within the Create Favorite dialog box by right-clicking in the Available DCs pane.
The Favorite you created will be added in the Browse pane under the My Favorites node and to the Select | My Favorites menu.
Delete Favorite
You can select and delete Favorite groupings.
To delete a Favorite
1. Select the Favorite you want to delete in the Browse pane.
2. Right-click and select Select | My Favorites | Delete Favorite.
The Favorite you deleted will be removed from the Browse pane under the My Favorites node and from the Select | My Favorites menu.
Edit Favorite(s)
You can edit the Favorites you create and perform the following tasks:
• Add or remove a DC
• Add a site
• Add a domain
• Add an entire forest
• Add another Favorite
• Change the name of the Favorite
To add items to a Favorite
1. Right-click in the Browse or Topology View pane and select Select | My Favorites | Edit Favorite(s).
This launches the Favorites dialog box. Previously configured Favorites are displayed in the Configured Favorites list.
2. Select the Favorite you want to edit in the Configured Favorites list.
The name of the Favorite is displayed in the Favorite Name box, and the DCs that make up the Favorite are displayed in the DCs in Favorite list.
3. Select the DC/site/domain/forest you want to add to the Favorite in the Available DCs list and click Add.
NOTE: You can select to Browse by Site or Browse by Domain within the Edit Favorite(s) dialog box by right-clicking in the Available DCs pane.
Select the Favorite you want to add in the Available DCs list and click Add.
To remove DCs from a Favorite
1. Right-click in the Browse or Topology View pane and select Select | My Favorites | Edit Favorite(s).
This launches the Favorites dialog box. Previously configured Favorites are displayed in the Configured Favorites list.
2. Select the Favorite you want to edit in the Configured Favorites list.
The name of the Favorite is displayed in the Favorite Name box, and the DCs that make up the Favorite will display in the DCs in Favorite list.
3. Select the DC you want to remove from the Favorite in the DCs in Favorite list and click Remove.
Rename Favorite
To rename a Favorite
1. Select the Favorite you want to rename in the Browse pane.
2. Right-click and select Select | My Favorites | Rename Favorite.
3. Enter the new name for the Favorite.
Server Information
Server Information is displayed when you place the pointer over a DC in the Topology View pane. The name of the DC or server is shown.
To view Server Information
1. Discover your topology.
2. Place the pointer over a DC in the Topology View pane.
The DC name is shown.
NOTE: Server Information is enabled by default when you first launch Spotlight on Active Directory.
Tools
Spotlight on Active Directory Topology Viewer provides you with various tools when working with the Topology view:
Table 4: Tools
| Tool Name | Description |
| --- | --- |
| Toggle Site Grouping On/Off | Toggles Site grouping on and off. For more information, see Working with Groups. |
| Toggle CustomGroup Grouping On/Off | Toggles CustomGroup groupings on and off. For more information, see Working with Groups. |
| Toggle Replication Links On/Off | Toggles the display of replication arrows on and off. Replication arrows are dark aqua in color. |
| Toggle Time Sync Links On/Off | Toggles the display of time synchronization arrows on and off. Time synchronization arrows are blue in color. When interpreting Time Sync arrows, for example, a line from DC1 to DC2 indicates that DC1 sends its time to DC2. Therefore, DC2 synchronizes its time with DC1. |
| Toggle Labels On/Off | |
| Toggle Details On/Off | Toggles the display of server information on and off. Server information appears when you position your mouse over a DC in the topology. It displays the name, domain, and site of the DC, as well as the top 3 diagnostic and monitoring errors on that DC. If there are fewer than 3 monitoring errors, more diagnostic errors are shown. |
| Collapse Selected Grouping | Collapses selected expanded groups in the Topology View pane. |
| Expand Selected Grouping | Expands selected groups in the Topology View pane. |
| Group Selected Grouping(s) | Groups selected sites in the Topology View pane. |
| Ungroup Selected Grouping(s) | Ungroups selected sites in the Topology View pane. |
| Select Server or Groupings in the Topology | Allows you to select servers or groupings in the Topology View pane. |
| Pan the Topology | Allows you to reposition DCs in your topology view by clicking a DC and dragging it to a different position in the Topology View pane. |
| Zoom In | Magnifies the topology. Click the area of the topology where you want to zoom in. |
| Zoom Out | Zooms out the entire topology so you can see more in the Topology View pane. |
| Center on Point | Zooms in on the topology on the exact location you click (you do not have to click a server). |
| Toggle Prominent Links On/Off | Highlights the links for a selected group or node in the topology view. Links for other non-selected groups or nodes in the topology view will appear as dimmed. |
| Autogrouping | Opens the Autogrouping Rules dialog box, which allows you to create rules used to automatically organize your sites into groups. |
Setting Impersonation Credentials
You can configure alternate credentials under which to execute analysis tests. The user credentials you specify must have sufficient permissions to execute the analysis test.
To set impersonation credentials
1. Select Edit | Analysis Test Credentials.
This opens the Credential Management dialog box.
2. Click Add.
3. Enter the domain\user name and password you want to use.
You must enter a valid Windows user name, and this account must have sufficient administrative privileges to run the analysis tests.
4. Click OK.
The credentials are stored in a list of valid credentials for running analysis tests.
NOTE: You can also specify alternate credentials for impersonation in the Impersonation pane of the Analysis Test Options, or when scheduling an analysis test. For more information, see Running and Scheduling Analysis Tests.
Setting Notification Groups
You can configure different notification groups to be notified upon failure of an analysis test.
To set notification groups
1. Select Edit | Notification Groups.
This opens the Notification Groups dialog box.
2. Enter the name of the SMTP server.
3. Click New in the Notification Groups pane to add a new group.
4. Enter the new group name, the subject, and the originating email address for the group.
5. Click New in the Group Members pane.
6. Enter the recipient's First Name, Last Name, Email Address, and select Yes in the Enable field.
NOTE: To delete a notification group or a member of a notification group, select the group or group member you want to delete and click Delete.
7. Click OK.
Customizing the Topology Viewer
Initially, Spotlight on Active Directory Topology Viewer defaults to a layout view of the entire forest you have specified. However, it also provides system Views that you can apply to that forest, and it allows you to filter the topology view to suit your needs. This makes it much easier for you to view the status of, and work with, the servers you are concerned about. This ability is of particular value to local administrators who are responsible for a small number of domain controllers (DCs). Instead of dealing with the entire forest, you can create custom Views that display only specific domains or groups of DCs. You can also delete or edit these custom Views.
NOTE: Spotlight on Active Directory Topology Viewer retains the last View. This last View is loaded the next time you launch Spotlight on Active Directory Topology Viewer.
In addition to the topology view, system and custom Views are also applied to the treeview and the Analysis Test Results tab. Test results are shown only for the target servers that are part of the system or custom View currently applied.
You can customize the topology view by:
• Creating a Custom View
• Deleting a Custom View
• Editing a Custom View
• Resetting the Layout of the Current View
Applying a System View
Spotlight on Active Directory Topology Viewer provides system views that you can apply to the current discovered forest:
• All (default - shows entire forest)
• Domain Naming Masters
• Global Catalogs
• Infrastructure Masters
• Intersite Topology Generators
• PDC Emulators
• RID Masters
• Schema Masters
NOTE: When you apply another system or custom View, this can affect what is shown in the Analysis Test Results tab. If a server whose test results are shown is not included in the View you select, then those test results disappear from the Analysis Test Results tab.
Any custom views you create are also added to this list. You cannot delete or modify these system views.
To select a system view
1. Click in the View box above the topology view pane.
2. Select the system view you want to apply.
Creating a Custom View
You can create custom views and define them by site, domain, server or naming convention. You can select the domains or servers you want to include, or use naming conventions to filter only the servers you want to include.
To create a View
1. Select View | Create View.
This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane.
2. Click Next.
3. Select the type of view you want and click Next.
NOTE: Your selection can also be domains, servers or naming conventions, depending on the type of view you selected.
6. Review the settings you have selected.
To make changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page.
7. Click Finish to save and apply the view you have created.
Your custom view will be added to the View list above the main pane.
Deleting a Custom View
You can delete the custom View currently displayed. However, you cannot delete the system views provided with Spotlight on Active Directory Topology Viewer.
To delete the current View
1. Select View | Delete Current View.
2. Click Yes to confirm you want to delete the current View.
Editing a Custom View
NOTE: You cannot modify the system views that are provided with Spotlight on Active Directory Topology Viewer.
Once you have created a custom View, you can modify it. Spotlight on Active Directory Topology Viewer allows you to change any of the parameters of the custom View currently displayed.
To edit the current View
1. Select View | Edit Current View.
This launches the View Wizard. You can also do this by clicking next to the View list above the main topology view pane.
2. Click Next.
3. Modify the type of view if necessary and click Next.
NOTE: You can also modify domains, servers or naming conventions, depending on the type of view you selected.
4. Modify the sites included in the View if necessary and click Next.
5. Change the name of the View if necessary and click Next.
6. Review the settings you have selected.
To make further changes, click Back until the Wizard displays the page you want, make your corrections and then click Next until you are at the Summary page.
7. Click Finish to save and re-apply the View you have modified.
Resetting the Layout of the Current View
If you have adjusted the server layout in your topology view by moving the servers, you can reset the view back to its original layout.
To reset the layout of the current View
Setting Options
Spotlight on Active Directory Topology Viewer allows you to customize or define default settings for:
• Analysis Test Options
• Global Notification Options
• Database Options
• Operations Manager Options
• Forest Discovery Options
• Web Reports Options
• Setting Properties
Analysis Test Options
You can specify default Analysis test settings for newly created analysis tests. These settings include Scheduling, Impersonation, and Notification options.
To configure the default analysis test options
1. Select Edit | Options.
2. Click the Analysis Tests icon in the Options pane.
3. In the Execution Schedule pane, select Run every and specify the interval for running the test.
OR
Select Run every day at and enter the time you want the test to run.
You can select the Between check box to run the test during specified hours. The default setting is to execute the test every 30 minutes, daily, between 8 AM and 5 PM.
4. In the Notification Settings pane, accept the default - <no notification group>.
OR
Select a notification group from the list. If no lists are available, see Global Notification Options on page 20.
If you select a notification group, specify the number of consecutive alarms needed to trigger the notification (whether you want to limit the number of notifications sent and the maximum number of notifications sent per alarm).
5. Select the check box if you want to forward alerts to SCOM.
6. In the Impersonation Settings pane, select Execute the credentials of the diagnostic services. These are the credentials entered during the installation of the diagnostic services. This is the default option.
OR
Select Execute using a credential.
NOTE: When you run an analysis test using the Run Once option, default notification and
Select the credentials you want to use from the list of available credentials. Click Configure Credentials to open the Credential Management dialog box and add existing Windows credentials to the list of credentials you can use to execute analysis tests.
Global Notification Options
You can configure Spotlight on Active Directory Topology Viewer to globally send email notifications upon failure of an analysis test. All users in a defined notification group are notified when a test fails. In addition to email notifications, you can configure notifications to launch external applications.
Notifications are not sent if the test does not complete. Notifications are sent only if the test fails upon completion.
To configure the global notification options
1. Select Edit | Options.
2. Click the Global Notifications icon in the Options pane on the left of the dialog box.
3. Enter the name of the SMTP server for sending email notifications.
NOTE: The application is launched by the Diagnostic Services and has no interaction with the desktop.
4. Enter the application to run on alert.
5. Enter the parameters to run the application, and click OK.
NOTE: Should you change any of the global settings after a test has been configured and scheduled to run, that test will still run with its original configuration. To modify the settings for an existing test, select Edit | Analysis Test.
The system stores this information for future use.
Database Options
The supported databases are SQL Server 2005, SQL Server 2005 Express, SQL Server 2008, SQL Server 2008 Express, SQL Server 2008 R2, SQL Server 2008 R2 Express, SQL Server 2012, and SQL Server 2012 Express.
To activate database storage
1. Select Edit | Options.
2. Click the Database icon in the Options pane.
3. Enter the interval for data retention for raw, hourly, and daily in the Database Retention box. (The default interval is 30 days. Database retention specifies the length of time analysis test results are stored. Test results older than the specified retention period are purged from the database on a nightly basis.)
Operations Manager Options
You can configure Spotlight on Active Directory Topology Viewer to integrate with Operations Manager, either System Center Operations Manager 2007 R2 or 2012 Service Pack 1. This provides end-to-end discovery, diagnosis, and resolution of Active Directory issues from a single console. You can set the location of the Operations Manager to read alerts from the Operations Manager database and display them in Spotlight on Active Directory. These alerts can be viewed by right-clicking a domain controller in the Topology Viewer, and navigating to the Operations Manager Properties tab. You can set the location of the server to allow forwarding alerts generated from Spotlight on Active Directory to Operations Manager.
To configure Operations Manager options
1. Select Edit | Options.
2. Click the Operations Manager option.
3. You can select to do one of the following:
• disable System Center Operations Manager Connector
• configure System Center Operation Manager 2007 R2 Connector
• configure System Center Operation Manager 2012 Connector
If you want to configure SCOM, the location of the Operations Manager Server is inserted automatically.
4. Click OK.
You are prompted to exit Spotlight on Active Directory and restart the DiagnosticTestEngine service for the changes to take effect.
NOTE: Alerts will be forwarded to SCOM database and displayed at the SCOM console under Spotlight Connector Views - Alert Generated Events in SCOM Monitoring pane.
5. Open the Options dialog box again. Select the Analysis Tests option, enter the Notification Settings, and select the Forward alerts to System Center Operations Manager (SCOM) check box. Click OK.
Forest Discovery Options
Every two hours, Spotlight on Active Directory Topology Viewer automatically refreshes the topology of all the forests you have discovered. However, you can configure Spotlight on Active Directory Topology Viewer to refresh only selected forests.
To configure Forest Discovery options
1. Select Edit | Options.
Web Reports Options
If the computer running IIS also has SSL installed, Spotlight on Active Directory Topology Viewer must use the SSL format in order for Web Reports to work properly. You can make this configuration change using the Web Reports options.
To configure Web Reports options
1. Select Edit | Options.
2. Click the Web Reports icon in the Options pane on the left of the dialog box.
3. Select the Use SSL when browsing Web Reports check box, and click OK.
Setting Properties
The Properties dialog box provides you with Replication and Time Synchronization properties. You can view general computer information, view and configure the monitored objects list, view messages returned by monitored objects, and view local changes on specific servers.
To view properties
1. Right-click a node in the forest.
2. Select Properties.
Spotlight on Active Directory Topology Viewer contains these properties tabs:
• General Properties
• Operating System Properties
• DNS Properties
• Time Sync Properties
• Replication Properties
• NTFRS Properties
• DFSR Properties
• GPO Properties
• Latency Properties
• Local Changes Properties
• SCOM Properties
General Properties
The General Properties tab contains the following:
• DNS Name - indicates the name of the selected DC on the Active Directory network
• IP Address - indicates the IP address assigned to the selected DC
• Domain - indicates the domain to which the selected DC belongs
• Site - indicates the site to which the selected DC belongs
• PDC Emulator
• RID Master
• Infrastructure Master
• Domain Naming Master
• Schema Master
• ISTG Server
• GC
• Total Physical Memory - indicates the total amount of memory available
• Processors - indicates the vendor, speed, and model number of the processors in the DCs on your network
Operating System Properties
The Operating System Properties tab contains the following:
• Version - indicates the current version of the operating system
• Build - indicates the build number of the version
• Service Pack - indicates the current service pack installed on the selected DC
• Hotfixes - indicates the details of any hotfixes that have been applied to the selected DC
• Hotfix ID - the Microsoft Knowledge Base Article Number
• Comments - the patch information for the Article Number
• Start the Service Pack and Hotfix Analysis using this configuration button - indicates the analysis process uses the Service Pack and Hotfix details of the selected DC when applying the diagnostic view.
DNS Properties
The DNS Properties tab contains the following:
• DNS Servers - indicates the DNS Servers associated with the network card
• DNS Registered Records - lists the registered DNS records on the DNS servers on the network
Time Sync Properties
The Time Sync Properties tab contains the following:
• Configuration - indicates Time Synchronization details for the selected DC:
• Synchronization Type - indicates the type of synchronization performed.
• Parent - indicates the DC being used by the selected DC to synchronize its time. By default, this is the PDC Emulator for the domain.
• Period - indicates the specified number of times per day, if the Specified times per day option is selected.
• Service State - indicates the current state of Time Synchronization. The possible states are as follows:
• Running
• Pausing
• Stopped
• Stopping
• Starting
• Resuming
Replication Properties
The Replication Properties tab contains the following:
• Distinguished Name - indicates the distinguished name of the selected DC
• KCC Enabled (intersite) - shows if the intersite (between sites) KCC is enabled on the selected DC. If the KCC is enabled, it will return a value of Enabled. If it is disabled, it will return a value of Disabled.
• KCC Enabled (intrasite) - shows if the intrasite (within sites) KCC is enabled on the selected DC. If the KCC is enabled, it will return a value of Enabled. If it is disabled, it will return a value of Disabled.
• Replication Links - shows replication link direction and the DCs that replicate with the selected DC:
• Inbound - indicates if the link is inbound from the DC in the Domain Controller column
• Outbound - indicates if the link is outbound to the DC in the Domain Controller column
• Domain Controller - gives a list of replication partners
NTFRS Properties
NOTE: This property is only visible if a NTFRS server is selected.
The NT File Replication Service (NTFRS) Properties tab contains the following:
• General Settings - shows the following general settings:
• Working Directory - shows the working storage directory for replication data
• Staging Space Limit - shows the maximum amount of disk space allocated to files held on disk until they are retrieved by all downstream replication partners
• USN Journal Size - shows the current size of the update sequence number (USN) Journal in megabytes (MB)
• Short Polling Interval - shows the interval the NTFRS uses to poll the Active Directory at service startup or after configuration changes
• Long Polling Interval - shows the interval with which NTFRS polls the Active Directory for configuration changes after eight short polling intervals have finished without interruption
• Log Settings - shows the following logging-related details:
• NTFRS Logging Enabled - Shows if NTFRS Logging is enabled or disabled on the selected domain controller.
• Log File Severity Detail - Shows the level of detail that the NTFRS records in its trace log files (Ntfrs_000n.log).
• Number of Log Files Generated - The number of debug log files that are kept on the selected domain controller.
• Number of Messages per Log File - The maximum number of messages logged to a file for the selected domain controller.
NTFRS Log File Viewer
The NTFRS Log File Viewer collects the names of all the log files currently existing on a DC. Click a specific log file in the Available Log Files list to load the log file information into the bottom listview of the dialog box. The NTFRS Log File Viewer displays the following:
• Location of Log Files - indicates the DC where the log files are located
• Available Log Files - indicates the name, size (bytes), and time stamp of the log files on the DC
• Log Files - indicates the specific log file you select in the Available Log Files list
• Number of Entries - indicates the number of entries in the log file you select
• Data - shows the Log file details including the Source, Thread ID, Line, Severity, Time, and Message for each entry in the log file
• Load Progress - shows the progress of the log file as it loads into the Data pane
DFSR Properties
NOTE: This property is only visible if a DFSR server is selected.
The Distributed File System Replication Service (DFSR) Properties tab contains the following:
• General Settings - shows the following general settings:
• Staging Directory - shows the temporary storage directory for replication data.
• Polling Interval - shows the interval, in minutes, between Active Directory Domain Service cycles.
• Reghosting Rate - shows the maximum rate, in minutes, at which reghosting occurs.
• Enable Light DS Polling - shows if the periodic check for configuration changes in the Active Directory Domain Services is enabled or disabled. Enabling light DS polling speeds up the service response to certain types of configuration changes.
• Max Offline Time - shows the maximum number of days that the server can be disconnected from replication.
• Log Settings - shows the following logging-related details:
• DFSR Logging Enabled - Shows if DFSR Logging is enabled or disabled on the selected domain controller.
• Log File Severity Detail - Shows the level of detail that the DFSR records in its trace log files (Dfsr_000n.log).
• Number of Log Files Generated - The number of debug log files that are kept on the selected domain controller.
• Number of Messages per Log File - The maximum number of messages logged to a file for the selected domain controller.
• Service State - shows the current state of DFSR: Running, Stopped, or Missing
GPO Properties
The Group Policy Object (GPO) Properties tab contains the following:
• GPO Logging - shows the following details:
• Advanced GPO Event Logging Enabled - shows Enabled or Disabled, depending on whether or not GPO Event Logging is enabled
• GPO Name - shows the name given to the GPO when it is created
• GUID - shows the unique identifying number assigned to the GPO when it is created
• Created - shows the date and time the GPO was created
• Changed - shows the date and time the GPO was last changed
• SU - shows the Sysvol user version of the GPO
• SM - shows the Sysvol machine version of the GPO
• DU - shows the directory services user version of the GPO
• DM - shows the directory services machine version of the GPO
Latency Properties
The Latency Properties tab contains the following:
• Replication Latency - shows how long it takes replication to occur from one DC to another:
• Domain Controller - shows the DCs to which the selected DC has a replication path.
• Site - shows the site to which the DC belongs.
• DS Replication Time - shows the amount of time it takes for AD replication to occur.
• File Replication Time - shows the amount of time it takes for file replication to occur.
Local Changes Properties
The Local Changes Properties tab contains the following:
• Distinguished name of Root Object to obtain list from - indicates the distinguished Name of the AD object to be used as the starting point of the search. You can browse for the AD object you want to use.
• Highest Committed USN - indicates the highest committed Update Sequence Number (USN)
• List changes since - shows the USN to be used as the starting point in the search. By default, this number is the Highest Committed USN, but you can enter a different number if you want to search based on a number other than the Highest Committed USN.
NOTE: Double-click an object in the list to display its properties. The Changed Object Properties dialog box lists the name of the Object Property that changed, the version of the Object Property, the time the change occurred, the originating server, the Originating USN, and Local USN.
• List All Changes on this Server since USN - shows all of the objects with changes since the indicated USN
SCOM Properties
The SCOM Properties tab allows you to view details about errors and warnings discovered by your SCOM server. The SCOM tab will display only those alerts raised on a selected domain controller (DC) in the last 30 days.
NOTE: Select Edit | Options | Operations Manager to connect to a SCOM server.
The SCOM Properties tab contains the following:
• SCOM Server - shows the location of the SCOM server
• Alerts - shows the following details:
• Description - shows the description of the alarm that was raised
• Name - shows the name of the alarm that was raised
• Repeat Count - shows the number of times a particular alarm has been raised
• Resolution State - shows the state of the event (whether it has been resolved or not)
• Severity - shows the severity of the alarm raised - 1 indicates a warning and 2 indicates a critical error
NOTE: Double-click an entry on the SCOM Properties tab to open the SCOM Alerts dialog box. The SCOM Alerts dialog box lists more detailed information about the entry. If there are multiple entries in the list, you can view them in the dialog box using the and
buttons.
• Time Raised - shows the time the alarm was raised
Integrating with Microsoft System Center Operations Manager
The Spotlight on Active Directory Topology Viewer offers integration with System Center Operations Manager (SCOM):
• SCOM 2007 R2
• SCOM 2012 Service Pack 1
Spotlight on Active Directory must meet the following prerequisites for SCOM integration:
• The Spotlight on Active Directory Console component must be installed on the Operations Manager server.
• The Microsoft Active Directory management pack must be installed and configured on the Operations Manager administrator console.
• SCOM agents must be deployed on the domain controllers (DCs) to be monitored, in order to see the Operations Manager alerts for the AD management pack.
To configure SCOM to launch Spotlight on Active Directory Diagnostic Console
To integrate the Diagnostic Console with SCOM, you must create a custom console task.
1. Select the Authoring pane, and click Create New Task.
2. Select Console Tasks as the task type and Command line as the sub-type.
3. Select Default Management Pack as the destination management pack. Click Next.
4. Enter "Diagnose using Spotlight" as the task name, and select Windows Domain Controller as the Task Target. Click OK. Click Next.
5. For the Applications Name, enter the file path to the Spotlight Launcher (either SpotlightLauncher2007.exe or SpotlightLauncher2012.exe, depending on the version of SCOM used). The Spotlight Launcher is located in the Spotlight folder where Spotlight on Active Directory is installed.
6. Select Display Name as a parameter.
7. Select a Working Directory.
8. Click Create.
You can now launch the Spotlight on Active Directory Diagnostic Console from SCOM by selecting a Domain Controller alert and clicking the created task.
To configure SCOM within Spotlight on Active Directory Topology Viewer, see Operations Manager Options
Detecting Active Directory Problems
• Detecting Active Directory Problems
• Analysis Tests Categories
• Running and Scheduling Analysis Tests
Detecting Active Directory Problems
Spotlight on Active Directory Topology Viewer provides analysis tests to help you detect and analyze Active Directory problems. You can run analysis tests instantaneously, or schedule them to run at specific times. You can also configure Spotlight on Active Directory Topology Viewer to notify you, based on the results of the different analysis tests. For more information, see Setting Notification Groups on page 16.
Analysis Tests Categories
You can run any of the following analysis test categories:
• Directory Replication
• DNS
• File Replication
• Status/Performance
• Time Synchronization
Directory Replication
Table 1: Directory Replication Analysis Tests
Directory Replication Analysis Test Description
Verify Directory Replication Health
Creates an object in the domain partition that will be replicated to all other domain controllers. Based on what domain controllers are selected as targets, Spotlight on Active Directory will check those domain controllers for the replicated object and report back how long it took for the object to replicate. The container is found at the root of the domain naming partition and is named QuestReplicationMonitoring. A container for each target domain controller will be created within the QuestReplicationMonitoring container. It determines if a selected DC has replicated with its replication partners.
When running or scheduling the Verify Directory Replication Health analysis test, select the following:
• You cannot have more than one active test with the same source server.
• The source server cannot be the same as the destination server.
• The timeout value cannot exceed the execution frequency.
• There must be at least one destination server in the same domain as the source server or Global Catalog (GC) server.
Verify Schema Consistency
Checks all target domain controllers against the Schema Master to ensure Schema consistency.
Find Replication Failures
Checks all replication links for any errors that occurred in the last replication attempt.
When this analysis tool fails, you should:
• Check to make sure the DC is running and is connected to the network.
• Check to see if you can connect to the DC through Microsoft Native Tools (ADSIEdit, Sites and Services). If not, then you probably do not have administrative access to bind to that computer.
Check GPO Synchronization
First gets a list of all group policies from the PDC Emulator. It then compares the file and directory version of each group policy from the selected domain controllers to the version found on the PDC Emulator. If the PDC Emulator is in the list of target domain controllers, it will be skipped as the PDC Emulator is the source to which group policies are compared. This test shows if the following GPO properties are inconsistent across any of the selected DCs in the forest:
• Sysvol user version
• Sysvol machine version
• Directory Services user version
• Directory Services machine version
When this analysis tool fails, you should:
• DCs flagged as red may not have received replication updates from their partners. Try forcing replication between any affected DC and its partners using the Force Replication analysis tool.
• Check to see if there have been any replication failures on the affected DC.
• Ensure that you have administrative access to the registry on the DC. The Sysvol location is stored in the remote registry.
DNS
The DNS test category contains the following available analysis tests:
Track Object Replication
Allows the user to select any object and track it as it is replicated throughout your Active Directory forest. This test is used to determine if all servers in the forest have the selected copy of an Active Directory object. The Update Sequence Number (USN)/source computer pair for each property on the selected object is recorded from the source computer. This ensures that the tested computer has received all changes made to the object on the source computer.
When you run or schedule this analysis test, you must select more than one DC. The first DC becomes the source server. You must also enter the full LDAP path of the object you want to track.
When tracking an object in the domain naming context, Global Catalog servers outside the domain might fail the analysis test. Any Global Catalog server in the forest will fail the analysis test if it does not have the selected copy of an Active Directory object.
Test Replication Links
Ensures connectivity across all selected replication links. If you run this test on a computer that is offline, you may receive the error: There are no more end points available from the end point mapper.
When this action fails, you should:
• Check to see if the replication partner is operational.
• Check if the replication partner can be contacted by the target computer. The Check Partners' DNS Entries analysis tool will tell you if the remote DC can find the DNS entries it needs from its replication partners.
• Run the Find Replication Failures analysis tool to see if there have been replication problems in the past.
• Run the Check W32Time Differential analysis tool to see if there is a time synchronization problem causing the failure.
File Replication
The File Replication test category contains the following available analysis tests:
Table 2: DNS Analysis Tests
DNS Analysis Test Description
Verify DNS Health
Checks the health and responsiveness of DNS and whether domain controllers (DCs) are properly configured to use DNS. It checks all dependencies that Active Directory has on DNS. This test validates numerous settings with DNS.
• If the Verify Netlogon entries check box is selected, the test will enumerate all network adapters, get all the DNS servers for those adapters, ensure each DNS server is online and responsive, and then validate each entry listed for that DNS server.
• If the Verify partner Netlogon entries check box is selected, the test will enumerate all replication partners for the target domain controller and validate all entries listed for each DNS server.
• If the Verify PDC advertising check box is selected, the test will ensure that an entry is listed in DNS for each PDC Emulator in Active Directory.
• If the Verify GC advertising check box is selected, the test will ensure that an entry is listed in DNS for each Global Catalog in Active Directory.
• If the Skip Domain A record validation check box is selected, the test will not trigger an alarm on any missing Domain A records.
• If the Verify zone existence check box is selected, the test will ensure that there is a zone for that domain controller’s domain.
• If the Verify forwarder availability check box is selected, the test will check the registry on the DNS server to enumerate the forwarders and then ensure each forwarder is online.
• User-specified external records of types A, SRV, and CNAME can be resolved.
• The DNS Health test retrieves installed network adapters once every four hours.
• DNS servers other than those used by domain controllers can be tested.
It queries the DNS Server IP addresses specified for the network adapter of the targeted DCs. This test reconciles Netlogon entries found on the DC with the ones registered on the DNS server. It performs this same validation for the DC’s replication partners. The status of the DNS entries registration with replication partners is shown in the test results. Click the link in the test results to see the DNS entries that have registered successfully or the individual records that are missing on the DNS server.
Check DNS Entries
Validates each DNS entry for the selected domain controllers. This test verifies that the DNS Entries registered by a specific DC can be found on the DNS Servers configured for the computer running Spotlight on Active Directory Topology Viewer.
When this analysis tool fails, you should:
• Ensure that the server is operational.
• Ensure that you have access to the admin$ share on the server. The tool requires access to the netlogon.dns file stored in admin$\System32\config.
• Check to see if you can make DNS requests from your computer. (The tool contacts the default DNS Servers for the local computer.)
Check Partners’ DNS Entries
Validates each DNS entry for the replication partners of the selected domain controllers. This test verifies that the DC can find the DNS records of each of its inbound replication partners on the DNS server that it is using.
When this analysis tool fails, you should:
• Ensure that the DC and its partners are operational.
• Ensure that you have access to the admin$ share on the server. This tool requires access to the netlogon.dns file stored in admin$\System32\config on each of the target DNS server's inbound replication partners.
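The reconciliation that Verify DNS Health, Check DNS Entries and Check Partners' DNS Entries describe can be reproduced offline. The following Python example is added here and is not Spotlight's own code. The netlogon.dns content and the DNS server answers are constructed, the forest is assumed to have a single domain, and a "Domain A record" is assumed to mean the A record whose owner is the domain name itself.

```python
"""Added example: reconcile a DC's netlogon.dns with what a DNS server holds."""
from __future__ import annotations

from typing import NamedTuple


class Record(NamedTuple):
    name: str   # owner name, lower-case, without trailing dot
    rtype: str  # A, SRV or CNAME
    data: str   # normalised record data


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_records(text: str) -> set[Record]:
    """Parse zone-file style lines: <owner> <ttl> IN <type> <rdata...>."""
    records: set[Record] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"line {lineno}: not a resource record: {raw!r}")
        owner, _ttl, _cls, rtype, *rdata = parts
        rtype = rtype.upper()
        if rtype == "SRV":
            if len(rdata) != 4:
                raise ValueError(f"line {lineno}: SRV needs 4 data fields")
            prio, weight, port, target = rdata
            data = f"{int(prio)} {int(weight)} {int(port)} {_norm(target)}"
        elif rtype == "CNAME":
            data = _norm(rdata[0])
        else:  # A and other address-like records
            data = rdata[0].lower()
        records.add(Record(_norm(owner), rtype, data))
    return records


def missing_records(expected, registered, domain, skip_domain_a=False):
    """Records the DC expects (netlogon.dns) that the DNS server lacks."""
    missing = expected - registered
    if skip_domain_a:
        # Assumption: "Domain A record" = A record owned by the domain name.
        apex = _norm(domain)
        missing = {r for r in missing
                   if not (r.rtype == "A" and r.name == apex)}
    return sorted(missing)


def advertising(registered, domain):
    """PDC and GC advertising: is the locator SRV record present in DNS?"""
    present = {(r.name, r.rtype) for r in registered}
    d = _norm(domain)
    return {
        "pdc": (f"_ldap._tcp.pdc._msdcs.{d}", "SRV") in present,
        "gc": (f"_ldap._tcp.gc._msdcs.{d}", "SRV") in present,
    }


# Constructed netlogon.dns content for a DC named dc1.corp.example.
NETLOGON_DNS = """\
corp.example. 600 IN A 192.0.2.10
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.pdc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.gc._msdcs.corp.example. 600 IN SRV 0 100 3268 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
gc._msdcs.corp.example. 600 IN A 192.0.2.10
"""

# Constructed answers, as if collected from the DNS server the DC uses.
DNS_SERVER_ANSWERS = """\
; the GC locator record and the domain A record are absent here
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 DC1.corp.example.
_ldap._tcp.pdc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
gc._msdcs.corp.example. 600 IN A 192.0.2.10
"""

if __name__ == "__main__":
    expected = parse_records(NETLOGON_DNS)
    registered = parse_records(DNS_SERVER_ANSWERS)
    for rec in missing_records(expected, registered, "corp.example"):
        print("MISSING", rec.name, rec.rtype, rec.data)
    print(advertising(registered, "corp.example"))
```

Run the same comparison against the records held by each inbound replication partner's DNS server to mirror the partner check.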
Table 3: File Replication Analysis Test
File Replication Analysis Test Description
Verify File Replication Health
Creates a file in the SYSVOL share to be replicated. Based on what domain controllers are selected as targets, Spotlight on Active Directory will check those domain controllers for the replicated file and report back how long it took for the file to replicate. The file will be created within the domain folder that resides in the SYSVOL share. The filename will be QuestFrsMonitoring<domain> where <domain> is the fully qualified domain name for that domain controller. This test determines if a selected domain controller (DC) can replicate files with its replication partners.
When running the Verify File Replication Health analysis test, you should consider the following:
• You cannot have more than one active test with the same source server.
• The source server cannot be the same as the destination server.
• The timeout value cannot exceed the execution frequency.
• There must be at least one destination server in the same domain as the source server.
For more information on starting NTFRS or DFSR, see Starting the Service on page 51.
Confirm File Presence
Allows you to select any file and check for its presence on other domain controllers. This test verifies that the files stored on all shares are physically the same files. Confirm File Presence verifies the file size in bytes, file date, and file name between the source computer and all other selected computers.
When you run or schedule this analysis test, select the source server from the list and enter the name of the file or folder you want confirmed. The Confirm File Presence analysis test will stop comparing files on a DC once 10 errors have been reached.
When this analysis tool fails, you should:
• Ensure that you have administrative rights to access the file system on the affected DC.
Check GPO Synchronization
First gets a list of all group policies from the PDC Emulator. It then compares the file and directory version of each group policy from the selected domain controllers to the version found on the PDC Emulator. If the PDC Emulator is in the list of target domain controllers, it will be skipped as the PDC Emulator is the source to which group policies are compared. This test shows if the following GPO properties are inconsistent across any of the selected DCs in the forest:
• Sysvol user version
• Sysvol machine version
• Directory Services user version
• Directory Services machine version
When this analysis tool fails, you should:
• DCs flagged as red may not have received replication updates from their partners. Try forcing replication between any affected DC and its partners using the Force Replication analysis tool.
• Check to see if there have been any replication failures on the affected DC.
• Ensure that you have administrative access to the registry on the DC. The Sysvol location is stored in the remote registry.
• Ensure that you have access to the file system on the DC. The file portion of GPOs is read from the Sysvol container on the remote DC.
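The comparison described for Check GPO Synchronization (in both the Directory Replication and File Replication tables) can be reproduced offline. The following Python example is added here and is not Spotlight's own code. Host names, GUIDs and version values are constructed, and it assumes the standard GPO version encoding: the Version value in GPT.INI and the versionNumber attribute in the directory each hold the user version in the upper 16 bits and the machine version in the lower 16 bits.

```python
"""Added example: compare GPO versions on each DC with the PDC Emulator."""
from __future__ import annotations

import configparser
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class GpoVersions:
    su: int  # Sysvol user version (from GPT.INI)
    sm: int  # Sysvol machine version (from GPT.INI)
    du: int  # directory services user version (versionNumber)
    dm: int  # directory services machine version (versionNumber)


def split_version(raw: int) -> tuple[int, int]:
    """Split a 32-bit GPO version into (user, machine)."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError(f"GPO version out of range: {raw}")
    return raw >> 16, raw & 0xFFFF


def sysvol_version(gpt_ini_text: str) -> int:
    """Read Version= from the [General] section of a GPT.INI file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version")


def read_versions(gpt_ini_text: str, version_number: int) -> GpoVersions:
    su, sm = split_version(sysvol_version(gpt_ini_text))
    du, dm = split_version(version_number)
    return GpoVersions(su, sm, du, dm)


def check_gpo_sync(snapshot, pdc_emulator):
    """snapshot maps DC name -> {GPO GUID -> GpoVersions}.

    The GPO list and reference versions come from the PDC Emulator, which
    is skipped as a target. Returns (dc, guid, field, expected, actual).
    Reporting a GPO that is absent on a DC is an addition of this example.
    """
    reference = snapshot[pdc_emulator]
    findings = []
    for dc in sorted(snapshot):
        if dc == pdc_emulator:
            continue
        for guid in sorted(reference):
            seen = snapshot[dc].get(guid)
            if seen is None:
                findings.append((dc, guid, "MISSING", None, None))
                continue
            for f in fields(GpoVersions):
                want = getattr(reference[guid], f.name)
                got = getattr(seen, f.name)
                if want != got:
                    findings.append((dc, guid, f.name.upper(), want, got))
    return findings


def ini(version: int) -> str:
    """Build a minimal constructed GPT.INI."""
    return f"[General]\nVersion={version}\n"


# Constructed GUIDs and DC names.
GPO_A = "{AAAAAAAA-0000-0000-0000-000000000001}"
GPO_B = "{BBBBBBBB-0000-0000-0000-000000000002}"
PDC = "dc1.corp.example"

SNAPSHOT = {
    PDC: {
        GPO_A: read_versions(ini(196613), 196613),  # user 3, machine 5
        GPO_B: read_versions(ini(65537), 65537),    # user 1, machine 1
    },
    "dc2.corp.example": {
        GPO_A: read_versions(ini(196612), 196613),  # Sysvol copy is behind
        GPO_B: read_versions(ini(65537), 65537),
    },
    "dc3.corp.example": {
        GPO_A: read_versions(ini(196613), 196613),
        GPO_B: read_versions(ini(65537), 1),        # directory copy is behind
    },
}

if __name__ == "__main__":
    for dc, guid, field, want, got in check_gpo_sync(SNAPSHOT, PDC):
        print(f"{dc} {guid} {field}: PDC Emulator has {want}, DC has {got}")
```

A mismatch in SU or SM points at file replication of the Sysvol share, while a mismatch in DU or DM points at directory replication.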
Check NTFRS/DFSR Status
Shows if the NTFRS or DFSR service is not running on the selected domain controllers.
For more information on starting the file replication services, see Starting the Service on page 51.
When this analysis tool fails, you should:
• Try starting the NTFRS or DFSR service through Spotlight on Active Directory Topology Viewer.