Easy AD Troubleshooting

NetPro's Directory Troubleshooter fills the Active Directory management void.

One of the toughest parts about troubleshooting Active Directory (AD) has always been the sheer number of tools you need to employ to see what's under the hood.

Microsoft gives you almost everything you need, but it's spread out across System Monitor, Support Tools such as Repadmin and Replmon, the Windows event logs and more. Integration between these tools is often lacking, which forces you to do a lot of work to get a grip on what AD is doing from moment to moment.

For some time now, NetPro has been trying to fill the AD management void with its Directory Troubleshooter (DT) product, offering some good monitoring features and basic analysis capabilities. But, judging from the Beta 1 version that I tested, version 4.0 of the product is a total rewrite that makes troubleshooting significantly easier. The tool comes with a slick, easy-to-understand interface and packs in an amazing number of AD troubleshooting tools. Heads up, Microsoft: This is the tool your administrators have been asking for. And, unlike the bevy of Resource Kit tools we've been using in the past, DT is a fully supported product.

Built-In Tests
DT comes with a set of built-in, "black box" tests that analyze specific problem areas of AD functionality, such as File Replication Service (FRS), which replicates SYSVOL (and with it Group Policy) and is vital to AD's health, but is not well understood by many administrators. Built-in troubleshooting categories pull up relevant information for a variety of AD problems, such as FRS and DNS resolution. Other tests cover AD disk space usage, replication and so forth. Figure 1 shows an AD disk space report that picks up on some best practice violations.

Figure 1. Directory Troubleshooter identifies best practice violations, such as these that cropped up in a disk space report.

Each built-in test allows you to target one or more specific DCs (or, in many cases, an entire domain), and presents reports in an intuitive outline format so you can see exactly how everything is configured. Built-in tests in the beta version include client networking tests, DNS, Directory Replication Agent (DRA), Directory System Agent (DSA), event log, File Replication Service (FRS), GPOs, the Knowledge Consistency Checker (KCC), Kerberos checks (useful for seeing what authentication protocols are enabled), network, server, tombstoned or lost objects, trusts and more. It's invaluable to be able to access this information from one console when you're troubleshooting; with a couple of button clicks, for example, you can see which DCs hold the various Flexible Single Master Operations (FSMO) roles in a particular domain.
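As an added illustration (not DT's code, nor anything from NetPro), the following PowerShell gathers three of the items those built-in tests report, the FSMO role holders, replication partner status for every DC and the forest tombstone lifetime, using the RSAT ActiveDirectory module. The 24-hour staleness threshold is an assumption; DT's own thresholds are not documented on this page.

```powershell
# Added example, not NetPro's code: a few of DT's built-in checks (FSMO holders,
# replication partner status, tombstone lifetime) gathered with the RSAT
# ActiveDirectory module. Assumes the module is installed and the caller can
# query every DC; the staleness threshold is an assumption, not DT's.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles live on the forest object, domain roles on the domain object.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # An absent attribute means the forest still uses the pre-2003 SP1 default of 60 days.
    if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
}

function Test-ReplicationHealth {
    param([int]$MaxHoursSinceSuccess = 24)   # assumed threshold
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            ForEach-Object {
                $age = (Get-Date) - $_.LastReplicationSuccess
                [pscustomobject]@{
                    Server    = $dc.HostName
                    Partner   = $_.Partner
                    Partition = $_.Partition
                    LastError = $_.LastReplicationResult        # 0 means the last attempt succeeded
                    Failures  = $_.ConsecutiveReplicationFailures
                    Stale     = $age.TotalHours -gt $MaxHoursSinceSuccess
                }
            }
    }
}

Get-FsmoRoleHolders
"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Test-ReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
```

A DC that is unreachable, or that has no inbound partners, simply produces no rows, so an empty result from Test-ReplicationHealth is not proof of health; compare the row count with the number of DCs and naming contexts you expect. The tombstone lifetime matters for the "tombstoned or lost objects" test above: a DC that has been offline longer than that value will reintroduce lingering objects if it is allowed to replicate again.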

NetPro Directory Troubleshooter 4.0
Version reviewed: Beta 1
Current status: Beta 1 released in early August 2004
Expected release: Late 2004 to early 2005

Security Check
In the new era of heightened security awareness (at least, I'm told it's heightened, but given all the companies routinely hit by worms that exploit vulnerabilities for which patches have long been available, I wonder), it's almost unreasonable to release a tool without including some security bits. DT is no exception, but its security components aren't afterthoughts.

The "Security Configuration" report is a godsend, listing each domain controller's OS, service pack, hotfixes, enabled authentication methods, volume information and more. As with many other reports, best practices are built in. As shown in Figure 2, a bright yellow band warns that a DC still accepts LAN Manager authentication, and notes that Microsoft recommends disabling it (which makes me wonder why Microsoft enabled it to begin with). The recommendation is sound: the LM challenge-response and the LM password hash are weak enough that anything captured on the wire or lifted from a DC is cracked in short order. DT falls short of actually making the configuration change for you, but keep in mind that a number of its best-practice recommendations can require significant configuration or even design changes, many of which need advance planning. It would be nice, however, if the tool provided a link to a Knowledge Base article or other resource that describes the highlighted issue and lists the steps to correct it.
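The check behind that yellow band is a pair of registry values under the Lsa key. The PowerShell below is an added example, not DT's code or NetPro's, that evaluates those values on every DC the way the report does; it assumes the RSAT ActiveDirectory module and WinRM access to the DCs, and the host name in the constructed sample is made up.

```powershell
# Added example, not NetPro's code: the LAN Manager check behind DT's
# "Security Configuration" warning, done as a registry query against every DC.
# Assumes the RSAT ActiveDirectory module and WinRM access to the DCs.
Import-Module ActiveDirectory

function Test-LmSettings {
    param(
        [string]$Computer,
        $LmCompatibilityLevel,   # 0-5; $null when the value is absent (OS default applies)
        $NoLMHash                # 1 = stop storing LM hashes; $null when absent
    )
    $findings = @()
    # Levels 0-3 only change what this machine *sends*; a DC keeps accepting LM
    # responses until level 4 (refuse LM) or 5 (refuse LM and NTLM). Every Windows
    # default is below 4, so an absent value counts as a finding too.
    if ($null -eq $LmCompatibilityLevel -or [int]$LmCompatibilityLevel -lt 4) {
        $findings += "accepts LM authentication (LmCompatibilityLevel=$LmCompatibilityLevel); set it to 4 or 5"
    }
    # Without NoLMHash the DC keeps the weak LM hash of every password; the
    # setting only takes effect as each account's password is next changed.
    if ([int]$NoLMHash -ne 1) {
        $findings += "stores LM hashes (NoLMHash=$NoLMHash); set it to 1 and expire passwords"
    }
    [pscustomobject]@{ Computer = $Computer; Findings = $findings }
}

function Invoke-LmScan {
    Get-ADDomainController -Filter * | ForEach-Object {
        $lsa = Invoke-Command -ComputerName $_.HostName -ErrorAction SilentlyContinue -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        }
        if (-not $lsa) { Write-Warning "$($_.HostName): unreachable, not assessed"; return }
        Test-LmSettings -Computer $_.HostName `
            -LmCompatibilityLevel $lsa.LmCompatibilityLevel -NoLMHash $lsa.NoLMHash
    }
}

# Constructed values, not read from a real DC: a 2003-era default configuration.
Test-LmSettings -Computer 'dc1.example.test' -LmCompatibilityLevel 2 -NoLMHash $null

# Live scan of the domain (uncomment to run):
# Invoke-LmScan | Where-Object { $_.Findings } | Format-List
```

Two caveats a practitioner should keep in mind. On Windows 2000, NoLMHash was a subkey rather than a DWORD value, so this query will not see it there. And moving DCs to level 4 or 5 refuses authentication from clients that can only send LM or NTLM (Windows 9x without the Directory Services Client, some appliances), which is exactly the kind of change the review says needs advance planning.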

Figure 2. Best practices are built in to Directory Troubleshooter, such as this one regarding authentication.

Your Own Tests
You can also configure your own ready-to-run tests. Each test is essentially a list of target DCs, and a list of reports or jobs to run against those DCs. A test, then, is a preconfigured set of reports or jobs designed to quickly pull up the information you need to troubleshoot a particular category of problem. The list of included reports is insanely long; I can't imagine anything that you could pull out of AD that isn't covered by an existing report.

Jobs, meanwhile, are a clever addition. While reports can help you figure out what's wrong, jobs can in some cases actually fix a problem by reconfiguring AD or taking some other corrective action.

The list of jobs, while shorter than the report list, is intriguing: Jobs exist to clean up AD metadata after demoting a DC, change the status or startup type of specified services, and so forth. For example, one job can retrieve the boot.ini file from a DC and let you edit it, right within the DT console. And it's not just a shortcut to Notepad: you're actually given a UI copied straight out of Windows, making it easier to edit the sometimes-complex boot.ini settings. There's even a "Manage Users" job that allows you to modify a particular user account. Because these jobs change service state, boot configuration and accounts on domain controllers, the account that runs the DT console is effectively a domain administrator, and its credentials and the machine it runs on deserve to be protected as such.

Beta Man's Routine Disclaimer:
The software described here is incomplete and still under development; expect it to change before its final release, and hope it changes for the better.

Super PerfMon
Because so much AD diagnostic data comes from System Monitor (aka Performance Monitor, or PerfMon), you really can't do without it from a troubleshooting point of view. DT incorporates PerfMon-like capabilities, and goes one step further in many regards. For example, Figure 3 shows a custom diagnostic view, which allows me to review a DC's CPU and memory utilization in one view, updated in real time. Other data, such as processor queue length, disk statistics, pagefile hits and misses, are all available on this screen (making a 1024x768 or better resolution pretty much a necessity). A drop-down list at the top of the page provides instant access to memory stats, the OS, detailed disk stats, the network adapter stats and more. There are also pages for AD replication statistics and FRS replication statistics, which each display replication partners and replica information, among other data.

Figure 3. Custom diagnostic views allow you to view multiple parameters, updated in real time, on a single screen.

What makes DT so much better than PerfMon—for me at least—is the fact that it requires no configuration. The key counters configure automatically and the display is much easier to interpret. Rather than deciphering a crazy-looking line graph with eight colors and patterns, each key diagnostic gets its own little meter, not dissimilar to the basic stats shown in Task Manager, allowing you to more quickly see what's what with a DC.

Wanted: Betas for Review

Beta Man is always on the lookout for quality products to review. If you know of a software product that is currently or soon to be in beta, contact Beta Man at [email protected]. Vendors are welcome, but please act early; the meticulous Beta Man needs plenty of lead time.

Of course, DT has alerting options, too, essentially mimicking PerfMon's ability to alert you when a particular counter reaches a threshold. While these alerts aren't as complex as those offered by a product like Microsoft Operations Manager (MOM), I consider them more useful than the ones in PerfMon. Because DT offers so much data in such a small package, it wouldn't be unreasonable to have an older hand-me-down computer running the DT console nonstop, acting as sort of an "AD dashboard." Pop-up alerts on that machine would be noticeable, and the DT console would let you immediately investigate. What would be even better is if DT could cycle through its performance screens—processor, memory, disk and so forth—automatically.
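The "AD dashboard" idea, a console polling the key counters and raising an alert when one crosses a threshold, is simple enough to reproduce without the product. The PowerShell below is an added example, not DT's code, that samples a handful of real System, Memory and NTDS counters on a DC and evaluates them against PerfMon-style thresholds; the threshold values, the polling interval and the host name are assumptions to tune per environment.

```powershell
# Added example, not NetPro's code: the "AD dashboard" reduced to a polling loop
# over key counters with PerfMon-style thresholds. The counter paths exist on any
# DC; the threshold values and the 15-second interval are assumptions.
$thresholds = @{
    '\Processor(_Total)\% Processor Time'            = 85
    '\System\Processor Queue Length'                 = 4
    '\Memory\Pages/sec'                              = 1000
    '\NTDS\LDAP Client Sessions'                     = 2000
    '\NTDS\DRA Pending Replication Synchronizations' = 50
    '\NTDS\DS Threads in Use'                        = 32
}

function Test-Thresholds {
    # Compare one sample (counter path -> value) against the thresholds;
    # emits one line per breached counter and nothing when all is well.
    param([hashtable]$Sample, [hashtable]$Thresholds)
    foreach ($path in $Thresholds.Keys) {
        if ($Sample.ContainsKey($path) -and $Sample[$path] -gt $Thresholds[$path]) {
            "ALERT {0} = {1:N1} (limit {2})" -f $path, $Sample[$path], $Thresholds[$path]
        }
    }
}

function Get-DcSample {
    param([string]$ComputerName, [string[]]$Counters)
    $sample = @{}
    $set = Get-Counter -ComputerName $ComputerName -Counter $Counters -ErrorAction SilentlyContinue
    foreach ($s in $set.CounterSamples) {
        # Sample paths carry a \\host prefix and lower-case names; strip the host
        # so they match the threshold keys (hashtable lookups ignore case).
        $sample[($s.Path -replace '^\\\\[^\\]+', '')] = $s.CookedValue
    }
    $sample
}

function Watch-DomainController {
    param([string]$ComputerName, [int]$Iterations = 20, [int]$IntervalSeconds = 15)
    for ($i = 0; $i -lt $Iterations; $i++) {
        $sample = Get-DcSample -ComputerName $ComputerName -Counters @($thresholds.Keys)
        Test-Thresholds -Sample $sample -Thresholds $thresholds |
            ForEach-Object { Write-Warning ("{0} {1}: {2}" -f (Get-Date -Format 'HH:mm:ss'), $ComputerName, $_) }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Constructed sample, not taken from a DC, to exercise the evaluation offline:
Test-Thresholds -Thresholds $thresholds -Sample @{
    '\Processor(_Total)\% Processor Time' = 92.5
    '\System\Processor Queue Length'      = 1
}

# Live polling of one DC (uncomment to run):
# Watch-DomainController -ComputerName 'dc1.example.test'
```

A single breached sample is noise on a busy DC; in practice you would require the condition to hold across several consecutive polls before alerting, which is the behaviour PerfMon alerts and DT's thresholds both approximate with their sampling interval.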

A Must-See Tool
More information should be forthcoming about DT 4.0 soon. Check out NetPro's Web site at www.netpro.com to see what's available. I regard DT as a must-see tool, and once you see it I expect you'll consider it a must-have tool. The sheer time savings from having so much troubleshooting information all in one console is invaluable, especially in large environments.
