Active Directory Management Pack Overview


This is part of the Microsoft Active Directory Management Pack Technical Reference guide.

Active Directory Management Pack provides a predefined, ready-to-run set of processing rules, monitoring scripts, and reports that are specifically designed to monitor the performance, availability, and security of Active Directory. ADMP provides a complete Active Directory monitoring solution by:

  • Monitoring all aspects of Active Directory health.

  • Monitoring the health of vital processes that Active Directory depends on, including replication, LDAP protocol, DC Locator, trusts, NetLogon, FRS, Intersite Messaging service, Windows Time service, and KDC.

  • Monitoring client service levels.

  • Collecting key performance data.

  • Providing comprehensive reporting, including reporting on service availability and service health, as well as reporting for use in capacity planning.

By detecting, creating alerts for, and automatically responding to critical events, ADMP helps to indicate, correct, and prevent possible Active Directory service outages.

ADMP monitors events that are placed in the Application, System, and Directory Service event logs by different Active Directory components and subsystems. It includes key performance metrics to monitor the overall performance of Active Directory and to alert you to critical performance issues. Using MOM Reporting, you can analyze and graph this performance data to understand usage trends and to manage system capacity.

ADMP includes Active Directory–specific views that provide a quick look at the health of your Active Directory implementation. ADMP contains 42 reports in the following key areas:

  • Active Directory discovery

  • Health monitoring and operational recovery

  • Replication monitoring

  • Operations

  • Service level monitoring

Design Goals

The Microsoft Active Directory product team designed Active Directory Management Pack to meet the following monitoring design goals, which represent important criteria for any Active Directory monitoring effort:

  • The cost in dollars, time, and complexity that is required to monitor Active Directory should not exceed the expected benefit of greater reliability and service availability.

  • The monitoring system should be ready-to-run, with no postinstallation customization required.

  • All alerts that the monitoring system generates to notify the operator of problems should provide help suggesting the corrective action.

  • Alerts should only be generated when a problem needs attention. The monitoring system should not generate so many events as to overwhelm the operator who is responsible for resolving the problems.

  • Monitoring should not consume so many resources as to diminish system performance and core service delivery.

  • The monitoring solution should generate a minimal amount of network traffic.

  • The total number of performance counters and the frequency with which they are collected should be kept as low as possible — to keep demands on the system low — while still capturing relevant data in a timely manner.

  • Scripts should be run locally, instead of remotely, to reduce network bandwidth and latency.

  • Any Active Directory monitoring solution should also monitor services on which Active Directory heavily depends, such as DNS and FRS.

  • Using a distributed architecture, such as the architecture that is provided by Microsoft Operations Manager 2000, greatly increases monitoring scalability.

  • Any Active Directory monitoring solution should include comprehensive monitoring from the perspective of clients, not just from the perspective of domain controllers.

Active Directory Management Pack Functionality

Based on these design goals, Active Directory Management Pack includes some key technical functionality for monitoring Active Directory, as described in the following sections.

Proactive, Early Warning Alerts

Active Directory Management Pack is designed as a proactive system that watches for, prevents, and remediates Active Directory problems before they become large problems.

Service-Level Monitoring

The health of an Active Directory deployment cannot be determined simply by monitoring the health of individual domain controllers. Some processes, such as time synchronization and replication, require the monitoring of Active Directory as a distributed service. In addition, the health of Active Directory from the perspective of the client must be considered. For example, while a domain controller may appear to be running properly, from the perspective of a directory client that is unable to locate the domain controller because of broken service locator records, the health of that domain controller is very poor. Active Directory Management Pack does not just monitor the health of individual domain controllers; it also monitors the health of Active Directory as a distributed service and from the perspective of directory clients.

Minimizing Alert Quantity

A powerful design feature of Active Directory Management Pack is the consolidation of related events into a single alert that you can use to take action. In addition, you can tune the volume of events and alerts, based on the needs of your organization or topology. For monitoring systems across limited-bandwidth connections, for example, you can disable nonessential monitoring rules, such as rules for capacity planning.

Maximizing Alert Quality

Active Directory Management Pack is designed so that every alert that is presented to an administrator includes information regarding corrective actions to take. In addition, ADMP categorizes alerts into multiple severity levels, depending on the urgency of the alert. ADMP can easily be configured to page administrators immediately for the more severe error levels.


All Active Directory Management Pack alerts include context-specific Help suggesting the corrective action.

Ready-to-Run Rules

With Active Directory Management Pack, you do not need to determine what aspects of Active Directory to monitor. ADMP has been designed by the Microsoft Active Directory product team to include a “ready-to-run” collection of more than 400 processing rules that run by default — out of the box — to monitor all aspects of Active Directory operations.

Support for Windows 2000 Server and Windows Server 2003

Active Directory Management Pack can monitor domain controllers running Windows 2000 Server, as well as domain controllers running Windows Server 2003. In addition, ADMP includes separate processing rule groups for each of the two operating systems, and it applies the appropriate set of processing rule groups when monitoring a domain controller, based on the operating system that the domain controller is running.

Knowledge Base Guidance for Every Processing Rule

Every processing rule in Active Directory Management Pack includes a Microsoft Knowledge Base entry to provide troubleshooting information and to help administrators understand and address the alert triggered by that processing rule. For each processing rule, you can also add information that is specific to your environment, through the MOM console.

OnePoint Service Account and ADMP

For Active Directory Management Pack to properly monitor Active Directory, the MOM service (OnePoint) must be run under the Local System account on the domain controllers that are being monitored.

Active Directory Management Pack Monitoring Scenarios

Active Directory Management Pack is designed to provide valuable monitoring information for most implementations of Active Directory. In particular, ADMP is designed for use in the most common Active Directory deployment scenarios. These scenarios are described in the following sections.

Well-connected LAN

In a well-connected local area network (LAN) environment, all computers communicate with servers — and with each other — over LAN connections with bandwidth of at least 10 megabits per second and often 100 megabits per second. Usually, servers communicate with each other over faster backbone connections of up to 1 gigabit per second. Furthermore, this high bandwidth can be expected to be available all the time. The default, out-of-the-box installation of Active Directory Management Pack is designed for a well-connected LAN. In this scenario, you can safely leave all ADMP rules and reports enabled, including those for trend and capacity planning, without compromising network bandwidth.

The following figure illustrates the use of ADMP in a well-connected LAN.


Figure 3: ADMP in a Well-connected LAN

Branch Office

In a branch office environment, a satellite local office or regional office of an organization runs as a smaller subnet of a larger LAN. The branch office connects to a larger corporate or headquarters LAN through a limited-bandwidth wide area network (WAN) connection, such as a 56-kilobits-per-second leased line or a 1.544-megabits-per-second T1 line. In this scenario, Microsoft Operations Manager 2000 agents run on domain controllers at the branch office site, and they report their data to a MOM server that is located at the main office. Because of the limited bandwidth between the branch office and the main office, administrators usually want to minimize the bandwidth overhead of MOM-related and ADMP-related traffic.

In this environment, Microsoft Operations Manager 2000 and Active Directory Management Pack provide easy controls for reducing the volume of alerts that are reported by MOM agents to the MOM server. For example, MOM administrators managing branch office scenarios typically turn off capacity planning, trend analysis, and performance monitoring rules. These rules can provide important information when ample bandwidth is available. But for simply maintaining Active Directory health on a day-to-day basis, they can be disabled when bandwidth is limited, as shown in the following illustration.


Figure 4: Branch Office Scenario

Well-connected LAN/Branch Office Hybrid

In terms of general network topology, this scenario is identical to the previous scenario, with a smaller, satellite office communicating with a central, well-connected LAN through a limited-bandwidth connection. But unlike the previous scenario, the hybrid scenario includes full Active Directory Management Pack monitoring for domain controllers in some of the branch offices, in addition to full monitoring for domain controllers in the main office.

In this scenario, you can use computer groups in Microsoft Operations Manager 2000 to configure both high-bandwidth and low-bandwidth monitoring configurations, and you can assign domain controllers into computer groups as appropriate, depending on the available bandwidth. The following illustration shows an example of a hybrid MOM scenario.


Figure 5: Well-connected LAN/Branch Office Hybrid Scenario

Note: Dial-on-demand scenarios include isolated networks that do not have an “always-on” connection to a larger corporate environment. Dial-on-demand scenarios represent a smaller, but still important, segment of Active Directory deployments. Dial-on-demand scenarios have not yet been incorporated into ADMP functionality, except where a dial-on-demand scenario overlaps with one of the other Active Directory scenarios.