Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Security Seminar ‘06


DESCRIPTION

Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM. Jeff Alexander, IT Pro Evangelist, Microsoft Australia. Agenda: Building the Base; Introducing the Active Directory Management Pack (ADMP); ADMP Monitoring and Server Health; ADMP Reporting.

TRANSCRIPT

Page 1: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM


Page 2: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Jeff Alexander
IT Pro Evangelist
Microsoft Australia

Page 3: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Agenda

• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Page 4: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Resilient Infrastructure

[Diagram labels: Other NOS; Application Packages; Internet; VPN; Quarantine; Cisco FWSM; Cisco MPLS VPN]

Page 5: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

MOM 2005 Architecture

[Diagram labels: Administrator; Web; Operator; Reporting; Agent-managed; Agentless managed; MOM Reporting Server; Reporting Database; MOM Database; Management Pack; MOM Server; Domain A; Domain B; Management Group; Support Users]

Page 6: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

MOM 2005 Sizer

Page 7: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Monitoring the stack

Partners provide complete monitoring solutions

[Diagram labels: Sybari; Jalasoft Network Management; Exchange; Windows; HP Proliant Servers; Jalasoft Power Management]

Page 8: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Agenda

• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Page 9: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Why Monitor Active Directory?

• Hardware failures
• Disk space
• Network connectivity
• Configuration errors
• Errant applications

• Login/password issues
• Group Policy
• Resource access
• Exchange e-mail
• Replication issues

Page 10: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Active Directory Management Pack

Page 11: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Other Management Packs

Base Operating Systems

Exchange

Group Policy

DNS

Page 12: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Active Directory Public Views

• Computer Group Views
• Event Views
• Performance Views
• Alert Views
• Task Status Views
• Diagram Views

Health Monitoring
• Active Directory Domain Controller Alerts
• Lingering Object Alerts
• Service Level Exceptions for DCs

Discovery
• Domain Controllers by OS Version

Task Status
• Enumerate Trusts
• Replication Status Snapshot
• Service Principal Name Health

Discovery
• Number of Client Sessions

Health Monitoring
• Active Directory Database
• CPU and Memory Usage on DCs
• DC and GC Response Time

Replication Monitoring
• Replication Traffic
• Replication Latency

Replication Topology
• Broken Connection Objects
• Connection Objects
• Site Links

Client Side Monitoring
• Client Side Events

Health Monitoring
• GC Search Response Events
• Active Directory Op Master Response Events
• Directory Service Errors
• NTDS Events
• Clean Up After Cross-Domain Moves

Page 13: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Replication Topology Diagram Views

Three different views:
• Broken Connection Objects
• Connection Objects
• Site Links

• Server health state
• Annotated server roles
• Site links
• Detailed tool tips

Page 14: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Demonstration: Introducing the ADMP

• Exploring the Administrator Console
• Exploring the Operator Console
• Defining Client Side Monitoring Computers

Page 15: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Agenda

• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Page 16: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Active Directory State Monitoring

[Diagram labels: Client View; Server Health; Replication Health; Service Health]

• Is each DC configured properly?
• Are all DCs replicating?
• Is replication occurring in a timely fashion?
• Has initial replication completed in the last 24 hours?

• Active Directory service healthy?
• Other processes that are vital to the health of Active Directory?
• Database growth and log file free space OK?

• Are the necessary FSMO role holders responsive?
• Is the Active Directory service responsive?
• Can clients connect to the directory?

• End-to-end replication via change injection
• Health of inbound connection objects
• Appropriate number of replication partners
• Site islands
• Slow replication

• Health of LSASS, KCC, Userenv
• State of NetLogon, FRS, ISM, W32Time, KDC
• Name resolution and DC locator
• SYSVOL accessibility

• Serverless bind threshold
• GC Search Time
• Lost object count
• Availability of LDAP and crucial roles
• Name resolution and DC locator
• Client Pack tests

• Serverless bind
• PDC availability
• Minimum number of GCs available
• Targeted DCs availability and responsiveness

• Can clients connect to PDC, GCs?
• Is Active Directory responsive to clients?

Page 17: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Monitoring Scenarios: Client Side Monitoring

[Diagram labels: Ping; ICMP; LDAP; Search; Global Catalogs; PDC Emulator]

Page 18: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Monitoring Scenarios: Active Directory Trust Relationships

Monitors and detects problems

Page 19: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Monitoring Scenarios: Account and Authentication Issues

• Password issues
• Credential issues
• Duplicate accounts
• Other problems

Page 20: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Other Monitoring Scenarios

• Net Logon Service
• UGMC
• Dependent Services
• Active Directory Availability
• Replication Performance Monitoring

Page 21: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Client Side Monitoring Scenario

[Diagram labels: Seattle.contoso.com; London.contoso.com; SEA-DC-01; SEA-DC-02; LON-DC-01; LON-DC-02; LON-EXC-01; Exchange user; "My e-mail is slow!"; Help Desk; MOM 2005]

Page 22: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Replication Monitoring

[Diagram labels: Source DCs; Target DCs]

• New container: CN=MomLatencyMonitors
• Scripts add timestamps to monitor latency
• Separate thresholds for intra- and intersite
• Computers can be both source and target
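
Added example (not code from the deck or from the ADMP): a simplified Python model of the timestamp-based latency check this slide describes, with separate intrasite and intersite thresholds and DCs acting as both source and target. The threshold values, the site assignments and the sample timestamps are constructed assumptions; only the DC names come from the deck.

```python
from datetime import datetime, timedelta

# Assumed alert thresholds (constructed; not values from the deck or the ADMP).
INTRASITE_MAX = timedelta(minutes=15)
INTERSITE_MAX = timedelta(hours=3)

# Assumed site membership, inferred from the DC name prefixes in the deck.
SITE_OF = {"SEA-DC-01": "Seattle", "SEA-DC-02": "Seattle",
           "LON-DC-01": "London", "LON-DC-02": "London"}


def evaluate(stamps, sightings, now):
    """Classify every source -> target replication path.

    stamps:    {source_dc: time the source wrote its timestamp marker}
    sightings: {(source_dc, target_dc): time the target first saw that marker}
    Returns a list of (source, target, scope, lag, status) tuples.
    """
    findings = []
    for source, written in sorted(stamps.items()):
        for target in sorted(SITE_OF):
            if target == source:
                continue
            same_site = SITE_OF[source] == SITE_OF[target]
            scope = "intrasite" if same_site else "intersite"
            limit = INTRASITE_MAX if same_site else INTERSITE_MAX
            seen = sightings.get((source, target))
            if seen is not None:
                lag = seen - written
                status = "ok" if lag <= limit else "slow"
            else:
                # Marker has not arrived yet: only alert once it is overdue.
                lag = now - written
                status = "pending" if lag <= limit else "missing"
            findings.append((source, target, scope, lag, status))
    return findings


def alerts(findings):
    """Keep only the paths that breached their threshold."""
    return [(s, t, status) for s, t, _, _, status in findings
            if status in ("slow", "missing")]


# Constructed sample data: two DCs act as sources, and both are also targets.
T0 = datetime(2006, 3, 1, 9, 0)
STAMPS = {"SEA-DC-01": T0, "LON-DC-01": T0}
SIGHTINGS = {
    ("SEA-DC-01", "SEA-DC-02"): T0 + timedelta(minutes=2),
    ("SEA-DC-01", "LON-DC-01"): T0 + timedelta(minutes=40),
    ("SEA-DC-01", "LON-DC-02"): T0 + timedelta(hours=4),
    ("LON-DC-01", "LON-DC-02"): T0 + timedelta(minutes=25),
    ("LON-DC-01", "SEA-DC-01"): T0 + timedelta(minutes=50),
    # ("LON-DC-01", "SEA-DC-02") is absent: the marker never arrived.
}
NOW = T0 + timedelta(hours=5)

if __name__ == "__main__":
    for row in alerts(evaluate(STAMPS, SIGHTINGS, NOW)):
        print(row)
```

The 40-minute Seattle-to-London path passes only because the intersite limit applies; the 25-minute London-to-London path is flagged because the tighter intrasite limit does.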

Page 23: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Demonstration: ADMP Monitoring and Server Health

• Troubleshooting Replication Problems
• Configuring Low-Privilege Account
• Forcing Data Collection

Page 24: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Agenda

• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Page 25: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

ADMP Reports

Configuration

Disk Space

Operations

Replication

Page 26: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Demonstration: ADMP Reporting

Performing the Initial Triage Using Predefined Reports

Page 27: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Agenda

• Building the Base
• Introducing the Active Directory Management Pack (ADMP)
• ADMP Monitoring and Server Health
• ADMP Reporting
• SMS 2003 Patch Management (ITMU)
• Summary and Q&A

Page 28: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Overview of Inventory Tool for Microsoft Updates (ITMU)

Why the change to ITMU?
• SMS 2003 currently uses Microsoft Baseline Security Analyzer (MBSA)
• The MBSA scan engine is built on a third-party tool named Shavlik.
• SMS and Microsoft Update Partnership
• ITMU – Reduced dependency on MBSA
• The SMS ITMU enables customers to standardize on the patch technology of choice for Microsoft going forward.

Page 29: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Overview of Inventory Tool for Microsoft Updates (ITMU)

What does the new ITMU do differently?
• Improved patch management through a more comprehensive and widely supported detection technology
• Broader detection support for more Microsoft products
• Consistent product support across multiple detection technologies including parity with Automatic Updates

Page 30: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Overview of Inventory Tool for Microsoft Updates (ITMU)

How is ITMU different from MBSA?
• ITMU supports security updates, service packs and rollups
• ITMU supports Office XP and later for security updates and service packs
• ITMU only supports Windows 2000 SP3 or later
• ITMU catalog (WSUSScan.cab) includes all languages
• ITMU Supports SQL Server 2000 and beyond
• ITMU provides automatic updates of the Microsoft Updates Catalog
• Uses Windows Updates Agent to scan and identify current patch status

Page 31: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Inventory Tool for Microsoft Updates (ITMU) Diagram

Page 32: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Client Scans with ITMU

• Requires Windows Update Agent
  • If agent is not already installed, SMS can automatically install the agent through a dependent program
  • Scan program calls Windows Update Agent installation program
  • Configurable through ITMU Setup
• Once Windows Updates Agent is installed, scan for Microsoft Updates can occur

Page 33: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Client Scans with ITMU

Scan Agent process:
• Scanwrapper.exe verifies Windows Updates Agent installed
• Scanwrapper.exe calls SMSWushandler.exe
• SMSWusHandler.exe performs scan through calls to the Windows Updates Agent

Scan Agent process:
• Scan Data is stored in WMI
  • Data is stored in the Win32_PatchState_Extended class
  • “Type” attribute is set to “Microsoft Update”
• Scan results reported through hardware inventory
  • SMS 2003 SP1 sms_def.mof file already supports the Extended Patch State class and data

Page 34: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Viewing Results for ITMU

• Data is maintained on the client in WMI
• Data is returned to the SMS site database in Extended Patch State
• Data can be viewed in Resource Explorer, Software Updates (SMS Administrator Console node), and SMS Reports
• Previously existing Software Compliance reports are updated to support both classes
• There are six new reports added with this tool
  • Two in Software Update – Compliance
  • Four in Software Update – Distribution Status

Page 35: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Update Distribution

• As with MBSA, the Distribute Software Updates Wizard is used
  • Presents a list of available updates for distribution
  • Downloads updates and creates SMS objects required to deploy them
    • Optionally the administrator can pre-download and stage the patches prior to using the wizard
• Administrator selects which updates to deploy to which clients
  • Can have multiple updates in a single package
• Installed on all SMS 2003 SP1 Administrator Consoles automatically

Page 36: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Demonstration: Inventory Tool for Microsoft Updates

• Overview of the tool
• Sending out patches

Page 37: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Troubleshooting

There are new (and some old) log files that can be helpful in troubleshooting patch deployment
• SMSWUSHANDLER.log
• Advertisement.log
• SMSCLIUI.log
• PatchUIMonitor.log
• EXECMGR.log
• Patchinstall.log
• WUSSyncXML.log
• PatchDownloader.log

Page 38: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Troubleshooting (continued)

Client Side Debugging
• ITMU puts the inventory scan results in the CIMV2 namespace on SP1 clients
• To review the information collected
  • Connect to the root\cimv2 namespace (using WBEMTEST) on the Advanced Client
  • Review the class instances stored within the Win32_PatchState_Extended WMI class
• Basic setup issues may be solved by ensuring that the customer has the supported platforms installed

Page 39: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM

Session Summary

• Install additional MPs for the complete picture
• Take advantage of client side monitoring
• Identify trends and issues through reporting
• Be able to respond to update requirements

Page 40: Building and Managing a Resilient Active Directory Infrastructure with SMS and MOM
