Microsoft Active Directory is a key component of the IT infrastructure of any organization that uses Microsoft Windows servers or desktops.
Active Directory is responsible for managing users, their accounts and their access to individual computers, shared drives, printers, servers and more. From a user's perspective, Active Directory's single sign-on capability means that users do not have to remember and use different passwords for each kind of access.
From an administration perspective, Active Directory also offers big benefits. User accounts, passwords, access rights and so on can be managed centrally. When a new user has to be added or an existing user's permissions revoked, administrators handle this in one place through Active Directory.
Given the central role it performs, it is no wonder that monitoring the availability and performance of Active Directory is extremely important. If the Active Directory service is down, users cannot authenticate and therefore cannot reach any of the shared resources in the network. Likewise, if Active Directory is slow, user logons and access to key services will be much slower than normal. Users often do not realize that they are using Active Directory when they log on or launch an application, so their complaints are about application slowness when the actual problem is that Active Directory services are slow. Hence, it is imperative that administrators monitor the availability and performance of Active Directory services 24×7 so they can proactively detect and correct issues that affect user experience and productivity.
Because it manages credentials and permissions in the IT infrastructure, Active Directory also has to be monitored from a security perspective. Frequent invalid logon attempts, account lockouts, permission errors and similar events need to be tracked. Password policies are also enforced through Active Directory. From a monitoring perspective, administrators must be able to identify users who have not logged on for several days and users who have not changed their password for a long period.
Here are 8 common Active Directory problems that organizations face, the consequences of these problems, and how administrators can proactively detect and resolve them. Before we get started, let's review some common Active Directory terms:
- Active Directory is the authentication and directory service provided by one or more servers. Each of these servers is a Domain Controller (DC).
- An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group or it can be a hardware component, such as a computer or printer. Each domain holds a database containing object identity information.
- An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, users, computers, and group policies.
Top 8 Active Directory Performance Problems
#1 Active Directory Replication Issues
Because of the importance of Active Directory services, organizations rarely have just one domain controller. In large organizations, it is common to have many domain controllers, and user requests, directory searches and so on are directed to the domain controller closest to the location from which the request originated, to minimize latency and bandwidth usage.
Replication is a crucial function in Active Directory whenever there are two or more domain controllers, regardless of whether they belong to the same site or to different ones. Active Directory replication keeps changes synchronized across the domain controllers in a forest. Replication must occur within the local site as well as between sites so that all corresponding domain and forest data remain the same on every one of the domain controllers.
Healthy replication in an AD forest is crucial for its uninterrupted functioning. Without it, changes made on one domain controller are not passed on to all other domain controllers. This can lead to all kinds of problems, including authentication failures (a password reset or a new account that only exists on one DC) and problems accessing network resources (files, printers, applications). Replication issues may not appear immediately, so failing to monitor replication at least periodically can result in a serious issue at a very inconvenient or critical time. An AD monitoring tool helps by keeping tabs on the status of AD replication and detecting replication errors, stale partner links and other common AD replication issues.
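The kind of check described above, written as an added example (this is not code from the original article or from the eG Enterprise product). It uses the ActiveDirectory PowerShell module, which must be installed on the machine running it, and assumes the caller can query every DC in the forest. It reports both hard replication failures a DC has recorded and partner links that have not synchronized for longer than a chosen threshold, because a link can stop replicating without ever logging an error:

```powershell
# Added example: summarise inbound replication health for every DC in the forest.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param(
        # Hours after which a partner link with no successful sync is flagged as stale
        [int]$StaleAfterHours = 3
    )
    $now = Get-Date
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

    foreach ($dc in $dcs) {
        # Hard failures the DC itself has recorded (partner unreachable, access denied, ...)
        $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
        foreach ($f in $failures) {
            [pscustomobject]@{
                DC        = $dc.HostName
                Partner   = $f.Partner
                Partition = ''
                Problem   = 'Failure {0}, {1} consecutive, first seen {2}' -f $f.LastError, $f.FailureCount, $f.FirstFailureTime
            }
        }

        # Per-partition partner metadata: catches links that never error but silently stop syncing
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            $age = $now - $m.LastReplicationSuccess
            if ($m.LastReplicationResult -ne 0 -or
                $m.ConsecutiveReplicationFailures -gt 0 -or
                $age.TotalHours -gt $StaleAfterHours) {
                [pscustomobject]@{
                    DC        = $dc.HostName
                    Partner   = $m.Partner
                    Partition = $m.Partition
                    Problem   = 'Result {0}, {1} consecutive failures, last success {2:N1} h ago' -f $m.LastReplicationResult, $m.ConsecutiveReplicationFailures, $age.TotalHours
                }
            }
        }
    }
}

# An empty table means every partner link on every DC replicated recently with result 0.
Get-ReplicationHealth | Format-Table -AutoSize
```

Run it from a scheduled task and alert on any row. The same data is available interactively from `repadmin /replsummary` and `repadmin /showrepl`, but the cmdlet output is easier to feed into a monitoring system, and the `StaleAfterHours` threshold should be set to a little more than the longest inter-site replication interval configured on the site links.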
#2 User Account Lockouts
Most organizations have (or should have) an account lockout policy. This is a security measure designed to stop unauthorized third parties from guessing passwords. Account lockout policies are implemented through Active Directory: entering the wrong password more times than the policy threshold allows locks the account until the configured lockout duration expires or an administrator unlocks it manually.
Sometimes account lockouts happen for no apparent reason. Even after a SysAdmin resets the password, the account may get locked out again very soon afterwards. This is extremely frustrating for both users and administrators, and the problem is usually made worse by not knowing where the lockouts are coming from. A typical cause is an automated script, scheduled task or service that is configured to run under a user account (e.g., to back up a file): if it has not been updated with the latest password, every run contributes bad-password attempts and the account is locked out.
An AD monitoring tool can identify and track when user lockouts are happening, which accounts are affected, and from which system the invalid logon attempts originated. This information lets administrators distinguish a configuration issue (one machine with a stale credential) from a potential security problem (many accounts locked from one source), and alerts them to either.
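An added example of tracing lockouts to their source (not code from the original article or the eG Enterprise product). Every lockout in a domain is recorded as Security event 4740 on the PDC emulator, and that event names both the locked account and the "Caller Computer Name", the machine that submitted the failing logons. The script assumes the ActiveDirectory module is installed and that the caller can read the Security log on the PDC emulator remotely:

```powershell
# Added example: find which computer each recent account lockout came from.
Import-Module ActiveDirectory

function Get-RecentLockouts {
    param([int]$Hours = 24)
    # 4740 is always logged on the PDC emulator, whichever DC processed the bad passwords
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Field layout of 4740: Properties[0] is the locked account (TargetUserName),
        # Properties[1] is the caller computer name
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $e.Properties[0].Value
            Caller  = $e.Properties[1].Value
        }
    }
}

# An account that locks out repeatedly from the same caller almost always points at a
# service, scheduled task, mapped drive or saved credential on that machine holding an
# old password. Many different accounts from one caller is the shape of a spraying attack.
Get-RecentLockouts |
    Group-Object Account, Caller |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'LastLockout'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Accounts that are still locked right now, for the help desk
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

To see the individual bad-password attempts behind a lockout, look on the caller computer (or the DC that served it) for events 4625 and, for Kerberos, 4771 in the same time window; the 4740 event only tells you where, not which process.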
#3 Group Policy Issues
Group Policy is an incredibly useful tool for system administrators, allowing them to centrally configure and deploy just about anything in their Active Directory environment. From deploying software to configuring the default printer for a system, Group Policy covers it all. However, larger organizations may have many Group Policy Objects (GPOs), with filters and exceptions, and this makes it difficult for system administrators to keep track of everything. Incorrectly configured Group Policies are a common cause of slow logons, and administrators then have to work out which policy, and which client-side extension within it, is responsible for the delay.
Some common Group Policy issues in an Active Directory environment include:
- Group Policies not being applied as expected
- Group Policies being applied but not working as expected
- Loops in Group Policies causing slowness during processing
- Group Policies that have not been updated when the infrastructure changed (e.g., a policy that tries to map a drive that no longer exists)
- Slow network links resulting in some Group Policies not being applied (by default, slow-link detection skips bandwidth-heavy extensions such as software installation)
- Folder redirection pointing at unexpected or unavailable locations
Monitoring Group Policy activity and events is a must in order to know when and how policies are executed and whether there are delays or failures. Changes to Group Policies should also be tracked, and any performance impact of a change should be detected early so that issues in the Group Policies can be resolved before they affect every logon.
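An added example (not from the original article or the eG Enterprise product) of finding slow or failing Group Policy processing on one machine. Windows writes a detailed record to the Microsoft-Windows-GroupPolicy/Operational log: events 8000 to 8007 mark the end of each processing cycle (boot, logon, background refresh, manual `gpupdate`, network change) with the total time, event 5016 marks each client-side extension (CSE) that finished normally with its time in milliseconds, and 7016 one that finished with an error. All events of one cycle share an ActivityId, which is how the slow extension is tied back to the logon it delayed. The duration is parsed from the message text, which is the form all of these events share:

```powershell
# Added example: list Group Policy processing cycles and extensions that were slow or failed.
function Get-SlowGroupPolicy {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$SlowCycleSeconds = 30,       # a whole boot/logon/refresh pass longer than this
        [int]$SlowCseMilliseconds = 5000   # a single client-side extension longer than this
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = @(8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 5016, 7016)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Messages read "... in 12 seconds." or "... in 4380 milliseconds."
        if ($e.Message -notmatch 'in (\d+) (seconds|milliseconds)') { continue }
        $n  = [int]$matches[1]
        $ms = if ($matches[2] -eq 'seconds') { $n * 1000 } else { $n }

        $isCycle   = $e.Id -ge 8000
        $threshold = if ($isCycle) { $SlowCycleSeconds * 1000 } else { $SlowCseMilliseconds }
        if ($ms -gt $threshold -or $e.Id -eq 7016) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Id         = $e.Id
                Kind       = if ($isCycle) { 'Cycle' } elseif ($e.Id -eq 7016) { 'CSE error' } else { 'CSE' }
                Millis     = $ms
                ActivityId = $e.ActivityId     # same GUID for every event of one processing pass
                Detail     = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Group by ActivityId to see which extension made a given logon slow.
Get-SlowGroupPolicy | Sort-Object ActivityId, Time | Format-Table -AutoSize
```

Once the slow extension is known (Folder Redirection, Software Installation and Scripts are the usual suspects), `gpresult /h report.html` on the same machine shows which GPOs applied and which were filtered out, and events 5312 and 5313 in the same log list the applied and denied GPOs for each cycle.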
#4 DNS / DHCP Issues
DHCP and DNS are two of the most essential services in any IT network. A DHCP server manages the IP addresses that are dynamically issued to servers and clients so that they can communicate. When monitoring DHCP services, track the number of addresses in use per scope so that you can tell when a scope is about to run out of addresses to allocate.
DNS ensures that servers, clients and services can be found by name. Active Directory depends on DNS even more than other services do: domain controllers publish SRV records so that clients can locate a DC for logon, and replication partners find each other by DNS name. Anyone who deals with Active Directory is well aware of the critical role DNS plays, and a survey published by Microsoft indicates that 70% of all Active Directory issues are DNS related.
Some of the most common DNS issues faced by SysAdmins include:
- Improper forwarder configuration
- Incorrect DNS name registration
- Improper delegation of AD DNS domains
- Inconsistency between domain controllers, global catalogs and the records in DNS
- Inconsistency between the AD site infrastructure and the site-specific DNS records
DNS and DHCP services are so fundamental to any network that continuous monitoring of their availability and performance is of extreme importance. Microsoft provides the dcdiag command-line utility, whose `/test:DNS` option checks the DNS configuration of a domain controller. Its sub-tests cover forwarders, root hints, delegations, dynamic updates, record registration, external name resolution and so on.
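An added example (not from the original article or the eG Enterprise product) that tests the registration problems listed above directly: for every DC in the domain it resolves the SRV records clients use to find a DC, including the site-specific record that the site infrastructure depends on, and reports any DC that is missing from them, then runs dcdiag's DNS tests against only those DCs. It assumes the ActiveDirectory module and the DnsClient `Resolve-DnsName` cmdlet are available, and that the machine running it resolves names through the AD DNS servers:

```powershell
# Added example: check that each DC has registered its SRV records, and run dcdiag on those that have not.
Import-Module ActiveDirectory

function Test-DcSrvRegistration {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs = Get-ADDomainController -Filter * -Server $Domain

    foreach ($dc in $dcs) {
        # Records every DC must publish: generic domain-wide ones plus the
        # site-specific one that keeps clients talking to a local DC
        $names = @(
            "_ldap._tcp.dc._msdcs.$Domain",
            "_kerberos._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.$Domain",
            "_kerberos._tcp.$Domain",
            "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$Domain"
        )
        $missing = foreach ($n in $names) {
            $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
            # NameTarget is the host the SRV record points at
            if (-not ($srv | Where-Object { $_.NameTarget -ieq $dc.HostName })) { $n }
        }
        [pscustomobject]@{
            DC      = $dc.HostName
            Site    = $dc.Site
            Missing = (@($missing) -join ', ')
            Healthy = (@($missing).Count -eq 0)
        }
    }
}

$results = Test-DcSrvRegistration
$results | Format-Table -AutoSize

foreach ($r in ($results | Where-Object { -not $_.Healthy })) {
    # /DnsAll runs the basic, forwarder, delegation, dynamic-update,
    # record-registration and external-name sub-tests on that DC
    dcdiag /s:$($r.DC) /test:DNS /DnsAll /v
}
```

A DC missing its records usually either cannot perform dynamic updates against the zone (check the DnsDynamicUpdate sub-test output and the zone's update permissions) or has its Netlogon service registering into the wrong zone; `nltest /dsregdns` on that DC forces re-registration once the cause is fixed.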
#5 FSMO Roles
Active Directory was designed as a multi-master database: changes can be made on any domain controller and replicate to the others. A few operations, however, must have a single authoritative owner at any one time to avoid conflicts (for example, handing out the pools of relative IDs from which new security identifiers are built). The domain controller that owns such an operation is said to hold a Flexible Single Master Operations (FSMO) role; the role is "flexible" because it is not bound to one domain controller and can be transferred to another.
Currently in Windows there are five FSMO roles, two per forest and three per domain:
- Schema master
- Domain naming master
- RID Master
- PDC emulator
- Infrastructure Master
Some of the most common FSMO-related problems that SysAdmins encounter on a regular basis have to do with:
- Seizing of roles
- Transfer of roles
- Losing roles
It is important to track which domain controller holds each FSMO role and when that changed. This matters most after a role is seized: seizing is only for a holder that has permanently failed, and the old holder must not be brought back online still believing it owns the role, so an unexpected change of holder is something to investigate rather than just record.
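An added example (not from the original article or the eG Enterprise product) that records the current holder of all five roles and compares it against a saved baseline, so that a transfer or seizure shows up as a change. It assumes the ActiveDirectory module; the baseline file path is a hypothetical location chosen for the example:

```powershell
# Added example: list FSMO role holders and report any role that has moved since the baseline.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    # Two forest-wide roles
    $holders = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    # Three roles per domain
    foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        $holders["$d/PDCEmulator"]          = $dom.PDCEmulator
        $holders["$d/RIDMaster"]            = $dom.RIDMaster
        $holders["$d/InfrastructureMaster"] = $dom.InfrastructureMaster
    }
    return $holders
}

function Compare-FsmoBaseline {
    # Assumed path for the example; any location the monitoring account can write works
    param([string]$BaselinePath = "$env:ProgramData\fsmo-baseline.json")
    $current = Get-FsmoHolders

    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }

    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($role in $current.Keys) {
        $was = $baseline.$role
        if ($was -ne $current[$role]) {
            [pscustomobject]@{
                Role      = $role
                Was       = $was
                Now       = $current[$role]
                CheckedAt = Get-Date
            }
        }
    }
}

# First run writes the baseline; later runs output only roles whose holder changed.
Compare-FsmoBaseline | Format-Table -AutoSize
```

`netdom query fsmo` gives the same five answers interactively. When a change is legitimate (a planned transfer), rewrite the baseline; when it is not, confirm every DC agrees on the new holder before doing anything else, because a seized role whose previous holder later comes back online produces two DCs that both think they own it.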
#6 Logon Failures
Logon failures are a common occurrence in any AD infrastructure. Mistyped or forgotten passwords account for many of them, but the issue administrators are most concerned about is unauthorized attempts by malicious users to log on to the network. A run of repeated incorrect password attempts, especially against several accounts from one source, may indicate a password-guessing or password-spraying attack. One way to detect this is to monitor consecutive unsuccessful logon attempts continuously; on Windows systems this means watching the Security event log.
The Security event log may contain thousands of events from different sources pertaining to user logon, logon failure, account lockout and so on. Analyzing these events to spot anomalies and identify the source of potential attacks by hand is a laborious, time-consuming and painstaking task. An AD monitoring tool that watches the Security log for these patterns and raises an alert is what makes this practical.
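An added example (not from the original article or the eG Enterprise product) of the detection logic this describes: it reads Security event 4625 (an account failed to log on) over a window, groups failures by source address, and flags a source that either produced many failures or tried many distinct accounts. The fields are read by name from the event XML rather than by position, and the thresholds are example values to be tuned for the environment:

```powershell
# Added example: flag sources producing brute-force or password-spraying patterns in 4625 events.
function Find-BruteForceSources {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Minutes = 60,
        [int]$Threshold = 20,       # failures from one source in the window before alerting
        [int]$SprayAccounts = 5     # distinct accounts tried from one source = spraying
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull named EventData fields from the XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            # Network logons carry an IP; local/console attempts only a workstation name
            Source    = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
            LogonType = $d.LogonType
            # SubStatus 0xC0000064 = user does not exist, 0xC000006A = wrong password,
            # 0xC0000234 = account locked, 0xC0000072 = account disabled
            SubStatus = $d.SubStatus
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group | Select-Object -ExpandProperty Account -Unique)
        if ($_.Count -ge $Threshold -or $accounts.Count -ge $SprayAccounts) {
            [pscustomobject]@{
                Source        = $_.Name
                Failures      = $_.Count
                DistinctUsers = $accounts.Count
                # Many non-existent users from one source means guessing names, not a typo
                UnknownUsers  = @($_.Group | Where-Object SubStatus -eq '0xC0000064').Count
                FirstSeen     = ($_.Group | Sort-Object Time)[0].Time
                LastSeen      = ($_.Group | Sort-Object Time)[-1].Time
            }
        }
    } | Sort-Object Failures -Descending
}

Find-BruteForceSources | Format-Table -AutoSize
```

Which log to read depends on where the failure is processed: a member server logs 4625 for its own logons, while a domain controller logs Kerberos failures as 4771 and 4768 and NTLM validation failures as 4776, so a domain-wide view needs the DCs' logs as well, and the 4740 lockout events give the end state.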
#7 Active Directory Database Issues
The first thing that comes to mind when one hears the word "database" is software such as Microsoft SQL Server, MySQL or Oracle. The Active Directory database is very different: it uses the ESE (Extensible Storage Engine), an ISAM (Indexed Sequential Access Method) database. Such databases use a record-oriented architecture that provides extremely fast access to individual records, and ESE works by indexing the data in the database file. The database file can reach up to 16 terabytes and hold more than 2 billion records.
Each object in Active Directory occupies space in the AD database (ntds.dit). For optimal performance, domain controllers cache the database in RAM, because access to memory is far faster than access to data on traditional hard disks or solid-state disks. Access to parts of the database that are not in the cache is much slower than access to parts that are.
Keeping the AD database as small as possible is key to the performance of the domain controller, especially on hardware that can no longer be upgraded and on Windows Server installations that cannot take additional CPUs or RAM.
While Active Directory databases grow steadily over the years, the adoption of new features can cause sudden and unprecedented growth. Storing user photos or BitLocker recovery information in Active Directory without proper planning can quickly degrade Active Directory performance, because each of these adds a large attribute or a whole new object per user or per volume.
Tracking the size of the AD database, how well it fits in the cache, and connectivity to the database is key to ensuring seamless Active Directory operations.
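An added example (not from the original article or the eG Enterprise product), meant to be run directly on a domain controller, that reports the three things this section says to track: the size of ntds.dit, how well the database fits in memory (the ESE cache hit ratio that a DC exposes through the `Database` performance counter set, instance `lsass`), and a count of the two growth sources mentioned above, users with a thumbnailPhoto and BitLocker recovery objects (objectClass msFVE-RecoveryInformation). It assumes the ActiveDirectory module is available on the DC:

```powershell
# Added example: size, cache effectiveness and bulky-content counts for the AD database on this DC.
Import-Module ActiveDirectory

function Get-AdDatabaseReport {
    # The NTDS service records where the database lives
    $dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $dbSize = (Get-Item -Path $dbPath).Length

    # Average ESE cache hit ratio over a few seconds; a low value means the
    # working set no longer fits in RAM and reads are going to disk
    $hit = (Get-Counter -Counter '\Database(lsass)\Database Cache % Hit' -SampleInterval 1 -MaxSamples 5).CounterSamples |
        Measure-Object -Property CookedValue -Average |
        Select-Object -ExpandProperty Average

    # Objects carrying the two growth sources named in the article
    $photos    = @(Get-ADUser -LDAPFilter '(thumbnailPhoto=*)').Count
    $bitlocker = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)').Count

    [pscustomobject]@{
        DC               = $env:COMPUTERNAME
        DatabasePath     = $dbPath
        DatabaseSizeMB   = [math]::Round($dbSize / 1MB, 1)
        CacheHitPercent  = [math]::Round($hit, 1)
        UsersWithPhoto   = $photos
        BitLockerObjects = $bitlocker
        CheckedAt        = Get-Date
    }
}

Get-AdDatabaseReport | Format-List
```

Record the size on a schedule and alert on the rate of growth rather than on an absolute number; a jump that coincides with a photo sync or a BitLocker rollout is the signature described above. Deleting objects does not shrink the file (ESE reuses the space internally), so a file that has become much larger than its live content only shrinks after an offline defragmentation with `ntdsutil`.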
#8 Kerberos Issues
The Key Distribution Center (KDC) service on every domain controller implements Kerberos, the primary authentication protocol in an Active Directory domain. Whenever a user or computer requests access to a resource, it obtains tickets from the KDC and presents them to the resource; the KDC's own checks (account status, password, clock skew) happen at the moment a ticket is issued. Continuous monitoring of these exchanges is needed to identify authentication and authorization problems in the AD environment.
Issues that monitoring Kerberos lets you find include:
- Where a user kept running critical business tasks after their account was disabled, because tickets already issued remain valid until they expire and the KDC does not re-check the account on every request
- Where a user's account got locked out
- Which specific computer has a clock difference (skew) from the domain controllers larger than the tolerance (five minutes by default) and is therefore being refused tickets
- Which computers have a machine-account password that is out of sync with Active Directory, so that the computer itself can no longer authenticate
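An added example (not from the original article or the eG Enterprise product) that turns the list above into a report from a domain controller's Security log. Events 4768 (TGT requested) and 4771 (pre-authentication failed) both carry a Kerberos result code in their Status field; the codes are the standard RFC 4120 error numbers, and the mapping below covers the four situations just listed, distinguishing a revoked account (0x12), a clock skew (0x25) and a failed pre-authentication (0x18) that, on a computer account, means the machine password is out of sync:

```powershell
# Added example: classify Kerberos failures on this DC by result code and client.
$KrbCodes = @{
    '0x6'  = 'Client principal unknown (account missing or renamed)'
    '0x12' = 'Client revoked (account disabled, expired or locked out)'
    '0x17' = 'Password expired'
    '0x18' = 'Pre-authentication failed (wrong password; on a computer account, password out of sync)'
    '0x20' = 'Ticket expired'
    '0x25' = 'Clock skew too great (more than the 5-minute default tolerance)'
}

function Get-KerberosFailures {
    param([string]$DC = $env:COMPUTERNAME, [int]$Hours = 1)
    $events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
        LogName   = 'Security'
        Id        = @(4768, 4771)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Status 0x0 is a successful TGT request; anything else is a failure
        if ($d.Status -eq '0x0') { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Event      = $e.Id
            Account    = $d.TargetUserName
            IsComputer = $d.TargetUserName.EndsWith('$')
            Client     = ($d.IpAddress -replace '^::ffff:', '')   # strip IPv4-mapped IPv6 prefix
            Code       = $d.Status
            Meaning    = if ($KrbCodes.ContainsKey($d.Status)) { $KrbCodes[$d.Status] } else { 'Other' }
        }
    }
}

$fail = Get-KerberosFailures

# Overall picture: which failure kinds dominate in the last hour
$fail | Group-Object Code, Meaning | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Clients whose clock is out of tolerance
$fail | Where-Object Code -eq '0x25' | Select-Object Client, Account -Unique | Format-Table -AutoSize

# Computers whose machine-account password no longer matches AD
$fail | Where-Object { $_.IsComputer -and $_.Code -eq '0x18' } | Select-Object Account, Client -Unique | Format-Table -AutoSize

# Disabled or locked accounts that are still trying to obtain tickets
$fail | Where-Object Code -eq '0x12' | Select-Object Account, Client -Unique | Format-Table -AutoSize
```

The remedies differ by code, which is why the classification matters: a 0x25 client needs its time source fixed (`w32tm /resync` on the client, and checking that the PDC emulator is the domain's time authority), a computer account with 0x18 needs its secure channel repaired from that machine (`Test-ComputerSecureChannel -Repair`), and a 0x12 stream from a disabled account is either a forgotten service still holding the credential or something worth handing to the security team.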
As you can see, monitoring is key to easily identifying and understanding the causes of availability, replication, security, and other Active Directory performance issues. Try eG Enterprise, an end-to-end Active Directory monitoring solution that automatically discovers your AD environment and monitors all aspects of AD performance.