Active Directory Status Test

This test tracks the performance of Active Directory in a Windows 2000 environment. Before getting into the details of this test, note that a Windows 2000 environment offers two choices for network authentication:

  • Kerberos Version 5.0: This protocol is the default network authentication protocol for Windows 2000 servers.
  • Windows NT LAN Manager (NTLM): The NTLM protocol was the default network authentication protocol for the Windows NT 4.0 operating system. NTLM is also used to authenticate logons to standalone computers running Windows 2000.

When a user first authenticates to Kerberos, the user talks to the Authentication Service (AS) on the Kerberos Key Distribution Center (KDC) to get a Ticket Granting Ticket (TGT). This ticket is encrypted with the user’s password. When the user wants to talk to a Kerberized service, the user presents the TGT to the Ticket Granting Service (TGS), which also runs on the KDC. The Ticket Granting Service then verifies the user’s identity using the TGT and issues a ticket for the desired service. The Ticket Granting Ticket exists so that a user doesn’t have to enter their password every time they wish to connect to a Kerberized service.
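The exchange described above, modelled as an added example (not part of the original page or of any product's code). It uses a toy cipher and leaves out timestamps, ticket lifetimes and pre-authentication. In this model the AS reply carries the TGT sealed under a key only the KDC holds, plus a session key sealed under a key derived from the user's password. The class and function names, principals and password are constructed for illustration, and the two counters mirror what the Authentication requests and Ticket requests measures on this page count.

```python
import hashlib, hmac, json, os
# seal()/unseal(): toy authenticated encryption (HMAC-SHA256 keystream + tag), not a real Kerberos cipher.
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def password_key(user, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

class KDC:
    def __init__(self, users, service_keys):
        self.tgs_key = os.urandom(32)      # known only to the KDC
        self.user_keys = {u: password_key(u, p) for u, p in users.items()}
        self.service_keys = service_keys   # each key is shared with one Kerberized service
        self.as_requests = self.tgs_requests = 0

    def as_request(self, user):
        # Authentication Service: returns the TGT and a session key sealed for the user.
        self.as_requests += 1
        sk = os.urandom(32).hex()
        return seal(self.tgs_key, {"user": user, "sk": sk}), seal(self.user_keys[user], {"sk": sk})

    def tgs_request(self, tgt, authenticator, service):
        # Ticket Granting Service: verifies identity from the TGT, then issues a service ticket.
        self.tgs_requests += 1
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["sk"])
        if unseal(sk, authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"user": t["user"], "sk": svc_sk})
        return ticket, seal(sk, {"sk": svc_sk})

def logon_and_access(kdc, user, password, services):
    # The password is used once, to open the AS reply; each ticket is then obtained with the TGT.
    tgt, sealed_sk = kdc.as_request(user)
    sk = bytes.fromhex(unseal(password_key(user, password), sealed_sk)["sk"])
    return {s: kdc.tgs_request(tgt, seal(sk, {"user": user}), s)[0] for s in services}
```

One logon followed by access to two services produces one AS request and two TGS requests, and a wrong password fails at the step where the client opens the AS reply.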

Target of the test: An Active Directory or Domain Controller

Agent deploying the test: An internal agent

Outputs of the test: One set of results for every Active Directory site that is being monitored

Configurable parameters for the test
| Parameters | Description |
|---|---|
| Test period | How often the test should be executed. |
| Host | The IP address of the machine where the Active Directory is installed. |
| Port | The port number through which the Active Directory communicates. The default port number is 389. |

Measurements made by the test
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Schema cache hit ratio | This measure shows the percentage of object name lookups available in the Schema Cache. This cache is present in the Domain Controller. All changes made to the Active Directory are first validated against this schema cache. | Percent | A low value of this measure indicates that the Directory Service needs high disk read/write activity to perform its job. This results in poor response times for the components available in the Active Directory. |
| Notify queue size | When any change in the Active Directory occurs, the originating domain controller sends update notification requests to the other domain controllers. This measure shows the number of pending update notification requests that have been queued and not transmitted. | Number | A high value of this measure indicates that the Active Directory is changing frequently but the update notification requests have not been transmitted to the other domain controllers. This results in a loss of data integrity in the directory store. This problem can be corrected by forcing the replication process. |
| Current threads | This measure shows the number of threads that are currently servicing API calls from users. | Number | A fluctuating value for this measure indicates a change in the load. |
| Directory writes | This measure shows the number of successful write operations made by the directory service per second. | Writes/Sec | A high value for this measure indicates that the directory service has made write operations in the Active Directory. This results in the fragmentation of the Active Directory. This problem can be corrected by forcing the replication process. |
| Kerberos requests | This measure shows the number of times per second that users use their credentials to authenticate themselves with the domain controller that is being monitored. | Reqs/Sec | A high value for this measure indicates that the user requested some network resource, which requires authentication. Installing one or more Active Directory in the target environment can solve this problem. |
| NTLM requests | This measure shows the number of times per second that users use their credentials to authenticate themselves with the domain controller that holds the PDC emulator operation role. | Reqs/Sec | A high value for this measure indicates that the user requested some network resource that belongs to the Windows NT network. Accessing this kind of resource needs authentication, which is serviced by the domain controller that holds the PDC emulator operation role. Installing one or more domain controllers with the PDC emulator operation role in the target environment can solve this problem. |
| Ticket requests | This measure indicates the number of requests made by the Ticket Granting Service per second. | Reqs/Sec | A high value for this measure indicates that the user requested some network resources, which need authentication. Installing one or more domain controllers in the target environment can solve this problem. |
| Authentication requests | This measure indicates the number of requests made by the Authentication Server (to obtain the TGT) per second. | Reqs/Sec | A high value for this measure indicates that the user requested some network resources, which need authentication. Installing one or more domain controllers in the target environment can solve this problem. |
| Ldap sessions | This measure indicates the number of LDAP clients currently connected to the Active Directory. | Number | This measure is just an indicator of the number of LDAP clients connected to the Active Directory. A high or low value for this measure does not always denote an error situation. |