Title: Message
Definitely. Nice thing about testing with LDAP queries though is it can be a normal userid. No admin rights required. Also it will take a more involved tool generally to start doing perf counters. Not saying people shouldn't have more in depth monitoring such as MOM or OpenView but it is sometimes an expense people can't get through the system, spinning up products like MOM and SQL can be costly if you don't get it for free plus there is admin overhead that has to be accounted for. I know I fought that battle for several years for a Fortune 5 company and never got heavy duty monitoring like that due to costs and politics. In the end it all came down to my basic perl scripts doing basic things like this and quite honestly, that combined with being aware of my DCs and how they should be running kept us running very well. However, that won't work for everyone.
 
Anyway, once you start seeing any slowness in basic queries, then you can bounce into more detailed checking of what is going on. I have used this method to ascertain issues with DCs in a couple of different companies. It is simple and basic, but if a DC can't do these simple basic things, there is definitely an issue to investigate.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, November 13, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

Perhaps a different way to skin the same cat…..the problem with any single query is that it could be performant in the face of other, slow things. For example, who cares if ldap is fast if you have a bind perf problem due to slow trusted dc. I think you really want to better measure your app, not as much a single query.

 

That said, I’d be more interested in watching key perfmon counters, where key==what you are interested in. So, ldap response time, bind time, etc. If it exceeds X ms, then kick out.

 

My $0.02

~Eric

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 13, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

 

Sure that would be fine, note that scope is by default subtree with adfind so you can cut out the -s subtree switch.

 

For the initial startup you might want to run the check every 10 or 15 minutes and see what you get. Build up a map in your head of what it is doing. Then once you are confident on how consistent the numbers are, push the frequency back up to once per hour. Alternatively set a threshold and if a machine exceeds it, crank up the frequency for that machine.

 

  joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, November 13, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

Hi Joe,

    Thanks for ideas!  I've built some code that runs every hour and the numbers are interesting.  I've found a couple of GCs that are in the 4 second range while the majority are in the neighborhood of 0.3 seconds but I expect the numbers will fluctuate more as I collect more statistics.  Can I assume the following query (using each GC passed as %1) is appropriate?

 

adfind.exe -h %1 -b dc=xxx,dc=gov -f name=admin-renamed -gc -s subtree cn

 

Thanks again!

 

Mike Thommes

 

 

-----Original Message-----
From: listmail [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 12:24 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

One quick and fairly easy method to partially do this is to set up a simple script that does a basic query (say against the schema which should be quick but not say a rootdse query) and have a baseline acceptable time frame for the response. I have done this in the past and found choked up GCs (specifically in relation to Exchange) using a little perl and a little adfind.

 

Versus hardcoding GCs set up a dedicated Exchange site. This protects your main site from Exchange and Exchange from everything else. I.E. If Exchange tears down a DC, Exchange suffers. If something else tears down a DC, Exchange should be fairly protected as it shouldn't be a DC Exchange is using. ALSO and this is a point I have a strong opinion of. Most GCs can go down and things don't care, authentication will work, etc. Exchange GCs can't generally do this. This means that you can keep certain GCs in mind for monitoring and your response to them going offline. At the widget factory I worked for there were only a few GCs I cared about going down in terms of speed to get them back up and running. The Exchange GCs and the PDC's. The other DC's/GCs we cared about but we weren't running in the middle of the night because of them.

 

Anyway, set up a script that you specify a list of GCs or (better) takes a site or list of sites and then goes into a loop. In the loop it gets a list of GCs or DCs, it then does a basic schema query that will return some subset of objects and attributes. Unless you are going against a GC across some slow wires, any query should be back in a second or less for an idle DC. As you load up you will see 1,2,3,6,8 second responses. Once you hit 20+ seconds on a query, you really need to be looking at things. You get to 30 seconds and you most certainly have Exchange queue backups and probably store hangs.

 

If you are monitoring this and you are normally at 3-4 seconds at main load and you hit 10 seconds consistently on a GC, then you page on that and start chasing.

 

  joe
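
[Added example, not part of any message in this thread and not code from any of the posters.] A sketch of the timing loop described above, combined with the "crank up the frequency for that machine" idea from the later reply. It uses the adfind command line quoted in the thread; the GCMonitor class, the CONSECUTIVE value and the treatment of adfind's exit code are assumptions made for illustration.

```python
import subprocess
import time

PAGE_SECS = 10.0        # thread: page when a GC sits at 10 s consistently
CRITICAL_SECS = 20.0    # thread: at 20+ s "you really need to be looking at things"
CONSECUTIVE = 3         # assumption: slow samples in a row that count as "consistently"
NORMAL_INTERVAL = 3600  # thread: once per hour
FAST_INTERVAL = 600     # thread: every 10 minutes while a GC is under suspicion

def adfind_probe(gc, timeout=60):
    """Time the query quoted in the thread against one GC; None means no answer."""
    cmd = ["adfind.exe", "-h", gc, "-b", "dc=xxx,dc=gov",
           "-f", "name=admin-renamed", "-gc", "cn"]
    start = time.monotonic()
    try:
        # Assumption: adfind exits non-zero when the query fails.
        subprocess.run(cmd, capture_output=True, timeout=timeout, check=True)
    except (OSError, subprocess.SubprocessError):
        return None
    return time.monotonic() - start

class GCMonitor:
    """Hypothetical helper: per-GC status, slow streak and polling interval."""
    def __init__(self, gcs, probe=adfind_probe):
        self.probe = probe
        self.streak = {gc: 0 for gc in gcs}
        self.status = {gc: "OK" for gc in gcs}
        self.interval = {gc: NORMAL_INTERVAL for gc in gcs}

    def check(self, gc):
        """Probe one GC, record the result, return (status, seconds)."""
        secs = self.probe(gc)
        if secs is None:
            status = "DOWN"
        elif secs >= CRITICAL_SECS:
            status = "CRITICAL"
        else:
            status = "SLOW" if secs >= PAGE_SECS else "OK"
        ok = status == "OK"
        self.streak[gc] = 0 if ok else self.streak[gc] + 1
        self.interval[gc] = NORMAL_INTERVAL if ok else FAST_INTERVAL
        self.status[gc] = status
        return status, secs

    def should_page(self, gc):
        """Page at once on DOWN/CRITICAL, or after CONSECUTIVE slow samples."""
        return (self.status[gc] in ("DOWN", "CRITICAL")
                or self.streak[gc] >= CONSECUTIVE)
```

A scheduler would call check() for each GC, sleep for that GC's interval value, and alert whenever should_page() returns True; passing a different probe function lets the same logic time a schema query or a bind instead.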

 

 

 


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Thu 11/11/2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Script to check on GCs response/health?

In our environment we have lots of GCs, most of which I don't control.
While I run a dcdiag report each morning that checks the overall health
of my domain including whether a DC is advertising itself as a GC, we
see issues once in a while when a process does a GC discovery action and
ends up on a "bad" one, e.g., not available, busy, slow network, maybe
permissions, etc.

The other day our Exchange cluster was running like a dog since after a
reboot, it hooked itself up with a GC that was not performing
particularly well.  As a solution for that particular problem, we were
able to hardcode into the Exchange servers specific GCs that I know work
well.  Has anyone developed a script that checks on the health of GC
functionality or dealt with this issue some other way?  Thanks in
advance!

Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
