Chapter 15. Logging, Monitoring, and Quotas
This chapter deals with tracking the activity and usage of various Active Directory components. Whenever you need to troubleshoot a problem, the log files are often the first place you look. Active Directory has several different log files, and each has its own way to increase or decrease the verbosity of the information that is logged. Viewing log messages can be useful, but you may also want to look at performance metrics to determine whether the system is being overutilized. I’ll review a couple of ways you can view performance metrics and monitor Active Directory performance. For more extensive monitoring, I suggest looking at NetPro’s (http://www.netpro.com/) Active Directory monitoring tools or Microsoft Operations Manager (http://microsoft.com/mom/).
I’ll also cover a somewhat related topic in this chapter called quotas, which allow you to monitor and limit the number of objects a security principal (user, group, or computer) can create in a partition. This feature, introduced in Windows Server 2003, closes a hole that existed in Windows 2000, where users who had access to create objects in Active Directory could create as many as they wanted. These users could even cause a denial of service by creating objects until the disks on the domain controllers filled up. This kind of attack is not likely to happen in most environments, but the possibility should still be considered.
The Anatomy of a Quota Object Container