This chapter deals with tracking the activity and usage of various Active Directory components. When you need to troubleshoot a problem, often the first place you look is the logfiles. With Active Directory, there are several different logfiles, and each has different ways to increase or decrease the verbosity of the information that is logged. Viewing log messages can be a useful troubleshooting step, but you should also look at performance metrics to determine whether system hardware or a particular service is being overutilized. In this chapter, we’ll review a couple of ways you can view performance metrics, as well as monitor Active Directory performance. For more extensive monitoring, we suggest looking at Microsoft System Center Operations Manager (OpsMgr), or similar products from other vendors such as NetIQ and Quest. In addition to the typical items that you would monitor on a Windows server (e.g., disk space usage, physical and virtual memory errors, processor utilization), you should also monitor AD-specific performance metrics. This extends to monitoring replication activity and Event Log information.

We’ll also cover a somewhat-related topic called quotas, which allow you to monitor and limit the number of objects that a security principal (user, group, or computer) can create within a partition. This feature closes a hole that allowed users who had access to create as many objects in Active Directory as they wanted. ...