Monitoring your Active Directory

Another interesting week. Client has 8 DCs distributed over 4 sites for AD management. Most of the time it works well – well enough so you don’t feel the need to be taking the pulse of the patient 24/7… BUT…. every so often, you have issues.

So… How to monitor. You are a small(ish) shop so there isn’t enough IT Operations bandwidth to monitor everything all the time. You can do several things.

– Invest in some COTS tools – Quest comes to mind – however there is a both an initial costs and these things need care and feeding as well. Often there are backend databases, specialist knowledge etc. Some of these things are more fragile than AD itself. If they break then often the solution is to completely re-install.

– Write something yourself – this is obviously where I’m going with this. WMI, Command line tools, vbscript, Powershell, performance monitor – there a is a stack of choices.

I’ve found something that seems to do the trick for me. Its “timesync” – MS DC’s rely on syncronised time for authentication. If your time between workstations, servers and DCs drifts out by more than 5 minutes the kerberos, GP etc all seem to stop.  The command you need to get to grips with is

W32tm  specifically the “/monitor /domain:<yourdom.dom>”  option. Give it a try in your domain and see – it will show you which DCs are syncronids

So I’ve written a simple HTML page in vbscript that parses the output – code to follow


One thought on “Monitoring your Active Directory”

  1. Nice tip! Just ran it across my domain here (kitchen company) and between 5 DCs my biggest positive gap was +0.0204349s and the biggest negative gap was -0.0192520s!

Leave a Reply

Your email address will not be published. Required fields are marked *