Active Directory: Operations

This statistic shows the total number of Active Directory (AD) operations at a point in time, and measures operations per second for a period of time. This statistic also shows the results of these operations.

The AD operations statistic should be used only to diagnose issues that might be related to smbd. AD analytics should not be run continuously because they will unnecessarily consume system resources. You could generate an alert if the average latency substantially increases for a period of time, and the alert will appear on the dashboard. To set a threshold alert, see Configuring a Threshold Alert - BUI, CLI.

When to Check Active Directory Operations

This statistic provides information, such as the following:

  • User login rate

  • User authentication mechanisms used (NTLM versus Kerberos)

  • LSA lookup rate

This statistic helps identify problems, such as the following:

  • AD server connection issues

  • User authentication failures

  • AD domain join failure caused by a misconfigured DNS domain name. For example, a symptom of such misconfiguration might be a false alarm of a duplicate machine trust account in AD.

The AD operations statistic can help identify a user account that is a member of a large number of AD groups. Normally, a single-user domain authentication is associated with one or two LSA lookup exchanges. If a user is a member of a large number of AD groups, that user will have one authentication operation (either Kerberos or NTLM authentication) followed by many LSA lookup operations. One LSA lookup operation can resolve up to 25 group SIDs to AD group names. In the following figure, the user being authenticated is a member of at most 1025 (41 * 25) AD groups.


This figure shows one authentication operation and many LSA lookup operations.

This statistic also provides error codes associated with AD operations, such as the following:

  • The NT_STATUS_PIPE_NOT_AVAILABLE error might indicate that the domain controller (DC) has limited named pipe resources.

  • A Microsoft RPC (MSRPC) service provider rejection error might indicate that the DC is being patched with Microsoft Windows updates, which can temporarily limit the MSRPC services that are running.

Active Directory Operations Breakdowns

This statistic can be broken down by operation and result.

Table 5-6 Breakdowns of Active Directory Operations

Breakdown: type of operation

Description: The operation performed. Examples:

  • LSA lookup

  • Locate trust account

  • NTLM auth

  • Kerberos auth

  • DC failover

  • DC monitor

  • DC discovery

  • Domain join

  • Negotiate authentication mechanism

Breakdown: result

Description: The result of the operation. Examples:

  • SUCCESS

  • UNSUCCESSFUL

  • DOMAIN_CONTROLLER_NOT_FOUND

  • NONE_MAPPED

  • Key table entry not found

  • Ticket not yet valid

  • Workstation trust account update failed: The name is in use

  • NO_SUCH_USER

  • NT status

  • System error
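As an added example that is not part of this documentation, the following Python script computes the breakdowns described above (operations per second, counts by type of operation and by result, a latency threshold check, and the group-membership bound of 25 SIDs per LSA lookup) over a constructed set of AD operation records. The record layout, field names and result strings are assumptions for the example, not appliance output, and each LSA lookup is attributed to the most recent authentication operation.

```python
from collections import Counter

# One LSA lookup resolves up to 25 group SIDs (stated on the page).
SIDS_PER_LSA_LOOKUP = 25
AUTH_OPS = {"Kerberos auth", "NTLM auth"}
# Results that point at the domain controller rather than at the user.
DC_SIDE_RESULTS = {"DOMAIN_CONTROLLER_NOT_FOUND", "NT_STATUS_PIPE_NOT_AVAILABLE"}

# Constructed sample records: (second, operation, result, latency_ms).
# Layout and values are assumptions for this example, not appliance output.
SAMPLE_OPS = [
    (0, "Kerberos auth", "SUCCESS", 12),
    (0, "LSA lookup", "SUCCESS", 8),
    (0, "LSA lookup", "SUCCESS", 9),
    (0, "LSA lookup", "NONE_MAPPED", 7),
    (1, "NTLM auth", "NO_SUCH_USER", 15),
    (1, "DC monitor", "SUCCESS", 3),
    (2, "Locate trust account", "NT_STATUS_PIPE_NOT_AVAILABLE", 400),
    (2, "DC discovery", "DOMAIN_CONTROLLER_NOT_FOUND", 2500),
]

def breakdown(ops, field):
    """Count records by 'operation' or 'result', like the statistic's breakdowns."""
    idx = {"operation": 1, "result": 2}[field]
    return Counter(rec[idx] for rec in ops)

def ops_per_second(ops):
    """Average operations per second over the seconds present in the sample."""
    return len(ops) / len({rec[0] for rec in ops})

def average_latency_ms(ops):
    return sum(rec[3] for rec in ops) / len(ops)

def latency_alert(ops, baseline_ms, factor=2.0):
    """Threshold alert: average latency exceeds the baseline by 'factor'."""
    return average_latency_ms(ops) > baseline_ms * factor

def lsa_lookups_per_auth(ops):
    """For each authentication, count the LSA lookups that follow it and the
    upper bound on AD group membership they imply (lookups * 25)."""
    buckets = []
    for _, operation, _, _ in ops:
        if operation in AUTH_OPS:
            buckets.append([operation, 0])
        elif operation == "LSA lookup" and buckets:
            buckets[-1][1] += 1
    return [(op, n, n * SIDS_PER_LSA_LOOKUP) for op, n in buckets]

def dc_side_failures(ops):
    """Records whose result suggests a DC connection or resource problem."""
    return [rec for rec in ops if rec[2] in DC_SIDE_RESULTS]
```

Feeding it 41 LSA lookups after one authentication reproduces the figure's bound of 1025 groups.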

Further Analysis