Active Directory: Operations
This statistic shows the total number of Active Directory (AD) operations at a point in time, and measures operations per second for a period of time. This statistic also shows the results of these operations.
The AD operations statistic should be used only to diagnose issues that might be related to smbd. AD analytics should not be run continuously because they will unnecessarily consume system resources. You could generate an alert if the average latency substantially increases for a period of time, and the alert will appear on the dashboard. To set a threshold alert, see Configuring a Threshold Alert - BUI, CLI.
When to Check Active Directory Operations
This statistic provides information, such as the following:
- User login rate
- User authentication mechanisms used (NTLM versus Kerberos)
- LSA lookup rate
This statistic helps identify problems, such as the following:
- AD server connection issues
- User authentication failures
- AD domain join failure caused by a misconfigured DNS domain name. For example, a symptom of such a misconfiguration might be a false alarm of a duplicate machine trust account in AD.
The AD operations statistic can help identify a user account that is a member of a large number of AD groups. Normally, a single-user domain authentication is associated with one or two LSA lookup exchanges. If a user is a member of a large number of AD groups, that user will have one authentication operation (either Kerberos or NTLM authentication) followed by many LSA lookup operations. One LSA lookup operation can resolve up to 25 group SIDs to AD group names. In the following figure, the user being authenticated is a member of at most 1025 (41 * 25) AD groups.
![This figure shows one authentication operation and many LSA lookup operations.](img/lsalookup.png)
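The same reasoning applied to an ordered operation trace, as an added example that is not part of the original documentation: it attributes each run of LSA lookups to the preceding authentication and bounds that user's group count. The tuple format, the operation labels and the sample trace are constructed, and the attribution assumes logins do not overlap in the observed window.

```python
# Added example: constructed data and hypothetical names, not appliance output.
LSA_SIDS_PER_LOOKUP = 25  # from the text: one LSA lookup resolves up to 25 group SIDs
NORMAL_LOOKUPS = 2        # from the text: a normal login needs one or two lookups
AUTH_OPS = {"kerberos", "ntlm"}  # constructed labels for the two mechanisms


def group_bounds(ops):
    """Bound the AD group count behind each authentication in a trace.

    ops: iterable of (seconds, op_type) tuples in time order.
    Returns one dict per authentication with the number of LSA lookups
    that followed it and the resulting upper bound on group membership.
    """
    logins = []
    for ts, op in ops:
        if op in AUTH_OPS:
            logins.append({"time": ts, "auth": op, "lookups": 0})
        elif op == "lsa_lookup" and logins:
            logins[-1]["lookups"] += 1
        # Lookups seen before any authentication cannot be attributed; skip them.
    for login in logins:
        login["max_groups"] = login["lookups"] * LSA_SIDS_PER_LOOKUP
        login["large"] = login["lookups"] > NORMAL_LOOKUPS
    return logins


# Constructed trace: a normal Kerberos login, then an NTLM login followed
# by 41 LSA lookups (the case discussed in the text).
SAMPLE_TRACE = (
    [(0, "kerberos"), (0, "lsa_lookup"), (1, "lsa_lookup")]
    + [(5, "ntlm")]
    + [(5 + i // 10, "lsa_lookup") for i in range(41)]
)

if __name__ == "__main__":
    for login in group_bounds(SAMPLE_TRACE):
        flag = "LARGE GROUP MEMBERSHIP" if login["large"] else "normal"
        print(f"t={login['time']}s {login['auth']}: {login['lookups']} lookups, "
              f"at most {login['max_groups']} groups ({flag})")
```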
This statistic also provides error codes associated with AD operations, such as the following:
- The `NT_STATUS_PIPE_NOT_AVAILABLE` error might indicate that the domain controller (DC) has limited named pipe resources.
- A Microsoft RPC (MSRPC) service provider rejection error might indicate that the DC is being patched with Microsoft Windows updates that might have limited the MSRPC services being run.
Active Directory Operations Breakdowns
This statistic can be broken down by operation and result.
Table 5-6 Breakdowns of Active Directory Operations
Breakdown | Description |
---|---|
type of operation | The operation performed. Examples: |
result | The result of the operation. Examples: |
Further Analysis
- Active Directory: Average Latency for average latency per second