
Active Directory: Monitoring AD performance

In this series, Active Directory expert Laura E. Hunter gives tips on monitoring AD usage and totaling users in a specified group. She also works out issues when trying to add a child domain in a Windows Server 2003 Active Directory.

The following is a collection of expert responses to reader questions by Laura Hunter.

Laura E. Hunter

Hi there. Recently my customers bought a new server and they need to migrate everything to this new server, including AD, DNS and SQL Server 2000. Could you kindly advise me on any step-by-step instructions or precautions to take note of before the migration? Thanks!

Laura Hunter: The best place to start planning an Active Directory migration is the following TechNet link, which will give you an overview of a number of different tools that are available for your use. In addition, there is an entire area of Microsoft's Web site devoted to planning SQL Server migrations, located here.

How many partitions are there in a Windows 2000 Active Directory?

LH: If by partitions you are referring to naming contexts, there are a minimum of three: the Configuration NC contains forest-wide configuration data and is replicated to every domain controller in a forest. The Schema NC contains schema information and is also replicated forest-wide. Finally, each AD domain within a forest has a Domain Naming Context that is fully replicated to the domain controllers within the individual domain, while Global Catalog Servers (GCs) maintain a partial, read-only replica of every domain NC in the forest.

Is it possible to monitor the usage of Active Directory? I work in a company where many techs have access to AD and can modify as needed. If so, I will be notified whenever someone changes stuff in AD. I am just a branch administrator of the local office. I would like to know a way to monitor from the local PC where the AD connection is available. Please advise me. Thanks.

LH: There are any number of free and third-party tools available to monitor Active Directory performance and security events. You can use Microsoft's free EventCombMT or LogParser utility to comb through Event Viewer log files on multiple servers and then use scripts to respond accordingly. If you're willing to throw a bit of money at the solution, there is always the Microsoft Operations Manager (MOM), which provides a centralized management console to monitor services and system performance, in addition to third-party tools from vendors like Quest and NetPro.
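The event-log combing described in this answer can be done with built-in PowerShell, shown here as an added example that is not part of the original answer. It assumes domain controllers running Windows Server 2008 or later with account-management and directory-service-change auditing enabled; the DC names are placeholders, and on Windows 2000/2003 the account-management events use the older IDs (the modern ID minus 4096, for example 632 instead of 4728).

```powershell
# Added example. DC names are placeholders; replace them with your own.
$DomainControllers = 'dc01.example.com', 'dc02.example.com'

# Security-log event IDs that record AD changes (Windows Server 2008 and later).
$ChangeEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4728 = 'Member added to global security group'
    4729 = 'Member removed from global security group'
    4732 = 'Member added to local security group'
    4733 = 'Member removed from local security group'
    4756 = 'Member added to universal security group'
    4757 = 'Member removed from universal security group'
    5136 = 'Directory object modified'
}

function Get-AdChangeEvent {
    param([string[]]$ComputerName, [datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = [int[]]$ChangeEvents.Keys; StartTime = $Since }
    foreach ($dc in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                ForEach-Object {
                    # EventData fields are name/value pairs in the event XML.
                    $data = @{}
                    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                    [pscustomobject]@{
                        Time   = $_.TimeCreated
                        DC     = $dc
                        Change = $ChangeEvents[$_.Id]
                        Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                        Target = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['TargetUserName'] }
                        Member = $data['MemberName']   # only set on group-membership events
                    }
                }
        }
        catch {
            # Get-WinEvent throws when nothing matches or the DC cannot be reached.
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

Get-AdChangeEvent -ComputerName $DomainControllers | Sort-Object Time | Format-Table -AutoSize
```

The account running it needs permission to read the Security log on each domain controller; scheduling it and mailing the output gives the notification the question asks for.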

Is there a utility that will total the number of users in a specified group in Active Directory? I need to know how many users are in one of our groups but I wanted to know if there was a utility to count them instead of doing it manually.

LH: You can easily retrieve this information using VBScript, as follows:

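' Bind to the group object through ADSI
Set objGroup = GetObject _
    ("LDAP://cn=Scientists,ou=R&D,dc=NA,dc=fabrikam,dc=com")
objGroup.GetInfo

' GetEx returns the multi-valued "member" attribute as an array.
' VBScript arrays have no .length property, so count with UBound.
arrMemberOf = objGroup.GetEx("member")
WScript.Echo "Group members: " & (UBound(arrMemberOf) + 1)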

I'm setting up a new forest in which I will have two different child domains. I have just set up the parent domain ( using Windows Server 2003. Now I want to add a child domain using a Windows 2000 Server but every time I try to set up AD and contact the parent domain ( or encorepr using NetBIOS) I get an error message that states that it cannot contact the parent domain and if I recently set it up it may take time to register with DNS.

I've let it sit for a little while and I still cannot figure out why it will not connect to the parent domain.

Am I doing something wrong or did I miss something in the setup of either server? The parent domain is on a network and the child domain I want to create is on a network. I want to try to keep them as separated as possible so that's why I used different subnets.

Any idea what I might be doing wrong? Thanks in advance for all of your help!

LH: Based on your description, the first place that I would start troubleshooting is your DNS setup. From the server in the child domain that you're trying to promote, can you ping the domain controllers in the parent domain by their IP address? By their DNS name? By their associated GUID in the _msdcs. domain? Be sure that the server in your child domain is using a DNS server that can resolve the SRV records associated with the parent domain, particularly that of the Domain Naming Master.
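The reachability and SRV-record checks from this answer, scripted as an added example that is not part of the original answer. The domain name, DC name and IP address are placeholders, and the script is meant to be run on the server being promoted so that it uses that server's configured DNS resolver.

```powershell
# Added example. Domain name, DC name and DC address are placeholders.
$ParentDomain = 'parent.example.com'
$ParentDcName = 'dc01.parent.example.com'
$ParentDcIp   = '192.0.2.10'

function Test-ParentDomainDns {
    param([string]$Domain, [string]$DcName, [string]$DcIp)
    $results = @()

    # 1. Reachability of a parent-domain DC by IP address, then by DNS name.
    foreach ($target in $DcIp, $DcName) {
        $results += [pscustomobject]@{
            Check  = "ping $target"
            Passed = [bool](Test-Connection -ComputerName $target -Count 2 -Quiet)
            Detail = ''
        }
    }

    # 2. DC locator SRV records registered under _msdcs for the parent domain.
    $srvNames = "_ldap._tcp.dc._msdcs.$Domain",
                "_ldap._tcp.pdc._msdcs.$Domain",
                "_kerberos._tcp.dc._msdcs.$Domain"
    foreach ($name in $srvNames) {
        try {
            # Keep only SRV answers; the response may also carry A records.
            $srv = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            $results += [pscustomobject]@{
                Check  = "SRV $name"
                Passed = [bool]$srv
                Detail = ($srv | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', '
            }
        }
        catch {
            # NXDOMAIN, timeout or refused query: the resolver cannot see the record.
            $results += [pscustomobject]@{ Check = "SRV $name"; Passed = $false; Detail = $_.Exception.Message }
        }
    }
    $results
}

Test-ParentDomainDns -Domain $ParentDomain -DcName $ParentDcName -DcIp $ParentDcIp |
    Format-Table -AutoSize -Wrap
```

A failed SRV lookup alongside a successful ping by IP points at the DNS server the child server is configured to use rather than at routing between the two subnets.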

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at
