insight for active directory · sysinternals - adinsight is an advanced monitoring tool for windows...

ADInsightisanadvancedmonitoringtoolforWindowsthatshowsreal-timefileclient-sideActiveDirectory(LDAP-Light-weightDirectoryAccessProtocol)activity.UsingADInsight,youcantroubleshootpermissions,performance,andconfigurationissuesthataffectAD-enabledapplications,suchasExchangeandSQLServer.

ADInsightusesDLLinjectiontechniquestointerceptcallsthatapplicationsmakeintheWldap32.dlllibrary,whichisthestandardlibraryunderlyingActiveDirectoryAPIssuchldapandADSI.Unlikenetworkmonitoringtools,ADInsightinterceptsandinterpretsallclient-sideAPIs,includingthosethatdonotresultintransmissiontoaserver.ADInsightmonitorsanyprocessintowhichitcanloadit’stracingDLL,whichmeansthatitdoesnotrequireadministrativepermissions,however,ifrunwithadministrativerights,itwillalsomonitorsystemprocesses,includingwindowsservices.

ADInsightrunsonWindows2000,WindowsXP,WindowsVista,WindowsServer2003,andWindowsServer2008.

CapturingEvents

Totogglecapturemodeonandoff,clicktheCapturetoolbarbutton,chooseCaptureEventsfromtheFilemenu,orpressCtrl+E.Nodataiscollectedwhencapturemodeisoff.

Bydefaulteventsarecapturedwhenanewconnectionismade.TochangethedefaultcapturemodechoosePreferencesfromtheOptionsmenuandclearAutomaticallystarttocaptureafterconnection.

CopyinganEvent

TocopyaselectedeventtotheClipboard,choseCopyfromtheEditmenuorpressCtrl+C.

FindingText

TosearchforanoccurrenceoftextintheEventPane,clicktheFindtoolbarbutton,chooseFindontheEditmenu,orpressCtrl+F.ThisactionopenstheFinddialogbox.

IfthetextyouenteredisfoundintheEventPane,thematchingeventwillbeselectedandAutoScrollwillbeturnedofftokeepthelineinthewindow.

TorepeatasearchdowntheeventlistpresstheF3shortcutkey.TorepeatasearchuptheeventlistpresstheShift+F3shortcutkey.

YoucansearchonlyincolumnsthatarevisibleintheEventPane.Tosetthecolumndisplay,chooseSelectColumnsfromtheOptionsmenuorfromthecontextmenuthatappearswhenyouright-clickonanitem.

ClearingtheDisplay

TocleartheEventPane,clicktheCleartoolbarbuttonorchooseClearDisplayfromtheEditmenu.

Thisactionresetsthesequencenumberto0;italsoresetsthevaluesdisplayedintheTimecolumnifrelativetimeisselected.

FilteringtheDisplay

Todisplayorhideprocesseswhosenamescontainspecifiedtextsubstrings,ortoaddorexcludeselectedLDAPtransactions,clicktheFiltertoolbarbutton,chooseEventFilterfromtheViewmenu,orpressCtrl+L.

ThisactionopenstheEventFiltersdialogbox.

Toviewonlyprocesseswhosenamescontainspecifiedsubstrings,typethetextexpressionintheIncludelist.Toexcludeprocesseswhosenamescontainspecifiedsubstrings,typethetextexpressionintheExcludelist.

UsingFilterExpressions

Youcanentermultipleexpressionsbyseparatingeachexpressionwithasemicolon(;).UsetheAsterisks(*)asawildcardcharacter.Donotincludespacesintheexpressionunlessyouwantthespacestobepartofthefilter.Filterexpressionsareacaseinsensitive.

SelectingDisplayedTransactions

TohideselectedLDAPtransactions,clearthecorrespondingcheckboxes.TodisplayeventsnotcommonlyusedfortroubleshootingandconfigurationselectShowAdvancedEvents.

ToresettheIncludeandExcludeexpressionsandselectthedefaultLDAPtransactioncheckboxes,clickResettoDefault.

ChangesintheEventFiltersdialogboxdonotaffectitemsalreadyinthedisplay.WhenyoustartInsightforActiveDirectorywithaProcessFilterappliedfromaprevioussession,theEventFiltersdialogboxwillopentoconfirmyourfiltersettings.TostarttheconsolewithoutopeningtheFilterdialogbox,addthe-qparametertoyourstartupcommand.

HighlightingEvents

Tosetdisplayhighlightingproperties,chooseHighlightPreferencesontheHighlightmenuorfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.

ThisactionopenstheEventHighlightingdialogbox.

Tohighlighteventsinthesamesessionhandleastheselecteditem,clickSessions.Tohighlighteventswiththesameeventhandleastheselecteditem,clickRelatedItems.Tohighlighteventswhoseprocessnamescontainspecifiedtextsubstrings,clickProcessesandtypethetextexpressionintheProcessNameFilterlist.FilterexpressionrulesapplytotextintheProcessNameFilter.Tohighlighteventswitherrors,clickErrorResult.

TohighlighteventswithResultTimesthatarelongerthanaspecifiedtime,clickHighlightEventsthattakelongerthanandtypethetimeinseconds.

Tochangeahighlightcolor,clicktheColorbuttoncorrespondingtothehighlightoption.ThisactionopenstheHighlightColordialogbox.Totoggleallhighlightingonandoff,chooseEnableHighlightingontheHighlightingmenu.

TheNextandPrevtoolbarbuttonsaredisabledwhenhighlightingisdisabledorErrorResultisnotselected.

FindingEventErrors

TogotothenexterrorintheEventPane,clicktheNexttoolbarbuttonorchooseNextEventErrorfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.

TogotothepreviouserrorintheEventPane,clickthePrevtoolbarbuttonorchoosePreviousEventErrorfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.

TheNextandPrevtoolbarbuttonsaredisabledwhenhighlightingisoff,whenErrorResultintheEventHighlightingdialogboxisnotselected,orwhennoitemisselectedintheEventPane.

ViewingRelatedEvents

Toviewalistofeventswiththesameeventhandleastheselecteditem,chooseViewRelatedEventsontheViewmenuoronthecontextmenuthatappearswhenyouright-clickontheitem.ThisactionopenstheRelatedTransactionEventswindow.

NoteColumnsthatappearinthewindowcorrespondtothecolumnsvisibleintheEventPane.Toaddorremovecolumns,chooseSelectColumnsfromtheOptionsmenuorfromthecontextmenuthatappearswhenyouright-clickonanitem.

ViewingRelatedSessionEvents

ToviewalistofeventswiththesameLDAPsessionhandleastheselecteditem,chooseViewSessionEventsontheViewmenuoronthecontextmenuthatappearswhenyouright-clickontheitem.ThisactionopenstheRelatedSessionEventswindow.

NoteColumnsthatappearinthewindowcorrespondtothecolumnsvisibleintheEventPane.Toaddorremovecolumns,chooseSelectColumnsfromtheOptionsmenuorfromthecontextmenuthatappearswhenyouright-clickonanitem.

ViewingProcessInformation

ToviewinformationabouttheprocessmakinganLDAPcall,chooseProcessInformationfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.

ThisactionopenstheProcessInformationwindow.

ViewingEventInformation

ToviewsummaryinformationaboutanLDAPfunctionthatappearsintheRequestcolumn,double-clickanitemintheEventPaneorchooseEventInformationfromthecontextmenuthatappearswhenyouright-click.

Thisactionopensapop-updialogboxthatdisplaysthefullnameanddescriptionofthefunction.

ToviewdetaileddiagnosticinformationabouttheLDAPfunction,clicktheMoreInfohyperlink.ThisactionopensabrowserwindowwithinformationfromtheMSDNLibraryWebsite.

SettingTimeDisplayOptions

TotoggletheTimecolumndisplaybetweenclocktimeandrelativetime,chooseClockTimefromtheOptionsmenuorpressCtrl+T.

WhenclocktimeisselectedyoucantoggletheTimecolumndisplaytoshoworhidemillisecondsbychoosingShowMillisecondsfromtheOptionsmenu.YoucantogglethenumberofdecimalplacesdisplayedintheTimeandDurationcolumnsbychoosingShowSimpleTimefromtheOptionsmenu.SimpletimeisdisplayedintheTimecolumnonlywhenrelativetimeisselected.

SettingAutoScroll

Bydefaultthedisplayscrollstoautomaticallyshownewactivity.

TotoggleAutoScrolloffandon,clicktheScrolltoolbarbutton,chooseAutoScrollontheViewmenuorpressCtrl+A.

TurningoffAutoScrolltemporarilysetstheHistoryDepthtoanunlimitednumberoflinessothatnewitemswillcontinuetoappearinthedisplay.

SettingHistoryDepth

BydefaultolderlinesarediscardedfromtheeventlisttostaywithinaspecifiedHistorydepth.TochangeHistorydepth,clicktheHistorytoolbarbutton,chooseHistoryDepthontheViewmenu,orpressCtrl+H.

ThisactionopenstheEventListHistoryDepthdialogbox.

TypeorselectanewvalueintheHistoryDepthboxorclickDefaulttorestorethedefaultvalueof50,000lines.Typeorselect0intheHistoryDepthboxtoretainanunlimitednumberoflinesinthedisplay.

TurningoffAutoScrolltemporarilysetstheHistoryDepthtoanunlimitednumberoflinessothatnewitemswillcontinuetoappearinthedisplay.

SettingtheColumnDisplay

Toselectthecolumnsthatappearinthedisplay,chooseSelectColumnsfromtheOptionsmenuorfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.ThisactionopenstheSelectColumnsdialogbox.

YoucanchooseanyofthefollowingcolumnstoappearintheEventPane:

SequenceNumber

theuniquesequencenumberassignedtoanevent;gapsinsequencenumbersmayindicatebufferoverflowresultingfromheavyactivityorfilteringthatpreventssomeitemsfromappearinginthedisplay

Time thetimethattheeventoccurred

Process thenameoftheprocessmakingtheLDAPcalltotheActiveDirectory

Request thenameoftheLDAPfunctioncall

Type whethertheLDAPcallissynchronousorasynchronous

Session theLDAPsessionhandle

EventID theLDAPeventhandle

Input thevaluepassedfromtheProcesstotheActiveDirectory

Output thevaluepassedtotheProcessfromtheActiveDirectory

Result theResultcodereturnedbythefunction;SuccessresultsarenotdisplayedunlessyouclearSuppressSuccessStatusontheOptionsmenu

Duration theelapsedtimebetweenthecallandtheresult

YoucanchooseanyofthefollowingcolumnstoappearintheDetailsPane:

Parameter theparameternamesfortheselectedLDAPcall

In/Out whethertheparameterisbeingsentorreceivedbytheapplication

Value thevaluepassedtoorfromtheprocessmakingtheLDAPcall

SettingOtherDisplayOptions

Tochangethefontsizeofitemsinthedisplay,chooseFontontheOptionsmenu.ChooseAlwaysonToptokeepthewindowdisplayedwhenyouswitchprogramsorwindows.TotoggletheRequestcolumnbetweenfullandsimpleLDAPfunctionnames,clickShowSimpleEventNameontheOptionsmenu.ExamplesoffullandsimpleLDAPfunctionnamesare:

FullNameldap_get_values_len

SimpleName getvalueslength

Totogglethedisplaybetweendistinguishedandsimplenames,clickShowDistinguishedNameFormatontheOptionsmenu.Examplesofequivalentdistinguishedandsimplenamesare:

DistinguishedNameCN=RCHASE-2K3,CN=Computers,DC=OA,DC=Denver,DC=Addesinc,DC=com

SimpleName OA.Denver.Addesinc.com\Computers\RCHASE-2K3

TotogglethedisplayofLDAPfilterstringsintheInputcolumnandDetailsPanebetweensimpleformat(i.e.,prefixnotation)andstandardformat(i.e.,infixnotation),clickShowSimpleLDAPFiltersontheOptionsmenu.Examplesofequivalentsimpleandstandardformatfilterstringsare:

SimpleFormat((NOT((showInAdvancedViewOnly=TRUE))AND(samAccountType=805306368))AND((name=rchase-2k3*)OR(sAMAccountName=rchase-2k3*)))

StandardFormat (&(&(!(showInAdvancedViewOnly=TRUE))(samAccountType=805306368))(name=rchase-2k3*)(sAMAccountName=rchase-2k3*)))

TotoggleoffandonthedisplayofSuccessstatusintheResultcolumn,clickSuppressSuccessStatusfromtheOptionsmenu.

Command-LineOptions

Youcanusecommand-lineparameterstosetconsolestartupoptionsandtolaunchthemonitoringservicefromabatchfileorcommandwindow.

Syntax

adinsight[-q][-o][-logFileName][-fiIncludeString][-feExcludeString][[-uUserName–pPassword]-rComputerName]...

Parameters

StartstheconsolewithoutopeningtheFilterdialogbox.BydefaulttheFilterdialogboxopensatstartupifanyfiltersareapplied.

Turnsoffeventcapture.

-logFileName

Writesactivitytoalogfilewithoutopeningtheconsole,whereFileNameisthenameoftheoutputfile.

SpecifiesanIncludestringfortheFilter.FilterexpressionrulesapplytotheIncludeStringtext.

SpecifiesanExcludestringfortheFilter.FilterexpressionrulesapplytotheExcludeStringtext.

Displayshelpatthecommandprompt.

SavingOutput

TosavethecontentsoftheEventPaneasatextfile,chooseSaveontheFilemenuorpresstheCtrl+Sshortcutkey.

TocopytheselecteditemtotheClipboard,choseCopyfromtheEditmenuorpresstheCtrl+Cshortcutkey.

YoucanalsosavethecontentsoftheEventPaneasHTMLformattedreports.

LoggingtoaFile

Youcanusethecommand-line-logoptiontowriteactivitytoalogfilewithoutopeningtheconsole.

ViewingEventReports

ToviewareportofallitemsintheEventPane,chooseEventsfromtheHTMLReportssubmenuoftheViewmenu.

ThisactionopensanHTML-formattedreportinyourWebbrowserwindow.

ToviewdetaileddiagnosticinformationaboutanLDAPfunctionintheRequestcolumn,clickthehyperlink.Tosavethecontentsofthereport,

chooseSaveAsfromtheFilemenuofyourbrowserwindow.

ColumnsthatappearinthereportcorrespondtothecolumnsvisibleintheEventPane.Toaddorremovecolumns,chooseSelectColumnsfromtheOptionsmenuorfromthecontextmenuthatappearswhenyouright-clickonanitem.

ViewingEventswithDetails

ToviewareportofallitemsintheEventPanewithcorrespondingDetailsPanes,chooseEventswithDetailsfromtheHTMLReportssubmenuoftheViewmenu.

ToviewdetailedinformationaboutanLDAPfunctionintheRequest

column,clickthehyperlink.Tosavethecontentsofthereport,chooseSaveAsfromtheFilemenuofyourbrowserwindow.

ViewingEventswithTimeResults

ToviewahistogramreportofLDAPcallsintheEventPanewithTotalTime,LongestTime,andAverageTimestatistics,chooseEventTimeResultsfromtheHTMLReportssubmenuoftheViewmenu.

ToviewdetailedinformationaboutanLDAPfunction,clickthehyperlink.Tosavethecontentsofthereport,chooseSaveAsfromtheFilemenuofyourbrowserwindow.

Todisplayuncalledfunctions,choosePreferencesfromtheOptionsmenuandclearSuppressuncalledfunctionsinreports.

ViewingHighlightedEvents

ToviewareportofhighlightedentriesintheEventPane,chooseHighlightedEventsfromtheHTMLReportssubmenuoftheViewmenu.

ToviewdetailedinformationaboutanLDAPfunctionintheRequestcolumn,clickthehyperlink.Tosavethecontentsofthereport,chooseSaveAsfromtheFilemenuofyourbrowserwindow.

ChangeColorHighlighting

YoucansetcolorhighlightingpropertiesofthedisplaybychoosingHighlightPreferencesfromtheHighlightmenuorfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.

DisplayOnlySelectedEvents

YoucandisplayorhideprocesseswhosenamescontainspecifiedtextoraddandexcludeselectedtransactionsbyclickingtheFilter toolbarbutton,choosingEventFilterontheViewmenu,orpressingCtrl+L.

LogSystemActivity

Youcanusethecommand-line-logoptiontowriteactivitytoalogfilewithoutopeningtheconsole.

SaveEventsintheDisplay

YoucansavethecontentsoftheEventPaneasatextfilebychoosingSaveontheFilemenuorpressingCtrl+S.

YoucancopyaselecteditemtotheClipboardbychoosingCopyfromtheEditmenuorpressingCtrl+C.

YoucanalsosavethecontentsoftheEventPaneasHTMLformattedreports.

ViewDifferentColumnsintheDisplay

YoucanselectthecolumnsthatappearinthedisplaybychoosingSelectColumnsfromtheOptionsmenuorfromthecontextmenuthatappearswhenyouright-clickonanitemintheEventPane.

ReportingBugs

Ifyouencounterabugpleasesendemailtomarkruss@microsoft.com,includingthebehavioryouobserved,thebehavioryouexpected,andstepsforreproducingtheproblem.

SettingProgramPreferences

Tochangethedefaultcapturemodewhenmakinganewconnection,displayatrayicon oncomputersrunningthemonitoringservice,changetheTCP/IPportnumberoradministrativesharename,ordisplayuncalledfunctionsinEventswithTimeResultsreports,choosePreferencesfromtheOptionsmenu.

ThisactionopensthePreferencesdialogbox.

insight for active directory · sysinternals - adinsight is an advanced monitoring tool for windows...

Documents

active directory basics- active directory

active directory windows2003 server. agenda what is active...

network architecture & active directory … architecture &...

administering active directory · 2013-10-09administering...

pingfederate integration with azure active directory … ·...

how the active directory replication model works_ active...

beyond the mcse: active directory for the security...

active directory

active directory security: the journey€¦ · active...

introduction to active directory · introduction to active...

active directory

active directory upgrade - cisco.com · active directory...

tutorial sysinternals suite.doc

introduction to active directory q. what is active...

active directory 101 manage and maintain active directory...

active directory and windows - oracle.com · active...

1 administering active directory locating active directory...

1 installing and configuring active directory preparing for...

module 1: introduction to active directory. overview ...

sysinternals demo sysinternals