ADInsight Copyright © 2007 Mark Russinovich and Bryce Cogswell, Sysinternals - www.sysinternals.com
ADInsight is an advanced monitoring tool for Windows that shows real-time client-side Active Directory (LDAP, Lightweight Directory Access Protocol) activity. Using ADInsight, you can troubleshoot permissions, performance, and configuration issues that affect AD-enabled applications, such as Exchange and SQL Server.
ADInsight uses DLL injection techniques to intercept calls that applications make into the Wldap32.dll library, which is the standard library underlying Active Directory APIs such as LDAP and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all client-side APIs, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load its tracing DLL, which means that it does not require administrative permissions; however, if run with administrative rights, it will also monitor system processes, including Windows services.
ADInsight runs on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.
Capturing Events
To toggle capture mode on and off, click the Capture toolbar button, choose Capture Events from the File menu, or press Ctrl+E. No data is collected when capture mode is off.
Note
By default, events are captured when a new connection is made. To change the default capture mode, choose Preferences from the Options menu and clear Automatically start to capture after connection.
Copying an Event
To copy a selected event to the Clipboard, choose Copy from the Edit menu or press Ctrl+C.
Finding Text
To search for an occurrence of text in the Event Pane, click the Find toolbar button, choose Find on the Edit menu, or press Ctrl+F. This action opens the Find dialog box.
If the text you entered is found in the Event Pane, the matching event will be selected and AutoScroll will be turned off to keep the line in the window.
To repeat a search down the event list, press the F3 shortcut key. To repeat a search up the event list, press the Shift+F3 shortcut key.
Note
You can search only in columns that are visible in the Event Pane. To set the column display, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item.
Clearing the Display
To clear the Event Pane, click the Clear toolbar button or choose Clear Display from the Edit menu.
This action resets the sequence number to 0; it also resets the values displayed in the Time column if relative time is selected.
Filtering the Display
To display or hide processes whose names contain specified text substrings, or to add or exclude selected LDAP transactions, click the Filter toolbar button, choose Event Filter from the View menu, or press Ctrl+L.
This action opens the Event Filters dialog box.
To view only processes whose names contain specified substrings, type the text expression in the Include list. To exclude processes whose names contain specified substrings, type the text expression in the Exclude list.
Using Filter Expressions
You can enter multiple expressions by separating each expression with a semicolon (;). Use the asterisk (*) as a wildcard character. Do not include spaces in the expression unless you want the spaces to be part of the filter. Filter expressions are case insensitive.
Selecting Displayed Transactions
To hide selected LDAP transactions, clear the corresponding check boxes. To display events not commonly used for troubleshooting and configuration, select Show Advanced Events.
To reset the Include and Exclude expressions and select the default LDAP transaction check boxes, click Reset to Default.
Notes
Changes in the Event Filters dialog box do not affect items already in the display. When you start Insight for Active Directory with a Process Filter applied from a previous session, the Event Filters dialog box will open to confirm your filter settings. To start the console without opening the Filter dialog box, add the -q parameter to your startup command.
Highlighting Events
To set display highlighting properties, choose Highlight Preferences on the Highlight menu or from the context menu that appears when you right-click on an item in the Event Pane.
This action opens the Event Highlighting dialog box.
To highlight events in the same session handle as the selected item, click Sessions. To highlight events with the same event handle as the selected item, click Related Items. To highlight events whose process names contain specified text substrings, click Processes and type the text expression in the Process Name Filter list. Filter expression rules apply to text in the Process Name Filter. To highlight events with errors, click Error Result.
To highlight events with Result Times that are longer than a specified time, click Highlight Events that take longer than and type the time in seconds.
To change a highlight color, click the Color button corresponding to the highlight option. This action opens the Highlight Color dialog box. To toggle all highlighting on and off, choose Enable Highlighting on the Highlighting menu.
Note
The Next and Prev toolbar buttons are disabled when highlighting is disabled or Error Result is not selected.
Finding Event Errors
To go to the next error in the Event Pane, click the Next toolbar button or choose Next Event Error from the context menu that appears when you right-click on an item in the Event Pane.
To go to the previous error in the Event Pane, click the Prev toolbar button or choose Previous Event Error from the context menu that appears when you right-click on an item in the Event Pane.
Note
The Next and Prev toolbar buttons are disabled when highlighting is off, when Error Result in the Event Highlighting dialog box is not selected, or when no item is selected in the Event Pane.
Viewing Related Events
To view a list of events with the same event handle as the selected item, choose View Related Events on the View menu or on the context menu that appears when you right-click on the item. This action opens the Related Transaction Events window.
Note
Columns that appear in the window correspond to the columns visible in the Event Pane. To add or remove columns, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item.
Viewing Related Session Events
To view a list of events with the same LDAP session handle as the selected item, choose View Session Events on the View menu or on the context menu that appears when you right-click on the item. This action opens the Related Session Events window.
Note
Columns that appear in the window correspond to the columns visible in the Event Pane. To add or remove columns, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item.
Viewing Process Information
To view information about the process making an LDAP call, choose Process Information from the context menu that appears when you right-click on an item in the Event Pane.
This action opens the Process Information window.
Viewing Event Information
To view summary information about an LDAP function that appears in the Request column, double-click an item in the Event Pane or choose Event Information from the context menu that appears when you right-click.
This action opens a pop-up dialog box that displays the full name and description of the function.
To view detailed diagnostic information about the LDAP function, click the More Info hyperlink. This action opens a browser window with information from the MSDN Library Web site.
Setting Time Display Options
To toggle the Time column display between clock time and relative time, choose Clock Time from the Options menu or press Ctrl+T.
When clock time is selected, you can toggle the Time column display to show or hide milliseconds by choosing Show Milliseconds from the Options menu. You can toggle the number of decimal places displayed in the Time and Duration columns by choosing Show Simple Time from the Options menu. Simple time is displayed in the Time column only when relative time is selected.
Setting AutoScroll
By default, the display scrolls automatically to show new activity.
To toggle AutoScroll off and on, click the Scroll toolbar button, choose AutoScroll on the View menu, or press Ctrl+A.
Note
Turning off AutoScroll temporarily sets the History Depth to an unlimited number of lines so that new items will continue to appear in the display.
Setting History Depth
By default, older lines are discarded from the event list to stay within a specified History Depth. To change History Depth, click the History toolbar button, choose History Depth on the View menu, or press Ctrl+H.
This action opens the Event List History Depth dialog box.
Type or select a new value in the History Depth box, or click Default to restore the default value of 50,000 lines. Type or select 0 in the History Depth box to retain an unlimited number of lines in the display.
Note
Turning off AutoScroll temporarily sets the History Depth to an unlimited number of lines so that new items will continue to appear in the display.
Setting the Column Display
To select the columns that appear in the display, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item in the Event Pane. This action opens the Select Columns dialog box.
You can choose any of the following columns to appear in the Event Pane:
Sequence Number: the unique sequence number assigned to an event; gaps in sequence numbers may indicate buffer overflow resulting from heavy activity, or filtering that prevents some items from appearing in the display
Time: the time that the event occurred
Process: the name of the process making the LDAP call to the Active Directory
Request: the name of the LDAP function call
Type: whether the LDAP call is synchronous or asynchronous
Session: the LDAP session handle
Event ID: the LDAP event handle
Input: the value passed from the Process to the Active Directory
Output: the value passed to the Process from the Active Directory
Result: the result code returned by the function; Success results are not displayed unless you clear Suppress Success Status on the Options menu
Duration: the elapsed time between the call and the result
You can choose any of the following columns to appear in the Details Pane:
Parameter: the parameter names for the selected LDAP call
In/Out: whether the parameter is being sent or received by the application
Value: the value passed to or from the process making the LDAP call
Setting Other Display Options
To change the font size of items in the display, choose Font on the Options menu. Choose Always on Top to keep the window displayed when you switch programs or windows. To toggle the Request column between full and simple LDAP function names, click Show Simple Event Name on the Options menu. Examples of full and simple LDAP function names are:
Full Name: ldap_get_values_len
Simple Name: get values length
To toggle the display between distinguished and simple names, click Show Distinguished Name Format on the Options menu. Examples of equivalent distinguished and simple names are:
Distinguished Name: CN=RCHASE-2K3,CN=Computers,DC=OA,DC=Denver,DC=Addesinc,DC=com
Simple Name: OA.Denver.Addesinc.com\Computers\RCHASE-2K3
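The distinguished-to-simple name translation shown above, as an added example that is not ADInsight's own code: it splits the DN from the help text into RDNs (honouring RFC 4514 backslash escapes, so an escaped comma inside a value does not break the parse), joins the DC components into the domain, and walks the container path from the domain root down to the leaf. The function names `split_dn` and `dn_to_simple` are this example's own.

```python
"""Convert an Active Directory distinguished name to the simple-name form
ADInsight can display (domain\\container\\...\\leaf).  Added example, not
ADInsight's own code; the DN below is the one quoted in the help text."""


def split_dn(dn):
    """Split a DN into (attribute, value) pairs.  RFC 4514 backslash
    escapes are honoured, so an escaped comma inside a value ('\\,')
    does not start a new RDN; escapes are kept literally in the value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escape: keep both characters
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_to_simple(dn):
    """Render as domain\\container\\...\\leaf: DC components joined by dots
    form the domain, then the remaining RDNs are listed from the domain
    root down to the leaf object (the reverse of their order in the DN)."""
    pairs = split_dn(dn)
    domain = [v for a, v in pairs if a == "DC"]
    path = [v for a, v in pairs if a != "DC"]
    if not domain or not path:
        raise ValueError("DN needs at least one DC and one non-DC RDN")
    return "\\".join([".".join(domain)] + path[::-1])


if __name__ == "__main__":
    print(dn_to_simple("CN=RCHASE-2K3,CN=Computers,DC=OA,DC=Denver,DC=Addesinc,DC=com"))
```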
To toggle the display of LDAP filter strings in the Input column and Details Pane between simple format (i.e., prefix notation) and standard format (i.e., infix notation), click Show Simple LDAP Filters on the Options menu. Examples of equivalent simple and standard format filter strings are:
Simple Format: ((NOT((showInAdvancedViewOnly=TRUE)) AND (samAccountType=805306368)) AND ((name=rchase-2k3*) OR (sAMAccountName=rchase-2k3*)))
Standard Format: (&(&(!(showInAdvancedViewOnly=TRUE))(samAccountType=805306368))(|(name=rchase-2k3*)(sAMAccountName=rchase-2k3*)))
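The conversion between the two filter formats above, as an added example that is not part of ADInsight: a small RFC 4515 parser turns a standard-format filter `(&(a)(b))` into a tree, and two renderers emit either the standard form or the simple form with AND/OR/NOT between the operands. Unbalanced parentheses or an operator with the wrong number of operands are rejected rather than silently rendered; the function names are this example's own.

```python
"""Standard <-> simple LDAP filter conversion as shown in the ADInsight help.
Added example, not ADInsight's own code; the filter used is the one quoted above."""

def parse_filter(text):
    """Parse a standard-format filter into ('&'|'|'|'!', [children]) or ('assert', 'a=v')."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"unclosed '{op}' group at offset {pos}")
            pos += 1
            if not children or (op == "!" and len(children) != 1):
                raise ValueError(f"'{op}' has the wrong number of operands")
            return (op, children)
        end = text.find(")", pos)  # leaf 'attr=value'; RFC 4515 \XX escapes contain no ')'
        if end < 0:
            raise ValueError("unterminated assertion")
        pos, leaf = end + 1, text[pos:end]
        return ("assert", leaf)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree

def to_simple(tree):
    """Render the tree with AND/OR/NOT between operands, e.g. ((a) AND (b))."""
    op, body = tree
    if op == "assert":
        return f"({body})"
    if op == "!":
        return f"NOT({to_simple(body[0])})"
    return "(" + (" AND " if op == "&" else " OR ").join(to_simple(c) for c in body) + ")"

def to_standard(tree):
    """Render the tree operator-first, e.g. (&(a)(b)); inverse of parse_filter."""
    op, body = tree
    if op == "assert":
        return f"({body})"
    return f"({op}" + "".join(to_standard(c) for c in body) + ")"
```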
To toggle off and on the display of Success status in the Result column, click Suppress Success Status from the Options menu.
Command-Line Options
You can use command-line parameters to set console startup options and to launch the monitoring service from a batch file or command window.
Syntax
adinsight [-q] [-o] [-log FileName] [-fi IncludeString] [-fe ExcludeString] [[-u UserName -p Password] -r ComputerName]...
Parameters
-q
Starts the console without opening the Filter dialog box. By default, the Filter dialog box opens at startup if any filters are applied.
-o
Turns off event capture.
-log FileName
Writes activity to a log file without opening the console, where FileName is the name of the output file.
-fi IncludeString
Specifies an Include string for the Filter. Filter expression rules apply to the IncludeString text.
-fe ExcludeString
Specifies an Exclude string for the Filter. Filter expression rules apply to the ExcludeString text.
-?
Displays help at the command prompt.
Saving Output
To save the contents of the Event Pane as a text file, choose Save on the File menu or press the Ctrl+S shortcut key.
To copy the selected item to the Clipboard, choose Copy from the Edit menu or press the Ctrl+C shortcut key.
Note
You can also save the contents of the Event Pane as HTML-formatted reports.
Logging to a File
You can use the command-line -log option to write activity to a log file without opening the console.
Viewing Event Reports
To view a report of all items in the Event Pane, choose Events from the HTML Reports submenu of the View menu.
This action opens an HTML-formatted report in your Web browser window.
To view detailed diagnostic information about an LDAP function in the Request column, click the hyperlink. To save the contents of the report, choose Save As from the File menu of your browser window.
Note
Columns that appear in the report correspond to the columns visible in the Event Pane. To add or remove columns, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item.
Viewing Events with Details
To view a report of all items in the Event Pane with corresponding Details Panes, choose Events with Details from the HTML Reports submenu of the View menu.
This action opens an HTML-formatted report in your Web browser window.
To view detailed information about an LDAP function in the Request column, click the hyperlink. To save the contents of the report, choose Save As from the File menu of your browser window.
Note
Columns that appear in the report correspond to the columns visible in the Event Pane. To add or remove columns, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item.
Viewing Events with Time Results
To view a histogram report of LDAP calls in the Event Pane with Total Time, Longest Time, and Average Time statistics, choose Event Time Results from the HTML Reports submenu of the View menu.
This action opens an HTML-formatted report in your Web browser window.
To view detailed information about an LDAP function, click the hyperlink. To save the contents of the report, choose Save As from the File menu of your browser window.
Note
To display uncalled functions, choose Preferences from the Options menu and clear Suppress uncalled functions in reports.
Viewing Highlighted Events
To view a report of highlighted entries in the Event Pane, choose Highlighted Events from the HTML Reports submenu of the View menu.
This action opens an HTML-formatted report in your Web browser window.
To view detailed information about an LDAP function in the Request column, click the hyperlink. To save the contents of the report, choose Save As from the File menu of your browser window.
Note
Columns that appear in the report correspond to the columns visible in the Event Pane. To add or remove columns, choose Select Columns from the Options menu or from the context menu that appears when you right-click on an item.
Change Color Highlighting
You can set color highlighting properties of the display by choosing Highlight Preferences from the Highlight menu or from the context menu that appears when you right-click on an item in the Event Pane.
Display Only Selected Events
You can display or hide processes whose names contain specified text, or add and exclude selected transactions, by clicking the Filter toolbar button, choosing Event Filter on the View menu, or pressing Ctrl+L.
Log System Activity
You can use the command-line -log option to write activity to a log file without opening the console.
Save Events in the Display
You can save the contents of the Event Pane as a text file by choosing Save on the File menu or pressing Ctrl+S.
You can copy a selected item to the Clipboard by choosing Copy from the Edit menu or pressing Ctrl+C.
Note
You can also save the contents of the Event Pane as HTML-formatted reports.
View Different Columns in the Display
You can select the columns that appear in the display by choosing Select Columns from the Options menu or from the context menu that appears when you right-click on an item in the Event Pane.
Reporting Bugs
Send bug reports to [email protected], including the behavior you observed, the behavior you expected, and steps for reproducing the problem.
Setting Program Preferences
To change the default capture mode when making a new connection, display a tray icon on computers running the monitoring service, change the TCP/IP port number or administrative share name, or display uncalled functions in Events with Time Results reports, choose Preferences from the Options menu.
This action opens the Preferences dialog box.