Common Recovery Tools in Active Directory: Part 2


Monitoring with Sonar and Ultrasound

Monitoring your AD is something that needs to be done regularly, and there are many commercial utilities out there that will help you achieve this. However, it might be worth investigating tools that are available for free from Microsoft, and even from some other vendors.

Introducing Sonar

Sonar and Ultrasound are two utilities that allow you to monitor the File Replication Service (FRS), and both utilities are good at detecting problems beforehand, or issues with replication from certain DCs. Sonar can be downloaded from the Microsoft Download Center at

You will need to have the .Net Framework 1.1 installed on the machine where Sonar will run. Also, please be aware that if you have .Net Framework 2.0 installed, it does not include 1.1, and you need to install 1.1 as well.

Once installed, Sonar will not create a program menu entry, so you will need to search for it. For some reason, it will install itself into the Resource Kit folder (C:Program FilesResource Kit) and it is called Sonar.exe. Once you run it, you will be presented with the following dialog box:

active directory

At this point, you can see two buttons, which can be used either for default querying (that is, all of the DCs within your domain) or for loading the settings with the Load Query button, if you have a specific query or setup saved. In our example, we will view the results and you will see the screen that you have seen in the previous figure. Also note the drop-down for Replica Set. This allows you to monitor DFS replications within your domain. So this tool is not just used to monitor the SYSVOL replications.

active directory

From the top part, you can easily select a very wide range of Filters via a drop-down list, and the Columns can be used to select the columns to be displayed. This relates to a group of columns, so there are more columns than just the ones selected from the drop-down. To illustrate the extent of information that you can get with this little utility, the following screenshot shows both of the menus expanded.

active directory

As you can see, you can use this tool to find out any information regarding the replication. Once you select the filters and columns that you want, you can click Refresh All and it will fetch that information from all DCs within your domain. You can see the disk usage of the AD database on all different DCs including any DC that has low disk space, is too slow, is backlogged with AD replications, and so on. This small utility, when used periodically, will help you to keep your AD in good healthy, shape and might help you find trouble-spots such as low bandwidth or wrongly configured replication schedules.

Introducing Ultrasound

Although Sonar is a good utility that is small and does its job very well, some organizations either have many FRS points that they want to monitor, or want much more information.

This is where Ultrasound comes in. This utility is also a free download from Microsoft. However, it has much steeper requirements. Namely, it requires an SQL server as a backend. Even the SQL Server 2000 Desktop engine, or the free SQL Server 2005 Express Edition, downloadable from the Microsoft Download Center, will serve this purpose, but they would require a two-step setup and more resources. It also does collections periodically via agents that are deployed using WMI from within the Ultrasound interface. Although the free Desktop Engine has limitations, such as allowing only few connections, it does provide enough database functionality for Ultrasound. SQL Server 2005 Express edition will work perfectly fine with no problems.

If Sonar can be compared to a sonar on a boat, which gives you a lot of information about what's ahead and what's going on around you, then Ultrasound has all of the features of Sonar, plus an additional feature for radar and satellite surveillance. Getting familiar with Ultrasound may take some time. As Ultrasound is a Microsoft utility, it can be downloaded from the Microsoft Download Center.

Once you install the SQL server, or prepare a database on an existing server, you can proceed to installing Ultrasound. You will be asked which server to use and you can just enter the name of the PC where your SQL server is running. After deploying the database structure, which can take a few minutes, the installation will finish, and you will have a new program menu entry, called FRS Monitoring, where Ultrasound is located.

Once you launch Ultrasound for the first time, you will be asked to add an FRS replica to Ultrasound. At this point, you should click Yes and you will be prompted for your domain name and the available FRS replicas. In our case, this is similar to the example shown in the following screenshot. By simply clicking the replica set, and then clicking on Add, you can add it to the list of FRS replicas to the list of FRS replicas to be monitored.

active directory

Next, you click OK, and Ultrasound will collect the Schema data from the selected replica set, and then ask you to add all Servers found, add only the highly connected, hub, servers or add none, and you will select your own. There is also an option to install the WMI collectors, which you want to do (shown in the following screenshot).

active directory

Once you have selected your approach, a whole world of information will open up. The tool may appear confusing simply because of the volume of information you can gather with it, but the learning curve quickly flattens, and the data that it provides becomes invaluable. After the initial WMI collector deployment is done, you can close the screen. Henceforth you will find that the screen shown in the following screenshot is always displayed when you start Ultrasound:

active directory

At first, you are given a health rating, which is generally accurate as only critical errors, or errors that could cause problems, change this rating. You can expand the replica set and see each server's health rating as well. This allows you to quickly identify any critical issues with the DCs.


On the second tab, Details, you will find information about the replications of the servers you have selected. We selected only DC1, DC2, and DC30, and details of the ongoing replications and which DCs have the most inbound and outbound connections are displayed, as shown in the following screenshot. On the top, you can also change the details to be displayed, for example the files contained within this Replica Set that are replicated.

active directory

Right-clicking on a server opens up a context menu that either allows you to collect data from a specific server, or opens up the replica set and displays the details of the replica set for the server, depending on the context.

Right-clicking on the inbound or outbound connection windows will allow you to collect data, or see details regarding a specific inbound, outbound, or replica member.

Alert History

The Alert History tab (shown in the following screenshot) contains all of the alerts caused by various actions or errors in the monitoring process, including failed WMI deployments, morphed directories, and other events. This is the power of Ultrasound. The detail-each error message contains is very surprising.

active directory

You simply double-click on an alert and the general view with all its information is displayed. This information contains the usual things, such as the date and time when the event occurred, a description of the problem, and so on. It also allows you to assign the error to a support person, and change the status from active to resolved and specify the urgency of the problem. But it the general view also has an Advanced tab where a lot more information regarding the error, such as what the actual error was, which server caused it, and so on, are shown. The following screenshot shows both tabs side-by-side:

active directory

Summary and Advanced tabs

The Summary tab provides a full summary of your AD replications. It shows everything from every member, with the domain listed at the top. The domain view shows the number of files that are backlogged, the number of servers that have yellow connections, (that is, unhealthy ones) the servers that have a high connection count, and active notifications regarding the servers that are selected. All of these are illustrated in the following screenshot.

active directory

The Advanced tab extends the Summary tab, and all of the other ones. It allows you to query any information in the Ultrasound database. On the normal view, you can select pre-configured general view collections of your replica set, in the left hand pane. There are more views, such as Failed AD updates, than in any of the previous screens, although it is possible to easily create custom filters.

active directory

To create a custom filter for a view, which you can even configure to email you in case of a certain event happening, simply select the view and click on the Row Filter drop-down selection, and then click the "…" button, or leave it at NO FILTER and click the "..." button. You will be presented with a window that allows you to either change a filter by selecting it and then clicking on change, or to create a completely new one. In our case, we will edit the AD Collection error filter in the Failed AD updates view. Simply click on the second row with the Error 301 column, and click on Change.

We will change this filter to:

  1. Notify us by email if a collection error occurs and
  2. Set the health metrics for this filter to critical, as it then raises red flags immediately in the event of an AD collection failure.

This might seem a bit drastic as a collection failure can occur for a number of reasons, but unless these reasons occur a lot in your infrastructure, this should be a good way of identifying anomalies.

First, in the Change window, click on the Alert tab and select Enable notifications. Then, select the Custom notifications option. Finally, simply click on ADD on the right-hand side of the dialog box, and enter the email address to which you want the notification to be sent. You can only add one email address per notification, so, you have to add each email address separately. However, you can also log an event, even though you are receiving an email (as shown in the following screenshot).

active directory

To set the health metrics to critical, first click on the Health Metrics tab, and click on Enable health metrics. Then, simply click on ADD, leave Replica Set selected, and select Critical from the bottom drop-down menu (as shown in the following screenshot). Finally, simply click on OK and you will be returned to Ultrasound.

active directory

At this point, you could just minimize Ultrasound. The WMI collectors will continuously feed it data, and the AD collection alert will notify you for an AD replication collection failure. If you installed Ultrasound with a standard installation of SQL Server then you can close the program and the WMI collectors will continue to feed data straight into the database. If you have Ultrasound installed with a Desktop Engine, or SQL Server 2005 Express, you should have the application running continuously. You can, of course, configure many more notifications to make sure that you cover all your bases, and do not have to spend time continually watching Ultrasound.

Ultrasound is a utility that has a somewhat steep learning curve for a short time, but can help you keep a perfectly healthy, replicating AD, when deployed correctly and used well.


In this article we discussed a few tools and utilities that will help you monitor and diagnose your AD. Although these might not be directly-related to disaster recovery, it is always good to have such important information at hand, as this can then allow you to find a problem before it becomes too widespread.

Having tools such as Ultrasound deployed is useful. But if you have no processes defined for how and how often to monitor them, or the corrective course of action in to take case of a problem, its value decreases significantly.

You've been reading an excerpt of:

Active Directory Disaster Recovery

Explore Title