For more advanced fiddling, you can use the /stagger parameter so that ADLB takes control of the intersite replication schedule and staggers the replication interval between the connection objects that a bridgehead server owns. This functionality spreads out the impact of the replication operation on each connection object that would otherwise hit the server all at once. However, once you've used ADLB to take the replication schedule away from the KCC, you'll have to maintain it with ADLB.
ADLB needs a set of rules to work within, and you can modify just about all of them if you deem it necessary. The /maxbridge option specifies the maximum number of connection objects that AD will modify due to bridgehead load-balancing. The /maxperserver option specifies the maximum number of changes to be moved onto a DC at one time so that it won't be overloaded with a sudden increase in connection objects. You can create /preimbalance and /postimbalance reports (only in the newest version) to view inbound replication imbalances before and after balancing occurs. These reports are in comma separated value (CSV) format for easy importing into Microsoft Excel.
ADLB can be a powerful utility for your replication topology, but you need to perform a careful evaluation before you use it. My recommendation is to start by examining your largest sites (i.e., the ones with the largest number of DCs) because they're the most likely to have an imbalance. If you discover an imbalance in the connection-object distribution, don't just assume you need to fix it. Do a performance analysis on the bridgehead server that has the greatest number of connection objects. Is it actually suffering? If it's not, leave it (and the site) alone. Leave the schedule staggering alone unless you really have to modify it. Why make automated operations manual unless you have a good reason?
If you decide that you need to use ADLB to correct your connection-object distribution, run the tool on a schedule determined by your environment. If you're actively modifying your site configuration by deploying DCs, adding or changing site links, creating sites, and so on, consider running ADLB once a day. When you're done with your changes, stop using ADLB.
GPOTool. You probably associate only GUI utilities with Group Policy, but several command-line utilities are available. The resource kit's GPOTool utility checks the health of your GPOs. It reads mandatory and optional directory services properties (e.g., version, friendly name, extension globally unique identifiers GPOTool—GUIDs, and Sysvol data), compares directory services and Sysvol version numbers, and performs other consistency checks.
Third Party
Just because a tool doesn't come from Microsoft doesn't mean it can't help you. In fact, some of the most powerful Windows tools available come from third parties. Here are some must-haves.
AdFind and AdMod. AdFind and AdMod are two powerful, easy-to-use freeware utilities written by Joe Richards. AdFind is a Dsquery-like AD-query utility that offers a wide selection of options beyond those of Dsquery. Besides basic Lightweight Directory Access Protocol (LDAP) search options such as base DN, filter, and scope, the tool gives you every option you can imagine—34 of them!—with which to refine the query or otherwise make AdFind easier to use. Particularly useful is AdFind's ability to provide search statistics, with the use of its four /stats options. These options tell you how efficient your query is and what indexes (if any) it used—information that can teach you how to make better LDAP queries or at least avoid making bad ones.
AdMod is similar to Dsmod, except it offers far broader powers. One of the nagging problems about Dsmod is that it lets you modify some, but not all, AD objects. For example, you can't use Dsmod to create sites, site links, or subnets. AdMod lets you modify anything in AD, and you can use it to make these modifications for large numbers of objects. However, AdMod's power also makes it very dangerous, if you aren't careful. Fortunately, the tool checks with you before it modifies more than x number of objects (10 is the default, but you can alter this number). If you need to modify large numbers of objects, you can use an -unsafe option that disables this notification. As with Dsquery and Dsmod, you can pipe AdFind's output into AdMod so that the first utility searches for certain objects or attributes and the second makes the changes you desire. You can use this pairing as a powerful scripting tool.
PsTools. Sysinternals' PsTools toolset is a collection of command-line administration tools that are useful in many situations. I find PsList, a remote process and memory viewer, particularly handy. What sets it apart from other similar utilities is how deeply it lets you dig into process and memory internals. The tool's -m option shows memory details, the -d option shows thread details, and the -t option shows the process tree, as Figure 3 shows. The process tree is handy for determining what processes run under other processes (e.g., the services process). You can run it with an automatic refresh so that it functions like a remote task manager (by using the -s option), and you can focus on a process name or PID only. By combining these options, you can zoom in on a process that might be causing a memory leak and monitor its memory usage, or you can watch a remote process's user and kernel time to see whether it's executing or hung.
Another handy tool in the PsTools toolset is PsExec, which lets you execute processes on a remote machine as if you're logged on to it. This functionality is quite useful for the many utilities that don't work remotely. For example, if you've ever needed to call a colleague at a distant location, but you weren't sure of the time at his or her office, you can query the time on a server in the user's time zone with the command
psexec \\<computer> net time
Figure 4 shows the command's results. If you aren't sure what command you need to use, or if you want to enter multiple commands, simply enter
psexec \\<computer> cmd.exe
to launch the command interpreter on the remote computer, and suddenly it appears as though you're in a command prompt at the console. Enter Exit to quit the remote session. For more information about PsTools, see "PsExec," July 2004, InstantDoc ID 42919.
Go Surfing
As you try out these tools in your environment, keep in mind that in many cases you can increase their functionality by combining them with one another. And many more handy utilities are available for Windows 2003. You can learn a lot by simply entering command line reference in Windows 2003 Help and surfing through the list. For now, your little black administrator's bag will definitely benefit from the utilities in this article.