How to do an Active Directory Health Check

Scenario:

You have been tasked with completing an Active Directory Health Check, what should you do?

Walkthrough:

This step-by-step guide takes you through 7 steps with things to include in an Active Directory Health Check (ADHC.) It is roughly ordered by what is most important/should be done first, and proceeds in order to obtain more and more information as and when the time permits.

Note: To make life easier, there are software packages out there like Quest’s Spotlight on Active Directory (latest version 6.8.1) which are well worth trialing-out/investing-in. The following post only covers freely available tools.

Step 1: Run the Microsoft Active Directory Topology Diagrammer (ADTD)

This will need a workstation on the domain, with Microsoft Visio installed.

Obtain “ADTD.Net Setup.msi” from here .

Install and run “ADTD.exe”.

Populate the Server/Domain box, and run through the tabs ticking off what is to be included in the Visio output (the more detail the better) > click Discover! > click Draw!

This will provide a lot of useful information - FSMO role holders, Operating System and Service Pack Level of Domain Controllers, Site Links …

Fig. Example ADTD Domains Output

Fig. Example ADTD Sites Output

Step 2: (Windows 2008 R2 domain controllers) Active Directory Domain Services and DNS Server Best Practices Analyzer

One of the great things about Windows Server 2008 R2 was the inclusion of Best Practice Analyzer’s for all roles. Even if there is only one 2008 R2 domain controller in the domain, this can be used to gain valuable information.

The BPA is located in Server Manager > Roles > Active Directory Domain Services > Scroll down to find ‘Best Practices Analyzer’ and click ‘Scan This Role’

Similarly, the DNS Server BPA is located in Server Manager > Roles > DNS Server > Scroll down to find ‘Best Practices Analyzer’ and click ‘Scan This Role’

Step 3: Command Prompt CLI Commands

From a domain controller, run the commands - below in bold - via the command prompt (can be piped to a text file by appending > textfilename.txt at the end):

Note 1: If running on a DC prior to Server 2008, you will need to install the Windows Server 2003 Administration Tools Pack (Adminpak) from here

Note 2: Instead of manually running the below, can use the Active Directory Health Check script from thesysadmins

Find System Boot Time and Uptime:

systeminfo | find “System Boot Time:”

systeminfo | find “System Up Time:”

Display current TCP/IP network configuration:

ipconfig /all

Analyze the state of domain controllers in a forest:

dcdiag /a

Provide an overview of any replication failures, and if last replication attempts were successful:

repadmin /replsummary

repadmin / showrepl

Update: Instead of using repadmin, check out the new Active Directory Replication Status Tool (ADREPLSTATUS) which is currently in version 1.0, requires .NET Framework 4, and is for Server 2003 DCs and above.

Returns the FSMO roles holders:

netdom query fsmo

Step 4: Active Directory Sites and Services (ADSS)

·         Are site objects created for every geographical site?

·         Are subnets object created for every subnet?

·         Are subnets correctly assigned sites?

Step 5: Decommissioned/Rogue DCs

Sometimes DCs are decommissioned/die without being removed from Active Directory using DCPROMO (the ADTD might pick up old DCs):

·         If the DC is not tombstoned then DCPROMO the DC

·         If the DC has been decommissioned but is still in ADSS, then delete from ADSS, also remove traces from Active Directory Users and Computers (ADUC), and DNS.

·         Advanced DC removal requires using NTDSUTIL Metadata Cleanup, and - if that is not possible - then ADSIEDIT.

Step 6: Check Domain Controllers for …

·         IP Configuration: Is the subnet configured correctly? Are DNS servers configured correctly - domain PDC should be first, then the DC itself or another local DC (if the PDC) second, then 3^rd and 4^th can be the higher level (root domain) PDC and Secondary DNS servers (if a child domain)?

·         Time: All DCs should be in time synchronization with the root domain PDC - find the time on the PDC (taking time zones into account) and verify….

·         Windows Firewall: Inbound ports - UDP/TCP 53, 88, 389, 464; UDP 123, 137; TCP 139, 445, 3268

Fig. Domain Controller Inbound ports

Step 7: Additional Investigations

·         Active Directory design - OUs and objects

·         Security and Group Policy

      ·         Wireshark/Network Analysis - for dropped packets to/from DCs

 http://cosonok.blogspot.com/2012/08/how-to-do-active-directory-health-check.html

More reference: http://pdtechguru.wordpress.com/2012/10/04/active-directory-health-check/