How to do an Active Directory Health Check

Scenario:
You have been tasked with completing an Active Directory Health Check, what should you do?

Walkthrough:
This step-by-step guide takes you through 7 steps with things to include in an Active Directory Health Check (ADHC.) It is roughly ordered by what is most important/should be done first, and proceeds in order to obtain more and more information as and when the time permits.

Note: To make life easier, there are software packages out there like Quest’s Spotlight on Active Directory (latest version 6.8.1) which are well worth trialing-out/investing-in. The following post only covers freely available tools.

Step 1: Run the Microsoft Active Directory Topology Diagrammer (ADTD)

This will need a workstation on the domain, with Microsoft Visio installed.
Obtain “ADTD.Net Setup.msi” from here .
Install and run “ADTD.exe”.

Populate the Server/Domain box, and run through the tabs ticking off what is to be included in the Visio output (the more detail the better) > click Discover! > click Draw!

This will provide a lot of useful information - FSMO role holders, Operating System and Service Pack Level of Domain Controllers, Site Links …

Fig. Example ADTD Domains Output

Fig. Example ADTD Sites Output

Step 2: (Windows 2008 R2 domain controllers) Active Directory Domain Services and DNS Server Best Practices Analyzer

One of the great things about Windows Server 2008 R2 was the inclusion of Best Practice Analyzer’s for all roles. Even if there is only one 2008 R2 domain controller in the domain, this can be used to gain valuable information.

The BPA is located in Server Manager > Roles > Active Directory Domain Services > Scroll down to find ‘Best Practices Analyzer’ and click ‘Scan This Role’

Similarly, the DNS Server BPA is located in Server Manager > Roles > DNS Server > Scroll down to find ‘Best Practices Analyzer’ and click ‘Scan This Role’

Step 3: Command Prompt CLI Commands

From a domain controller, run the commands - below in bold - via the command prompt (can be piped to a text file by appending > textfilename.txt at the end):
Note 1: If running on a DC prior to Server 2008, you will need to install the Windows Server 2003 Administration Tools Pack (Adminpak) from here
Note 2: Instead of manually running the below, can use the Active Directory Health Check script from thesysadmins

Find System Boot Time and Uptime:
systeminfo | find “System Boot Time:”
systeminfo | find “System Up Time:”

Display current TCP/IP network configuration:
ipconfig /all

Analyze the state of domain controllers in a forest:
dcdiag /a

Provide an overview of any replication failures, and if last replication attempts were successful:
repadmin /replsummary
repadmin / showrepl
Update: Instead of using repadmin, check out the new Active Directory Replication Status Tool (ADREPLSTATUS) which is currently in version 1.0, requires .NET Framework 4, and is for Server 2003 DCs and above.

Returns the FSMO roles holders:
netdom query fsmo

Step 4: Active Directory Sites and Services (ADSS)

·         Are site objects created for every geographical site?
·         Are subnets object created for every subnet?
·         Are subnets correctly assigned sites?

Step 5: Decommissioned/Rogue DCs

Sometimes DCs are decommissioned/die without being removed from Active Directory using DCPROMO (the ADTD might pick up old DCs):

·         If the DC is not tombstoned then DCPROMO the DC
·         If the DC has been decommissioned but is still in ADSS, then delete from ADSS, also remove traces from Active Directory Users and Computers (ADUC), and DNS.
·         Advanced DC removal requires using NTDSUTIL Metadata Cleanup, and - if that is not possible - then ADSIEDIT.

Step 6: Check Domain Controllers for …

·         IP Configuration: Is the subnet configured correctly? Are DNS servers configured correctly - domain PDC should be first, then the DC itself or another local DC (if the PDC) second, then 3rd and 4th can be the higher level (root domain) PDC and Secondary DNS servers (if a child domain)?
·         Time: All DCs should be in time synchronization with the root domain PDC - find the time on the PDC (taking time zones into account) and verify….
·         Windows Firewall: Inbound ports - UDP/TCP 53, 88, 389, 464; UDP 123, 137; TCP 139, 445, 3268

Fig. Domain Controller Inbound ports

Step 7: Additional Investigations

·         Active Directory design - OUs and objects
·         Security and Group Policy
·         Wireshark/Network Analysis - for dropped packets to/from DCs

Comments

  1. Hi, a few weeks ago I stumbled upon a tool from Microsoft - it's called Active Directory Replication Status Tool
    (http://www.microsoft.com/en-us/download/details.aspx?id=30005).

    It's a good GUI replacement for the CLI commands and it helps to prioritise on errors. Give it a try.

    ReplyDelete
    Replies
    1. Hi Bitflip, thank you very much for the comment. I have added an update to the post underneath where repadmin is mentioned, to suggest using ADREPLSTATUS instead. It looks like an interesting new tool. Cheers!

      Delete
  2. Active Directory Health Check and Repadmin

    http://pdtechguru.wordpress.com/2012/10/04/active-directory-health-check/

    ReplyDelete
  3. How about using Dynamic AD Replication Checker Tool - An advanced tool for experienced AD Administrators at www.Dynamic-SpotAction.com

    ReplyDelete
  4. Great post. I just located your blog and wished to let you know that I have certainly loved reading your blogs. At any rate I’m going to be subscribing to your feed and I really hope you are writing again soon.

    ReplyDelete
  5. Nice post Vidad! I especially liked the AD replication status tool...didn't know that it existed.

    ReplyDelete
  6. Great post. I just located your blog and wished to let you know that I have certainly loved reading your blogs. At any rate I’m going to be subscribing to your feed and I really hope you are writing again soon. EZ Money Formula

    ReplyDelete
  7. You are great thx for the valuable info.

    ReplyDelete
  8. Wow!! i am very impressed with your lovely post..
    Chiropractic cash software

    ReplyDelete
  9. Here is a detailed article that will show you how to perform a health check for your Active directory, DC's, DNS, Replication - http://www.networkangel.net/active-directory-health-check-tools

    ReplyDelete
  10. Active Directory Health Profiler is a tool that in my view is one of the very best in Active Directory Health management. I think we should give this one a try?
    http://adhealthprof.itdynamicpacks.net/

    Best,
    John

    ReplyDelete

Post a Comment