25

I've had some Active Directory troubles lately was was wondering what checks I could do on a regular basis I could do to ensure everything is working optimally?

Improve this question

4 Answers 4

Reset to default
14

At a smaller company I worked for in the past we used this. It is a script that compares PASS/FAILS, certainly not a bad tool to try out. Interested to see what others have used.

Improve this answer
19

To give you some ideas on what can be tested, here are some of the automated checks we perform daily.

  • Ping test
  • LDAP/Port 389 authenticated bind
  • GC/Port 3268 authenticated bind
  • DNS/Port 53 test. This includes performing a lookup against the DC for the DC dns host name, to confirm that only one address is returned. For DC's that have multiple IP addresses, we confirm that the "PublishAddresses" registry value is defined at HKLM\System\CurrentControlSet\Services\DNS\Parameters, and matches what should be the expected IP address.
  • Sysvol/FRS test. This includes checking the version in the most recent GPO gpt.ini file, and comparing with the PDC emulator.
  • Free disk space check (WMI).
  • Time Synchronization. WMI can be used to get the DC local time, and compare to the server running the test, and flagged if the difference is approaching the threshold (4m 50s).
  • Time Server advertising. output of the command: 'nltest /server:serverName /dsgetdc:domainName.company.com', and verify that the TIMESERV flag is present.
  • Time Server Test.
    1. Query the server on UDP/123 for a valid NTP response.
    2. Use w32tm.exe /query /computer:dcname /status /verbose to determine the DC Last Successful Sync Time, and if the DC time is in sync.
    3. Use nltest.exe /server:dcname /dsgetdc:dcDomainDnsName to determine if the DC is actually advertising as a time server. The advertisement is performed via the Netlogon service.
  • GC Advertising. One way to determine if a dc is actually advertising as a Global Catalog is to use repadmin /showreps. If any partition has not (yet) been fully replicated, it will display 'WARNING: Not advertising as a global catalog'. Note that NLTest flags may indicate that the dc is configured as a GC; this 'configuration' is distinct from 'advertising'. This is of particular interest in large distributed environments with many domains, as it may take days or weeks for a dc to gradually replicate all partitions to the point where the GC test passes.
  • Replication test. Each domain has a "tag" object, and one of the attributes is used to store a datetime value. All of the DC's are queried for these objects, and DC's with values that exceed threshold are flagged for replication issues.
  • Strict Replication Consistency registry setting check. Strict Replication is the default for new Windows 2008 and later domains, however older established AD environments this was not the default and that setting would have been carried over. Lingering objects become much more difficult to identify and resolve in larger environments with many domains and DC's.
  • Pending replication count. This can be obtained via WMI or .NET. This is the same as performing a repadmin /queue. DC's with a high number of pending replications may have had replication shut down for some reason. An example would be if Strict Replication Consistency were enabled, this would definitely shut down replication if an invalid or deleted object were attempted to replicate inbound. It's also possible to obtain the most recent datetime of the last successful replication for a particular neighbor, which can be flagged if it exceeds a threshold.
Improve this answer
4
  • Thorough, thanks! However; any chance you can elaborate on "time server test"? How do you do this manually (or in a script, say?) with minimal effort? :)
    – Ashley
    Commented Sep 4, 2012 at 21:41
  • 1
    I built an NTPClient to perform a time sync with the DC on UDP/123. For Windows 2008, a wealth of information may be obtained by using: w32tm.exe /query /computer:dcname /status /verbose. It provides all of the information that can be obtained by an NTPClient sync, plus the Last Successful Sync Time, and if the DC is in sync. This is a huge difference from Windows 2003. To determine if the DC is actually advertising as a time server, you need to use: nltest.exe /server:dcname /dsgetdc:dcDomainDnsName.
    – Greg Askew
    Commented Sep 4, 2012 at 23:55
  • this is just wow! would you mind share the scripts running for these. I will be trying to run these using powershell.
    – whizkid
    Commented Sep 5, 2012 at 4:26
  • 1
    @whizkid: I don't have a powershell script, but I've recently developed a C# application that does all of this, and will be publishing it on CodePlex.com in a week or so.
    – Greg Askew
    Commented Sep 5, 2012 at 4:44
8

Active Directory relies heavily on DNS, So Start With some DNS checks.

NSLOOKUP hostname This test that DNS is able to resolve a host name to an IP address

DCDIAG /TEST:DNS This will check that DNS and Active Directory are working properly.

NETDIAG /TEST:DNS More DNS testing

Once you are satisfied that DNS is running correctly here are sime more tests

REPADMIN /SHOWREPS This will show you the last time that replication occurred with the replication partners

REPADMIN /REPLSUM /ERRORSONLY This displays any replication errors between domain controllers.

DCDIAG /Q The king of AD diagnostic tools. Tests and reports all AD components.

NETDIAG Tests all

Improve this answer
1

Recently saw that Microsoft released a interesting new replication status tool which seems pretty neat. More of a gui mutli server replication status check. This would certainly be one step in any AD health check:

http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .