What are the most common periodic activities that should be performed to make sure that a medium to large Active Directory implementation runs smoothly and securely?
DCDiag.exe is a good place to start.
I'll add replmon and repadmin as basics - these should be checked at least once per week to ensure that your AD replication is functioning correctly.
If you can pull all the relevant event logs (Directory Service, DNS, FRS) from your DCs it's also a good way to get a handle on what's going on.
Deleting or disabling former users and computers. Users are fairly easy, but computers can be difficult depending on your setup. Check out the multitude of PowerShell scripts; they can really make AD management easier. Also check to make sure that your OU structure is being kept. Review any GPOs that might not be necessary and disable them.
Depending on your environment you may want to know when certain groups change membership (like the payroll dept.). I suggest finding a tool/method you are happy with. I had some scripts and would run windiff to visually see the changes.
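As an added example that is not part of the answer above: a PowerShell script that snapshots the membership of a few sensitive groups and reports additions and removals against the previous run, replacing the manual windiff step. The group names and the snapshot folder are assumptions; adjust them to your domain.

```powershell
# Added example (not from the original answers): snapshot group membership and
# diff it against the previous snapshot. Group list and folder are assumptions.
#Requires -Modules ActiveDirectory
param(
    [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Payroll'),
    [string]$SnapshotDir = 'C:\ADAudit\GroupSnapshots'   # assumed location
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null

foreach ($group in $Groups) {
    # -Recursive expands nested groups, so a user added via a sub-group is still seen
    $current = @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty DistinguishedName | Sort-Object)
    $safeName = $group -replace '[^A-Za-z0-9]', '_'
    $file = Join-Path $SnapshotDir "$safeName.txt"

    if (Test-Path $file) {
        # Drop blank lines so an empty snapshot compares as an empty set
        $previous = @(Get-Content $file | Where-Object { $_ })
        $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current
        foreach ($d in $diff) {
            $change = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            Write-Output ("{0:u} {1} {2} : {3}" -f (Get-Date), $change, $group, $d.InputObject)
        }
        if (-not $diff) { Write-Output ("{0:u} no change {1}" -f (Get-Date), $group) }
    } else {
        Write-Output ("First snapshot for '{0}' ({1} members)" -f $group, $current.Count)
    }

    # Overwrite the snapshot so the next run compares against this one
    $current | Set-Content -Path $file
}
```

Run it from a scheduled task and forward the output to your log collector; the ADDED/REMOVED lines are the events worth alerting on.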
Microsoft Baseline Security Analyzer would be a good way to keep track of the number of patches that are needed.
Active Directory (NTP, DNS, LDAP, NTFRS)
NTP - be sure your PDC emulator is getting time synced from the Internet.
DNS - I was told to have all of the DCs go to a main DC running DNS as the first DNS server listed for them, and have the second DNS address be the server's own IP.
LDAP - I had 14 DCs to take care of, so I created an OU and created contacts for each of the DCs. I had scripts on the DCs run every 10 minutes to update the description field with the GMT and local time. That way, if my Exchange admin or anyone else wanted to know when the DCs had last gotten a replication change from another site, they could look at the local site's DC in ADUC at this OU and see the time changes.
NTFRS - this is what replicates group policy information. I had seen a P2V on a DC (not supported) cause problems for group policy replication; after this I wanted to know when group policy was not replicating, so I would update a txt file in a test policy folder and then look to see if that file updated across my domain controllers.
Be sure to keep notes on which DCs are also GCs, where the FSMO role holders are, and what steps should be taken if one of the DCs should fail.
If you are locking accounts after a certain number of invalid attempts, or have systems set up to take action for events like that, you may want to trigger them periodically to see that they are operating as expected.
I also like to keep an audit of the uninstall key, IP config info, and Windows components installed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OcManager\Subcomponents
ipconfig /all > ip_info.txt
Mark