I've had some Active Directory troubles lately was was wondering what checks I could do on a regular basis I could do to ensure everything is working optimally?
To give you some ideas on what can be tested, here are some of the automated checks we perform daily.
Ping test
LDAP/Port 389 authenticated bind
GC/Port 3268 authenticated bind
DNS/Port 53 test. This includes performing a lookup against the DC for the DC dns host name, to confirm that only one address is returned. For DC's that have multiple IP addresses, we confirm that the "PublishAddresses" registry value is defined at HKLM\System\CurrentControlSet\Services\DNS\Parameters, and matches what should be the expected IP address.
Sysvol/FRS test. This includes checking the version in the most recent GPO gpt.ini file, and comparing with the PDC emulator.
Free disk space check (WMI).
Time Synchronization. WMI can be used to get the DC local time, and compare to the server running the test, and flagged if the difference is approaching the threshold (4m 50s).
Time Server advertising. output of the command: 'nltest /server:serverName /dsgetdc:domainName.company.com', and verify that the TIMESERV flag is present.
Time Server Test.
Query the server on UDP/123 for a valid NTP response.
Use w32tm.exe /query /computer:dcname /status /verbose to determine the DC Last Successful Sync Time, and if the DC time is in sync.
Use nltest.exe /server:dcname /dsgetdc:dcDomainDnsName to determine if the DC is actually advertising as a time server. The advertisement is performed via the Netlogon service.
GC Advertising. One way to determine if a dc is actually advertising as a Global Catalog is to use repadmin /showreps. If any partition has not (yet) been fully replicated, it will display 'WARNING: Not advertising as a global catalog'. Note that NLTest flags may indicate that the dc is configured as a GC; this 'configuration' is distinct from 'advertising'. This is of particular interest in large distributed environments with many domains, as it may take days or weeks for a dc to gradually replicate all partitions to the point where the GC test passes.
Replication test. Each domain has a "tag" object, and one of the attributes is used to store a datetime value. All of the DC's are queried for these objects, and DC's with values that exceed threshold are flagged for replication issues.
Strict Replication Consistency registry setting check. Strict Replication is the default for new Windows 2008 and later domains, however older established AD environments this was not the default and that setting would have been carried over. Lingering objects become much more difficult to identify and resolve in larger environments with many domains and DC's.
Pending replication count. This can be obtained via WMI or .NET. This is the same as performing a repadmin /queue. DC's with a high number of pending replications may have had replication shut down for some reason. An example would be if Strict Replication Consistency were enabled, this would definitely shut down replication if an invalid or deleted object were attempted to replicate inbound. It's also possible to obtain the most recent datetime of the last successful replication for a particular neighbor, which can be flagged if it exceeds a threshold.
At a smaller company I worked for in the past we used this. It is a script that compares PASS/FAILS, certainly not a bad tool to try out. Interested to see what others have used.
Recently saw that Microsoft released a interesting new replication status tool which seems pretty neat. More of a gui mutli server replication status check. This would certainly be one step in any AD health check:
To give you some ideas on what can be tested, here are some of the automated checks we perform daily.
w32tm.exe /query /computer:dcname /status /verboseto determine the DC Last Successful Sync Time, and if the DC time is in sync.nltest.exe /server:dcname /dsgetdc:dcDomainDnsNameto determine if the DC is actually advertising as a time server. The advertisement is performed via the Netlogon service.repadmin /showreps. If any partition has not (yet) been fully replicated, it will display 'WARNING: Not advertising as a global catalog'. Note that NLTest flags may indicate that the dc is configured as a GC; this 'configuration' is distinct from 'advertising'. This is of particular interest in large distributed environments with many domains, as it may take days or weeks for a dc to gradually replicate all partitions to the point where the GC test passes.repadmin /queue. DC's with a high number of pending replications may have had replication shut down for some reason. An example would be if Strict Replication Consistency were enabled, this would definitely shut down replication if an invalid or deleted object were attempted to replicate inbound. It's also possible to obtain the most recent datetime of the last successful replication for a particular neighbor, which can be flagged if it exceeds a threshold.At a smaller company I worked for in the past we used this. It is a script that compares PASS/FAILS, certainly not a bad tool to try out. Interested to see what others have used.
Active Directory relies heavily on DNS, So Start With some DNS checks.
NSLOOKUP hostname This test that DNS is able to resolve a host name to an IP address
DCDIAG /TEST:DNS This will check that DNS and Active Directory are working properly.
NETDIAG /TEST:DNS More DNS testing
Once you are satisfied that DNS is running correctly here are sime more tests
REPADMIN /SHOWREPS This will show you the last time that replication occurred with the replication partners
REPADMIN /REPLSUM /ERRORSONLY This displays any replication errors between domain controllers.
DCDIAG /Q The king of AD diagnostic tools. Tests and reports all AD components.
NETDIAG Tests all
Recently saw that Microsoft released a interesting new replication status tool which seems pretty neat. More of a gui mutli server replication status check. This would certainly be one step in any AD health check:
http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx