Having a healthy Active Directory infrastructure is a very important part of any IT department. Far too often I have been on a client site and found neglected domain controllers, broken replication and badly configured DNS, all of which cause problems for end users.

If you are a Microsoft Premier customer, you can use their Active Directory RAP (Risk and Health Assessment Program) service. The Microsoft AD RAP service is a report on the health of your Active Directory environment. Microsoft will perform an assessment of your Active Directory infrastructure and provide you with a detailed report of any issues or misconfigurations in your domain that you will need to address for your AD environment to be healthy.

If you're not a Premier customer, you can do all of their assessment yourself. I have been lucky enough to have worked for clients and done similar assessments. I will provide detailed steps on how you can assess your Active Directory domains, which will help resolve any problems you may have in your environment.

The items to check when performing a health check on your AD environment are the following:

  • Active Directory Replication
  • Site Topology and Subnets
  • Domain Controller Health
  • Active Directory Database
  • Sysvol and Group Policy
  • DNS Health / Configuration
  • Windows time configuration

Active Directory Replication Problems

To check your domain controller replication, use the following tools:

Active Directory Replication Status Tool – A free tool from Microsoft that analyzes the replication status of your domain controllers. It shows any replication errors for your domain or forest in a friendly GUI.

Alternatively there are a number of built-in Active Directory tools that you can use:

repadmin /replsummary (the short form /replsum is also accepted) – This gives a per-DC summary of replication: the largest delta since the last successful replication, and a fail/total count for each source and destination DC. Here you can see if there have been any failures and locate which domain controller isn't replicating. If a domain controller shows as unreachable, most of the time it is a firewall or network issue.

repadmin /showrepl – This lists, for each naming context (partition) the DC holds, its inbound replication partners and the result and time of the last replication attempt, so you can see whether each partition replica is being replicated correctly. /showreps is the older spelling of the same command; add /errorsonly to see only the failing links.

My favorite command line tool to use is DCDIAG, which runs a battery of tests (connectivity, replication, FSMO role holders, SYSVOL, advertising, DNS) against your domain controllers and reports how they are configured and working.

On each domain controller you can run the following command lines:

DCDIAG /v – This is my favorite, as it runs in verbose mode and gives a very detailed report about the health of your domain controller. If you want to export the results to a text file for easy reading, run the following:

DCDIAG /v > c:\dcdiagresults.txt

DCDIAG /test:DNS – This runs the DNS test suite (basic configuration, forwarders, delegation, dynamic update and record registration) against your DNS server health. Add /DnsAll to run every DNS sub-test, or /v to see the per-test detail.
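The repadmin output above is fine for one DC at a time, but on a larger forest you want the same data for every DC in one table. The following is an added example (not code from the original post): it enumerates every DC in the forest, reads each DC's inbound and outbound replication partner metadata through the ActiveDirectory module, and flags links that are failing, have consecutive failures, or have not succeeded within a window. It assumes the RSAT ActiveDirectory module is installed and that you can reach every DC over LDAP/RPC; the three-hour window is an assumption you should tune to your site link schedules.

```powershell
# Added example, not from the original post. Enumerates every DC in the forest,
# pulls each DC's inbound and outbound replication partner metadata, and reports
# links that are failing or have not replicated recently. Assumes the RSAT
# ActiveDirectory module and rights to query every DC over LDAP/RPC.
Import-Module ActiveDirectory

# Assumption: a link that has not succeeded within this window deserves a look.
# Tune it to your site link schedules (intersite links may legitimately be slower).
$maxAge = New-TimeSpan -Hours 3

function Get-DsaServerName {
    # Partner is the DN of the partner's NTDS Settings object, e.g.
    # CN=NTDS Settings,CN=DC02,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=corp,DC=local
    param([string]$NtdsSettingsDn)
    (($NtdsSettingsDn -split ',')[1]) -replace '^CN='
}

# All DCs in every domain of the forest
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$links = foreach ($dc in $dcs) {
    try {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc.HostName
                    Direction   = $_.PartnerType
                    Partner     = Get-DsaServerName $_.Partner
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    LastResult  = $_.LastReplicationResult      # 0 = success, otherwise a Win32 error code
                    Failures    = $_.ConsecutiveReplicationFailures
                }
            }
    } catch {
        # The DC itself could not be queried: typically a firewall, DNS or RPC problem
        [pscustomobject]@{
            Server = $dc.HostName; Direction = 'n/a'; Partner = 'UNREACHABLE'; Partition = ''
            LastSuccess = $null; LastResult = $_.Exception.Message; Failures = -1
        }
    }
}

$cutoff = (Get-Date) - $maxAge
$problems = $links | Where-Object {
    $_.Partner -eq 'UNREACHABLE' -or
    $_.LastResult -ne 0 -or
    $_.Failures -gt 0 -or
    ($_.LastSuccess -and $_.LastSuccess -lt $cutoff)
}

if ($problems) {
    $problems | Sort-Object Server, Partition | Format-Table -AutoSize
} else {
    "All $($links.Count) replication links healthy on $($dcs.Count) domain controllers."
}

# Forest-wide view of the failures the DCs themselves have recorded
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError |
    Format-Table -AutoSize
```

An UNREACHABLE row is the same condition repadmin /replsummary reports as an unreachable DC, so start there with the firewall and DNS checks before chasing individual partition errors; a non-zero LastResult is a Win32 error code you can look up with certutil -error.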

Site Topology and Subnets

Having your AD Sites and Services configured correctly is very important if your company has a number of different locations within the same domain, for example offices in different countries. If this is configured incorrectly you may experience slow logon times and slow access to email in your Exchange environment, because clients cannot find the domain controllers closest to them.

Set up a site for each office and link its subnets to that site. The Netlogon service on each DC records logons from clients whose IP address does not map to any site: it logs event ID 5807 in the System log and writes a NO_CLIENT_SITE entry for each client to %SystemRoot%\debug\netlogon.log. A user on an unmapped subnet will log on to whichever domain controller replies first, which may be in another site, and that can cause slow logons because the DC closest to their office isn't being used.

You should be able to get a list of subnets from your network team, or you can get them from your DHCP scopes as well.

Here's a great tutorial for setting up AD Sites & Services
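Reading netlogon.log by hand on every DC gets old quickly. The following is an added example, not code from the original post: it collects the NO_CLIENT_SITE entries from each DC's netlogon.log, summarises the unmapped client addresses per /24, and compares them with the subnets already defined in AD Sites and Services. It assumes the RSAT ActiveDirectory module and read access to each DC's admin$ share; the /24 grouping and the sample log lines are constructed for the example, so confirm the real prefix length with the network team before creating the subnet object.

```powershell
# Added example, not from the original post. Parses Netlogon's NO_CLIENT_SITE entries
# from every DC and reports client networks that have no subnet in Sites and Services.
# Assumes the RSAT ActiveDirectory module and read access to each DC's admin$ share.
Import-Module ActiveDirectory

function Get-UnmappedClientSubnets {
    param([string[]]$LogLines)
    # Netlogon writes one line per client whose IP matched no AD subnet, e.g.
    #   01/22 09:15:05 [MISC] [5884] CORP: NO_CLIENT_SITE: WS0123 10.20.30.41
    # The timestamp/prefix format varies between versions, so only anchor on the marker.
    $pattern = 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})'
    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $o = $Matches['ip'].Split('.')
            [pscustomobject]@{
                Host  = $Matches['host']
                IP    = $Matches['ip']
                # Assumption: group by /24 for readability; the real subnet may be wider or narrower
                Net24 = '{0}.{1}.{2}.0/24' -f $o[0], $o[1], $o[2]
            }
        }
    }
    $hits | Group-Object Net24 | ForEach-Object {
        [pscustomobject]@{
            Subnet  = $_.Name
            Clients = $_.Count
            Sample  = (($_.Group.Host | Select-Object -Unique -First 3) -join ', ')
        }
    } | Sort-Object Clients -Descending
}

# Constructed sample lines, so the parser can be tried without touching a DC
$sample = @(
    '01/22 09:15:05 [MISC] [5884] CORP: NO_CLIENT_SITE: WS0123 10.20.30.41',
    '01/22 09:15:09 [MISC] [5884] CORP: NO_CLIENT_SITE: WS0177 10.20.30.88',
    '01/22 09:16:44 [MISC] [5884] CORP: NO_CLIENT_SITE: LT0042 192.168.77.5',
    '01/22 09:16:50 [MISC] [5884] CORP: DsGetDcName function called: client PID=1234'
)
Get-UnmappedClientSubnets -LogLines $sample | Format-Table -AutoSize

# Real run: gather netlogon.log from every DC in the domain (admin$ maps to %SystemRoot%)
$lines = foreach ($dc in Get-ADDomainController -Filter *) {
    $log = "\\$($dc.HostName)\admin$\debug\netlogon.log"
    if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log } else { Write-Warning "Cannot read $log" }
}
$unmapped = Get-UnmappedClientSubnets -LogLines $lines

# Subnets already defined in Sites and Services, keyed by name (e.g. 10.20.30.0/24) -> site name
$known = @{}
Get-ADReplicationSubnet -Filter * | ForEach-Object {
    $known[$_.Name] = (($_.Site -split ',')[0]) -replace '^CN='
}

foreach ($u in $unmapped) {
    if ($known.ContainsKey($u.Subnet)) {
        # Entry predates the subnet object: only a problem if it keeps appearing in fresh logs
        '{0,-18} {1,5} clients  already mapped to {2}' -f $u.Subnet, $u.Clients, $known[$u.Subnet]
    } else {
        '{0,-18} {1,5} clients  UNMAPPED  (e.g. {2})' -f $u.Subnet, $u.Clients, $u.Sample
    }
}

# Remediation once the prefix and site are confirmed (site name is an assumption):
# New-ADReplicationSubnet -Name '10.20.30.0/24' -Site 'London'
```

Cross-check the UNMAPPED networks against your DHCP scopes before adding them: an address range that is unmapped but also not in DHCP is often a VPN pool or a lab network that needs its own site decision rather than a quick fix.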

Domain Controller Health

To check the health of your domain controllers there are a couple of tasks that I always do. First, check the event logs for any errors relating to Directory Service, DNS Server, DFS Replication, Application and System.

Then I like to run the following command line:

DCDIAG /V /C /D /E > C:\dcdiaglog.txt

This runs a very detailed report on the health of your domain controllers and any errors within your Active Directory environment. With /E it tests every domain controller in the forest from the one you run it on, so go through the output for each DC and resolve any errors it finds.

You can also run the Best Practices Analyzer from Server Manager on each DC, under the Active Directory Domain Services role. This highlights any non-compliant settings in your AD configuration or in the configuration of your DC.

Make sure that all your DCs are up to date with the latest Microsoft patches and service packs, and that all DCs are on the same service pack and patch level.

I use SCOM (System Center Operations Manager) to monitor my DCs and their event logs using the Active Directory management pack. If you're not using SCOM, then I recommend you install it in your environment to monitor your Active Directory. SolarWinds also have a very good monitoring solution.

You should also make sure your DC system state is backed up every day, in case you need to do an authoritative restore of any of your AD objects. A system state backup older than the forest's tombstone lifetime (60 or 180 days by default, depending on when the forest was created) cannot be used for a restore, so check that the backups are actually completing and not just scheduled. I recommend using Data Protection Manager (DPM) from the System Center suite.
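The event log review, dcdiag run, BPA scan and patch-level comparison above are the same four steps every time, so it pays to script them. The following is an added example, not code from the original post: for every DC in the domain it pulls critical and error events from the logs a health check cares about, runs dcdiag to a per-DC log file and prints just the pass/fail summary lines, runs the AD DS Best Practices Analyzer remotely, and finally lists any hotfix that is present on some DCs but not all. It assumes the RSAT ActiveDirectory module, WinRM access to each DC (for the BPA), and that C:\adhealth exists on the machine you run it from; the 24-hour look-back is an assumption.

```powershell
# Added example, not from the original post. One pass over every DC in the domain:
# error events, dcdiag, AD DS Best Practices Analyzer, and hotfix drift between DCs.
# Assumes RSAT (ActiveDirectory module), WinRM to each DC, and an existing C:\adhealth.
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-24)   # assumption: look back one day
$logs   = 'Directory Service', 'DNS Server', 'DFS Replication', 'System', 'Application'
$outDir = 'C:\adhealth'
$dcs    = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    "=== $($dc.HostName) ==="

    # 1. Critical (Level 1) and Error (Level 2) events, summarised by provider and event ID
    $events = foreach ($log in $logs) {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since }
    }
    $events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

    # 2. dcdiag, comprehensive and verbose, written to a file for later reading
    $logFile = Join-Path $outDir "$($dc.Name)-dcdiag.txt"
    & dcdiag.exe "/s:$($dc.HostName)" /c /v "/f:$logFile"
    # The per-test summary lines are enough to spot failures without reading the whole file
    Select-String -Path $logFile -Pattern 'failed test|passed test' | ForEach-Object { $_.Line.Trim() }

    # 3. Best Practices Analyzer for the AD DS role, non-informational results only
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices | Out-Null
        Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices |
            Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
            Select-Object Severity, Category, Title
    } | Format-Table -AutoSize
}

# 4. Patch drift: any hotfix that is not present on every DC
$hotfixes = foreach ($dc in $dcs) {
    Get-HotFix -ComputerName $dc.HostName |
        Select-Object @{ n = 'DC'; e = { $dc.Name } }, HotFixID
}
$allDcs = $dcs.Name
foreach ($group in ($hotfixes | Group-Object HotFixID)) {
    if ($group.Count -lt $allDcs.Count) {
        $missing = $allDcs | Where-Object { $_ -notin $group.Group.DC }
        '{0} missing on: {1}' -f $group.Name, ($missing -join ', ')
    }
}
```

Keep the dcdiag log files: when a test starts failing, a diff against last week's file for the same DC usually points at the change faster than the verbose output on its own.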

Sysvol and Group Policy Replication

If you have problems with Group Policies not working or not being applied to users, check that your replication is working and that the SYSVOL directory and the Group Policies within it are being replicated. Use the Microsoft Active Directory Replication Status Tool to see if your replication is working correctly.

If you are using DFSR for SYSVOL replication (rather than the older FRS; dfsrmig /getglobalstate tells you which), you can use the diagnostic tools within the DFS Management console. In DFS Management, under Replication, the Domain System Volume group contains the SYSVOL share; right-click it and select Create Diagnostic Report. This gives a report of the health of your DFSR environment, including any replication backlog.

Here's a great tutorial on running the GPOTOOL.exe tool from the Windows Server 2003 Resource Kit, which checks if your GPOs are being replicated between your domain controllers. The tool checks the consistency of each GPO (that the version numbers stored in AD match those in the gpt.ini file in SYSVOL) and checks the replication of your GPOs across DCs.
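GPOTOOL is old and not always to hand, but the check it performs is simple enough to do in PowerShell. The following is an added example, not code from the original post or from GPOTOOL: for every GPO it reads the version numbers stored in AD and in gpt.ini on each DC's SYSVOL share, then reports GPOs whose AD and SYSVOL versions disagree on a DC, or whose versions differ between DCs. It assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to every DC's SYSVOL share.

```powershell
# Added example, not from the original post: a PowerShell replacement for GPOTOOL.
# Compares each GPO's AD version (versionNumber attribute) with its SYSVOL version
# (gpt.ini) on every DC, and flags GPOs that are inconsistent on a DC or between DCs.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and SYSVOL read access.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function ConvertFrom-GptVersion {
    # gpt.ini holds one 32-bit number: high 16 bits = user version, low 16 bits = computer version
    param([long]$Version)
    [pscustomobject]@{
        User     = ($Version -shr 16) -band 0xFFFF
        Computer = $Version -band 0xFFFF
    }
}

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * -Server $domain.DNSRoot

$rows = foreach ($dc in $dcs) {
    # Ask this DC specifically, so we see its copy of the AD side as well as its SYSVOL
    foreach ($gpo in (Get-GPO -All -Domain $domain.DNSRoot -Server $dc.HostName)) {
        $gptPath = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}\gpt.ini"
        $sysvolUser = 'MISSING'; $sysvolComputer = 'MISSING'
        if (Test-Path -LiteralPath $gptPath) {
            $text = Get-Content -LiteralPath $gptPath -Raw
            if ($text -match '(?m)^Version=(\d+)') {
                $v = ConvertFrom-GptVersion ([long]$Matches[1])
                $sysvolUser = $v.User; $sysvolComputer = $v.Computer
            }
        }
        [pscustomobject]@{
            DC = $dc.Name; GPO = $gpo.DisplayName; Id = $gpo.Id
            AdUser     = $gpo.User.DSVersion;  AdComputer     = $gpo.Computer.DSVersion
            SysvolUser = $sysvolUser;          SysvolComputer = $sysvolComputer
        }
    }
}

# 1. AD and SYSVOL disagree on the same DC: the GPO was edited and SYSVOL has not caught up,
#    or a SYSVOL restore/overwrite rolled gpt.ini back
'--- AD/SYSVOL version mismatches ---'
$rows | Where-Object { $_.AdUser -ne $_.SysvolUser -or $_.AdComputer -ne $_.SysvolComputer } |
    Format-Table DC, GPO, AdUser, SysvolUser, AdComputer, SysvolComputer -AutoSize

# 2. DCs disagree with each other about a GPO: AD or SYSVOL replication is behind or broken
'--- GPOs inconsistent between DCs ---'
foreach ($g in ($rows | Group-Object Id)) {
    $states = $g.Group |
        ForEach-Object { '{0}/{1}/{2}/{3}' -f $_.AdUser, $_.AdComputer, $_.SysvolUser, $_.SysvolComputer } |
        Sort-Object -Unique
    if ($states.Count -gt 1 -or $g.Count -lt $dcs.Count) {
        "GPO '{0}' ({1}):" -f $g.Group[0].GPO, $g.Name
        $g.Group | Format-Table DC, AdUser, AdComputer, SysvolUser, SysvolComputer -AutoSize
    }
}
```

A GPO that is MISSING on one DC's SYSVOL but present in its AD is the classic DFSR backlog (or FRS journal wrap) symptom; a GPO that differs between DCs but is self-consistent on each is more often just replication latency, so re-run after the next replication interval before acting on it.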


Windows Time Configuration

Having the correct time on your DCs is extremely important. Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default), so if your DCs' time is out of sync with each other you will have a lot of problems: for example Exchange won't work correctly, users will have problems with some network applications, problems logging on, etc.

If you do have a problem with your DCs' time not being in sync with each other, perform the following:

  • Check the registry to see whether the domain controller is using NTP (which should be the case on the PDC emulator, syncing from an external source) or NT5DS (the domain hierarchy, which every other DC should use):

    Find the value of Type under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

  • You can also check for time advertisement on the PDC by running w32tm.exe /resync /rediscover /nowait, then checking the System log for Event ID 139 from the Time-Service source, which reports that the DC has started advertising as a good time source
  • To check the source time server, stratum and last successful sync: w32tm /query /status (w32tm /query /source shows just the source)

Here's the official Microsoft article on Windows Time
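The three checks above (registry Type, time source, and actual offset) are easy to run across every DC at once. The following is an added example, not code from the original post: it checks each DC's W32Time Type against what it should be (NTP on the PDC emulator, NT5DS everywhere else), flags any DC syncing from its own local clock, and measures the offset from the machine you run it on using w32tm /stripchart. It assumes the RSAT ActiveDirectory module, WinRM access to each DC for the registry read, and NTP (UDP 123) reachability for the stripchart; the 1-second offset limit is an assumption for a healthy domain, well inside the 5-minute Kerberos tolerance.

```powershell
# Added example, not from the original post. Checks every DC's time configuration:
# Type must be NTP on the PDC emulator and NT5DS elsewhere, the source must not be the
# local clock, and the offset from this machine must be small. Assumes the RSAT
# ActiveDirectory module, WinRM to each DC, and UDP 123 reachability.
Import-Module ActiveDirectory

$maxOffsetSec = 1.0   # assumption: anything larger on a DC deserves attention
$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter *

function Get-TimeOffsetSeconds {
    # w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample;
    # returns the average offset, or $null if the DC did not answer over NTP
    param([string]$Computer, [int]$Samples = 3)
    $out = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if ($offsets) { ($offsets | Measure-Object -Average).Average } else { $null }
}

$results = foreach ($dc in $dcs) {
    $isPdc    = $dc.HostName -eq $pdc
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }

    # The same registry value the post tells you to inspect
    $type = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
    }
    $source = (& w32tm.exe /query "/computer:$($dc.HostName)" /source 2>&1) -join ' '
    $offset = Get-TimeOffsetSeconds -Computer $dc.HostName

    $issues = @()
    if ($type -ne $expected)                            { $issues += "Type is $type, expected $expected" }
    if ($source -match 'Local CMOS Clock|Free-running') { $issues += 'syncing from its own clock' }
    if ($null -eq $offset)                              { $issues += 'no NTP response' }
    elseif ([math]::Abs($offset) -gt $maxOffsetSec)     { $issues += ('offset {0:N3}s' -f $offset) }
    $status = if ($issues) { $issues -join '; ' } else { 'OK' }

    [pscustomobject]@{
        DC        = $dc.Name
        PDC       = $isPdc
        Type      = $type
        Source    = $source
        OffsetSec = $offset
        Status    = $status
    }
}
$results | Format-Table -AutoSize
```

If the PDC emulator itself reports Local CMOS Clock as its source, fix that first: every other DC and every domain member ultimately syncs from it, so its offset becomes the whole domain's offset.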



Infrastructure consultant from London. 16 years' experience working in IT. Areas of expertise are Active Directory, System Center 2012 R2 suite (SCOM, SCORCH, SCCM, SCVMM, SCDPM, SCSM), private cloud, VMware, Hyper-V.
