  • Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory Regular Checks

Good morning experts :)

I work for a huge multi-national corporation with approx 3000 AD Servers. I am in a team of 4 that look after them :)

I have been tasked with providing a series of checks that we can perform in the morning when the first member of staff comes in... just to make sure everything is ticking over nicely. These checks are only for approx 300 servers tho.

The actual delivery mechanism isn't the issue at the moment (like using vbscripts or a web page etc), I just need a list of things that we should be checking.

As for how we go about checking things... that is something I will worry about later.

Some things to check off the top of my head would be:

FRS
Replication (maybe replmon, replview etc)
Database integrity (ntdsutil?)

That's the kind of thing I mean.

Now, the list of checks could be huge... that won't be an issue as long as I can automate it but at this stage it's a brain dump from all you experts out there.

Thanks in advance :)
Asked by: mickdoc
 
bsharath Commented:
The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation.
See here
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx
0
 
mickdoc (Author) Commented:
I should say that it is a mix of Windows 2003 32-bit and 64-bit... we are in the process of replacing the 32-bit ones
0
 
mickdoc (Author) Commented:
I agree bsharath but it isn't maintenance that I need to perform, it's checks.

We need to come in at 8am and check to see if everything is working as it should be. So I was asked to come up with a list of things to check to make sure all is working fine.
0
 
bsharath Commented:
Ok... Many bit....
1. Event Logs for errors.
2. Backup event logs regularly...For Audit
3. If you have enabled Auditing then check them to see security alerts.
4. Check the Hardware software provided by the vendor for Health. If Dell (IT Manager) if HP (ISEE)
0
 
Weirdly Commented:
I think you need to start using MOM 2007 :), it works very nicely for me.
0
 
bsharath Commented:
Verify that all domain controllers are communicating with the central monitoring console or collector.
View and examine all new alerts on each domain controller, resolving them in a timely fashion.
Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services.
Resolve alerts indicating SYSVOL is not shared.
Resolve alerts indicating that the domain controller is not advertising itself.
Resolve alerts indicating time synchronization problems.
Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first.

 
From here
http://technet.microsoft.com/hi-in/library/Bb727046.aspx#ECAA

Hope this helps....
0
 
mickdoc (Author) Commented:
MOM would be nice... but that isn't gonna happen. :(

Other ideas I had:

Check the Domain Admins group (make sure no extra accounts are in there)
Check server times are within 5 minutes of the time sources.

Things like that I need. Remember, it doesn't matter how hard it would be to actually pull it off... I will worry about that later. I just need ideas at this time.


Thanks
0
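A sketch of how several of the checks named in the two posts above (essential services running, SYSVOL shared, clock offset within 5 minutes, Domain Admins membership against an approved list) could be run from one admin workstation. This is an added example, not code from any poster in the thread. The DC names, the group DN and the approved-account list are hypothetical placeholders, and the time check measures each DC against the machine running the script, so it assumes that machine is itself synchronized to the time source.

```powershell
# Added example (not from the thread). Written for Windows PowerShell; Get-Service
# -ComputerName does not exist in PowerShell 7+. All names below are placeholders.
$DomainControllers = 'dc01.example.test', 'dc02.example.test'       # hypothetical DCs
$AdminGroupDN      = 'CN=Domain Admins,CN=Users,DC=example,DC=test'  # hypothetical DN
$ApprovedAdmins    = 'Administrator', 'adm-alice'                    # hypothetical baseline
$EssentialServices = 'NtFrs', 'Netlogon', 'Kdc', 'W32Time', 'IsmServ'
$MaxSkewSeconds    = 300                                             # 5 minutes

function Get-TimeOffsetSeconds([string]$Computer) {
    # With /dataonly, w32tm prints samples such as "08:00:01, +00.0123456s".
    foreach ($line in (& w32tm /stripchart /computer:$Computer /samples:1 /dataonly 2>&1)) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { return [math]::Abs([double]$Matches[1]) }
    }
    return $null   # no sample returned: report it, do not assume zero offset
}

$findings = @()
foreach ($dc in $DomainControllers) {
    foreach ($name in $EssentialServices) {
        $svc = Get-Service -ComputerName $dc -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            $findings += "$dc : service $name is not running"
        }
    }
    if (-not (Test-Path "\\$dc\SYSVOL")) { $findings += "$dc : SYSVOL is not shared" }

    $offset = Get-TimeOffsetSeconds $dc
    if ($null -eq $offset) { $findings += "$dc : no time sample returned" }
    elseif ($offset -gt $MaxSkewSeconds) { $findings += "$dc : clock offset ${offset}s" }
}

# Direct members only; nested groups and primary-group membership are not expanded.
$group   = [ADSI]"LDAP://$AdminGroupDN"
$current = @($group.member | ForEach-Object { [string]([ADSI]"LDAP://$_").sAMAccountName })
foreach ($account in $current) {
    if ($ApprovedAdmins -notcontains $account) {
        $findings += "Domain Admins : unexpected member $account"
    }
}
foreach ($account in $ApprovedAdmins) {
    if ($current -notcontains $account) {
        $findings += "Domain Admins : approved member $account is missing"
    }
}

if ($findings) { $findings; exit 1 } else { 'All morning checks passed'; exit 0 }
```

The non-zero exit code lets a scheduled task or wrapper script raise an alert only when at least one finding is produced.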
 
bsharath Commented:
Here are the things you need to do for a resigned user.
Hide the user from being shown in the GAL after resigning
Change user password
Remove Manager and Direct Reports if any
Remove user from all groups
Clear data (almost) from user information fields
Move user account to different OU (Always better to have all the disabled users in a different OU)

Remove all computer names that have been renamed.
Check for lame users who have not been used for a long time.
0
 
bsharath Commented:
Find All Groups That Have The Message Restriction Accept Message Only From Is Defined (Need to check if unauthorised users are in it.)
Check if any computers and groups have managed by assigned.
0
 
balmasri Commented:
There is no need to perform the following step [Check the Domain Admins group (make sure no extra accounts are in there)]. You can use the restricted group feature in the Default Domain Controllers GPO.

Suggest:
run dnslint from the following link
http://support.microsoft.com/kb/321046
0
