Solved

Active Directory Regular Checks

Posted on 2007-11-28
Last Modified: 2011-10-03
Good morning experts :)

I work for a huge multi-national corporation with approx 3000 AD Servers. I am in a team of 4 that look after them :)

I have been tasked with providing a series of checks that we can perform in the morning when the first member of staff comes in... just to make sure everything is ticking over nicely. These checks are only for approx 300 servers tho.

The actual delivery mechanism isn't the issue at the moment (like using vbscripts or a web page etc), I just need a list of things that we should be checking.

As for how we go about checking things... that is something I will worry about later.

Some things to check off the top of my head would be:

FRS
Replication (maybe replmon, replview etc)
Database integrity (ntdsutil?)

That's the kind of thing I mean.

Now, the list of checks could be huge... that won't be an issue as long as I can automate it but at this stage it's a brain dump from all you experts out there.

Thanks in advance :)
Question by:mickdoc
10 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20364487
The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation.
See here
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx
0
 
LVL 3

Author Comment

by:mickdoc
ID: 20364497
I should say that it is a mix of Windows 2003 32-bit and 64-bit... we are in the process of replacing the 32-bit ones
0
 
LVL 3

Author Comment

by:mickdoc
ID: 20364516
I agree bsharath but it isn't maintenance that I need to perform, it's checks.

We need to come in at 8am and check to see if everything is working as it should be. So I was asked to come up with a list of things to check to make sure all is working fine.
0
 
LVL 11

Accepted Solution

by:
bsharath earned 750 total points
ID: 20364550
Ok... Many bit....
1. Event Logs for errors.
2. Back up event logs regularly, for audit.
3. If you have enabled auditing, then check them to see security alerts.
4. Check the hardware software provided by the vendor for health. If Dell (IT Manager), if HP (ISEE).
0
 
LVL 1

Expert Comment

by:Weirdly
ID: 20364569
I think you need to start using MOM 2007 :) , it works very nicely for me.
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20364616
Verify that all domain controllers are communicating with the central monitoring console or collector.
View and examine all new alerts on each domain controller, resolving them in a timely fashion.
Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services.
Resolve alerts indicating SYSVOL is not shared.
Resolve alerts indicating that the domain controller is not advertising itself.
Resolve alerts indicating time synchronization problems.
Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first.

 
From here
http://technet.microsoft.com/hi-in/library/Bb727046.aspx#ECAA

Hope this helps....
0
 
LVL 3

Author Comment

by:mickdoc
ID: 20364628
MOM would be nice... but that isn't gonna happen. :(

Other ideas I had:

Check the Domain Admins group (make sure no extra accounts are in there)
Check server times are within 5 minutes of the time sources.

Things like that I need. Remember, it doesn't matter how hard it would be to actually pull it off... I will worry about that later. I just need ideas at this time.


Thanks
0
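The essential-service, SYSVOL, advertising, time and Domain Admins checks proposed in the comments above, as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell 5.1, the RSAT ActiveDirectory module, English-language `dcdiag` and `w32tm` output, and a workstation whose own clock is synced to the time source; the DC names and the approved-admin baseline are placeholders.

```powershell
# Added example (not from the thread). DC names and baseline are placeholders.
Import-Module ActiveDirectory

$DomainControllers = @('dc01.example.test', 'dc02.example.test')  # placeholder names
$ApprovedAdmins    = @('Administrator', 'adm-example')            # placeholder baseline
$EssentialServices = @('NtFrs', 'Netlogon', 'Kdc', 'W32Time', 'IsmServ')
$MaxSkewSeconds    = 300                                          # "within 5 minutes"

$report = foreach ($dc in $DomainControllers) {
    # Services: anything not returned as Running counts as a failure, so an
    # unreachable DC fails the check rather than passing silently.
    $running = @(Get-Service -ComputerName $dc -Name $EssentialServices -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })
    $notRunning = @($EssentialServices | Where-Object { $running -notcontains $_ })

    # SYSVOL share and DC advertisement
    $sysvol     = Test-Path -Path "\\$dc\SYSVOL"
    $advertises = [bool](dcdiag "/s:$dc" /test:Advertising | Select-String 'passed test Advertising')

    # Clock offset between this workstation and the DC; $null means no sample.
    $skew   = $null
    $sample = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-Object -Last 1
    if ($sample -match ',\s*([+-]?\d+(\.\d+)?)s\s*$') { $skew = [math]::Abs([double]$Matches[1]) }

    [pscustomobject]@{
        DC          = $dc
        NotRunning  = $notRunning -join ','
        SysvolShare = $sysvol
        Advertising = $advertises
        SkewSeconds = $skew
        Healthy     = ($notRunning.Count -eq 0) -and $sysvol -and $advertises -and
                      ($null -ne $skew) -and ($skew -le $MaxSkewSeconds)
    }
}
$report | Format-Table -AutoSize

# Domain Admins: flag any member (including nested) not on the approved baseline.
$members    = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SamAccountName })
$unexpected = @($members | Where-Object { $ApprovedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected Domain Admins members: " + ($unexpected -join ', '))
}
```

A failed time sample leaves `SkewSeconds` empty and marks the DC unhealthy, so a blocked NTP port shows up as a failure instead of a pass.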
 
LVL 11

Expert Comment

by:bsharath
ID: 20364727
Here are the things you need to do for a resigned user.
Hide the user from being shown in the GAL after resigning
Change user password
Remove Manager and Direct Reports if any
Remove user from all groups
Clear data (almost) from user information fields
Move user account to different OU (Always better to have all the disabled users in a different OU)

Remove all computer names that have been renamed.
Check for lame users that have not been used for a long time.
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20364749
Find all groups that have the message restriction "Accept messages only from" defined (need to check if unauthorised users are in it).
Check if any computers and groups have "Managed By" assigned.
0
 
LVL 5

Expert Comment

by:balmasri
ID: 20365208
There is no need to do the following step: [Check the Domain Admins group (make sure no extra accounts are in there)]. You can use the restricted group feature in the Default Domain Controllers GPO.

suggest:
run dnslint from the following link
http://support.microsoft.com/kb/321046
0
