Active Directory Regular Checks

Posted on 2007-11-28
Last Modified: 2011-10-03
Good morning experts :)

I work for a huge multi-national corporation with approx 3000 AD servers. I am in a team of 4 that looks after them :)

I have been tasked with providing a series of checks that we can perform in the morning when the first member of staff comes in... just to make sure everything is ticking over nicely. These checks are only for approx 300 servers, though.

The actual delivery mechanism isn't the issue at the moment (like using vbscripts or a web page etc), I just need a list of things that we should be checking.

As for how we go about checking things... that is something I will worry about later.

Some things to check off the top of my head would be:

FRS
Replication (maybe replmon, replview etc)
Database integrity (ntdsutil?)

That's the kind of thing I mean.

Now, the list of checks could be huge... that won't be an issue as long as I can automate it but at this stage it's a brain dump from all you experts out there.

Thanks in advance :)
Question by:mickdoc
LVL 11

Expert Comment

by:bsharath
ID: 20364487
The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation
See here
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx
LVL 3

Author Comment

by:mickdoc
ID: 20364497
I should say that it is a mix of Windows 2003 32-bit and 64-bit... we are in the process of replacing the 32-bit ones
LVL 3

Author Comment

by:mickdoc
ID: 20364516
I agree bsharath but it isn't maintenance that I need to perform, it's checks.

We need to come in at 8am and check to see if everything is working as it should be. So I was asked to come up with a list of things to check to make sure all is working fine.
LVL 11

Accepted Solution

by:bsharath (earned 750 total points)
ID: 20364550
Ok... Many bit....
1. Event Logs for errors.
2. Backup event logs regularly...For Audit
3. If you have enabled Auditing then check them to see security alerts.
4. Check the hardware health software provided by the vendor: if Dell, IT Manager; if HP, ISEE.
LVL 1

Expert Comment

by:Weirdly
ID: 20364569
I think you need to start using MOM 2007 :) , it works very nicely for me.
LVL 11

Expert Comment

by:bsharath
ID: 20364616
Verify that all domain controllers are communicating with the central monitoring console or collector.
View and examine all new alerts on each domain controller, resolving them in a timely fashion.
Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services.
Resolve alerts indicating SYSVOL is not shared.
Resolve alerts indicating that the domain controller is not advertising itself.
Resolve alerts indicating time synchronization problems.
Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first.

 
From here
http://technet.microsoft.com/hi-in/library/Bb727046.aspx#ECAA

Hope this helps....
LVL 3

Author Comment

by:mickdoc
ID: 20364628
MOM would be nice... but that isn't gonna happen. :(

Other ideas I had:

Check the Domain Admins group (make sure no extra accounts are in there)
Check server times are within 5 minutes of the time sources.

Things like that I need. Remember, it doesn't matter how hard it would be to actually pull it off... I will worry about that later. I just need ideas at this time.


Thanks
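The morning sweep the thread is converging on (essential services, SYSVOL share, time skew within 5 minutes, error events, and Domain Admins membership drift) as one script. This is an added example, not code from the thread or from any poster; the DC list file, the Domain Admins baseline file, the ActiveDirectory module on the checking workstation, and WMI/RPC access to each DC are all assumptions.

```powershell
# Added example: morning AD health sweep over a list of domain controllers.
# Assumptions (not from the thread): \\server\share paths are placeholders,
# the ActiveDirectory module is installed locally, and WMI/RPC reaches each DC.
$dcs            = Get-Content '\\server\share\morning-check-dcs.txt'      # hypothetical
$baselinePath   = '\\server\share\domain-admins-baseline.txt'             # hypothetical
$essential      = 'NtFrs','Netlogon','kdc','W32Time','IsmServ'   # FRS, Net Logon, KDC, W32Time, ISMSERV
$maxSkewMinutes = 5
$report         = @()

foreach ($dc in $dcs) {
    $r = [ordered]@{ DC=$dc; Reachable=$false; ServicesNotRunning=''; SysvolShared=$false; SkewMinutes=$null; Errors24h=$null }
    $r.Reachable = Test-Connection -ComputerName $dc -Count 1 -Quiet
    if ($r.Reachable) {
        try {
            # 1. Essential services: anything missing or not Running is flagged by name
            $svc = Get-Service -ComputerName $dc -Name $essential -ErrorAction SilentlyContinue
            $running = $svc | Where-Object { $_.Status -eq 'Running' } | Select-Object -ExpandProperty Name
            $r.ServicesNotRunning = ($essential | Where-Object { $running -notcontains $_ }) -join ','
            # 2. SYSVOL must be shared for Group Policy and logon scripts to be served
            $r.SysvolShared = [bool](Get-WmiObject -ComputerName $dc -Class Win32_Share -Filter "Name='SYSVOL'")
            # 3. Clock skew: ConvertToDateTime applies the DC's UTC offset, so the comparison
            #    against Get-Date is valid even for DCs in other time zones
            $os = Get-WmiObject -ComputerName $dc -Class Win32_OperatingSystem
            $remoteTime = $os.ConvertToDateTime($os.LocalDateTime)
            $r.SkewMinutes = [math]::Round([math]::Abs(($remoteTime - (Get-Date)).TotalMinutes), 2)
            # 4. Error-level events since yesterday's check (System log; add 'Directory Service' as needed)
            $r.Errors24h = (Get-EventLog -ComputerName $dc -LogName System -EntryType Error `
                             -After (Get-Date).AddDays(-1) -ErrorAction SilentlyContinue | Measure-Object).Count
        } catch {
            $r.ServicesNotRunning = "ERROR: $($_.Exception.Message)"
        }
    }
    $report += [pscustomobject]$r
}

# 5. Domain Admins drift: members (resolved through nested groups) absent from the team's baseline
$current  = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
$baseline = Get-Content $baselinePath | Sort-Object -Unique
$drift    = Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
            Where-Object { $_.SideIndicator -eq '=>' } | Select-Object -ExpandProperty InputObject

# Only DCs with a problem are shown; a clean morning prints an empty table
$report | Where-Object { -not $_.Reachable -or $_.ServicesNotRunning -or -not $_.SysvolShared -or
                         $_.SkewMinutes -gt $maxSkewMinutes -or $_.Errors24h -gt 0 } | Format-Table -AutoSize
if ($drift) { Write-Warning "Domain Admins members not in baseline: $($drift -join ', ')" }
```

On DCs that have migrated SYSVOL replication from FRS to DFSR, the NtFrs service will be absent and should be dropped from the essential list or it will be reported every morning.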
LVL 11

Expert Comment

by:bsharath
ID: 20364727
Here are the things you need to do for a resigned user.
Hide the user from being shown in the GAL after resigning
Change user password
Remove Manager and Direct Reports if any
Remove user from all groups
Clear data (almost) from user information fields
Move user account to different OU (Always better to have all the disabled users in a different OU)

Remove all computer names that have been renamed.
Check for lame users who have not been used for a long time.
LVL 11

Expert Comment

by:bsharath
ID: 20364749
Find All Groups That Have The Message Restriction Accept Message Only From Is Defined (Need to check if unauthorised users are in it.)
Check if any computers and groups have managed by assigned.
LVL 5

Expert Comment

by:balmasri
ID: 20365208
There is no need to perform the following step [Check the Domain Admins group (make sure no extra accounts are in there)]. You can use the Restricted Groups feature in the Default Domain Controllers GPO.

suggest:
run dnslint from the following link
http://support.microsoft.com/kb/321046