Solved

Active Directory Regular Checks

Posted on 2007-11-28
Last Modified: 2011-10-03
Good morning experts :)

I work for a huge multi-national corporation with approx 3000 AD Servers. I am in a team of 4 that look after them :)

I have been tasked with providing a series of checks that we can perform in the morning when the first member of staff comes in... just to make sure everything is ticking over nicely. These checks are only for approx 300 servers tho.

The actual delivery mechanism isn't the issue at the moment (like using vbscripts or a web page etc), I just need a list of things that we should be checking.

As for how we go about checking things... that is something I will worry about later.

Some things to check off the top of my head would be:

FRS
Replication (maybe replmon, replview etc)
Database integrity (ntdsutil?)

That's the kind of thing I mean.

Now, the list of checks could be huge... that won't be an issue as long as I can automate it but at this stage it's a brain dump from all you experts out there.

Thanks in advance :)
0
Question by:mickdoc
10 Comments
 
LVL 11

Expert Comment

by:bsharath
ID: 20364487
The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation.
See here
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx
0
 
LVL 3

Author Comment

by:mickdoc
ID: 20364497
I should say that it is a mix of Windows 2003 32-bit and 64-bit... we are in the process of replacing the 32-bit ones
0
 
LVL 3

Author Comment

by:mickdoc
ID: 20364516
I agree bsharath but it isn't maintenance that I need to perform, it's checks.

We need to come in at 8am and check to see if everything is working as it should be. So I was asked to come up with a list of things to check to make sure all is working fine.
0
 
LVL 11

Accepted Solution

by:
bsharath earned 250 total points
ID: 20364550
Ok... Many bit....
1. Event Logs for errors.
2. Backup event logs regularly...For Audit
3. If you have enabled Auditing then check them to see security alerts.
4. Check the Hardware software provided by the vendor for Health. If Dell (IT Manager) if HP (ISEE)
0
 
LVL 1

Expert Comment

by:Weirdly
ID: 20364569
I think you need to start using MOM 2007 :) , it works very nicely for me.
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20364616
Verify that all domain controllers are communicating with the central monitoring console or collector.
View and examine all new alerts on each domain controller, resolving them in a timely fashion.
Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services.
Resolve alerts indicating SYSVOL is not shared.
Resolve alerts indicating that the domain controller is not advertising itself.
Resolve alerts indicating time synchronization problems.
Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first.

 
From here
http://technet.microsoft.com/hi-in/library/Bb727046.aspx#ECAA

Hope this helps....
0
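An added example, not part of the original thread: one way to script the essential-services and SYSVOL checks from the list above without MOM. It assumes Windows PowerShell with WMI (DCOM) access to the domain controllers; the server name, the sample state and the `$DomainControllers` list are constructed placeholders.

```powershell
# Added example, not from the thread. Windows PowerShell (Get-WmiObject is not in PowerShell 7).
# Service names for FRS, Net Logon, KDC, W32Time and ISMSERV as registered on a DC.
$EssentialServices = 'NtFrs', 'Netlogon', 'Kdc', 'W32Time', 'IsmServ'

function Get-DcHealthFinding {
    # Evaluation step: turns collected state into one finding string per problem.
    param(
        [string]$Server,
        [hashtable]$ServiceState,   # service name -> state string, e.g. 'Running'
        [string[]]$ShareNames
    )
    foreach ($svc in $EssentialServices) {
        $state = $ServiceState[$svc]
        if ($state -ne 'Running') {
            if (-not $state) { $state = 'not found' }
            "${Server}: service $svc is $state"
        }
    }
    if ($ShareNames -notcontains 'SYSVOL') {
        "${Server}: SYSVOL is not shared"
    }
}

function Get-DcState {
    # Collection step: reads service and share state from one DC over WMI.
    param([string]$Server)
    $services = @{}
    Get-WmiObject -Class Win32_Service -ComputerName $Server |
        Where-Object { $EssentialServices -contains $_.Name } |
        ForEach-Object { $services[$_.Name] = $_.State }
    $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $Server |
                ForEach-Object { $_.Name })
    @{ Server = $Server; ServiceState = $services; ShareNames = $shares }
}

# Constructed sample state, so the evaluation logic runs offline.
$sample = @{
    Server       = 'DC-EXAMPLE01'
    ServiceState = @{ NtFrs = 'Stopped'; Netlogon = 'Running'; Kdc = 'Running'; W32Time = 'Running' }
    ShareNames   = @('ADMIN$', 'C$', 'NETLOGON')
}
Get-DcHealthFinding @sample

# Live use ($DomainControllers is a placeholder list of server names):
# foreach ($dc in $DomainControllers) { $s = Get-DcState $dc; Get-DcHealthFinding @s }
```

A service missing from the collected state is reported as "not found" rather than silently passing, which is the case to watch for when a query to a DC partly fails.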
 
LVL 3

Author Comment

by:mickdoc
ID: 20364628
MOM would be nice... but that isn't gonna happen. :(

Other ideas I had:

Check the Domain Admins group (make sure no extra accounts are in there)
Check server times are within 5 minutes of the time sources.

Things like that I need. Remember, it doesn't matter how hard it would be to actually pull it off... I will worry about that later. I just need ideas at this time.


Thanks
0
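An added example, not part of the original thread: the two checks proposed above (Domain Admins membership and clocks within 5 minutes), written as a baseline comparison and a parser for `w32tm /stripchart` output. The account names, server name and sample output are constructed, and the parser assumes `w32tm` prints offsets with a dot as the decimal separator.

```powershell
# Added example, not from the thread. Account names and the approved list are constructed.
function Compare-GroupBaseline {
    # Returns accounts added to, or missing from, the group relative to the approved list.
    param([string[]]$Approved, [string[]]$Current)
    $added   = @($Current  | Where-Object { $Approved -notcontains $_ })
    $missing = @($Approved | Where-Object { $Current  -notcontains $_ })
    [pscustomobject]@{ Added = $added; Missing = $missing }
}

function Get-TimeOffsetSeconds {
    # Parses one data line of 'w32tm /stripchart /computer:X /samples:1 /dataonly',
    # e.g. '08:00:03, +00.0412345s'. Returns $null for header or error lines.
    param([string]$Line)
    if ($Line -match ',\s*([+-]\d+\.\d+)s\s*$') {
        return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
    }
    return $null
}

function Test-TimeSkew {
    # Emits a finding when the largest absolute offset exceeds the limit (default 5 minutes).
    param([string]$Server, [string[]]$StripchartOutput, [int]$MaxSkewSeconds = 300)
    $offsets = @($StripchartOutput | ForEach-Object { Get-TimeOffsetSeconds $_ } |
                 Where-Object { $null -ne $_ })
    if ($offsets.Count -eq 0) { return "${Server}: no time sample obtained" }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) { return "${Server}: clock is off by $worst s" }
}

# Constructed sample data, so the logic runs offline.
$approved = 'Administrator', 'svc-adbackup', 'jsmith-adm'
$current  = 'Administrator', 'svc-adbackup', 'jsmith-adm', 'tempuser1'
(Compare-GroupBaseline -Approved $approved -Current $current).Added

$sampleOutput = 'Tracking DC-EXAMPLE01 [192.0.2.10:123].', '08:00:03, +412.0412345s'
Test-TimeSkew -Server 'DC-EXAMPLE01' -StripchartOutput $sampleOutput

# Live collection (needs the ActiveDirectory module and w32tm on the admin host):
# $current = Get-ADGroupMember 'Domain Admins' -Recursive | ForEach-Object { $_.SamAccountName }
# $out = w32tm /stripchart /computer:$dc /samples:1 /dataonly
```

Keeping the approved list in a file under change control makes each morning's `Added` result an auditable diff; a server that returns no sample is reported as a finding instead of passing.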
 
LVL 11

Expert Comment

by:bsharath
ID: 20364727
Here are the things you need to do for a resigned user.
Hide the user from being shown in the GAL after resigning
Change user password
Remove Manager and Direct Reports if any
Remove user from all groups
Clear data (almost) from user information fields
Move user account to different OU (Always better to have all the disabled users in a different OU)

Remove all computer names that have been renamed.
Check for lame users that have not been used for a long time.
0
 
LVL 11

Expert Comment

by:bsharath
ID: 20364749
Find all groups that have the message restriction "Accept messages only from" defined (need to check if unauthorised users are in it).
Check if any computers and groups have Managed By assigned.
0
 
LVL 5

Expert Comment

by:balmasri
ID: 20365208
There is no need to make the following step [Check the Domain Admins group (make sure no extra accounts are in there)]. You can use the Restricted Groups feature in the Default Domain Controllers GPO.

suggest:
run dnslint from the following link
http://support.microsoft.com/kb/321046
0
