Solved

Active Directory Regular Checks

Posted on 2007-11-28
10
257 Views
Last Modified: 2011-10-03
Good morning experts :)

I work for a huge multi-national corporation with approx 3000 AD Servers. I am in a team of 4 that look after them :)

I have been tasked with providing a series of checks that we can perform in the morning when the first member of staff comes in... just to make sure everything is ticking over nicely. These checks are only for approx 300 servers though.

The actual delivery mechanism isn't the issue at the moment (like using vbscripts or a web page etc), I just need a list of things that we should be checking.

As for how we go about checking things... that is something I will worry about later.

Some things to check off the top of my head would be:

FRS
Replication (maybe replmon, replview etc)
Database integrity (ntdsutil?)

That's the kind of thing I mean.

Now, the list of checks could be huge... that won't be an issue as long as I can automate it but at this stage it's a brain dump from all you experts out there.

Thanks in advance :)
Question by:mickdoc
Expert Comment by: bsharath (LVL 11)

The Active Directory database is a self-maintained system and requires no daily maintenance, other than regular backup, during ordinary operation
See here
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/winsrvmg/adpog/adpog3.mspx
Author Comment by: mickdoc (LVL 3)

I should say that it is a mix of Windows 2003 32-bit and 64-bit... we are in the process of replacing the 32-bit ones
Author Comment by: mickdoc (LVL 3)

I agree bsharath but it isn't maintenance that I need to perform, it's checks.

We need to come in at 8am and check to see if everything is working as it should be. So I was asked to come up with a list of things to check to make sure all is working fine.
Accepted Solution by: bsharath (LVL 11, earned 250 total points)

Ok... Many bit....
1. Event logs for errors.
2. Back up event logs regularly... for audit.
3. If you have enabled auditing, then check the logs to see security alerts.
4. Check the hardware health software provided by the vendor. If Dell, IT Manager; if HP, ISEE.
Expert Comment by: Weirdly (LVL 1)

I think you need to start using MOM 2007 :), it works very nicely for me.
Expert Comment by: bsharath (LVL 11)

Verify that all domain controllers are communicating with the central monitoring console or collector.
View and examine all new alerts on each domain controller, resolving them in a timely fashion.
Resolve alerts indicating the following services are not running: FRS, Net Logon, KDC, W32Time, ISMSERV. MOM reports these as Active Directory Essential Services.
Resolve alerts indicating SYSVOL is not shared.
Resolve alerts indicating that the domain controller is not advertising itself.
Resolve alerts indicating time synchronization problems.
Resolve all other alerts in order of severity. If alerts are given error, warning, and information status similar to the event log, resolve alerts marked error first.

From here
http://technet.microsoft.com/hi-in/library/Bb727046.aspx#ECAA

Hope this helps....
Author Comment by: mickdoc (LVL 3)

MOM would be nice... but that isn't gonna happen. :(

Other ideas I had:

Check the Domain Admins group (make sure no extra accounts are in there)
Check server times are within 5 minutes of the time sources.

Things like that I need. Remember, it doesn't matter how hard it would be to actually pull it off... I will worry about that later. I just need ideas at this time.


Thanks
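The checks collected so far in this thread (the essential services, SYSVOL/NETLOGON being shared, error events, clock skew within 5 minutes, replication state and extra accounts in Domain Admins) as a single morning sweep script. This is an added example, not code from the thread or from Microsoft; it assumes a management host with RSAT (the ActiveDirectory module and repadmin), an account with read rights on each DC, and RPC/WMI reachability. The DC names, the Domain Admins baseline and the repadmin CSV column names are assumptions.

```powershell
# Morning DC sweep (added example). Assumes RSAT (ActiveDirectory module, repadmin),
# read rights on each DC and RPC/WMI reachability. DC names and the Domain Admins
# baseline are constructed placeholders; replace them with your own.
param(
    [string[]]$Dcs = @('dc01.corp.example', 'dc02.corp.example'),
    [string[]]$DomainAdminBaseline = @('Administrator', 'svc-ad-ops'),
    [int]$MaxSkewSeconds = 300     # the "within 5 minutes" tolerance from the thread
)
Import-Module ActiveDirectory
$essentialServices = 'NtFrs', 'Netlogon', 'Kdc', 'W32Time', 'IsmServ'
$since = (Get-Date).AddHours(-24)
$findings = New-Object System.Collections.ArrayList
function Add-Finding($dc, $check, $result) {
    [void]$findings.Add([pscustomobject]@{ DC = $dc; Check = $check; Result = $result })
}
foreach ($dc in $Dcs) {
    # 1. The AD Essential Services listed in the thread must be running
    foreach ($name in $essentialServices) {
        $svc = Get-Service -ComputerName $dc -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { Add-Finding $dc "service $name" 'not running' }
    }
    # 2. SYSVOL and NETLOGON must be shared, otherwise the DC will not advertise
    $shares = Get-WmiObject Win32_Share -ComputerName $dc | ForEach-Object { $_.Name }
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if ($shares -notcontains $share) { Add-Finding $dc "share $share" 'missing' }
    }
    # 3. Error-level events in the Directory Service log over the last 24 hours
    $dsErrors = Get-EventLog -ComputerName $dc -LogName 'Directory Service' -EntryType Error -After $since -ErrorAction SilentlyContinue
    if ($dsErrors) { Add-Finding $dc 'Directory Service errors (24h)' $dsErrors.Count }
    # 4. Clock skew against this host, both sides compared in UTC
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $dc
    $skew = [math]::Abs(($os.ConvertToDateTime($os.LocalDateTime).ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalSeconds)
    if ($skew -gt $MaxSkewSeconds) { Add-Finding $dc 'clock skew (s)' ([int]$skew) }
    # 5. Inbound replication failures from repadmin (column names assumed from its /csv output)
    $repl = repadmin /showrepl $dc /csv | ConvertFrom-Csv
    foreach ($row in ($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 })) {
        Add-Finding $dc "replication from $($row.'Source DSA')" $row.'Last Failure Status'
    }
}
# 6. Domain Admins membership (including nested groups) compared with the approved baseline
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object { $_.SamAccountName }
foreach ($extra in ($members | Where-Object { $DomainAdminBaseline -notcontains $_ })) {
    Add-Finding 'domain' 'unexpected Domain Admin' $extra
}
if ($findings.Count -eq 0) { 'All checks passed' } else { $findings | Format-Table -AutoSize }
```

Anything that appears in the findings table is what the first person in should look at; an empty table is the "ticking over nicely" case.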
Expert Comment by: bsharath (LVL 11)

Here are the things you need to do for a resigned user.
Hide the user from being shown in the GAL after resigning
Change user password
Remove Manager and Direct Reports if any
Remove user from all groups
Clear data (almost) from user information fields
Move user account to different OU (Always better to have all the disabled users in a different OU)

Remove all computer names that have been renamed.
Check for lame users who have not been used for a long time.
Expert Comment by: bsharath (LVL 11)

Find all groups that have the message restriction "Accept Messages Only From" defined (need to check whether unauthorised users are in it).
Check whether any computers and groups have "Managed By" assigned.
Expert Comment by: balmasri (LVL 5)

There is no need to make the following step ["Check the Domain Admins group (make sure no extra accounts are in there)"]. You can use the Restricted Groups feature in the Default Domain Controllers GPO.

Suggestion:
run dnslint from the following link
http://support.microsoft.com/kb/321046