Solved

Tips on what would be good indicators of a healthy active directory

Posted on 2011-09-07
Last Modified: 2012-05-12
Hi guys hope you are all well and can help.

Guys I would love your kind help on the following.

I have been tasked with identifying things that would be good candidates for reporting on with respect to ongoing health of our Active Directory.

So, for example, our team holds weekly meetings. In those meetings, we would like to share a report on key indicators of a healthy and secure AD environment. The idea of this is that we come up with a list of standards that we abide by to ensure the smooth running and operations of our AD. In our current environment, we have been running in a bit of a hit-and-miss, reactive, and ad hoc manner, which we wish to change by carving out a list of minimum standards that we regularly try and achieve. This is what this question is all about... trying to get your guys' input on what you guys deem as good standards to adopt.

For example:

1) Number of domain admins to be no more than x at any point in time
2) Only network printers to be published into AD, and not workstation-based printers
3) User account names to abide by naming convention, and exceptions to be noted.
Etc etc

If you guys can help me add to this list, that would be most greatly appreciated, as I can then hone in and customize for our own requirements.

Thanking you in advance.
Question by:Simon336697
Accepted Solution

by:
Mike Kline earned 500 total points
ID: 36499442
Are you at 2008? You could use the AD best practice analyzer for a good list: http://blogs.technet.com/b/askds/archive/2010/08/02/new-dns-and-ad-ds-bpa-s-released-or-the-most-accurate-list-of-dns-recommendations-you-will-ever-find-from-microsoft.aspx

I'd more look at replication and health using tools like repadmin and dcdiag.

You could also set up auditing for changes to key groups like domain admin.

Thanks

Mike
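
One way to turn two of the indicators raised in this thread (a cap on Domain Admins membership and the repadmin replication check) into a weekly report, as an added example that is not part of the original posts. The thresholds, the approved-member baseline, the host names and the DNs are hypothetical, and the CSV columns are assumed to match the header that `repadmin /showrepl * /csv` prints.

```powershell
# Added example; all sample data is constructed and every DN/host name is hypothetical.
# Live input instead of the samples below:
#   $rows    = repadmin /showrepl * /csv | ConvertFrom-Csv
#   $members = dsquery group -name "Domain Admins" | dsget group -members -expand
$MaxDomainAdmins = 2                      # the "x" in the standards list (assumed value)
$MaxReplAgeHours = 24                     # assumed staleness threshold
$Now = [datetime]'2011-09-07T09:00:00'    # fixed for the sample; use Get-Date live

$rows = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2011-09-07 08:45:10,0
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",Branch,DC3,RPC,14,2011-09-07 08:30:02,2011-09-05 21:12:44,1722
'@ | ConvertFrom-Csv

$approved = 'CN=adm-alice,OU=Admins,DC=corp,DC=example',
            'CN=adm-bob,OU=Admins,DC=corp,DC=example'
$members  = '"CN=adm-alice,OU=Admins,DC=corp,DC=example"',
            '"CN=adm-bob,OU=Admins,DC=corp,DC=example"',
            '"CN=svc-backup,OU=Service,DC=corp,DC=example"'

function Get-ReplicationFinding($Rows, [datetime]$Now, [int]$MaxAgeHours) {
  foreach ($r in $Rows) {
    $last = [datetime]::MinValue          # stays MinValue if the link never succeeded
    [void][datetime]::TryParse($r.'Last Success Time', [ref]$last)
    $age  = [math]::Round(($Now - $last).TotalHours)
    $fail = [int]$r.'Number of Failures'
    if ($fail -gt 0 -or $age -gt $MaxAgeHours) {
      "Replication $($r.'Source DSA') -> $($r.'Destination DSA') [$($r.'Naming Context')]: " +
      "$fail failures, last success $age h ago, status $($r.'Last Failure Status')"
    }
  }
}

function Get-AdminGroupFinding([string[]]$Members, [string[]]$Approved, [int]$Max) {
  # dsget prints one quoted DN per line; strip quotes and blank lines
  $current = @($Members | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
  if ($current.Count -gt $Max) { "Domain Admins has $($current.Count) members, limit is $Max" }
  foreach ($m in $current)  { if ($Approved -notcontains $m) { "Not in approved baseline: $m" } }
  foreach ($a in $Approved) { if ($current -notcontains $a) { "Approved member removed: $a" } }
}

$findings = @(Get-ReplicationFinding $rows $Now $MaxReplAgeHours) +
            @(Get-AdminGroupFinding $members $approved $MaxDomainAdmins)
if ($findings) { $findings } else { 'All indicators within standard.' }
```

With the constructed data this reports the DC3 to DC1 link, the member count over the limit, and the one account that is not in the baseline.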

Expert Comment

by:Mike Kline
ID: 36499458
Also see this question that is similar that I'm helping with

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27296228.html

Thanks

Mike
Author Comment

by:Simon336697
ID: 36520019
Hi Mike, we are not yet at 2008, we are still at 2003.
I am tasked with designing some guidelines for our AD in terms of administrative delegation. We are currently consolidating domains from six domains down to two, and would really love to get some tips on what people would suggest on going about this in terms of this. The complexity is dealing with current admins that currently administer their own domain, and will now come into a new consolidated domain. What I have to try and do is provide these admins with the same level of access to do their job, but no more. So, for example:

Current environment:

Root domain
|_____subdomainA
|_____subdomainB
|_____subdomainC
|_____subdomainD
|_____subdomainE

New environment:

Root domain
|_____subdomainA

In the current world, there are Dom admins in each subdomain.
When moving to the new world, we don't want them to have domain admin privileges to the entire subdomainA, since this would mean they have a larger footprint than what they currently have, due to the fact that the other subdomains will be consolidated into the new domain as well.
