Tips on what would be good indicators of a healthy active directory

Posted on 2011-09-07
Last Modified: 2012-05-12
Hi guys hope you are all well and can help.

Guys I would love your kind help on the following.

I have been tasked with identifying things that would be good candidates for reporting on with respect to ongoing health of our Active Directory.

So, for example, our team holds weekly meetings. In those meetings, we would like to share a report on key indicators of a healthy and secure AD environment. The idea of this is that we come up with a list of standards that we abide by to ensure the smooth running and operations of our AD. In our current environment, we have been running in a bit of a hit-and-miss, reactive, and ad hoc manner, which we wish to change by carving out a list of minimum standards that we regularly try and achieve. This is what this question is all about... trying to get your input on what you guys deem as good standards to adopt.

For example:

1) Number of domain admins to be no more than x at any point in time
2) Only network printers to be published into AD, and not workstation-based printers
3) User account names to abide by naming convention, and exceptions to be noted.
Etc etc

If you guys can help me add to this list, that would be most greatly appreciated, as I can then hone in and customize for our own requirements.

Thanking you in advance.
Question by:Simon336697
Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 36499442
Are you at 2008? You could use the AD best practice analyzer for a good list: http://blogs.technet.com/b/askds/archive/2010/08/02/new-dns-and-ad-ds-bpa-s-released-or-the-most-accurate-list-of-dns-recommendations-you-will-ever-find-from-microsoft.aspx

I'd more look at replication and health using tools like repadmin and dcdiag.

You could also set up auditing for changes to key groups like domain admin.

Thanks

Mike
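
Added example (not part of the thread or written by its participants): one way to turn the replication check from the answer above and the "no more than x domain admins" standard from the question into weekly report lines. It assumes replication status was exported with `repadmin /showrepl * /csv` using the column names and timestamp format shown; the DC names, domain, member list and thresholds are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of `repadmin /showrepl * /csv` (hypothetical DCs).
SAMPLE_SHOWREPL = """showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,2011-09-07 09:15:02,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",Branch,DC03,RPC,14,2011-09-07 09:10:41,2011-09-04 22:03:17,1722
showrepl_INFO,Branch,DC03,"CN=Configuration,DC=corp,DC=example",HQ,DC01,RPC,0,0,2011-09-05 01:00:00,0
"""

# Constructed Domain Admins membership export, one DN per entry (note the duplicate).
SAMPLE_ADMINS = [
    "CN=Administrator,CN=Users,DC=corp,DC=example",
    "CN=svc-backup,OU=Service,DC=corp,DC=example",
    "CN=Jane Admin,OU=IT,DC=corp,DC=example",
    "cn=jane admin,ou=it,dc=corp,dc=example ",
    "CN=Old Contractor,OU=IT,DC=corp,DC=example",
]

def replication_findings(csv_text, now, max_age=timedelta(hours=24)):
    """Return (link, reason) for links that are failing or have gone stale."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        link = f'{row["Source DSA"]} -> {row["Destination DSA"]} [{row["Naming Context"]}]'
        failures = int(row["Number of Failures"] or 0)
        try:
            last_ok = datetime.strptime(row["Last Success Time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            last_ok = None  # never succeeded, or a timestamp we cannot parse
        if failures:
            findings.append((link, f"{failures} failures, last status {row['Last Failure Status']}"))
        elif last_ok is None or now - last_ok > max_age:
            findings.append((link, f"no successful replication in {max_age}"))
    return findings

def admin_count_finding(members, limit):
    """Count unique members (case-insensitive DNs) and flag when over the agreed limit."""
    unique = {m.strip().lower() for m in members if m.strip()}
    return len(unique), len(unique) > limit

if __name__ == "__main__":
    for link, reason in replication_findings(SAMPLE_SHOWREPL, datetime(2011, 9, 7, 10, 0, 0)):
        print(f"REPLICATION  {link}: {reason}")
    count, over = admin_count_finding(SAMPLE_ADMINS, limit=3)
    print(f"DOMAIN ADMINS  {count} members, over limit: {over}")
```

A link with zero failures can still be unhealthy if its last success is old, which is why the stale check is separate from the failure count.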

Expert Comment

by:Mike Kline
ID: 36499458
Also see this question that is similar that I'm helping with:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27296228.html

Thanks

Mike
Author Comment

by:Simon336697
ID: 36520019
Hi Mike, we are not yet at 2008, we are still at 2003.
I am tasked with designing some guidelines for our AD in terms of administrative delegation. We are currently consolidating domains from six domains down to two, and would really love to get some tips on what people would suggest on going about this in terms of this. The complexity is dealing with current admins that currently administer their own domain, and will now come into a new consolidated domain. What I have to try and do is provide these admins with the same level of access to do their job, but no more. So for example:

Current environment:

Root domain
|_____subdomainA
|_____subdomainB
|_____subdomainC
|_____subdomainD
|_____subdomainE

New environment:

Root domain
|_____subdomainA

In the current world, there are Dom admins in each subdomain.
When moving to the new world, we don't want them to have domain admin privileges to the entire subdomainA, since this would mean they have a larger footprint than what they currently have, due to the fact that the other subdomains will be consolidated into the new domain as well.
