Active Directory Health Check

This document outlines a basic procedure for validating the health of your domain. It is good practice for iterative maintenance and an excellent pre-check before any potentially dangerous domain operation.

Before doing anything that might jeopardize the integrity of your domain, it is important to ensure that there are no outstanding health issues. While important, this kind of check needn't be horribly complicated or take a lot of time. Do it every time, so that you can be sure you aren't replicating problems across your forest as you do domain maintenance. This is especially critical before schema operations and domain migrations. Using a few simple Microsoft tools in the Windows Resource Kit, the general health of the domain can be validated and much of the risk associated with these projects can be mitigated.

Tools & Resources

DCDiag -- Basic Domain Diagnostics
NetDiag -- Domain Controller Network Diagnostics
REPLMon -- Replication Monitor
NETDom -- Domain and Trust Diagnostics

Project Files

Domain Controller Health Check.mpp

Domain Controller Health Check - Project File Procedure Steps

A number of people have requested that these steps be posted in HTML format, as they don't have Microsoft Project or can't open the file with their version of the software. To make this a little bit easier for everyone, here we go:

Domain Controller Health Check

Preparatory Work

Update Server Documentation

Gather Inventory of domain controllers from the ADU&C | Domain Controllers node

Locate current documentation from client on AD structure

Locate current documentation from client of site/core topology

Document name of every AD domain and Sub-domain

Document name and IP address of every Server

Document all trust relationships

Install Support Tools

Server

Log on to the server with Server Administrator privileges

Insert the Windows 2000/2003 disc into the CD drive

Navigate to CD:\\tools\Support Tools

Run Setup.exe

Wait as the Support Tools are installed on the server

Preparatory Work Completed

Verify Health of the Domain

Create Log Directories for all Diagnostic Files

Create a Logs Directory at the root of C:\ on the server as C:\Logs

Verify DNS function with NSLOOKUP

Drop to a Command Prompt

At the Command Prompt, key in 'Nslookup' <enter>

Resolve each replication partner

Resolve every AD domain and Sub-domain

Remediate any failed resolutions

Verify replication function and topology with REPLMON

<ServerName>

Navigate to Start | Programs | Administrative Tools | Support Tools | Replmon

Select the server (<ServerName>) in the Monitored Servers

Select Action | Server | Generate Status Report

When prompted, specify the file name as c:\Logs\<ServerName>-MMDDYYYY.log

In the Report Options, select all of the reporting options

Click OK

Verify DC health with DCDIAG /verbose on each domain controller

<ServerName>

Drop to a Command Prompt

Key in 'DCDIAG /s:<ServerName> /v /c > c:\Logs\<ServerName>-DCDIAG-MMDDYYYY.log' <enter>

Wait as the Diagnostic completes

Remediate any errors displayed

Run DCDIAG /s:<ServerName> /fix

Repeat the diagnostic

Verify network connectivity health with NETDIAG /verbose

<ServerName>

Drop to a Command Prompt

NETDIAG /v > C:\Logs\<ServerName>-NetDiag-MMDDYYYY.txt

Wait as the diagnostic completes

Remediate any errors displayed

Run Netdiag /fix

Run the NETDIAG diagnostic again

Verify all trusts with NETDOM

<ServerName>

Drop to a Command Prompt

At the Command Prompt, key in 'NetDom query /verify' <enter>

Verify that all trusts are working and responding to the stored passwords

Remediate all errors before continuing

Repeat for each additional Controller
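
The DNS and DCDIAG steps above, repeated for every controller, can be scripted so that failed tests are pulled out of the verbose logs instead of being read by eye. This is an added example, not part of the original procedure or project file; it assumes PowerShell is available on the machine you run it from, that dcdiag.exe from the Support Tools is on the PATH, and the controller names are placeholders.

```powershell
# Added example: run the page's DNS and DCDIAG checks per DC and list failures.
# Assumptions (not from the page): placeholder DC names, dcdiag.exe on PATH.
$DomainControllers = @('DC01', 'DC02')           # placeholder names
$LogDir = 'C:\Logs'                              # log directory used by the procedure
$Stamp  = Get-Date -Format 'MMddyyyy'            # MMDDYYYY, as in the page's file names

function Get-DcdiagFailure {
    # Returns one object per "<target> failed test <name>" line in DCDIAG output.
    param([string[]]$Lines, [string]$Server)
    foreach ($line in $Lines) {
        if ($line -match '\.+\s+(\S+)\s+failed test\s+(\S+)') {
            New-Object PSObject -Property @{
                Server = $Server; Target = $Matches[1]; Test = $Matches[2]
            }
        }
    }
}

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

$failures = foreach ($dc in $DomainControllers) {
    # DNS step: a controller that does not resolve is reported and skipped.
    try { [void][System.Net.Dns]::GetHostAddresses($dc) }
    catch {
        New-Object PSObject -Property @{ Server = $dc; Target = $dc; Test = 'DNS resolution' }
        continue
    }

    # Same switches as the procedure: /s (target), /v (verbose), /c (comprehensive).
    $log = Join-Path $LogDir "${dc}-DCDIAG-${Stamp}.log"
    & dcdiag.exe "/s:$dc" /v /c | Out-File -FilePath $log -Encoding ASCII
    Get-DcdiagFailure -Lines (Get-Content $log) -Server $dc
}

if ($failures) {
    $failures | Sort-Object Server, Test | Format-Table Server, Target, Test -AutoSize
    Write-Warning 'Remediate the failures above and repeat the diagnostic before any domain change.'
} else {
    Write-Output "No failed DCDIAG tests; logs are in $LogDir."
}
```

The full verbose logs stay in C:\Logs under the same naming convention, so the detail behind each listed failure is still available for remediation.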

 



Comments

 

David Overton's Blog said:

Given the recent comments about AD validation I thought I would share this excellent document on verifying

January 19, 2009 5:31 PM

About Ryan Hanisco

Ryan Hanisco is an Engagement Manager at Magenic Technologies specializing in project management and business analysis for their development group. Ryan has been in the IT industry for 10 years and working as a consultant for over five years working for both public and private sector companies. He lives on the north side of Chicago with his two cats, Cinders and Gato.
© 2008 Ryan Hanisco