Active Directory Health Check

Regular Active Directory health checks are vital to both security and business operations. While Active Directory (AD) can function even if it is not 100% healthy, problems with directory and domain controller health can lead to both data breaches and network downtime.

This article explains the key areas to include in an Active Directory health check and the top issues to watch for in your AD environment. It explores how to assess AD health using Microsoft tools, and offers a robust third-party solution that will help you both assess and maintain the health of your directory.

Components of an Active Directory Health Check

Assessing the health of Active Directory involves checking the state of the following:

  • AD services — A health check should ensure that Active Directory Domain Services, the Key Distribution Center (KDC) and other core directory services are running properly.
  • Domain controllers (DCs) — Assessing domain controller health includes ensuring that each DC is functioning well and that data is being replicated properly between them.
  • Users and computers — Active Directory can easily become cluttered with objects that are no longer being used, such as the user accounts of people who have left the organization. These orphaned objects do not merely add administrative overhead; they are common targets for takeover by malicious actors. Therefore, an AD security check must include a thorough review of all user and computer objects. In particular, make sure that decommissioned domain controller computer objects are removed from AD.
  • Distribution groups (distribution lists) — Distribution lists are used to simplify sending emails to an entire group of people. Keeping these lists correct is important both so that nobody misses messages they need and so that no one receives sensitive information they should not have.
  • Security groups — Security groups are the primary means of assigning access permissions to users, so it’s important to ensure that each group is delegated the correct rights and that its membership is correct. In addition, it’s wise to keep tabs on the number of groups you have and to look for groups that are no longer needed so you can remove them.
  • Permissions — Best practices recommend against assigning permissions to users and other AD objects directly, rather than through group membership. Accordingly, an AD health check should include looking for any directly assigned permissions.
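The object review described above, as an added PowerShell example that is not part of the original article and not a Netwrix tool: it lists stale enabled users and computers, computer objects left in the Domain Controllers OU after a DC was decommissioned, and OU permissions granted directly to user accounts instead of groups. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive); the 90-day inactivity threshold is an assumption.

```powershell
# Added example (not from the original article or any Netwrix product): list the
# objects an AD health check should review. Assumes the RSAT ActiveDirectory module,
# which also provides the AD: drive used to read OU ACLs. The 90-day threshold is an assumption.
Import-Module ActiveDirectory

$Cutoff   = (Get-Date).AddDays(-90)
$DomainDN = (Get-ADDomain).DistinguishedName

# 1. Enabled users and computers older than the cutoff that have not logged on since it
#    (or never). LastLogonDate derives from lastLogonTimestamp, which replicates with up
#    to a 14-day lag, so treat this as a review list, not a deletion list.
$Inactive = { Enabled -eq $true -and whenCreated -lt $Cutoff -and (LastLogonDate -lt $Cutoff -or LastLogonDate -notlike '*') }
$StaleUsers     = Get-ADUser     -Filter $Inactive -Properties LastLogonDate | Select-Object Name, SamAccountName, LastLogonDate
$StaleComputers = Get-ADComputer -Filter $Inactive -Properties LastLogonDate | Select-Object Name, LastLogonDate

# 2. Computer objects left in the Domain Controllers OU that are not live DCs
#    (decommissioned DCs whose objects were never removed).
$LiveDCs  = (Get-ADDomainController -Filter *).Name
$GhostDCs = Get-ADComputer -SearchBase "OU=Domain Controllers,$DomainDN" -Filter * |
            Where-Object { $LiveDCs -notcontains $_.Name }

# 3. Permissions on OUs granted directly to user accounts rather than to groups.
#    Only explicit (non-inherited) ACEs are examined so each grant is reported once.
$DirectUserAces = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }       # unresolvable trustees are skipped
        $trustee = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
        if ($trustee -and $trustee.objectClass -eq 'user') {
            [pscustomobject]@{ OU = $ou.Name; User = "$($ace.IdentityReference)"
                               Rights = $ace.ActiveDirectoryRights; Type = $ace.AccessControlType }
        }
    }
}

"Stale users: $(@($StaleUsers).Count)";                 $StaleUsers     | Format-Table -AutoSize
"Stale computers: $(@($StaleComputers).Count)";         $StaleComputers | Format-Table -AutoSize
"Stale DC objects: $(@($GhostDCs).Count)";              $GhostDCs       | Format-Table Name, DistinguishedName
"Direct user ACEs on OUs: $(@($DirectUserAces).Count)"; $DirectUserAces | Format-Table -AutoSize
```

Well-known identities such as SYSTEM or Everyone have no AD object with that SID, so they drop out of the third list without error.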

Symptoms of Poor Active Directory Health

Here are key symptoms of declining AD health to watch for:

  • Active Directory replication issues — Active Directory is a distributed identity management system that is replicated across all DCs in the domain. Accordingly, issues with AD replication can result in users not being able to log on or access the IT resources they are authorized to use and need to do their job.
  • Group Policy issues — Group Policy is a vital component of Active Directory that organizations use to control everything from file share mappings to application access to authentication protocols. Therefore, issues with AD Group Policy can lead to both business disruptions and security breaches.
  • DNS issues — Most of the issues that Active Directory faces are related to DNS. This includes incorrect DNS name registration and improper forwarder configuration.
  • Active Directory database issues — If the AD database grows too large, you can experience issues with domain controller promotion and backup & restore processes. Regular cleanup of stale and orphaned objects can help reduce database size.
  • User logon failures and account lockouts — A spike in either of these events can be a sign of domain controller issues, such as replication failures. However, they more commonly indicate a brute-force attack like password guessing or credential stuffing.
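An added example (not from the original article) of triaging such a spike: it reads the 4740 lockouts, all of which land on the PDC emulator, and the 4625 failed logons recorded there, then separates the password-spray shape (one source, many accounts) from a cached stale password (one account, one host) and from a failure-reason mix that points back at the domain controllers. It assumes the RSAT ActiveDirectory module and remote read access to the Security log; the one-hour window and the five-account threshold are assumptions.

```powershell
# Added example (not from the original article): triage a lockout / failed-logon
# spike on the PDC emulator, which records every 4740 lockout in the domain.
# Assumes the RSAT ActiveDirectory module and rights to read the Security log
# remotely; the one-hour window and five-account threshold are assumptions.
Import-Module ActiveDirectory

$Since = (Get-Date).AddHours(-1)
$Pdc   = (Get-ADDomain).PDCEmulator

function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    # Read a named EventData field from the event XML instead of relying on Properties[n] positions.
    ([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

$filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = $Since }
$rows = Get-WinEvent -ComputerName $Pdc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $isLockout = $_.Id -eq 4740
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Event   = if ($isLockout) { 'Lockout' } else { 'FailedLogon' }
        Account = Get-EventField $_ 'TargetUserName'
        # 4740 carries the caller computer name in TargetDomainName; 4625 carries the client IpAddress.
        Source  = if ($isLockout) { Get-EventField $_ 'TargetDomainName' } else { Get-EventField $_ 'IpAddress' }
        # 4625 SubStatus is an NTSTATUS: 0xC000006A bad password, 0xC0000234 account locked, 0xC0000064 unknown user.
        Reason  = if ($isLockout) { 'locked out' } else { Get-EventField $_ 'SubStatus' }
    }
}
"$(@($rows).Count) events since $Since on $Pdc"

# Pattern A: one source touching many distinct accounts has the shape of a password spray
# (a NAT gateway or proxy looks the same, so confirm the source before acting).
$rows | Group-Object Source |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'DistinctAccounts'; e = { @($_.Group.Account | Sort-Object -Unique).Count } } |
    Where-Object { $_.DistinctAccounts -ge 5 } | Format-Table -AutoSize

# Pattern B: the same account locked repeatedly from one host usually means a cached old
# password (service, scheduled task, mapped drive) rather than an attack or a DC fault.
$rows | Where-Object Event -eq 'Lockout' | Group-Object Account, Source |
    Where-Object Count -ge 2 | Select-Object Name, Count | Format-Table -AutoSize

# Pattern C: the failure-reason mix. Many 0xC0000064 (unknown user) beside bad passwords points to
# guessing against a username list; a burst of 0xC000006A right after password changes can indicate
# replication lag between DCs, so check replication before blaming users.
$rows | Where-Object Event -eq 'FailedLogon' | Group-Object Reason |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize
```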

Microsoft Tools for AD Health Checks

Microsoft provides multiple tools for performing Active Directory health checks. They include:

  • Best Practices Analyzer (BPA) — BPA scans the default roles installed on managed servers and highlights issues with them.
  • Microsoft Product Support (MPS) reports — This tool captures data related to Windows Update Services, Exchange and SQL servers, networking and more.
  • Repadmin — You can run Repadmin to report on the replication status of all domain controllers. In the results, you can easily see which domain controllers are not performing inbound or outbound replication, when they last replicated, and why they stopped.
  • DCDiag — This command-line tool provides 30 different directory health checks. If you run DCDiag, you can check the connectivity of DNS servers, the RPC and LDAP connections of domain controllers, replication errors, accessibility of RID Manager, registration status of machine accounts, and much more.
  • DNSCMD — You can use DNSCMD commands to report on DNS servers, including remote servers. The table below details some common use cases for an AD health check. For more information, please see the Microsoft documentation on DNS and DNS zones.
    Display server properties — DNSCMD /INFO
    Display all DNS zones in the network — DNSCMD /ENUMZONES
    Show the properties of a DNS zone — DNSCMD /ZONEINFO <ZONE NAME>
    Dump all DNS records in a DNS zone — DNSCMD <SERVERNAME> /ZONEEXPORT <ZONE NAME> <OUTPUT FILENAME>
  • PowerShell — PowerShell is a powerful and versatile tool for administrators. Here are several cmdlets that can help with AD health checks:
    Check domain controller health — Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsGlobalCatalog
    Check the membership of a group — Get-ADGroupMember -Identity "GroupName"
    Check the event log for errors — Get-EventLog -LogName System -EntryType Error
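To tie Repadmin, DCDiag and the service check together, here is an added PowerShell sweep (not from the original article) that runs dcdiag /q and repadmin /showrepl /csv against every DC and flags stopped core services, failed DCDiag tests and stalled replication partners in one table. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module, and dcdiag.exe and repadmin.exe on the path; the 24-hour replication threshold is an assumption.

```powershell
# Added example (not from the original article): sweep every DC for stopped core
# services, DCDiag failures and stalled replication. Assumes Windows PowerShell 5.1
# (Get-Service -ComputerName) with the RSAT ActiveDirectory module, and dcdiag.exe
# and repadmin.exe on the path; the 24-hour replication threshold is an assumption.
Import-Module ActiveDirectory

$CoreServices = 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'W32Time'   # AD DS, DNS, KDC, Net Logon, time sync
$ReplCutoff   = (Get-Date).AddHours(-24)

$Findings = @(
    foreach ($dc in Get-ADDomainController -Filter *) {
        # 1. Core directory services must be running on every DC (DNS only where it is installed).
        Get-Service -ComputerName $dc.HostName -Name $CoreServices -ErrorAction SilentlyContinue |
            Where-Object { $_.Status -ne 'Running' } |
            ForEach-Object { [pscustomobject]@{ DC = $dc.HostName; Check = 'Service'; Detail = "$($_.Name) is $($_.Status)" } }

        # 2. dcdiag /q prints only failures, so every non-blank line is a finding.
        & dcdiag.exe "/s:$($dc.HostName)" /q 2>&1 |
            ForEach-Object { "$_".Trim() } | Where-Object { $_ } |
            ForEach-Object { [pscustomobject]@{ DC = $dc.HostName; Check = 'DCDiag'; Detail = $_ } }
    }

    # 3. repadmin /showrepl * /csv gives one row per naming context per inbound partner on every DC.
    foreach ($r in (repadmin /showrepl * /csv | ConvertFrom-Csv)) {
        $failures = [int]$r.'Number of Failures'
        $lastOk   = [datetime]::MinValue
        [void][datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)   # unparseable / never => MinValue
        if ($failures -gt 0 -or $lastOk -lt $ReplCutoff) {
            [pscustomobject]@{ DC = $r.'Destination DSA'; Check = 'Replication'
                Detail = "$($r.'Naming Context') from $($r.'Source DSA'): $failures failures, " +
                         "last success '$($r.'Last Success Time')', status $($r.'Last Failure Status')" }
        }
    }
)

if ($Findings) { $Findings | Sort-Object DC, Check | Format-Table -AutoSize -Wrap }
else           { 'No findings: services running, DCDiag clean, replication current.' }
```

Run it from a management host as a member of Domain Admins or an equivalent delegated role, since dcdiag and remote service queries need administrative access to each DC.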

How Netwrix Can Help

Streamline AD Health Checks

With manual tools, performing a complete Active Directory health check can be difficult and time consuming. Netwrix GroupID streamlines the process by providing predefined reports on Active Directory that you can run with just a few clicks.

Netwrix GroupID includes reports on users, computers, groups and contacts, as shown on the left side of the screenshot below. For example, you can get a list of orphaned groups just by running the “Groups with no owner” report.

Maintain AD Health

In addition to streamlining checks on AD health, Netwrix GroupID offers powerful functionality that empowers you to maintain strong Active Directory health and performance. These capabilities include:

  • Self-service portal — This portal allows users to keep their personal information accurate and up to date.
  • Automatic deletion of inactive AD objects — You can require group owners to regularly attest to the continued need for their groups to exist; any that are no longer needed are expired. Similarly, you can require users to regularly validate their profiles so that inactive accounts are removed automatically.
  • Dynamic AD group membership — With Netwrix GroupID, you can create groups whose membership is determined by queries that check user attributes. For example, creating a group whose membership is determined by a query that checks whether “department = Engineering” takes just a few clicks.

Conclusion

Regularly assessing the health of your Active Directory is vital to maintaining security and enabling users to be productive. Microsoft offers tools that report on different aspects of AD, such as the state of objects and core AD services. To streamline AD health checks and simplify the work of maintaining AD health, administrators can use a third-party solution like Netwrix GroupID.

FAQ

How do I check the health of my AD domain?

Checking the health of your Active Directory domain involves reviewing the status of AD services, AD objects like users and groups, and domain controller health and replication.

What tools can I use to check Active Directory health?

To check Active Directory health, you can use Microsoft tools like Repadmin, DCDiag and DNSCMD. Third-party tools like Netwrix GroupID simplify AD health checks and also help you maintain the health of your AD environment more efficiently and effectively.

How do I run a health check on a domain controller?

Microsoft provides tools to run a domain controller health check. For example, Repadmin reports on DC replication status, and DCDiag provides detailed checks on DC performance.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.