If you were to do a search on the web for “Active Directory health,” you’d find countless articles on how to verify the “health” of your Active Directory environment. Most contain references to checking domain controllers, AD-related services, replication, DNS, and DHCP — all in an effort to assess whether Active Directory is working correctly or not.
The degree to which an AD environment remains healthy revolves largely around the services being provided. As a whole, we compartmentalize Active Directory into two parts: the core services that Microsoft provides and the configuration that IT pros implement within Active Directory. If the core services are running as expected, we say that Active Directory is healthy. However, this is only part of the story.
Shouldn’t the health of Active Directory also consider whether those services — authentication and access — are being provided correctly?
Much of the correctness of Active Directory services relies on proper configuration being put in place by IT — from topology to security and everything in between. Some of these parts, like security, might seem to be farther away from the core services, but an improper security configuration is still reflected in the overall services that Active Directory provides: The wrong security leads to the wrong service being provided. Therefore, we respectfully submit that the true health of your Active Directory relies on the security configuration of your Active Directory.
So, what should you be looking at to ensure that the security within your Active Directory is healthy?
There are a few other parts of Active Directory that should be considered when determining the overall “health” of AD:
- The state of your permissions: Active Directory permissions are one of those parts of managing AD that simply take on a life of their own — and rightfully so. Permissions to external resources aren’t stored within AD objects, so you likely have users and groups that are heavily over-permissioned. Knowing what permissions are assigned to which objects would provide you with a more valid and more complete sense of security.
- The state of your group memberships: Like permissions, no one pays much attention to group memberships once they’ve been created. Given that these objects are likely the primary means of assigning permissions, they deserve equal attention.
- The state of groups: After a time, some groups probably shouldn’t even exist anymore: Their usefulness ended months or years ago, yet they still continue to exist, complete with members and permissions.
- The state of AD management: This is not referring to Active Directory administration — you know, the daily changes needed here and there to put out the latest fire. This refers to the true management of your Active Directory’s security, groups, and memberships. If you do not have a formal process that, at a minimum, reviews the current state of the first three items in this list, you’re not truly managing Active Directory. You’re simply addressing the latest helpdesk ticket.
You’re concern about the health of your Active Directory health is warranted — Active Directory represents the foundational service on top of which reside every other application and some access to resources. But you can’t just stop at monitoring the replication between two DCs. Health must also include how Active Directory is configured to provide services, specifically security.
To get a better picture of the overall health of your Active Directory environment, check out Imanami’s free online diagnostic tool, Health Meter.