Active Directory Health Check

Active Directory is a backbone of an enterprise. Security and reliability of AD services affect everything else – from on-prem Exchange to Certificate Services to ADFS/SSO to endpoint security and so on. Environments that do not have mature operations/standards developed around Active Directory should consider performing a health check once in a while, especially prior to embarking on a major project.

AD health check can be performed by in-house personnel, but in some cases (be they political or precautionary) it may be beneficial to engage an unbiased third-party. Microsoft runs a program called AD RAP (risk assessment program), in which they run a tool such as ADST (Active Directory Snapshot Tool) or a set of tools and produce a 70-something page report. Other vendors may have their own methodologies.

What Should be Covered by an AD Health Check

Active Directory health depends on technical factors as well as organizational / process factors. While it is easy enough to analyze configuration of Active Directory and conclude that it is healthy, lack of consistent approach to things like change control can introduce randomness to an otherwise stable environment. So what should an Active Directory health check cover?

  1. Active Directory Infrastructure / Configuration
    1. Active Directory forests, domains, and trust relationships
    2. Domain functional level, forest functional level
    3. Conformity to best practices and intended purpose
  2. Domain controllers
    1. Number and physical characteristics (virtualization)
    2. DC placement / location
    3. FSMO services placement
    4. Physical security
    5. Global catalog configuration
    6. Time hierarchy review
    7. Event log review
  3. Sites and Services Infrastructure
    1. Sites mapping to physical infrastructure
    2. Site link bridging configuration
    3. Preferred bridgehead configuration
    4. Site link schedule, cost configuration
    5. IP subnet definition and mapping to sites
    6. Connection objects
  4. Namespace and Name Resolution Services
    1. DNS forwarders and delegation
    2. Zone configuration, replication, security
    3. DNS zone scavenging
    4. DHCP dynamic registration
    5. DHCP service identity
    6. DHCP configuration
  5. Authentication and Authorization Strategy
    1. Password policy, password lockouts and expirations
    2. Stale objects, stale passwords
    3. Number of accounts with non-expiring passwords
    4. Number of privileged accounts in Domain, Enterprise Admins groups
    5. Delegation of authority strategy
    6. RBAC (Role Based Access Control)
  6. Replication Health Review
    1. Directory replication / convergence
    2. NTFRS replication
    3. DFSR SYSVOL replication
  7. Antivirus, Patching, and Backup/Recovery Practices
  8. Group Policy and OU Structure Review

This is a high-level overview of what should be covered by a thorough AD health check engagement, but it does not need to stop there. Typically AD health checks are done in preparation for the next phase of a project, whatever it may be – ADFS deployment for cloud SSO integration, Exchange schema prep, PKI/ADCS deployment or assessment, etc.

Depending on the size of the environment, an engagement like this may take 3-5 business days and cost approximately $3,000-$5,000. Some vendors may offer a no-cost but more limited assessment as part of a bigger engagement where AD health check or discovery is a pre-requisite.

Active Directory Assessment Tools

The following Microsoft tools (free or part of the operating system) may be used for the technical part of the assessment:

  • ADST, Active Directory Snapshot Tool, available through ADRAP program
  • ADTD, Active Directory Topology Diagrammer
  • ADBPA, Active Directory Best Practices Analyzer, on Windows Server 2008 or higher
  • MBSA, Microsoft Baseline Security Analyzer, 2.2 or higher
  • GPMC, Group Policy Management Console
  • Command line tools: dcdiag, nltest, dfsrdiag, repadmin, dnscmd, dsget

Visio can be handy for discovering OU structures, there is a good article about it here.

In addition to technical tools, interviews need to be conducted to obtain organizational / process information, such as change management and administration model information, etc.

Active Directory Health Check Samples

You can find a few AD health check assessment samples here.


Leave a Reply

Your email address will not be published. Required fields are marked *