5 free Microsoft tools for monitoring Active Directory health

Gary Olsen, MVP in Directory Services and Solution Architect at HP, recently published a review of 5 free Microsoft tools that can be used to evaluate Active Directory health . This review seemed to us quite useful, so we decided to give a translation here.
We invite interested persons under cat.


Evaluation of AD health is already a problem in itself, especially for small and medium-sized companies that cannot afford to purchase expensive third-party solutions or hire an administrator who would only deal with AD administration.
The first manifestation of the “sick” Active Directory is the increasing flow of calls to the support service, which indicates a impending crisis. Fortunately, Active Directory itself can “recover” and even without being 100% healthy, it still works. However, it is precisely because of this that the problems that have arisen can be ignored, and the IT service switches to solving more important tasks.
I remember as a couple of years ago, as one of the employees told me that the domain controller does not want to replicate. After analyzing the logs, it turned out that this CD was not replicated for almost three years.
Therefore, I decided to collect here 5 basic tools that help me in conducting a basic health assessment of Active Directory. All are free and relatively easy to use.

1. Active Directory Best Practices Analyzer

')
By releasing the Active Directory Best Practices Analyzer (ADBPA) utility that is present in Windows Server 2008 R2, Microsoft has opened up extensive health information about Active Directory. Many administrators know the Exchange Best Practices Analyzer (ExBPA) utility. I expected from ADBPA the same level of detail of the reports and in-depth analysis of the best AD practices as from ExBPA in terms of solving the problems that arise. ADBPA, of course, provides useful information, but I would like it to be more. ADBPA is available under the Active Directory Domain Services role in Server Manager, as shown in Figure 1.



Please note that you can get a description of each entry by simply clicking on it. This example shows that all domain controllers marked in green correspond to the list of best practices of AD. Errors and warnings are also displayed. What is checked: all the lipermic domain controllers are configured to a valid time source (? - valid time source), all domains have two functioning CDs, all OUs are protected from accidental deletion when the last backups were made; Whether DNS is configured correctly, whether Group Policy and FRS replications work.
ADBPA is suitable for the primary review of AD health, but I would still like to receive more information. For example, it does not show information about Active Directory replication or whether there are CDs that have not replicated for a certain period of time (for example, during the lifetime of tombstone objects). The utility shows whether DNS works in such a way that allows clients to connect, nothing indicates that the DNS server may be incorrectly configured.

2. MPS Reports

In the old days of Windows 2000, Microsoft released Microsoft Product Support (MPS) Reports, a script for diagnosing AD. First, it was released for Microsoft partners, and then for everyone. For me, this utility is a key tool for assessing AD health or resolving problems. The utility can be downloaded here . You must select either the x86 or x64 version of the installer. When MPSReports.exe is launched, the dialog box shown in Figure 2 appears. Note that MPS Reports requires administrative rights to collect correct information and requires the following components to be installed: Microsoft .NET Framework 2, Windows PowerShell 1.0, Windows Installer 3.1 and Microsoft Core XML Services 6.0.



Figure 3 shows the running diagnostic menu. Previously, there were several versions of MPS Reports for Networking, SQL, Exchange, Active Directory and other components. Now everything is included in one package and you just choose what you need. To resolve AD issues, check General, Internet and Networking, Business Networks, Server Components, and Exchange Servers.



Select “Link to more info” and you will see the files to which the utility collects information. Click “Next” to start collecting data for diagnostics - it will take some time.
The utility of MPS Reports is that the utility launches a number of command-line tools and procedures and provides the results in a simple file in which it is easy to find information. For example, event logs can be collected in txt, ectx and cvs formats. I like the cvs format the most. You can open it in Excel and easily find or sort something, for example, by error text, event ID, etc. Along with the txt version, cvs displays a description of the event for applications - so when you read them on your computer, you can see the description of events without downloading the application (for example, Exchange and SQL).
MPS Reports allow you to save a CAB file to any location, or you can open it right away (Figure 4). In the CAB file there will be one or several XML files (Fig. 5) that show different reports, so you will not need to run the micro reports one by one.

3. Repadmin and Replsum

Repadmin is a powerful command line tool for troubleshooting Active Directory issues. The Replication Summary option, or the Replsum command, provides information on the replication status of all domain controllers in all domains in the forest. When evaluating Active Directory health, it is extremely important to know whether all domain controllers are replicated - and for those that do not, you undoubtedly come to find out lately when replication took place and why it became unsuccessful.
Repadmin allows you to quickly get answers to these questions. You can save a lot of time with it, as opposed to the widely used Repadmin / showrepl, which shows all domain controllers in a long list. The Replsum option analyzes all domain controllers in all domains in the forest and places information about them in a table that is easy to read. Use the following command:
Repadmin / bysrc / bydest sort: Delta> repadmin.txt
There are also other options and formats for this command, but I only use this one and it works great. Table 1 shows an example of what we get at the output.


Notice that the Source DC is the Outbound Replication list and the Destination DC is the Inbound Replication list. For example, at the top of the list, WTEC-DC2 is the source domain controller and has not replicated for more than five days. This is outbound replication because WTEC-DC2 is the source when we get an error message. Also, WTEC-DC1 did not perform inbound replication in the lower list, as it is the final domain controller. (Destination DC). The reason for this is indicated by event id 1722: RPC server is unavailable. This error usually indicates that there is a communication error at the physical level in this domain controller.
Here is my advice: if replication did not occur during the tomstone lifetime, the entry “the largest delta” will be displayed for> 60 days. This means that the domain controller does not have to be returned online, because it can introduce lingering objects. You must manually downgrade and then upgrade the domain controller again.

4. DCDiag / Test: DNS

Besides replication, another common cause of AD problems is DNS. DNS is often the cause of failed replication. The problem is that in a large number of environments DNS servers are installed on all domain controllers in AD, and this leads to the fact that the likelihood that the DNS can fall is increased. The study of each of them can take a lot of time. In Windows Server 2003, / Test: DNS was added to the DC diag command. Run the following command:

DCDiag / Test: DNS / e / v> DcdiagDNS.txt

This command will analyze each DNS server on the network and test DNS server authentication, basic connection, sender configuration, delegation, dynamic registration and resource record registration. For the last flagged one, DCDiag creates a test resource record and tries to register it. If this cannot be done, new entries cannot be registered (which will lead to other problems).
The team displays three potential outcomes: Pass (Pass), Fail (Failure) and Warn (Warning). A warning is not yet a problem, but rather an occasion to conduct additional analysis. For example, Warn in the Dynamic Registration (DYN) column means that protected dynamic updates are not activated. This does not indicate a failure, but you must be 100% sure that you want everything to remain as it is.
Table 2 shows typical team results.



Table 2 shows a complete and accurate report on all DNS servers in all domains on the network. So we can check the health of the DNS. This table appears at the end of the DCDiag output. Details of these tests for each server are included in the DCDiag report before the final summary table is displayed. If the user who ran the command does not have permissions in this domain, the tests will fail.
In the above case, tests of the EMEA domain were unsuccessful, because the user who launched DCDiag did not have the necessary permissions. “N / A” appears when the previous tests were unsuccessful, therefore, the remaining tests will depend on this “failure”. For example, in the EMEA-DC03 domain, the Auth and Basc tests failed. The remaining texts are shown as N / A. DCDiag does not carry out further tests, but only places N / A in each column. The Ext column is the fifth test to test external connectivity. DCDiag / Test: DNS does not check it by default.
Therefore, a tip: The list of domains and CD in the table is a convenient display of all domains in the forest and all CDs (which are DNS servers) in each domain. Thus, we get a map of the structure of domains and CD. In most environments, all CDs are DNS servers, so this is a convenient way to see domain and CD structures.

5. DNSCMD command line tool

If you are working on a remote system in an environment you are not familiar with, or if you just want to get information about the DNS environment you are working with, the DNSCMD team will give you all the necessary information. Please note that I need this level of detail, because I diagnose problems without access to the environment, and therefore I depend on reports that could give me a complete picture. Those commands that I use are presented in Table 3. I would recommend using them even if you can access the DNS server - sometimes it is much easier to look at the necessary information in a report than to “roam” the DNS interface. Also, these reports are periodically saved to files, so you can analyze the changes - especially if someone changed the config, and you want to know what the parameters were before. And, of course, these commands can be presented as a table.



There are other tools, such as the Group Policy Management Console (GPMC), which is great for analyzing group policies. GPMC also allows you to save a report on group objects as HTML in order to subsequently send it to support service for analysis. GPMC is not included in MPS Reports.

Staying healthy!

The above tools allow you to quickly generate reports about the health of Active Directory, and indicate the presence of problems. Of course, the administrator should make some effort to run them, but the process itself is simple - especially if you use MPS Reports. In conclusion, my advice is:
1. Use ADPBA as a tool for the widest perspective on AD health.
2. Download and run MPS Reports to delve deeper into solving the problem.
3. Run DCDiag / Test: DNS, Repadmin and Replsum as described above to get a quick and easy-to-understand snapshot of the replication and DNS configuration for the entire health of Active Directory and to highlight problem areas.
4. Use DNSCMD to obtain detailed DNS configuration information for offline analysis and comparison with previous configurations.
Nobody says that Active Directory management is a simple matter. But the application of the recommendations described should provide better monitoring and management of Active Directory, providing a more secure administration environment.

Source: redmondmag.com/Articles/2012/07/01/5-Free-Microsoft-Tools-for-Top-Active-Directory-Health.aspx?Page=1

PS Want to keep abreast of changes in Active Directory? Our NetWrix AD Change Reporter program allows you to receive notifications and reports on any changes in AD. Learn more about the program's features by downloading a 20-day trial version or by registering for a regular webinar .