
Why do I need to reboot domain controllers once a month

For optimal performance and security, Active Directory domain controllers require regular maintenance. Our new guide will help you configure your domain controllers so that they service authentication and authorization requests as effectively as possible.



Active Directory provides authentication and authorization services. A working Active Directory environment allows other services to work efficiently.

Earlier in the Active Directory Health Check Guide, we looked at 2 important issues related to verifying proper directory service operation: “Replicated Active Directory Topology” and “Subnets Not Related to Active Directory Sites”. We covered the advantages of using the network topology compared to the “cellular topology”, as well as a PowerShell script that you can use to obtain information on the number of sites linked by AD link.

Today we will explain why you need to restart domain controllers at least once a month and how you can use a PowerShell script to get information about the uptime of domain controllers. The script is presented below.

It is important to understand that domain controllers are designed to provide critical authentication and authorization services and are constantly in operation. Therefore, they must be restarted on a monthly basis, or at a dedicated time interval in accordance with your system performance testing standards.

Before looking at the PowerShell script that reports domain controller uptime, let's determine why domain controllers need to be restarted. There are two good reasons to consider when making a reboot decision:

  1. Memory leak issues: Memory leaks can develop in the Lsass.exe process. This process runs on a domain controller and is responsible for providing identity services to Active Directory clients. Over time, a memory leak can affect the performance of domain controllers. A massive memory leak can lead to unacceptable response times from the Lsass.exe process and high memory consumption by the operating system. To cope with memory leak problems, it is recommended to restart domain controllers periodically.

    Although the newer operating system versions, Windows Server 2012 R2 and Windows Server 2016, reclaim memory automatically, it is still recommended to reboot domain controllers, which in turn can help clear memory leaks that the operating system cannot resolve automatically.

  2. Most security updates require a reboot: Windows servers and domain controllers need regular patching with service packs and hotfixes, and security patch versions must be consistent across all domain controllers. New patches replace low-level DLL files in the operating system, so most security updates are applied successfully only after a reboot. Microsoft releases security updates on a monthly basis, so domain controllers must be restarted for the changes to take effect.

Taking into account the above reasons for the reboot, we offer you a PowerShell script that you can use to obtain information about the uptime of each domain controller. This script will also help you find out the number of days that have passed since the last restart of each domain controller.

Steps:

In the script, replace ITDynamicPacks.Net with the name of the main domain of your AD forest. Get a list of all domain controllers by running the command below; the result is saved in the file C:\Temp\DCList.TXT:

DSQuery Server -o rdn > C:\Temp\DCList.TXT 

Copy the full script below into a PS1 file and run it in a PowerShell window:

# Forest name used by the Dynamic Pack; change it to your own forest.
$CurForestName="ITDynamicPacks.Net"
$TestCSVFile="C:\Temp\DCUpTimeReport.CSV"
$GDCList="C:\Temp\DCList.TXT"
$TotNo=0
$ItemCount=0
$TestText = "Please check result"
$TestStatus="Completed"
$SumVal = "NA"
$ErrorOrNot = "No"
# Write the CSV header row.
$ThisString="Domain Controller, Up Time, Local Time, Time Zone, Days Not Rebooted, Status"
Add-Content "$TestCSVFile" $ThisString
$TodaysDate = Get-Date
Foreach ($ItemName in Get-Content "$GDCList")
{
    # DSQuery writes each name in double quotes; strip them and skip blank lines.
    $ItemName = $ItemName.Trim().Trim('"')
    IF ($ItemName -eq "") { continue }
    # Reset the error list so a failure on one DC is not reported for the DCs after it.
    $Error.Clear()
    $operatingSystem = Get-WmiObject Win32_OperatingSystem -ComputerName $ItemName
    IF ($Error.count -ne 0)
    {
        $ThisSTR = $ItemName+",Error Connecting"
        $ErrorOrNot = "Yes"
        Add-Content "$TestCSVFile" $ThisStr
    }
    else
    {
        # Convert the WMI (DMTF) timestamps to DateTime values.
        $RTime=[Management.ManagementDateTimeConverter]::ToDateTime($operatingSystem.LastBootUpTime)
        $LocalTime=[Management.ManagementDateTimeConverter]::ToDateTime($operatingSystem.LocalDateTime)
        $CurTimeZone=$operatingSystem.CurrentTimeZone
        $StatusNow = ""
        $R = $RTime
        $Z = $TodaysDate
        $DayNotRebooted = (New-TimeSpan -Start $R -End $Z).Days
        IF ($DayNotRebooted -ge 30)
        {
            $StatusNow = "WARNING: Not rebooted since last 30 days"
        }
        $ThisStr=$ItemName+","+$RTime+","+$LocalTime+","+$CurTimeZone+","+$DayNotRebooted+","+$StatusNow
        Add-Content "$TestCSVFile" $ThisStr
    }
}

When the script has finished processing all domain controllers, a report is generated in the DCUpTimeReport.CSV file in the C:\Temp folder, as shown in the following screenshot:


As you can see from the report, the script gives you the uptime of each domain controller listed in the C:\Temp\DCList.TXT file. The number of days since each domain controller was last rebooted is shown in the “Days Not Rebooted” column.
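The two reboot reasons described earlier can also be read directly from each domain controller. The following is an added example, not part of the original article or of the Dynamic Pack: it reports the Lsass.exe working set and whether Windows has a reboot pending after servicing. It assumes the same C:\Temp\DCList.TXT file and CIM (WinRM) access to every DC; the output file name and the Test-RemoteRegKey helper are hypothetical.

```powershell
# Added example, not from the original article or the Dynamic Pack.
# Assumes C:\Temp\DCList.TXT from the DSQuery step and CIM (WinRM) access to each DC.
$GDCList = "C:\Temp\DCList.TXT"
$OutFile = "C:\Temp\DCRebootReasons.CSV"   # hypothetical report name
$HKLM    = [uint32]2147483650              # HKEY_LOCAL_MACHINE for StdRegProv
# Keys Windows creates while a reboot is pending after servicing or updates.
$PendingKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
function Test-RemoteRegKey {
    param([string]$ComputerName, [string]$SubKey)
    # StdRegProv.EnumKey returns 0 when the key exists, non-zero when it does not.
    $r = Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\cimv2' `
        -ClassName StdRegProv -MethodName EnumKey -ErrorAction Stop `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $SubKey }
    return ($r.ReturnValue -eq 0)
}
$Report = foreach ($Line in Get-Content $GDCList) {
    $DC = $Line.Trim().Trim('"')           # DSQuery wraps each name in quotes
    if ($DC -eq '') { continue }
    # Same columns for every row so Export-Csv keeps a stable header.
    $Row = [ordered]@{ DomainController = $DC; DaysNotRebooted = ''; LsassWorkingSetMB = ''
                       RebootPending = ''; Status = 'OK' }
    try {
        $OS = Get-CimInstance Win32_OperatingSystem -ComputerName $DC -ErrorAction Stop
        $Row.DaysNotRebooted = (New-TimeSpan -Start $OS.LastBootUpTime -End $OS.LocalDateTime).Days
        # Reason 1: memory held by Lsass.exe (working set, in MB).
        $Lsass = Get-CimInstance Win32_Process -Filter "Name='lsass.exe'" `
            -ComputerName $DC -ErrorAction Stop | Select-Object -First 1
        $Row.LsassWorkingSetMB = [math]::Round($Lsass.WorkingSetSize / 1MB)
        # Reason 2: updates installed but not yet applied by a restart.
        $Row.RebootPending = $false
        foreach ($Key in $PendingKeys) {
            if (Test-RemoteRegKey -ComputerName $DC -SubKey $Key) { $Row.RebootPending = $true }
        }
    } catch {
        $Row.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$Row
}
$Report | Export-Csv $OutFile -NoTypeInformation
```

A single reading shows the size of Lsass.exe, not its growth; run the report on a schedule and compare LsassWorkingSetMB between runs to see a leak developing.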

The above script is part of the “Test Domain Controllers for Uptime” Dynamic Pack, which is available for use with Active Directory Health Profiler. This test can be run for one or multiple AD domains, and you can see the test results in the Active Directory Health Profiler console as shown in the screenshot below:


Conclusion


We examined in detail two key reasons for rebooting domain controllers. The main purpose of the reboot is to keep domain controllers servicing authentication and authorization requests in a timely manner, and to maintain maximum security by applying security updates promptly.

The proposed PowerShell script will help you keep your domain controllers running efficiently by showing which of them are due for their monthly reboot.

Source: https://habr.com/ru/post/316318/

