{"id":564,"date":"2014-11-17T15:13:30","date_gmt":"2014-11-17T05:13:30","guid":{"rendered":"https:\/\/girl-germs.com\/?p=564"},"modified":"2020-05-13T08:55:10","modified_gmt":"2020-05-12T22:55:10","slug":"regular-ad-maintenance-checks","status":"publish","type":"post","link":"https:\/\/girl-germs.com\/?p=564","title":{"rendered":"Regular AD Maintenance &#038; Checks"},"content":{"rendered":"<p>I was inspired to write this post based on a question posted on <a href=\"http:\/\/www.reddit.com\/r\/sysadmin\/comments\/2h5x8f\/monitoring_and_backing_up_your_ad_environment\">Reddit<\/a> a little bit ago. While I was happy with my response (and that so many people agreed with me!) I figured it would benefit those who read my blog or go searching for this information and aren&#8217;t Reddit readers. I&#8217;ve also added in a few links, that I didn&#8217;t include in my original post, to extra information on the specific commands. So&#8230;onwards we go.<\/p>\n<p>We have a truck load of checks that we need to do of a morning, as part of a script, to check what&#8217;s going on with our AD. That&#8217;s not to say we just check our AD, but this post is going to be aimed at those things we do to check that our AD environment is running as smoothly as it can be and should be. I personally didn&#8217;t write the script, and I&#8217;m pretty sure it would be classified as an internal document (and intellectual property of someone\/something other than me!) so I couldn&#8217;t give it out anyway, so sadly you&#8217;re just going to have to make do with what I give you and make your <strong>own<\/strong> script. 
Sorry.<\/p>\n<p>That said, we&#8217;ll shuffle right along into some of the daily checks that you should be performing:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Replication<\/strong><\/span><\/p>\n<ul>\n<li><strong>Replication status<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc770963(v=ws.11)\">repadmin commands<\/a><\/li>\n<li><strong>Replication summary<\/strong>: <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc835092.aspx\">repadmin \/replsummary<\/a><\/li>\n<li><strong>Monitor AD Replication errors<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc742066(v=ws.11)\">repadmin \/showrepl * \/errorsonly<\/a><\/li>\n<li><strong>Monitor AD Replication latency<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc742023(v=ws.11)\">repadmin \/showutdvec * dc=domain,dc=com<\/a><\/li>\n<li><strong>Monitor AD Replication queue length<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc742012(v=ws.11)\">repadmin \/queue *<\/a><\/li>\n<li><strong>Checking Fail Cache on ISTG DCs<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc770963(v=ws.11)\">repadmin \/failcache<\/a><\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>FSMO Roles<\/strong><\/span><\/p>\n<ul>\n<li><strong>FSMO role holders<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc835089(v=ws.11)\">netdom query \/domain: FSMO<\/a><\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>ISTG<\/strong><\/span><\/p>\n<ul>\n<li><strong>Identifying ISTG DCs<\/strong>: 
<a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc770963(v=ws.11)\">repadmin \/istg \/verbose<\/a><\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Time Settings &amp; Synchronisation<\/strong><\/span><\/p>\n<ul>\n<li><strong>Set DC time settings<\/strong>:\n<ul>\n<li>PDCE:\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/nepapfe\/its-simple-time-configuration-in-active-directory\">w32tm \/config \/manualpeerlist: \/syncfromflags:manual \/reliable:yes \/update<\/a><\/li>\n<li>Non-PDCE:\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/nepapfe\/its-simple-time-configuration-in-active-directory\">w32tm \/config \/syncfromflags:domhier \/update<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Verify DC time sync<\/strong>:\n<ul>\n<li><em>PDCE<\/em>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/windows-time-service\/windows-time-service-tools-and-settings\">w32tm \/stripchart \/computer:&lt;computer&gt; \/dataonly \/samples:1<\/a><\/li>\n<li><em>Non-PDCE<\/em>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/windows-time-service\/windows-time-service-tools-and-settings\">w32tm \/stripchart \/computer:&lt;computer&gt; \/dataonly \/samples:1<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Verify Forest Time Config<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/networking\/windows-time-service\/windows-time-service-tools-and-settings\">w32tm \/query \/configuration<\/a> (run on all DCs)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Trusts<\/strong><\/span><\/p>\n<ul>\n<li><strong>Trust Relationship check<\/strong>: <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/cc731935(v=ws.11)\">nltest \/domain_trusts<\/a><\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>DNS 
&amp; Networking<\/strong><\/span><\/p>\n<ul>\n<li><strong>Check DNS records across the forest and report on errors<\/strong>: <a href=\"http:\/\/support.microsoft.com\/kb\/321045\">dnslint\u00a0utility<\/a><\/li>\n<li><strong>Monitor for missing subnets<\/strong>: <a href=\"http:\/\/blogs.technet.com\/b\/askpfeplat\/archive\/2013\/01\/28\/quick-reference-troubleshooting-netlogon-error-codes.aspx#_Toc345694510\">type %systemroot%\\debug\\netlogon.log | findstr NO_CLIENT_SITE<\/a><\/li>\n<li><strong>Monitoring DC TCP ports<\/strong>: manual or scripted, checking to make sure all ports required for DC communication are &#8216;LISTENING&#8217;. The main ports to look out for:\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2008-R2-and-2008\/dd772723(v=ws.10)\">389, 636, 3268, 3269, 135, 53, 88, 445, 139, 123<\/a><\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Event Logs<\/strong><\/span><\/p>\n<ul>\n<li><strong>Checking System Event Logs<\/strong>: This can be done however you want to do it (manual, scripted, half-and-half) &#8211; we do this via our <a href=\"https:\/\/girl-germs.com\/?p=438\">ELK<\/a> server, but any logging server that is logging your AD System\u00a0logs will pick these up. 
The\u00a0main event IDs to look out for: 29, 1056, 16645, 16650, 55<\/li>\n<li><strong>DNS Event Log checks<\/strong>: done via a script (or can be done via a logging server, but this can get noisy depending on how your DNS logs are configured) &#8211; main event IDs: 5774, 5775, 5781<\/li>\n<li><strong>Review of Directory Service Event Logs<\/strong>:\u00a0This can be done however you want to do it (manual, scripted, half-and-half) &#8211; we do this via our <a href=\"https:\/\/girl-germs.com\/?p=438\">ELK<\/a> server, but any logging server that is logging\u00a0the DC &#8216;Directory Service&#8217; logs will pick these up.<\/li>\n<li><strong>Analyse\/archive of DC security logs<\/strong>:\u00a0This can be done however you want to do it (manual, scripted, half-and-half) &#8211; we do this via our <a href=\"https:\/\/girl-germs.com\/?p=438\">ELK<\/a> server, but any logging server that is logging your AD Security logs will pick these up.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Account Security<\/strong><\/span><\/p>\n<ul>\n<li><strong>Account lockouts<\/strong>:\u00a0This can be done however you want to do it (manual, scripted, half-and-half) &#8211; we do this via our <a href=\"https:\/\/girl-germs.com\/?p=438\">ELK<\/a> server, but any logging server that is logging your AD Security logs will pick these up.<\/li>\n<li><strong>Check admin group memberships<\/strong>: this will vary depending on how your administrative groups are set up; just be sure to check them regularly. 
Keep your &#8216;Enterprise Admins&#8217; &amp; &#8216;Schema Admins&#8217; empty, if possible.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>EVERYTHING!<\/strong><\/span><\/p>\n<p>The magic command that lets you get a high-level overview of everything that&#8217;s going on in your domain and where you need to focus your attention further:<\/p>\n<ul>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc731968.aspx\">dcdiag \/c<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I was inspired to write this post based on a question posted on Reddit a little bit ago. While I was happy with my response (and that so many people agreed with me!) I figured it would benefit those who read my blog or go searching for this information and aren&#8217;t Reddit readers. I&#8217;ve also added in a few links,&#8230; <a href=\"https:\/\/girl-germs.com\/?p=564\">Read more &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[8,5,328,2,7],"tags":[176,241,242,177,27],"class_list":["post-564","post","type-post","status-publish","format-standard","hentry","category-documentation","category-sys-admin","category-techstuff","category-technology","category-work","tag-ad","tag-maintenance","tag-proactive","tag-security","tag-sysadmin"],"jetpack_pub
licize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2Tmk1-96","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts\/564","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=564"}],"version-history":[{"count":19,"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts\/564\/revisions"}],"predecessor-version":[{"id":2244,"href":"https:\/\/girl-germs.com\/index.php?rest_route=\/wp\/v2\/posts\/564\/revisions\/2244"}],"wp:attachment":[{"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/girl-germs.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}