Checking the Health of your Active Directory Environment

Stanley Lopez, Senior Premier Field Engineer
February 24, 2012
Overview of PFE
Premier Field Engineering (PFE) provides technical
leadership for Microsoft’s Premier customers around the
world to promote health in their IT environments through
onsite, remote and dedicated support services.


[Diagram: PFE engagement lifecycle (Envision, Project Planning, Build, Stabilize, Deploy, Operate) shown against the regions served: Canada, US, Latam, UK, France, Germany, WE, CEE, MEA, GCR, India, Japan, APAC]
Microsoft Confidential

Driving Operations Excellence

Get Healthy
  Assess: Active Directory, Exchange & Windows Server Risk Assessment & Health Check Program (ADRAP); Operations RAP
  Plan: Operation Strategic Review; Messaging Service Map
  Stabilize: ADRAP Remediation; Dedicated Support Engineer for Exchange & Windows Servers
Stay Healthy
  Educate: Proactive Troubleshooting & Disaster Recovery Workshop; Roles & Knowledge Management
  Prevent: Desired Configuration Management; Proactive Monitoring; Software Update Management (monthly hot fix); Change and Configuration Management
  Optimize: Service Level Management; Service Catalog Design; Capacity Management

Ready for Business & Mission Critical Support
Is Your AD Healthy?
 Major Components of Active
 Directory
 Active Directory Replication
 SYSVOL Replication
 Name Resolution
 Domain Controller health
 Why DR is important for AD
Major Components of Active Directory

[Diagram: Active Directory Replication, SYSVOL Replication, Name Resolution, Domain Controller Health, Disaster Recovery]



Active Directory Replication


Active Directory Replication 101

  Active Directory Replication
     Synchronizes changes between domain controllers in a multi-master environment
     Ensures the data stored on all domain controllers is consistent
  Replication Model and Benefits
     Multi-Master
     – Scalability, reliability and high availability
     Store and forward
     – Reduces communication over WAN links
     Pull Replication
     – Request-pull: the destination requests changes from the source
     – The request describes the data already received, so only missing changes are sent
     State-based and Attribute-Level Replication
     – Minimizes replication traffic
Directory Partition Replicas

[Diagram: the Active Directory database (NTDS.DIT) is made up of partitions. Forest-wide replication: Schema, Configuration, Forest DNS Zone. Domain-wide replication: Domain, Domain DNS Zone. The Global Catalog and a second domain (Domain Y) are also shown.]

  Replication occurs at the partition level
  Note: a partition is sometimes called an NC (Naming Context)
Replication Topology

[Diagram: Sites A, B and C, each with an ISTG and a bridgehead server; subnets and connection objects within Site A; Site Link A-B (Cost 100 / Interval 15) and Site Link A-C (Cost 100 / Interval 180)]
Inter-site Replication Topology
  Connections
         A one-way, inbound route from one DC (the source) to another DC (the destination)
  Site
         Defines a set of DCs that are well connected, in terms of speed and cost
         A site contains one or more subnets
         A site can contain more than one domain, and one domain can span more than one site
         Within a site, the replication topology is generated automatically by the KCC
  Site Links
         Between sites, site links have to be established so that the KCC (ISTG) can generate the topology across the sites
         A site link carries the schedule that determines when replication can take place, as well as an assigned 'cost'
  Site Link Bridge
         When more than two sites are linked for replication and use the same transport, all of the site links are 'bridged'
         Site link bridges are 'transitive'
  Bridgehead Server
         The designated server that performs site-to-site replication for each directory partition
         Bridgehead servers can be designated by the administrator or assigned automatically by the KCC
  Inter-Site Topology Generator (ISTG)
         Within a site, the KCC runs on each DC to generate the topology for the site
         Between sites, one DC is designated as the ISTG to generate the topology for inter-site replication
         The first DC in the site automatically becomes the ISTG
         The ISTG need not necessarily be a bridgehead server
Things to note…

   KCC vs. manually created connection objects
      No automatic fail-over for manually created connection objects
   Directory partition connections
      One for Schema and Configuration, one for Domain
   Global Catalog replication
      A connection is required for the ISTG to create the inter-site topology
   Bridgehead servers
      2000 – one per domain, per site
      2003 and above – more than one may be selected
   Subnet-to-site mapping
      Ensures that clients communicate with the 'closest' DC
Checking Replication

   Repadmin
   Active Directory Sites and Services
   Event Viewer
   DCDiag
   Replmon
   Active Directory Topology Diagrammer (ADTD)
AD Replication Best Practices

   Verify forest-wide replication status at least once a week and prior to making major changes that rely on directory replication
   Monitor ISTGs and bridgehead servers more frequently
   DO NOT
      Fix a DC that has not been replicating for longer than the TSL (tombstone lifetime)
      Restore backups older than the TSL
      Decrease the TSL without a proper understanding of the impact, unless there is a strong justification for it
      Create manual connection objects unnecessarily
      Assign preferred bridgehead servers without both a compelling reason and a thorough understanding of the expected results
      Change default settings without a proper understanding of the implications
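A PowerShell check, added here and not part of the original deck, that turns the Repadmin and TSL points above into a report: it parses `repadmin /showrepl * /csv`, reads the forest's tombstoneLifetime from the Configuration partition, and flags inbound partners that are failing or whose last success is older than the TSL (the DCs the slide says not to simply "fix"). It assumes the RSAT ActiveDirectory module and repadmin.exe are available; the one-day warning threshold is an assumed value.

```powershell
# Added example, not from the original deck. Requires the ActiveDirectory module
# (RSAT) and repadmin.exe; run from a management host with domain read access.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # Configuration partition. When the attribute is not set, the forest runs
    # with the built-in default of 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    return 60
}

function Get-ReplicationHealth {
    param(
        # Assumed threshold: warn when a partner has had no successful
        # replication for more than this many days.
        [double]$WarnAfterDays = 1
    )
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date

    # One CSV row per (destination DC, partition, inbound source) triple.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        # "Last Success Time" is empty or not a date when the partner never replicated.
        $lastSuccess = [datetime]::MinValue
        $hasSuccess  = [datetime]::TryParse($row.'Last Success Time', [ref]$lastSuccess)
        $ageDays     = if ($hasSuccess) { ($now - $lastSuccess).TotalDays } else { [double]::PositiveInfinity }
        $failures    = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        $state = 'OK'
        if ($ageDays -ge $tsl) {
            # Beyond the TSL the partner may hold lingering objects. Per the slide,
            # do not just repair it and let it replicate; treat it as a DR case.
            $state = 'BEYOND-TSL'
        } elseif ($failures -gt 0 -or $ageDays -gt $WarnAfterDays) {
            $state = 'WARN'
        }

        [pscustomobject]@{
            Destination = $row.'Destination DSA'
            Partition   = $row.'Naming Context'
            Source      = $row.'Source DSA'
            SourceSite  = $row.'Source DSA Site'
            Failures    = $failures
            LastSuccess = if ($hasSuccess) { $lastSuccess } else { $null }
            AgeDays     = [math]::Round($ageDays, 1)   # Infinity when never replicated
            LastFailure = $row.'Last Failure Status'
            State       = $state
        }
    }
}

# Show only what needs attention, oldest last success first.
Get-ReplicationHealth |
    Where-Object State -ne 'OK' |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```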
SYSVOL Replication

   File Replication Services (FRS)
   Distributed File Replication Services (DFRS)
Checking SYSVOL replication

  Verify dependent services are functioning
    Name Resolution
    AD Replication
  Review FRS status
    SONAR
    Event Logs
    FRSDiag
  Review DFRS status
    DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group
    Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication.
Common pitfalls for FRS
   Replication/FRS failures undetected
     Journal wrap failures
     FRS service not running
     Improper decommissioning of domain controllers
   SYSVOL partition running out of disk space
   Storing non-Group Policy files in SYSVOL
   Configuring inappropriate permissions on SYSVOL folders
   Manual copying/deleting of files
   Improper use of D2/D4
   Excessive replication
     File system policy
     Anti-virus software
     Defragmenter
   Sharing violations
     Files held open by applications
FRS best practices
  Proactively monitor AD and FRS replication
  Monitor the FRS event logs regularly for FRS errors, sharing violations and excessive replication
  Clean up the metadata of improperly decommissioned DCs
  Do not stop the FRS service for extended periods of time
  Never copy files that live in SYSVOL between DCs; always try to troubleshoot why files aren't replicating
  Use D2 (non-authoritative) and D4 (authoritative) restores with care
  Do not configure file system policies on SYSVOL
  Do not scan or defrag SYSVOL
  Do not store non-Group Policy files in SYSVOL
DFRS Best Practices

   DFS Replication is a multi-master replication engine, which means that changes can be made at every location. Do not change the same document at two locations at the same time: changes will not merge, and the conflict is resolved as last writer wins.
   Sharing violations (users open files and take exclusive WRITE locks in order to modify their data) will prevent DFSR from replicating the modified file. Periodically the application writes those changes to NTFS and the USN change journal is updated. DFSR monitors that journal and attempts to replicate the file, only to find that it cannot because the file is still open.
   An event will be logged if DFSR repeatedly has trouble replicating open files: entries with IDs 4302 and 4304 will appear in the DFS Replication event log.
   The option to adjust the replication schedule in DFSR management is greyed out. This is because SYSVOL replication follows the same replication path and schedule as Active Directory. If the time window is open, DFSR replicates almost instantly; if the schedule does not permit replication, it starts when the time window opens. This means that if AD replication is not permitted between 6:00 am and 10:00 am, DFS Replication will not replicate either. As soon as the schedule allows replication, the changed files are replicated.
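An added PowerShell example (not from the original deck) that covers the two DFSR checks described in "Checking SYSVOL replication" and above: it runs dfsrdiag backlog for every sender/receiver pair of DCs and then pulls the 4302/4304 sharing-violation events from the DFS Replication log. It assumes SYSVOL is DFSR-replicated, dfsrdiag.exe (DFS Management tools) and the ActiveDirectory module are installed, and remote event log access is allowed; the 24-hour lookback is an assumed value.

```powershell
# Added example, not from the original deck. "Domain System Volume" and "SYSVOL Share"
# are the names DFSR gives the SYSVOL replication group and replicated folder.
Import-Module ActiveDirectory

$SysvolGroup  = 'Domain System Volume'
$SysvolFolder = 'SYSVOL Share'

function Get-SysvolBacklog {
    param(
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName)
    )
    foreach ($sender in $DomainControllers) {
        foreach ($receiver in $DomainControllers) {
            if ($sender -eq $receiver) { continue }

            # Backlog = files the sending member has that the receiving member has not
            # yet replicated. dfsrdiag prints "No Backlog - member X is in sync with
            # partner Y" or "Backlog File Count: N" plus a file list, then
            # "Operation Succeeded" / "Operation Failed".
            $out = dfsrdiag backlog "/rgname:$SysvolGroup" "/rfname:$SysvolFolder" `
                                    "/smem:$sender" "/rmem:$receiver" 2>&1
            $text  = $out | Out-String
            $count = $null
            if ($text -match 'Operation Succeeded') {
                $count = 0
                if ($text -match 'Backlog File Count:\s*(\d+)') { $count = [int]$Matches[1] }
            }
            [pscustomobject]@{
                Sender   = $sender
                Receiver = $receiver
                Backlog  = $count   # $null: dfsrdiag failed (member unreachable, DFSR stopped, ...)
                Status   = if ($null -eq $count) { 'ERROR' } elseif ($count -eq 0) { 'IN-SYNC' } else { 'BACKLOG' }
            }
        }
    }
}

function Get-SysvolSharingViolations {
    param([string]$ComputerName, [int]$Hours = 24)
    # 4302: DFSR has repeatedly failed to replicate a file another process holds open.
    # 4304: that file was eventually replicated once the handle was released.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'DFS Replication'
        Id        = 4302, 4304
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, MachineName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Backlog matrix first (anything not in sync), then open-file warnings on every DC.
Get-SysvolBacklog | Where-Object Status -ne 'IN-SYNC' | Format-Table -AutoSize
Get-ADDomainController -Filter * |
    ForEach-Object { Get-SysvolSharingViolations -ComputerName $_.HostName } |
    Format-Table -AutoSize
```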
Name Resolution


DNS 101

  Domain Name System
    Provides the name resolution service
  Used by
    Clients & applications – for locating DCs as well as the 'services' provided by DCs
    Domain Controllers – for Active Directory replication and File Replication Services
What needs to be in place for AD to function properly

   TCP/IP configuration
     Domain controllers must be configured with a proper IP address and point to valid DNS servers
   DNS records
     Required records must be registered properly on the DNS servers
   DNS servers must be functioning properly
     Forwarders, delegations, secondaries, etc. must be configured properly and be valid
Records Registered by DCs

   Host (A) record
     IP address of the domain controller
     Registered by the DHCP Client service
     Registered by the DNS Client service on Windows 2008
   Service Resource Record (SRV) records
     Registered by the Netlogon service on the DC
     Used by clients/services to locate the various types of services provided by domain controllers
   GUID (CNAME) record
     Required for AD replication
     Registered only on the forest root DNS server
Checking your DNS

  Verify TCP/IP configuration
    IPConfig
  Verify DNS server functionality
    NSLookup
    DCDiag /test:DNS
    DNS server console
    Event Logs
  Verify GUID and glue records
    DNSLint
  Re-register records
    Cycle Netlogon
    Cycle DHCP Client/DNS Client or IPConfig /RegisterDNS
  Capture a network trace
    Netmon
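An added PowerShell example (not part of the original deck) for the record checks on the last two slides: for every DC it resolves the host (A) record, confirms the DC appears in the _ldap._tcp.dc._msdcs SRV set, and resolves the DSA-GUID CNAME in the forest root _msdcs zone; a second function lists each DC's configured resolvers and marks any that is not a DC address (the "DCs pointing to external DNS servers" pitfall). It assumes the ActiveDirectory and DnsClient modules, and that the host running it queries the internal DNS servers.

```powershell
# Added example, not from the original deck.
Import-Module ActiveDirectory

function Test-DcDnsRecords {
    $forestRoot = (Get-ADForest).RootDomain
    $domain     = (Get-ADDomain).DNSRoot

    # Clients locate DCs through this SRV set; every DC in the domain should be in it.
    $srvTargets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'SRV' |
                  ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $fqdn = $dc.HostName.ToLower()

        # Replication partners find a DC through a CNAME named after its DSA GUID,
        # i.e. the objectGUID of the NTDS Settings object (not the computer object),
        # registered in the forest root _msdcs zone.
        $ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
        $guidName = "$($ntds.objectGUID)._msdcs.$forestRoot"

        $aRecords = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue |
                    Where-Object Type -eq 'A'
        $cname    = Resolve-DnsName -Name $guidName -Type CNAME -ErrorAction SilentlyContinue |
                    Where-Object Type -eq 'CNAME'

        [pscustomobject]@{
            DC           = $dc.HostName
            Site         = $dc.Site
            # The A record must exist and carry the address AD knows for this DC.
            HostRecordOK = [bool]$aRecords -and (@($aRecords.IPAddress) -contains $dc.IPv4Address)
            SrvRecordOK  = $srvTargets -contains $fqdn
            # The GUID CNAME must exist and point back at this DC's host name.
            GuidCnameOK  = [bool]$cname -and ($cname.NameHost.TrimEnd('.').ToLower() -eq $fqdn)
            GuidCname    = $guidName
        }
    }
}

function Get-DcDnsClientServers {
    # Lists each DC's configured IPv4 resolvers and flags any that is not a DC
    # of this domain (external or stale DNS servers).
    $dcs         = Get-ADDomainController -Filter *
    $dcAddresses = $dcs | ForEach-Object { $_.IPv4Address }
    foreach ($dc in $dcs) {
        $servers = Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                   Where-Object { $_.ServerAddresses } |
                   Select-Object -ExpandProperty ServerAddresses -Unique
        [pscustomobject]@{
            DC           = $dc.HostName
            DnsServers   = ($servers -join ', ')
            NonDcServers = (@($servers | Where-Object { $dcAddresses -notcontains $_ }) -join ', ')
        }
    }
}

Test-DcDnsRecords     | Format-Table -AutoSize
Get-DcDnsClientServers | Format-Table -AutoSize
```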
Common Pitfalls

   Administrators not familiar with, or aware of, the name resolution design
   Invalid (stale) TCP/IP, forwarder, delegation, etc. settings
   DCs pointing to external (invalid) DNS servers
   Single-point-of-failure configurations
   DNS forwarder loops
   Zone transfers not secured
   Dynamic updates not enabled
   DNS scavenging not enabled
   Multi-homed domain controllers
DNS Best Practices

   Audit the DNS entries used by DC replication on a monthly basis
   Ensure that disconnected NICs are disabled
   Adopt a standardized configuration for domain controllers and DNS servers
   Allow zone transfers to specific servers only
   Allow only secure dynamic updates
   Configure DNS scavenging to remove stale records
Domain Controller Health

   Service pack level
   When was the last time your DC was restarted?
   Event logs
      How often do you review the logs for errors or warnings?
   Is time synchronization configured properly in the environment (W32tm)?
Common Pitfalls

   Potential failures not detected
     Service failing
     DC experiencing a bottleneck
     System running low on disk space
   No proper management of event logs
   DCs running on an outdated service pack
   DCs not patched with security updates
   Time synchronization improperly configured
Best Practices

   Run DCDiag on a weekly basis to verify the overall well-being of domain controllers
   Review event logs on domain controllers regularly to uncover problems at an early stage
   Perform base-lining and regular monitoring of domain controllers to uncover any potential resource bottlenecks
   Configure only the forest root domain PDCe as an NTP-type time server
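A weekly sweep in PowerShell, added here and not from the original deck, covering the DC health items on the last three slides: service pack level, last restart, free space on the volume holding NTDS.DIT, error and warning counts in the Directory Service log, and each DC's time source so that only the forest root PDCe is seen taking time from outside the domain hierarchy. It assumes the ActiveDirectory module, WinRM/CIM access to every DC and w32tm.exe on the management host; the seven-day log window is an assumed value.

```powershell
# Added example, not from the original deck.
Import-Module ActiveDirectory

function Get-DcHealthReport {
    param([int]$LogDays = 7)   # assumed review window, matching a weekly DCDiag cadence

    # Only the forest root PDC emulator should take time from an external source;
    # every other DC should follow the domain hierarchy.
    $forestPdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $since      = (Get-Date).AddDays(-$LogDays)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction SilentlyContinue

        # Free space matters on the volume that actually holds NTDS.DIT, recorded in the
        # NTDS service parameters; fall back to C: if the registry is unreachable.
        $dbPath = Invoke-Command -ComputerName $name -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
        }
        $volume = if ($dbPath) { $dbPath.Substring(0, 2) } else { 'C:' }
        $disk   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$volume'" `
                                  -ComputerName $name -ErrorAction SilentlyContinue

        # Level 1 = Critical, 2 = Error, 3 = Warning in the Directory Service log.
        $events = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Level = 1, 2, 3; StartTime = $since
        })

        # w32tm reports the peer this DC is synchronizing from. A non-PDCe that shows
        # an external host or "Local CMOS Clock" is a finding.
        $timeSource = (w32tm /query "/computer:$name" /source 2>&1 | Out-String).Trim()

        [pscustomobject]@{
            DC           = $name
            IsForestPdce = ($name -ieq $forestPdce)
            OS           = if ($os) { "$($os.Caption) $($os.CSDVersion)".Trim() } else { 'unreachable' }
            LastBoot     = if ($os) { $os.LastBootUpTime } else { $null }
            UptimeDays   = if ($os) { [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1) } else { $null }
            NtdsVolume   = $volume
            FreeGB       = if ($disk) { [math]::Round($disk.FreeSpace / 1GB, 1) } else { $null }
            DsErrors     = @($events | Where-Object Level -le 2).Count
            DsWarnings   = @($events | Where-Object Level -eq 3).Count
            TimeSource   = $timeSource
        }
    }
}

Get-DcHealthReport | Format-Table -AutoSize
```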
Disaster Recovery

   Loss of DCs
   Loss of data
   Re-introduction of lingering objects
   Loss of configuration partition data
Questions?

More Related Content

PDF
SDN Presentation
Abderrahmane TEKFI
Ā 
PDF
radius dhcp dot1.x (802.1x)
rinnocente
Ā 
PPTX
Zero Trust Model
Yash
Ā 
PDF
[DDos] Trus guard dpx
ģ‹œģ˜Øģ‹œķė¦¬ķ‹°
Ā 
PDF
Comment hacker Active Directory de A Ć  Z? - Par Sylvain CortĆØs
Identity Days
Ā 
PPTX
How SASE can help you move securely from the PSN with VMware and Breeze Networks
Articulate Marketing
Ā 
PPTX
L’iam : au-delĆ  des idĆ©es reƧues, les clĆ©s de la gestion des identitĆ©s et des...
Identity Days
Ā 
PPTX
Network Function Virtualization : Overview
sidneel
Ā 
SDN Presentation
Abderrahmane TEKFI
Ā 
radius dhcp dot1.x (802.1x)
rinnocente
Ā 
Zero Trust Model
Yash
Ā 
[DDos] Trus guard dpx
ģ‹œģ˜Øģ‹œķė¦¬ķ‹°
Ā 
Comment hacker Active Directory de A Ć  Z? - Par Sylvain CortĆØs
Identity Days
Ā 
How SASE can help you move securely from the PSN with VMware and Breeze Networks
Articulate Marketing
Ā 
L’iam : au-delĆ  des idĆ©es reƧues, les clĆ©s de la gestion des identitĆ©s et des...
Identity Days
Ā 
Network Function Virtualization : Overview
sidneel
Ā 

What's hot (20)

PDF
Byod and guest access workshop enabling byod carlos gomez gallego_network ser...
Aruba, a Hewlett Packard Enterprise company
Ā 
PDF
Aruba Networks - Overview ClearPass
Paulo Eduardo Sibalde
Ā 
PPT
SSO Strategy Implementation Considerations
John Bauer
Ā 
PPTX
Business Case Of Desktop Virtualization
Md Yousup Faruqu
Ā 
PDF
Cloud Computing and Service oriented Architecture (SOA)
Ravindra Dastikop
Ā 
PPTX
Transform your enterprise branch with secure sd-wan
DATA SECURITY SOLUTIONS
Ā 
PDF
Meraki vs. Viptela: Which Cisco SD-WAN Solution Is Right for You?
Insight
Ā 
PPTX
Palo Alto Networks authentication
Alberto Rivai
Ā 
PDF
Rest web services
Paulo Gandra de Sousa
Ā 
PDF
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
IndicThreads
Ā 
PDF
Cloud On-Ramp Project Briefing
Robert McDermott
Ā 
PPTX
Introduction to Cloud Data Center and Network Issues
Jason TC HOU (ä¾Æå®—ęˆ)
Ā 
PDF
Presentation citrix cloud platform for infrastructure as a service
xKinAnx
Ā 
PDF
SDWAN.pdf
sushil kumar
Ā 
PPTX
Pros & Cons of Microservices Architecture
Ashwini Kuntamukkala
Ā 
PDF
Prometheus Multi Tenancy
Natan Yellin
Ā 
PDF
Software-Defined WAN: A Real World Success Story
Cisco Enterprise Networks
Ā 
PDF
How the Internet of Things and People can help improve our health, well-being...
Maged N. Kamel Boulos
Ā 
PDF
Aruba OS 7.3 User Guide
Aruba, a Hewlett Packard Enterprise company
Ā 
PPTX
Virtual Infrastructure Overview
valerian_ceaus
Ā 
Byod and guest access workshop enabling byod carlos gomez gallego_network ser...
Aruba, a Hewlett Packard Enterprise company
Ā 
Aruba Networks - Overview ClearPass
Paulo Eduardo Sibalde
Ā 
SSO Strategy Implementation Considerations
John Bauer
Ā 
Business Case Of Desktop Virtualization
Md Yousup Faruqu
Ā 
Cloud Computing and Service oriented Architecture (SOA)
Ravindra Dastikop
Ā 
Transform your enterprise branch with secure sd-wan
DATA SECURITY SOLUTIONS
Ā 
Meraki vs. Viptela: Which Cisco SD-WAN Solution Is Right for You?
Insight
Ā 
Palo Alto Networks authentication
Alberto Rivai
Ā 
Rest web services
Paulo Gandra de Sousa
Ā 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
IndicThreads
Ā 
Cloud On-Ramp Project Briefing
Robert McDermott
Ā 
Introduction to Cloud Data Center and Network Issues
Jason TC HOU (ä¾Æå®—ęˆ)
Ā 
Presentation citrix cloud platform for infrastructure as a service
xKinAnx
Ā 
SDWAN.pdf
sushil kumar
Ā 
Pros & Cons of Microservices Architecture
Ashwini Kuntamukkala
Ā 
Prometheus Multi Tenancy
Natan Yellin
Ā 
Software-Defined WAN: A Real World Success Story
Cisco Enterprise Networks
Ā 
How the Internet of Things and People can help improve our health, well-being...
Maged N. Kamel Boulos
Ā 
Virtual Infrastructure Overview
valerian_ceaus
Ā 
Ad

Viewers also liked (20)

PPTX
Agile in Action - Act 2: Development
Spiffy
Ā 
PDF
Active Directory Upgrade
Spiffy
Ā 
PPT
Active Directory
Sandeep Kapadane
Ā 
PDF
6425 c 01
tanvutha
Ā 
PDF
Windows Server 2012 R2 Hyper V Component Architecture
Rian Yulian
Ā 
PPTX
Microsoft Windows Network Auditing and Reporting Solution
Vyapin Software Systems Private Limited
Ā 
PPTX
Active Directory Auditing and Reporting Tool
Vyapin Software Systems Private Limited
Ā 
PPTX
Dhcp
Chinmoy Jena
Ā 
DOCX
What is active directory
Girish Vadera Girish
Ā 
PPT
70 640 Lesson03 Ppt 041009
Coffeyville Community College
Ā 
PPTX
CTU June 2011 - Guided Hands on Lab on GPO - GPP
Spiffy
Ā 
PPT
70 640 Lesson04 Ppt 041009
Coffeyville Community College
Ā 
PPTX
Microsoft Offical Course 20410C_00
gameaxt
Ā 
PPT
70 640 Lesson07 Ppt 041009
Coffeyville Community College
Ā 
PPT
70 640 Lesson05 Ppt 041009
Coffeyville Community College
Ā 
PDF
Windows server 2012 r2 active directory建置實務
Sergio Io
Ā 
PPT
70 640 Lesson02 Ppt 041009
Coffeyville Community College
Ā 
PPTX
What's new in Windows Server 2012 R2
Christopher Keyaert
Ā 
PPTX
Microsoft Offical Course 20410C_01
gameaxt
Ā 
PPTX
Best MCSA - SQL SERVER 2012 Training Institute in Delhi
Information Technology
Ā 
Agile in Action - Act 2: Development
Spiffy
Ā 
Active Directory Upgrade
Spiffy
Ā 
Active Directory
Sandeep Kapadane
Ā 
6425 c 01
tanvutha
Ā 
Windows Server 2012 R2 Hyper V Component Architecture
Rian Yulian
Ā 
Microsoft Windows Network Auditing and Reporting Solution
Vyapin Software Systems Private Limited
Ā 
Active Directory Auditing and Reporting Tool
Vyapin Software Systems Private Limited
Ā 
Dhcp
Chinmoy Jena
Ā 
What is active directory
Girish Vadera Girish
Ā 
70 640 Lesson03 Ppt 041009
Coffeyville Community College
Ā 
CTU June 2011 - Guided Hands on Lab on GPO - GPP
Spiffy
Ā 
70 640 Lesson04 Ppt 041009
Coffeyville Community College
Ā 
Microsoft Offical Course 20410C_00
gameaxt
Ā 
70 640 Lesson07 Ppt 041009
Coffeyville Community College
Ā 
70 640 Lesson05 Ppt 041009
Coffeyville Community College
Ā 
Windows server 2012 r2 active directory建置實務
Sergio Io
Ā 
70 640 Lesson02 Ppt 041009
Coffeyville Community College
Ā 
What's new in Windows Server 2012 R2
Christopher Keyaert
Ā 
Microsoft Offical Course 20410C_01
gameaxt
Ā 
Best MCSA - SQL SERVER 2012 Training Institute in Delhi
Information Technology
Ā 
Ad

Similar to Checking the health of your active directory enviornment (20)

PPTX
Virtualization Map Tech Ed2009
rsnarayanan
Ā 
PDF
SURFnetRelatiedagen Microsoft Online Strategie 15 5 2008 V1.0
Peter de Haas
Ā 
PDF
Seguridad en SQL Azure Windows azure
Eduardo Castro
Ā 
PPTX
The Project Network - Service Offering
tpnuk
Ā 
PDF
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
David Castro
Ā 
PDF
Dev ops intro
Lilian Schaffer
Ā 
PPTX
Pronet for slideshare
PRONET
Ā 
PDF
Richard Diver - Visual Resume
Richard Diver
Ā 
PDF
Novell Virtual Desktop Infrastructure
Novell
Ā 
PPTX
Cloud os and management overview of windows server 2012 and system center 2...
ā˜ļøCarl Nakamura [MSFT]ā˜ļø
Ā 
PPTX
Net@Work Client Presentation with Security
Ray Glass
Ā 
PPTX
Razor Technology Holistic Virtualization
Razor Technology
Ā 
PDF
12.08.09 Event Mike Perdue Presentation
mcini
Ā 
PDF
Shared Services in Health IT (based on SOA principles)
paneja
Ā 
PDF
BOI 2011 - Be what's next
Tudor Damian
Ā 
PDF
System Center And Sql Server
Eduardo Castro
Ā 
PPTX
How Microsoft Technologies And Windows Vista Improve Supporting
Microsoft TechNet
Ā 
PPTX
What's new in windows server 2012 and system center 2012 sp1 for hosting and ...
ā˜ļøCarl Nakamura [MSFT]ā˜ļø
Ā 
PPTX
Preso
danebalia
Ā 
Virtualization Map Tech Ed2009
rsnarayanan
Ā 
SURFnetRelatiedagen Microsoft Online Strategie 15 5 2008 V1.0
Peter de Haas
Ā 
Seguridad en SQL Azure Windows azure
Eduardo Castro
Ā 
The Project Network - Service Offering
tpnuk
Ā 
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
David Castro
Ā 
Dev ops intro
Lilian Schaffer
Ā 
Pronet for slideshare
PRONET
Ā 
Richard Diver - Visual Resume
Richard Diver
Ā 
Novell Virtual Desktop Infrastructure
Novell
Ā 
Cloud os and management overview of windows server 2012 and system center 2...
ā˜ļøCarl Nakamura [MSFT]ā˜ļø
Ā 
Net@Work Client Presentation with Security
Ray Glass
Ā 
Razor Technology Holistic Virtualization
Razor Technology
Ā 
12.08.09 Event Mike Perdue Presentation
mcini
Ā 
Shared Services in Health IT (based on SOA principles)
paneja
Ā 
BOI 2011 - Be what's next
Tudor Damian
Ā 
System Center And Sql Server
Eduardo Castro
Ā 
How Microsoft Technologies And Windows Vista Improve Supporting
Microsoft TechNet
Ā 
What's new in windows server 2012 and system center 2012 sp1 for hosting and ...
ā˜ļøCarl Nakamura [MSFT]ā˜ļø
Ā 
Preso
danebalia
Ā 

More from Spiffy (20)

PDF
01 server manager spiffy
Spiffy
Ā 
PDF
Agile in Action - Act 3: Testing
Spiffy
Ā 
PPTX
Agile in Action - Keynote: Becoming and Being Agile - What Does This Mean?
Spiffy
Ā 
PPTX
Agile in Action - Act 1 (Set Up, Planning, Requirements and Architecture)
Spiffy
Ā 
PDF
MS TechDays 2011 - WCF Web APis There's a URI for That
Spiffy
Ā 
PDF
MS TechDays 2011 - NUI, Gooey and Louie
Spiffy
Ā 
PDF
MS TechDays 2011 - Mango, Mango! Developing for Windows Phone 7
Spiffy
Ā 
PDF
MS TechDays 2011 - Generate Revenue on Azure
Spiffy
Ā 
PDF
MS TechDays 2011 - HTML 5 All the Awesome Bits
Spiffy
Ā 
PDF
MS TechDays 2011 - Cloud Computing with the Windows Azure Platform
Spiffy
Ā 
PDF
MS TechDays 2011 - Simplified Converged Infrastructure Solutions
Spiffy
Ā 
PDF
MS TechDays 2011 - SCDPM 2012 The New Feature of Data Protection
Spiffy
Ā 
PDF
MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment
Spiffy
Ā 
PDF
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
Spiffy
Ā 
PDF
MS TechDays 2011 - Cloud Management with System Center Application Controller
Spiffy
Ā 
PDF
MS TechDays 2011 - Virtualization Solutions to Optimize Performance
Spiffy
Ā 
PDF
MS TechDays 2011 - Automating Your Infrastructure System Center Orchestrator ...
Spiffy
Ā 
PDF
MS TechDays 2011 - Self-Service Private Cloud Management through Integrated P...
Spiffy
Ā 
PDF
MS TechDays 2011 - SCVMM 2012 Building of Private Clouds and Federation to th...
Spiffy
Ā 
PDF
MS TechDays 2011 - Operation Manager 2012 - New features to Enhance Enterpris...
Spiffy
Ā 
01 server manager spiffy
Spiffy
Ā 
Agile in Action - Act 3: Testing
Spiffy
Ā 
Agile in Action - Keynote: Becoming and Being Agile - What Does This Mean?
Spiffy
Ā 
Agile in Action - Act 1 (Set Up, Planning, Requirements and Architecture)
Spiffy
Ā 
MS TechDays 2011 - WCF Web APis There's a URI for That
Spiffy
Ā 
MS TechDays 2011 - NUI, Gooey and Louie
Spiffy
Ā 
MS TechDays 2011 - Mango, Mango! Developing for Windows Phone 7
Spiffy
Ā 
MS TechDays 2011 - Generate Revenue on Azure
Spiffy
Ā 
MS TechDays 2011 - HTML 5 All the Awesome Bits
Spiffy
Ā 
MS TechDays 2011 - Cloud Computing with the Windows Azure Platform
Spiffy
Ā 
MS TechDays 2011 - Simplified Converged Infrastructure Solutions
Spiffy
Ā 
MS TechDays 2011 - SCDPM 2012 The New Feature of Data Protection
Spiffy
Ā 
MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment
Spiffy
Ā 
MS TechDays 2011 - How to Run Middleware in the Cloud Story of Windows Azure ...
Spiffy
Ā 
MS TechDays 2011 - Cloud Management with System Center Application Controller
Spiffy
Ā 
MS TechDays 2011 - Virtualization Solutions to Optimize Performance
Spiffy
Ā 
MS TechDays 2011 - Automating Your Infrastructure System Center Orchestrator ...
Spiffy
Ā 
MS TechDays 2011 - Self-Service Private Cloud Management through Integrated P...
Spiffy
Ā 
MS TechDays 2011 - SCVMM 2012 Building of Private Clouds and Federation to th...
Spiffy
Ā 
MS TechDays 2011 - Operation Manager 2012 - New features to Enhance Enterpris...
Spiffy
Ā 

Recently uploaded (20)

PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
Ā 
PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
Ā 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
Ā 
PDF
Doc9.....................................
SofiaCollazos
Ā 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
Ā 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
Ā 
PDF
Software Development Methodologies in 2025
KodekX
Ā 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
Ā 
PDF
Structs to JSON: How Go Powers REST APIs
Checking the health of your Active Directory environment

  • 1. Checking the Health of your Active Directory Environment Stanley Lopez, Senior Premier Field Engineer February 24, 2012
  • 2. Overview of PFE. Premier Field Engineering (PFE) provides technical leadership for Microsoft’s Premier customers around the world to promote health in their IT environments through onsite, remote and dedicated support services. [Figure: world map of PFE regions (Canada, US, Latam, UK, WE, CEE, France, Germany, MEA, GCR, India, Japan, APAC) beside the service lifecycle: Envision, Project Planning, Build, Stabilize, Deploy, Operate]
  • 3. Microsoft Confidential. Driving Operations Excellence. [Figure: “Get Healthy” (Assess, Plan, Stabilize) and “Stay Healthy” (Educate, Prevent, Optimize) service phases for Active Directory, Exchange and Windows Server, listing ADRAP, Remediation, Troubleshooting & Disaster Recovery, Proactive Monitoring, Desired Configuration Management, Service Level Management, Service Catalog, Risk Assessment, Strategic Design Review, Workshop, Dedicated Support Engineer for Exchange & Windows Servers, Software Update Management, Health Check, Capacity Management, Messaging Roles & Knowledge Management, Monthly Hot Fix Program, Service Map, ADRAP Change and Configuration Management, Operations Management RAP, Ready for Business & Mission Critical Support]
  • 4. Is Your AD Healthy? Major Components of Active Directory Active Directory Replication SYSVOL Replication Name Resolution Domain Controller health Why DR is important for AD
  • 5. Microsoft Confidential Major Components of Active Directory Active Directory Replication SYSVOL Domain Controller Replication Health Name Resolution Disaster Recovery 5
  • 6. Microsoft Confidential Active Directory Replication Active Directory Replication SYSVOL Domain Controller Replication Health Name Resolution Disaster Recovery 6
  • 7. Active Directory Replication 101
    - Active Directory replication synchronizes changes between domain controllers in a multi-master environment and ensures that the data stored on all domain controllers is consistent.
    - Replication model and benefits: Multi-master – scalability, reliability and high availability. Store and forward – reduces communication over WAN links. Pull replication – request–pull; the request consists of the data already received. State-based and attribute-level replication – minimizes replication traffic.
  • 8. Directory Partition Replicas. [Diagram: the Active Directory database (NTDS.DIT) on a domain controller holds the forest-wide partitions (Schema, Configuration, Forest DNS Zone) and the domain-wide partitions (Domain, Domain DNS Zone); a Global Catalog additionally holds partial replicas of the other domains (Domain Y)] Replication occurs at the partition level. Note: a partition is sometimes called an NC (Naming Context).
  • 9. Replication Topology. [Diagram: three sites, Site A, Site B and Site C, each with its subnets and an ISTG; Site Link A-B (cost 100, interval 15) and Site Link A-C (cost 100, interval 180) join them through bridgehead servers, with a connection object in each site]
  • 10. Inter-site Replication Topology
    - Connections: a one-way, inbound route from one DC (the source) to another DC (the destination).
    - Site: defines a set of DCs that are well connected, in terms of speed and cost. A site contains one or more subnets. A site can contain more than one domain, and one domain can span more than one site. Within a site, the replication topology is generated by the KCC automatically.
    - Site Links: between sites, site links have to be established for the KCC (ISTG) to generate the topology across the sites. A site link carries the schedule that determines when replication can take place, as well as an assigned ‘cost’.
    - Site Link Bridge: when more than two sites are linked for replication and use the same transport, all of the site links are ‘bridged’. Site link bridges are ‘transitive’.
    - Bridgehead Server: the designated server that performs site-to-site replication for each directory partition. Bridgehead servers can be designated by the administrator or assigned automatically by the KCC.
    - Inter-Site Topology Generator (ISTG): within a site, the KCC runs on each DC to generate the topology for the site. Between sites, one DC is designated as the ISTG to generate the inter-site topology. The first DC in a site automatically becomes its ISTG. The ISTG need not be a bridgehead server.
  • 11. Things to note…
    - KCC vs. manually created connection objects: there is no automatic fail-over for manually created connection objects.
    - Directory partition connections: one for Schema and Configuration, one for the Domain.
    - Global Catalog replication: a connection is required for the ISTG to create the inter-site topology.
    - Bridgehead servers: Windows 2000 – one per domain per site; 2003 and above – more than one may be selected.
    - Subnet-to-site mapping: ensure that clients communicate with the ‘closest’ DC.
  • 12. Checking Replication Repadmin Active Directory Sites and Services Event viewer DCDiag Replmon Active Directory Topology Diagrammer (ADTD) 12
  • 13. AD Replication Best Practices
    - Verify forest-wide replication status at least once a week and prior to making major changes that rely on directory replication.
    - Monitor ISTGs and bridgehead servers more frequently.
    - DO NOT:
      - Fix a DC that has not been replicating for more than the TSL (tombstone lifetime).
      - Restore backups older than the TSL.
      - Decrease the TSL without a proper understanding of the impact, unless there is a strong justification for it.
      - Create manual connection objects unnecessarily.
      - Assign preferred bridgehead servers without both a compelling reason and a thorough understanding of the expected results.
      - Change default settings without a proper understanding of the implications.
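The weekly forest-wide check from slides 12–13, written here as an added example (not part of the deck): it parses `repadmin /showrepl * /csv`, reads the tombstone lifetime from the Configuration partition, and grades each inbound partner so that a DC silent for longer than the TSL is flagged for cleanup rather than a forced sync. Assumes the ActiveDirectory module (RSAT, 2008 R2+) and repadmin.exe on the PATH; the 24-hour warning threshold is a constructed default.

```powershell
# Added example, not from the deck: forest-wide replication status graded against the TSL.
# Assumes the ActiveDirectory module (RSAT, 2008 R2+) and repadmin.exe on the PATH.
Import-Module ActiveDirectory

# The tombstone lifetime lives on CN=Directory Service in the Configuration partition; when the
# attribute is unset (forests created before Windows Server 2003 SP1) AD uses the 60-day default.
function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

# 'repadmin /showrepl * /csv' lists every inbound partner of every DC with its last success and
# failure times; ConvertFrom-Csv turns that into objects we can grade. A partner whose last
# success is older than the TSL must not simply be forced to sync again (slide 13).
function Get-ReplicationIssues {
    param([int]$WarnHours = 24)   # constructed threshold; tune to the site-link schedules
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date
    repadmin /showrepl * /csv | ConvertFrom-Csv | ForEach-Object {
        $lastOk = $null
        $raw = $_.'Last Success Time'
        try { if ($raw -and $raw -notmatch 'never') { $lastOk = [datetime]$raw } } catch {}
        $ageDays = if ($lastOk) { ($now - $lastOk).TotalDays } else { [double]::PositiveInfinity }
        $failures = 0
        [void][int]::TryParse($_.'Number of Failures', [ref]$failures)
        # BEYOND-TSL calls for metadata cleanup of the stale source, not a forced replication
        $state = if ($ageDays -gt $tsl) { 'BEYOND-TSL' }
                 elseif ($failures -gt 0) { 'FAILING' }
                 elseif ($ageDays * 24 -gt $WarnHours) { 'STALE' }
                 else { 'OK' }
        [pscustomobject]@{
            Destination = $_.'Destination DSA'
            Source      = $_.'Source DSA'
            Partition   = $_.'Naming Context'
            LastSuccess = $lastOk
            Failures    = $failures
            LastStatus  = $_.'Last Failure Status'
            State       = $state
        }
    } | Where-Object { $_.State -ne 'OK' }
}

Get-ReplicationIssues | Sort-Object State, Destination | Format-Table -AutoSize
```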
  • 14. Microsoft Confidential SYSVOL Replication Active Directory Replication SYSVOL Domain Controller Replication Health Name Resolution Disaster Recovery 14
  • 15. SYSVOL Replication File Replication Services Distributed File Replication Services 15
  • 16. Checking SYSVOL replication
    - Verify that the dependent services are functioning: name resolution, AD replication.
    - Review FRS status: SONAR, event logs, FRSDiag.
    - Review DFSR status: DFS Replication has an in-box diagnostic report for the replication backlog, replication efficiency, and the number of files and folders in a given replication group. Dfsrdiag.exe is a command-line tool that can generate a backlog count or trigger a propagation test. Both show the state of replication.
  • 17. Common pitfalls for FRS
    - Replication/FRS failures undetected: journal wrap failures, FRS service not running.
    - Improper decommissioning of domain controllers.
    - SYSVOL partition running out of disk space.
    - Storing non-Group Policy files in SYSVOL.
    - Configuring inappropriate permissions on SYSVOL folders.
    - Manual copying/deleting of files.
    - Improper use of D2/D4.
    - Excessive replication: file system policy, anti-virus software, defragmenter.
    - Sharing violations: files held open by applications.
  • 18. FRS best practices
    - Proactively monitor AD and FRS replication.
    - Monitor the FRS event logs regularly for FRS errors, sharing violations and excessive replication.
    - Clean up the metadata of improperly decommissioned DCs.
    - Do not stop the FRS service for an extended period of time.
    - Never copy files that live in SYSVOL between DCs; always troubleshoot why files aren’t replicating.
    - Use D2 (non-authoritative) and D4 (authoritative) restores with care.
    - Do not configure file system policies on SYSVOL.
    - Do not scan or defrag SYSVOL.
    - Do not store non-Group Policy files in SYSVOL.
  • 19. DFSR Best Practices. DFS Replication is a multi-master replication engine, which means that changes can be made in all locations. Do not change the same document in two locations at the same time: the changes will not merge, and the conflict is resolved with last writer wins. Sharing violations (users open files and gain exclusive WRITE locks in order to modify their data) will prevent DFSR from replicating the modified file. Periodically those changes are written to NTFS by the application and the USN change journal is updated. DFSR monitors that journal and attempts to replicate the file, only to find that it cannot because the file is still open. An event is logged if DFSR repeatedly has trouble replicating open files: entries 4302 and 4304 appear in the DFS Replication event log. The option to adjust the replication schedule in DFSR Management is greyed out, because SYSVOL replication follows the same replication path and schedule as Active Directory. If the time window is open, DFSR replicates almost instantly; if replication is not possible because of the schedule, it starts when the window opens. This means that if AD replication is not permitted between 6:00 am and 10:00 am, DFS Replication will not replicate either; as soon as the schedule allows replication, the changed files are replicated.
  • 20. Microsoft Confidential Name Resolution Active Directory Replication SYSVOL Domain Controller Replication Health Name Resolution Disaster Recovery 20
  • 21. DNS 101. Domain Name System: provides the name resolution service. Used by clients & applications – for locating DCs as well as the ‘services’ provided by DCs; and by domain controllers – for Active Directory replication and File Replication Services.
  • 22. What needs to be in place for AD to function properly TCP/IP Configurations Domain Controllers must be configured with proper IP Address and pointing to valid DNS servers DNS Records Required records must be registered properly on DNS servers Servers must be functioning properly Forwarders/delegation/secondary, etc. must be configured properly and valid 22
  • 23. Records Registered by DCs
    - Host (A) record: the IP address of the domain controller. Registered by the DHCP Client service; registered by the DNS Client service on Windows 2008.
    - Service Resource Record (SRV) records: registered by the Netlogon service on the DC; used by clients/services to locate the various types of services provided by a domain controller.
    - GUID (CNAME) record: required for AD replication; registered only on the forest root DNS server.
  • 24. Checking your DNS
    - Verify TCP/IP configurations: IPConfig.
    - Verify DNS server functionality: NSLookup, DCDiag /test:DNS, the DNS server console, event logs.
    - Verify GUID and glue records: DNSLint.
    - Re-register records: cycle Netlogon; cycle the DHCP Client/DNS Client service, or run IPConfig /RegisterDNS.
    - Capture a network trace: Netmon.
  • 25. Common Pitfalls
    - Administrators not familiar with, or aware of, the name resolution design.
    - Invalid (stale) TCP/IP, forwarder, delegation, etc. settings.
    - DCs pointing to external (invalid) DNS servers.
    - Single-point-of-failure configurations.
    - DNS forwarder loops.
    - Zone transfers not secured.
    - Dynamic update not enabled.
    - DNS scavenging not enabled.
    - Multi-homed domain controllers.
  • 26. DNS Best Practices
    - Audit the DNS entries used by DC replication on a monthly basis.
    - Ensure that disconnected NICs are disabled.
    - Adopt a standardized configuration for domain controllers and DNS servers.
    - Allow zone transfers to specific servers only.
    - Allow only secure dynamic updates.
    - Configure DNS scavenging to remove stale records.
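The record checks from slides 23–24 and the monthly audit from slide 26 as an added example (not the deck’s own code): for every DC in the forest it resolves the A record, the `_ldap._tcp.dc._msdcs` SRV entry for the DC’s domain, and the objectGUID CNAME in the forest-root `_msdcs` zone, and compares each with what AD says about the DC. Assumes the ActiveDirectory and DnsClient modules (Windows Server 2012+ / RSAT) and a resolver that points at the domain’s DNS servers.

```powershell
# Added example, not from the deck: check the DNS records every DC must have registered.
# Assumes the ActiveDirectory and DnsClient modules (Windows Server 2012+ / RSAT) and that this
# machine resolves through the domain's DNS servers, as slide 22 requires of the DCs themselves.
Import-Module ActiveDirectory

# Per DC: an A record (slide 23), an _ldap._tcp.dc._msdcs SRV record in its own domain (registered
# by Netlogon), and a CNAME named after its NTDS Settings objectGUID in the forest-root _msdcs zone,
# which replication partners use to find it. Names are lower-cased and the trailing dot stripped.
function Test-DcDnsRecords {
    $forest = Get-ADForest
    $dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        $fqdn = $dc.HostName.ToLower().TrimEnd('.')
        $guid = (Get-ADObject $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
        $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($dc.Domain)" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') }
        $cname = Resolve-DnsName -Name "$guid._msdcs.$($forest.RootDomain)" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost.ToLower().TrimEnd('.') }
        [pscustomobject]@{
            DC        = $fqdn
            ARecord   = if ($a) { $a -join ',' } else { 'MISSING' }
            AMatches  = [bool]($a -contains $dc.IPv4Address)   # stale A record if false
            LdapSrv   = [bool]($srv -contains $fqdn)           # DC Locator cannot find it if false
            GuidCname = if ($cname) { $cname } else { 'MISSING' }
            CnameOk   = [bool]($cname -contains $fqdn)         # replication partners rely on this
        }
    }
}

Test-DcDnsRecords | Format-Table -AutoSize
```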
  • 27. Microsoft Confidential Major Components of Active Directory Active Directory Replication SYSVOL Domain Controller Replication Health Name Resolution Disaster Recovery 27
  • 28. Domain Controller Health
    - Service pack level.
    - When was the last time your DC was restarted?
    - Event logs: how often do you review the logs for errors or warnings?
    - Is time synchronization configured properly in the environment (W32tm)?
  • 29. Common Pitfalls
    - Potential failures not detected: a service failing, a DC experiencing a bottleneck, a system running low on disk space.
    - No proper management of event logs.
    - DCs running on an outdated service pack.
    - DCs not patched with security updates.
    - Time synchronization improperly configured.
  • 30. Best Practices
    - Run DCDiag on a weekly basis to verify the overall well-being of domain controllers.
    - Review event logs on domain controllers regularly to uncover problems at an early stage.
    - Perform base-lining and regular monitoring of domain controllers to uncover any potential resource bottleneck.
    - Configure only the forest root domain PDCe as an NTP-type time server.
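The weekly sweep from slides 28–30 as an added example (not the deck’s own code): per DC it runs dcdiag in quiet mode, reads the OS version and last boot time, and queries the W32time source, flagging any DC other than the forest-root PDCe that syncs from outside the domain hierarchy. Assumes the ActiveDirectory module, dcdiag.exe and w32tm.exe, and WinRM access to each DC for Get-CimInstance.

```powershell
# Added example, not from the deck: weekly DC health sweep (dcdiag, patch level, uptime, time source).
# Assumes the ActiveDirectory module, dcdiag.exe, w32tm.exe and WinRM access to each DC.
Import-Module ActiveDirectory

function Get-DcHealth {
    $forest  = Get-ADForest
    $pdce    = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator   # the only DC that should use NTP
    foreach ($dc in Get-ADDomainController -Filter *) {
        $name = $dc.HostName
        # dcdiag /q prints only failures, so empty output means every test passed
        $dcdiagOut = (dcdiag /s:$name /q 2>&1 | Out-String).Trim()
        # w32tm reports the peer the DC syncs from: another DC (domain hierarchy), an NTP server,
        # or 'Local CMOS Clock' / 'Free-running System Clock' when it is not synchronized at all
        $src = (w32tm /query /computer:$name /source 2>&1 | Out-String).Trim()
        $fromForestDc = [bool]($forest.Domains | Where-Object { $src -like "*.$_*" })
        $timeState = if ($src -match 'CMOS|Free-running') { 'UNSYNCED' }
                     elseif ($name -eq $pdce)             { 'EXTERNAL (expected for the forest-root PDCe)' }
                     elseif ($fromForestDc)               { 'DOMHIER' }
                     else                                 { 'EXTERNAL (only the forest-root PDCe should do this)' }
        $os = Get-CimInstance Win32_OperatingSystem -ComputerName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC          = $name
            IsPdce      = ($name -eq $pdce)
            DcdiagClean = [string]::IsNullOrEmpty($dcdiagOut)
            OS          = if ($os) { "$($os.Caption) $($os.CSDVersion)".Trim() } else { 'n/a (WinRM?)' }
            LastBoot    = if ($os) { $os.LastBootUpTime } else { $null }
            TimeSource  = $src
            TimeState   = $timeState
        }
    }
}

Get-DcHealth | Format-Table -AutoSize -Wrap
```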
  • 31. Microsoft Confidential Major Components of Active Directory Active Directory Replication SYSVOL Domain Controller Replication Health Name Resolution Disaster Recovery 31
  • 32. Disaster Recovery Loss of DCs Loss of data Re-introduction of lingering objects Loss of configuration partition data 32