With so many moving parts related to AD, it is important to know how to monitor, report, fix, and diagnose issues related to the different supporting technologies. Identifying bottlenecks and resolving them before they cause much harm improves productivity, efficient usage of resources, consistency of data and services, and reduces the number of help desk tickets.
The key aspects that help support and maintain AD include the following:
- DNS
  - Checking zones and removing obsolete zones
    The cleanup and removal of stale zones and resource records is required to prevent their accumulation in zone data and to improve responsiveness.
  - Checking name servers and removing WINS dependencies
    Active Directory is DNS intensive, and WINS dependencies can be removed.
  - Checking DNS for dormant static records and configuring DNS scavenging
    DNS scavenging removes stale and orphaned DNS records from the database.
  - Clearing DNS cache
    Clearing all entries from the DNS forwarding cache helps the server pick up new DNS information.
  - Updating root hints
    Root hints let a server that is authoritative only for non-root zones discover the authoritative servers of other subtrees or of higher levels in the namespace.
  - Allowing only secure dynamic updates for all DNS zones
    This ensures that only authenticated users can submit DNS updates, using a secure method that prevents IP addresses from being hijacked.
  - Securing DNS Server
    Restricting access control on the DNS Server service limits who can change its configuration and zone data.
- AD Replication
  - Checking if replication is working properly and within acceptable limits
    Replication is critical to the availability and consistency of data across domain controllers. If replication fails between DCs, several aspects of AD become unavailable.
  - Verifying if all DCs are communicating with the central monitoring console and examining all replication alerts on DCs
    Examining and resolving alerts regularly can avoid service outages to some extent. A communication failure between a DC and the monitoring infrastructure creates problems in receiving these alerts.
  - Verifying that all DCs are running with the same service pack and hot fix patches
    DCs running different software versions can behave inconsistently and cause compatibility problems.
  - Reviewing trust relationships in the forest and removing broken trusts
    Communication and authentication between domains or forests require trusts. Any broken or stale trust relationship between domains should be removed.
- AD Backups
  - Capturing system state information related to the AD database, logs, registry, boot files, SYSVOL and other system files
    Regular backups help in restoring the most recent information in AD.
- DHCP
  - Checking logs and monitoring real-time data
    Checking logs identifies critical DHCP-related events. It is recommended to implement a proactive monitoring solution for real-time data.
- Others
  - Checking event logs
    Event logs help in identifying whether anyone has performed a sensitive administrative task. It is important to keep the log data secure and safe from tampering so that accurate log forensic analysis can be performed.
  - Managing privileged accounts
    Managing users and groups that possess administrative privileges is necessary to prevent security breaches. Tracking changes made to privileged accounts helps detect malicious activity.
  - Checking for inactive user accounts
    Having unused or inactive user accounts in AD is a security concern, as attacks on or using them may go unnoticed. It is best to remove such accounts.
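As an added example (not code from the page), the following PowerShell audit checks the DNS items above on one server: that primary zones allow only secure dynamic updates, that aging is enabled so scavenging can act, and which static records scavenging will never remove. `$DnsServer` and the `-Fix` switch are assumed parameters; the cmdlets are the standard DnsServer module ones.

```powershell
# Audit AD DNS zones for secure-only dynamic updates, aging/scavenging and static records.
# Added example; requires the DnsServer module (DNS Server role or RSAT) and rights on the server.
# $DnsServer and -Fix are assumed parameters; -Fix applies the secure-update setting to DS zones.
param(
    [string]$DnsServer = 'localhost',
    [switch]$Fix
)
Import-Module DnsServer -ErrorAction Stop

$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }

$findings = foreach ($zone in $zones) {
    # 1. Only secure (Kerberos-authenticated) dynamic updates should be allowed on AD-integrated zones.
    $updatesOk = ($zone.DynamicUpdate -eq 'Secure')
    if (-not $updatesOk -and $Fix -and $zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $zone.ZoneName -DynamicUpdate Secure
        $updatesOk = $true
    }

    # 2. Aging must be on per zone, or scavenging never removes stale dynamic records.
    $aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $zone.ZoneName -ErrorAction SilentlyContinue

    # 3. Static records carry no timestamp and are never scavenged; list them for manual review.
    $static = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object { $_.RecordType -in 'A', 'AAAA', 'CNAME' -and -not $_.Timestamp })

    [pscustomobject]@{
        Zone             = $zone.ZoneName
        DsIntegrated     = $zone.IsDsIntegrated
        SecureUpdateOnly = $updatesOk
        AgingEnabled     = [bool]$aging.AgingEnabled
        StaticRecords    = $static.Count
        StaticSample     = ($static.HostName | Select-Object -First 10) -join ','
    }
}

# Server-wide scavenging must also be enabled; per-zone aging alone removes nothing.
$scav = Get-DnsServerScavenging -ComputerName $DnsServer
"Server scavenging enabled: $($scav.ScavengingState) (interval $($scav.ScavengingInterval))"

# Zones failing either check sort first.
$findings | Sort-Object SecureUpdateOnly, AgingEnabled | Format-Table -AutoSize
```

Run it read-only first; a non-empty StaticRecords count is not itself a fault, but each such record should have an owner, since it will survive scavenging indefinitely.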