Active Directory Maintenance Checklist

With so many moving parts in AD, it is important to know how to monitor, report on, diagnose, and fix issues in the different supporting technologies. Identifying bottlenecks and resolving them before they cause much harm improves productivity, resource usage, and the consistency of data and services, and reduces the number of help desk tickets.

The key aspects that help support and maintain AD include the following:

  • DNS
    • Checking zones and removing obsolete zones
      Stale zones and resource records must be cleaned up and removed to prevent them from accumulating in zone data and to improve responsiveness.
    • Checking name servers and removing WINS dependencies
      Active Directory is DNS intensive, and WINS dependencies can be removed.
    • Checking DNS for dormant static records and configuring DNS scavenging
      DNS scavenging removes stale and orphaned DNS records from the database.
    • Clearing DNS cache
      Clearing all entries from the DNS forwarding cache helps the server pick up new DNS information.
    • Updating root hints
      Root hints let servers that are authoritative for non-root zones discover other authoritative servers that exist in other subtrees or at higher levels.
    • Allowing only secure dynamic updates for all DNS zones
      This ensures that only authenticated users can submit DNS updates, using a secure method that prevents IP addresses from being hijacked.
    • Securing DNS Server
      This secures access control of the DNS Server service.
  • AD Replication
    • Checking if replication is working properly and within acceptable limits
      Replication is critical to the availability and consistency of data across domain controllers. If replication fails between DCs, several aspects of AD become unavailable.
    • Verifying if all DCs are communicating with the central monitoring console and examining all replication alerts on DCs
      Examining and resolving alerts regularly can avoid service outages to some extent. A communication failure between the DC and the monitoring infrastructure creates problems in receiving these alerts.
    • Verifying that all DCs are running with the same service pack and hot fix patches
      If DCs run with different versions of software, it may cause problems.
    • Reviewing trust relationships in the forest and removing broken trusts
      Communication and authentication between domains or forests require trusts. Any broken or stale trust relationship between domains should be removed.
  • AD Backups
    • Capturing system state information related to the AD database, logs, registry, boot files, SYSVOL and other system files
      Regular backups help in restoring the most recent information in AD.
  • DHCP
    • Checking logs and monitoring real-time data
      Checking logs identifies critical DHCP related events. It is recommended to implement a proactive monitoring solution for real-time data.
  • Others
    • Checking event logs
      Event logs help in identifying whether anyone has performed a sensitive administrative task. It is important to keep the log data secure and safe from tampering so that forensic log analysis is accurate.
    • Managing privileged accounts
      Managing users and groups that possess administrative privileges is necessary to prevent security breaches. Tracking changes made to privileged accounts helps detect malicious activity.
    • Checking for inactive user accounts
      Having unused or inactive user accounts in AD is a security concern, as attacks against them, or attacks that use them, may go unnoticed. It is best to remove such accounts.
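
The last two checks (managing privileged accounts and checking for inactive user accounts) can be combined into one report. The script below is an added example, not part of the original checklist: it lists enabled user accounts that have been inactive for a given period and marks those that are members of privileged groups. The 90-day threshold, the group list and the report path are assumptions to adjust; the script only reports and changes nothing in AD.

```powershell
# Added example (not from the original page). Needs the ActiveDirectory module (RSAT).
# Assumed values: the 90-day threshold, the group list and the report path.
Import-Module ActiveDirectory

$InactiveDays     = 90
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$ReportPath       = '.\inactive-accounts.csv'

# Map SID -> privileged groups. -Recursive expands nested groups to their user members.
$privileged = @{}
foreach ($group in $PrivilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            $sid = $member.SID.Value
            if (-not $privileged.ContainsKey($sid)) { $privileged[$sid] = @() }
            $privileged[$sid] += $group
        }
    } catch {
        # Forest-wide groups exist only in the forest root domain; report and continue.
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
    }
}

# LastLogonDate comes from the replicated lastLogonTimestamp attribute, which AD
# refreshes only periodically (it can lag by roughly two weeks by default), so keep
# the threshold well above that to avoid flagging accounts that are in use.
$inactive = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object { $_.Enabled }

$report = @(foreach ($account in $inactive) {
    $groups = $privileged[$account.SID.Value]
    [pscustomobject]@{
        SamAccountName    = $account.SamAccountName
        LastLogonDate     = $account.LastLogonDate
        NeverLoggedOn     = ($null -eq $account.LastLogonDate)
        IsPrivileged      = [bool]$groups
        PrivilegedGroups  = $groups -join ';'
        DistinguishedName = $account.DistinguishedName
    }
})

# Privileged accounts first: these are the ones to review before anything else.
$report = @($report | Sort-Object -Property @{ Expression = 'IsPrivileged'; Descending = $true }, SamAccountName)
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$report | Format-Table SamAccountName, LastLogonDate, NeverLoggedOn, IsPrivileged, PrivilegedGroups -AutoSize
```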


