In the face of rising network breaches and computer hacks, it comes as no surprise that one of the key concerns for today’s network administrators is how to make sure their networks are kept secure from attacks. And, one of the best options they have available to them is to use a domain controller to serve as a security guard that checks the authorization of users that want to get on the network.
Therefore, we will see how we can achieve this security by ensuring the health of a domain controller.
What is a domain controller?
A domain controller is a server that is used to handle the network and identity security of a domain.
Domains themselves are a hierarchical way of organizing users – and their connections to devices, databases, systems, and applications – that work together on the same network.
Although domain controllers are most commonly run on Windows Servers, there are non-Windows operating system versions for UNIX and Linux, for example, which can be created using identity management solutions like Samba and Red Hat FreeIPA.
But, for the sake of keeping it within scope, this article will only focus on Windows-based domain controllers running Microsoft Azure Active Directory or any of its earlier versions.
What do we mean by a health check?
A domain controller is a server that, in itself, is a high-powered computer with higher privileges on the network. This means that, like any other mission-critical server, administrators need to make sure everything is always running well on it.
Things that can be done include:
- Seeing that all components have been installed and are running in step with one another and with the other devices in the domain
- Making sure patches, updates, and version controls are monitored with the aim of “battening down all the hatches” and preventing attacks, breaches, and data leaks
- Checking that the expected performance targets are being met and that the system is delivering at optimum levels
- Sifting through logs to see if there are any alerts or suspicious activities being registered
Implementing strategies and taking action on these types of steps help administrators keep their servers healthy and their networks safe and productive.
What are the tests that need to be made during health checks?
Delving deeper, and going into the specifics of what needs to be done to make sure a domain controller, in particular, stays “healthy,” we find that administrators need to:
- Ensure all domain controllers are accounted for and can be located or accessed at any given time
- Make sure that domain controllers are in sync and that replication is uninterrupted
- Verify that all the dependency services are up and running
- Spot unsecured Lightweight Directory Access Protocol (LDAP) binds
- Track patch levels and validate anti-virus and malware solutions on domain controllers
- Check user passwords, policies, and role assignments to see if they are strong, implemented properly, and adhered to strictly or whether any breaches have occurred
Administrators can implement standard auditing and security monitoring or adopt it from companies like Microsoft.
But then, of course, the admins can also perform custom tests as per their company’s unique requirements or develop their own checklists to identify issues or monitor performances. Some of these issues to look out for include:
- Checking connectivity between domain controllers on the network
- Monitoring SYSVOL status and its ability to synchronize with other domain controllers, and monitoring replication status using Repadmin
- Checking to see if there is ample hard disk space on the domain controller
- Keeping an eye on the event log to catch any irregularities
- Updating and monitoring anti-viruses, anti-malware, and security of the domain controller
- Planning backups by scheduling, securing, testing, and tracking them regularly
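The checklist above can be turned into a repeatable sweep. The following script is an added example, not part of the article or any vendor's product; it assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1, and an account that can query each domain controller over WinRM and CIM. The service list and the thresholds are illustrative and should be adjusted to your environment.

```powershell
# Added example: baseline health sweep of every DC in the domain (services, inbound
# replication, free space on the ntds.dit volume). Thresholds below are illustrative.
Import-Module ActiveDirectory

$requiredServices = 'NTDS','DNS','Kdc','Netlogon','W32Time','DFSR'  # DFSR replicates SYSVOL
$minFreePercent   = 15   # illustrative threshold
$maxReplAgeHours  = 3    # illustrative threshold

foreach ($dc in Get-ADDomainController -Filter *) {
    $h = $dc.HostName
    $issues = @()

    # 1. Dependency services: anything missing or not Running is a finding
    $nameFilter = ($requiredServices | ForEach-Object { "Name='$_'" }) -join ' OR '
    $svc = Get-CimInstance Win32_Service -ComputerName $h -Filter $nameFilter
    foreach ($s in $svc) { if ($s.State -ne 'Running') { $issues += "service $($s.Name) is $($s.State)" } }
    foreach ($m in ($requiredServices | Where-Object { $_ -notin $svc.Name })) { $issues += "service $m not installed" }

    # 2. Inbound replication: stale last success or a non-zero last result per partner/partition
    foreach ($p in Get-ADReplicationPartnerMetadata -Target $h -PartnerType Inbound) {
        $age = (Get-Date) - $p.LastReplicationSuccess
        if ($p.LastReplicationResult -ne 0 -or $age.TotalHours -gt $maxReplAgeHours) {
            $issues += "replication of $($p.Partition) from $($p.Partner): result $($p.LastReplicationResult), last success $($p.LastReplicationSuccess)"
        }
    }
    $fail = Get-ADReplicationFailure -Target $h
    if ($fail) { $issues += "$(($fail | Measure-Object FailureCount -Sum).Sum) accumulated replication failures" }

    # 3. Disk: free space on the volume that holds ntds.dit (path read from the DC's registry)
    $ditPath = Invoke-Command -ComputerName $h -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    }
    $drive = $ditPath.Substring(0, 2)
    $vol   = Get-CimInstance Win32_LogicalDisk -ComputerName $h -Filter "DeviceID='$drive'"
    $free  = [math]::Round(100 * $vol.FreeSpace / $vol.Size, 1)
    if ($free -lt $minFreePercent) { $issues += "only $free% free on $drive, which holds $ditPath" }

    [pscustomobject]@{
        DC = $h; Site = $dc.Site; GlobalCatalog = $dc.IsGlobalCatalog
        Healthy = ($issues.Count -eq 0); Issues = ($issues -join '; ')
    }
}
```

Run it from a scheduled task and pipe the objects to Export-Csv to keep a history of which DCs drifted and when.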
Although we have just taken a few sample examples of what needs to be done to keep a domain controller healthy, it is quite easy to see that this is indeed a huge and complicated task.
But, don’t worry. You don’t need to do it on your own; we will next have a look at the tools that can help you maintain the health of your domain controllers.
What tools do we use for domain controller health checks?
Moving right on, here are some great tools to use when monitoring the health of your domain controller:
Server & Application Monitor (SAM) is an enterprise-grade server administration software solution created by SolarWinds – one of the leading companies in the server management market.
Among the tools and features SAM has to offer, the most important one here would be the aptly named Domain Controller Monitoring – Health Check & Status Tool.
Here are some of its features:
- It keeps track of replication to see if there are any failures on the domain controller, its links, or any network issues that could result in slower replication; it also monitors key metrics, statuses, update rates, and syncs to catch any anomalies
- It monitors for user authentication issues – admins can see details of user accounts, their activities, and any domain-related interactions, once the user is connected
- It continuously monitors user account activity on the domain controller – creation, modification, disabling, lock-out, and deletion – as well as password changes, resets, and errors
- Admins can manage directory service files and see the availability of Windows NT Directory Services (NTDS) files to ensure they do not run out of disk space, affecting domain controllers
- The tool has automatic application discovery and server monitoring; in fact, admins can even monitor the performance and availability of cloud services like Microsoft Azure and Amazon AWS
As we can see, this tool makes it easy to keep track of domain controller performance. But, what makes it even more suitable for administrators are the thousands of built-in monitoring templates – both out-of-the-box and community templates – that guide administrators toward implementing industry best practices.
Download a fully functional 30-day free trial.
Dcdiag is a Microsoft Windows command-line tool that is used to monitor domain controllers in a forest or enterprise. It works just as well with the analysis of a single domain controller as it does with a number of them in a forest.
The tool is native to Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, and Windows 8 operating systems.
For a tiny tool, DCDiag does pack a powerful punch. It has dozens of different tests – and some tests even have sub-tests.
Running “dcdiag /?” gives us a list of all the arguments and parameters the tool uses. But, here are a few details on what it can be used to test for with the help of these arguments and parameters:
- Connectivity – to verify DNS registration, and LDAP and RPC connections, for each domain controller
- Advertising – to track the domain controller and see if it is reporting correctly
- CheckSDRefDom – to check that each application directory partition has the correct security descriptor reference domain
- CrossRefValidation – check the validity of domain cross-references
- FRSEvent – to check for file replication service errors
- FSMOCheck – to check the connectivity between a domain controller and the KDC, PDC, and global catalog servers
- MachineAccount – to check the registration status of the machine account
- NetLogons – to check that the logon privileges needed for replication to proceed are in place
- Replications – to check domain controller replication status and errors (if any)
- RidManager – to check whether the RID manager is accessible
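Dcdiag reports each test as a line of plain text, which is awkward to alert on. The script below is an added example (not from the article or from Microsoft) that runs a chosen subset of the tests listed above against every domain controller and turns the "passed test"/"failed test" lines into objects; it assumes the ActiveDirectory module is loaded and dcdiag.exe is on the path (AD DS role or RSAT installed).

```powershell
# Added example: run selected dcdiag tests per DC and parse the result lines into objects.
Import-Module ActiveDirectory

$tests = 'Advertising','FSMOCheck','MachineAccount','NetLogons','Replications','RidManager'

function Invoke-DcDiagChecks {
    param([string[]]$DomainControllers, [string[]]$Tests)
    foreach ($dc in $DomainControllers) {
        # Each /test: argument may be repeated; Connectivity always runs first
        $argList = @("/s:$dc") + ($Tests | ForEach-Object { "/test:$_" })
        $out = & dcdiag.exe @argList 2>&1
        foreach ($line in $out) {
            # dcdiag prints e.g. "......................... DC01 passed test Advertising"
            if ($line -match '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed) test (?<test>\w+)') {
                [pscustomobject]@{
                    DC     = $dc
                    Target = $Matches.target   # server name, or domain/site for enterprise-level tests
                    Test   = $Matches.test
                    Passed = ($Matches.result -eq 'passed')
                }
            }
        }
    }
}

$dcs     = (Get-ADDomainController -Filter *).HostName
$results = Invoke-DcDiagChecks -DomainControllers $dcs -Tests $tests
$failed  = $results | Where-Object { -not $_.Passed }
$failed | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent raise an alert
if ($failed) { exit 1 } else { exit 0 }
```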
Dcdiag is included with the Active Directory Domain Services (AD DS) role, Active Directory Lightweight Directory Services (AD LDS), or Remote Server Administration Tools (RSAT) tools. If not, it can be found by simply typing “download dcdiag.exe” into a favorite search engine.
ManageEngine is another major player in the server management market. It shouldn’t, therefore, come as a surprise that they offer a couple of free tools packed into their ManageEngine ADManager Plus that can help administrators monitor their domain controllers.
The first of these tools is the Active Directory Domain Controller Monitoring Tool. Some of its features include:
- Auto-discovery of domain controllers
- Detailed reporting on the domain controllers on parameters like CPU, disk, and memory utilization
- Run-time information like page reads per second, page writes per second, file reads, and file writes can also be extracted for even more detailed monitoring
The second free tool is their Active Directory Replication Manager. This tool focuses on the replication of data between any two (or more) domain controllers in an entire forest and lets an administrator force a sync manually, should it be required.
The tool can then be used to get details like replication times and schedules.
With Best Practice Analyzer (BPA) we have a server management tool that, after being installed on a domain controller – which could be running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 operating systems – starts monitoring for, and reports back on, any best-practice violations.
It is designed to check if servers are configured in accordance with Microsoft’s recommended best practices.
The tool analyzes common issues that administrators typically run into and when they are encountered it reports on: the type of issue detected, its category, the level of severity, and the server that is causing it.
Admins can then simply select one of these reported issues and find out more information about the issue itself as well as the remedies that are available to fix it. It can also discover other Active Directory instances and other servers and then go on to detect and resolve issues on them too.
All this data access and investigation can be done directly from a dashboard.
Finally, Best Practice Analyzer has remote access, and control, features and even works with Hyper-V which allows admins to keep an eye on their virtual servers too.
Download Best Practice Analyzer for free.
Any administrator will have heard of this reporting tool: Event Viewer. It is a Windows-native error and security breach reporting tool that is often underestimated or even completely ignored.
But, once enabled, Event Viewer becomes an insightful tool that can give in-depth insight into the health of any server – not just domain controllers.
Administrators can set up scripts and aggregate alerts depending on the events or issues that triggered them. They can even adjust warnings; for example, they can extract “Critical Events” from available logs. Alternatively, they can decide on, or designate, the people that will receive the alerts.
Advanced actions can also be taken; for example, the admin can attach a response to the event which starts a program – in case the event was triggered by an application that had failed to start. Similarly, they can start to run batch programs that restart services that have stopped or crashed.
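One security-relevant use of the event log on a domain controller is spotting the unsecured LDAP binds mentioned in the health-check list earlier. The script below is an added example, not from the article: it reads event 2889 from the Directory Service log, which records each simple bind over cleartext or SASL bind without signing, and groups the results by client and identity so that a noisy legacy application or service account shows up as a single row to remediate. It assumes an English-language DC, rights to read that log, and that the "16 LDAP Interface Events" diagnostic has been raised to 2 (by default only the daily summary event 2887 is written).

```powershell
# Added example: summarise unsigned/cleartext LDAP binds (event 2889) by client and identity.
# Per-bind logging must be enabled first, e.g. on the DC:
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#                    -Name '16 LDAP Interface Events' -Value 2
param([string]$Server = $env:COMPUTERNAME, [int]$Hours = 24)

$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
# No matching events is an error for Get-WinEvent; treat it as an empty result
$events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue

$binds = foreach ($e in $events) {
    # Message body carries "Client IP address: <ip>:<port>" and
    # "Identity the client attempted to authenticate as: <user>"; pull both out
    $ip = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' } else { 'unknown' }
    $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    [pscustomobject]@{ Time = $e.TimeCreated; ClientIP = $ip; Identity = $id }
}

# One row per (client, identity) pair, busiest first, with the most recent occurrence
$binds | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } },
                  @{ n = 'Identity'; e = { $_.Group[0].Identity } },
                  @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Once the list is empty for a sustained period, the domain can safely move to requiring LDAP signing and channel binding.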
This is another Windows tool that analyzes the replication status – and errors – for domain controllers in an Active Directory domain or forest.
Active Directory Replication Status Tool (ADREPLSTATUS) helps administrators resolve replication errors by linking them to Active Directory replication troubleshooting content on Microsoft TechNet.
It even allows replication data to be exported – in CSV format – so it can then be imported into spreadsheets like MS Excel for offline analysis. Admins can also play around with various scenarios to test effects and results.
The tool works on most server versions of Windows: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows 7, Windows 8.1, and Windows 10.
Download the Active Directory Replication Status Tool here.
Quest’s Active Administrator for Active Directory Health helps admins discover the flow of data from the network through a domain controller using visual flow charts, graphs, and icons. The dashboard has a futuristic-looking design that presents all the data in an easily comprehensible format.
But, it’s not just about its looks; here are some useful features:
- The tool’s Network Operations Center (NOC) serves as the central point for viewing and monitoring domain controllers as well as other assets, sites, and domains in the forest
- Administrators can enjoy flexibility when it comes to viewing the data coming from their networks as they can summarize the information and alerts for better understanding and response
- In fact, the information displayed can even be customized for each user profile according to their role
- The detailed information can be then used to isolate and fix problems on domain controllers – regarding their replication statuses, for example – and stored for historical reference purposes
- The tool has over 100 Active Directory health check tools for any issues that may concern domain controllers
Monitor the health of your domain controller
Any administrator that is armed with a selection of the tools we have just seen will be able to make sure they have a healthy domain controller.
We would like to hear which ones you would prefer and what you already use to monitor your domain controller’s health. Perhaps, there is a tool that you think we should have mentioned; let us know – leave us a comment below.