What Is an Active Directory Health Check?

Active Directory Domain Services (AD DS) is a critical part of most enterprise networks. If AD DS isn’t healthy and secure, your entire business will be at risk. Much like an annual trip to the doctor’s office for a check-up, a periodic health check on your Active Directory forest can detect potential configuration problems and security risks before they become an issue.

Configuration and Operational Risk

Enterprise networks have used AD DS for nearly twenty years. During this time, multiple administrators might have been responsible for all or part of a company’s directory. With this disparate administration comes inevitable discrepancies in configuration settings, best practices that have not been adopted, and other hidden surprises.
Ravenwood Technology Group’s automated AD DS health check process looks at hundreds of configuration settings, including DNS, FSMO roles, replication, sites and subnets, Group Policy, performance indicators, backup procedures, security settings, patching, operating system settings, and more. Through automated data collection, we can quickly gather all of this data to analyze it and make remediation recommendations.

Each finding includes a description of the problem and actionable steps to resolve the issue. One common problem we encounter is the misconfiguration of DNS scavenging. When scavenging is disabled or not configured correctly, stale DNS records can accumulate forever. The sample in the following image shows how the health check report identifies this problem.

Microsoft Directory Health Check

The health of your Active Directory forest isn’t all about its configuration, though. You might have a directory that is perfectly configured but is run haphazardly or as an afterthought. Although a clean configuration will undoubtedly result in a reliable directory with strong uptime, poor operational practices will come back to haunt you when they matter most. We look at operational practices such as backup and disaster recovery procedures, monitoring, service level objectives, lifecycle management, and change management.

Security Foundations

Today’s networks are constant targets for hackers. If a hacker can compromise your Active Directory forest, they can potentially gain access to virtually every system on the network and all the data associated with those systems. The fallout can be catastrophic. Fortunately, good practices can make it extremely difficult for an adversary to compromise your AD DS forest.

As part of the health check, we look at security settings and privileged access procedures that often provide avenues for hackers. Key components of this assessment include separation of administrative identities, two-factor authentication, tiering of privileged access, and protection of privileged user accounts in Active Directory.

Similar to the tactical analysis of AD DS configuration, each security finding is accompanied by actionable recommendations that can be used to resolve the problem and implement a best practices-based approach.

When Was Your Last Active Directory Health Check?

Ravenwood Technology Group can perform an Active Directory health check remotely or on-site in conjunction with your team. Whether you have a small forest with a few domain controllers or a complex global Active Directory installation, we can work with you to provide a comprehensive assessment of your directory’s health. Learn more about our Active Directory health check service or  contact us today to schedule your Active Directory health check.


6 Tips to Harden Your Windows LAPS Deployment

In a previous blog post, we covered how to migrate to Windows Local Administrator Password Solution (LAPS). With Windows LAPS deployments gaining traction, it’s important

Migrating to Windows LAPS

Windows Local Administrator Password Solution (LAPS), now integrated into the OS, is the replacement for Microsoft LAPS, which was a separate installation. Windows LAPS is

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.