During an AD DS migration or health checks, system engineers and auditors always need a checklist to keep up with what should be discovered.  This checklist is a working checklist, one that has been created here for peer review and peer additions.  This checklist should try and take into account all the high-level items one needs to look for during an AD DS discovery/audit.  This checklist is not meant to be a step-by-step guide but a high-level overview to keep track of what needs to be discovered.

For a checklist on Active Directory Domain Deployment check out:
https://social.technet.microsoft.com/wiki/contents/articles/40225.active-directory-domain-deployment-checklist.aspx

For a checklist on Active Directory Domain Migrations check out:
https://social.technet.microsoft.com/wiki/contents/articles/43908.active-directory-migration-checklist.aspx

  • Forest(s) Discovery
    • All child domains
    • All trust
    • Stale or broken trust
    • Forest Functional Level
    • Domains/Sites/DCs/GCs/Exchange/Other
    • Forest Features
    • Tombstone lifetime
    • SID filter info
  • Domain(s) Discovery
    • All trust
    • Stale or broken trust
    • Forest Functional Level
    • Domains/Sites/DC/GC/Exchange/Other
    • Forest Features
    • Tombstone lifetime
    • SID filter info
  • Logical Structure
    • Domain hierarchy
    • OU structure
      • Empty OUs
      • Have default ACLs been changed
    • Sites and Services
      • Summary
      • Site names
      • Physical Locations
      • DCs in each site
      • Subnets
      • Missing Subnets
      • Site connections
      • Site links
      • Replication Interval
      • GPOs applied to sites
      • Site mirroring between domains and other domains/forest
  • Domain Controller Configurations
    • IP addresses
    • Names
    • Disk space report
    • Server up time
    • Physical Locations
    • Journal Wrap (if FRS)
    • Is DFS used in the environment
    • Schema Extensions
    • Azure connections
  • Network and Infrastructure
    • DNS
      • AD integrated zones
        • Forest replicated zones
        • Domain replicated zones
      • Conditional forwarding
      • Domain level auditing
      • Pull DNS zone for prosperity
    • Networking
      • Physical site list
      • Subnets at each site
      • Site link speed and utilization level (how saturated is the link)
      • Network Topology
      • Firewall locations
      • VLAN restrictions
      • Router ACLs
    • DHCP
      • Authorized DHCP server discovery
      • AD requirements
      • High availability aspects
      • IPAM
    • Other Infrastructure Services
      • WINS server discovery
        • Is WINS active
        • Are there application or service requirements
      • Exchange server discovery
      • SCCM server discovery
      • WSUS
      • AD CS
      • AD FS
      • Other
    • Time services
    • Identity Management 
  • Directory Objects
    • Naming
      • Administrator accounts
      • Privileged administrator accounts
      • User accounts
      • Service accounts
      • Application accounts
      • Workstation single sign-on accounts
      • Groups
    • Attributes
      • Attribute usage
        • Administrator accounts
        • Privileged administrator accounts
        • User accounts
        • Service accounts
        • Application accounts
        • Workstation single sign-on accounts
        • Groups
        • Computer accounts
  • Security
    • Security Patch report
      • What is the patching process
      • What patches are missing
    • Vulnerability scan
    • RODC implementations
    • Is ATA implemented
    • Is LAPS implemented
    • Application control policies
    • RPC ephemeral ports
    • Firewalls
      • Perimeter firewalls
      • Hypervisor firewalls
      • Firewall policies
      • Physical security
    • Are authentication policies and authentication policy silos implemented
    • Anti-virus solution
    • Auditing
  • Applications in the environment
    • Team manager per App
    • Application owner per App
    • Tier or SLA (how critical is the app)
    • Special requirements
    • Down time procedures
    • Authentication method
      • Local
      • Active Directory
        • Services accounts
      • Other
  • Users
    • All
      • Detailed information
      • Initial count
      • Ongoing count for growth projections
    • Disabled
      • Count
    • Password no expire
      • Count
    • Token size report
    • Locked users
    • Dial-in enabled
    • Delegation
    • Password not required
    • Password must change
    • Services accounts (accounts running as a service on computers in domain)
  • Computers
    • Detailed report - plus the following
      • With OS attribute populated
      • Without OS attribute populated
      • Are cluster accounts documented
      • Information pulled from SCCM or scripts
        • Workstation OS version
        • Workstation patch level
        • Outlook version
        • Office version
        • Drive mappings not defined by GPO
    • Total computer objects
    • Disabled
    • Grouped by function
      • Workstations
        • Initial count
        • Ongoing count for growth projections
        • Stale
        • Disabled
      • Servers
        • Initial count
        • Ongoing count for growth projections
        • Stale
        • Disabled
  • Contacts
    • Count
    • Logical location
  • Groups
    • Initial count
    • Ongoing count for growth projections
    • Empty
    • Similar
    • Nested
    • Global groups
    • Global distribution groups
    • Domain local security
    • Domain local distribution
    • Admin built-in groups
      • Enterprise Admin
      • Schema Admins
      • Domain Admins
      • DNS Admins
      • Administrators
      • Account Operators
      • Cert Publishers
      • Backup Operators
      • Print Operators
      • Server Operators
        • Membership details
        • Membership counts
  • Group Policy
    • Backup all GPOs
    • Not linked
    • Empty
    • Disabled
    • No Settings
    • Passwords in Group Policy
    • Scripts/applications in GPOs
      • Bat files
      • Exe files
      • VBScripts
      • KixScripts
      • PowerShell scripts
      • Images in GPOs
    • Default Domain Policy - Standard or modified?
    • Default Domain Controllers - Standard or modified?
    • Who can join computers to the domain
  • Sysvol/Netlogon (What items are stored in Sysvol/Netlogon)
    • Bat files
    • Exe files
    • VBScripts
    • KixScripts
    • PowerShell scripts
    • Images
    • Shortcuts
    • RDP
    • REG
    • SCR
    • ICO
    • INI
    • DLL
    • MSI
    • TXT
    • Cer
web statistics