The article below has a collection of reliable and updated guideline / Checklist to perform an Active Directory Health Check !

This as a "living" article, so please feel free to update, extend this article !

Your own risk

Neither Microsoft, nor the authors do not provide any guarantee.

Although i have been working with the following cmdlets and scripts in this checklist, please use with caution and at your own risk!

1. Clean-Up Domain groups

Clean-Up the following domain groups by removing orphaned Accounts or Accounts that do not need the permission anymore.

  1. Domain-Admins
  2.  Entreprise-Admins (in german "Organisations-Admins")
  3.  Schema-Admins
  4. all further Domain-Builtin-Administrator groups

If you have created custom security groups, it is required to clean them up as well.

2. Check existing Service Accounts

Speaking of User-Accounts you also need to check your Service Accounts. You can list them with the following cmdlet:

get-aduser -filter {ServicePrincipalName -like “*”} -Properties PasswordLastSet,LastLogonDate,TrustedForDelegation,ServicePrincipalName

In this case, you can also have a look at gmsa (so called 'group managed service accounts')

3. List all Service Principal Names (SPN) in your domain

4. Clean-Up SYSVOL-Share

Make sure the SYSVOL-Share does only contain data which is really needed. So far i have seen SYSVOL-Shares containing and replicating many of unnecessary and unneeded files, e.g. expired certifications, different kinds of zipped-files, multiple installer-files of the same application, etc.

5. Check SYSVOL-Replication Health-State

if you still run a domain controller on Windows Server 2012 R2, you should already use DFS-R for SYSVOL-Replication.

To check the Health Check you can use the dfs management Tool and run propagation test, propagation report and a general health report.

In Addition check the DFS Replication Log in the eventviewer on the domain-controllers!

If you still run older OS´ and use FRS for SYSVOL-replication, please check the FRS / File Replication Log in the eventviewer.

6. Check the Domain / Forest Functional Level

Most of todays technologies require an update of the domain / forest functional level. In this case you need to check your Functional Level.

7. Password Policy in Default Domain Policy / Domain Controllers Policy

8. OU-Permissions

Several Infrastructure use delegated Rights on OU´s. So in this case, make sure:

  1. delegated Rights on OU-Structure is still needed
  2. delegated Rights are provided only to User-Groups, not to single-users

9. Windows Security Baseline for Windows Server

To improve your OS´ security you can check the Microsoft recommended Windows Security Baseline for WIndows Server Systems and enable features that do fit your configuration!

10. Active Directory Recycle bin

Check if the Recycle bin is enabled - it is recommended to use it with Office365.

11. Kerberos Maxtokensize

Here is a link to a PS Gallery Link for a Script to check the Maxtoken Size of an user:

Here is an article for troubleshooting authentication issues when the maxtokensize is too high:

12. Active Directory: Sites and Services

Check the following:

  1. Are there any deprecated sites which can be deleted ?
  2. Are there any deprecated subnets or sitelinks which can be deleted ?
  3. Is the topology not update, e.g. missing sites, missing subnets, etc. ?
  4. If possible take a short look into the NTDS settings and check which kind of replication connections are available:

The "Auto-Created" ones are ok but often, especially in troubleshooting cases people manually add or create
ntds-replication connections to workaround the error.

13. Active Directory: Trust

  1. Check if there any Domain Trusts configured

14. DNS

  1. Check each DNS Zone if the 'Name Server' Records are up to date (i nearly everytime find name server entries of server which are already gone for years)
  2. Check each DNS Zone the settings of  'dynamic update' configuration (nonsecure or secure)
  3. Check if 'DNS Scavenging' is enabled
  4. Check if the configured 'DNS Forwarder' ist still correct and up to date (to be done on each DNS / DC)
  5. Check if there are any dns records which can be deleted, e.g. regular a-record of deleted computer accounts, etc.