The article below is a collection of reliable and up-to-date guidelines (a checklist) for performing an Active Directory health check!
This is a "living" article, so please feel free to update and extend it!
Neither Microsoft nor the authors provide any guarantee.
Although I have been working with the cmdlets and scripts in this checklist, please use them with caution and at your own risk!
Clean up the following domain groups by removing orphaned accounts or accounts that no longer need the permission.
If you have created custom security groups, you need to clean those up as well.
Speaking of user accounts, you also need to check your service accounts. You can list them with the following cmdlet:
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties PasswordLastSet,LastLogonDate,TrustedForDelegation,ServicePrincipalName
In this context, you can also have a look at gMSAs (group Managed Service Accounts):
https://docs.microsoft.com/de-de/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
https://gallery.technet.microsoft.com/List-all-SPNs-Used-in-your-e0c6267a
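The group clean-up and the service account review above can be turned into one report. The following script is an added example and not part of the original article or its linked gallery scripts; it assumes the ActiveDirectory module (RSAT) is installed, that the list of privileged groups matches your environment, and that 90 days without a logon and a password older than 365 days are the thresholds you want (adjust both).

```powershell
# Added example (not from the original article): review privileged group
# membership and service accounts with SPNs. Requires the ActiveDirectory
# module and read access to the domain. Thresholds are assumptions.
Import-Module ActiveDirectory

$StaleDays       = 90     # assumption: no logon in 90 days counts as stale
$OldPasswordDays = 365    # assumption: service account password older than a year
$Now             = Get-Date

# Built-in groups that usually need clean-up; extend with your custom groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)

$GroupReport = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { continue }

    # -Recursive resolves nested groups so indirect members are included.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group         = $GroupName
                User          = $User.SamAccountName
                Enabled       = $User.Enabled
                LastLogonDate = $User.LastLogonDate
                Stale         = (-not $User.Enabled) -or
                                ($null -eq $User.LastLogonDate) -or
                                ($User.LastLogonDate -lt $Now.AddDays(-$StaleDays))
            }
        }
}

"== Privileged group members flagged for review =="
$GroupReport | Where-Object Stale | Sort-Object Group, User | Format-Table -AutoSize

# Service accounts: every user object that carries an SPN (same filter as the
# article's cmdlet), flagged for old passwords and unconstrained delegation.
$ServiceAccounts = Get-ADUser -Filter { ServicePrincipalName -like "*" } `
    -Properties PasswordLastSet, LastLogonDate, TrustedForDelegation, ServicePrincipalName, Enabled

$SpnReport = $ServiceAccounts | ForEach-Object {
    [pscustomobject]@{
        Account                 = $_.SamAccountName
        Enabled                 = $_.Enabled
        PasswordAgeDays         = if ($_.PasswordLastSet) { [int]($Now - $_.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate           = $_.LastLogonDate
        UnconstrainedDelegation = $_.TrustedForDelegation   # should normally be $false
        SpnCount                = @($_.ServicePrincipalName).Count
    }
}

"== Service accounts needing attention =="
$SpnReport |
    Where-Object { $_.UnconstrainedDelegation -or $null -eq $_.PasswordAgeDays -or $_.PasswordAgeDays -gt $OldPasswordDays } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Accounts that show up with unconstrained delegation or a never-set password are the first candidates for a gMSA migration; disabled or long-inactive members of the privileged groups are the first candidates for removal.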
Make sure the SYSVOL share only contains data that is really needed. So far I have seen SYSVOL shares containing and replicating many unnecessary and unneeded files, e.g. expired certificates, various kinds of zip files, multiple installer files of the same application, etc.
If you still run a domain controller on Windows Server 2012 R2, you should already be using DFS-R for SYSVOL replication.
To check the replication health you can use the DFS Management tool and run a propagation test, a propagation report and a general health report.
In addition, check the DFS Replication log in the Event Viewer on the domain controllers!
If you still run older operating systems and use FRS for SYSVOL replication, please check the File Replication Service log in the Event Viewer.
Most of today's technologies require an updated domain / forest functional level. In this case you need to check your current functional level.
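The SYSVOL content review, the DFS-R versus FRS question and the event log check above can be scripted on a domain controller. The script below is an added example and not from the original article; it assumes the ActiveDirectory and DFSR PowerShell modules are present (DFSR module: Windows Server 2012 R2 and later), and the file extension list and the 7-day event window are assumptions to adapt.

```powershell
# Added example (not from the original article): SYSVOL content and replication
# checks, run on a domain controller with the ActiveDirectory and DFSR modules.
# The file extension list and the 7-day window are assumptions; adjust them.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$SysvolPath = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)"
$Extensions = '.zip', '.rar', '.7z', '.msi', '.exe', '.cer', '.pfx', '.crt', '.iso'

"== SYSVOL files that usually do not belong there =="
Get-ChildItem -Path $SysvolPath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $Extensions -or $_.Length -gt 10MB } |
    Select-Object FullName, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 2) }}, LastWriteTime |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize

"== SYSVOL replication engine =="
# dfsrmig reports the FRS-to-DFSR migration state; 'Eliminated' means DFSR only.
$State = (dfsrmig /getglobalstate) -join ' '
$State
if ($State -notmatch 'Eliminated') {
    Write-Warning 'SYSVOL is not fully migrated to DFS-R; FRS may still be in use.'
}

"== Replication errors and warnings from the last 7 days =="
$Since = (Get-Date).AddDays(-7)
foreach ($Log in 'DFS Replication', 'File Replication Service') {
    # Level 1-3 = Critical, Error, Warning. A missing log (e.g. no FRS) is skipped.
    $Events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Level = 1, 2, 3; StartTime = $Since } -ErrorAction SilentlyContinue
    "$Log : $(@($Events).Count) event(s)"
    $Events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, Name, @{n='Message'; e={ $_.Group[0].Message.Split("`n")[0] }} |
        Format-Table -AutoSize
}

"== DFSR SYSVOL backlog from this DC to each partner =="
$Me = $env:COMPUTERNAME
Get-ADDomainController -Filter "Name -ne '$Me'" | ForEach-Object {
    $Partner = $_
    try {
        $Backlog = Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
            -SourceComputerName $Me -DestinationComputerName $Partner.HostName -ErrorAction Stop
        "{0,-30} backlog: {1}" -f $Partner.HostName, @($Backlog).Count
    } catch {
        Write-Warning "Backlog check failed for $($Partner.HostName): $_"
    }
}
```

A non-zero backlog that does not drain, or recurring error events in the DFS Replication log, are the cases where the propagation test and health report in the DFS Management tool give the detail you need.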
https://docs.microsoft.com/de-de/windows-server/identity/ad-ds/active-directory-functional-levels
https://activedirectorypro.com/how-to-configure-a-domain-password-policy/
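Functional level and password policy are both read-only checks that belong in the same report. The script below is an added example, not part of the original article or the linked pages; it assumes the ActiveDirectory module, and the target forest level (`Windows2016Forest`) and the 12-character minimum length it warns about are assumptions for your own policy.

```powershell
# Added example (not from the original article): report functional levels, the
# domain controllers' operating systems and the password policies in force.
# Requires the ActiveDirectory module; the thresholds are assumptions.
Import-Module ActiveDirectory

$Forest = Get-ADForest
$Domain = Get-ADDomain

"Forest functional level : $($Forest.ForestMode)"
"Domain functional level : $($Domain.DomainMode)"

# A functional level can only be raised when every DC runs a supporting OS.
"== Domain controllers =="
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog, IsReadOnly |
    Sort-Object OperatingSystem |
    Format-Table -AutoSize

$TargetLevel = [Microsoft.ActiveDirectory.Management.ADForestMode]'Windows2016Forest'   # assumption
if ([int]$Forest.ForestMode -lt [int]$TargetLevel) {
    Write-Warning "Forest level $($Forest.ForestMode) is below the target $TargetLevel."
}

"== Default domain password policy =="
$Policy = Get-ADDefaultDomainPasswordPolicy
$Policy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration, ReversibleEncryptionEnabled |
    Format-List

if ($Policy.MinPasswordLength -lt 12)      { Write-Warning 'Minimum password length below 12 (assumed baseline).' }
if ($Policy.ReversibleEncryptionEnabled)   { Write-Warning 'Reversible encryption is enabled in the default policy.' }
if ($Policy.LockoutThreshold -eq 0)        { Write-Warning 'No account lockout threshold configured.' }

"== Fine-grained password policies (PSOs) and who they apply to =="
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  LockoutThreshold, @{n='AppliesTo'; e={ $_.AppliesTo -join '; ' }} |
    Sort-Object Precedence |
    Format-Table -AutoSize
```

Fine-grained policies are easy to forget in a review: a PSO with a weaker setting applied to a group of service or admin accounts overrides the default domain policy for those accounts, so their `AppliesTo` lists deserve the same attention as the default policy itself.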
Several infrastructures use delegated rights on OUs. In this case, make sure:
To improve your OS security, check the Microsoft recommended Windows security baseline for Windows Server systems and enable the features that fit your configuration!
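One way to review OU delegation is to list every explicit (non-inherited) access entry on every OU and compare the principals against the ones you expect. The script below is an added example and not from the original article; it assumes the ActiveDirectory module (which provides the `AD:` drive) and that the list of expected principals is extended with your own admin groups.

```powershell
# Added example (not from the original article): list explicit (non-inherited)
# access entries on every OU so delegated rights can be reviewed.
# Requires the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Principals whose entries are normally expected; everything else is reported
# as delegation. Extend this list for your own admin groups (assumption).
$NetBios  = (Get-ADDomain).NetBIOSName
$Expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone', 'CREATOR OWNER',
    "$NetBios\Domain Admins", "$NetBios\Enterprise Admins",
    "$NetBios\Key Admins", "$NetBios\Enterprise Key Admins"
)

$Delegations = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $Ou  = $_
    $Acl = Get-Acl -Path "AD:\$($Ou.DistinguishedName)"
    $Acl.Access |
        Where-Object { -not $_.IsInherited -and $Expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                OU              = $Ou.DistinguishedName
                Principal       = $_.IdentityReference.Value
                Type            = $_.AccessControlType
                Rights          = $_.ActiveDirectoryRights
                ObjectType      = $_.ObjectType        # attribute/class GUID; empty GUID = all
                InheritanceType = $_.InheritanceType
            }
        }
}

"== Explicit delegations per OU =="
$Delegations | Sort-Object OU, Principal | Format-Table -AutoSize

# Deleted principals can no longer be resolved and show up as raw SIDs:
# these entries are orphaned and should be removed.
"== Orphaned (unresolvable) delegation entries =="
$Delegations | Where-Object { $_.Principal -like 'S-1-5-*' } | Format-Table OU, Principal, Rights -AutoSize
```

Entries with `GenericAll` or `WriteDacl` on an OU that holds accounts or group objects are the ones to justify first, since they are equivalent to full control over everything below that OU.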
https://docs.microsoft.com/de-de/windows/security/threat-protection/windows-security-baselines
Check if the Recycle Bin is enabled; it is recommended to use it with Office 365.
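The Recycle Bin check, plus a look at what is currently sitting in it, as an added example that is not part of the original article. It assumes the ActiveDirectory module; enabling the feature is irreversible and requires forest functional level Windows Server 2008 R2 or higher, and the 30-day window for listing deletions is an assumption.

```powershell
# Added example (not from the original article): verify whether the AD Recycle Bin
# is enabled and, if so, list recently deleted objects. Requires the ActiveDirectory
# module. The 30-day window is an assumption.
Import-Module ActiveDirectory

$Forest  = Get-ADForest
$Feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

if ($Feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is enabled (scopes: $($Feature.EnabledScopes -join '; '))"

    # Deleted objects keep their attributes for msDS-DeletedObjectLifetime days
    # (falls back to tombstoneLifetime when not set explicitly).
    $ConfigNC = (Get-ADRootDSE).configurationNamingContext
    $DsObj    = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC" `
                    -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    "Deleted object lifetime: $($DsObj.'msDS-DeletedObjectLifetime') day(s); tombstone lifetime: $($DsObj.tombstoneLifetime) day(s)"

    "== Objects deleted in the last 30 days =="
    $Since = (Get-Date).AddDays(-30)
    Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -gt $Since } `
        -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
        Select-Object Name, ObjectClass, whenChanged, lastKnownParent |
        Sort-Object whenChanged -Descending |
        Format-Table -AutoSize
} else {
    Write-Warning 'Recycle Bin is not enabled. Once the forest functional level allows it, enable it with:'
    "Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target '$($Forest.Name)'"
}
```

With the Recycle Bin enabled, an accidentally deleted object listed here can be brought back with `Restore-ADObject` including its group memberships and attributes, which is exactly what an authoritative restore from backup would otherwise be needed for.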
https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5
Here is an article for troubleshooting authentication issues when a user's token size is too large:
https://support.microsoft.com/en-us/help/327825/problems-with-kerberos-authentication-when-a-user-belongs-to-many-grou
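The linked Microsoft article gives the estimate TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups from other domains and SIDHistory entries, and s counts global groups and universal groups from the account's own domain. The script below applies that estimate to every enabled user and reads the configured MaxTokenSize from the local registry; it is an added example, not the gallery script linked above, and assumes the ActiveDirectory module, a 12000-byte threshold (the default limit before Windows 8 / Server 2012) and that one domain is queried (groups in other domains of the forest are not counted unless you point the group query at a global catalog).

```powershell
# Added example (not from the original article): estimate Kerberos token size per
# user from transitive group membership and compare it with MaxTokenSize.
# Uses the formula from the linked KB article (1200 + 40d + 8s).
# The user set and the threshold are assumptions.
Import-Module ActiveDirectory

$DomainSid = (Get-ADDomain).DomainSID.Value
$Threshold = 12000   # assumption: default limit before Windows 8 / Server 2012 (48000 afterwards)

# Configured value on this machine (absent = OS default).
$KerbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Configured = (Get-ItemProperty -Path $KerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
"Configured MaxTokenSize on $env:COMPUTERNAME : $(if ($Configured) { $Configured } else { 'not set (OS default)' })"

function Get-TokenSizeEstimate {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)

    # Escape the DN for use inside an LDAP filter (RFC 4515).
    $Dn = $User.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership in a single query.
    $Groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$Dn)" -Properties GroupScope

    # d: domain-local + foreign universal groups + SIDHistory; s: global + own-domain universal
    $d = 0; $s = 0
    foreach ($g in $Groups) {
        $Foreign = $g.SID.AccountDomainSid.Value -ne $DomainSid
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($Foreign) { $d++ } else { $s++ } }
        }
    }
    $d += @($User.SIDHistory).Count

    [pscustomobject]@{
        User           = $User.SamAccountName
        GroupCount     = @($Groups).Count
        SidHistory     = @($User.SIDHistory).Count
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

# Check all enabled users; narrow the filter for large directories.
$Report = Get-ADUser -Filter 'Enabled -eq $true' -Properties SIDHistory |
    ForEach-Object { Get-TokenSizeEstimate -User $_ }

"== Users closest to the token size limit ($Threshold bytes) =="
$Report | Sort-Object EstimatedBytes -Descending | Select-Object -First 20 | Format-Table -AutoSize
$Report | Where-Object EstimatedBytes -gt $Threshold |
    ForEach-Object { Write-Warning "$($_.User) estimated token $($_.EstimatedBytes) bytes exceeds $Threshold" }
```

Users near the limit are usually the result of group nesting and migration leftovers in SIDHistory; trimming those is the fix the linked article recommends before raising MaxTokenSize everywhere, since a larger token still has to fit through every HTTP and RPC path that carries it.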
Check the following:
The "auto-created" ones are fine, but often, especially during troubleshooting, people manually add or create NTDS replication connections to work around an error.
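The difference between KCC-generated and manually created connection objects is visible in the `AutoGenerated` property of each connection, which makes the leftover workarounds easy to find. The script below is an added example and not from the original article; it assumes the ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example (not from the original article): list NTDS replication connections,
# separating KCC-generated from manually created ones, and show replication
# failures and stale partner links. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$DomainName  = (Get-ADDomain).DNSRoot
$Connections = Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

"== Manually created connection objects (review once the KCC is healthy again) =="
$Connections | Where-Object { -not $_.AutoGenerated } | Format-Table -AutoSize

"== KCC-generated connection objects =="
$Connections | Where-Object AutoGenerated | Format-Table -AutoSize

"== Replication failures reported by each domain controller =="
Get-ADReplicationFailure -Target $DomainName -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

"== Partner links with a non-success result or consecutive failures =="
Get-ADReplicationPartnerMetadata -Target $DomainName -Scope Domain |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

Once every partner link reports a success result, a manually created connection that duplicates a KCC-generated one can be removed and the KCC left to manage the topology; keeping both only hides the next failure.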