Project Description
DCHealthCheck performs several automated tests on Active Directory domain controllers, and provides a summary/status report.

These tests can help proactively identify common issues with time synchronization, replication, and name resolution. Detailed information is included in the Word document in the Collateral folder in the source code tab.

The two main components are the DCHealthCheck.exe console application, which runs as a scheduled task, and an ASP.NET MVC web site for displaying the results. Collected data and results are stored in a Microsoft SQL Server database, using Entity Framework 5.0 with Code First/DbContext.

Tests Performed
  • Ping Test. Look up the IP address, perform a ping test 100 times, and calculate average round trip time (RTT) and average packet loss.
  • LDAPBind and GCBind. Perform an authenticated bind to ports 389 and 3268. Note that if a DC is configured as a global catalog (GC) but not advertising as a GC, it may still allow binds to port 3268. Binds are also performed to the SSL ports, 636/3269.
  • GCAdvertising Test. repadmin /showreps dcName is run against the domain controller. If a server is not advertising as a global catalog, repadmin displays a warning.
  • DNS Test. Perform a lookup on port UDP/53 against the DC, for the DC fully-qualified domain name. For DCs that have multiple IP addresses, this can be useful to verify it is only advertising one IP address.
  • Time Server Test. w32tm.exe /query /computer:dcName /status /verbose is run against the DC (Windows 2008 or higher). An NTPClient time synchronization request is performed against the DC on port UDP/123. nltest.exe /server:dcName /dsgetdc:domainName is run against the DC, and the flags are checked to determine if the DC is advertising as a time server. The W32Time service registry values for MaxNegPhaseCorrection and MaxPosPhaseCorrection are checked to confirm that they are set according to the best practice values specified in the Active Directory Best Practice Analyzer.
  • Time Sync Test. Determine if the DC time is approaching the five-minute threshold.
  • TagObject Test. This is a replication latency test. A “tag” object is created in each domain, and each DC is queried for the tag object. An attribute in the tag object is updated with new information after each test run, and a test is performed to determine if a domain controller has stale information.
  • Sysvol/FRS Test. Test the most recent group policy folder. Compare the gpt.ini on each DC to verify that the version information matches.
  • Strict Replication Test. Check for the registry value that enforces Strict Replication. This is located at: Key: HKLM\System\CurrentControlSet\Services\NTDS\Parameters Value: Strict Replication Consistency.
  • DNS Registry Values Test. Check for the PublishAddresses registry value if the DC has more than one IP address. This setting is new for Windows 2008. Without this setting, the DC may advertise more than one IP address. Check for the ScavengingInterval setting, to confirm that scavenging is not performed on a DC that owns a FSMO role.
  • Processor Utilization Test. Use WMI to get the list of running processes, and check if any are incurring average daily processor utilization higher than the configured threshold. LSA and DNS are excluded.
  • Free Disk Space Test. Includes thresholds for both warning and error.
  • Handle/Thread Count Test. Check for processes that exceed a configured threshold for handles/threads.
  • Uptime Test. Check for DCs that exceed a configured threshold for maximum uptime. This can surface DCs that may have fallen out of the security hotfix cycle.
  • Pending Replication Count Test. Check for DCs that have a pending replication count that exceeds the configured threshold.
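
The comparison described under the Sysvol/FRS Test can be sketched as follows. This is an added example, not DCHealthCheck's own code: it parses the gpt.ini text collected from each DC for one GPO, splits the Version number into its user and computer counters, and reports DCs that are unreadable or out of step. The DC names, sample contents, function names, and the use of the majority version as the reference are assumptions of this example.

```python
import configparser
from collections import Counter

# Constructed sample: gpt.ini text as read from each DC's SYSVOL share for one
# GPO. DC names and version numbers are made up for illustration.
SAMPLE_GPT_INI = {
    "dc01.example.test": "[General]\r\nVersion=196613\r\n",
    "dc02.example.test": "[General]\r\nVersion=196613\r\n",
    "dc03.example.test": "[General]\r\nVersion=196612\r\n",  # one revision behind
    "dc04.example.test": "",                                 # missing or empty file
}

def parse_gpt_version(text):
    """Return (user_version, computer_version) from gpt.ini text, or None."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
        general = next(s for s in parser.sections() if s.lower() == "general")
        raw = parser.getint(general, "Version")
    except (configparser.Error, ValueError, StopIteration):
        return None
    # Version packs two 16-bit counters: user settings in the high word,
    # computer settings in the low word.
    return raw >> 16, raw & 0xFFFF

def find_stale_dcs(gpt_by_dc):
    """Map each DC that is unreadable or off the reference version to a reason."""
    versions = {dc: parse_gpt_version(text) for dc, text in gpt_by_dc.items()}
    readable = [v for v in versions.values() if v is not None]
    if not readable:
        return {dc: "gpt.ini unreadable" for dc in versions}
    # Assumption of this example: the version held by most DCs is the reference.
    expected, _ = Counter(readable).most_common(1)[0]
    findings = {}
    for dc, found in versions.items():
        if found is None:
            findings[dc] = "gpt.ini unreadable"
        elif found != expected:
            findings[dc] = ("user/computer version %d/%d, expected %d/%d"
                            % (found + expected))
    return findings

if __name__ == "__main__":
    for dc, reason in sorted(find_stale_dcs(SAMPLE_GPT_INI).items()):
        print(dc, "-", reason)
```
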

Data Collected
  • Processes
  • Services
  • Installed Products
  • Replication Neighbors and Replication Operations
  • Netstat output (used to create a port-to-process map)
  • Group Policy machine/computer RSOP report

Last edited Mar 17, 2013 at 2:04 PM by GregAskew, version 17