Active Directory Group Policy Health Check Items (Part 1)

Tip: We explained why it is important to have SRV records for all domain controllers registered in the DNS Server, and we provided a PowerShell script that you can use to collect both the SRV records that are registered and the SRV records that are missing for each domain controller.

We feel that there are a few more important directory checks that you should perform so that every aspect of Active Directory is covered, allowing you to run a smooth Active Directory environment and keep the other applications that rely on Active Directory for authentication and authorization happy.

In a large production Active Directory environment with hundreds of Group Policy Objects, it becomes difficult to ensure that GPOs are configured appropriately. When it comes to performing a health check of Group Policy Objects, there are at least eight important checks that you should always perform, as listed below:

• How many GPOs are configured with WMI Filters and are they configured properly?
• Have you taken backup of GPOs?
• How many GPOs are disabled and why are they disabled?
• How many GPOs are not applying?
• Is your GPO using a description text so GPOs can be identified easily?
• Are GPOs using the standard naming convention and are they configured with shorter names?
• Do you have Block Policy Inheritance configured and are they configured on the required GPOs?
• How many GPOs have No Override options set?

While you can run small PowerShell commands to collect the required information from Active Directory and help keep the production GPOs healthy, you then need to design PowerShell scripts that report the output to a CSV file of your choice and list only the required data. For example, when retrieving the list of GPOs that have WMI Filters configured, you want the output to contain only the GPOs that have WMI Filters configured, not all of them. Similarly, when gathering the list of GPOs that have not been backed up, you want to see the GPOs that have not been backed up rather than those that have been backed up recently.
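Several of the eight checks listed above can be collected in a single pass with the GroupPolicy and ActiveDirectory modules. The following is an added example written for this article, not the authors' health check script; the parameter names, the output columns and the file path are assumptions, and it writes one row per GPO plus a short summary so that only the flagged items need attention:

```powershell
# Added example (not the article's script): one pass over all GPOs in a domain that
# covers several of the eight checks above and writes one row per GPO to a CSV.
# Assumes the GroupPolicy and ActiveDirectory modules; $Domain and $OutFile are placeholders.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,
    [string]$OutFile = "C:\Temp\GPOHealth.csv"
)
Import-Module GroupPolicy, ActiveDirectory

$rows = ForEach ($gpo in Get-GPO -All -Domain $Domain) {
    # The XML report carries one LinksTo element per site/domain/OU link;
    # no LinksTo element at all means the GPO is not applying anywhere.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })
    $wmi   = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { "" }

    [pscustomobject]@{
        Domain         = $Domain
        GPO            = $gpo.DisplayName
        HasDescription = -not [string]::IsNullOrWhiteSpace($gpo.Description)
        NameLength     = $gpo.DisplayName.Length            # long names are hard to work with
        Status         = $gpo.GpoStatus                     # AllSettingsDisabled = GPO is turned off
        WmiFilter      = $wmi
        LinkCount      = $links.Count
        EnforcedLinks  = @($links | Where-Object { $_.NoOverride -eq 'true' }).Count   # "No Override"
        DisabledLinks  = @($links | Where-Object { $_.Enabled -eq 'false' }).Count
    }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation

# Block Policy Inheritance is set on OUs, not on GPOs, so it is checked with Get-GPInheritance
$blocked = Get-ADOrganizationalUnit -Filter * -Server $Domain |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName -Domain $Domain } |
    Where-Object { $_.GpoInheritanceBlocked }

# Summary in the same spirit as the article's $TestText / $SumVal values
"GPOs without a description : {0}" -f @($rows | Where-Object { -not $_.HasDescription }).Count
"GPOs not linked anywhere   : {0}" -f @($rows | Where-Object { $_.LinkCount -eq 0 }).Count
"GPOs fully disabled        : {0}" -f @($rows | Where-Object { $_.Status -eq 'AllSettingsDisabled' }).Count
"GPOs with a WMI filter     : {0}" -f @($rows | Where-Object { $_.WmiFilter }).Count
"GPOs with enforced links   : {0}" -f @($rows | Where-Object { $_.EnforcedLinks -gt 0 }).Count
"OUs blocking inheritance   : {0}" -f @($blocked).Count
```

GPO backups are not covered here because they are verified against the backup location rather than against the GPO itself.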

We have worked on a few GPO PowerShell scripts that you might find useful and include in your daily Active Directory health check procedure. In Part 1 of this article series, we explain how to report on Group Policy Objects that do not have a description text set. In Part 2 and subsequent parts, we will explain how to use several PowerShell scripts to retrieve the list of Group Policy Objects that are configured in the domains but are not applying to any objects, to retrieve the list of GPOs that have WMI Filters configured and ensure that the WMI Filters are configured properly, and so on.

### Start Script ###

# Variables expected to be set by the calling health check framework before this script runs:
#   $GDomList        - text file listing one domain name per line
#   $HitWin2012DC    - "Yes" when a preferred domain controller list is used
#   $CredInputForPS  - "File" when preferred domain controllers are read from $PrefDCFile
#   $PrefDCFile      - CSV with the columns Domain and 'Preferred Domain Controller'
#   $PDCListFile     - CSV with the columns Domain and PDCServer
#   $Creds           - PSCredential used for the remote session to the domain controller
#   $TestCSVFile     - per-GPO result CSV (one row per GPO returned without a description)
#   $ADTestName, $TestStartTime - used in the summary row built at the end

$TotNo      = 0      # total number of GPOs without a description, across all domains
$ItemCount  = 0
$TestText   = ""
$TestStatus = ""
$SumVal     = ""

ForEach ($ThisDomain in Get-Content "$GDomList")
{
    $PDCServerToConnect = "Unknown"
    $ErrorOrNot = "No"      # reset per domain so one unreachable DC does not flag every later domain

    # Pick the domain controller to query: the preferred DC list or the PDC list
    IF ($HitWin2012DC -eq "Yes" -and $CredInputForPS -eq "File")
    {
        $PDCCSV = Import-CSV $PrefDCFile
        ForEach ($ItemNow in $PDCCSV)
        {
            IF ($ItemNow.Domain -eq $ThisDomain)
            {
                $PDCServerToConnect = $ItemNow.'Preferred Domain Controller'
                break
            }
        }
    }
    else
    {
        $PDCCSV = Import-CSV $PDCListFile
        ForEach ($ItemNow in $PDCCSV)
        {
            IF ($ItemNow.Domain -eq $ThisDomain)
            {
                $PDCServerToConnect = $ItemNow.PDCServer
                break
            }
        }
    }

    # Run Get-GPO on the selected domain controller and keep only the GPOs whose Description is empty
    $Error.Clear()
    $AllGPODes = Invoke-Command -ComputerName $PDCServerToConnect -Credential $Creds -ArgumentList $ThisDomain -ScriptBlock {
        param($R1Now)
        Get-GPO -All -Domain $R1Now | Where-Object { [string]::IsNullOrEmpty($_.Description) }
    }

    IF ($Error.Count -ne 0)
    {
        $ErrorOrNot = "Yes"
    }

    IF ($ErrorOrNot -eq "Yes")
    {
        $TestText   = "Please check to make sure a Domain Controller is reachable to execute Dynamic Pack."
        $SumVal     = ""
        $TestStatus = "Error executing Dynamic Pack."
    }
    else
    {
        $Items     = @($AllGPODes)      # force an array so .Count works for a single GPO as well
        $ItemCount = $Items.Count
        $FinalText = ""
        $SumVal    = $ItemCount

        ForEach ($ThisItem in $Items)
        {
            $ThisDesToCheck = $ThisItem.Description
            $StatusNow = "Ok"
            IF ([string]::IsNullOrEmpty($ThisDesToCheck))
            {
                $TotNo++
                $StatusNow = "Not Ok"
            }
            $FinalVal = $ThisDomain + "," + $PDCServerToConnect + "," + $ThisItem.DisplayName + "," + $ThisItem.Description + "," + $StatusNow
            Add-Content "$TestCSVFile" $FinalVal
        }

        IF ($TotNo -gt 0)
        {
            $TestText   = "Some GPOs do not have a description set. It is recommended to set a description for each GPO to identify the function of the GPO easily."
            $TestStatus = "Medium"
            $SumVal     = $TotNo
        }
        IF ($TotNo -eq 0)
        {
            $TestText   = "All GPOs are defined with a description text."
            $TestStatus = "Passed"
            $SumVal     = $TotNo
        }
    }
}

# Summary row for the test; the calling framework writes $STR to the report file
$STR = $ADTestName + "," + $TestStartTime + "," + $TestStatus + "," + $SumVal + "," + $TestText

### End Script ###

 

Once the script has finished executing for all domains, a CSV report file is generated, as shown in Figure 1 below. The report file is named RVRecordsStatus.CSV and is located in C:\Temp.


 
Figure 1 – Showing CSV Report generated by the PowerShell Script

As you can see in the report generated by the script, it reports “WARNING” in the “Final Status” column for domain controllers that have SRV records missing. In the report above, the domain controllers DC3.ITDynamicPacks.Net, DC4.ITDynamicPacks.Net and DC7.ITDynamicPacks.Net have LDAP SRV records missing from the DNS domain zone. Once you have the SRV report, you can register the missing SRV records in the DNS Server to ensure that Active Directory operates smoothly.

If you are using Active Directory Health Profiler, you can execute the Domain Controller Individual SRV Records Test Dynamic Pack against an Active Directory forest or a domain to show the status of SRV records in the Active Directory Health Profiler console, as shown in Figure 2 below.


 
Figure 2 – Showing SRV Records Status for each domain controller in AD Health Profiler

Note that a Group Policy Object is of no use if it doesn’t apply to any user or computer objects. In other words, creating a huge number of GPOs that do not apply may lead to unnecessary processing by the client-side extensions on the Windows clients, which are responsible for processing the GPOs.

Summary

We explained the importance of SRV records in an Active Directory environment. Domain Controllers rely on SRV records registered in the DNS Server to perform important functions such as replicating changes and allowing Active Directory clients to locate domain controller services. Any application that uses SRV records to find a domain controller will fail if the SRV records for the domain controllers are not registered.
We also provided a PowerShell script that you can use to collect a report on SRV records for all domain controllers and fix the missing ones easily.
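The SRV check described above can be reproduced by comparing the LDAP SRV records that DNS actually returns with the domain controllers Active Directory knows about. This is an added example written for this article, not the authors' Dynamic Pack script; it assumes the ActiveDirectory and DnsClient modules, $Domain is a placeholder, and the report columns are assumptions, while the output file name is the one the article mentions:

```powershell
# Added example (not the article's script): report domain controllers whose LDAP SRV record
# is missing from DNS, in the same OK / WARNING style as the article's Final Status column.
# Assumes the ActiveDirectory and DnsClient modules; $Domain is a placeholder.
param([string]$Domain = $env:USERDNSDOMAIN)
Import-Module ActiveDirectory

# Every DC must register _ldap._tcp.dc._msdcs.<domain>; each SRV answer's NameTarget is a DC FQDN
$srvName    = "_ldap._tcp.dc._msdcs.$Domain"
$registered = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' } |
              ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }

# Compare against the DC list held in Active Directory itself
$report = ForEach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $fqdn = $dc.HostName.ToLower()
    [pscustomobject]@{
        DomainController = $fqdn
        Site             = $dc.Site
        LdapSrvRecord    = $srvName
        FinalStatus      = if ($registered -contains $fqdn) { 'OK' } else { 'WARNING' }
    }
}

# File name taken from the article; adjust the path for your environment
$report | Export-Csv -Path "C:\Temp\RVRecordsStatus.CSV" -NoTypeInformation
$report | Where-Object { $_.FinalStatus -eq 'WARNING' }
```

A WARNING row means the DC is known to Active Directory but is not advertised in DNS, which is exactly the case where clients fail to locate it.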


2 thoughts on “Active Directory Group Policy Health Check Items (Part 1)”

  1. I have not attempted to run this script as of yet but I don’t see where a variable defines the expected output file and location C:\Temp\RVRecordsStatus.CSV?

  2. This article looks like two different AD topics joined together but by mistake: one regarding GPO comments, the other SRV records. Where is the script that checks SRV records?? Please update the post as I’d like both scripts :).

    Thanks.
