How to do an Active Directory health and risk assessment

Active Directory is a critical component for an organization. All business applications rely on the Active Directory authentication subsystem before access to application data can be allowed, so Active Directory is a base component that must work effectively in order to avoid downtime for critical business applications. For example, if an in-house application sends 100 authentication requests and the domain controller does not respond to them in a timely manner, the result can be business loss. Similarly, you would expect changes made in one Active Directory site to be replicated to all other Active Directory sites as soon as possible. The big question is: how do you perform these checks? As a Microsoft MVP in Directory Services, I have done many engagements with local and global customers on Active Directory health assessment. In the past, I used to design individual PowerShell scripts to check a specific component of Active Directory. However, I have also worked with many other automated tools, which I share here so you can choose the best one based on your requirements.

Why perform Active Directory risk assessment?

There are several reasons why an Active Directory risk and health assessment must be done; the main ones are listed below:

  • Audit and compliance purposes: Large organizations must demonstrate compliance with standards such as SOX, PCI, HIPAA, and GDPR. Many Active Directory risk assessment products follow the guidelines provided by these compliance standards.
  • Before moving to the cloud: If your organization has decided to move to the cloud, you must consider an Active Directory health and risk assessment. Before the move, an Active Directory health check must be performed that includes checking for stale user accounts, disabled user and computer accounts, and any orphaned objects that must not be replicated to the cloud. Similarly, if you decide to implement domain controllers in the cloud, you must check replication to ensure it is working properly.
  • Before making a big change in the production environment: Before you make any big change in your production environment, it is advisable to perform a thorough check on all Active Directory components. These checks make sure that Active Directory is healthy before a big change such as implementing a technology that is heavily dependent on the Active Directory infrastructure and its objects.
  • Merging with another company: You may also need to perform an Active Directory health check before your production Active Directory forest is merged with another company’s Active Directory forest.

Available methods for Active Directory health check

There are several methods available depending on your requirements, such as Microsoft PowerShell scripts, the Microsoft ADRAP engagement, and the O365 IT Health and Risk Scanner. Several tools on the market offer a few checks, but not all of them can perform a complete health and risk assessment of Active Directory forests. Some tools omit health checks that are certainly necessary, while other products can uncover hidden issues, which in turn helps avoid disruption of the service.

Using PowerShell scripts

You can use PowerShell scripts to check each component of Active Directory, but you need to know all the components you would like to check as part of the health check. For example, you might have decided to check Active Directory forest replication status but might have forgotten to check other components, such as Group Policy, Active Directory sites, and so on. Though Microsoft provides the necessary PowerShell cmdlets to check a specific Active Directory component, it might take months to design a PowerShell script that contains checks for every important aspect of Active Directory. As an example, using the PowerShell command below you can check the replication status in an Active Directory site:

Get-ADReplicationFailure -Scope Site -Target Seattle | FT Server, FirstFailureTime, FailureCount, LastError, Partner -Auto
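The single-site command above covers one check. Because the article's point is that a useful script has to combine several checks (replication status from this section, plus the stale and disabled user and computer accounts mentioned in the cloud-migration bullet), here is an added example, written for this page and not taken from the article or any vendor tool, that runs those checks forest-wide with the RSAT ActiveDirectory cmdlets and writes the findings to one CSV. It assumes the ActiveDirectory module is installed, that the caller has read access to the forest, and that the 90-day and 24-hour thresholds are placeholders to align with your own policy.

```powershell
# Added example, not from the original article or any vendor product.
# Runs several AD health checks in one pass and writes the findings to a CSV:
#   1. replication failures (forest-wide, not a single site)
#   2. replication partners with no successful replication inside a threshold
#   3. stale user and computer accounts
#   4. disabled accounts
# Assumptions: RSAT ActiveDirectory module installed, read access to the forest,
# thresholds below are placeholders to align with your own policy.
#Requires -Modules ActiveDirectory

param(
    [int]$InactiveDays        = 90,    # assumed stale-account threshold
    [int]$ReplicationMaxHours = 24,    # assumed "partner has gone quiet" threshold
    [string]$ReportPath       = ".\AD-HealthCheck-$(Get-Date -Format 'yyyyMMdd').csv"
)

Import-Module ActiveDirectory

# One flat list of findings; each row is Check / Severity / Subject / Detail.
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Check, [string]$Severity, [string]$Subject, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Check = $Check; Severity = $Severity; Subject = $Subject; Detail = $Detail
    })
}

# 1. Replication failures across the whole forest.
$forest = Get-ADForest
foreach ($f in (Get-ADReplicationFailure -Scope Forest -Target $forest.Name)) {
    Add-Finding -Check 'Replication failure' -Severity 'High' -Subject $f.Server -Detail (
        '{0} failure(s) with partner {1} since {2}; last error {3}' -f
        $f.FailureCount, $f.Partner, $f.FirstFailureTime, $f.LastError)
}

# 2. Partners whose last successful inbound replication is older than the threshold.
#    A DC can have no "failure" recorded and still be silently behind.
$cutoff = (Get-Date).AddHours(-$ReplicationMaxHours)
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
    foreach ($p in $partners) {
        if ($p.LastReplicationSuccess -lt $cutoff) {
            Add-Finding -Check 'Replication stale' -Severity 'Medium' -Subject $dc.HostName -Detail (
                'No successful replication of {0} from {1} since {2}' -f
                $p.Partition, $p.Partner, $p.LastReplicationSuccess)
        }
    }
}

# 3. Stale user and computer accounts: no logon within $InactiveDays.
#    Accounts that have never logged on are also returned (LastLogonDate empty).
$span = New-TimeSpan -Days $InactiveDays
foreach ($acct in (Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly)) {
    Add-Finding -Check 'Stale user' -Severity 'Medium' -Subject $acct.SamAccountName -Detail (
        'Last logon {0}' -f $acct.LastLogonDate)
}
foreach ($acct in (Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly)) {
    Add-Finding -Check 'Stale computer' -Severity 'Low' -Subject $acct.Name -Detail (
        'Last logon {0}' -f $acct.LastLogonDate)
}

# 4. Disabled accounts, which should be reviewed before any cloud sync or forest merge.
foreach ($acct in (Search-ADAccount -AccountDisabled)) {
    Add-Finding -Check 'Disabled account' -Severity 'Low' -Subject $acct.SamAccountName -Detail (
        'ObjectClass {0}' -f $acct.ObjectClass)
}

# Persist the full list and print a per-severity summary.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Severity | Sort-Object Name |
    Select-Object @{ n = 'Severity'; e = { $_.Name } }, Count | Format-Table -AutoSize
Write-Host "Report written to $ReportPath"
```

Run it from a domain-joined machine with RSAT, for example `.\AD-HealthCheck.ps1 -InactiveDays 120`, and review the CSV before a migration or merge. The value of the script is the combination: a domain controller with no recorded replication failure can still fall behind, which is why the partner-metadata check sits beside the failure check, and the account checks are what catch the stale and disabled objects the article warns against replicating to the cloud.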

Microsoft ADRAP Engagement

Microsoft offers the Active Directory Risk Assessment Program (ADRAP) for Premier customers. The ADRAP program covers all checks to be performed in an Active Directory environment and also generates a report on the issues uncovered by the tool. The ADRAP assessment is performed by a Microsoft Premier Field Engineer who is qualified in the assessment process. Though the ADRAP program can uncover all Active Directory issues using the Active Directory Snapshot Tool, it is quite expensive and covers only a single Active Directory forest. In addition to the single-forest limitation, the ADRAP tool is not available to customers who do not have a Premier contract. If you have multiple Active Directory forests, you will be required to pay for each forest. It is also worth mentioning that the ADRAP tool can be used for only one year.

O365 IT Health and Risk Scanner

There is a great product available on the market called O365 IT Health and Risk Scanner. The O365 IT Scanner is designed to perform a complete health check of your Microsoft ecosystem, including Active Directory, Hyper-V, Microsoft Exchange, SQL servers, Microsoft Azure, Office 365, and so on. The product can perform complete Active Directory health and risk checks and reports the issues it finds along with recommendations to fix them. One good thing about O365 IT Health and Risk Scanner is that the product is dynamic: it allows you to create your own health checks for any technology. The O365 IT Health and Risk Scanner product is becoming the first choice for IT admins, IT architects, and managed service providers. As you can see in the screenshot below, you can add health checks of your choice by clicking on the technology labels and then create an assessment profile:

[Screenshot: selecting technology health checks in O365 IT Health and Risk Scanner to build an assessment profile]

I have used the O365 IT Scanner for many of our customers and find it quite useful. Some of its notable features are: help in finding the critical and high health issues and risks in the Active Directory environment, the ability to delegate health and risk assessment tasks by using the Delegation Add-On, the ability to schedule dynamic packs, quick generation of a risk and health assessment report, and the ability to customize the report according to your needs.

Active Directory health and risk assessment: A must-do

We provided an overview of why it is necessary to perform an Active Directory health and risk assessment for your production Active Directory forest, and of the available methods for doing so. While the Microsoft ADRAP tool can perform an Active Directory assessment, O365 IT Health and Risk Scanner can perform a health and risk assessment of the complete Microsoft ecosystem.
