PowerShell offers greater flexibility when it comes to interacting with Windows operating systems and interacting with Windows Server roles and features. Microsoft provides PowerShell modules for almost all roles and features. Though there is no specific PowerShell module available that can be used to check uptime of domain controllers, you can use basic PowerShell and WMI classes to check it as it is explained in this article.
Why check domain controllers’ uptime?
Before we start to use the PowerShell script provided in this article, it is imperative to understand that Active Directory domain controllers must be patched properly in order to avoid any security risks in the environment. For example, if a domain controller has been up and running for more than two months, that could give some sort of indication that the domain controller might have not been patched and that’s why it was not rebooted. So by checking the uptime, you can find out if the domain controller was patched or not because patching a domain controller requires a reboot that in turn resets the uptime. Second, domain controllers must be rebooted regularly to free up memory from LSASS.exe.
How to check uptime for a single domain controller
You can use PowerShell to check uptime of domain controllers. You can use Get-WmiObject PowerShell cmdlet to access Win23_OperatingSystem class that includes LastBootUpTime property. The LastBootUpTime property shows the last boot uptime of the domain controller. An example of checking one domain controller for uptime is shown in the PowerShell script below:
$DCName = "DC1.TechGenix.com"
$operatingSystem = Get-WmiObject Win32_OperatingSystem -ComputerName $DCName
$RTime=[ManagementDateTimeConverter]::ToDateTime($operatingSystem.LastBootUpTime)
$LocalTime=[ManagementDateTimeConverter]::ToDateTime($operatingSystem.LocalDateTime)
$CurTimeZone=$operatingSystem.CurrentTimeZone
$StatusNow = ""
$R = $RTime
$Z = Get-Date
$DayNotRebooted = (New-TimeSpan -Start $R -End $Z).Days
IF ($DayNotRebooted -ge 60)
{
$StatusNow = "WARNING: Not rebooted in last 60 days."
}
else
{
$StatusNow = "domain controller was rebooted within 60 days."
}
$StatusNow
As you can see, the above PowerShell script checks the uptime of a domain controller named “DC1.TechGenix.com” and reports “WARNING: Not rebooted in last 60 days” if the domain controller was not rebooted in the last 60 days and “domain controller was rebooted within 60 days” if the domain controller was rebooted within 60 days. You can modify the “days not rebooted” value in the above script at “IF ($DaysNotRebooted –qe 60)” line.
How to check uptime of multiple domain controllers
While above PowerShell script checks uptime for a single domain controller, below PowerShell script can be used to check uptime for multiple domain controllers or domain controllers specified in a CSV file. Let’s assume we have created a CSV file named AllDCs.CSV and it is stored in the C:\Temp folder. The file contains domain controller names per line. When you execute below PowerShell script it will check all domain controllers one by one and then generate a report in the C:\Temp folder by name DCUpTimeReport.CSV.
$AllDCs = "C:\Temp\AllDCs.CSV"
$ReportFile = "C:\Temp\DCUpTimeReport.CSV"
$STR = "DCName, Message"
Add-Content $ReportFile $STR
ForEach ($ItemName in GC $AllDCs)
{
$operatingSystem = Get-WmiObject Win32_OperatingSystem -ComputerName $ItemName
$RTime=[ManagementDateTimeConverter]::ToDateTime($operatingSystem.LastBootUpTime)
$LocalTime=[ManagementDateTimeConverter]::ToDateTime($operatingSystem.LocalDateTime)
$CurTimeZone=$operatingSystem.CurrentTimeZone
$StatusNow = ""
$R = $RTime
$Z = Get-Date
$DayNotRebooted = (New-TimeSpan -Start $R -End $Z).Days
IF ($DayNotRebooted -ge 60)
{
$StatusNow = "WARNING: Not rebooted in last 60 days."
}
else
{
$StatusNow = "domain controller was rebooted within 60 days."
}
$STR = $ItemName+","+$StatusNow
Add-Content $ReportFile $STR
}
After executing the above PowerShell script, a report will be generated that includes the name of the domain controller and a message against each domain controller as shown in the screenshot below:
As you can see in the above screenshot, it reported that the DC2.TechGenix.com, DC3.TechGenix.com and DC5.TechGenix.com domain controller requires a reboot as these domain controllers have not been rebooted in more than 60 days.
While there are many scripts available that can report uptime for domain controllers, AD Health Profiler available at www.Ossisto365.com is a robust product for checking domain controller uptime as well as help in doing a complete health check of multiple Active Directory forests. The above PowerShell script was retrieved from Active Directory Health Profiler. You can select domain controller uptime from the Dynamic Packs window and execute it to get the uptime data as shown in the screenshot below:
Active Directory Health Profiler is a well-recognized product available from Ossisto 365 to perform a complete health check of multiple Active Directory forests.
Why this will increase your security
We provided two PowerShell scripts to check domain controllers uptime. It is certainly necessary to check if the domain controllers were rebooted or not to avoid any security risks as patching a domain controller requires a reboot.
Featured image: Pixabay
