Inorbit Consulting Corp Pre AD Domain Upgrade Report
1. Risk and Health Assessment
Program for Active Directory
ACME
Ed Longstrom
Inorbit Consulting Corporation
2. Example
Risk Assessment Program Overview
• Program Goals:
• Assess risks of specified environment using a suite of data collection tools and an operational interview
• Identify key areas where your environment deviates from MS Best Practices
• Provide enough details to plan improvements and mitigate risks
• Program Phases:
• Environmental Assessment: Accredited MS personnel collected detailed data regarding your environment, focusing on key known critical areas
• Analysis and Reporting: Accredited MS personnel analyzed the collected data and compared it to best practices, yielding reports and data reflecting key findings and risks
• Remediation: Once identified issues and risks have been remediated, you should see a reduction in support incidents and improvements in infrastructure efficiencies
3. Example
Overall Risk
Based on the scope of this assessment, your Active Directory Environment is found to be at High Risk.
4. Example
Consolidated Scorecard
Active Directory Consolidated Scorecard Before After
Account Information High High
Token Size High High
AD Database Medium Medium
AD Object Count Low Low
Database Info Medium Medium
AD Integrated Services Low Low
Certificate Services Low Low
AD Replication High High
Account Policies Low Low
Forest/Domain Info Low Low
Large Groups High High
5. Example
Consolidated Scorecard (2)
Active Directory Consolidated Scorecard Before After
Replication Configuration Low Low
Replication Status High High
Site Configuration High High
Subnet Information Medium Medium
Backup Low Low
Backup Status Low Low
DC Health High High
DCDiag - General Medium Medium
Event Logs High High
OS Information High High
Performance Info High High
6. Example
Consolidated Scorecard (3)
Active Directory Consolidated Scorecard Before After
Security Updates High High
Time Configuration High High
FRS/Group Policy High High
FRS Convergence Low Low
GPOTool Low Low
SYSVOL Information High High
Unlinked GPOs Low Low
Name Resolution High High
DCDiag - DNS Medium Medium
DNS Information High High
DNSLint High High
7. Example
Consolidated Scorecard (4)
Active Directory Consolidated Scorecard Before After
IP Information Medium Medium
WINS 1B & 1C Medium Medium
Operational Excellence High High
Backup Low Low
Design High High
Disaster Recovery High High
Environmental Dependencies Low Low
Monitoring High High
Operate Low Low
RODC Low Low
Strategy Medium Medium
8. Example
Consolidated Scorecard (5)
Active Directory Consolidated Scorecard Before After
Transition High High
Virtualization Low Low
Other Low Low
Account Lockouts Low Low
Exchange DSAccess Low Low
Machine Account Info Low Low
User Account Info Low Low
Prerequisites High High
ADST Dependencies High High
9. Example
Key Issues and Risks - Critical
The following Critical risks were identified in your environment:
• AD Replication
• Site Configuration
• Preferred Bridgeheads Excluding NC (Resolved)
• DC Health
• Event Logs
• Event ID 1388, NTDS Replication, Lingering Object Replicated
10. Example
Key Issues and Risks - Critical
• OS Information
• Supportability of Windows Server 2003 Service Pack 1
• Performance Info
• Non-Paged Pool Memory Leak (Resolved)
• Security Updates
• Critical Security Updates Missing
• FRS/Group Policy
• SYSVOL Information
• FRS is in Journal Wrap
11. Example
Key Issues and Risks - Critical (2)
• Operational Excellence
• Monitoring
• The organization has not implemented management packs or guides to monitor the service environment.
12. Example
High Risk Scorecard
Active Directory High Risk Scorecard Before After
Account Information
Token Size
User access tokens causing 16K or greater Paged Pool allocations High High
User Kerberos tickets larger than IIS 5 can accept by default High High
User Kerberos tickets may be larger than IIS 6 or 7 can accept by default High High
Users’ Kerberos tickets may exceed default OS buffer limit High High
13. Example
High Risk Scorecard (2)
Active Directory High Risk Scorecard Before After
AD Replication
Large Groups
Group Legacy Members Greater Than 5,000 in 2000 FFL Forest High High
Replication Status
NC Failed to Replicate Multiple Times High High
14. Example
High Risk Scorecard (3)
Active Directory High Risk Scorecard Before After
Site Configuration
DCs not in Domain Controllers OU High High
Preferred Bridgeheads Excluding NC High Low
15. Example
High Risk Scorecard (4)
Active Directory High Risk Scorecard Before After
DC Health
Event Logs
Event ID 1388, NTDS Replication, Lingering Object Replicated High High
OS Information
Event Logs Exceed 300MB High High
Supportability of Windows Server 2003 Service Pack 1 High High
16. Example
High Risk Scorecard (5)
Active Directory High Risk Scorecard Before After
Performance Info
High Paged Pool Usage High High
Non-Paged Pool Memory Leak High Low
Security Updates
Critical Security Updates Missing High High
17. Example
High Risk Scorecard (6)
Active Directory High Risk Scorecard Before After
Time Configuration
Maximum Negative Phase Correction Greater Than 48 Hours High High
Maximum Positive Phase Correction Greater Than 48 Hours High High
18. Example
High Risk Scorecard (7)
Active Directory High Risk Scorecard Before After
FRS/Group Policy
SYSVOL Information
FRS is in Journal Wrap High High
SYSVOL Not Shared High Low
SYSVOL Replication Partners Failing to Replicate High High
19. Example
High Risk Scorecard (8)
Active Directory High Risk Scorecard Before After
Name Resolution
DNS Information
Zone Transfer is Enabled to Any Server High High
DNSLint
Missing Host/Glue Registrations High High
20. Example
High Risk Scorecard (9)
Active Directory High Risk Scorecard Before After
Operational Excellence
Design
The organization does not have defined Operating Level Agreements (OLAs) between dependent IT units. High High
Disaster Recovery
The organization does not test service continuity plans after a major release or on a regular basis. High High
21. Example
High Risk Scorecard (10)
Active Directory High Risk Scorecard Before After
Monitoring
The organization has not implemented management packs or guides to monitor the service environment. High High
Transition
The organization does not receive alerts when a change is made to services or hardware. High High
22. Example
High Risk Scorecard (11)
Active Directory High Risk Scorecard Before After
Prerequisites
ADST Dependencies
FRS Service Stopped Or Does Not Start Automatically High Low
Inconsistent Infrastructure Master FSMO Role Owner High High
Inconsistent RID Master FSMO Role Owner High High
Kerberos KDC Service Stopped Or Does Not Start Automatically High Low
23. Example
High Risk Scorecard (12)
Active Directory High Risk Scorecard Before After
Scalable Networking Pack Components Enabled High High
24. Example
Appendix – Medium Risk Scorecard
Active Directory Medium Risk Scorecard Before After
Account Information
Token Size
User access tokens causing 12K Paged Pool allocations Medium Medium
25. Example
Appendix – Medium Risk Scorecard (2)
Active Directory Medium Risk Scorecard Before After
AD Database
Database Info
Low Free Disk Space on Database and Log Path Medium Medium
26. Example
Appendix – Medium Risk Scorecard (3)
Active Directory Medium Risk Scorecard Before After
AD Replication
Replication Status
A DC Has Never Replicated an NC With a Partner Medium Medium
Subnet Information
DCs in Sites With Conflicting Subnet Definitions Medium Medium
Sites With No Subnet Definitions Medium Medium
27. Example
Appendix – Medium Risk Scorecard (4)
Active Directory Medium Risk Scorecard Before After
DC Health
DCDiag - General
DCDiag Errors Medium Medium
Performance Info
Average Disk Sec/Write on Log Drive Is 25 Milliseconds or Greater Medium Medium
Average Disk Sec/Write on NTDS Drive Is 25 Milliseconds or Greater Medium Medium
28. Example
Appendix – Medium Risk Scorecard (5)
Active Directory Medium Risk Scorecard Before After
Average Disk Sec/Write on System Drive Is 25 Milliseconds or Greater Medium Medium
Average LDAP Bind Time Is 20 Milliseconds or Greater Medium Medium
Overall CPU Utilization 80 Percent or Greater Medium Medium
Security Updates
Important Security Updates Missing Medium Medium
29. Example
Appendix – Medium Risk Scorecard (6)
Active Directory Medium Risk Scorecard Before After
Time Configuration
DCs Are 30 Seconds or More Out of Sync Medium Low
FRS/Group Policy
SYSVOL Information
Large Backlogged Connections Medium Medium
30. Example
Appendix – Medium Risk Scorecard (7)
Active Directory Medium Risk Scorecard Before After
Name Resolution
DCDiag - DNS
DNS Service Stopped Medium Medium
Single Valid Forwarder Medium Medium
31. Example
Appendix – Medium Risk Scorecard (8)
Active Directory Medium Risk Scorecard Before After
IP Information
WINS Split Registration Medium Medium
WINS 1B & 1C
1C Record Contains Less Than 2 Valid Entries Medium Low
Static Domain 1B Registrations Found Medium Medium
32. Example
Appendix – Medium Risk Scorecard (9)
Active Directory Medium Risk Scorecard Before After
Operational Excellence
Disaster Recovery
Disaster Recovery Plan Does Not Include Common Scenarios Medium Medium
Strategy
The organization does not review performance against their existing support agreements Medium Medium
33. Example
Appendix – Low Risk Scorecard
Active Directory Low Risk Scorecard Before After
Account Information
Token Size
User access tokens approaching next jump in Paged Pool allocation Low Low
User access tokens causing 08K Paged Pool allocations Low Low
User Kerberos tickets approaching maximum size that IIS 5 can accept by default Low Low
User Kerberos tickets may be approaching the default size limit for IIS 6 and 7 Low Low
34. Example
Appendix – Low Risk Scorecard (2)
Active Directory Low Risk Scorecard Before After
Users and/or Groups with SID History Low Low
Users’ Kerberos tickets may approach default OS buffer limit Low Low
AD Database
AD Object Count
DLT Objects Found Low Low
35. Example
Appendix – Low Risk Scorecard (3)
Active Directory Low Risk Scorecard Before After
Database Info
Low Free Disk Space Low Low
AD Replication
Replication Configuration
Strict Replication Consistency Disabled Low Low
36. Example
Appendix – Low Risk Scorecard (4)
Active Directory Low Risk Scorecard Before After
Site Configuration
Bridgehead With Many Inter-Site Inbound Replication Connections Is Virtualized Low Low
Single Preferred Bridgehead Low Low
Site Not Contained in a Site Link Low Low
37. Example
Appendix – Low Risk Scorecard (5)
Active Directory Low Risk Scorecard Before After
Subnet Information
Orphaned Subnet Definitions Low Low
DC Health
Event Logs
Event ID 11, KDC, Duplicate UPN or SPN Low Low
38. Example
Appendix – Low Risk Scorecard (6)
Active Directory Low Risk Scorecard Before After
OS Information
LAN Manager Hash for Passwords Stored Low Low
PAE Enabled on Microsoft Windows 2003 or Greater DCs Low Low
System Drive Has Less Than 1GB Free Space Low Low
39. Example
Appendix – Low Risk Scorecard (7)
Active Directory Low Risk Scorecard Before After
Performance Info
Average Disk Sec/Read on Log Drive Is Between 25 and 49 Milliseconds Low Low
Average Disk Sec/Read on NTDS Drive Is Between 25 and 49 Milliseconds Low Low
Average Disk Sec/Read on System Drive Is Between 25 and 49 Milliseconds Low Low
Average Disk Sec/Write on Log Drive Is Between 15 and 24 Milliseconds Low Low
Average Disk Sec/Write on NTDS Drive Is Between 15 and 24 Milliseconds Low Low
40. Example
Appendix – Low Risk Scorecard (8)
Active Directory Low Risk Scorecard Before After
Average Disk Sec/Write on System Drive Is Between 15 and 24 Milliseconds Low Low
Average LDAP Bind Time Is Between 15 and 19 Milliseconds Low Low
Overall CPU Utilization 60 Percent or Greater Low Low
41. Example
Appendix – Low Risk Scorecard (9)
Active Directory Low Risk Scorecard Before After
FRS/Group Policy
FRS Convergence
Did Not Replicate Within Time-out Low Low
GPOTool
GPOTOOL Detected Errors Low Low
42. Example
Appendix – Low Risk Scorecard (10)
Active Directory Low Risk Scorecard Before After
SYSVOL Information
SYSVOL Free Space Less Than 1GB Low Low
SYSVOL Staging Path Free Space Less Than 1GB Low Low
43. Example
Appendix – Low Risk Scorecard (11)
Active Directory Low Risk Scorecard Before After
Name Resolution
DCDiag - DNS
Broken Delegation Low Low
Invalid DNS Address Low Low
44. Example
Appendix – Low Risk Scorecard (12)
Active Directory Low Risk Scorecard Before After
IP Information
Single WINS Server Specified Low Low
WINS 1B & 1C
Static Domain 1C Registrations Found Low Low
45. Example
Appendix – Low Risk Scorecard (13)
Active Directory Low Risk Scorecard Before After
Operational Excellence
Strategy
Base Level IT Certification Is Not Required Low Low
Transition
No Active Directory Lab That Mirrors the Production Environment Low Low