Windows Server 2003 Active Directory Audit

Hi folks,

One of our customer network got 400 users in the same network with 3 DC.
(one Primary and 2 ADC). they are reporting that some time users are getting
log on error. i need to do collect entire AD logs and do analysis and suggest
the best practice.

these are the customer requirements.:

1. Effective way of configuration of Active Directory its backup and
restoration
2. DNS settings and fine tuning on the same.
3. Configuring multiple domain (how effectively the same can be
implemented), Like child domain, Domain in a different forest etc...
4. How to see the existing domain controller and its settings are working
fine and are configured properly?
5. How to check on the DNS services and it is functioning properly?


I am planing to use the following tool to check the AD health.
1. repadmin.exe
2. directory service MPS report.

is there any other free tool which will help to check the AD health ? and
what other report I need to prepare.

please share your experience, which may reduce my time & get better experice
to me.

Regards
S.Kaliyan

Here is my canned answer for folks who are looking to run diagnostics
against AD. I have the steps below in a batch file with start notepad and
the log file after each so as they complete the results pop up
automagically...

Run diagnostics against your Active Directory domain.

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"S Kaliyan" <SKaliyan@discussions.microsoft.com> wrote in message
news:0EAF768B-5F8F-47B4-BD84-12F5F104F5A0@microsoft.com...
> Hi folks,
>
> One of our customer network got 400 users in the same network with 3 DC.
> (one Primary and 2 ADC). they are reporting that some time users are
> getting
> log on error. i need to do collect entire AD logs and do analysis and
> suggest
> the best practice.
>
> these are the customer requirements.:
>
> 1. Effective way of configuration of Active Directory its backup and
> restoration
> 2. DNS settings and fine tuning on the same.
> 3. Configuring multiple domain (how effectively the same can be
> implemented), Like child domain, Domain in a different forest etc...
> 4. How to see the existing domain controller and its settings are working
> fine and are configured properly?
> 5. How to check on the DNS services and it is functioning properly?
>
>
> I am planing to use the following tool to check the AD health.
> 1. repadmin.exe
> 2. directory service MPS report.
>
> is there any other free tool which will help to check the AD health ? and
> what other report I need to prepare.
>
> please share your experience, which may reduce my time & get better
> experice
> to me.
>
> Regards
> S.Kaliyan

Hi S Kaliyan
Please se answers inline
> One of our customer network got 400 users in the same network with 3 DC.
> (one Primary and 2 ADC). they are reporting that some time users are
> getting
> log on error. i need to do collect entire AD logs and do analysis and
> suggest
> the best practice.

Ok

> these are the customer requirements.:
> 1. Effective way of configuration of Active Directory its backup and
> restoration.
Have a look

http://technet2.microsoft.com/window....mspx?mfr=true
http://www.microsoft.com/downloads/d...displaylang=en
http://technet.microsoft.com/en-us/l.../bb727048.aspx
http://technet2.microsoft.com/window....mspx?mfr=true

> 2. DNS settings and fine tuning on the same.
This will depend of the client's network and servers design...
http://support.microsoft.com/kb/825036

> 3. Configuring multiple domain (how effectively the same can be
> implemented), Like child domain, Domain in a different forest etc...
The first question should be... Do I realy need additonal Domains? In most
situations the answer is no.

> 4. How to see the existing domain controller and its settings are working
> fine and are configured properly?
dcdiag, netdiag, eventlogs...

> 5. How to check on the DNS services and it is functioning properly?
Eventlog errors/warnings, dcdiag, nltest cmd can helpyou with that,
additionally you can do manuall tests.

>
> I am planing to use the following tool to check the AD health.
> 1. repadmin.exe
> 2. directory service MPS report.
Also do dcdiag and netdiag.

> is there any other free tool which will help to check the AD health ? and
> what other report I need to prepare.
There're other tools, but the tools specified before should give you a nice
understanding about what's going on the AD configuration.
--
I hope that the information above helps you.

Have a Nice day.

Jorge Silva
MVP Directory Services

[Jedwards33]

Download the freeware version of NetWrix Logon Reporter. That’s what we use to analyze logon events, it works well and should get the job done for you.