22 Jan

A First Look at the Active Directory Domain Services Best Practice Analyzer in the Windows Server 2008 R2 Beta

Windows Server 2008 R2 includes a Best Practice Analyzer (BPA) for a limited number of server roles, including Active Directory Domain Services.

The following is a first look at the Active Directory Domain Services Best Practice Analyzer (AD DS BPA) that is included with the Windows Server 2008 R2 Beta.

Disclaimer
The following is based on the Beta build of Windows Server 2008 R2. Therefore, it may change by the time RTM is released.

Overview of Active Directory Domain Services Best Practice Analyzer

The BPA in Windows Server 2008 can be used to scan one or more servers against a set of predefined best practices. BPA will report back whether each server is compliant or noncompliant with each best practice. These scans can be performed by using Server Manager or by using PowerShell cmdlets. For more information on Best Practice Analyzer in Windows Server 2008 R2, see the following article: What’s New in Server Manager.

The AD DS BPA is installed automatically when the Active Directory Domain Services server role is installed. The AD DS BPA can be used to collect AD DS configuration information from Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 domain controllers.

How AD DS BPA Works

A Best Practice Analyzer engine is included with Server Manager in Windows Server 2008 R2. The BPA engine runs the AD DS BPA, which consists of the following:

  • AD DS BPA PowerShell Script, which collects AD DS configuration data and stores it in an XML document.
  • XML Schema, which defines the format of the XML document that is produced by the AD DS BPA PowerShell script.
  • AD DS BPA Rules, which define the best practice configuration for AD DS.
  • AD DS BPA Guidance, which includes information on how to resolve issues found by AD DS BPA.

When an AD DS BPA scan is run, the following occurs:

  1. The BPA engine uses the AD DS BPA PowerShell script to collect AD DS configuration information and saves the collected information into an XML document.
  2. The BPA engine validates the XML document against the XML schema.
  3. The BPA engine applies the AD DS BPA rules to the XML document and creates a report using the AD DS BPA guidance.

For more detailed information on AD DS BPA, and how it works, see the following article: What’s New in AD DS: Active Directory Best Practices Analyzer.

AD DS BPA Checks in Windows Server 2008 R2 Beta

In the Windows Server 2008 R2 Beta, the AD DS BPA includes 31 checks, or best practices. The number of checks that are run on a given server depends on a number of factors. The following is a list of checks that are performed in the Windows Server 2008 R2 Beta:

Site-Specific SRV Record Checks

  • This domain controller must advertise as an LDAP server for the domain in its local site
  • This domain controller must advertise as a KDC for the domain in its local site
  • This server must advertise itself as a domain controller for the domain in its local site
  • This domain controller must advertise itself as a Kerberos server for the domain in its local site
  • This domain controller must advertise itself as a generic global catalog server for the forest in its local site
  • This domain controller must advertise as a global catalog server for the forest in its local site

Global SRV Record Checks

(This group also includes the domain and forest A/AAAA record checks and the CNAME record check.)

  • This domain controller must register its DNS host (A or AAAA) resource records for the domain
  • This domain controller must advertise as an LDAP server for the domain
  • This domain controller must register a DNS SRV resource record, which is required for replication to function correctly
  • This domain controller must advertise as a KDC for the domain
  • This server must advertise itself as a domain controller for the domain
  • This domain controller must register its Rfc1510Kdc DNS record to advertise itself as Kerberos Server for the domain
  • This domain controller must register its Rfc1510UdpKdc DNS record to advertise itself as Kerberos Server for the domain
  • This domain controller must register its Rfc1510Kpwd DNS record to advertise itself as Kerberos Server for the domain
  • This domain controller must register its Rfc1510UdpKpwd DNS record to advertise itself as Kerberos Server for the domain
  • This domain controller must advertise as the global catalog server for the forest
  • This global catalog server must register its host (A/AAAA) resource records for the forest
  • This domain controller must advertise itself as a generic global catalog server for the forest
  • This domain controller must advertise as a PDC for the domain
  • This domain controller must register an alias (CNAME) resource record with its DsaGuid for the forest
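The following is an added example, not code from the original post or from the BPA itself. It re-implements the site-specific and global SRV/CNAME checks listed above by querying DNS for each record this domain controller is expected to register, and it skips the global catalog and PDC checks when the server does not hold that role, which is one reason the number of checks varies per server. It assumes the ActiveDirectory module (Get-ADDomainController, Get-ADDomain, Get-ADObject) and Resolve-DnsName from the DnsClient module, which shipped after Windows Server 2008 R2.

```powershell
# Added example, not from the original post: re-implements the site-specific and global
# SRV/CNAME checks by querying DNS for each record this DC should register.
# Assumes the ActiveDirectory module (Get-ADDomainController, Get-ADDomain, Get-ADObject)
# and Resolve-DnsName from the DnsClient module (Windows Server 2012 or later).
Import-Module ActiveDirectory

$dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
$d       = $dc.Domain                      # domain DNS name
$f       = $dc.Forest                      # forest root DNS name
$site    = $dc.Site
$fqdn    = $dc.HostName.ToLower()
$domGuid = (Get-ADDomain -Identity $d).ObjectGUID
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID

# Expected SRV owner name -> the BPA check it corresponds to.
$checks = [ordered]@{
  "_ldap._tcp.$site._sites.$d"               = 'LDAP server for the domain in its local site'
  "_kerberos._tcp.$site._sites.dc._msdcs.$d" = 'KDC for the domain in its local site'
  "_ldap._tcp.$site._sites.dc._msdcs.$d"     = 'domain controller for the domain in its local site'
  "_kerberos._tcp.$site._sites.$d"           = 'Kerberos server for the domain in its local site'
  "_ldap._tcp.$d"                            = 'LDAP server for the domain'
  "_ldap._tcp.$domGuid.domains._msdcs.$f"    = 'SRV record required for replication'
  "_kerberos._tcp.dc._msdcs.$d"              = 'KDC for the domain'
  "_ldap._tcp.dc._msdcs.$d"                  = 'domain controller for the domain'
  "_kerberos._tcp.$d"                        = 'Rfc1510Kdc'
  "_kerberos._udp.$d"                        = 'Rfc1510UdpKdc'
  "_kpasswd._tcp.$d"                         = 'Rfc1510Kpwd'
  "_kpasswd._udp.$d"                         = 'Rfc1510UdpKpwd'
}
# Role-dependent checks: only expected when this DC is a GC or holds the PDC emulator role.
if ($dc.IsGlobalCatalog) {
  $checks["_gc._tcp.$site._sites.$f"]             = 'generic global catalog server in its local site'
  $checks["_ldap._tcp.$site._sites.gc._msdcs.$f"] = 'global catalog server for the forest in its local site'
  $checks["_ldap._tcp.gc._msdcs.$f"]              = 'global catalog server for the forest'
  $checks["_gc._tcp.$f"]                          = 'generic global catalog server for the forest'
}
if ($dc.OperationMasterRoles -contains 'PDCEmulator') {
  $checks["_ldap._tcp.pdc._msdcs.$d"] = 'PDC for the domain'
}

$results = @(foreach ($name in $checks.Keys) {
  # Resolve-DnsName also returns additional A records; keep only the SRV answers.
  $targets = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.ToLower() }
  [pscustomobject]@{ Check = $checks[$name]; Record = $name; Compliant = ($targets -contains $fqdn) }
})
# CNAME alias that replication partners use to find this DC: <DsaGuid>._msdcs.<forest>
$alias = Resolve-DnsName -Name "$dsaGuid._msdcs.$f" -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
$results += [pscustomobject]@{ Check = 'CNAME alias with DsaGuid'; Record = "$dsaGuid._msdcs.$f"
                               Compliant = (([string]$alias.NameHost).ToLower() -eq $fqdn) }
$results | Sort-Object Compliant | Format-Table -AutoSize
```

Run it on the domain controller being checked; any row with Compliant set to False is a record that Netlogon has not registered (or that DNS is not serving), which is the same condition the corresponding BPA check reports as noncompliant.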

Number of DCs in Domain Check

  • All domains should have at least two functioning domain controllers for redundancy

FSMO Connectivity Checks

  • The domain controller dcname must be able to connect to the RID master in this domain
  • The domain controller dcname must be able to connect to the infrastructure master in this domain
  • The domain controller dcname must be able to connect to the PDC emulator master in this domain
  • The domain controller dcname must be able to connect to the schema master in this forest
  • The domain controller dcname must be able to connect to the domain naming master in this forest

FSMO Role Grouping Checks

  • The schema master role and the domain naming master role should be owned by the same domain controller in the forest
  • The RID master role and the PDC emulator master role should be owned by the same domain controller in the domain

DNS Client Checks

  • This domain controller must register its DNS host A/AAAA records
  • This domain controller must register its DNS host A/AAAA records with correct IP addresses
  • This domain controller must be able to reach a DNS server and retrieve DNS records that are associated with this domain controller

For each check that a server is compliant with, the AD DS BPA reports compliance, for example: “The domain domainname is in compliance with this best practice. The domain domainname has at least two functioning domain controllers.”

For each check that a server is not compliant with, the AD DS BPA will tell you the issue, impact, and resolution. For example:

Issue: The domain domainname has only one functioning domain controller.

Impact: In the event of a failure on the domain’s only domain controller, users will not be able to log in to the domain or access domain resources.

Resolution: Add one or more additional domain controllers to the domain to handle authentication and authorization requests in case there is a failure on the domain’s single available domain controller.

Running AD DS BPA Scans by Using Server Manager

As previously mentioned, AD DS BPA scans can be run by using Server Manager or by using PowerShell cmdlets. The following is an example of running an AD DS BPA scan in Server Manager.

NOTE: Server Manager can be used to scan a local or remote computer. To scan a remote computer, simply use the Connect to Another Computer option in Server Manager.

  1. Log on to a domain controller that has Windows Server 2008 R2 installed.
  2. Open Server Manager.
  3. In the console tree of Server Manager, expand the Roles node, and then select the Active Directory Domain Services role.
  4. Scroll down to the Best Practice Analyzer section.
  5. Click on the Scan This Role link on the right. [Screenshot: WS08R2BetaADBPA01]
  6. The AD DS BPA scan will run against the local domain controller. [Screenshot: WS08R2BetaADBPA02]
  7. Once the scan is complete, you will see the checks that the server is not compliant with located in the Noncompliant column. [Screenshot: WS08R2BetaADBPA03]
  8. To view the details of a check the server is noncompliant with, ensure the Noncompliant column is selected, right-click on the check, and then select Properties. [Screenshot: WS08R2BetaADBPA04]
  9. As you can see in the above image, the issue, impact, and resolution, among other details, are listed in the properties.
  10. To view the checks that the server is compliant with, click on the Compliant column. [Screenshot: WS08R2BetaADBPA05]
  11. To view all checks that were performed, click on the All column. [Screenshot: WS08R2BetaADBPA06]
  12. If you have a check that you don’t want to be included in the report, for example a known issue, you can exclude it from the results by selecting the check, and then clicking Exclude Result. [Screenshot: WS08R2BetaADBPA07]
  13. To view all checks that have been excluded from the results, click on the Excluded column. [Screenshot: WS08R2BetaADBPA08]
  14. If you previously excluded a check from the results, you can later include it by selecting the check (in the Excluded column), and then clicking Include Result. [Screenshot: WS08R2BetaADBPA09]


Running AD DS BPA Scans by Using PowerShell cmdlets

As previously mentioned, AD DS BPA scans can also be performed by using PowerShell cmdlets. The PowerShell cmdlets can be used to scan a single role or all roles on a local server or on remote servers. The PowerShell cmdlets can also be used to exclude and/or include scan results. The PowerShell cmdlets can also be used to perform a number of other tasks for AD DS BPA.

I have not been able to get the PowerShell cmdlets to work on the Windows Server 2008 R2 Beta. Once I do, I will post additional information.
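The following is an added example, not code from the original post. It performs from PowerShell the same tasks the Server Manager walkthrough above covers: running the AD DS scan, listing the noncompliant results with their issue, impact and resolution, and excluding and re-including a known issue. It assumes the BestPractices module cmdlets (Invoke-BpaModel, Get-BpaResult, Set-BpaResult) and the AD DS model ID as they shipped in the released Windows Server 2008 R2, not the Beta build discussed in the post.

```powershell
# Added example, not from the original post. Assumes the BestPractices module and the
# AD DS model ID as shipped in the released Windows Server 2008 R2 (not the Beta).
Import-Module ServerManager
Import-Module BestPractices

$model = 'Microsoft/Windows/DirectoryServices'   # AD DS BPA model ID (assumed, RTM)

# 1. Collect the configuration, validate it against the schema and apply the rules
#    (the three steps described under "How AD DS BPA Works").
Invoke-BpaModel -ModelId $model | Out-Null

# 2. Report only what Server Manager shows in the Noncompliant column:
#    compliant checks come back with Severity 'Information', so keep Error and Warning.
$results      = Get-BpaResult -ModelId $model
$noncompliant = $results | Where-Object { ('Error', 'Warning') -contains $_.Severity -and -not $_.Excluded }
$noncompliant | Select-Object Severity, Category, Title, Problem, Impact, Resolution | Format-List

# 3. Exclude a known issue so later reports hide it (here: the single-DC redundancy
#    check, which a lab domain with one DC will always fail).
$known = $results | Where-Object { $_.Title -like '*at least two functioning domain controllers*' }
if ($known) {
    $known | Set-BpaResult -ModelId $model -Exclude $true
}

# 4. Everything currently excluded, the equivalent of the Excluded column.
Get-BpaResult -ModelId $model | Where-Object { $_.Excluded } | Select-Object Title

# To include a previously excluded result again, the equivalent of Include Result:
# $known | Set-BpaResult -ModelId $model -Exclude $false
```

The cmdlets act on the local server; to scan a remote domain controller, run the same commands inside Invoke-Command against that server.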

    Copyright John Policelli