As a server administrator, you are always running through a series of checklists, when everything is not on fire, to make sure there are no problems. Sometimes this checklist can be scripted. The Active Directory health check is one that must be looked at often. If you only look at Active Directory health when there is a problem, you are already too late to fix the issue in a relatively quick manner.
So you might ask yourself: what do I need to check as part of my Active Directory health check? That’s a great question. There are four services I check for.
The ADWS Service: Active Directory Web Services (ADWS), in Windows Server 2008 R2 and later, is a new Windows service that provides a Web service interface to Active Directory domains, Active Directory Lightweight Directory Services (AD LDS) instances, and Active Directory Database Mounting Tool instances that are running on the same system.
The DNS Service: DNS is an Internet service that translates domain names to IP addresses. Domain names are alphabetic and therefore easy to remember, but the Internet is based on numeric IP addresses, so a DNS server is required for computers to communicate with one another.
The KDC Service: The Kerberos Key Distribution Center (KDC) is implemented as a domain service. It uses Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains. … The authentication service returns a TGT for the ticket-granting service in the target computer’s domain.
The Netlogon Service: Netlogon is an Authentication Mechanism used in the Windows Client Authentication Architecture which verifies login requests, and it registers, authenticates, and locates Domain Controllers. Netlogon service can only be used after user, service, or computer authentication has taken place.
As you can see, these services play a very important part in your overall Active Directory health. There are plenty of other services you can also check, like DFSR, LanmanServer, and NtFrs for file servers.
    # Adding the variable dance here to save the file to a specific location and with the server name.
    # Note: $d is not assigned in this snippet; if it is unset it expands to an empty string.
    $saveLocation = "C:\Scripts\"
    $healthCheckFile = "_ADHealthCheck.txt"
    $HealthCheckFileLocation = "$saveLocation$d$healthCheckFile"

    # Building out the required dependencies
    $dcs = (Get-ADDomain).ReplicaDirectoryServers
    $svcs = "adws","dns","kdc","netlogon"

    # The meat of the script. This does all of the work.
    Get-Service -name $svcs -ComputerName $dcs |
        Select @{Name="Computername";Expression={$_.Machinename}},DisplayName,Status |
        out-string |
        add-content "$HealthCheckFileLocation"
The first three commands are variable assignments. I have always done it this way when interjecting the device variable in between two “text” lines does not work. It’s not pretty but it does work. I use this method a lot, probably more than I should.
The $saveLocation variable saves the first part of the directory location.
The $healthCheckFile variable saves the last part of the file name so I can easily distinguish this from all of the other output files.
The $HealthCheckFileLocation variable stores the entire thing.
The next two are also variable assignments, however, these assignments are a bit different.
The $dcs variable holds a command so it can be easily re-used as often as I need to.
The $svcs variable holds an array of [string] data, as opposed to [INT] data.
The last few lines are the commands that do the work.
Here the Get-Service command is pulling the service names from the array $svcs, then the computer name (the server name, in this case) from the $dcs variable. The $dcs variable, if you remember, queries Active Directory for the domain controller server names.
Note: remember the $dcs variable is a command inside a variable.
The command takes the data from the $dcs command being run and populates the Domain Controller (server name); then we pipe that data with this character: |. From the pipe |, we then select the name, and before we output to the text file we need to add titles to the top of the table so we know what we are looking at. When these output to a file it will be formatted as a table.
The Select command takes that data from the pipe | and formats it so it is easy to read, adding Computername, DisplayName and Status to the output in a table view.
Select @{Name="Computername";Expression={$_.Machinename}}: this takes the computer name from $dcs and places it under the Computername title in the table view.
DisplayName,Status: this part of the command adds two more column headers.
| out-string | add-content "$HealthCheckFileLocation": lastly, this part of the command pipes | all of the data into the command out-string, and then pipes | it to add-content along with the file name and location to save to.
I have sanitized the data from the output to show you what it looks like when run. Here is the output:
    Computername      DisplayName                       Status
    ------------      -----------                       ------
    DC1.fubar.ya.net  Active Directory Web Services     Running
    DC2.fubar.ya.net  Active Directory Web Services     Running
    DC1.fubar.ya.net  DNS Server                        Running
    DC2.fubar.ya.net  DNS Server                        Running
    DC1.fubar.ya.net  Kerberos Key Distribution Center  Running
    DC2.fubar.ya.net  Kerberos Key Distribution Center  Running
    DC1.fubar.ya.net  netlogon                          Running
    DC2.fubar.ya.net  netlogon                          Running
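The same check with the failure cases handled, as an added example that is not part of the original post: each domain controller is queried on its own so an unreachable server or a missing service shows up as a row instead of dropping out of the report, and the script exits non-zero when anything is not Running. The function name Test-DcServiceHealth, the QueryFailed status and the CSV file name are assumptions made for this example; it needs Windows PowerShell 5.1, where Get-Service still accepts -ComputerName, and the ActiveDirectory module.

```powershell
# Added example, not the post's own script.
function Test-DcServiceHealth {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$ServiceName = @('adws', 'dns', 'kdc', 'netlogon')
    )
    foreach ($dc in $ComputerName) {
        foreach ($svc in $ServiceName) {
            try {
                # -ErrorAction Stop turns "service not found" and
                # "cannot reach the server" into catchable errors
                $s = Get-Service -Name $svc -ComputerName $dc -ErrorAction Stop
                $display = $s.DisplayName
                $status  = [string]$s.Status
            }
            catch {
                # Keep a row for the failure so it is visible in the report
                $display = $svc
                $status  = 'QueryFailed'   # label chosen for this example
            }
            [pscustomobject]@{
                Computername = $dc
                DisplayName  = $display
                Status       = $status
                Healthy      = ($status -eq 'Running')
                Checked      = (Get-Date -Format s)
            }
        }
    }
}

$dcs      = (Get-ADDomain).ReplicaDirectoryServers
$results  = Test-DcServiceHealth -ComputerName $dcs
$problems = @($results | Where-Object { -not $_.Healthy })

# Append every run to one CSV so service state can be compared over time.
# C:\Scripts\ is the folder used in the post; the file name is an assumption.
$results | Export-Csv -Path 'C:\Scripts\ADHealthCheck.csv' -NoTypeInformation -Append

if ($problems.Count -gt 0) {
    # Show only what needs attention, then signal failure to the caller
    $problems | Format-Table Computername, DisplayName, Status -AutoSize
    exit 1   # non-zero exit code lets a scheduled task or monitor raise an alert
}
```

Run it as a scheduled script rather than pasting it into an interactive session, since exit 1 closes the session it runs in.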
That is all, I hope this helps!