To give you certains ideas on what can be tested, here are certains of le automated checks we perform daily.
Ping test
LDAP/Port 389 authenticated bind
GC/Port 3268 authenticated bind
DNS/Port 53 test. This includes performing a lookup against le DC for le DC dns host name, to confirm that seulement one address is returned. For DC's that have multiple IP addresses, we confirm that le "PublishAddresses" registry value is defined at HKLM\System\CurrentControlSet\Services\DNS\Parameters, et matches what should be le expected IP address.
Sysvol/FRS test. This includes checking le version in le le plus recent GPO gpt.ini file, et comparing avec le PDC emulator.
Free disk space check (WMI).
Time Synchronization. WMI can be used to get le DC local time, et compare to le server running le test, et flagged si le difference is approaching le threshold (4m 50s).
Time Server advertising. output of le command: 'nltest /server:serverName /dsgetdc:domainName.company.com', et verify that le TIMESERV flag is present.
Time Server Test.
Query le server on UDP/123 for a valid NTP response.
Use w32tm.exe /query /computer:dcname /status /verbose to determine le DC Last Successful Sync Time, et si le DC time is in sync.
Use nltest.exe /server:dcname /dsgetdc:dcDomainDnsName to determine si le DC is actually advertising as a time server. The advertisement is performed via le Netlogon service.
GC Advertising. One way to determine si a dc is actually advertising as a Global Catalog is to use repadmin /showreps. If tout partition has pas (yet) been fully replicated, it will display 'WARNING: Not advertising as a global catalog'. Note that NLTest flags may indicate that le dc is configured as a GC; this 'configuration' is distinct depuis 'advertising'. Ceci est of particular interest in large distributed environments avec beaucoup de domains, as it may take days ou weeks for a dc to gradually replicate tous partitions to le point où le GC test passes.
Replication test. Each domain has a "tag" object, et one of le attributes is used to store a datetime value. All of le DC's are queried for these objects, et DC's avec values that exceed threshold are flagged for replication issues.
Strict Replication Consistency registry setting check. Strict Replication is le par défaut for nouveau Windows 2008 et later domains, however older established AD environments this was pas le par défaut et that setting would have been carried over. Lingering objects become much more difficult to identify et resolve in larger environments avec beaucoup de domains et DC's.
Pending replication count. Cela peut be obtained via WMI ou .NET. Ceci est le même as performing a repadmin /queue. DC's avec a high number of pending replications may have had replication shut down for certains reason. An example would be si Strict Replication Consistency were enabled, this would definitely shut down replication si an invalid ou deleted object were attempted to replicate inbound. C'est aussi possible to obtain le le plus recent datetime of le dernier successful replication for a particular neighbor, qui can be flagged si it exceeds a threshold.
