At some point last year, I was tasked with cleaning up and optimizing our Active Directory infrastructure before we migrated to Windows Server 2008 R2. I then went ahead and created a one-page, high-level overview of the work required. I split the project into two phases, Phase 1 (Back-end Infrastructure) and Phase 2 (Front End). Unfortunately, I never really had the opportunity to spend the much-needed time on optimizing and cleaning up the environment because I was put on more critical projects, so we had to outsource the project to another consultant. Of course, I still led the project from the architectural/decision-influence perspective.
With that said, one of the very first things I was looking into was creating a current-state analysis (a baseline or outline of the existing infrastructure: a starting point and a reference point I could compare against once I had finished optimizing the environment). The first tool that came to mind was BPA (Best Practices Analyzer). For those who are not familiar, BPA is built into Windows Server 2008 R2 and later (including 2012 R2); it scans the roles installed on a server and produces a report of every rule the configuration violates. Exchange Server has a similar tool called ExBPA (Exchange Best Practices Analyzer), and there are other scanners such as MBSA (Microsoft Baseline Security Analyzer), which covers missing updates and common security misconfigurations rather than role configuration. We ended up using one of Microsoft's other tools, ADRAP (Active Directory Risk and Health Assessment Program). What this tool does, essentially, is scan your entire Active Directory environment from top to bottom, from security to performance, and present a dashboard with the details of the scan, similar to BPA. You then review the results and make the changes accordingly.
Microsoft defines the Best Practices Analyzer as a tool that reduces best-practice violations by scanning one or more roles installed on a Windows Server. So what does that mean? If you've read some of my earlier posts about my VCAP-DCD notes, there's a section where I mention use cases for best practices. To reiterate for this post: best practices are configurations that have been tested and are known to function optimally and correctly in most environments. They are also the supported configurations, so when you open a technical support case you will be assisted without first being asked to change them. Not every best practice applies to every infrastructure, and deviating from one does not automatically make the configuration unsupported (always check the documentation). With that in mind, as an Architect or a Senior Administrator responsible for the health of your infrastructure, it is important to understand these principles and guidelines.
To make our lives easier, Microsoft lets us scan our environments whenever needed to detect deviations from its published guidance, so that we can fix them (or consciously document why we deviate). So how does a BPA scan work? In Windows Server 2012 R2 it's very simple:
Server Manager -> All Servers -> "Your Server" -> Best Practices Analyzer tile -> Tasks -> Start BPA Scan
On a domain controller the AD DS model produced findings such as the following:
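The same scan can be run from PowerShell, which is the more useful route when you want a repeatable baseline rather than a one-off look in Server Manager. The following is an added example, not code from the original post: it runs the AD DS BPA model, keeps only Error and Warning results, saves the first run as the baseline, and on later runs reports which findings were fixed and which are new. It requires an elevated session on the domain controller with the BestPractices module; the baseline path is an assumption.

```powershell
# Added example (not from the original post): run the AD DS Best Practices
# Analyzer from PowerShell, keep a baseline, and diff later scans against it.
# Requires the BestPractices module (Windows Server 2008 R2 and later) and an
# elevated session on the DC. The baseline location below is an assumption.
Import-Module BestPractices

$ModelId  = 'Microsoft/Windows/DirectoryServices'   # AD DS model; Get-BpaModel lists the others
$Baseline = 'C:\BPA\ADDS-baseline.xml'              # assumed path for the saved baseline

# Run the scan, then read the stored results and keep only actionable items
Invoke-BpaModel -ModelId $ModelId | Out-Null
$findings = @(Get-BpaResult -ModelId $ModelId |
    Where-Object { $_.Severity -in 'Error','Warning' -and -not $_.Excluded })

$findings | Select-Object Severity, Category, Title, Resolution | Format-List

if (-not (Test-Path $Baseline)) {
    # First run: this is the current-state baseline we compare against later
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $findings | Export-Clixml -Path $Baseline
    "Baseline saved with $($findings.Count) open finding(s)"
} else {
    # Later run: compare by RuleId so renamed titles do not hide a match
    $old    = @(Import-Clixml -Path $Baseline)
    $oldIds = @($old      | ForEach-Object { $_.RuleId })
    $newIds = @($findings | ForEach-Object { $_.RuleId })

    $old      | Where-Object { $_.RuleId -notin $newIds } | ForEach-Object { "FIXED: $($_.Title)" }
    $findings | Where-Object { $_.RuleId -notin $oldIds } | ForEach-Object { "NEW:   $($_.Title)" }
    "Still open: $(@($findings | Where-Object { $_.RuleId -in $oldIds }).Count)"
}
```

Get-BpaResult reads the results of the last scan stored on that server, so you can run it again without rescanning. Results you have reviewed and deliberately accepted can be suppressed with Set-BpaResult -Exclude $true; the Excluded filter above keeps those out of the diff so the baseline only tracks what you actually intend to fix.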
- Warning – All Domains should have at least two domain controllers for redundancy
- The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source
- All OUs in this domain should be protected from accidental deletion
Each of these is a concrete, actionable item, and together they cover both the security and the availability of the directory: a second domain controller removes a single point of failure, a correctly sourced PDC emulator keeps Kerberos authentication working (which fails once clock skew exceeds five minutes), and deletion protection stops one mis-click from removing an entire OU subtree.
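As an added example (not code from the original post), here is how the three findings above can be checked and remediated from an elevated PowerShell session on a domain controller with the ActiveDirectory module. The NTP peers are an assumption; use your organization's approved time sources. Only the forest-root PDC emulator should sync from an external source, because every other DC and member follows the domain hierarchy from it.

```powershell
# Added example (not from the original post): remediate the three BPA findings.
# Requires the ActiveDirectory module and an elevated session. The NTP peer
# list is an assumption; substitute your organization's approved time sources.
Import-Module ActiveDirectory

# 1. Redundancy: every domain in the forest should have at least two DCs.
#    This is a check only; adding a DC is a deployment task, not a setting.
foreach ($domain in (Get-ADForest).Domains) {
    $dcCount = @(Get-ADDomainController -Filter * -Server $domain).Count
    if ($dcCount -lt 2) { Write-Warning "$domain has only $dcCount domain controller(s); add a second one" }
    else                { "$domain has $dcCount domain controllers" }
}

# 2. Time: the forest-root PDC emulator is the authoritative clock for the
#    whole forest, so it is the one host that should sync from an external
#    source and advertise itself as reliable.
$rootDomain = (Get-ADForest).RootDomain
$pdc        = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$peers      = 'time.windows.com,0x8 pool.ntp.org,0x8'   # assumed peers; 0x8 = client mode

Invoke-Command -ComputerName $pdc -ArgumentList $peers -ScriptBlock {
    param($peerList)
    w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm.exe /resync /nowait
    w32tm.exe /query /source      # should now report one of the peers, not "Local CMOS Clock"
}

# 3. Accidental deletion: protect every OU in the domain, not just the ones
#    the report listed, so new OUs created later do not reopen the finding.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    ForEach-Object {
        Set-ADOrganizationalUnit -Identity $_ -ProtectedFromAccidentalDeletion $true
        "Protected: $($_.DistinguishedName)"
    }

# Verify nothing is left unprotected before re-running the BPA scan
$remaining = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
               Where-Object { -not $_.ProtectedFromAccidentalDeletion }).Count
"Unprotected OUs remaining: $remaining"
```

Note that ProtectedFromAccidentalDeletion only adds a Deny ACE for Delete and Delete Subtree on the object; an administrator can still clear the flag and delete the OU, so it protects against mistakes, not against a compromised privileged account.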
Once the deficiencies have been addressed, we can initiate another BPA scan to ensure everything is in good working order and that there are no more warnings or issues at hand.
Personally, I find this to be a great tool, simply because it is so much more efficient to scan your environment than to check every setting manually. Microsoft has incorporated its own best practices into the Best Practices Analyzer, and by measuring against that baseline we can quickly identify the areas that need improvement. It can also save a lot of time and headaches by detecting issues that would otherwise cause major problems down the road.
Keep this tool in your toolbox, and use it regularly.