During an AD DS migration or health check, system engineers and auditors need a checklist of what should be discovered. This is a working checklist, created here for peer review and peer additions. It aims to cover the high-level items to look for during an AD DS discovery or audit. It is not a step-by-step guide but a high-level overview to keep track of what needs to be discovered.
For a checklist on Active Directory Domain Deployment check out:
https://social.technet.microsoft.com/wiki/contents/articles/40225.active-directory-domain-deployment-checklist.aspx
For a checklist on Active Directory Domain Migrations check out:
https://social.technet.microsoft.com/wiki/contents/articles/43908.active-directory-migration-checklist.aspx
- Forest(s) Discovery
- All child domains
- All trusts
- Stale or broken trusts
- Forest Functional Level
- Domains/Sites/DCs/GCs/Exchange/Other
- Forest Features
- Tombstone lifetime
- SID filter info
- Domain(s) Discovery
- All trusts
- Stale or broken trusts
- Domain Functional Level
- Sites/DCs/GCs/Exchange/Other
- FSMO role holders (PDC emulator, RID master, infrastructure master)
- SID filter info (per trust)
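As an added example (not part of the original checklist), the following PowerShell collects the forest- and domain-level items above with the RSAT ActiveDirectory module. It assumes the module is installed, that the caller is a domain user (the configuration partition is readable by any authenticated user), and that `nltest.exe` can reach each domain's PDC emulator for the secure-channel check.

```powershell
# Added example: forest, domain and trust discovery (RSAT ActiveDirectory module assumed).
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Forest summary: functional level, member domains, GCs and forest-wide FSMO roles
[pscustomobject]@{
    Forest             = $forest.Name
    ForestMode         = $forest.ForestMode
    Domains            = $forest.Domains -join ', '
    GlobalCatalogs     = $forest.GlobalCatalogs -join ', '
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
} | Format-List

# Optional forest features (Recycle Bin, Privileged Access Management);
# an empty EnabledScopes means the feature was never enabled.
Get-ADOptionalFeature -Filter * |
    Select-Object Name, @{ n = 'EnabledScopes'; e = { $_.EnabledScopes -join ', ' } }

# Tombstone lifetime is stored on the Directory Service object in the configuration
# partition. A blank value means the OS default applies (60 days for forests created
# before Windows Server 2003 SP1, 180 days afterwards).
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
"Tombstone lifetime: $(if ($tsl) { "$tsl days" } else { 'not set (OS default applies)' })"

foreach ($name in $forest.Domains) {
    # Per-domain detail: functional level, hierarchy, FSMO roles, writable DCs and RODCs
    $d = Get-ADDomain -Identity $name
    [pscustomobject]@{
        Domain               = $d.DNSRoot
        DomainMode           = $d.DomainMode
        Parent               = $d.ParentDomain
        ChildDomains         = $d.ChildDomains -join ', '
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        WritableDCs          = $d.ReplicaDirectoryServers -join ', '
        RODCs                = $d.ReadOnlyReplicaDirectoryServers -join ', '
    } | Format-List

    # Trusts: direction, type, SID filtering state, and whether the secure channel from the
    # PDC emulator to the trusted domain still works (a failing nltest call is the
    # "stale or broken trust" signal).
    Get-ADTrust -Filter * -Server $name | ForEach-Object {
        nltest.exe "/server:$($d.PDCEmulator)" "/sc_verify:$($_.Target)" 2>&1 | Out-Null
        [pscustomobject]@{
            Source                  = $name
            Target                  = $_.Target
            Direction               = $_.Direction
            TrustType               = $_.TrustType
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            # Quarantined = SID filtering on an external/domain trust;
            # ForestAware = SID filtering on a forest trust (the default for new forest trusts)
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            SecureChannelOK         = ($LASTEXITCODE -eq 0)
        }
    } | Format-Table -AutoSize
}
```

Run it once per forest from a management host; the trust section runs against every domain so cross-domain and external trusts appear from both sides.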
- Logical Structure
- Domain hierarchy
- OU structure
- Empty OUs
- Have default ACLs been changed
- Sites and Services
- Summary
- Site names
- Physical Locations
- DCs in each site
- Subnets
- Missing Subnets
- Site connections
- Site links
- Replication Interval
- GPOs applied to sites
- Site mirroring between domains and other domains/forests
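The Sites and Services items above can be pulled from the configuration partition and from the Netlogon debug log on each DC. This is an added example, not part of the original checklist; it assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to the `admin$` share on every DC (for the missing-subnet check). Site-linked GPOs are read from the site object's `gPLink` attribute.

```powershell
# Added example: Sites and Services inventory (RSAT ActiveDirectory and GroupPolicy modules assumed).
Import-Module ActiveDirectory, GroupPolicy

$sites   = Get-ADReplicationSite -Filter * -Properties location, gPLink
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$dcs     = Get-ADDomainController -Filter *

# Site summary: physical location, DCs, subnets and GPOs linked to the site.
# gPLink holds entries like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;0]
$siteReport = foreach ($s in $sites) {
    $gpoNames = [regex]::Matches([string]$s.gPLink, '\{([0-9A-Fa-f-]{36})\}') | ForEach-Object {
        $guid = $_.Groups[1].Value
        try { (Get-GPO -Guid $guid).DisplayName } catch { "orphaned link $guid" }
    }
    [pscustomobject]@{
        Site     = $s.Name
        Location = $s.location
        DCs      = ($dcs | Where-Object Site -eq $s.Name | ForEach-Object HostName) -join ', '
        Subnets  = ($subnets | Where-Object Site -eq $s.DistinguishedName | ForEach-Object Name) -join ', '
        GPOs     = $gpoNames -join ', '
    }
}
$siteReport | Format-Table -AutoSize

# Site links: cost, replication interval in minutes (DEFAULTIPSITELINK ships at 180) and member sites
Get-ADReplicationSiteLink -Filter * -Properties * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# Connection objects; KCC-generated ones carry GUID names, anything else was created by hand
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

# Missing subnets: Netlogon logs clients from undefined subnets as NO_CLIENT_SITE entries
# in %SystemRoot%\debug\netlogon.log on every DC. Group by IP to see which ranges to add.
$missing = foreach ($dc in $dcs) {
    $log = "\\$($dc.HostName)\admin$\debug\netlogon.log"
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)' | ForEach-Object {
            [pscustomobject]@{
                DC     = $dc.HostName
                Client = $_.Matches[0].Groups[1].Value
                IP     = $_.Matches[0].Groups[2].Value
            }
        }
    }
}
$missing | Group-Object IP | Sort-Object Count -Descending |
    Select-Object @{ n = 'IP'; e = { $_.Name } }, Count -First 50
```

The netlogon.log only records NO_CLIENT_SITE while Netlogon debug logging is at its default level or higher; a DC with an empty log is not proof that every subnet is defined.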
- Domain Controller Configurations
- IP addresses
- Names
- Disk space report
- Server up time
- Physical Locations
- Journal Wrap (if FRS)
- Is DFS used in the environment
- Schema Extensions
- Azure connections
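The domain controller items above (addresses, names, disk, uptime, FRS journal wrap, DFS, schema extensions and Azure AD Connect traces) can be gathered remotely. This is an added example, not part of the original checklist; it assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module and CIM/service access to each DC. Service presence is used as a proxy for the Sysvol replication engine (the authoritative answer is `dfsrmig /getglobalstate` on a DC).

```powershell
# Added example: per-DC configuration report (RSAT ActiveDirectory module; CIM access to each DC assumed).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

$dcReport = foreach ($dc in Get-ADDomainController -Filter *) {
    $h   = $dc.HostName
    $os  = Get-CimInstance -ComputerName $h -ClassName Win32_OperatingSystem -ErrorAction SilentlyContinue
    $dsk = Get-CimInstance -ComputerName $h -ClassName Win32_LogicalDisk -Filter 'DriveType=3' -ErrorAction SilentlyContinue
    # NtFrs running means Sysvol is still on FRS; after migration only the DFSR service replicates it
    $frs    = Get-Service -ComputerName $h -Name NtFrs -ErrorAction SilentlyContinue
    $usesFrs = [bool]($frs -and $frs.Status -eq 'Running')
    # Journal wrap is reported as event 13568 in the File Replication Service log (FRS only)
    $wrap = if ($usesFrs) {
        @(Get-WinEvent -ComputerName $h -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13568 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue).Count -gt 0
    } else { $false }
    [pscustomobject]@{
        Name        = $h
        IPv4        = $dc.IPv4Address
        Site        = $dc.Site
        OS          = $dc.OperatingSystem
        GC          = $dc.IsGlobalCatalog
        RODC        = $dc.IsReadOnly
        UptimeDays  = if ($os) { [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1) }
        Disks       = ($dsk | ForEach-Object { '{0} {1:N0}/{2:N0} GB free' -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB) }) -join '; '
        SysvolRepl  = if ($usesFrs) { 'FRS' } else { 'DFSR' }
        JournalWrap = $wrap
    }
}
$dcReport | Format-Table -AutoSize

# Domain-based DFS namespaces are registered under CN=Dfs-Configuration,CN=System
$dfsRoots = Get-ADObject -SearchBase "CN=Dfs-Configuration,CN=System,$($domain.DistinguishedName)" `
    -Filter * -SearchScope OneLevel
"DFS namespaces in AD: $(@($dfsRoots).Count)"

# Schema extensions: attribute and class objects created after the schema container itself,
# grouped by day so each vendor or adprep batch shows up as one line. Review the names
# (msExch*, ms-Mcs-*, etc.) rather than just counting.
$schemaNC = $rootDse.schemaNamingContext
$schemaCreated = (Get-ADObject -Identity $schemaNC -Properties whenCreated).whenCreated
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' `
    -Properties whenCreated, lDAPDisplayName |
    Where-Object { $_.whenCreated -gt $schemaCreated.AddDays(1) } |
    Group-Object { $_.whenCreated.Date.ToString('yyyy-MM-dd') } |
    Select-Object Name, Count, @{ n = 'Examples'; e = { ($_.Group.lDAPDisplayName | Select-Object -First 5) -join ', ' } }

# Azure AD Connect leaves a sync account named MSOL_<hex>; hybrid Azure AD join registers a
# Service Connection Point with a fixed GUID whose keywords name the tenant.
Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description, LastLogonDate |
    Select-Object Name, Description, LastLogonDate
$scp = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$($rootDse.configurationNamingContext)"
Get-ADObject -Identity $scp -Properties keywords -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty keywords
```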
- Network and Infrastructure
- DNS
- AD integrated zones
- Forest replicated zones
- Domain replicated zones
- Conditional forwarding
- Domain level auditing
- Export each DNS zone for posterity (keep a copy of the zone files before any change)
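The DNS items above map onto the RSAT DnsServer module. This added example (not part of the original checklist) lists AD-integrated zones by replication scope, separates conditional forwarders from server-level forwarders, reports aging per zone, and exports every zone twice: as a record-level CSV and as a server-side zone file. It assumes DNS runs on the DCs; `$exportDir` is a constructed path.

```powershell
# Added example: AD-integrated DNS inventory and zone export (RSAT DnsServer and ActiveDirectory modules).
Import-Module DnsServer, ActiveDirectory

$dns       = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
$exportDir = 'C:\ADDiscovery\DNS'   # constructed path for this example
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

$zones = Get-DnsServerZone -ComputerName $dns

# AD-integrated zones by replication scope: Forest = ForestDnsZones partition,
# Domain = DomainDnsZones, Legacy = stored in the domain partition (pre-2003 style),
# Custom = a custom application partition
$zones | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ZoneType, ReplicationScope, DirectoryPartitionName, DynamicUpdate, IsReverseLookupZone |
    Sort-Object ReplicationScope, ZoneName | Format-Table -AutoSize

# Zones hosted on the server but not in AD (file-backed primaries, secondaries, stubs)
# are easy to miss in a migration because they do not replicate with the directory
$zones | Where-Object { -not $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' } |
    Select-Object ZoneName, ZoneType, @{ n = 'Masters'; e = { $_.MasterServers.IPAddressToString -join ', ' } }

# Conditional forwarders are stored as zones of type Forwarder (AD-integrated or local);
# server-level forwarders are a separate setting
$zones | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope,
        @{ n = 'MasterServers'; e = { $_.MasterServers.IPAddressToString -join ', ' } }
"Server forwarders: $((Get-DnsServerForwarder -ComputerName $dns).IPAddress.IPAddressToString -join ', ')"

# Aging/scavenging per zone; zones with aging off accumulate stale records
$zones | Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated } | ForEach-Object {
    Get-DnsServerZoneAging -Name $_.ZoneName -ComputerName $dns |
        Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
} | Format-Table -AutoSize

# Keep a copy of every zone. Export-DnsServerZone writes a zone file into
# %SystemRoot%\System32\dns on the DNS server; the CSV lands on the management host.
foreach ($z in $zones | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }) {
    Get-DnsServerResourceRecord -ZoneName $z.ZoneName -ComputerName $dns |
        Select-Object HostName, RecordType, TimeToLive, Timestamp,
            @{ n = 'Data'; e = { ($_.RecordData.CimInstanceProperties | ForEach-Object Value) -join ' ' } } |
        Export-Csv -NoTypeInformation -Path (Join-Path $exportDir "$($z.ZoneName).csv")
    Export-DnsServerZone -Name $z.ZoneName -FileName "$($z.ZoneName).export.dns" -ComputerName $dns
}
```

Run the export section against one DNS server per replication scope; AD-integrated zones are identical on every DC that hosts them, but file-backed zones must be exported from the server that owns them.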
- Networking
- Physical site list
- Subnets at each site
- Site link speed and utilization level (how saturated is the link)
- Network Topology
- Firewall locations
- VLAN restrictions
- Router ACLs
- DHCP
- Authorized DHCP server discovery
- AD requirements
- High availability aspects
- IPAM
- Other Infrastructure Services
- WINS server discovery
- Is WINS active
- Are there application or service requirements
- Exchange server discovery
- SCCM server discovery
- WSUS
- AD CS
- AD FS
- Other
- Time services
- Identity Management
- DNS
- Directory Objects
- Naming
- Administrator accounts
- Privileged administrator accounts
- User accounts
- Service accounts
- Application accounts
- Workstation single sign-on accounts
- Groups
- Attributes
- Attribute usage
- Administrator accounts
- Privileged administrator accounts
- User accounts
- Service accounts
- Application accounts
- Workstation single sign-on accounts
- Groups
- Computer accounts
- Attribute usage
- Naming
- Security
- Security Patch report
- What is the patching process
- What patches are missing
- Vulnerability scan
- RODC implementations
- Is ATA implemented
- Is LAPS implemented
- Application control policies
- RPC ephemeral ports
- Firewalls
- Perimeter firewalls
- Hypervisor firewalls
- Firewall policies
- Physical security
- Are authentication policies and authentication policy silos implemented
- Anti-virus solution
- Auditing
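Several of the security items above can be answered from the directory and from each DC without a separate scanner: RODC placement, whether LAPS has extended the schema, whether authentication policies and silos exist, whether an ATA gateway or Defender for Identity sensor runs on the DCs, the most recent hotfix, the RPC port range, firewall profiles, Defender state and the number of audited subcategories. This is an added example, not part of the original checklist; it assumes Windows PowerShell 5.1, the RSAT ActiveDirectory module and WinRM access to the DCs. A vulnerability scan and a true missing-patch report still need WSUS, SCCM or a scanner.

```powershell
# Added example: security-posture checks (RSAT ActiveDirectory module, Windows PowerShell 5.1, WinRM to DCs assumed).
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dcs     = Get-ADDomainController -Filter *

# RODC implementations
$dcs | Where-Object IsReadOnly | Select-Object HostName, Site

# LAPS: legacy LAPS adds ms-Mcs-AdmPwd to the computer class, Windows LAPS adds msLAPS-Password.
# An unknown attribute in an LDAP filter simply matches nothing, so the test is safe either way.
foreach ($attr in 'ms-Mcs-AdmPwd', 'msLAPS-Password') {
    $present = [bool](Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$attr)")
    '{0,-16} in schema: {1}' -f $attr, $present
}
# Computers that actually carry a managed password (legacy LAPS attribute shown)
"Computers with ms-Mcs-AdmPwdExpirationTime: $(@(Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' -ErrorAction SilentlyContinue).Count)"

# Authentication policies and silos (require Windows Server 2012 R2 domain functional level)
Get-ADAuthenticationPolicy -Filter * | Select-Object Name, Enforce, UserTGTLifetimeMins
Get-ADAuthenticationPolicySilo -Filter * |
    Select-Object Name, Enforce, @{ n = 'Members'; e = { @($_.Members).Count } }

# Per-DC checks
$dcs | ForEach-Object {
    $h = $_.HostName
    # ATAGateway = Advanced Threat Analytics lightweight gateway, AATPSensor = Defender for Identity
    $sensor  = Get-Service -ComputerName $h -Name ATAGateway, AATPSensor -ErrorAction SilentlyContinue
    $lastFix = Get-HotFix -ComputerName $h -ErrorAction SilentlyContinue | Sort-Object InstalledOn | Select-Object -Last 1
    $remote  = Invoke-Command -ComputerName $h -ErrorAction SilentlyContinue -ScriptBlock {
        # A populated HKLM\SOFTWARE\Microsoft\Rpc\Internet means the ephemeral RPC range was
        # restricted; absent means the OS default dynamic range (49152-65535 since Vista/2008)
        $rpc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RpcPorts = if ($rpc.Ports) { $rpc.Ports -join ',' } else { 'OS default' }
            Firewall = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
            # Defender only; a third-party product shows as 'unknown' here
            Defender = $(try { (Get-MpComputerStatus -ErrorAction Stop).AntivirusEnabled } catch { 'unknown' })
            # auditpol /r emits CSV; count subcategories with any auditing configured
            Audited  = @(auditpol.exe /get /category:* /r | ConvertFrom-Csv |
                         Where-Object 'Inclusion Setting' -ne 'No Auditing').Count
        }
    }
    [pscustomobject]@{
        DC            = $h
        Sensor        = if ($sensor) { ($sensor | ForEach-Object { "$($_.Name):$($_.Status)" }) -join ' ' } else { 'none' }
        LastHotfix    = $lastFix.InstalledOn
        RpcPorts      = $remote.RpcPorts
        Firewall      = $remote.Firewall
        DefenderOn    = $remote.Defender
        AuditedSubcat = $remote.Audited
    }
} | Format-Table -AutoSize
```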
- Applications in the environment
- Team manager per App
- Application owner per App
- Tier or SLA (how critical is the app)
- Special requirements
- Down time procedures
- Authentication method
- Local
- Active Directory
- Service accounts
- Other
- Users
- All
- Detailed information
- Initial count
- Ongoing count for growth projections
- Disabled
- Count
- Password no expire
- Count
- Token size report
- Locked users
- Dial-in enabled
- Delegation
- Password not required
- Password must change
- Service accounts (accounts running as a service on computers in the domain)
- All
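The user-account counts above, the token-size report and the service-account discovery can come from one script. This is an added example, not part of the original checklist; it assumes the RSAT ActiveDirectory module and CIM access to member servers. The token-size figure is an upper-bound estimate using Microsoft's published formula (about 1200 fixed bytes plus up to 40 bytes per group SID); the 900-group and 12,000-byte thresholds are constructed review triggers, chosen below the 1,015-group Kerberos limit and the pre-Windows 2012 default MaxTokenSize.

```powershell
# Added example: user-account discovery report and service-account detection
# (RSAT ActiveDirectory module; CIM access to member servers assumed).
Import-Module ActiveDirectory

$props = 'Enabled', 'PasswordNeverExpires', 'PasswordNotRequired', 'LockedOut', 'pwdLastSet',
         'msNPAllowDialin', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'servicePrincipalName', 'LastLogonDate', 'whenCreated'
$users = Get-ADUser -Filter * -Properties $props

function Get-MatchCount ($Set, [scriptblock]$Test) { @($Set | Where-Object $Test).Count }

# Counts for the report; re-run later and diff for growth projections
[pscustomobject]@{
    Total                   = @($users).Count
    Enabled                 = Get-MatchCount $users { $_.Enabled }
    Disabled                = Get-MatchCount $users { -not $_.Enabled }
    PasswordNeverExpires    = Get-MatchCount $users { $_.PasswordNeverExpires }
    PasswordNotRequired     = Get-MatchCount $users { $_.PasswordNotRequired }
    MustChangePassword      = Get-MatchCount $users { $_.pwdLastSet -eq 0 }     # "must change at next logon"
    LockedOut               = Get-MatchCount $users { $_.LockedOut }
    DialInAllowed           = Get-MatchCount $users { $_.msNPAllowDialin }
    UnconstrainedDelegation = Get-MatchCount $users { $_.TrustedForDelegation }
    ConstrainedDelegation   = Get-MatchCount $users { $_.'msDS-AllowedToDelegateTo' }
    ProtocolTransition      = Get-MatchCount $users { $_.TrustedToAuthForDelegation }
    HasSPN                  = Get-MatchCount $users { $_.servicePrincipalName }  # user accounts acting as service identities
    Inactive180d            = Get-MatchCount $users { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-180) }
    CreatedLast90d          = Get-MatchCount $users { $_.whenCreated -gt (Get-Date).AddDays(-90) }
} | Format-List

# Token size: tokenGroups is the full transitive SID list the KDC would pack into the PAC.
# One base-scope read per user, so this is the slow part on large domains.
$tokenReport = foreach ($u in $users | Where-Object Enabled) {
    $n = @((Get-ADUser -Identity $u.DistinguishedName -Properties tokenGroups).tokenGroups).Count
    [pscustomobject]@{ User = $u.SamAccountName; Groups = $n; EstimatedMaxBytes = 1200 + 40 * $n }
}
$tokenReport | Where-Object { $_.Groups -gt 900 -or $_.EstimatedMaxBytes -gt 12000 } |
    Sort-Object Groups -Descending | Format-Table -AutoSize

# Service accounts: domain identities configured as the logon account of a Windows service.
# Built-in identities are filtered out; gMSAs show up as DOMAIN\name$ and are worth keeping.
$servers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Server*"' -Properties OperatingSystem
$svcAccounts = foreach ($srv in $servers) {
    Get-CimInstance -ComputerName $srv.DNSHostName -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        Select-Object @{ n = 'Computer'; e = { $srv.Name } }, Name, StartName, StartMode, State
}
$svcAccounts | Group-Object StartName |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count,
        @{ n = 'Computers'; e = { ($_.Group.Computer | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Scheduled tasks, IIS application pools and COM+ applications also run under domain accounts and are not covered by `Win32_Service`; treat the service list as the floor, not the full set.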
- Computers
- Detailed report - plus the following
- With OS attribute populated
- Without OS attribute populated
- Are cluster accounts documented
- Information pulled from SCCM or scripts
- Workstation OS version
- Workstation patch level
- Outlook version
- Office version
- Drive mappings not defined by GPO
- Total computer objects
- Disabled
- Grouped by function
- Workstations
- Initial count
- Ongoing count for growth projections
- Stale
- Disabled
- Servers
- Initial count
- Ongoing count for growth projections
- Stale
- Disabled
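The computer-object counts above (total, disabled, stale, grouped by function, with and without the OS attribute, and cluster accounts) are derived in this added example, which is not part of the original checklist. It assumes the RSAT ActiveDirectory module; `$staleDays` and the output path are constructed values. Patch level, Office and Outlook versions and non-GPO drive mappings are not in AD and still need SCCM or a logon script.

```powershell
# Added example: computer-account report with stale/disabled/cluster breakdown (RSAT ActiveDirectory module).
Import-Module ActiveDirectory

$staleDays = 90                                  # constructed threshold; align with site policy
$cutoff    = (Get-Date).AddDays(-$staleDays)
$outDir    = 'C:\ADDiscovery'                    # constructed path
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$computers = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate,
                PasswordLastSet, Enabled, servicePrincipalName, whenCreated

# lastLogonTimestamp (LastLogonDate) replicates with up to 14 days of lag and the machine
# password rotates every 30 days by default, so "stale" requires BOTH to be older than the cutoff.
# Cluster name objects and virtual computer objects carry an MSClusterVirtualServer SPN.
$classified = foreach ($c in $computers) {
    $isCluster = [bool]($c.servicePrincipalName -match '^MSClusterVirtualServer/')
    [pscustomobject]@{
        Name       = $c.Name
        Enabled    = $c.Enabled
        Role       = if ($isCluster) { 'Cluster (CNO/VCO)' }
                     elseif (-not $c.OperatingSystem) { 'Unknown (no OS attribute)' }
                     elseif ($c.OperatingSystem -match 'Server') { 'Server' }
                     else { 'Workstation' }
        OS         = $c.OperatingSystem
        OSVersion  = $c.OperatingSystemVersion
        LastLogon  = $c.LastLogonDate
        PwdLastSet = $c.PasswordLastSet
        Created    = $c.whenCreated
        Stale      = $c.Enabled -and $c.LastLogonDate -lt $cutoff -and $c.PasswordLastSet -lt $cutoff
    }
}

# Counts per function: baseline now, re-run later for growth projections
$classified | Group-Object Role | ForEach-Object {
    [pscustomobject]@{
        Role           = $_.Name
        Total          = $_.Count
        Disabled       = @($_.Group | Where-Object { -not $_.Enabled }).Count
        Stale          = @($_.Group | Where-Object Stale).Count
        CreatedLast90d = @($_.Group | Where-Object { $_.Created -gt (Get-Date).AddDays(-90) }).Count
    }
} | Format-Table -AutoSize

# OS spread as recorded in AD (the OS attribute is written by the client at join/startup)
$classified | Where-Object OS | Group-Object OS | Sort-Object Count -Descending |
    Select-Object @{ n = 'OperatingSystem'; e = { $_.Name } }, Count

# Cluster accounts for the documentation check, and the full detail for the appendix
$classified | Where-Object Role -like 'Cluster*' | Select-Object Name, Enabled, LastLogon
$classified | Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'computers.csv')
```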
- Contacts
- Count
- Logical location
- Groups
- Initial count
- Ongoing count for growth projections
- Empty
- Similar
- Nested
- Global groups
- Global distribution groups
- Domain local security
- Domain local distribution
- Admin built-in groups
- Enterprise Admins
- Schema Admins
- Domain Admins
- DNS Admins
- Administrators
- Account Operators
- Cert Publishers
- Backup Operators
- Print Operators
- Server Operators
- Membership details
- Membership counts
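The group items above (counts by scope and category, empty, similar and nested groups, and recursive membership of the built-in administrative groups) are produced by this added example, which is not part of the original checklist. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module and is run in the forest root domain so Enterprise Admins and Schema Admins resolve. "Similar" is implemented as identical member sets, a common leftover from earlier migrations.

```powershell
# Added example: group inventory, empty/nested/duplicate detection and privileged built-in membership
# (RSAT ActiveDirectory module, Windows PowerShell 5.1 assumed).
Import-Module ActiveDirectory

$groups   = Get-ADGroup -Filter * -Properties member, GroupCategory, GroupScope, whenCreated
$groupDNs = [System.Collections.Generic.HashSet[string]]::new([string[]]$groups.DistinguishedName)

# Counts by scope and category (global/universal/domain local, security/distribution)
$groups | Group-Object GroupScope, GroupCategory | Select-Object Name, Count
"Groups created in the last 90 days: $(@($groups | Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-90) }).Count)"

# Empty groups. Primary-group membership is not stored in 'member', so Domain Users,
# Domain Computers and Domain Controllers legitimately look empty here.
$empty = $groups | Where-Object { -not $_.member }
"Empty groups: $(@($empty).Count)"

# Nested groups: groups whose member attribute contains other groups
$nested = $groups | Where-Object { @($_.member | Where-Object { $groupDNs.Contains($_) }).Count -gt 0 }
"Groups containing other groups: $(@($nested).Count)"

# Similar groups: identical member sets
$groups | Where-Object member |
    Group-Object { ($_.member | Sort-Object) -join '|' } |
    Where-Object Count -gt 1 |
    ForEach-Object { "Identical membership: $($_.Group.Name -join ', ')" }

# Privileged built-in groups with recursive membership. Get-ADGroupMember -Recursive fails on
# foreign security principals from trusted domains, so fall back to the raw member DNs.
$privileged = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators', 'Account Operators',
              'Server Operators', 'Backup Operators', 'Print Operators', 'DnsAdmins', 'Cert Publishers'
$privReport = foreach ($name in $privileged) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Properties member
    if (-not $g) { continue }   # Enterprise Admins and Schema Admins exist only in the forest root
    $members = try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop | ForEach-Object SamAccountName
    } catch {
        $g.member | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    }
    [pscustomobject]@{
        Group   = $name
        Count   = @($members).Count
        Members = ($members | Sort-Object -Unique) -join ', '
    }
}
$privReport | Format-Table -AutoSize

# adminCount=1 marks objects protected by AdminSDHolder; it is never cleared automatically,
# so anything listed here that is not in the report above is an orphan with a frozen ACL.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, ObjectClass | Sort-Object ObjectClass, Name
```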
- Group Policy
- Backup all GPOs
- Not linked
- Empty
- Disabled
- No Settings
- Passwords in Group Policy
- Scripts/applications in GPOs
- Bat files
- Exe files
- VBScripts
- KixScripts
- PowerShell scripts
- Images in GPOs
- Default Domain Policy - Standard or modified?
- Default Domain Controllers - Standard or modified?
- Who can join computers to the domain
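The Group Policy items above (backup, unlinked, empty, disabled, no-settings GPOs, the state of the two default policies and who may join computers) can be produced with the RSAT GroupPolicy module. This is an added example, not part of the original checklist; `$backupRoot` is a constructed path. The "Add workstations to domain" right is read from the Default Domain Controllers Policy XML report; if a different GPO overrides it in your environment, run the same XPath against that GPO's report.

```powershell
# Added example: GPO backup and hygiene report (RSAT GroupPolicy and ActiveDirectory modules).
Import-Module GroupPolicy, ActiveDirectory

$domain     = Get-ADDomain
$backupRoot = 'C:\ADDiscovery\GPOBackup'   # constructed path for this example
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
Backup-GPO -All -Path $backupRoot -Domain $domain.DNSRoot | Out-Null

# Per-GPO status from the XML report: linked anywhere, any settings configured, enabled state
$gpoReport = foreach ($g in Get-GPO -All -Domain $domain.DNSRoot) {
    [xml]$x = Get-GPOReport -Guid $g.Id -ReportType Xml -Domain $domain.DNSRoot
    [pscustomobject]@{
        Name        = $g.DisplayName
        Id          = $g.Id
        Status      = $g.GpoStatus                    # AllSettingsDisabled = fully disabled
        Linked      = [bool]$x.GPO.LinksTo
        HasSettings = [bool]($x.GPO.Computer.ExtensionData -or $x.GPO.User.ExtensionData)
        ComputerVer = $g.Computer.DSVersion           # version counters stay at 0 on a never-edited side
        UserVer     = $g.User.DSVersion
        Modified    = $g.ModificationTime
        Owner       = $g.Owner
    }
}
"GPOs: $(@($gpoReport).Count)"
$gpoReport | Where-Object { -not $_.Linked -or -not $_.HasSettings -or $_.Status -eq 'AllSettingsDisabled' } |
    Format-Table Name, Status, Linked, HasSettings, Modified -AutoSize

# Default Domain Policy and Default Domain Controllers Policy have well-known GUIDs.
# Compare creation vs modification time and the version counters to judge "standard or modified".
$defaults = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04fB984F9'
}
foreach ($entry in $defaults.GetEnumerator()) {
    $g = Get-GPO -Guid $entry.Value -Domain $domain.DNSRoot
    '{0}: created {1:u}, modified {2:u}, versions computer={3} user={4}' -f `
        $entry.Key, $g.CreationTime, $g.ModificationTime, $g.Computer.DSVersion, $g.User.DSVersion
}

# Who can join computers: ms-DS-MachineAccountQuota (default 10 lets every authenticated user
# create that many machine accounts) plus holders of SeMachineAccountPrivilege on the DCs.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota: $quota"
[xml]$ddcp = Get-GPOReport -Guid $defaults['Default Domain Controllers Policy'] -ReportType Xml -Domain $domain.DNSRoot
$right = $ddcp.SelectNodes("//*[local-name()='UserRightsAssignment']") |
    Where-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText -eq 'SeMachineAccountPrivilege' }
if ($right) {
    $holders = $right.SelectNodes("*[local-name()='Member']") |
        ForEach-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText }
    "Add workstations to domain: $($holders -join ', ')"
} else {
    'Add workstations to domain: not defined in Default Domain Controllers Policy'
}
```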
- Sysvol/Netlogon (What items are stored in Sysvol/Netlogon)
- Bat files
- Exe files
- VBScripts
- KixScripts
- PowerShell scripts
- Images
- Shortcuts
- RDP
- REG
- SCR
- ICO
- INI
- DLL
- MSI
- TXT
- CER
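The Sysvol/Netlogon inventory above can be produced by walking the replicated share, mapping each script or binary back to the GPO folder it lives in, and searching Group Policy Preferences XML for `cpassword` values (the AES key that protects them was published by Microsoft with MS14-025, so anything found is readable by every domain user). This is an added example, not part of the original checklist; it assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to Sysvol.

```powershell
# Added example: Sysvol/Netlogon inventory by file type, GPO mapping and GPP cpassword search
# (RSAT ActiveDirectory and GroupPolicy modules assumed).
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)"
$files  = Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue

# Count and size by extension (bat, exe, vbs, kix, ps1, images, rdp, reg, msi, cer and so on)
$files | Group-Object { $_.Extension.ToLower() } | Sort-Object Count -Descending |
    Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count,
        @{ n = 'SizeMB'; e = { [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1) } } |
    Format-Table -AutoSize

# Executable content: resolve the {GUID} folder under Policies\ to a GPO name; anything
# outside a policy folder lives in scripts\ (the Netlogon share)
$execExt = '.bat', '.cmd', '.exe', '.vbs', '.kix', '.ps1', '.msi', '.dll'
$files | Where-Object { $execExt -contains $_.Extension.ToLower() } | ForEach-Object {
    $gpo = if ($_.FullName -match '\{([0-9A-Fa-f-]{36})\}') {
        $guid = $Matches[1]
        try { (Get-GPO -Guid $guid -Domain $domain.DNSRoot).DisplayName } catch { "orphaned folder $guid" }
    } else { 'Netlogon (scripts\)' }
    [pscustomobject]@{
        GPO      = $gpo
        File     = $_.FullName.Substring($sysvol.Length)
        Modified = $_.LastWriteTime
    }
} | Sort-Object GPO, File | Format-Table -AutoSize

# Passwords in Group Policy: Preferences items (Groups.xml, Services.xml, ScheduledTasks.xml,
# DataSources.xml, Drives.xml, Printers.xml) store them as cpassword="..."; only non-empty values matter
$files | Where-Object Extension -eq '.xml' |
    Select-String -Pattern 'cpassword="[^"]+"' -List |
    Select-Object Path, LineNumber | Format-Table -AutoSize
```

Orphaned `{GUID}` folders (present in Sysvol with no matching GPO object) and GPOs with no Sysvol folder both indicate replication or deletion problems and are worth listing in the report alongside the file inventory.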