One of the critical parts of Active Directory is DFS. It allows you to share the same NETLOGON/SYSVOL folders across all Domain Controllers in your Forest. Its health is vital to the functionality of your Active Directory. If it's broken, a lot of things may not work, and it's not that easy to tell what state it is in. At first sight, everything may seem to work correctly, but if you take a closer look, not so much. It's great if you find it out by yourself, but not fun if GPOs suddenly don't apply to some users or computers and you find out a year later.
So what to do? Verify that your DFS is healthy on all your DCs, and do it frequently enough. For this purpose I've automated this process and created a single function, Get-WinADDFSHealth.
Get-WinADDFSHealth | Format-Table -AutoSize *
As you can see above, the Get-WinADDFSHealth function performs a lot of verifications on each DC. It verifies that replication is healthy, that the GPO count matches the SYSVOL count, and multiple other settings. If something is wrong, you can assess this quickly by checking the Status column. Of course, not everything fits on the screen. If we check the details for each DC, we can get more information.
Additionally, DFSEvents are provided for quick assessment.
You can also limit the number of DCs to test. You can use SkipRODC, IncludeDomains, ExcludeDomains, IncludeDomainControllers and ExcludeDomainControllers. This allows you to be flexible with what you want to test at any given moment.
This function is available as part of the ADEssentials module. It requires administrative privileges (Domain Admin or similar). You also need to have the ActiveDirectory and GPO modules installed from RSAT. That's standard for Domain Admins.
Install-Module ADEssentials -Force
After installing or updating that module, you're good to go, and the above commands should be available. As always, before running anything in production, make sure to test in a test environment and review the source code that I provide on GitHub.
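Because a broken SYSVOL can go unnoticed for a long time, the check is worth scheduling. The script below is an added example, not code from the ADEssentials project: it runs Get-WinADDFSHealth with the filtering parameters described above, archives the results and returns a non-zero exit code when any DC fails. It assumes Status is $true for a healthy DC; the domain name and report folder are placeholders.

```powershell
#Requires -Modules ADEssentials
# Added example: scheduled DFS/SYSVOL health check built on Get-WinADDFSHealth.
# Assumptions (not from the article): Status is $true for a healthy DC;
# 'ad.example.com' and C:\Reports\DFSHealth are placeholders.

$ErrorActionPreference = 'Stop'
$Domain    = 'ad.example.com'           # placeholder domain name
$ReportDir = 'C:\Reports\DFSHealth'     # placeholder output folder
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

if (-not (Test-Path -Path $ReportDir)) {
    New-Item -Path $ReportDir -ItemType Directory -Force | Out-Null
}

try {
    # IncludeDomains and SkipRODC are the filtering parameters named in the article
    $Results = @(Get-WinADDFSHealth -IncludeDomains $Domain -SkipRODC)
} catch {
    Write-Warning "DFS health check could not run: $($_.Exception.Message)"
    exit 2
}

# An empty result means nothing was verified, which is a failure, not a pass
if ($Results.Count -eq 0) {
    Write-Warning "No domain controllers were tested in $Domain"
    exit 2
}

# Keep a flat history of every run; DFSEvents is nested, so leave it out of the CSV
$Results | Select-Object -Property * -ExcludeProperty DFSEvents |
    Export-Csv -Path (Join-Path $ReportDir "DFSHealth-$Stamp.csv") -NoTypeInformation

# Anything that is not explicitly healthy is treated as a failure
$Unhealthy = @($Results | Where-Object { $_.Status -ne $true })
if ($Unhealthy.Count -gt 0) {
    # Full detail, including DFSEvents, only for the DCs that failed
    $Unhealthy | ConvertTo-Json -Depth 3 |
        Set-Content -Path (Join-Path $ReportDir "DFSHealth-Unhealthy-$Stamp.json")
    Write-Warning "$($Unhealthy.Count) of $($Results.Count) DCs failed the DFS health check"
    exit 1
}

Write-Output "All $($Results.Count) DCs passed the DFS health check"
exit 0
```

Run it from a scheduled task under an account with the privileges noted above and alert on exit codes 1 and 2.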
Now that you know the Get-WinADDFSHealth command, I wanted to remind you that this command is used as part of Testimo. If you've never heard of Testimo, it's worth reading the “What do we say to health checking Active Directory?” blog post. It's not up to date with all the features it currently has, but it should give you an idea of what it is about. In short, with just a single command, it's able to provide a health check of your entire Active Directory. It works on defaults that I've defined, but everyone can modify settings in configuration files to match their environment's needs. Testimo is very much a work in progress, and I keep on adding more tests and enhancements.
Why mention it now? When you install Testimo, you get a single command called Invoke-Testimo. You can run it without any parameters, which will trigger a full scan and provide you with a “quick” overview of potential problems. The word quick is not a good description, because if your Forest\Domain has multiple DCs, this is going to take a while. However, Testimo also provides an easy way to pick the tests you want.
As you can see above, there are a lot of defined tests you can use. To execute Get-WinADDFSHealth, but through Invoke-Testimo, you can use the following command:
Invoke-Testimo -Sources DCDFS
As you can see, Testimo did a health assessment of your DFS using the Get-WinADDFSHealth command internally. You can also use the same command with the ShowReport switch, which generates an HTML summary for DCDFS and also provides details that you can verify.
Invoke-Testimo -Sources DCDFS -ShowReport
Each report has a diagram, the exact code that was used to generate the results (which you can use separately), an output table with details from that command, and finally the results of the assessment.
Of course, that's just one test executed on six Domain Controllers. Testimo can be run without parameters, performing 30+ tests in one go, or you can handpick the ones that are of interest to you. Do you remember the last articles?
Both of those blog posts covered commands from ADEssentials, and Testimo uses them internally to make sure AD is healthy without much effort on the operations side. You can schedule it or run ad hoc tests. Up to you.
Invoke-Testimo -Sources DCDFS,DCLDAP,DCLDAPInsecureBindings,DomainGroupPolicyMissingPermissions
Whether it's just one source or multiple sources, the ShowReport switch can be used as well:
Invoke-Testimo -Sources DCDFS,DCLDAP,DCLDAPInsecureBindings,DomainGroupPolicyMissingPermissions -ShowReport
Testimo is one of my favorite PowerShell modules that I frequently use for quick or not so quick assessment of Active Directory. I don't have to remember all the commands for testing LDAP, finding whether DFS is functioning correctly or checking if Active Directory replication is working as expected.
Installing Testimo is as easy as using ADEssentials.
Install-Module Testimo -Force
After installing or updating that module, you're good to go, and the above commands should be available. As always, before running anything in production, make sure to test in a test environment and review the source code that I provide on GitHub.