Forest Backup – Verify last backup time should be less than X days
Forest Replication – Verify each DC in replication site can reach other replication members
Forest Optional Features – Verify Optional Feature Recycle Bin should be Enabled
Forest Optional Features – Verify Optional Feature Privileged Access Management Feature should be Enabled
Forest Optional Features – Verify Optional Feature LAPS should be Enabled/Configured
Forest Sites Verification – Verify each site has at least one subnet configured
Forest Sites Verification – Verify each site has at least one domain controller configured
Forest Site Links – Verify each site link is automatic
Forest Site Links – Verify each site link uses notifications
Forest Site Links – Verify each site link does not use notifications
Forest Roles – Verify each FSMO holder is reachable
Forest Orphaned/Empty Admins – Verify there are no Orphaned Admins (users/groups/computers)
Forest Tombstone Lifetime – Verify Tombstone lifetime is greater than or equal to 180 days
Domain Roles – Verify each FSMO holder is reachable
Domain Password Complexity Requirements – Verify Password Complexity Policy should be Enabled
Domain Password Complexity Requirements – Verify Password Length should be greater than X
Domain Password Complexity Requirements – Verify Password Threshold should be greater than X
Domain Password Complexity Requirements – Verify Password Lockout Duration should be greater than X minutes
Domain Password Complexity Requirements – Verify Password Lockout Observation Window should be greater than X minutes
Domain Password Complexity Requirements – Verify Password Minimum Age should be greater than X
Domain Password Complexity Requirements – Verify Password History Count should be greater than X
Domain Password Complexity Requirements – Verify Password Reversible Encryption should be Disabled
Domain Trust Availability – Verify each Trust status is OK
Domain Trust Unconstrained TGTDelegation – Verify each Trust TGTDelegation is set to True
Domain Kerberos Account Age – Verify Kerberos Last Password Change should be less than 180 days
Domain Groups: Account Operators – Verify Group is empty
Domain Groups: Schema Admins – Verify Group is empty
Domain User: Administrator – Verify Last Password Change should be less than 360 days or account disabled
Domain DNS Forwarders – Verify DNS Forwarders are identical on all DNS nodes
Domain DNS Scavenging Primary DNS Server – Verify DNS Scavenging is set to X days
Domain DNS Scavenging Primary DNS Server – Verify DNS Scavenging State is set to True
Domain DNS Scavenging Primary DNS Server – Verify DNS Scavenging Time is less than X days
Domain DNS Zone Aging – Verify DNS Zone Aging is set
Domain Well known folder: UsersContainer – Verify folder is not at its defaults.
Domain Well known folder: ComputersContainer – Verify folder is not at its defaults.
Domain Well known folder: DomainControllersContainer – Verify folder is at its defaults.
Domain Well known folder: DeletedObjectsContainer – Verify folder is at its defaults.
Domain Well known folder: SystemsContainer – Verify folder is at its defaults.
Domain Well known folder: LostAndFoundContainer – Verify folder is at its defaults.
Domain Well known folder: QuotasContainer – Verify folder is at its defaults.
Domain Well known folder: ForeignSecurityPrincipalsContainer – Verify folder is at its defaults.
Domain Orphaned Foreign Security Principals – Verify there are no orphaned FSP objects.
Domain Orphaned/Empty Organizational Units – Verify there are no orphaned Organizational Units
Domain Group Policy Missing Permissions – Verify Authenticated Users/Domain Computers are on each and every Group Policy
Domain DFSR Sysvol – Verify SYSVOL is DFSR
Domain Controller Information – Is Enabled
Domain Controller Information – Is Global Catalog
Domain Controller Service Status – Verify all Services are running
Domain Controller Service Status – Verify all Services are set to automatic startup
Domain Controller Service Status (Print Spooler) – Verify Print Spooler Service is set to disabled
Domain Controller Service Status (Print Spooler) – Verify Print Spooler Service is stopped
Domain Controller Ping Connectivity – Verify DC is reachable
Domain Controller Ports – Verify the following ports 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 9389 are open
Domain Controller RDP Ports – Verify port 3389 (RDP) is open
Domain Controller RDP Security – Verify NLA is enabled
Domain Controller LDAP Connectivity – Verify all LDAP Ports are open
Domain Controller LDAP Connectivity – Verify all LDAP SSL Ports are open
Domain Controller Windows Firewall – Verify Windows Firewall is enabled for all network cards
Domain Controller Windows Remote Management – Verify Windows Remote Management identification requests are managed
Domain Controller Resolves internal DNS queries – Verify DNS on DC resolves Internal DNS
Domain Controller Resolves external DNS queries – Verify DNS on DC resolves External DNS
Domain Controller Name servers for primary domain zone – Verify DNS Name servers for primary zone are identical
Domain Controller Responds to PowerShell Queries – Verify DC responds to PowerShell queries
Domain Controller TimeSettings – Verify the PDC syncs time to an external source
Domain Controller TimeSettings – Verify non-PDC DCs sync time to the PDC emulator
Domain Controller TimeSettings – Verify virtualized DCs sync to the hypervisor during boot time only
Domain Controller Time Synchronization Internal – Verify Time Synchronization Difference to PDC less than X seconds
Domain Controller Time Synchronization External – Verify Time Synchronization Difference to pool.ntp.org less than X seconds
Domain Controller Disk Free – Verify OS partition Free space is at least X %
Domain Controller Disk Free – Verify NTDS partition Free space is at least X %
Domain Controller Operating System – Verify Windows Operating system is Windows 2012 or higher
Domain Controller Windows Updates – Verify Last patch was installed less than 60 days ago
Domain Controller SMB Protocols – Verify SMB v1 protocol is disabled
Domain Controller SMB Protocols – Verify SMB v2 protocol is enabled
Domain Controller SMB Shares – Verify default SMB shares NETLOGON/SYSVOL are visible
Domain Controller DFSR AutoRecovery – Verify DFSR AutoRecovery is enabled
Domain Controller Windows Roles and Features – Verify Windows Features for AD/DNS/File Services are enabled
And that is just a starting point, something to expand on. I've tried to pick different tests so I can see how easy it is for me to add new tests without changing how Testimo works. The goal is to mostly spend time on building new tests without touching the core too much. Of course, I may have missed something or made an incorrect assumption, or in some cases the test may fail for some reason. After all, this is an alpha product and something I've been developing for about three weeks on and off. Hopefully, with your help, I should be able to iron out the bugs, add new tests, and improve the quality of Testimo for different architectures. Maybe you can help out as well in other areas that need improvement? Feel free to reach out on GitHub/Twitter/Reddit/Discord. I'm in all those places.
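As an added illustration of what the Domain Password Complexity Requirements checks in the list above amount to, here is one way to express them as Pester tests over `Get-ADDefaultDomainPasswordPolicy` from the ActiveDirectory (RSAT) module. This is example code, not Testimo's own implementation; the threshold values in `$Expected` are assumed placeholders standing in for the "X" in each list item.

```powershell
# Added example (not Testimo code): Pester tests for the domain password policy
# checks listed above. Requires the ActiveDirectory module and Pester 4 or later.
# The values below are assumed placeholders for the "X" thresholds in the list.
$Expected = @{
    MinPasswordLength      = 14   # characters
    LockoutThreshold       = 0    # failed attempts; 0 means lockout is disabled
    LockoutDurationMinutes = 15
    LockoutWindowMinutes   = 15
    MinPasswordAgeDays     = 1
    PasswordHistoryCount   = 24
}

Describe 'Domain Password Complexity Requirements' {
    BeforeAll {
        # One query against the domain; every assertion reads from this object
        $Policy = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
    }

    It 'Password Complexity Policy should be Enabled' {
        $Policy.ComplexityEnabled | Should -Be $true
    }
    It "Password Length should be greater than $($Expected.MinPasswordLength)" {
        $Policy.MinPasswordLength | Should -BeGreaterOrEqual $Expected.MinPasswordLength
    }
    It "Password Threshold should be greater than $($Expected.LockoutThreshold)" {
        # A threshold of 0 means accounts never lock out after failed logons
        $Policy.LockoutThreshold | Should -BeGreaterThan $Expected.LockoutThreshold
    }
    It "Password Lockout Duration should be at least $($Expected.LockoutDurationMinutes) minutes" {
        # LockoutDuration is a TimeSpan, so compare its TotalMinutes
        $Policy.LockoutDuration.TotalMinutes | Should -BeGreaterOrEqual $Expected.LockoutDurationMinutes
    }
    It "Password Lockout Observation Window should be at least $($Expected.LockoutWindowMinutes) minutes" {
        $Policy.LockoutObservationWindow.TotalMinutes | Should -BeGreaterOrEqual $Expected.LockoutWindowMinutes
    }
    It "Password Minimum Age should be at least $($Expected.MinPasswordAgeDays) day(s)" {
        $Policy.MinPasswordAge.TotalDays | Should -BeGreaterOrEqual $Expected.MinPasswordAgeDays
    }
    It "Password History Count should be at least $($Expected.PasswordHistoryCount)" {
        $Policy.PasswordHistoryCount | Should -BeGreaterOrEqual $Expected.PasswordHistoryCount
    }
    It 'Password Reversible Encryption should be Disabled' {
        # Reversible encryption stores passwords recoverably; it should stay off
        $Policy.ReversibleEncryptionEnabled | Should -Be $false
    }
}
```

Run it with `Invoke-Pester` from a domain-joined host where the ActiveDirectory module is installed; it checks only the default domain policy, so fine-grained password policies (PSOs) would need a separate test over `Get-ADFineGrainedPasswordPolicy`.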