Best Practices Analyzer for Active Directory Domain Services: Configuration

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

The topics in this section can help you bring Active Directory Domain Services (AD DS) into compliance with configuration best practices. Content in this section is most valuable to administrators who have completed a Best Practices Analyzer scan of AD DS and who want information about how to interpret and resolve scan results that identify areas of AD DS that are noncompliant with configuration best practices.

Best Practices Analyzer and configuration rules

The Best Practices Analyzer applies configuration rules to identify settings that might require modification for AD DS to perform optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent AD DS from carrying out its prescribed duties in an enterprise.

For more information about Best Practices Analyzer and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Topics in this section

• AD DS: The RID master role and the PDC emulator master role should be owned by the same domain controller in the domain

• AD DS: This domain controller must register its DNS host A/AAAA records with correct IP addresses

• AD DS: This domain controller must register its DNS host A/AAAA records

• AD DS: This domain controller must register an alias (CNAME) resource record with its DsaGuid for the forest

• AD DS: This domain controller must register its Rfc1510UdpKpwd DNS record to advertise itself as a Kerberos server for the domain

• AD DS: This domain controller must register its Rfc1510Kpwd DNS record to advertise itself as a Kerberos server for the domain

• AD DS: This domain controller must register its Rfc1510UdpKdc DNS record to advertise itself as a Kerberos server for the domain

• AD DS: This domain controller must advertise itself as a generic global catalog server for the forest in its local site

• AD DS: This domain controller must advertise itself as a generic global catalog server for the forest

• AD DS: This domain controller must advertise itself as a Kerberos server for the domain in its local site

• AD DS: This domain controller must register its Rfc1510Kdc DNS record to advertise itself as a Kerberos server for the domain

• AD DS: This server must advertise itself as a domain controller for the domain in its local site

• AD DS: This server must advertise itself as a domain controller for the domain

• AD DS: This domain controller must advertise as a KDC for the domain in its local site

• AD DS: This domain controller must advertise as a KDC for the domain

• AD DS: This global catalog server must register its host (A/AAAA) resource records for the forest

• AD DS: This domain controller must register a DNS SRV resource record, which is required for replication to function correctly

• AD DS: This domain controller must advertise as a global catalog server for the forest in its local site

• AD DS: This domain controller must advertise as the global catalog server for the forest

• AD DS: This domain controller must advertise as a PDC for the domain

• AD DS: This domain controller must advertise as an LDAP server for the domain in its local site

• AD DS: This domain controller must advertise as an LDAP server for the domain

• AD DS: This domain controller must register its DNS host (A/AAAA) resource records for the domain

• AD DS: The schema master role and the domain naming master role should be owned by the same domain controller in the forest

• AD DS: The AD DS service must be running on this domain controller

• AD DS: The ADWS service must be running on this domain controller

• AD DS: The Active Directory module for Windows PowerShell must be installed and functioning properly on this domain controller

• AD DS: The AD DS BPA should be able to collect data for this element

• AD DS: Strict replication consistency should be enabled on all domain controllers in this forest

• AD DS: Each site in this forest should contain at least one global catalog server or have universal group membership caching enabled

• AD DS: The KCC should be enabled in this site in this forest to generate an optimal replication topology

• AD DS: The value of MaxPosPhaseCorrection on this domain controller should be equal to 48 hours

• AD DS: The value of MaxNegPhaseCorrection on this domain controller should be equal to 48 hours

• AD DS: The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source

• AD DS: This domain controller should comply with the recommended best practices guidelines because it is running on a VM

• AD DS: This directory partition on this domain controller should have been backed up within the last 8 days

• AD DS: All OUs in this domain should be protected from accidental deletion

• AD DS: The resultant backup lifetime in this forest should be equal to or greater than 180 days

• AD DS: SID filtering is not enabled for an external trust

• AD DS: An account or accounts trust(s) this unregistered SPN for delegation

• AD DS: This Service Principal Name is registered on multiple accounts

• AD DS: User accounts and trusts in this domain should not be configured for DES only

• AD DS: This domain controller must have "Access this Computer from the Network" granted to the appropriate security principals

• AD DS: This domain controller must have “Enable computer and user accounts to be trusted for delegation“ granted to the Builtin Administrators security group

• AD DS: The infrastructure master for this domain should be held by a domain controller that is not a global catalog server

• AD DS: The Default Domain Controllers Policy in this domain should be applied to this OU