Get Started - Active Directory On-Demand Assessment
The Active Directory Assessment provides you with an assessment of your Active Directory Environment with domain controllers running on-premises, on Azure VMs, or on Amazon Web Services (AWS) VMs. The analysis generates a list of issues to address with remediation guidance and best practices to improve the performance of Active Directory infrastructure and features such as deploying applications, software updates, and operating systems.
Assessments are available through the Services Hub to help you optimize the availability, security, and performance of your Microsoft technology investments. These assessments use Microsoft Azure Log Analytics, which is designed to give you simplified IT and security management across your environment.
This assessment is designed to provide you specific actionable guidance grouped in Focus Areas to mitigate risks to your Active Directory and your organization.
The Active Directory Assessment focuses on several key pillars, including:
- Operational processes
- Active Directory Replication
- Site Topology and Subnets
- Name Resolution (DNS)
- Domain Controller Health
- Active Directory Database
- Sysvol replication and Group Policy Health
- Account Information and Token Size
- OS Information and Networking
- Windows Time Configuration
Run the Active Directory Assessment
In order to take full advantage of the On-Demand Assessments available through Services Hub, you must:
Have linked an active Azure Subscription to Services Hub and added the AD Assessment. For more information, see Getting Started with On-Demand Assessments article or watch Link Services Hub to Azure Log Analytics (Video).
Install the Microsoft Monitoring Agent here and choose the appropriate agent setup option on a supported Windows Server machine. You can also watch the video guides for how to install the agent or how to configure the gateway.
Have a domain account (User or Managed Service Account) with the following rights:
- Enterprise Administrator
- Administrative access to every domain controller in the forest
- Administrative access to all Microsoft Domain Name System (DNS) servers that the domain controllers participate with
- Administrative access on the data collection machine
- Sign in as a batch job privileges on the data collection machine
Review the Pre-Requisites document for the AD Assessment. This document explains the detailed technical documentation of the AD Assessment and the server preparation needed to run the assessment. It also documents the different types of data collected by the assessment.
On average, it takes two hours to initially configure your environment to run an On-Demand Assessment. After you run an assessment you can review the data in Azure Log Analytics. This will provide you with a prioritized list of recommendations, categorized across six focus areas. This allows you and your team to quickly understand risk levels, the health of your environments, act to decrease risk, and improve your overall IT health.
Set up the AD Assessment on the data collection machine
Watch the Configure an Active Directory On-Demand Assessment video.
You will only be able to successfully setup the assessment once you have linked your Azure Subscription to Services Hub and added the AD Assessment from IT Health -> On-Demand Assessments in Services Hub.
On the data collection machine, create the following folder:
C:\OMS\AD(or any other folder you want)
Open regular PowerShell (not ISE) in Administrator mode and run the below cmdlet:
- The WorkingDirectory is a path to an existing directory used to store the files created while collecting and analyzing the data from the environment.
Provide the required user account credentials that satisfy the requirements mentioned in this article earlier
Data collection is triggered by the scheduled task named ADAssessment within an hour of running the previous script and then every seven days. The task can be modified to run on a different date/time or even forced to run immediately from the Task Scheduler library, Microsoft folder, Operations Management Suite, AOI***, Assessments, then ADAssessment.
During collection and analysis, data is temporarily stored under the Working Directory folder that was configured during setup.
After a few hours, your assessment results will be available on your Log Analytics and Services Hub Dashboard. You can navigate to see the results by going into Services Hub -> Health -> Assessments and then clicking on "View all recommendations" against the active assessment.
If you wish to get a Microsoft Accredited Engineer to go over the issues about your AD Environment with you, you can contact your Microsoft Representative and ask them about the Remote or Onsite CE Led Delivery.
|Agreement||Remote Engineer||Onsite Engineer|
|Premier||AD Remote Datasheet||AD Onsite Datasheet|
|Unified||AD Remote Datasheet||AD Onsite Datasheet|
If you have general feedback on the Resource Center or its content, contact your Microsoft representative. If you have any specific requests or content updates for Services Hub, contact our Support Team.