
Remediation steps for Active Directory On-Demand Assessment

Issues reviewed in this section

Configure all DNS zones only to allow zone transfers to specified IP addresses

Configure the Active Directory Web Services (ADWS) to start automatically on all servers

Configure the Root PDC with an Authoritative Time Source and Avoid Widespread Time Skew

Consider removing orphaned group policy containers from Active Directory

Turn off or remove the DHCP Server service installed on any domain controllers

Turn off the AllowNT4Crypto setting on all affected domain controllers

Ensure the Windows Firewall service is started and configured for auto start

Investigate a serious error in the disk subsystem

Investigate File Replication Service (FRS) journal wrap conditions on domain controllers

Investigate why Active Directory directory partitions are not backed up for longer than half the Tombstone Lifetime

Migrate SYSVOL to DFS Replication

Prevent Degraded Performance by Defining Missing Subnets

Prevent storage of LAN Manager password hashes

Regularly check for and remove inactive user accounts in Active Directory

Remove all members from the Schema Admins group unless you are actively changing the schema

Remove the highly insecure DES encryption from User accounts

Review and reduce the number of accounts in highly privileged administrative groups

Review the removal of default members from the Denied RODC Password Replication Group

Upgrade computers running an unsupported operating system

Set the account lockout threshold to the recommended value

Review accounts whose attribute "pwdlastset" has a zero value

Already a Microsoft Unified Support or Microsoft Premier customer?

To unlock the benefits of On-Demand Assessments, sign in to the Services Hub. For more information about Services Hub and Microsoft Support Offerings, see Support Solutions. To find out more, contact your local Microsoft representative.