Active Directory Domain Discovery Checklist
During an AD DS migration or health check, system engineers and auditors need a checklist to keep track of what should be discovered. This is a working checklist, published here for peer review and peer additions. It aims to cover the high-level items one needs to look for during an AD DS discovery or audit. It is not a step-by-step guide but a high-level overview for tracking what needs to be discovered.
For a checklist on Active Directory Domain Deployment check out:
https://social.technet.microsoft.com/wiki/contents/articles/40225.active-directory-domain-deployment-checklist.aspx
For a checklist on Active Directory Domain Migrations check out:
https://social.technet.microsoft.com/wiki/contents/articles/43908.active-directory-migration-checklist.aspx
- Forest(s) Discovery
- All child domains
- All trusts
- Stale or broken trusts
- Forest Functional Level
- Domains/Sites/DCs/GCs/Exchange/Other
- Forest Features
- Tombstone lifetime
- SID filter info
- Domain(s) Discovery
- All trusts
- Stale or broken trusts
- Domain Functional Level
- Sites/DCs/GCs/Exchange/Other per domain
- Domain features (tombstone lifetime is forest-wide, see above)
- SID filter info per trust
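A PowerShell pass over the forest and domain items above, added here as an example (it is not part of the original checklist). It assumes RSAT's ActiveDirectory module on a domain-joined host with read access to every domain, PowerShell remoting to a DC of each trusting domain, and `nltest` on those DCs.

```powershell
# Forest/domain discovery: functional levels, optional features, tombstone lifetime,
# trusts, SID filtering, and a secure-channel check for stale or broken trusts.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Forest summary: mode, member domains, sites, GCs, forest-wide role holders
$forest | Select-Object Name, RootDomain, ForestMode, Domains, Sites, GlobalCatalogs,
    SchemaMaster, DomainNamingMaster | Format-List

# Optional forest features (Recycle Bin, Privileged Access Management) and where enabled
Get-ADOptionalFeature -Filter * | Select-Object Name, EnabledScopes

# Tombstone lifetime is forest-wide and stored on the Directory Service object in the
# configuration NC; when the attribute is unset the legacy default of 60 days applies.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Per-domain summary: functional level, hierarchy, DC/RODC counts
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    [pscustomobject]@{
        Domain      = $dom.DNSRoot
        DomainMode  = $dom.DomainMode
        Parent      = $dom.ParentDomain
        Children    = ($dom.ChildDomains -join ', ')
        DCs         = @($dom.ReplicaDirectoryServers).Count
        RODCs       = @($dom.ReadOnlyReplicaDirectoryServers).Count
        PDCEmulator = $dom.PDCEmulator
    }
}

# Trusts from every domain's point of view. SIDFilteringQuarantined is the per-trust
# quarantine flag; SIDFilteringForestAware is the forest-trust variant.
$trusts = foreach ($d in $forest.Domains) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object @{n='SourceDomain';e={$d}}, Name, Direction, TrustType, ForestTransitive,
            IntraForest, SIDFilteringQuarantined, SIDFilteringForestAware, TGTDelegation
}
$trusts | Format-Table -AutoSize

# Stale or broken trusts: a DC of the trusting domain verifies its secure channel to the
# trusted domain; nltest exits non-zero when no DC of the trusted domain answers.
foreach ($t in $trusts) {
    $dc  = [string](Get-ADDomainController -Discover -DomainName $t.SourceDomain).HostName
    $out = Invoke-Command -ComputerName $dc -ArgumentList $t.Name -ScriptBlock {
        param($trusted)
        $text = nltest "/sc_verify:$trusted" 2>&1
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Text = ($text -join ' ') }
    }
    [pscustomobject]@{
        Trust    = "$($t.SourceDomain) -> $($t.Name)"
        Verified = ($out.ExitCode -eq 0)
        Detail   = $out.Text
    }
}
```

Pipe each section to `Export-Csv` to keep the evidence; a trust that fails `sc_verify` from every DC of the trusting domain is the "stale or broken" case the checklist asks about.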
- Logical Structure
- Domain hierarchy
- OU structure
- Empty OUs
- Have default ACLs been changed
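The OU items above, as an added PowerShell example (not from the original page). It assumes the ActiveDirectory module, which also provides the `AD:` drive that `Get-Acl` reads from, and treats "default ACL changed" as "the OU carries explicit ACEs for trustees outside the set a new OU gets from the schema default"; the default itself is printed as SDDL so the two can be compared.

```powershell
# Logical structure: OU tree with object counts, empty OUs, linked GPO count, and OUs whose
# ACL carries explicit (non-inherited) ACEs for trustees outside the default set.
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# The default OU ACL, as SDDL, lives on the Organizational-Unit class in the schema
$defaultSddl = (Get-ADObject -Identity "CN=Organizational-Unit,$schemaNc" -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
"Default OU security descriptor (SDDL): $defaultSddl"

# Trustees that normally hold explicit ACEs on a freshly created OU (heuristic; adjust per forest)
$defaultTrustees = '^(NT AUTHORITY\\|BUILTIN\\|S-1-5-32-|[^\\]+\\(Domain Admins|Enterprise Admins)$)'

$tree = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties CanonicalName, ProtectedFromAccidentalDeletion, gPLink) {
    $children = @(Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter *)
    $explicit = @((Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access | Where-Object { -not $_.IsInherited })
    $odd = @($explicit.IdentityReference | ForEach-Object { $_.Value } | Sort-Object -Unique |
             Where-Object { $_ -notmatch $defaultTrustees })
    [pscustomobject]@{
        OU                 = $ou.CanonicalName
        Depth              = ($ou.CanonicalName -split '/').Count - 1
        Objects            = $children.Count
        Empty              = ($children.Count -eq 0)
        Protected          = $ou.ProtectedFromAccidentalDeletion
        LinkedGPOs         = ([regex]::Matches([string]$ou.gPLink, '\[LDAP://')).Count
        ExplicitAces       = $explicit.Count
        NonDefaultTrustees = ($odd -join ', ')
    }
}
$tree | Sort-Object OU | Format-Table OU, Objects, Empty, LinkedGPOs, ExplicitAces, NonDefaultTrustees -AutoSize
"Empty OUs: $(@($tree | Where-Object Empty).Count)"
"OUs with non-default explicit trustees: $(@($tree | Where-Object NonDefaultTrustees).Count)"
```

Explicit ACEs for helpdesk or application groups are where delegated rights (password reset, computer join, GPO link) accumulate over the years; each one needs an owner before a migration moves the OU.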
- Sites and Services
- Summary
- Site names
- Physical Locations
- DCs in each site
- Subnets
- Missing Subnets
- Site connections
- Site links
- Replication Interval
- GPOs applied to sites
- Site mirroring between domains and other domains/forest
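An added PowerShell example for the Sites and Services items above (not part of the original checklist). It assumes the ActiveDirectory module, read access to every DC's `admin$` share, and that Netlogon writes its `NO_CLIENT_SITE` entries to `netlogon.log` at the default logging level; the `/24` roll-up of those entries is a heuristic starting point, not the real prefix length.

```powershell
# Sites, subnets, site links, connection objects, site-linked GPOs, and clients that
# matched no subnet (NO_CLIENT_SITE entries in each DC's netlogon.log).
Import-Module ActiveDirectory

$dcs           = @(Get-ADDomainController -Filter *)
$dcsBySite     = $dcs | Group-Object Site -AsHashTable -AsString
$subnets       = @(Get-ADReplicationSubnet -Filter * -Properties Site, Location)
$subnetsBySite = $subnets | Group-Object Site -AsHashTable -AsString

# Site summary: DCs, subnets and GPOs linked at the site level. gPLink is a string of
# [LDAP://<gpo DN>;<options>] entries; options bit 1 means the link is disabled.
foreach ($site in Get-ADReplicationSite -Filter * -Properties Location, gPLink) {
    $gpoLinks = [regex]::Matches([string]$site.gPLink, '\[LDAP://([^;]+);(\d+)\]') |
        ForEach-Object { "$($_.Groups[1].Value) (opts=$($_.Groups[2].Value))" }
    [pscustomobject]@{
        Site     = $site.Name
        Location = $site.Location
        DCs      = ($dcsBySite[$site.Name].HostName -join ', ')
        Subnets  = ($subnetsBySite[$site.DistinguishedName].Name -join ', ')
        GPOs     = ($gpoLinks -join '; ')
    }
}

# Subnet objects that are not assigned to any site
$subnets | Where-Object { -not $_.Site } | Select-Object Name, Location

# Site links: cost, replication interval, members; Options bit 1 = change notification
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, Options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, Options,
        @{n='Sites';e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }}

# Connection objects (KCC-generated vs. manually created)
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated

# Missing subnets: clients whose IP matched no subnet object are logged by Netlogon as
# "NO_CLIENT_SITE: <client> <ip>". Collect from every DC and roll up by /24.
$pattern = 'NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})'
$hits = foreach ($dc in $dcs.HostName) {
    $log = "\\$dc\admin$\debug\netlogon.log"
    if (Test-Path $log) {
        Get-Content $log | ForEach-Object {
            if ($_ -match $pattern) { [pscustomobject]@{ DC = $dc; Client = $Matches[1]; IP = $Matches[2] } }
        }
    }
}
$hits | Group-Object { ($_.IP -split '\.')[0..2] -join '.' } | Sort-Object Count -Descending |
    Select-Object @{n='CandidateSubnet';e={ "$($_.Name).0/24" }}, Count,
        @{n='SampleClients';e={ ($_.Group.Client | Sort-Object -Unique | Select-Object -First 5) -join ', ' }}
```

Cross-check the candidate subnets against the network team's address plan before creating subnet objects; a client in the log may also be a VPN or NAT address that belongs to no physical site.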
- Domain Controller Configurations
- IP addresses
- Names
- Disk space report
- Server up time
- Physical Locations
- Journal wrap events (if SYSVOL still replicates with FRS)
- Is DFS used in the environment
- Schema Extensions
- Azure connections
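An added PowerShell example for the DC configuration items above (not part of the original checklist). It assumes the ActiveDirectory module, WinRM/CIM access to each DC, that the SYSVOL migration state is read from the `msDFSR-Flags` attribute on `CN=DFSR-GlobalSettings`, and that an Azure AD Connect sync account uses the default `MSOL_` naming.

```powershell
# Domain controller configuration: addresses, uptime, disk space, SYSVOL replication
# engine (FRS vs DFSR), FRS journal wrap events, Azure AD Connect sync account, and a
# schema extension overview.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# SYSVOL migration state is the msDFSR-Flags value on CN=DFSR-GlobalSettings:
# 0 = Start (FRS), 16 = Prepared, 32 = Redirected, 48 = Eliminated (DFSR only).
$flags = try {
    [int](Get-ADObject -Identity "CN=DFSR-GlobalSettings,CN=System,$domainDn" -Properties 'msDFSR-Flags').'msDFSR-Flags'
} catch { -1 }
$sysvolEngine = switch ($flags) {
    48 { 'DFSR (Eliminated)' }
    32 { 'DFSR, FRS still running (Redirected)' }
    16 { 'FRS, DFSR staged (Prepared)' }
    0  { 'FRS (Start)' }
    default { 'FRS (no DFSR-GlobalSettings object)' }
}
"SYSVOL replication: $sysvolEngine"

foreach ($dc in Get-ADDomainController -Filter *) {
    $h = $dc.HostName
    try {
        $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $disks = Get-CimInstance -ClassName Win32_LogicalDisk -ComputerName $h -Filter 'DriveType=3'
        # NtFrs event 13568 = journal wrap; only meaningful while SYSVOL still uses FRS
        $wrap  = Get-WinEvent -ComputerName $h -MaxEvents 1 -ErrorAction SilentlyContinue `
                    -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13568 }
        [pscustomobject]@{
            DC              = $h
            IPv4            = $dc.IPv4Address
            Site            = $dc.Site
            OS              = $dc.OperatingSystem
            GC              = $dc.IsGlobalCatalog
            RODC            = $dc.IsReadOnly
            UptimeDays      = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
            Disks           = ($disks | ForEach-Object { '{0} {1:N1}/{2:N1} GB free' -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB) }) -join '; '
            LastJournalWrap = if ($wrap) { $wrap.TimeCreated } else { $null }
        }
    } catch { Write-Warning "$h unreachable: $($_.Exception.Message)" }
}

# Azure AD Connect (express settings) creates an on-premises sync account named MSOL_<hex>;
# a custom-named sync account will not match this pattern (assumed default naming).
Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description, whenCreated |
    Select-Object Name, whenCreated, Description

# Schema extensions: classes/attributes whose OID is outside the Microsoft (1.2.840.113556),
# X.500 (2.5) and IETF (0.9.2342, 1.3.6.1) arcs are third-party; grouping every schema
# object by creation date shows each extension batch (forest creation, adprep, Exchange ...).
$schemaObjs = Get-ADObject -SearchBase $schemaNc -Filter * -Properties attributeID, governsID, whenCreated
$schemaObjs | Where-Object {
        $oid = if ($_.attributeID) { $_.attributeID } else { $_.governsID }
        $oid -and $oid -notmatch '^(1\.2\.840\.113556\.|2\.5\.|0\.9\.2342\.|1\.3\.6\.1\.)'
    } | Select-Object Name, attributeID, governsID, whenCreated
$schemaObjs | Group-Object { $_.whenCreated.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Select-Object Name, Count
```

A DC with months of uptime has not taken recent patches; a journal wrap event on a DC still in the FRS states above explains SYSVOL inconsistencies and should be fixed before any SYSVOL migration.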
- Network and Infrastructure
- DNS
- AD integrated zones
- Forest replicated zones
- Domain replicated zones
- Conditional forwarding
- Domain level auditing
- Pull DNS zone contents for posterity
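An added PowerShell example for the DNS items above (not part of the original checklist). It assumes the ActiveDirectory and DnsServer (RSAT DNS Server Tools) modules, that every DC runs DNS, and an output folder of `C:\ADDiscovery\DNS` for the zone snapshots.

```powershell
# DNS discovery: every non-auto-created zone on every DC, its AD integration and replication
# scope, conditional and server-level forwarders, and a per-zone record snapshot.
Import-Module ActiveDirectory
Import-Module DnsServer

$dnsServers = (Get-ADDomainController -Filter *).HostName
$exportRoot = 'C:\ADDiscovery\DNS'          # assumed output folder
New-Item -ItemType Directory -Path $exportRoot -Force | Out-Null

$zones = foreach ($srv in $dnsServers) {
    try {
        Get-DnsServerZone -ComputerName $srv -ErrorAction Stop |
            Where-Object { -not $_.IsAutoCreated } |
            Select-Object @{n='Server';e={$srv}}, ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
                DirectoryPartitionName, IsReverseLookupZone, DynamicUpdate,
                @{n='MasterServers';e={ ($_.MasterServers -join ', ') }}
    } catch { Write-Warning "DNS not reachable on ${srv}: $($_.Exception.Message)" }
}

# AD-integrated zones by replication scope (Forest / Domain / Legacy / Custom partition)
$zones | Where-Object IsDsIntegrated | Group-Object ZoneName, ReplicationScope |
    Select-Object Name, Count | Sort-Object Name

# Zones that are not AD-integrated: file-backed primaries, secondaries, stubs
$zones | Where-Object { -not $_.IsDsIntegrated -and $_.ZoneType -ne 'Forwarder' } |
    Format-Table Server, ZoneName, ZoneType, DynamicUpdate

# Conditional forwarders show up as ZoneType 'Forwarder' with MasterServers set
$zones | Where-Object ZoneType -eq 'Forwarder' |
    Format-Table Server, ZoneName, MasterServers, IsDsIntegrated, ReplicationScope

# Server-level forwarders per DNS server
foreach ($srv in $dnsServers) {
    $f = Get-DnsServerForwarder -ComputerName $srv -ErrorAction SilentlyContinue
    if ($f) { [pscustomobject]@{ Server = $srv; Forwarders = ($f.IPAddress -join ', '); UseRootHint = $f.UseRootHint } }
}

# Snapshot each distinct primary zone once, from the first server that hosts it. RecordData
# is flattened to a string because its shape differs per record type.
foreach ($z in ($zones | Where-Object ZoneType -eq 'Primary' | Sort-Object ZoneName -Unique)) {
    $file = Join-Path $exportRoot ('{0}_{1:yyyyMMdd}.csv' -f ($z.ZoneName -replace '[\\/:*?"<>|]', '_'), (Get-Date))
    Get-DnsServerResourceRecord -ComputerName $z.Server -ZoneName $z.ZoneName |
        Select-Object HostName, RecordType, TimeToLive, Timestamp,
            @{n='Data';e={ ($_.RecordData.PSObject.Properties | Where-Object { $_.Name -notmatch '^(Cim|PS)' } | ForEach-Object { $_.Value }) -join ' ' }} |
        Export-Csv -Path $file -NoTypeInformation
}
```

`Export-DnsServerZone` produces a classic zone file instead, but it writes into the DNS server's own `System32\dns` directory, so the CSV snapshot is easier to collect centrally; a zone reported with different `ReplicationScope` on different servers is the inconsistency to chase.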
- Networking
- Physical site list
- Subnets at each site
- Site link speed and utilization level (how saturated is the link)
- Network Topology
- Firewall locations
- VLAN restrictions
- Router ACLs
- DHCP
- Authorized DHCP server discovery
- AD requirements
- High availability aspects
- IPAM
- Other Infrastructure Services
- WINS server discovery
- Is WINS active
- Are there application or service requirements
- Exchange server discovery
- SCCM server discovery
- WSUS
- AD CS
- AD FS
- Other
- Time services
- Identity Management
- DNS
- Directory Objects
- Naming
- Administrator accounts
- Privileged administrator accounts
- User accounts
- Service accounts
- Application accounts
- Workstation single sign-on accounts
- Groups
- Computer accounts
- Attributes
- Attribute usage
- Security
- Security Patch report
- What is the patching process
- What patches are missing
- Vulnerability scan
- RODC implementations
- Is ATA (Advanced Threat Analytics) implemented
- Is LAPS implemented
- Application control policies
- RPC ephemeral ports
- Firewalls
- Perimeter firewalls
- Hypervisor firewalls
- Firewall policies
- Physical security
- Are authentication policies and authentication policy silos implemented
- Anti-virus solution
- Auditing
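An added PowerShell example for the security items above (not part of the original checklist). It assumes the ActiveDirectory module, remoting to every DC, a domain at the 2012 R2 functional level or higher for the authentication policy cmdlets (they are skipped quietly otherwise), and the documented schema attribute names for legacy LAPS (`ms-Mcs-AdmPwd`) and Windows LAPS (`msLAPS-Password`).

```powershell
# Security posture snapshot for the DC estate: LAPS schema presence and coverage, RODCs,
# authentication policies and silos, recent patches, RPC dynamic port range, firewall profiles.
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# LAPS: legacy LAPS extends the schema with ms-Mcs-AdmPwd; Windows LAPS uses msLAPS-Password
foreach ($attr in 'ms-Mcs-AdmPwd', 'msLAPS-Password') {
    $inSchema = [bool](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(name=$attr)")
    "$attr in schema: $inSchema"
}
# Coverage for legacy LAPS: computers that carry a password expiry time
"Computers with ms-Mcs-AdmPwdExpirationTime: $(@(Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)').Count)"

# RODCs and authentication policies/silos
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object HostName, Site
Get-ADAuthenticationPolicy -Filter * -ErrorAction SilentlyContinue |
    Select-Object Name, Enforce, UserTGTLifetimeMins
Get-ADAuthenticationPolicySilo -Filter * -ErrorAction SilentlyContinue |
    Select-Object Name, Enforce, @{n='Members';e={ @($_.Members).Count }}

# Per DC: last installed updates, RPC dynamic (ephemeral) port range, static RPC
# restriction, and firewall profile state
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $fixes  = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
                Sort-Object InstalledOn -Descending | Select-Object -First 3
    $remote = Invoke-Command -ComputerName $dc -ScriptBlock {
        # Dynamic range handed to RPC clients; the modern default is 49152-65535
        $txt   = netsh int ipv4 show dynamicport tcp
        $start = ($txt | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
        $num   = ($txt | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value
        # A fixed RPC port set, if configured, lives under HKLM\SOFTWARE\Microsoft\Rpc\Internet
        $rpc   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
        $fw    = Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }
        [pscustomobject]@{
            Dynamic  = "$start-$([int]$start + [int]$num - 1)"
            RpcPorts = ($rpc.Ports -join ',')
            Firewall = ($fw -join ' ')
        }
    }
    [pscustomobject]@{
        DC              = $dc
        LastPatches     = ($fixes | ForEach-Object { "$($_.HotFixID) $('{0:yyyy-MM-dd}' -f $_.InstalledOn)" }) -join ', '
        RpcDynamicRange = $remote.Dynamic
        RpcFixedPorts   = $remote.RpcPorts
        Firewall        = $remote.Firewall
    }
}
```

The RPC range matters twice: the firewall team needs it for DC-to-DC and client-to-DC rules, and a DC still using a legacy or narrowed range will fail replication through firewalls that were written for the default.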
- Applications in the environment
- Team manager per App
- Application owner per App
- Tier or SLA (how critical is the app)
- Special requirements
- Down time procedures
- Authentication method
- Local
- Active Directory
- Service accounts
- Other
- Users
- All
- Detailed information
- Initial count
- Ongoing count for growth projections
- Disabled
- Count
- Password no expire
- Count
- Token size report
- Locked users
- Dial-in enabled
- Delegation
- Password not required
- Password must change
- Service accounts (accounts running as a service on computers in the domain)
- All
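An added PowerShell example for the user and service account items above (not part of the original checklist). It assumes the ActiveDirectory module, CIM access to member servers, a 90-day inactivity threshold, and uses the KB 327825 rule of thumb (1200 + 40d + 8s bytes) as the token size estimate.

```powershell
# User and service account inventory: the counts and flags called out above, a token size
# estimate for the most group-heavy accounts, and the identities that actually run
# Windows services on member servers.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-90)     # assumed inactivity / growth window
$props  = 'Enabled','PasswordNeverExpires','PasswordNotRequired','LockedOut','msNPAllowDialin',
          'TrustedForDelegation','TrustedToAuthForDelegation','msDS-AllowedToDelegateTo',
          'servicePrincipalName','pwdLastSet','LastLogonDate','whenCreated','SIDHistory','MemberOf'
$users  = @(Get-ADUser -Filter * -Properties $props)

function Measure-UserSet([scriptblock]$test) { @($users | Where-Object $test).Count }
[pscustomobject]@{
    Total                = $users.Count
    Disabled             = Measure-UserSet { -not $_.Enabled }
    CreatedLast90Days    = Measure-UserSet { $_.whenCreated -gt $cutoff }     # growth indicator
    Inactive90Days       = Measure-UserSet { $_.Enabled -and $_.LastLogonDate -lt $cutoff }
    PasswordNeverExpires = Measure-UserSet { $_.PasswordNeverExpires }
    PasswordNotRequired  = Measure-UserSet { $_.PasswordNotRequired }
    MustChangePassword   = Measure-UserSet { $_.pwdLastSet -eq 0 }
    LockedOut            = Measure-UserSet { $_.LockedOut }
    DialInEnabled        = Measure-UserSet { $_.msNPAllowDialin }
    UnconstrainedDeleg   = Measure-UserSet { $_.TrustedForDelegation }
    ConstrainedDeleg     = Measure-UserSet { $_.'msDS-AllowedToDelegateTo' }
    ProtocolTransition   = Measure-UserSet { $_.TrustedToAuthForDelegation }
    KerberosSvcAccounts  = Measure-UserSet { $_.servicePrincipalName }        # user objects carrying an SPN
    WithSIDHistory       = Measure-UserSet { $_.SIDHistory }
}

# Token size estimate (KB 327825): 1200 + 40*d + 8*s bytes, d = domain local groups,
# s = global/universal groups plus SID history entries. Membership is resolved recursively
# with LDAP_MATCHING_RULE_IN_CHAIN for the 20 accounts with the most direct groups.
function ConvertTo-LdapFilterValue([string]$v) {
    ($v.ToCharArray() | ForEach-Object { if ($_ -in '\', '*', '(', ')') { '\{0:x2}' -f [int]$_ } else { $_ } }) -join ''
}
$users | Where-Object Enabled | Sort-Object { @($_.MemberOf).Count } -Descending | Select-Object -First 20 |
    ForEach-Object {
        $dn = ConvertTo-LdapFilterValue $_.DistinguishedName
        $g  = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
        $d  = @($g | Where-Object GroupScope -eq 'DomainLocal').Count
        $s  = @($g | Where-Object GroupScope -ne 'DomainLocal').Count + @($_.SIDHistory).Count
        [pscustomobject]@{ User = $_.SamAccountName; RecursiveGroups = $g.Count; EstTokenBytes = 1200 + 40 * $d + 8 * $s }
    }

# Identities running Windows services on member servers (sample of 25 enabled servers; widen
# or target the app servers from the application inventory). Built-in identities are dropped.
Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' | Select-Object -First 25 |
    ForEach-Object {
        $srv = $_
        Get-CimInstance -ClassName Win32_Service -ComputerName $srv.DNSHostName -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
            Select-Object @{n='Server';e={$srv.Name}}, Name, StartName, StartMode, State
    } | Sort-Object StartName | Format-Table -AutoSize
```

The service scan is the only way to find the "accounts running as a service" the checklist means: an SPN on the user object catches Kerberos-aware services, but a plain domain account typed into a service's logon tab leaves no trace in AD.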
- Computers
- Detailed report - plus the following
- With OS attribute populated
- Without OS attribute populated
- Are cluster accounts documented
- Information pulled from SCCM or scripts
- Workstation OS version
- Workstation patch level
- Outlook version
- Office version
- Drive mappings not defined by GPO
- Total computer objects
- Disabled
- Grouped by function
- Workstations
- Initial count
- Ongoing count for growth projections
- Stale
- Disabled
- Servers
- Initial count
- Ongoing count for growth projections
- Stale
- Disabled
- Contacts
- Count
- Logical location
- Groups
- Initial count
- Ongoing count for growth projections
- Empty
- Similar
- Nested
- Global groups
- Global distribution groups
- Domain local security
- Domain local distribution
- Admin built-in groups
- Enterprise Admins
- Schema Admins
- Domain Admins
- DNS Admins
- Administrators
- Account Operators
- Cert Publishers
- Backup Operators
- Print Operators
- Server Operators
- Membership details
- Membership counts
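An added PowerShell example covering the computer, contact and group items above (not part of the original checklist). It assumes the ActiveDirectory module and a 90-day window for "stale" and "new"; the cluster test relies on the `MSClusterVirtualServer` SPN that cluster name objects register.

```powershell
# Computer, contact and group inventory: counts by function, stale and disabled objects,
# missing OS attribute, cluster name objects, empty/nested/duplicate groups, and
# recursive membership of the privileged built-in groups.
Import-Module ActiveDirectory
$cutoff    = (Get-Date).AddDays(-90)     # assumed inactivity / growth window
$computers = @(Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate, whenCreated, servicePrincipalName)

# Split by function. LastLogonDate comes from lastLogonTimestamp (replicated with up to
# 14 days of lag), so "stale" means no logon seen in ~90 days; never-logged-on counts as stale.
$sets = [ordered]@{
    All            = $computers
    Servers        = $computers | Where-Object { $_.OperatingSystem -like '*Server*' }
    Workstations   = $computers | Where-Object { $_.OperatingSystem -and $_.OperatingSystem -notlike '*Server*' }
    NoOsAttribute  = $computers | Where-Object { -not $_.OperatingSystem }   # pre-created, appliances, never joined
    ClusterObjects = $computers | Where-Object { $_.servicePrincipalName -match '^MSClusterVirtualServer/' }  # CNO/VCO
}
foreach ($k in $sets.Keys) {
    $s = @($sets[$k])
    [pscustomobject]@{
        Set      = $k
        Count    = $s.Count
        Disabled = @($s | Where-Object { -not $_.Enabled }).Count
        Stale    = @($s | Where-Object { $_.Enabled -and $_.LastLogonDate -lt $cutoff }).Count
        New90d   = @($s | Where-Object { $_.whenCreated -gt $cutoff }).Count   # growth indicator
    }
}
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending | Select-Object Count, Name

# Contacts, grouped by parent container
Get-ADObject -LDAPFilter '(objectClass=contact)' |
    Group-Object { ($_.DistinguishedName -split ',', 2)[1] } | Select-Object Count, Name

# Groups by category/scope, then empty, nested and identical-membership groups.
# Caveat: primary-group membership (Domain Users, Domain Computers) is not stored in 'member'.
$groups   = @(Get-ADGroup -Filter * -Properties member, GroupCategory, GroupScope)
$groupDns = [System.Collections.Generic.HashSet[string]]::new([string[]]$groups.DistinguishedName, [StringComparer]::OrdinalIgnoreCase)
$groups | Group-Object GroupCategory, GroupScope | Select-Object Count, Name
"Empty groups:  $(@($groups | Where-Object { @($_.member).Count -eq 0 }).Count)"
"Nested groups: $(@($groups | Where-Object { @($_.member | Where-Object { $groupDns.Contains($_) }).Count -gt 0 }).Count)"
$groups | Where-Object { @($_.member).Count -gt 0 } |
    Group-Object { ($_.member | Sort-Object) -join '|' } | Where-Object Count -gt 1 |
    ForEach-Object { 'Identical membership: ' + ($_.Group.Name -join ' == ') }

# Privileged built-in groups, resolved recursively with LDAP_MATCHING_RULE_IN_CHAIN
# (the checklist's "DNS Admins" is the group named DnsAdmins).
$privileged = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'DnsAdmins', 'Administrators',
              'Account Operators', 'Cert Publishers', 'Backup Operators', 'Print Operators', 'Server Operators'
foreach ($name in $privileged) {
    $g = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $g) { continue }   # Enterprise Admins and Schema Admins exist only in the forest root
    $members = @(Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))")
    [pscustomobject]@{
        Group   = $name
        Users   = @($members | Where-Object ObjectClass -eq 'user').Count
        Groups  = @($members | Where-Object ObjectClass -eq 'group').Count
        Foreign = @($members | Where-Object ObjectClass -eq 'foreignSecurityPrincipal').Count
        Sample  = (($members.Name | Sort-Object | Select-Object -First 8) -join ', ')
    }
}
```

Foreign security principals inside a privileged group are trust-path admins from another domain or forest; they need to be reconciled with the trust and SID filtering findings from the forest discovery.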
- Group Policy
- Backup all GPOs
- Not linked
- Empty
- Disabled
- No Settings
- Passwords in Group Policy
- Scripts/applications in GPOs
- Bat files
- Exe files
- VBScripts
- KixScripts
- PowerShell scripts
- Images in GPOs
- Default Domain Policy - Standard or modified?
- Default Domain Controllers - Standard or modified?
- Who can join computers to the domain
- Sysvol/Netlogon (What items are stored in Sysvol/Netlogon)
- Bat files
- Exe files
- VBScripts
- KixScripts
- PowerShell scripts
- Images
- Shortcuts
- RDP
- REG
- SCR
- ICO
- INI
- DLL
- MSI
- TXT
- Cer
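An added PowerShell example for the Group Policy and SYSVOL items above (not part of the original checklist). It assumes the ActiveDirectory and GroupPolicy modules, write access to `C:\ADDiscovery` for the backup, read access to the domain's SYSVOL share, the well-known GUIDs of the two default policies, and that the user-rights assignments in the XML report sit under `Computer/ExtensionData/Extension/UserRightsAssignment`.

```powershell
# Group Policy and SYSVOL discovery: backup of every GPO, unlinked/empty/disabled GPOs,
# state of the two default policies, who can join computers, embedded GPP credentials
# (cpassword), and an inventory of the file types stored in SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domain     = Get-ADDomain
$backupPath = "C:\ADDiscovery\GPO_$(Get-Date -Format yyyyMMdd)"   # assumed output folder
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Backup-GPO -All -Path $backupPath | Out-Null                       # Import-GPO / Restore-GPO read this back

# Well-known GUIDs of the two default policies
$defaults = @{
    '31b2f340-016d-11d2-945f-00c04fb984f9' = 'Default Domain Policy'
    '6ac1786c-016f-11d2-945f-00c04fb984f9' = 'Default Domain Controllers Policy'
}
$report = foreach ($g in Get-GPO -All) {
    [xml]$x = Get-GPOReport -Guid $g.Id -ReportType Xml
    $links  = @($x.GPO.LinksTo | Where-Object { $_ })
    [pscustomobject]@{
        Name        = $g.DisplayName
        IsDefault   = $defaults.ContainsKey($g.Id.ToString().ToLower())
        Status      = $g.GpoStatus                  # AllSettingsDisabled = disabled GPO
        Linked      = ($links.Count -gt 0)
        LinkedTo    = ($links.SOMPath -join '; ')
        HasSettings = ($null -ne $x.GPO.Computer.ExtensionData) -or ($null -ne $x.GPO.User.ExtensionData)
        # Version counters increment on every edit; a default policy with high counters and a
        # recent ModificationTime has been customised and needs a settings review before migration.
        Versions    = "C=$($g.Computer.DSVersion) U=$($g.User.DSVersion)"
        Modified    = $g.ModificationTime
    }
}
$report | Where-Object { -not $_.Linked }      | Format-Table Name, Status, HasSettings
$report | Where-Object { -not $_.HasSettings } | Format-Table Name, Linked, Status
$report | Where-Object IsDefault               | Format-List Name, Versions, Modified, LinkedTo

# Who can join computers: ms-DS-MachineAccountQuota on the domain head (default 10 joins per
# authenticated user) plus the "Add workstations to domain" right (SeMachineAccountPrivilege)
# in the Default Domain Controllers Policy.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota: $quota"
[xml]$ddcp = Get-GPOReport -Guid '6ac1786c-016f-11d2-945f-00c04fb984f9' -ReportType Xml
$ddcp.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
    Where-Object { $_.SelectSingleNode('*[local-name()="Name"]').InnerText -eq 'SeMachineAccountPrivilege' } |
    ForEach-Object { 'Add workstations to domain: ' + (($_.SelectNodes('*[local-name()="Member"]/*[local-name()="Name"]') | ForEach-Object InnerText) -join ', ') }

# Group Policy Preferences passwords: any cpassword in SYSVOL is a recoverable credential,
# because the AES key that protects it is published.
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)"
Get-ChildItem -Path "$sysvol\Policies" -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    Select-Object Path, LineNumber

# File-type inventory of SYSVOL (scripts, binaries, installers, certificates, images, shortcuts)
Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction SilentlyContinue |
    Group-Object { $_.Extension.ToLower() } | Sort-Object Count -Descending |
    Select-Object Count, @{n='Ext';e={ if ($_.Name) { $_.Name } else { '(none)' } }},
        @{n='Example';e={ $_.Group[0].FullName }} | Format-Table -AutoSize
```

Read every `.bat`, `.vbs`, `.kix` and `.ps1` the inventory turns up before a migration: logon scripts routinely carry hard-coded server names, drive mappings and sometimes credentials that the GPO report itself never shows.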