Beruflich Dokumente
Kultur Dokumente
Active Directory
1) Review User Accounts and remove retired accounts.
2) Run Microsofts Domain Controller Diagnostics From a command prompt, run dcdiag.exe (on DC
only). If the commands are unrecognized, install Windows Support Tools.
3) Verify that approved password policy is being enforced.
4) Review the domain controller disk space reports.
5) Check your backups - AD backup includes capturing system state, information related to AD database,
logs, registry, boot files, SYSVOL and other system files.
6) Check to make sure that AD replication is working correctly. To check, you can run the following
command:
repadmin /showrepl
7) Check event logs for persistent errors.
8) Perform defragmentation to increase performance as large directories running for long time can get
large and fragmented.
9) Verify integrity of AD DS database files with respect to AD semantics using NTDSUTIL.
DNS
1) Review DNS Records for obsolete static entries.
2) Ensure DNS Scavenging is configured.
3) Clean up forwarders
4) Remove stale zones
5) Remove WINS dependencies (DNS is fully capable of providing all long and short name resolution
services)
6) Security Aspects
- Allow only secure dynamic updates for all DNS zones. This ensures that only authenticated users can
submit DNS updates using a secure method, which helps prevent the IP addresses of trusted hosts from
being hijacked by an attacker.
- If the server running the DNS Server service is a domain controller, use AD ACLs to secure access
control of the DNS Server service.
DHCP
1) As always, check logs for critical DHCP related events. It would be recommended to implement a
proactive monitoring solution for real-time data.
2) Frequent maintenance of the DHCP database is needed to keep it functioning properly and to recover
whitespace. While DHCP is configured to do online maintenance to the database by default when there
are no client requests; for busy DHCP servers, which possibly doesn't have downtime, it is recommended
to run offline maintenance against the dhcp.mdb file on a quarterly or half-yearly basis.
On a DHCP server computer, open a command prompt (Administrative access)
Use the Jetpack.exe tool to perform offline compaction.
Syntax: jetpack database_name temporary_database_name
Example:
cd WINDOWS\system32\dhcp
net stop dhcpserver
jetpack dhcp.mdb tmp.mdb
net start dhcpserver
This should work for both Windows Server 2003 and Windows Server 2008
http://community.spiceworks.com/how_to/11521-checklist-ad-dns-dhcp
http://serverfault.com/questions/191096/daily-weekly-monthly-annualsysadmin-tasks
This should probably be community wiki. I'm trying to come up with a list of all the sysadmin
tasks that we should be doing on a regular basis because I believe we're not doing enough
at our company. The attitude around here is that fixing problems is inconvenient, but we
don't have time to do preventative maintenance or continuous improvement.
Daily:
Weekly:
Monthly:
Annual:
If you have insufficient time to do preventative maintenance and spend most of your time
solving problems your entire methodology needs to be revised. Rather than tell you what
you should be doing each period I'll give you some ideas so that you won't have to do
things.
Fist up you need a good monitoring system and as much automation as you can manage.
These two items should free up more time than many admins realise until after they have it
set up well.
Just a few of the things your monitoring system should be doing for you are:
Alert you when mail or spam filter queues grow too large or too suddenly.
Alert you when drive space gets too low, CPU use gets too high, etc.
Record things like disk utilisation so that you can see trends over time.
Same thing for anything serving the outside world. e.g. DNS and web servers.
Alert you if AV updates are too old of if any machine has the AV software turned off
or uninstalled.
Here are some monthly backups you might not have thought of:
1) Even if automated, I still copy my core network switch config to a local machine
2) Firewall configs
3) SAN configs
4) exported ISA configs (win 2003)
5) DHCP static reservations (win 2008)
6) DNS entries (win 2008)
7) Encryption keys (stored in binary files) to KeePass, especially since our backups are
encrypted - additionally saved outside of our backup systems
8) our IT documentation folder, additionally saved outside of our backup systems