
Checklist - AD, DNS, DHCP

Active Directory
1) Review User Accounts and remove retired accounts.
2) Run Microsoft's Domain Controller Diagnostics. From a command prompt on a domain controller, run
dcdiag.exe. If the command is not recognized (Windows Server 2003), install the Windows Support Tools;
on Windows Server 2008 and later dcdiag is built in.
3) Verify that approved password policy is being enforced.
4) Review the domain controller disk space reports.
5) Check your backups. An AD backup is a system state backup, which captures the AD database (NTDS.dit)
and its transaction logs, the registry, boot files, SYSVOL and other system files.
6) Check that AD replication is working correctly. To check, run the following command on a domain
controller (repadmin /replsummary gives a per-DC summary of failures if the full output is too long):
repadmin /showrepl
7) Check event logs for persistent errors.
8) Perform an offline defragmentation of the database to increase performance, as large directories that
have been running for a long time grow and become fragmented. This requires AD DS to be stopped (or
the DC to be booted into Directory Services Restore Mode on Windows Server 2003).
9) Verify the integrity of the AD DS database files with respect to AD semantics using NTDSUTIL
(semantic database analysis); like the defragmentation, this runs against an offline database.
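The following PowerShell script is an added example and is not part of the original checklist. It runs items 1 to 7 above as one health pass and writes a report to disk. It assumes an elevated session on a domain controller with the ActiveDirectory RSAT module and PowerShell 3.0 or later (dcdiag and repadmin are built in on Windows Server 2008 and later). $StaleDays, $MinFreePct, $ReportDir and the password baseline are assumed values; set them to the site's approved policy.

```powershell
# Added example, not from the original checklist. Assumptions: elevated session
# on a DC, ActiveDirectory module present, PowerShell 3.0+. The parameter
# defaults and the password baseline are assumed values.
param(
    [int]$StaleDays = 90,
    [int]$MinFreePct = 15,
    [string]$ReportDir = 'C:\ADHealth'
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$report = Join-Path $ReportDir "ad-health-$stamp.txt"
$cutoff = (Get-Date).AddDays(-$StaleDays)
function Section($title) { "`n== $title ==" | Out-File $report -Append }

# 1) Retired accounts: enabled users with no logon for $StaleDays. LastLogonDate
#    is derived from lastLogonTimestamp, which replicates but lags by up to
#    14 days, so treat hits as candidates to disable, not to delete outright.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object {
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $cutoff
    } |
    Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv (Join-Path $ReportDir "stale-users-$stamp.csv") -NoTypeInformation

# 2) dcdiag /q prints only failing tests, so an empty section is a pass.
Section 'dcdiag /q'
dcdiag.exe /q 2>&1 | Out-File $report -Append

# 3) Password policy: effective default domain policy against the assumed
#    baseline; fine-grained policies are listed too since they override it.
Section 'password policy'
$p = Get-ADDefaultDomainPasswordPolicy
@(
    @{ Check = 'MinPasswordLength >= 14';       Pass = $p.MinPasswordLength -ge 14 }
    @{ Check = 'ComplexityEnabled';             Pass = $p.ComplexityEnabled }
    @{ Check = 'LockoutThreshold between 1..10'; Pass = $p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 10 }
    @{ Check = 'ReversibleEncryption disabled'; Pass = -not $p.ReversibleEncryptionEnabled }
) | ForEach-Object {
    $label = if ($_.Pass) { 'PASS' } else { 'FAIL' }
    "$label  $($_.Check)"
} | Out-File $report -Append
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo | Format-List | Out-File $report -Append

# 4) Disk space on every fixed volume, flagging those under $MinFreePct. The
#    volume holding NTDS.dit (path read from the registry) is the critical one.
$dit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
Section "disk space (NTDS.dit at $dit)"
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $pct  = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
    $flag = if ($pct -lt $MinFreePct) { 'LOW' } else { 'ok ' }
    '{0} {1} {2}% free of {3:N0} GB' -f $flag, $_.DeviceID, $pct, ($_.Size / 1GB)
} | Out-File $report -Append

# 5) Backups: each partition records when it was last backed up.
Section 'last backup per partition'
repadmin /showbackup 2>&1 | Out-File $report -Append

# 6) Replication: the CSV form of /showrepl is easy to filter; every partner
#    link with failures is listed with its last status code.
Section 'replication failures'
$fail = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($fail) {
    $fail | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize | Out-String -Width 200 | Out-File $report -Append
} else { 'none' | Out-File $report -Append }

# 7) Persistent errors: critical/error events from the AD-related logs in the
#    last 24 hours, grouped so a repeating event ID stands out.
Section 'errors, last 24h'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service', 'DFS Replication', 'DNS Server', 'System'
    Level     = 1, 2
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Group-Object LogName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n = 'Sample'; e = { $_.Group[0].Message.Split("`n")[0] }} |
    Format-Table -AutoSize | Out-String -Width 200 | Out-File $report -Append

# 8) and 9) (offline defragmentation, semantic database analysis) need AD DS
#    stopped and are deliberately left to a maintenance window.
Write-Host "Report written to $report"
```

Run it from a scheduled task on one DC per site and keep the reports; the stale-user CSV and the error counts are most useful when compared with the previous run rather than read in isolation.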

DNS
1) Review DNS Records for obsolete static entries.
2) Ensure DNS Scavenging is configured.
3) Clean up forwarders (drop upstream resolvers that are no longer reachable or no longer approved).
4) Remove stale zones (zones for domains that no longer exist or are now hosted elsewhere).

5) Remove WINS dependencies. DNS with a DNS suffix search list resolves both fully qualified and
single-label names, so WINS is only needed for legacy applications that still rely on NetBIOS name
resolution.
6) Security aspects
- Allow only secure dynamic updates for all DNS zones. Secure-only updates are available for Active
Directory-integrated zones; each record is then an AD object that only the account which registered it
(or an administrator) may change, so an attacker on the network cannot overwrite the records of trusted
hosts and redirect their traffic.
- If the server running the DNS Server service is a domain controller, use Active Directory ACLs on the
zone and record objects to control who can read, create and modify them, rather than relying on file
permissions on zone files.
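The script below is an added example, not part of the original checklist. It audits items 2, 3 and 6 above with the DnsServer module, which exists on Windows Server 2012 and later (newer than the servers the checklist was written for). It is a dry run by default and only changes settings when -Fix is given. The interval values and the name used to test forwarders are assumed; the aging intervals should be at least as long as the DHCP lease time.

```powershell
# Added example, not from the original checklist. Assumes the DnsServer module
# (Windows Server 2012+) and an elevated session. Intervals and the probe name
# are assumed values.
param(
    [string]$Server = $env:COMPUTERNAME,
    [switch]$Fix,
    [TimeSpan]$NoRefresh = '7.00:00:00',
    [TimeSpan]$Refresh   = '7.00:00:00'
)
Import-Module DnsServer

# 6) Dynamic updates: 'Secure' needs an AD-integrated zone, where each record
#    is an AD object that only its creator (or an admin) may overwrite. A
#    file-backed zone can never be 'Secure', so it must be converted first.
$zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    if ($z.DynamicUpdate -ne 'NonsecureAndSecure') { continue }
    if ($z.IsDsIntegrated) {
        Write-Warning "$($z.ZoneName): accepts unauthenticated dynamic updates"
        if ($Fix) {
            Set-DnsServerPrimaryZone -ComputerName $Server -Name $z.ZoneName -DynamicUpdate Secure
        }
    } else {
        Write-Warning ("$($z.ZoneName): file-backed zone with nonsecure updates; convert it with " +
            "Set-DnsServerPrimaryZone -ReplicationScope Domain, then set -DynamicUpdate Secure")
    }
}

# 2) Scavenging has two halves: the zone must age its records and the server
#    must run the scavenger. Either one alone removes nothing.
$sv = Get-DnsServerScavenging -ComputerName $Server
if (-not $sv.ScavengingState) {
    Write-Warning "$Server: scavenging is disabled at the server level"
    if ($Fix) {
        Set-DnsServerScavenging -ComputerName $Server -ScavengingState $true `
            -ScavengingInterval $Refresh -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
    }
}
foreach ($z in ($zones | Where-Object { $_.IsDsIntegrated })) {
    $aging = Get-DnsServerZoneAging -ComputerName $Server -Name $z.ZoneName
    if (-not $aging.AgingEnabled) {
        Write-Warning "$($z.ZoneName): aging is off, stale records will never be scavenged"
        if ($Fix) {
            Set-DnsServerZoneAging -ComputerName $Server -Name $z.ZoneName -Aging $true `
                -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
        }
    }
}

# 3) Forwarders: query each upstream resolver directly and report the ones
#    that no longer answer, so dead entries can be removed.
foreach ($ip in (Get-DnsServerForwarder -ComputerName $Server).IPAddress) {
    try {
        Resolve-DnsName -Server $ip -Name 'www.microsoft.com' -Type A -DnsOnly -ErrorAction Stop | Out-Null
        Write-Host "forwarder $ip ok"
    } catch {
        Write-Warning "forwarder $ip failed: $($_.Exception.Message); consider removing it"
    }
}
```

Run it without -Fix first and review the warnings; turning on scavenging against a zone that has never aged is safe only after the no-refresh plus refresh window has passed, since records registered before aging was enabled carry no timestamp and are not scavenged until they are refreshed.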

DHCP
1) As always, check the logs for critical DHCP-related events. A proactive monitoring solution that
alerts in real time is recommended.
2) Frequent maintenance of the DHCP database is needed to keep it functioning properly and to recover
white space. By default DHCP performs online maintenance of the database when there are no client
requests; on busy DHCP servers, which may never be idle, it is recommended to run an offline
compaction of the dhcp.mdb file on a quarterly or half-yearly basis.
On the DHCP server, open a command prompt with administrative rights and back up the database first
(netsh dhcp server backup <path>). Then use the Jetpack.exe tool to perform the offline compaction;
the DHCP Server service must be stopped while it runs.
Syntax: jetpack database_name temporary_database_name
Example:
cd %SystemRoot%\system32\dhcp
net stop dhcpserver
jetpack dhcp.mdb tmp.mdb
net start dhcpserver
This works on both Windows Server 2003 and Windows Server 2008.
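The script below is an added example, not part of the original checklist. It wraps the jetpack steps above with a backup, exit-code checks and a guard that restarts the service even if the compaction fails. Run it elevated on the DHCP server; $BackupRoot is an assumed path.

```powershell
# Added example, not from the original checklist. Assumes an elevated session
# on the DHCP server; $BackupRoot is an assumed path.
param([string]$BackupRoot = 'C:\DHCPBackup')
$ErrorActionPreference = 'Stop'
$dhcpDir = Join-Path $env:SystemRoot 'system32\dhcp'
$backup  = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. Back up the live database and configuration first (works while the
#    service is running); the compaction rewrites dhcp.mdb in place.
& netsh dhcp server backup "$backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "DHCP backup failed, aborting" }

# 2. Stop the service and wait until it has released the database files.
Stop-Service dhcpserver
(Get-Service dhcpserver).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    Push-Location $dhcpDir
    $before = (Get-Item dhcp.mdb).Length
    # 3. Offline compaction: jetpack writes a compacted copy to tmp.mdb and
    #    then replaces dhcp.mdb with it. A non-zero exit leaves dhcp.mdb as is.
    & jetpack.exe dhcp.mdb tmp.mdb
    if ($LASTEXITCODE -ne 0) { throw "jetpack failed with exit code $LASTEXITCODE" }
    $after = (Get-Item dhcp.mdb).Length
    Write-Host ('dhcp.mdb: {0:N0} -> {1:N0} bytes' -f $before, $after)
} finally {
    Pop-Location
    # 4. Always bring the service back, even if compaction failed, so clients
    #    do not lose leases because of a maintenance script.
    Start-Service dhcpserver
    (Get-Service dhcpserver).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}
```

The size printed at the end is the only visible result; if it does not shrink, the database was already compact and the quarterly interval can be relaxed.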

http://community.spiceworks.com/how_to/11521-checklist-ad-dns-dhcp
http://serverfault.com/questions/191096/daily-weekly-monthly-annualsysadmin-tasks

This should probably be community wiki. I'm trying to come up with a list of all the sysadmin
tasks that we should be doing on a regular basis because I believe we're not doing enough
at our company. The attitude around here is that fixing problems is inconvenient, but we
don't have time to do preventative maintenance or continuous improvement.
Daily:

swap nightly backup tape/drive

check that antivirus updates were pushed out to all systems

Weekly:

swap weekly backup tape/drive

clean temporary files from all systems

defrag all systems

Monthly:

plan infrastructure improvements

deliver/send obsolete equipment to electronics recycler

rebuild or replace aging workstations

test restore from backup

Annual:

rebuild or replace aging servers

replace UPS batteries

If you have insufficient time to do preventative maintenance and spend most of your time
solving problems your entire methodology needs to be revised. Rather than tell you what
you should be doing each period I'll give you some ideas so that you won't have to do
things.
First up you need a good monitoring system and as much automation as you can manage.
These two items should free up more time than many admins realise until after they have it
set up well.
Just a few of the things your monitoring system should be doing for you are:

Alert you when mail or spam filter queues grow too large or too suddenly.

Alert you when drive space gets too low, CPU use gets too high, etc.

Record things like disk utilisation so that you can see trends over time.

Same thing with mailboxes.

Alert you when the firewall registers an abnormal number of hits.

Same thing for anything serving the outside world. e.g. DNS and web servers.

Alert you if AV updates are too old or if any machine has the AV software turned off
or uninstalled.

Defragging shouldn't even be on your list of tasks because it should be an automated
process. At your desired interval have the server run disk checks and a defrag after a
reboot. Consider tying this in with a system to install queued updates and patches (which
have previously been tested on a non-production machine).
Temporary folders can also be cleaned with automation. I create a simple application that is
triggered after a reboot which waits for 10 minutes and then cleans out all temporary
locations. The delay is to ensure it doesn't delete files that may be required for an install or
upgrade that completes after the reboot (learned that the hard way!).
One thing you must do manually at whatever time period suits you is to monitor the
monitoring system and automation, just to be safe. I check mine daily but haven't actually
encountered an issue for over a year.
When you do get your system and automation going make sure you also have a version
control system to put it in. It can be really annoying to discover that last little tweak broke
something else but you can't remember exactly what you changed.

Here are some monthly backups you might not have thought of:
1) Even if automated, I still copy my core network switch config to a local machine
2) Firewall configs
3) SAN configs
4) exported ISA configs (win 2003)
5) DHCP static reservations (win 2008)
6) DNS entries (win 2008)
7) Encryption keys (stored in binary files) to KeePass, especially since our backups are
encrypted - additionally saved outside of our backup systems
8) our IT documentation folder, additionally saved outside of our backup systems
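The script below is an added example and is not part of the answer above. It produces the monthly export of items 5 and 6 in that list (DHCP reservations, DNS entries) in a form that can be diffed against the previous month. It uses the DhcpServer and DnsServer modules (Windows Server 2012 and later; on Windows Server 2008 the equivalents are netsh dhcp server export and dnscmd /zoneexport). $Dest and the server names are assumed values, and the destination should sit outside the normal backup chain as the answer suggests.

```powershell
# Added example, not from the answer above. Assumes the DhcpServer and
# DnsServer modules, an account with rights on both servers, and that the
# admin$ share of the DNS server is reachable. Names and paths are assumed.
param(
    [string]$DhcpServer = 'dhcp01',
    [string]$DnsServer  = 'dc01',
    [string]$Dest = "\\fileserver\itconfig\$(Get-Date -Format 'yyyy-MM')"
)
$ErrorActionPreference = 'Stop'
Import-Module DhcpServer, DnsServer
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# DHCP: the XML export is what Import-DhcpServer restores from (the -File path
# is taken relative to the machine running this script); the CSV lists one
# reservation per line so a diff shows exactly which entries changed.
Export-DhcpServer -ComputerName $DhcpServer -File (Join-Path $Dest 'dhcp-full.xml') -Leases -Force
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $_.ScopeId
} | Select-Object ScopeId, IPAddress, ClientId, Name, Description |
    Sort-Object ScopeId, { [version]$_.IPAddress.ToString() } |
    Export-Csv (Join-Path $Dest 'dhcp-reservations.csv') -NoTypeInformation

# DNS: every primary zone as a zone file (restorable with dnscmd /zoneadd
# /load) plus a CSV of its records. Export-DnsServerZone always writes under
# %SystemRoot%\system32\dns on the DNS server, so the file is copied out.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    $file = "backup-$($z.ZoneName).dns"
    Export-DnsServerZone -ComputerName $DnsServer -Name $z.ZoneName -FileName $file
    Copy-Item "\\$DnsServer\admin`$\system32\dns\$file" (Join-Path $Dest $file)
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z.ZoneName |
        Select-Object HostName, RecordType, TimeToLive,
            @{n = 'Data'; e = { ($_.RecordData.CimInstanceProperties | ForEach-Object { $_.Value }) -join ' ' }} |
        Sort-Object HostName, RecordType |
        Export-Csv (Join-Path $Dest "dns-$($z.ZoneName).csv") -NoTypeInformation
}
Write-Host "Exports written to $Dest"
```

Keeping the previous month's folder next to the new one makes a plain file comparison (Compare-Object on the CSVs) enough to spot a reservation or record that was changed without a ticket.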
