This PowerShell script provides comprehensive monitoring and maintenance capabilities for Active Directory environments. It performs various health checks, generates detailed reports, and optionally fixes common issues.
- Domain Controller service monitoring
- AD replication status checks
- FSMO roles verification
- DNS health assessment
- Database and log file analysis
- Account status monitoring
- Group Policy verification
- Automated issue remediation
- HTML report generation
- Windows Server with AD DS role
- PowerShell 5.1 or higher
- Active Directory PowerShell module
- DNS Server PowerShell module
- Domain Admin or Enterprise Admin privileges
- Remote PowerShell enabled on target DCs
- `DomainController`: Target DC name (default: local computer)
- `ReportPath`: HTML report output path (default: Desktop)
- `MaxPasswordAge`: Maximum password age in days (default: 90)
- `InactiveDays`: Days to consider account inactive (default: 30)
- `FixIssues`: Switch to enable automatic issue remediation
```powershell
# Basic health check of local DC
.\AD-HealthMonitor.ps1

# Monitor specific DC with custom report path
.\AD-HealthMonitor.ps1 -DomainController "DC01" -ReportPath "C:\Reports\AD-Health.html"

# Check and fix issues automatically
.\AD-HealthMonitor.ps1 -FixIssues

# Custom thresholds for account monitoring
.\AD-HealthMonitor.ps1 -MaxPasswordAge 60 -InactiveDays 45
```
- NTDS service
- DFSR service
- DNS Server service
- Kerberos KDC
- NetLogon
- LDAP connectivity
- Partner status
- Last successful replication
- Replication errors
- Consecutive failures
- Schema Master
- Domain Naming Master
- RID Master
- PDC Emulator
- Infrastructure Master
- Service status
- Zone configuration
- SRV records
- Record counts
- NTDS.dit size
- Log file count
- Available disk space
- Database integrity
- Expired accounts
- Locked accounts
- Password expiration
- Inactive accounts
- GPO status
- Version information
- Modification times
- Link status
- Domain Controller Health
  - Service status overview
  - Critical service alerts
  - Connectivity status
- Replication Health
  - Partner status matrix
  - Error indicators
  - Timing metrics
- FSMO Roles
  - Role distribution
  - Holder verification
  - Transfer status
- DNS Status
  - Zone health
  - Record verification
  - Service metrics
- Database Information
  - Size metrics
  - Growth trends
  - Space utilization
- Account Status
  - Problem accounts
  - Security issues
  - Compliance status
- Group Policy
  - Policy inventory
  - Version control
  - Application status
When `-FixIssues` is specified, the script can:
- Unlock locked accounts
- Enable disabled accounts
- Reset password expiration
- Clear replication errors
- Fix DNS record issues
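
Because `-FixIssues` can unlock and re-enable accounts, it helps to list the accounts in those categories before running it; disabled accounts in particular are often disabled on purpose. The following is an added example, not code from AD-HealthMonitor.ps1: a read-only query built on the ActiveDirectory module, using the README's default thresholds. The function name `Get-AccountReviewList` and the CSV path are hypothetical, and how the script itself selects accounts is not shown on this page.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of AD-HealthMonitor.ps1. Read-only: queries only.
# Get-AccountReviewList is a hypothetical name; defaults mirror the README.
function Get-AccountReviewList {
    [CmdletBinding()]
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$MaxPasswordAge = 90,
        [int]$InactiveDays = 30
    )
    $ErrorActionPreference = 'Stop'   # make query failures catchable below
    $common    = @{ Server = $DomainController; UsersOnly = $true }
    $pwdCutoff = (Get-Date).AddDays(-$MaxPasswordAge)
    $idleSpan  = New-TimeSpan -Days $InactiveDays

    # Category label -> read-only query. Inactive relies on the replicated
    # lastLogonTimestamp attribute, which can lag real logons by up to ~14 days.
    $queries = [ordered]@{
        Locked        = { Search-ADAccount @common -LockedOut }
        Disabled      = { Search-ADAccount @common -AccountDisabled }
        Expired       = { Search-ADAccount @common -AccountExpired }
        Inactive      = { Search-ADAccount @common -AccountInactive -TimeSpan $idleSpan }
        StalePassword = {
            Get-ADUser -Server $DomainController -Properties PasswordLastSet `
                -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' |
                Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $pwdCutoff }
        }
    }

    foreach ($category in $queries.Keys) {
        try {
            & $queries[$category] | ForEach-Object {
                [pscustomobject]@{
                    Category          = $category
                    SamAccountName    = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                }
            }
        } catch {
            # One failing query (permissions, unreachable DC) should not hide the rest.
            Write-Warning "Query '$category' failed on ${DomainController}: $($_.Exception.Message)"
        }
    }
}

# Summarise per category, then keep the full list for review.
$review = Get-AccountReviewList -DomainController 'DC01'
$review | Group-Object Category | Select-Object Name, Count
$review | Export-Csv -Path .\account-review.csv -NoTypeInformation
```

An account can appear under more than one category, so the per-category counts may add up to more than the number of distinct accounts.
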
The script includes comprehensive error handling:
- Connection failures
- Permission issues
- Service problems
- Resource constraints
- Replication errors
- Scheduling
  - Run during off-peak hours
  - Schedule regular checks
  - Maintain report history
- Permissions
  - Use dedicated service account
  - Apply least privilege
  - Audit access
- Monitoring
  - Review reports regularly
  - Track trends
  - Set up alerts
Common issues and solutions:
- Access Denied
  - Verify account permissions
  - Check group membership
  - Review security logs
- Connectivity Issues
  - Check network connectivity
  - Verify DNS resolution
  - Test RPC connectivity
- Report Generation
  - Check disk space
  - Verify write permissions
  - Review error logs
- Fork the repository
- Create a feature branch
- Submit pull request with:
  - Clear description
  - Test results
  - Documentation updates
This script is released under the MIT License.
- 1.0.0 (2024-01-20)
  - Initial release
  - Basic monitoring features
  - HTML report generation
- Microsoft Active Directory team
- PowerShell community
- Contributing developers