What's New in AD DS: Active Directory Best Practices Analyzer

Applies To: Windows Server 2008 R2

What are the major changes?

Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server 2008 R2 for the following server roles:

  • Active Directory Domain Services (AD DS)

  • Active Directory Certificate Services (AD CS)

  • DNS Server

  • Terminal Services

AD DS BPA can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface. For more information, see Running and Filtering Scans in Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=134007).

Who will be interested in this feature?

The following groups might be interested in AD DS BPA in Windows Server 2008 R2:

  • Early adopters of Windows Server 2008 R2 and information technology (IT) administrators, planners, and analysts who are technically evaluating Windows Server 2008 R2

  • Enterprise IT planners and designers

  • IT operations managers who are accountable for network and server management, IT hardware and software budgets, and technical decisions

  • AD DS administrators

What new functionality does AD DS BPA provide?

Server Manager in Windows Server 2008 R2 includes a BPA engine that can run the AD DS BPA service. The AD DS BPA service consists of the following components:

  • AD DS BPA Windows PowerShell script: The script collects AD DS configuration data and stores it in an XML document.

  • XML schema: The schema defines the format of the XML document that the AD DS BPA Windows PowerShell script produces; that format follows the logical structure of the directory.

  • AD DS BPA rules: The rules define the best-practice configuration for an AD DS environment.

  • AD DS BPA guidance: This information can help administrators make adjustments to their AD DS environment to comply with the best practice configuration.

Note

The AD DS BPA service in Windows Server 2008 R2 can successfully collect AD DS configuration information from domain controllers that are running Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

When you run the AD DS BPA scan on a domain controller, the BPA engine invokes the AD DS BPA Windows PowerShell script that collects configuration data from the AD DS environment that this domain controller belongs to.

The AD DS BPA Windows PowerShell script then saves the collected AD DS configuration data to an XML document. The BPA run-time engine validates this XML document against the XML schema.

Next, the BPA engine applies each rule in the AD DS BPA rules set to this XML document. If the configuration data in the XML document does not violate the best practice that is defined in a particular AD DS BPA rule, this rule appears as compliant in the Server Manager GUI.

If the BPA engine detects a best-practice violation in the XML document against a particular AD DS BPA rule, the corresponding noncompliant guidance for that rule appears in the Server Manager GUI. The noncompliant guidance for each AD DS BPA rule includes a description of the AD DS BPA violation (the problem), a description of the impact that this violation can have on the rest of your AD DS environment, and a recommendation regarding how to resolve the AD DS BPA violation.
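The scan, filter and exclude steps described above, driven from the Windows PowerShell cmdlets rather than the Server Manager GUI. This is an added example, not code from the original page. It assumes Windows Server 2008 R2 with the BestPractices module, that the caller is a local administrator on the domain controller, and that the AD DS model ID is Microsoft/Windows/DirectoryServices (confirm it against your own Get-BPAModel output). The title pattern used for the exclusion is an assumption and should be adjusted to the title shown in Server Manager.

```powershell
# Added example (not from the original page): run the AD DS BPA scan from Windows PowerShell,
# print the noncompliant guidance (problem, impact, resolution) for each violation, and
# exclude one accepted result so it no longer appears in the report.
# Assumes Windows Server 2008 R2, the BestPractices module, and local Administrators rights.
Import-Module BestPractices

# List installed BPA models with the time of their last scan.
Get-BPAModel | Format-Table Id, Name, LastScanTime -AutoSize

# AD DS model ID as shown by Get-BPAModel on Windows Server 2008 R2 (assumption: verify locally).
$modelId = "Microsoft/Windows/DirectoryServices"

# Run the scan: the engine invokes the collection script, validates the XML document
# against the schema and applies every rule in the AD DS rule set.
Invoke-BPAModel -BestPracticesModelId $modelId

# Retrieve only the rules that were violated; -Filter All would include compliant rules too.
$results = Get-BPAResult -BestPracticesModelId $modelId -Filter Noncompliant

# Show the guidance attached to each violation.
foreach ($r in ($results | Sort-Object Severity, Title)) {
    "{0} [{1}]" -f $r.Title, $r.Severity
    "  Problem:    " + $r.Problem
    "  Impact:     " + $r.Impact
    "  Resolution: " + $r.Resolution
    ""
}

# Exclude a result you have reviewed and accepted (for example the two-DC rule in a lab domain).
# The title pattern is an assumption; match it to the title Server Manager displays.
# Set -Exclude $false later to make the result visible again.
$results |
    Where-Object { $_.Title -like "*at least two*" } |
    Set-BPAResult -Exclude $true

# Export the full result set, including compliant and excluded rules, for review or ticketing.
Get-BPAResult -BestPracticesModelId $modelId -Filter All |
    Select-Object ResultId, RuleId, Severity, Category, Title, Compliance, Excluded |
    Export-Csv -Path "$env:TEMP\adds-bpa.csv" -NoTypeInformation
```

Exclusions are stored per model on the domain controller where the scan ran; re-running Invoke-BPAModel keeps them, so review the Excluded column of the export periodically rather than assuming an excluded rule is still acceptable.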

The following illustration describes the functionality of AD DS BPA.

In the Windows Server 2008 R2 Beta release, the AD DS BPA scan verifies the following AD DS configuration settings:

  • Domain Name System (DNS)-related rules, which verify the following conditions, among others:

    • The domain controller is able to reach a DNS server and retrieve DNS records that are associated with this domain controller.

    • All required host (A or AAAA) resource records for this domain controller are registered in DNS.

    • All required DNS host (A or AAAA) resource records for this domain controller are registered in DNS with correct IP addresses.

    • All required site-specific and global service (SRV) resource records for this domain controller are registered in DNS.

    • The required alias (CNAME) resource record for this domain controller is registered in DNS.

  • Operations master (also known as flexible single master operations or FSMO) connectivity rules, which verify whether the domain controller can connect to the relative ID (RID) operations master and the primary domain controller (PDC) emulator operations master in this domain.

  • Operations master role ownership rules, which verify the following conditions:

    • The schema master role and the domain naming master role are owned by the same domain controller in the forest.

    • The RID master role and the PDC emulator master role are owned by the same domain controller in the domain.

  • Number of domain controllers in the domain rule, which verifies that the domain has at least two functioning domain controllers.

  • Required services-related rules, which verify the following conditions:

    • The AD DS service must be running on this domain controller.

    • The Active Directory Web Services (ADWS) service must be running on this domain controller.

    • The Active Directory module for Windows PowerShell must be installed and functioning properly on this domain controller.

  • Replication configuration rules, which verify the following conditions:

    • Strict replication consistency should be enabled on all domain controllers in this forest.

    • Each site in this forest should contain at least one global catalog server or have universal group membership caching enabled.

    • The Knowledge Consistency Checker (KCC) should be enabled in this site in this forest to generate an optimal replication topology.

  • Windows Time service (W32time) configuration rules, which verify the following conditions:

    • The value of MaxPosPhaseCorrection and MaxNegPhaseCorrection on this domain controller should be equal to 48 hours (172,800 seconds).

    • The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source.

  • A virtual machine (VM) configuration rule, which detects whether the domain controller is running on Hyper-V™ and, if it is, provides best practice guidelines for running AD DS in a VM environment.

  • Backup and restore-related rules, which verify the following conditions:

    • The directory partitions on this domain controller have been backed up within the last 8 days.

    • All organizational units (OUs) in this domain are protected from accidental deletion.

    • The resultant backup lifetime in this forest should be equal to or greater than 180 days.
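Several of the rules above can be re-checked by hand, which is useful for confirming a BPA finding on a domain controller where Server Manager is unavailable or for spot-checking a domain controller that the scan did not run on. The script below is an added example and is not the BPA rule set or any code from the original page; it covers the operations master ownership and connectivity rules, the two-domain-controller rule, the required services, strict replication consistency, the W32time phase-correction bounds, the host and global SRV records, and OU deletion protection. It assumes Windows Server 2008 R2 with the Active Directory module, local Administrators rights, and nslookup.exe on the path; the registry locations (NTDS\Parameters and W32Time\Config) are the documented ones, and the 389/tcp reachability test is this example's own stand-in for the BPA connectivity check.

```powershell
# Added example (not the BPA rule set): re-check a subset of the AD DS BPA rules by hand.
# Assumes Windows Server 2008 R2, the ActiveDirectory module, local admin rights, nslookup.exe.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME   # this domain controller
$fqdn   = $dc.HostName
$checks = @()

function Add-Check([string]$Rule, [bool]$Compliant, [string]$Detail) {
    $script:checks += New-Object PSObject -Property @{ Rule = $Rule; Compliant = $Compliant; Detail = $Detail }
}

# Operations master role ownership: schema + domain naming on one DC, RID + PDC on one DC.
Add-Check "Schema and domain naming masters on same DC" `
    ($forest.SchemaMaster -eq $forest.DomainNamingMaster) `
    ("Schema={0} DomainNaming={1}" -f $forest.SchemaMaster, $forest.DomainNamingMaster)
Add-Check "RID and PDC emulator masters on same DC" `
    ($domain.RIDMaster -eq $domain.PDCEmulator) `
    ("RID={0} PDC={1}" -f $domain.RIDMaster, $domain.PDCEmulator)

# Operations master connectivity: LDAP (389/tcp) reachable on the RID master and PDC emulator.
# (Stand-in for the BPA connectivity rule; the engine's own probe is not documented here.)
$roles = @{ RID = $domain.RIDMaster; PDC = $domain.PDCEmulator }
foreach ($role in $roles.GetEnumerator()) {
    $ok = $false
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($role.Value, 389); $ok = $tcp.Connected; $tcp.Close()
    } catch { }
    Add-Check ("Can connect to {0} master" -f $role.Key) $ok $role.Value
}

# Number of domain controllers in the domain: at least two.
$dcCount = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot).Count
Add-Check "Domain has at least two domain controllers" ($dcCount -ge 2) "count=$dcCount"

# Required services: NTDS (AD DS) and ADWS must be running on this DC.
foreach ($svc in "NTDS", "ADWS") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "$svc service running" ($s -ne $null -and $s.Status -eq "Running") ("status=" + $s.Status)
}

# Strict replication consistency: REG_DWORD "Strict Replication Consistency" = 1.
$ntds   = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$strict = $ntds."Strict Replication Consistency"
Add-Check "Strict replication consistency enabled" ($strict -eq 1) "value=$strict"

# W32time: MaxPosPhaseCorrection and MaxNegPhaseCorrection both equal 48 hours (172800 s).
$w32 = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
Add-Check "MaxPos/MaxNegPhaseCorrection = 48 hours" `
    ($w32.MaxPosPhaseCorrection -eq 172800 -and $w32.MaxNegPhaseCorrection -eq 172800) `
    ("Pos={0} Neg={1}" -f $w32.MaxPosPhaseCorrection, $w32.MaxNegPhaseCorrection)

# DNS: the host record resolves to one of this DC's IP addresses, and the global
# _ldap._tcp.dc._msdcs SRV record set names this DC.
$localIps = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
            ForEach-Object { $_.IPAddress }
$resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
$aOk = @($resolved | Where-Object { $localIps -contains $_ }).Count -gt 0
Add-Check "Host (A/AAAA) record matches a local IP" $aOk ("resolved=" + ($resolved -join ","))
$srvName = "_ldap._tcp.dc._msdcs." + $domain.DNSRoot
$srvOut  = & nslookup.exe -type=SRV $srvName 2>&1 | Out-String
$srvOk   = $srvOut -match ("svr hostname\s*=\s*" + [regex]::Escape($fqdn))
Add-Check "Global SRV record lists this DC" $srvOk $srvName

# Backup and restore: every OU in the domain is protected from accidental deletion.
$unprotected = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
                 Where-Object { -not $_.ProtectedFromAccidentalDeletion })
Add-Check "All OUs protected from accidental deletion" ($unprotected.Count -eq 0) `
    (($unprotected | ForEach-Object { $_.DistinguishedName }) -join "; ")

$checks | Format-Table Rule, Compliant, Detail -AutoSize -Wrap
```

The Active Directory module itself depends on ADWS, so if that service is stopped the script fails at Get-ADForest before the service check is reached; that failure is the finding. The site-specific SRV records, the backup age and the backup lifetime rules are not reproduced here, because their inputs (site membership, partition backup timestamps, and the forest's lifetime setting) are not shown on this page.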

How should I prepare to deploy AD DS BPA?

The AD DS BPA service is installed automatically when AD DS is installed on a computer that is running Windows Server 2008 R2 and that computer becomes a domain controller. This includes both writable domain controllers and read-only domain controllers (RODCs). No other preparations are required.

Which editions include AD DS BPA?

AD DS BPA is available in the following editions of Windows Server 2008 R2:

  • Windows Server 2008 R2 Standard

  • Windows Server 2008 R2 Enterprise

  • Windows Server 2008 R2 Datacenter

AD DS BPA is not available in the following editions of Windows Server 2008 R2:

  • Windows Server 2008 R2 for Itanium-Based Systems

  • Windows Web Server 2008 R2