Server Room and Infrastructure · May 10, 2026 · Serdar · 8 min read

Active Directory Health Check: An Annual Maintenance Checklist

TL;DR: An annual Active Directory health check — replication, FSMO roles, GPO, user/group audit, schema health, and an SME maintenance checklist.

Summary: Active Directory (AD) is the identity heart of SME Windows environments — yet it's most often left in "installed, working, ignore" mode. An annual health check covers six basics: replication health (dcdiag, repadmin), confirming FSMO roles sit on the right host, GPO auditing (unused or conflicting settings), user/group hygiene (stale accounts, permission creep), schema backups, and a disaster-recovery test. A poorly tended AD lets former employees keep elevated rights, loses updates because replication is broken, and — once compromised — becomes the attack vector that takes the whole network down.

The default position on AD in SMEs is "no news is good news" — the admin only looks at it when something breaks. But silently accumulating problems eventually do break loudly: replication has been broken for weeks and a password reset never reaches the other DC; the previous employee's domain-admin rights have been active for five years; FSMO roles still point at a host that's been switched off. An annual health check turns those silent problems into something visible.

In this article we offer a practical AD-maintenance checklist at SME scale. Target audience: IT managers, system administrators, and decision-makers who want to turn "should I do an annual AD review?" into concrete steps.

Three Reasons AD Health Matters

1. The Identity Heart

A problem in AD = every user, device, and application is affected. With no domain controller, nobody can log on, email won't open, file shares don't work.

2. An Attack Target

If a domain admin is compromised, the whole network is compromised. AD is the favourite target of ransomware and advanced attacks.

3. Accumulation Effect

An AD that goes 5–10 years without a clean-up carries thousands of unnecessary users, GPO conflicts, and stale group memberships. That accumulation becomes a security and performance risk.

Six Core Health-Check Areas

1. Replication Health

When you have more than one domain controller, replication is critical. Even a single-DC environment should be ready to scale up.

Commands

# Replication summary
repadmin /replsummary

# Detailed replication
repadmin /showrepl

# Replication errors only
repadmin /showrepl * /errorsonly

# Force replication
repadmin /syncall /AeD

Common Issues

  • DNS problems (DCs can't find each other)
  • Network firewall ports closed (135, 445, 389, 636, 88, etc.)
  • Site / subnet configuration off
  • A DC has been offline past the tombstone lifetime
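An added example, not from the original article, that turns the replication check into a scripted report: it pulls the same failure and partner data that repadmin shows, but through the ActiveDirectory module cmdlets, and flags partners that have not replicated within a threshold or that have been silent past the tombstone lifetime (the last item in the list above). It assumes the RSAT ActiveDirectory module and read access to the configuration partition; the 24-hour threshold is illustrative and should follow the site-link schedule.

```powershell
# Added example (not from the original article): replication health report
# via the ActiveDirectory module instead of reading repadmin output by eye.
# Assumptions: RSAT ActiveDirectory module; domain user with read access to the
# configuration partition; thresholds below are illustrative.
Import-Module ActiveDirectory

$MaxHoursSinceSuccess = 24   # inter-site default is 180 min, so 24 h idle is a clear red flag

$forest = Get-ADForest

# 1. Failures recorded by each DC (what repadmin /showrepl * /errorsonly lists)
$failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest

# 2. Per-partner, per-partition metadata for every partition (the repadmin /showrepl view)
$partners = Get-ADReplicationPartnerMetadata -Target $forest.Name -Scope Forest -Partition *

# 3. Tombstone lifetime: a partner silent longer than this cannot be safely re-synced
#    (lingering objects). If the attribute is unset, the legacy 60-day default applies.
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime
$tombstoneDays = if ($dsConfig.tombstoneLifetime) { $dsConfig.tombstoneLifetime } else { 60 }

$now = Get-Date
$stale         = $partners | Where-Object { $_.LastReplicationSuccess -lt $now.AddHours(-$MaxHoursSinceSuccess) }
$pastTombstone = $partners | Where-Object { $_.LastReplicationSuccess -lt $now.AddDays(-$tombstoneDays) }

$report = [pscustomobject]@{
    Forest                = $forest.Name
    PartnerLinks          = @($partners).Count
    FailingLinks          = @($failures).Count
    StalePartners         = @($stale).Count
    PastTombstoneLifetime = @($pastTombstone).Count
    TombstoneLifetimeDays = $tombstoneDays
}
$report | Format-List

# Detail for anything that needs an action
$failures | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError | Format-Table -AutoSize
$stale    | Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or monitoring job can alert on it
if ($report.FailingLinks -gt 0 -or $report.StalePartners -gt 0) { exit 1 }
```

Run it monthly from the same scheduled task that runs dcdiag; the exit code is what makes a "silently broken for weeks" replication problem visible without anyone reading the output.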

2. dcdiag — Overall DC Health

# Full health report
dcdiag /v /c /e

# A specific DC
dcdiag /s:dc01.firma.local /v

# Replication tests
dcdiag /test:replications /e

# DNS tests
dcdiag /test:dns /e

"passed" lines are what you want; any "failed" line needs an action.

3. FSMO Roles Check

The 5 FSMO roles:

  • Schema Master (forest)
  • Domain Naming Master (forest)
  • PDC Emulator (domain)
  • RID Master (domain)
  • Infrastructure Master (domain)

# All FSMO roles
netdom query fsmo

Checks

  • Which DC holds each role? Is it healthy and online?
  • If a single DC holds multiple roles, is there a fallback?
  • With multiple DCs, are the roles distributed sensibly?
  • If the holder is offline, the role needs to be seized
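An added example, not from the original article, that answers the four checks above in one run: it lists every FSMO holder per domain, verifies the holder still exists as a DC object, answers ping and accepts LDAP on 389, and reports hosts that hold more than one role. It assumes the RSAT ActiveDirectory module and network reachability from the admin workstation.

```powershell
# Added example (not from the original article): FSMO holder verification.
# Assumptions: RSAT ActiveDirectory module; ICMP and TCP/389 reachable from this host.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles = [ordered]@{
    'Schema Master'        = $forest.SchemaMaster
    'Domain Naming Master' = $forest.DomainNamingMaster
}
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles["PDC Emulator ($domainName)"]          = $domain.PDCEmulator
    $roles["RID Master ($domainName)"]            = $domain.RIDMaster
    $roles["Infrastructure Master ($domainName)"] = $domain.InfrastructureMaster
}

$results = foreach ($entry in $roles.GetEnumerator()) {
    $holder = $entry.Value
    # A holder with no DC object left is the "role still points at a switched-off host" case
    $dcObject = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
    $ping = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
    $ldap = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Role    = $entry.Key
        Holder  = $holder
        IsDC    = [bool]$dcObject
        Ping    = $ping
        Ldap389 = $ldap
        Action  = if (-not $dcObject) { 'seize role, then metadata cleanup' }
                  elseif (-not $ldap) { 'investigate; seize only if permanently down' }
                  else { 'ok' }
    }
}
$results | Format-Table -AutoSize

# Concentration check: one host holding every role has no fallback if it dies
$results | Group-Object Holder | Where-Object Count -gt 1 |
    ForEach-Object { "{0} holds {1} roles" -f $_.Name, $_.Count }
```

A single DC holding all five roles is normal at SME scale; the point of the concentration check is to make sure that fact is known and that a second DC exists to seize into if the host dies.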

4. GPO Audit

Group Policy Objects accumulate over the years.

Checks

  • Total GPO count (10–50 is reasonable; 200+ is uncomfortable)
  • Any unlinked GPOs? (unused)
  • Any GPO conflicts?
  • Are WMI filters still working?
  • Is security filtering set correctly?
  • Is there a backup?

Commands

# List every GPO
Get-GPO -All | Select DisplayName, GpoStatus

# Which GPO is linked where?
Get-GPInheritance -Target "ou=Sales,dc=firma,dc=local"

# GPO backup
Backup-GPO -All -Path "D:\GPOBackups"
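An added example, not from the original article, that produces the GPO inventory the checks above ask for: total count, unlinked GPOs (read from the LinksTo element of each GPO's XML report), empty GPOs (both user and computer versions still at 0), attached WMI filter names, and long-untouched objects. It assumes the RSAT GroupPolicy and ActiveDirectory modules and is read-only; the two-year "stale" threshold is illustrative.

```powershell
# Added example (not from the original article): GPO inventory for the annual audit.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules; read-only; thresholds illustrative.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$untouchedDays = 730   # "nobody has changed this in two years"

$inventory = foreach ($gpo in Get-GPO -All -Domain $domain) {
    # The XML report carries the link list (LinksTo); an unlinked GPO has no such element
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain
    $links = @($xml.GPO.LinksTo | Where-Object { $_ })
    $empty = ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0)
    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Status      = $gpo.GpoStatus            # AllSettingsEnabled / UserSettingsDisabled / ...
        Links       = $links.Count
        LinkTargets = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        EmptyGPO    = $empty
        WmiFilter   = $gpo.WmiFilter.Name
        Modified    = $gpo.ModificationTime
        Flags       = @(
            if ($links.Count -eq 0) { 'UNLINKED' }
            if ($empty) { 'EMPTY' }
            if ($gpo.ModificationTime -lt (Get-Date).AddDays(-$untouchedDays)) { 'STALE' }
        ) -join ','
    }
}

"Total GPOs: {0}  (10-50 is reasonable, 200+ is uncomfortable)" -f @($inventory).Count
$inventory | Sort-Object Links, Modified | Format-Table Name, Status, Links, Flags, WmiFilter, Modified -AutoSize

# Candidates for the annual clean-up. Back them up (Backup-GPO) before deleting anything.
$inventory | Where-Object { $_.Flags -match 'UNLINKED|EMPTY' } | Select-Object Name, LinkTargets, Flags
```

The LinkTargets column is what you need when deciding whether an unlinked GPO was deliberately unlinked as a rollback or simply forgotten; the GPO comment field, if your team uses it, is the other place to look.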

5. User and Group Hygiene

The most often-skipped area.

Checks

  • Stale accounts (90+ days without a logon)
  • Accounts whose password is more than a year old
  • Not-disabled accounts that haven't been used in a long time
  • Domain Admins / Enterprise Admins membership (review it)
  • Service accounts (have their passwords rotated?)
  • Nested group memberships (token-bloat risk)

Commands

# Users not logged on for 90+ days (TimeSpan takes days.hh:mm:ss; a bare 90 would be read as 90 ticks)
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
  Select Name, LastLogonDate

# Not disabled, but long inactive
Get-ADUser -Filter * -Properties LastLogonDate, Enabled |
  Where-Object {$_.Enabled -eq $true -and $_.LastLogonDate -lt (Get-Date).AddDays(-90)}

# Domain Admins members
Get-ADGroupMember "Domain Admins"
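An added example, not from the original article, that covers the whole hygiene list in one report rather than one query per item: stale enabled accounts, accounts that never logged on, passwords older than a year, service-account-like accounts (SPN registered or password set to never expire), and privileged-group membership expanded recursively so nested groups cannot hide members. It assumes the RSAT ActiveDirectory module; the group names are the built-in ones and the thresholds are illustrative.

```powershell
# Added example (not from the original article): user/group hygiene report.
# Assumptions: RSAT ActiveDirectory module; built-in privileged group names; illustrative thresholds.
# LastLogonDate derives from lastLogonTimestamp, which replicates with up to 14 days of slack:
# fine for a 90-day stale threshold, not for exact logon times.
Import-Module ActiveDirectory

$StaleDays       = 90
$PasswordMaxDays = 365
$now = Get-Date

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, ServicePrincipalName, whenCreated

$stale     = $users | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -lt $now.AddDays(-$StaleDays) }
# Never logged on and not freshly created: typically onboarding leftovers that were never used
$neverUsed = $users | Where-Object { -not $_.LastLogonDate -and $_.whenCreated -lt $now.AddDays(-$StaleDays) }
$oldPw     = $users | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $now.AddDays(-$PasswordMaxDays) }
# Service-account heuristic: an SPN registered, or a password that never expires
$svc       = $users | Where-Object { $_.ServicePrincipalName.Count -gt 0 -or $_.PasswordNeverExpires }

# Privileged groups, expanded recursively so nested groups do not hide members
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privileged = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass } }
}

[pscustomobject]@{
    EnabledUsers          = @($users).Count
    StaleEnabled          = @($stale).Count
    NeverLoggedOn         = @($neverUsed).Count
    PasswordOlderThanYear = @($oldPw).Count
    ServiceAccountLike    = @($svc).Count
    PrivilegedMemberships = @($privileged).Count
} | Format-List

# Service accounts with a password older than a year are the ones to rotate first
$svc | Where-Object { $_.PasswordLastSet -lt $now.AddDays(-$PasswordMaxDays) } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, @{n='SPNs'; e={ $_.ServicePrincipalName.Count }} |
    Format-Table -AutoSize

# Privileged membership list, to review against the "as few as possible" rule
$privileged | Sort-Object Group, Member | Format-Table -AutoSize
```

Disable rather than delete on the first pass: a disabled account keeps its SID and group memberships, so a mistake is reversible, and it still gets removed from the attack surface.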

6. AD Backup and DR

When something does go wrong in AD (accidental deletion, ransomware, hardware), you need a way back.

Backup Strategy

  • System-state backup (on at least two DCs)
  • AD Recycle Bin enabled (so deleted objects can be recovered)
  • Documented authoritative-restore procedure
  • Awareness of the tombstone lifetime (default 180 days)

Test

  • An annual DR drill: restore AD into a test environment
  • Forest-recovery scenario (annually)
  • Test the authoritative-restore procedure
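An added example, not from the original article, that checks the backup-readiness items above before the DR drill: DC count, Recycle Bin state, tombstone and deleted-object lifetimes read from the Directory Service configuration object, and the age of the last system-state backup. It assumes the RSAT ActiveDirectory module; the last-backup lookup assumes Windows Server Backup and therefore has to run on each DC itself, where the WindowsServerBackup module exists. Other backup products need their own query.

```powershell
# Added example (not from the original article): backup-readiness check.
# Assumptions: RSAT ActiveDirectory; Windows Server Backup as the system-state tool;
# run locally on each DC for the last-backup lookup.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                         -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# tombstoneLifetime unset means the legacy 60-day default, not 180
$tombstoneDays     = if ($dsConfig.tombstoneLifetime) { $dsConfig.tombstoneLifetime } else { 60 }
# Recycle Bin retention defaults to the tombstone lifetime when not set explicitly
$deletedObjectDays = if ($dsConfig.'msDS-DeletedObjectLifetime') { $dsConfig.'msDS-DeletedObjectLifetime' } else { $tombstoneDays }

$recycleBin   = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$recycleBinOn = @($recycleBin.EnabledScopes).Count -gt 0

$dcs = Get-ADDomainController -Filter *

# Last successful system-state backup on this DC. A backup older than the tombstone
# lifetime is unusable: restoring it would reintroduce objects deleted since.
$lastBackup = $null
if (Get-Module -ListAvailable WindowsServerBackup) {
    Import-Module WindowsServerBackup
    $lastBackup = (Get-WBSummary).LastSuccessfulBackupTime
}
$backupAge = if ($lastBackup) { (New-TimeSpan -Start $lastBackup -End (Get-Date)).Days } else { $null }

$checks = @(
    [pscustomobject]@{ Check = 'At least two DCs';                 Value = @($dcs).Count;      OK = @($dcs).Count -ge 2 }
    [pscustomobject]@{ Check = 'AD Recycle Bin enabled';           Value = $recycleBinOn;      OK = $recycleBinOn }
    [pscustomobject]@{ Check = 'Tombstone lifetime (days)';        Value = $tombstoneDays;     OK = $tombstoneDays -ge 180 }
    [pscustomobject]@{ Check = 'Deleted-object lifetime (days)';   Value = $deletedObjectDays; OK = $deletedObjectDays -ge 180 }
    [pscustomobject]@{ Check = 'Last system-state backup on this DC (days ago)'; Value = $backupAge; OK = ($null -ne $backupAge -and $backupAge -le 7) }
)
$checks | Format-Table -AutoSize

# To take a system-state backup with Windows Server Backup (the target drive is an assumption):
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
```

The tombstone-lifetime row is the one people miss: a forest created before Windows Server 2003 SP1 and never adjusted still carries the 60-day value, which halves the window in which a backup is restorable.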

Annual Maintenance Checklist

#    Task                                  Cadence
1    dcdiag /v /c /e (full health)         Monthly
2    repadmin /replsummary                 Monthly
3    DNS health (dcdiag /test:dns)         Monthly
4    DC disk-usage check                   Monthly
5    FSMO role verification                Quarterly
6    Inactive-user report                  Quarterly
7    Domain Admins membership audit        Quarterly
8    GPO backup                            Quarterly
9    Unused GPO cleanup                    Annually
10   Unused group cleanup                  Annually
11   Schema backup                         Annually
12   DR drill                              Annually
13   Tombstone-lifetime check              Annually
14   Site / subnet review                  Annually
15   Audit-log analysis                    Annually

Common Problems and Fixes

Issue: DC disk filling up

The %SYSTEMROOT%\NTDS directory grows and log files accumulate.

Fix: NTDS database optimisation (offline defragmentation). The compacted copy is written to a separate path; it only takes effect once you copy it back over the original:

# Boot to DSRM (Directory Services Restore Mode); on 2008 and later, stopping the
# NTDS service also works. The target drive needs free space of at least the ntds.dit size.
ntdsutil
activate instance ntds
files
compact to D:\TempCompact
quit
quit

# Then, as ntdsutil's own output instructs: copy D:\TempCompact\ntds.dit over
# %SYSTEMROOT%\NTDS\ntds.dit, delete the old *.log files in that directory, and run
# the "integrity" check (ntdsutil > files > integrity) before restarting the DC.

Issue: Replication broken

Between two DCs:

# Error check
repadmin /showrepl /errorsonly

# Try a manual sync
repadmin /syncall /AeD

# Network / firewall check
ping dc02.firma.local
nltest /sc_query:firma.local

Issue: FSMO role on an offline DC

The DC is completely down and the role-holder is gone:

# Seize (force takeover)
ntdsutil
roles
connections
connect to server dc02.firma.local
quit
seize PDC
seize RID master
quit

Don't power the old DC back on before doing a metadata cleanup.

Issue: AD Recycle Bin Disabled

Enable it:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=firma,DC=local' -Scope ForestOrConfigurationSet -Target firma.local

This enablement is not reversible — be careful. After enabling, deleted objects can be recovered for 180 days.

Active Directory and Security

AD-specific security checks:

An AD Health Score with PingCastle

PingCastle (free / commercial) is an AD-security audit tool:

  • Forest health
  • Stale objects
  • Trust relationships
  • Privileged-group analysis
  • Kerberos delegation checks
  • Run annually; track the score over time

Typical Findings

  • Old Windows 2003 functional level
  • LDAP signing disabled
  • SMBv1 still on
  • Accounts with Kerberos pre-authentication disabled
  • No reverse DNS zones
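An added example, not from the original article and not part of PingCastle, that checks for the typical findings listed above from the defender's side so they can be fixed before the annual PingCastle run: forest and domain functional level, accounts with Kerberos pre-authentication disabled (userAccountControl bit 0x400000), and, per DC, the LDAPServerIntegrity registry value, SMBv1 server state, and the presence of reverse lookup zones. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and the DnsServer module on the DCs; an absent registry value means the default applies.

```powershell
# Added example (not from the original article): read-only check for the typical findings.
# Assumptions: RSAT ActiveDirectory; WinRM to each DC; DnsServer module on the DCs.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Where, $What, $Severity) {
    $findings.Add([pscustomobject]@{ Where = $Where; Finding = $What; Severity = $Severity })
}

# 1. Functional level (the enum names contain the year, e.g. Windows2003Forest)
if ($forest.ForestMode -match '2000|2003') { Add-Finding $forest.Name "Forest functional level $($forest.ForestMode)" 'High' }
foreach ($d in $forest.Domains) {
    $mode = (Get-ADDomain -Identity $d).DomainMode
    if ($mode -match '2000|2003') { Add-Finding $d "Domain functional level $mode" 'High' }
}

# 2. Accounts with Kerberos pre-authentication disabled (UAC bit 0x400000 = 4194304)
$noPreauth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
foreach ($u in $noPreauth) { Add-Finding $u.SamAccountName 'Kerberos pre-authentication not required' 'High' }

# 3. Per-DC settings: LDAP signing, SMBv1, reverse lookup zones
$perDc = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        LdapServerIntegrity = $ntds.LDAPServerIntegrity     # 2 = signing required; unset/0/1 = not enforced
        Smb1Enabled         = (Get-SmbServerConfiguration).EnableSMB1Protocol
        ReverseZones        = @(Get-DnsServerZone -ErrorAction SilentlyContinue | Where-Object IsReverseLookupZone).Count
    }
}
foreach ($r in $perDc) {
    if ($r.LdapServerIntegrity -ne 2) { Add-Finding $r.DC 'LDAP signing not enforced (LDAPServerIntegrity != 2)' 'Medium' }
    if ($r.Smb1Enabled)               { Add-Finding $r.DC 'SMBv1 server protocol enabled' 'High' }
    if ($r.ReverseZones -eq 0)        { Add-Finding $r.DC 'No reverse DNS zones hosted' 'Low' }
}
# DCs that did not answer are listed rather than silently skipped
foreach ($dc in $dcs) {
    if ($perDc.DC -notcontains ($dc -split '\.')[0]) { Add-Finding $dc 'Could not query DC over WinRM' 'Info' }
}

$findings | Sort-Object Severity, Where | Format-Table -AutoSize
"Findings: {0}" -f $findings.Count
```

The pre-authentication check deserves the "High" rating: it is a per-account setting that is almost always a leftover from an old application requirement, and re-enabling it is a one-checkbox change once the application owner confirms nothing still needs it.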

LAPS — Local Administrator Password Solution

Every domain-joined machine gets a unique local-admin password, stored encrypted in AD. The password from a compromised box won't work anywhere else.

What Yamanlar Bilişim Offers

Our AD support areas at SME scale:

  • Current AD health report (dcdiag, repadmin, PingCastle)
  • Annual maintenance plan
  • FSMO / replication issue resolution
  • User / group cleanup campaigns
  • GPO audit and tidy-up
  • LAPS rollout
  • AD backup + DR drill
  • AD modernisation (functional-level upgrade)

Metadata Cleanup of an Offline DC

Removing a DC that will never come back (the seize case above) from the directory, step by step with ntdsutil; the numbers X, Y and Z are the entries ntdsutil prints in the preceding list command:

ntdsutil
metadata cleanup
connections
connect to server dc01.firma.local
quit
select operation target
list domains
select domain X
list sites
select site Z
list servers in site
select server Y
quit
remove selected server

It's a stepwise procedure; you walk through site, server, NTDS settings one at a time. Mistakes amplify problems — back up first, and a partner is recommended.

Conclusion

Active Directory is undoubtedly the most critical component of SME identity infrastructure — yet the "it's working, don't touch" mindset hides silently accumulating problems. An annual health check — replication, FSMO, GPO, user/group hygiene, backups, and security audit — converts that accumulation into measured, managed discipline. dcdiag, repadmin, and PingCastle give you a free starting point; a regular monthly / quarterly / annual schedule turns it into routine.

Yamanlar Bilişim provides AD health audits, cleanup campaigns, and modernisation services sized to your needs — making your AD a measured, trusted backbone rather than a source of surprise outages.

Frequently Asked Questions

I run a single DC — why do I need a second one?

One DC = a single point of failure. When it goes down, nobody can log on, file shares are unreachable, the whole network is affected. A second DC is your insurance — and even at SME scale, essentially mandatory. Replication keeps both in sync; when one fails, the other takes over.

How many people should be in Domain Admins?

As few as possible — at SME scale, 2–3 members is enough. More members = more compromise risk. In practice: a one-person SME has 1 primary + 1 backup admin; larger teams 3–4. Every admin also keeps a separate standard user account (for everyday use).

Is PingCastle worth running for an SME?

Absolutely. The free version gives you the baseline health score. Once a year is enough to make AD security tangible. Of the open-source / commercial audit options, it's the best fit for SMEs. Most SMEs see 3–5 serious findings in their first PingCastle report and resolve them within the year.

Can I turn on AD Recycle Bin now?

Yes, but: (1) enabling it is not reversible and adds disk overhead, (2) every DC needs to be at the 2008 R2 functional level minimum. The benefit: an accidentally deleted user / group can be recovered for 180 days — far more practical than manual restore.

How do I clean up an offline old DC?

A manual cleanup with ntdsutil metadata cleanup; the stepwise procedure is listed above, in the section just before the Conclusion.

Does enforcing LDAP signing cause operational problems?

Some legacy applications (especially pre-2010 enterprise software, older printers) use LDAP simple bind — they stop working once signing is enforced. Before the change, inventory those apps and confirm LDAPS support. Microsoft is moving toward enforcing LDAP signing; the migration is unavoidable.
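An added example, not from the original article, for the inventory step: it reads the Directory Service event log on each DC for event 2887 (the 24-hourly summary of unsigned and simple binds, logged by default) and event 2889 (one event per client, logged only once the "16 LDAP Interface Events" diagnostics value is raised to 2, as shown in the comment), and turns the 2889 messages into a client/identity list to work through before signing is enforced. It assumes the RSAT ActiveDirectory module and remote event-log access to the DCs; the regular expressions match the wording of the 2889 message text.

```powershell
# Added example (not from the original article): inventory of unsigned/simple LDAP binds
# from the Directory Service log. Assumptions: RSAT ActiveDirectory; remote event-log
# access to each DC; 2889 events present only after raising the diagnostics level.
Import-Module ActiveDirectory

$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$days = 30

# Enable per-client logging (run on each DC; set the value back to 0 afterwards):
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 2

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2887, 2889
            StartTime = (Get-Date).AddDays(-$days)
        } | ForEach-Object { [pscustomobject]@{ DC = $dc; Id = $_.Id; Time = $_.TimeCreated; Message = $_.Message } }
    } catch {
        # "No events were found" lands here too, and for this check that is the good outcome
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# 2887: summary only; tells you whether there is anything to worry about at all
$events | Where-Object Id -eq 2887 |
    Select-Object DC, Time, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} | Format-Table -AutoSize

# 2889: one event per client bind; pull the IP and the account out of the message text
$clients = $events | Where-Object Id -eq 2889 | ForEach-Object {
    $ip   = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
    $user = if ($_.Message -match 'authenticate as:\s*(\S+)')   { $Matches[1] } else { '?' }
    [pscustomobject]@{ DC = $_.DC; ClientIP = ($ip -replace ':\d+$', ''); Identity = $user; Time = $_.Time }
}

# The inventory to work through before enforcing signing: one row per client/identity pair
$clients | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count,
                  @{n='ClientIP'; e={ $_.Group[0].ClientIP }},
                  @{n='Identity'; e={ $_.Group[0].Identity }},
                  @{n='LastSeen'; e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Format-Table -AutoSize
```

Leave the diagnostics level raised for at least a full month before reading the list, so that monthly batch jobs and rarely used applications show up; an inventory taken over a few days will miss exactly the legacy systems the answer above warns about.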

Last updated: May 10, 2026

Author

Serdar

Yamanlar Bilişim Expert

Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
