Is your w2k8 R2 domain healthy and well configured?

Posted by: pnr

The Active Directory Best Practice Analyzer (AD DS BPA) can help you implement best practices in the configuration of your Active Directory environment. It scans the Active Directory Domain Services (AD DS) server role as it is installed on your Windows Server 2008 R2 domain controllers and reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface or cmdlets in the Windows PowerShell command-line interface.

In the Windows Server 2008 R2 Beta release, the AD DS BPA scan verifies the following AD DS configuration settings:

  • Domain Name System (DNS)-related rules, which verify the following conditions, among others:

    • The domain controller is able to reach a DNS server and retrieve DNS records that are associated with this domain controller.
    • All required host (A or AAAA) resource records for this domain controller are registered in DNS.
    • All required DNS host (A or AAAA) resource records for this domain controller are registered in DNS with correct IP addresses.
    • All required site-specific and global service (SRV) resource records for this domain controller are registered in DNS.
    • The required alias (CNAME) resource record for this domain controller is registered in DNS.

  • Operations master (also known as flexible single master operations or FSMO) connectivity rules, which verify whether the domain controller can connect to the relative ID (RID) operations master and the primary domain controller (PDC) emulator operations master in this domain.
  • Operations master role ownership rules, which verify the following conditions:

    • The schema master role and the domain naming master role are owned by the same domain controller in the forest.
    • The RID master role and the PDC emulator master role are owned by the same domain controller in the domain.
  • Number of controllers in the domain rule, which verifies the following condition: The domain has at least two functioning domain controllers.
  • Required services-related rules, which verify the following conditions:

    • The AD DS service must be running on this domain controller.
    • The ADWS service must be running on this domain controller.
    • The Active Directory module for Windows PowerShell must be installed and functioning properly on this domain controller.
  • Replication configuration rules, which verify the following conditions:

    • Strict replication consistency should be enabled on all domain controllers in this forest.
    • Each site in this forest should contain at least one global catalog server or have universal group membership caching enabled.
    • The Knowledge Consistency Checker (KCC) should be enabled in this site in this forest to generate an optimal replication topology.
  • Windows Time service (W32time) configuration rules, which verify the following conditions:

    • The value of MaxPosPhaseCorrection and MaxNegPhaseCorrection on this domain controller should be equal to 48 hours.
    • The PDC emulator master in this forest should be configured to correctly synchronize time from a valid time source.
  • A virtual machine (VM) configuration rule, which verifies that the domain controller is running on Hyper-V™ and provides best practice guidelines for running AD DS in a VM environment.
  • Backup and restore-related rules, which verify the following conditions:

    • The directory partitions on this domain controller have been backed up within the last 8 days.
    • All organizational units (OUs) in this domain are protected from accidental deletion.
    • The resultant backup lifetime in this forest should be equal to or greater than 180 days.
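
Several of the conditions listed above can also be spot-checked by hand with the Active Directory module for Windows PowerShell. The script below is an added example, not part of the original post and not the BPA's own logic; it only reads settings, and the service names (NTDS, ADWS), the W32Time registry path and the conversion of 48 hours to 172800 seconds are assumptions drawn from standard Windows configuration rather than from this page.

```powershell
# Added example: read-only spot check of several conditions from the rule list above.
# Run in an elevated PowerShell session on a Windows Server 2008 R2 domain controller.
Import-Module ActiveDirectory

# Helper (hypothetical name): one result row per checked condition.
function New-Check($Rule, $Pass, $Detail) {
    New-Object PSObject -Property @{ Rule = $Rule; Pass = [bool]$Pass; Detail = $Detail }
}

$forest = Get-ADForest
$domain = Get-ADDomain

# Counts DCs registered in the domain; it does not prove each one is functioning.
$dcs = @(Get-ADDomainController -Filter *)

# W32Time stores the phase-correction limits in seconds: 48 hours = 172800.
$w32   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$limit = 48 * 3600

# OUs that are not protected from accidental deletion.
$openOUs = @(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
             Where-Object { -not $_.ProtectedFromAccidentalDeletion })

$checks = @(
    New-Check 'Schema and domain naming master on same DC' ($forest.SchemaMaster -eq $forest.DomainNamingMaster) $forest.SchemaMaster
    New-Check 'RID master and PDC emulator on same DC' ($domain.RIDMaster -eq $domain.PDCEmulator) $domain.PDCEmulator
    New-Check 'At least two domain controllers' ($dcs.Count -ge 2) "$($dcs.Count) found"
    New-Check 'AD DS service (NTDS) running' ((Get-Service NTDS).Status -eq 'Running') $env:COMPUTERNAME
    New-Check 'ADWS service running' ((Get-Service ADWS).Status -eq 'Running') $env:COMPUTERNAME
    New-Check 'MaxPosPhaseCorrection is 48 hours' ($w32.MaxPosPhaseCorrection -eq $limit) $w32.MaxPosPhaseCorrection
    New-Check 'MaxNegPhaseCorrection is 48 hours' ($w32.MaxNegPhaseCorrection -eq $limit) $w32.MaxNegPhaseCorrection
    New-Check 'All OUs protected from accidental deletion' ($openOUs.Count -eq 0) "$($openOUs.Count) unprotected"
)

# Summary table, followed by the distinguished names of any unprotected OUs.
$checks | Format-Table Rule, Pass, Detail -AutoSize
$openOUs | Select-Object -ExpandProperty DistinguishedName
```

The service and registry checks apply only to the domain controller the script runs on, so repeat it on each domain controller to cover the whole domain.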