Active Directory Best Practices Analyzer in Windows Server 2008 R2

In this blog post we will be learning about how we can save our valuable time by scanning our Active Directory Environment using Best Practices Analyzer tool.

As we all are aware that Exchange Best Practices Analyzer tool is one of the best tool which Exchange Administrators use as and when they want to scan Exchange ORG and it is available in the market for many years now. Many improvements has been made to help Administrators Across the globe.

There are few other Best Practices tool available to scan different server, however in this article we will be focusing on Active Directory. We believe that Active Directory is one of the critical area of troubleshooting and if we follow best practices recommended by Microsoft then it can save us with unwanted downtime.


The tool is available only with Windows Server 2008 R2 Domain Controllers. In our scenario I have only one DC for testing purpose.

DC Name :- DC1


To open the tool go to Server Manager as shown below.


Figure 1.1 : Server Manager

In Server Manager you have to go to Roles and Select Active Directory Domain Services.


Figure 1.2 : Active Directory Domain Services

In figure 1.2 we have to select directory domain services and then select Best Practices Analyzer. Post which select Scan This Role as shown in the screenshot. In this tool it scans the role and not the server. Since Active Directory is a Role. So we will not have an option to scan single server or single site.

Now lets start the scan and see what best practices I have missed and how to fix it.


Figure 2.1 : Scanning the Environment.

In the scan report there are two areas of focus.

1) Non Compliant – The result displayed here will let the Administrator know that whether the environment is Non Complaint.

2) Complaint – Good to know that the environment is complaint as per Microsoft Standards.


Figure 3.1 : Non Complaint and Complaint Report.

In figure 3.1 when you see there are severity and Title for the issue which is Non Complaint.

Now lets Expand Error and Warning and see what it has to say.


Figure 3.2 : Select and error message.

In figure 3.2 when you click on any one result you see in the right hand side the options gets highlighted. We can either select Exclude Result or Properties or Copy Result Properties.

If you have fixed the issue. Then you can select Exclude Result so that the same is not repeated.

By selecting properties you can view the result on the same window. And copying will allow you to save it in a notepad.

Now lets select Properties.


Figure 3.3 : Properties of Error Message which is Non Complaint.

In Figure 3.3 the property page is very clear and can help us in understanding what configuration changes is required so that we are complaint.

Now let me break this in five parts.

1) Title – Brief description.

2) Severity – Error

3) Date – When scan was performed with date and time.

4) Category – Configuration – This will help us which partition has the issue and that needs to be changed..

5) Details – Now Details can be broken down into three parts.

I ) Issue – Which will help us what is the issue and how it can impact ADDS.

II) Impact – Details report what is the impact and what known issue we may have.

III) Resolution – This one is very nice since it also helps us resolving the issue.


Figure 3.4 : Properties of Warning.

Figure 3.4 tells us that we should have one more domain controller in the event of failure. Best Practices.


Figure 3.5 : Warning for protecting Accidental deletion of OU. New feature introduced to save and protect Organization Unit.


Figure 3.6 : Warning to let us know that System State Backup has to be performed. Which usually Admins miss and in case of disaster its difficult to restore the deleted objects. Best Practices.

I hope this tool is helpful and a must to have with every Admins on field. This will ensure that whether the environment is Complaint or Non Complaint as per Microsoft and Industry Standards.

Happy Learning


MSEXCHANGETEAM | Ideas That Clicks

Like this post? Please share to your friends:
Comments: 1
  1. Mackay

    Active Directory Management tools available here ….

Leave a Reply