It’s important to run some Active Directory Health checks on your domain. To that end, I thought it would be great to generate a weekly report that contained a DCdiag, a Repadmin and Best Practice Analyzer report. This could be done via a Scheduled task. It could then run once a week and then email you with any issues. A great way to keep on top of the health of your environment and to make sure no little niggling errors are hiding just under the covers, waiting to destroy your environment.
The hardest part of the script was executing the cmd prompt command via the script. Passing in arguments is messy in PowerShell at the best of times, but passing in arguments with spaces and having to escape the correct characters etc. is very tedious. So, as a disclaimer, this script is a work in progress. It works, but by no means is it an example of PowerShell Best Practice. (I’ll keep tinkering on it, and if anyone has any suggestions please leave a comment.) Hopefully, though, someone other than me may find this useful.
There are also a few caveats to be aware of. This script, the way it is presented here, will only work on PowerShell v3. I found this out because in an effort to get the BPA cmdlets working, I realized that the syntax for the commands is different in the different versions of PowerShell. If you would like to get this to work on PowerShell v2, you just need to change the -ModelID parameters to -ID. A quick “Get-Help Invoke-BPAModel” should sort that out pretty swiftly. Also, the file locations are hard coded at this point.
```powershell
#Written by Craig Dempsey, 19/03/2013
# ** NOTE ** This script will only work if the folder C:\Admin\Scripts\adchex is present.
# ** NOTE ** This script will only work with Powershell v3.
# ** NOTE ** To adapt this to work with Powershell v2, you will need to change BPA cmdlets parameters, because the names of the parameters are different from v2 to v3.
# ** NOTE ** This script needs to be run on a domain controller.

#Import Module Best Practices for Powershell v2. In v3 the module gets automatically loaded.
Import-Module BestPractices

#Set Variables
$date = get-date -UFormat "%Y%m%d%H%M%S"
$date2 = get-date
$dcdiagcom = "dcdiag"
$dcdiaglog = "C:\Admin\Scripts\adchex\dcdiag$date.log"
#No trailing space after the log path, so dcdiag gets a clean /f: argument.
$dcdiagargs = @('/a', '/c', '/v', "/f:$dcdiaglog")
$repadmincom = "repadmin"
$repadminargs = @('/showrepl', '*', '/verbose', '/all', '/intersite')
$repadminlog = "C:\admin\scripts\adchex\repl$date.log"
$ADbparesultcsv = "C:\Admin\Scripts\adchex\ADBpaResult$date.csv"

#Run the cmd commands calling the args.
&cmd /c $dcdiagcom $dcdiagargs
&cmd /c $repadmincom $repadminargs > $repadminlog

#Run the Best Practice Analyser
invoke-bpamodel -ModelId Microsoft/Windows/DirectoryServices

#Format the results: export everything that is not informational.
#The results go straight to CSV; Set-BpaResult -Exclude would flag these findings as excluded in the stored scan results.
get-bparesult -ModelID Microsoft/Windows/DirectoryServices | Where { $_.Severity -ne "Information" } | Export-CSV -Path $ADbparesultcsv

#Set email variables
$Subject = "AD CHEX!"
$Body = "Attached is a set of automated reports for your perusal. The reports contain a DCDiag report, a Repadmin report and Best Practice Analyser Report."
$SMTPServer = "YourSMTPserver"
#Placeholder addresses, replace with your own.
$EmailTo = "YourToAddress"
$EmailFrom = "YourFromAddress"

#Email the log files.
Send-MailMessage -Subject $Subject -Body $body -SmtpServer $SMTPServer -Priority High -To $EmailTo -From $EmailFrom -Attachments $dcdiaglog, $repadminlog, $ADbparesultcsv
```
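The script mails the raw logs every week, so failures still have to be found by reading the attachments. The following is an added example, not part of the original script, that pulls failed dcdiag tests and failed replication attempts out of the log text; Get-AdChexFinding is a hypothetical helper name, the patterns assume English-language dcdiag and repadmin /showrepl output, and the sample lines are constructed.

```powershell
# Added example, not part of the original script. Get-AdChexFinding is a hypothetical
# helper; its patterns assume the English output of dcdiag and repadmin /showrepl.
function Get-AdChexFinding {
    param(
        [string[]]$DcdiagLine = @(),
        [string[]]$RepadminLine = @()
    )
    # dcdiag closes every test with "......... <target> passed|failed test <name>".
    foreach ($line in $DcdiagLine) {
        if ($line -match '\.{5,}\s+(\S+)\s+failed test\s+(\S+)') {
            [pscustomobject]@{ Source = 'dcdiag'; Target = $Matches[1]; Detail = "failed test $($Matches[2])" }
        }
    }
    # repadmin names the partner ("<site>\<dc> via RPC") before its "Last attempt" line.
    $partner = '(unknown)'
    foreach ($line in $RepadminLine) {
        if ($line -match '^\s*(\S+\\\S+)\s+via RPC') {
            $partner = $Matches[1]
        }
        elseif ($line -match 'Last attempt @ (.+?) failed, result (\d+)') {
            [pscustomobject]@{ Source = 'repadmin'; Target = $partner; Detail = "replication failed at $($Matches[1]), result $($Matches[2])" }
        }
    }
}

# Constructed sample lines (not real output from any environment).
$sampleDcdiag = @(
    '         ......................... DC01 passed test Connectivity',
    '         ......................... DC02 failed test Replications'
)
$sampleRepadmin = @(
    '    Site1\DC01 via RPC',
    '        Last attempt @ 2013-03-19 10:15:22 was successful.',
    '    Site1\DC03 via RPC',
    '        Last attempt @ 2013-03-19 10:15:40 failed, result 1722 (0x6ba):'
)
$findings = @(Get-AdChexFinding -DcdiagLine $sampleDcdiag -RepadminLine $sampleRepadmin)

# In the report script, read the logs with Get-Content instead and pick the mail
# priority from the result, so High is reserved for weeks with real failures.
$priority = if ($findings.Count -gt 0) { 'High' } else { 'Normal' }
$findings | Format-Table Source, Target, Detail -AutoSize
"Findings: $($findings.Count), mail priority: $priority"
```

The findings can also be written into the mail body so the failing DC and test are visible without opening an attachment.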
You can find some more information about DCDiag command here.
You can find some more information about the Repadmin command here.
Here is some information as well about running the BPA via PowerShell.
Will this check every DC in the domain or do I need to install this on each DC in the domain?
You call this with a scheduled task; do you use the system account to run the scheduled task or a domain user with rights?
It checks all DCs. I run it under a domain user. You might want to lock down the user account so it only has the rights it needs to run scheduled tasks but not to log on etc. Or, I think you could probably use a Group Managed Service account?
Hey, great script. I will add this to an article I’m working on, on how to perform an AD health check - http://www.networkangel.net/active-directory-health-check-tools
Active Directory Health Profiler is a tool that in my view is one of the very best in Active Directory Health management. I think we should give this one a try?
http://adhealthprof.itdynamicpacks.net/
Best,
Nick
Nick,
I could not find any pricing on it anywhere. Must be darned expensive, and with Powershell being essentially free . . .
I don’t know about the pricing as well, but I’m using the free version that helps me do what I need!
-Salone