Infrastructure | 2016/01/05 at 1:40pm

Detox your IT Infrastructure

We all know how important it is to keep our IT infrastructure clean and working efficiently – a well-oiled machine will let you focus on other projects and initiatives without worrying about inactive accounts, password expirations, permissions issues and the like. We’ve put together a list of tasks that should be done regularly in a Microsoft-based environment to ensure the health of your IT infrastructure.

Now is a great time of year to conduct this kind of maintenance: it is non-invasive, and it allows you to be proactive in taking the results to your staff and stakeholders.

A quality detox this early in the year will set up your infrastructure to maintain availability throughout.

Make sure your Domain Controllers are healthy – goes without saying but making sure you have robust and resilient Domain Services will go a long way to preventing help desk calls and system outages.


First, kick off the DC diagnosis tests. These will document any issues with your domain controller health and integral services like DNS.

Dcdiag /v > c:\dcdiag.txt

Run this on each of your domain controllers, review the text output and remediate as necessary.

Dcdiag /e /test:dns /DnsDynamicUpdate

This runs across all of your domain controllers. Review the output: it tests your DNS resolution, connectivity, DNS client configuration, service availability and zone existence. It also tests Dynamic DNS registration for your clients to make sure it is working against your DNS servers.
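To avoid logging on to each domain controller in turn, the same diagnostics can be driven from one admin workstation. The following is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) and dcdiag.exe are installed, English-language dcdiag output, and a hypothetical output folder C:\dcdiag.

```powershell
# Added example: run dcdiag /v against every DC and list only the failed tests.
Import-Module ActiveDirectory

$outDir = 'C:\dcdiag'                      # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$dcs = @(Get-ADDomainController -Filter *)

$failures = foreach ($dc in $dcs) {
    $report = Join-Path $outDir "$($dc.Name).txt"

    # /s: points dcdiag at one specific DC; keep the full verbose report on disk
    dcdiag "/s:$($dc.HostName)" /v | Out-File -FilePath $report -Encoding UTF8

    # dcdiag ends each failing test with "<server> failed test <TestName>"
    Select-String -Path $report -Pattern 'failed test\s+(\S+)' | ForEach-Object {
        [pscustomobject]@{
            DomainController = $dc.Name
            FailedTest       = $_.Matches[0].Groups[1].Value
            Report           = $report
        }
    }
}

if ($failures) {
    # One row per DC and failed test, with the report file to open for details
    $failures | Sort-Object DomainController, FailedTest | Format-Table -AutoSize
} else {
    Write-Output "No failed dcdiag tests on $($dcs.Count) domain controller(s)."
}
```

A DC that cannot be reached at all produces little or no output, so check that every report file has content rather than relying only on the absence of failures.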

Active Directory Replication

Check replication across your Domain Controllers. If you’ve had a few sysadmins through your organization, you’ll likely have some kind of hangover from old Domain Controllers or ones you didn’t know existed. Using the Active Directory Replication Status Tool, you can find out the health of your Domain Controller replication, either inter-site or intra-site.

Best Practices Analyzer

Run the Best Practices Analyzer across your Domain Controllers. You can find the Best Practices Analyzer tile on role and server group pages of Server Manager in Windows Server 2012 R2 and Windows Server 2012. If you’ve still got 2008 and 2008 R2 Domain Controllers, it’s time to think about upgrading these or migrating these to Windows Server 2012 R2 services. See this link for more detail on the Best Practice Analyzers. This tool is there for a reason… so use it.


Ensure time is synced across all your domain controllers and clients – this is a big one – if you have time slippage across your organization then services like TLS and SSL cease to work. Ensure your time servers are working and available for clients to synchronise time to (typically your domain controllers). The command below (for command prompt) will determine if your domain controllers can provide time services accurately.

W32tm /query /computer:<IPaddressofDC> /status

Disable unused accounts

Every organization has a bunch of disabled or inactive accounts, long forgotten because the offboarding process didn’t exist or wasn’t followed – it happens everywhere. However, inactive and unused accounts can be a security loophole that lets people access corporate systems, so they should be managed. We can find inactive and unused accounts via a number of methods, but here’s what works best for us.

An easy way to find inactive accounts from Server 2008 onwards is to run this PowerShell cmdlet:

Search-AdAccount -AccountInactive -UsersOnly -TimeSpan 365.00:00:00

Save the text below as a .ps1 file and execute it in a PowerShell session on one of your domain controllers or on a machine that has the Remote Server Administration Tools installed.

# Report every user whose last logon is at least $NumDays days old (0 = all users that have ever logged on)
$NumDays = 0
$LogDir = ".\Users-Last-Logon.csv"
$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
# lastLogonTimeStamp is stored as a Windows file time, so compare against the same format
$lltIntLimit = $lltstampLimit.ToFileTime()
# Bind to the root of the current domain
$adobjroot = [adsi]''
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"
# One row per user: name, logon name, last logon (UTC) and whether the account is disabled
$users = $objstalesearcher.FindAll() | Select-Object @{e={$_.properties.cn};n='Display Name'},
    @{e={$_.properties.samaccountname};n='Username'},
    @{e={[datetime]::FromFileTimeUtc([int64]$_.properties.lastlogontimestamp[0])};n='Last Logon'},
    @{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget('AccountDisabled')};n='Account Is Disabled'}
$users | Export-CSV -NoType $LogDir
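Finding the accounts is only half of the task in this section's title. The following added example, not part of the original post, turns the Search-ADAccount query above into a reviewable disable run; the excluded OU, the report path and the 30-day grace period for new accounts are assumptions to adapt.

```powershell
# Added example: report on inactive, still-enabled users, then dry-run disabling them.
Import-Module ActiveDirectory

$inactiveFor = New-TimeSpan -Days 365
$reportPath  = '.\Inactive-Users.csv'                      # hypothetical report file
$excludeOU   = 'OU=Service Accounts,DC=example,DC=com'     # hypothetical OU to leave alone
$graceDate   = (Get-Date).AddDays(-30)                     # assumed grace period for new starters

$candidates = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $inactiveFor |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$excludeOU" } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated, LastLogonDate, Description
    } |
    Where-Object { $_.whenCreated -lt $graceDate }         # skip recently created accounts

# Keep a record of what was found before anything is changed
$candidates |
    Select-Object SamAccountName, Name, whenCreated, LastLogonDate, DistinguishedName |
    Export-Csv -NoTypeInformation -Path $reportPath

$stamp = Get-Date -Format 'yyyy-MM-dd'
foreach ($user in $candidates) {
    # Record why and when in the description so the change can be traced and reversed
    $note = "Disabled ${stamp}: inactive 365+ days. $($user.Description)".Trim()
    Set-ADUser -Identity $user.DistinguishedName -Description $note -WhatIf
    Disable-ADAccount -Identity $user.DistinguishedName -WhatIf
}

Write-Output "$(@($candidates).Count) account(s) listed in $reportPath"
```

With -WhatIf in place nothing is modified; remove it from both cmdlets only after the CSV has been reviewed with the account owners.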

Exchange Server Health

We all know Exchange is typically one of the core services that organizations utilize in their day-to-day business – most work is conducted over email, and it is always one of the first canaries in the coal mine for users to report outages or issues. If no email is received or sent, it makes for angry end users!

So in order to detox your infrastructure, let’s take a look at Exchange and some of the things you can monitor in order to prevent service outages.

  • Disk Space
    • Nothing stops Exchange quicker than running out of disk space – check your volumes and database sizes – if you’ve moved to Office 365 you can quite easily reclaim space by resizing your databases to more appropriate sizes
  • Service Status
    • Check and monitor your Exchange services – services stopping like Unified Messaging or Hub Transport can quite quickly bring services to a halt, like no voicemail services for Lync/Skype for Business and no email transport for your multi-function devices
  • Certificates/PKI
    • Another big gotcha is certificates – Exchange uses certificates for various services and if these expire – expect your services to stop. Monitor your certificate expiry dates and manage your workflow around these – e.g. 2 months out from expiry, renew the certificate and reapply it to the Exchange service in a change window. This would easily account for 25% of our support calls for Exchange related issues. If this is happening often, look to a managed service provider to provide you awareness and proactive maintenance to ensure this doesn’t happen.
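The three checks in the list above can be combined into one pass over every Exchange server. This is an added example, not the script the post refers to; it assumes it is run from the Exchange Management Shell with PowerShell 3.0 or later and remote CIM access to the servers, and the 15% free-space threshold is an assumed value.

```powershell
# Added example: flag stopped services, expiring certificates and low disk space.
$certWarnDays = 60      # "2 months out from expiry"
$minFreePct   = 15      # assumed free-space threshold
$deadline     = (Get-Date).AddDays($certWarnDays)

$findings = foreach ($server in Get-ExchangeServer) {
    $name = $server.Name

    # Service Status: Test-ServiceHealth reports required services per role
    foreach ($role in Test-ServiceHealth -Server $name) {
        if (-not $role.RequiredServicesRunning) {
            [pscustomobject]@{ Server = $name; Check = 'Services'
                Detail = "$($role.Role): $($role.ServicesNotRunning -join ', ') not running" }
        }
    }

    # Certificates/PKI: only certificates bound to a service can take that service down
    Get-ExchangeCertificate -Server $name |
        Where-Object { $_.Services -ne 'None' -and $_.NotAfter -le $deadline } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays   # negative = already expired
            [pscustomobject]@{ Server = $name; Check = 'Certificate'
                Detail = "$($_.Subject) [$($_.Services)] expires $($_.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days)" }
        }

    # Disk Space: fixed local volumes only (DriveType 3)
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' -ComputerName $name |
        Where-Object { $_.Size -gt 0 } |
        ForEach-Object {
            $freePct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            if ($freePct -lt $minFreePct) {
                [pscustomobject]@{ Server = $name; Check = 'Disk'
                    Detail = "$($_.DeviceID) has $freePct% free" }
            }
        }
}

if ($findings) { $findings | Sort-Object Server, Check | Format-Table -AutoSize -Wrap }
else { Write-Output 'No Exchange service, certificate or disk findings.' }
```

Databases or logs on mount points without a drive letter are not covered by Win32_LogicalDisk and need a separate check.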

We suggest using a script like this to programmatically report on your Exchange infrastructure – this can email you daily or weekly regarding your Exchange server health.

If you need help detoxing your IT before the start of the year, or want assistance with any of the above items please contact us on 1300 652 207 or detox@