Active Directory Health & Security Assessment Check
Spot and fix AD weaknesses before they turn into breaches or outages. InfraSOS rapidly inspects your on‑prem Active Directory for hundreds of issues, such as time skew, weak NTLM/LDAP settings, insecure SMB shares, stale GPOs, DNS/replication failures, over‑permissive rights and more, and delivers a clear, prioritised list showing which settings should be configured and how important each one is.
Find & Fix Risks in Active Directory with InfraSOS
With our AD health check tool you will be able to diagnose Active Directory replication issues, run Active Directory security assessment checks, and check DNS health and the hardware health status of your domain controllers. Filter your reports based on any attribute or domain controller. Run reports on as many domains as you have in your forest or multiple forests.
Delegate access to reports within the InfraSOS portal to only certain team members. Schedule reports to run at certain times and have reports emailed to you. Also export reports in various formats (CSV and PDF).
All reports are fully customisable and you can create your own Active Directory, Azure AD or Office 365 reports based on any attribute or filter.
Active Directory Health & Security Assessment Tool
Try us out for free. 100s of reports available to gain control of your IAM & improve compliance.
Improve your AD & Entra ID security & compliance.
Find Active Directory Misconfigurations Before Attackers Do!
InfraSOS takes a deep look at your Active Directory, checking everything from clock sync and authentication hardening to DNS health, replication integrity, GPO hygiene, service roles on DCs (hello, Print Spooler), LSASS protection, firewall posture, and password/lockout policy strength. The result? A prioritised action plan that tells you what to fix first and the severity level of each issue.
“It’s not the one critical CVE that burns you, it’s the twenty tiny misconfigs you never noticed.”
Cyber Security Experts
Did you know badly configured domain controllers cause slow user logins?
Badly configured domain controllers and DNS will cause slow Active Directory user logins. If you have GPOs configured, they are sometimes not applied correctly to users who authenticate against a domain controller that isn't replicating correctly with other domain controllers. Our tool helps diagnose these and many other issues so you can fix errors like this and help speed up and secure your infrastructure.
InfraSOS Active Directory Health & Security Checks
With InfraSOS we scan over 250 check points against your domain controllers:
| Category | What We Test | Why It Matters | Typical Findings We Flag |
|---|---|---|---|
| Replication & SYSVOL Health | dcdiag replication tests, DFS/DFSR state, SYSVOL/NETLOGON share hardening, GPO count vs. folder count | Broken replication = inconsistent passwords/GPOs; attackers exploit stale DCs | Failed inbound/outbound reps, orphaned GPOs, DFSR AutoRecovery disabled |
| DNS Integrity | Zone existence, NS consistency, forwarders, scavenging, record registration, internal/external resolution | DNS is AD’s phonebook; if it’s wrong, logons and apps fail | Single scavenging server, no recent scavenging run, stale SRV records |
| Time & NTP Hygiene | Time skew internal/external, W32Time service status/intervals, DC reboot age | Kerberos allows ~5 min skew; drift breaks auth and SIEM timelines | 12‑minute drift on a DC, W32Time set to Manual, last reboot 180+ days |
| Authentication & Protocol Hardening | NTLM restrictions, LDAP signing/channel binding, SMB signing, plaintext passwords disabled | Legacy/unsigned protocols enable relay & downgrade attacks | Simple binds over 389, SMB signing disabled, NTLMv1 still allowed |
| Account/Password Policies | Minimum length/history, complexity, max/min age, lockout threshold/duration/window | Weak or never‑rotated passwords are the #1 breach vector | Max password age 180 days, history <10, lockout threshold = 0 (none) |
| Privileged Access & Rights | Built‑in admin groups, logon rights, “Deny” rights, anonymous/guest access | Over‑permissive rights = lateral movement & persistence | Anonymous logon in Everyone, admins allowed interactive logon on DCs |
| Service & Role Hygiene on DCs | Critical services (KDC, NetLogon, NTDS, DNS) running/auto, non‑essential roles (Spooler, IIS, RDS, WINS) removed | DCs must be single‑purpose; extra services widen attack surface | Print Spooler running, Web Server role installed, KDC set to Manual |
| Firewall & Port Exposure | Domain/Public/Private profiles, required AD ports open, legacy ports closed, ICMP redirects/source routing | Reduces lateral movement paths and misconfig exposure | Port 139 open, firewall disabled on DC OU, ICMP redirects enabled |
| Logging & Auditing | Advanced audit policy enforced, log sizes, “crash on audit fail”, PowerShell logging | No logs = no forensics. Ensure coverage and retention | Security log full, legacy audit policies used, PS transcription off |
| GPO Hygiene & Consistency | Empty/unlinked/disabled GPOs, duplicate settings, legacy ADM files, permissions consistency | GPO sprawl slows logons & hides misconfig; perms hijacks are common | 42 unlinked GPOs, legacy ADM templates, Authenticated Users = Edit |
| Registry & SMB Server Hardening | Security/auth/communication registry baselines; SMB credits/timeouts; 8.3 naming | Low‑level settings bypass many audits but weaken the host | 8.3 naming enabled, SMBv3 compression not disabled, credits mis‑tuned |
| Backup & Recovery Readiness | Last system state/AD backup age, FSMO role health, RID pool checks | Recovery depends on recent backups & intact FSMO holders | No backup in 45 days, tombstoned FSMO holder (0ADEL:), RID pool errors |
Why You Need an AD Health Check Now
AD is still the crown jewels. 90%+ of breaches abuse identity. One weak policy or stale share can be a beachhead.
Config drift happens. Patches, quick fixes, legacy apps & settings rot silently.
Audits demand proof. Show auditors (and your CISO) evidence that core controls are enforced and monitored via PDF/CSV exports.
Downtime hurts. Time sync or DNS replication issues can take logons, Kerberos and apps down fast.
InfraSOS finds these issues in minutes. Set up AD health alerts using our Active Directory monitoring.
Check your Active Directory Health, Replication & Security Posture
Try us out for free. 100s of reports available to gain control of your IAM & improve your Active Directory security posture management.
Customise Reports
Active Directory Reporting & Auditing
- Filter any report based on selected AD attributes
- Customise any report based on object properties
- Select which columns to display and filter by days
- Delegate access to certain reports to team members
- Schedule reports to run and be emailed
- Export reports (CSV, Excel, PDF, HTML, CSVDE)
- Create custom reports and share with team members
Try InfraSOS for FREE
Complete Hybrid Active Directory Reporting, Auditing & Risk Assessment
- Free 15-Day Trial
- Easy Setup