Merge pull request #114 from rebelinux/dev
Health Check improvements
rebelinux committed Jun 26, 2023
2 parents 1ef27f5 + 2893383 commit 44ef915
Showing 19 changed files with 363 additions and 199 deletions.
2 changes: 1 addition & 1 deletion AsBuiltReport.Microsoft.AD.psd1
Expand Up @@ -12,7 +12,7 @@
RootModule = 'AsBuiltReport.Microsoft.AD.psm1'

# Version number of this module.
ModuleVersion = '0.7.13'
ModuleVersion = '0.7.14'

# Supported PSEditions
# CompatiblePSEditions = @()
9 changes: 6 additions & 3 deletions Src/Private/Get-AbrADDCRoleFeature.ps1
Expand Up @@ -5,7 +5,7 @@ function Get-AbrADDCRoleFeature {
.DESCRIPTION
.NOTES
Version: 0.7.13
Version: 0.7.14
Author: Jonathan Colon
Twitter: @jcolonfzenpr
Github: rebelinux
Expand Down Expand Up @@ -68,9 +68,12 @@ function Get-AbrADDCRoleFeature {
}
$OutObj | Table @TableParams
if ($HealthCheck.DomainController.Software -and ($OutObj | Where-Object {$_.'Name' -notin @('Active Directory Domain Services','DNS Server','File and Storage Services')})) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Health Check:" -Bold -Underline
BlankLine
Paragraph "Best Practices: Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation." -Italic -Bold
Paragraph {
Text "Best Practices:" -Bold
Text "Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation."
}
}
}
}
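Review bot: The header-plus-`Paragraph { Text ... }` sequence introduced at L42-L48 is now hand-copied into every health-check block this commit touches (Get-AbrADDFSHealth, Get-AbrADDNSInfrastructure and Get-AbrADDNSZone as well), and the copies already differ in their switches and spacing. A small private helper taking the label and the message would render every health-check note identically and turn future wording or style changes into a single edit; the call in this hunk would then read `Write-AbrHealthCheck -Label 'Best Practices:' -Message '...'`. The enclosing function Get-AbrADDCRoleFeature starts and ends outside the hunk.
```powershell
# New private helper shared by the Get-Abr* health-check blocks
function Write-AbrHealthCheck {
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [string] $Message
    )
    Paragraph "Health Check:" -Bold -Underline
    BlankLine
    Paragraph {
        Text $Label -Bold
        Text $Message
    }
}
# … unchanged: table output and role filter …
Write-AbrHealthCheck -Label 'Best Practices:' -Message 'Domain Controllers should have limited software and agents installed including roles and services. Non-essential code running on Domain Controllers is a risk to the enterprise Active Directory environment. A Domain Controller should only run required software, services and roles critical to essential operation.'
```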
23 changes: 16 additions & 7 deletions Src/Private/Get-AbrADDFSHealth.ps1
Expand Up @@ -5,7 +5,7 @@ function Get-AbrADDFSHealth {
.DESCRIPTION
.NOTES
Version: 0.7.13
Version: 0.7.14
Author: Jonathan Colon
Twitter: @jcolonfzenpr
Github: rebelinux
Expand Down Expand Up @@ -87,9 +87,12 @@ function Get-AbrADDFSHealth {
}
$OutObj | Sort-Object -Property 'DC Name' | Table @TableParams
if ($HealthCheck.Domain.DFS -and (($OutObj | Where-Object { $_.'Identical Count' -like 'No' }) -or ($OutObj | Where-Object { $_.'Replication Status' -in $ReplicationStatusError }))) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Health Check:" -Bold -Underline
BlankLine
Paragraph "Corrective Actions: SYSVOL is a special directory that resides on each domain controller (DC) within a domain. The directory comprises folders that store Group Policy objects (GPOs) and logon scripts that clients need to access and synchronize between DCs. For these logon scripts and GPOs to function properly, SYSVOL should be replicated accurately and rapidly throughout the domain. Ensure that proper SYSVOL replication is in place to ensure identical GPO/SYSVOL content for the domain controller across all Active Directory domains." -Italic -Bold
Paragraph {
Text "Corrective Actions:" -Bold
Text "SYSVOL is a special directory that resides on each domain controller (DC) within a domain. The directory comprises folders that store Group Policy objects (GPOs) and logon scripts that clients need to access and synchronize between DCs. For these logon scripts and GPOs to function properly, SYSVOL should be replicated accurately and rapidly throughout the domain. Ensure that proper SYSVOL replication is in place to ensure identical GPO/SYSVOL content for the domain controller across all Active Directory domains."
}
BlankLine
}
}
Expand Down Expand Up @@ -144,9 +147,12 @@ function Get-AbrADDFSHealth {
}
$OutObj | Sort-Object -Property 'Extension' | Table @TableParams
if ($OutObj | Where-Object { $_.'Extension' -notin ('.bat','.exe','.nix','.vbs','.pol','.reg','.xml','.admx','.adml','.inf','.ini','.adm','.kix','.msi','.ps1','.cmd','.ico')}) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Health Check:" -Bold -Underline
BlankLine
Paragraph "Corrective Actions: Make sure Sysvol folder has no malicious extensions or unnecessary content." -Italic -Bold
Paragraph {
Text "Corrective Actions:" -Bold
Text "Make sure Sysvol folder has no malicious extensions or unnecessary content."
}
}
}
}
Expand Down Expand Up @@ -203,9 +209,12 @@ function Get-AbrADDFSHealth {
}
$OutObj | Sort-Object -Property 'Extension' | Table @TableParams
if ($OutObj | Where-Object { $_.'Extension' -notin ('.bat','.exe','.nix','.vbs','.pol','.reg','.xml','.admx','.adml','.inf','.ini','.adm','.kix','.msi','.ps1','.cmd','.ico')}) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Health Check:" -Bold -Underline
BlankLine
Paragraph "Corrective Actions: Make sure Netlogon folder has no malicious extensions or unnecessary content." -Italic -Bold
Paragraph {
Text "Corrective Actions:" -Bold
Text "Make sure Netlogon folder has no malicious extensions or unnecessary content."
}
}
}
}
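Review bot: The corrective-action paragraphs rebuilt at L86-L89 and L101-L104 are emitted whenever the extension filter at L81 or L96 matches, but unlike the DFS block at L66 neither condition checks `$HealthCheck.Domain.DFS`, so these two notes cannot be switched off together with the rest of the DFS health check; if that is not intentional, `if ($HealthCheck.Domain.DFS -and ($OutObj | Where-Object { ... }))` on both lines fixes it (unless an enclosing `if` outside the hunks already gates them). The 17-entry allowed-extension list is also duplicated verbatim between the two hunks; hoisting it into one variable such as `$AllowedSysvolExtensions` at the top of the function keeps the SYSVOL and Netlogon checks from diverging. Note that the list allows `.exe`, `.msi`, `.vbs`, `.bat`, `.cmd` and `.ps1`, so the check flags unexpected extensions rather than executable content; a comment to that effect above L81 would stop readers over-trusting the "no malicious extensions" wording at L88 and L103. The enclosing function Get-AbrADDFSHealth starts and ends outside the hunks.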
72 changes: 6 additions & 66 deletions Src/Private/Get-AbrADDNSInfrastructure.ps1
Expand Up @@ -5,7 +5,7 @@ function Get-AbrADDNSInfrastructure {
.DESCRIPTION
.NOTES
Version: 0.7.13
Version: 0.7.14
Author: Jonathan Colon
Twitter: @jcolonfzenpr
Github: rebelinux
Expand Down Expand Up @@ -66,69 +66,6 @@ function Get-AbrADDNSInfrastructure {
}
$OutObj | Sort-Object -Property 'DC Name' | Table @TableParams
#---------------------------------------------------------------------------------------------#
# DNS IP Section #
#---------------------------------------------------------------------------------------------#
if ($InfoLevel.DNS -ge 2) {
try {
Section -Style Heading5 "Domain Controller DNS IP Configuration" {
$OutObj = @()
foreach ($DC in $DCs) {
if (Test-Connection -ComputerName $DC -Quiet -Count 1) {
Write-PscriboMessage "Collecting DNS IP Configuration information from $($DC)."
$DCPssSession = New-PSSession $DC -Credential $Credential -Authentication $Options.PSDefaultAuthentication
try {
$DNSSettings = Invoke-Command -Session $DCPssSession { Get-NetAdapter | Get-DnsClientServerAddress -AddressFamily IPv4 }
foreach ($DNSSetting in $DNSSettings) {
try {
$inObj = [ordered] @{
'DC Name' = $DC.ToString().ToUpper().Split(".")[0]
'Interface' = $DNSSetting.InterfaceAlias
'DNS IP 1' = ConvertTo-EmptyToFiller $DNSSetting.ServerAddresses[0]
'DNS IP 2' = ConvertTo-EmptyToFiller $DNSSetting.ServerAddresses[1]
'DNS IP 3' = ConvertTo-EmptyToFiller $DNSSetting.ServerAddresses[2]
'DNS IP 4' = ConvertTo-EmptyToFiller $DNSSetting.ServerAddresses[3]
}
$OutObj += [pscustomobject]$inobj
}
catch {
Write-PscriboMessage -IsWarning "$($DC.ToString().ToUpper().Split(".")[0]) DNS IP Configuration Section: $($_.Exception.Message)"
}
}
}
catch {
Write-PscriboMessage -IsWarning "Domain Controller DNS IP Configuration Table Section: $($_.Exception.Message)"
}
}
}
if ($DCPssSession) {
Remove-PSSession -Session $DCPssSession
}

if ($HealthCheck.DNS.DP) {
$OutObj | Where-Object { $_.'DNS IP 1' -eq "127.0.0.1"} | Set-Style -Style Warning -Property 'DNS IP 1'
}

$TableParams = @{
Name = "DNS IP Configuration - $($Domain.ToString().ToUpper())"
List = $false
ColumnWidths = 20, 20, 15, 15, 15, 15
}
if ($Report.ShowTableCaptions) {
$TableParams['Caption'] = "- $($TableParams.Name)"
}
$OutObj | Sort-Object -Property 'DC Name' | Table @TableParams
if ($HealthCheck.DNS.DP -and ($OutObj | Where-Object { $_.'DNS IP 1' -eq "127.0.0.1"})) {
Paragraph "Health Check:" -Italic -Bold -Underline
BlankLine
Paragraph "Best Practices: DNS configuration on network adapter should include the loopback address, but not as the first entry." -Italic -Bold
}
}
}
catch {
Write-PscriboMessage -IsWarning "Domain Controller DNS IP Configuration Section: $($_.Exception.Message)"
}
}
#---------------------------------------------------------------------------------------------#
# DNS Aplication Partitions Section #
#---------------------------------------------------------------------------------------------#
if ($InfoLevel.DNS -ge 2) {
Expand Down Expand Up @@ -282,9 +219,12 @@ function Get-AbrADDNSInfrastructure {
}
$OutObj | Sort-Object -Property 'DC Name' | Table @TableParams
if ($HealthCheck.DNS.Zones -and ($OutObj | Where-Object { $_.'Scavenging State' -eq 'Disabled'})) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Health Check:" -Bold -Underline
BlankLine
Paragraph "Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs." -Italic -Bold
Paragraph {
Text "Best Practices:" -Bold
Text "Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs."
}
}
}
}
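Review bot: The second hunk removes the whole "Domain Controller DNS IP Configuration" section (old L122-L184) and with it the only `$HealthCheck.DNS.DP` check visible on this page — the warning when a DC's first DNS server entry is `127.0.0.1` — together with the `Remove-PSSession` cleanup for that session, yet the commit description only says "Health Check improvements". Unless that check was relocated to one of the changed files not rendered here, the `HealthCheck.DNS.DP` option becomes dead configuration and the loopback-as-first-entry finding silently disappears from reports; either restore the check or state the removal in the description and retire the option from the report configuration if it is defined there. The enclosing function Get-AbrADDNSInfrastructure starts and ends outside the hunks.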
14 changes: 10 additions & 4 deletions Src/Private/Get-AbrADDNSZone.ps1
Expand Up @@ -5,7 +5,7 @@ function Get-AbrADDNSZone {
.DESCRIPTION
.NOTES
Version: 0.7.6
Version: 0.7.14
Author: Jonathan Colon
Twitter: @jcolonfzenpr
Github: rebelinux
Expand Down Expand Up @@ -160,7 +160,10 @@ function Get-AbrADDNSZone {
if ($HealthCheck.DNS.Zones -and ($OutObj | Where-Object { $_.'Secure Secondaries' -eq "Send zone transfers to all secondary servers that request them."})) {
Paragraph "Health Check:" -Italic -Bold
BlankLine
Paragraph "Best Practices: Configure all DNS zones only to allow zone transfers from Trusted IP addresses." -Italic -Bold
Paragraph {
Text "Best Practices:" -Bold
Text "Configure all DNS zones only to allow zone transfers from Trusted IP addresses."
}
}
}
}
Expand Down Expand Up @@ -290,8 +293,11 @@ function Get-AbrADDNSZone {
}
$OutObj | Sort-Object -Property 'Zone Name' | Table @TableParams
if ($HealthCheck.DNS.Zones -and ($OutObj | Where-Object { $_.'Aging Enabled' -ne 'Yes'})) {
Paragraph "Health Check:" -Italic -Bold -Underline
Paragraph "Best Practices: Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs." -Italic -Bold
Paragraph "Health Check:" -Bold -Underline
Paragraph {
Text "Best Practices:" -Bold
Text "Microsoft recommends to enable aging/scavenging on all DNS servers. However, with AD-integrated zones ensure to enable DNS scavenging on one DC at main site. The results will be replicated to other DCs."
}
}
}
}
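Review bot: The health-check header at L217 is left as `Paragraph "Health Check:" -Italic -Bold` while this commit changes every other header to `Paragraph "Health Check:" -Bold -Underline` (Get-AbrADDCRoleFeature, Get-AbrADDFSHealth, Get-AbrADDNSInfrastructure and L233 in this file), so the zone-transfer section will render differently from the rest of the report. The second hunk also omits the `BlankLine` between the header at L233 and the new `Paragraph { ... }` block that the other sections place there. Changing L217 to `Paragraph "Health Check:" -Bold -Underline` and inserting `BlankLine` after L233 brings both in line. The enclosing function Get-AbrADDNSZone starts and ends outside the hunks.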