By Robert Meyers, MCITP

We all love Microsoft’s Active Directory. It just works. You install it and walk away. Right? Nothing else to do. Right?

Suppose a car company built a car but only protected the outer shell from rust: painting, bluing or annealing nothing but the outer shell, the body. Not the undercarriage. No parts of the engine… nothing but the outer shell. That car would run. It would run as well as any car with a bit better finishing. Heck, initially it might even run a bit better since it is lighter. But how long would it be till the rust literally ate the car apart from the inside out? Ask anyone who has ever been in a cold climate, they know: it wouldn’t last very long at all. Heck, it isn’t uncommon in areas that salt their roads for cars to last half a decade with complete sealing.

So why don’t people finish setting up Microsoft’s Active Directory? Why not just set up Sites and Services, set up organizational units… and maybe even group policies? No, I don’t know the answer. In this case I just know this is an industry-wide problem. This is what leads to a great many problems that most administrators either don’t understand or, often, have no idea can even occur.

In general, systems administrators love Active Directory. It is logical and it just works. You install it and walk away. Or at least that is the realization I have had after viewing nearly a hundred installations of Active Directory over the last decade. People install Active Directory and say, “We’re done!” This is a fallacy.

When you simply install Active Directory and walk away, you haven’t really set up anything. This is normally referred to as installation, not setup. And this can also be referred to as a disaster in waiting.

As a specialist in Active Directory, I always check on errors and events. Or as Microsoft states, troubleshooting Active Directory starts with: “an event reported in an event log;” “an alert generated by a monitoring system, such as Microsoft Operations Manager (MOM);” or “a symptom reported by a user or noticed by IT personnel.” Working from one of the first two is a lot easier than the last. Granted, if you didn’t set up Active Directory… many alerts are worthless or just don’t generate.

When Active Directory is fully configured, you get to view a massive amount of information. Often information to the point of information overload. And yes, you read right: information, not data. When it isn’t configured, you basically give up on troubleshooting. Why? Because in general you don’t get the alerts that you should have had to work from.

When you set up Active Directory, when you completely set up Active Directory, things really begin to work. Your alerts actually begin to mean something (and in many cases, simply begin being available). You can actually see when you are having issues. And most importantly: when something does go wrong, you can fix it.

So, when you see that Active Directory is simply installed, ask yourself: why didn’t someone finish it? If it’s your work: why wouldn’t you finish it? Every engineer or administrator I have asked has said the same thing: it works.

Of all the answers, “it works” is completely without merit.  Professionals I have great respect for have been included in this group.  “It works” is not the answer.  It is a disaster.

The old saying is that if you take on a job, work it till completion. So I recommend finishing Active Directory. Then it really works.

Tech Tip #1:

The command to run a general domain diagnostic of all domain controllers in your domain and export to a log is listed here.
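
The author's command is not reproduced on this page. As an added example (not the author's own), the PowerShell below summarizes a dcdiag log so that failed tests stand out per domain controller. The dcdiag flags in the comment, the log path and the server names in the sample are assumptions chosen for illustration.

```powershell
# Added example: triage the pass/fail result lines in a dcdiag log.
# To produce a real log (assumed flag choice: /e = every DC in the forest,
# /v = verbose, /f: = write output to a log file), then load it:
#   dcdiag /e /v /f:C:\Temp\dcdiag.log
#   $lines = Get-Content C:\Temp\dcdiag.log

# Constructed sample in dcdiag's result-line format (server names are made up).
$lines = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Advertising
         ......................... DC01 passed test Advertising
   Testing server: Default-First-Site-Name\DC02
      Starting test: Connectivity
         ......................... DC02 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC02] A recent replication attempt failed:
         ......................... DC02 failed test Replications
'@ -split "`r?`n"

function Get-DcdiagResult {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Result lines look like: "........ <target> passed|failed test <TestName>"
        if ($l -match '^\s*\.+\s+(?<Target>\S+)\s+(?<Outcome>passed|failed)\s+test\s+(?<Test>\S+)') {
            [pscustomobject]@{
                Target  = $Matches.Target
                Test    = $Matches.Test
                Outcome = $Matches.Outcome
            }
        }
    }
}

$results  = Get-DcdiagResult -Line $lines
$failures = $results | Where-Object Outcome -eq 'failed'

# Per-target tally first, then the failed tests that need attention.
$results | Group-Object Target | ForEach-Object {
    $failed = @($_.Group | Where-Object Outcome -eq 'failed').Count
    '{0}: {1} tests, {2} failed' -f $_.Name, $_.Count, $failed
}
$failures | Format-Table Target, Test -AutoSize
```

The target column holds a server name for per-DC tests and a partition or domain name for enterprise-wide tests, so both kinds of failure appear in the same table.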