Why reboot domain controllers once a month

Original author: Nirmal Sharma
For optimal performance and security, Active Directory domain controllers require regular maintenance. Our new guide will help you get the most out of your domain controllers when serving authentication and authorization requests. Active Directory provides authentication and authorization services. A healthy Active Directory environment allows other services to work efficiently. Earlier in the Active Directory Health Check Server Tutorial, we covered two important topics related to verifying that the directory service works properly: "Active Directory replication topology" and "Subnets not associated with Active Directory sites". We described the advantages of using a network topology over a "mesh topology" and also offered a PowerShell script that you can use to obtain information about the number of sites connected by an AD site link.

Today we will explain why domain controllers should be rebooted at least once a month and how you can use a PowerShell script to obtain uptime information for domain controllers. The script is presented below.

It is important to understand that domain controllers are designed to provide critical authentication and authorization services and are constantly in operation. Therefore, they must be rebooted monthly, or during a specially designated maintenance window in accordance with your standards for verifying system health.

Before we look at the PowerShell script that reports the uptime of domain controllers, let's establish why domain controllers need to be restarted. There are two good reasons to consider when deciding to reboot:

  1. Memory leak problems: A memory leak can occur in the Lsass.exe process. This process runs on a domain controller and is responsible for providing authentication services to Active Directory clients. Over time, a memory leak can affect the performance of domain controllers. A large memory leak can lead to unacceptable response times from the Lsass.exe process and high memory consumption by the operating system. To deal with memory leak problems, it is recommended that you periodically restart the domain controllers.

    Although the newer operating system versions, Windows Server 2012 R2 and Windows Server 2016, reclaim memory automatically, it is still recommended to reboot domain controllers, which can help resolve memory leak problems that the operating system cannot resolve on its own.

  2. Most security updates require a reboot: It is important to note that Windows servers and domain controllers need regular patching with service packs and hotfixes, and the security patch versions must be compatible across all domain controllers. New patches replace low-level DLL files in the operating system, so most security updates require a reboot before they are successfully applied. Microsoft releases security updates monthly, so it is crucial to reboot your domain controllers for the changes to take effect.

Given the above reasons for rebooting, we offer a PowerShell script that you can use to obtain information about the uptime of each domain controller. The script also shows the number of days that have passed since the last reboot of each domain controller.

Steps:

  1. In the script, change ITDynamicPacks.Net to the name of the main domain of your AD forest.

  2. Get a list of all domain controllers of the main Active Directory domain by running the command below. The result is saved in the file C:\Temp\DCList.TXT:

DSQuery Server -o rdn > C:\Temp\DCList.TXT

  3. Copy the full script below into a PS1 file and run it in a PowerShell window:

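# Name of the AD forest; change this to your own forest name
$CurForestName="ITDynamicPacks.Net"
# Output report and the input list of domain controllers produced by DSQuery
# Add-Content appends, so delete an old report before running the script again
$TestCSVFile="C:\Temp\DCUpTimeReport.CSV"
$GDCList="C:\Temp\DCList.TXT"
$TotNo=0
$ItemCount=0
$TestText = "Please check result"
$TestStatus="Completed"
$SumVal = "NA"
$ErrorOrNot = "No"
# CSV header row
$ThisString="Domain Controller, Up Time, Local Time, Time Zone, Days Not Rebooted, Status"
Add-Content "$TestCSVFile" $ThisString
$TodaysDate = Get-Date
Foreach ($ItemName in Get-Content "$GDCList")
	{
	# DSQuery -o rdn wraps each name in double quotes; strip them and skip blank lines
	$ItemName = $ItemName.Trim().Trim('"')
	IF ($ItemName -eq "") { continue }
	# Reset the error list so that a failure on one domain controller (or an
	# earlier error in the session) is not reported for every one after it
	$Error.Clear()
	# Get-WmiObject is available in Windows PowerShell 5.1 and earlier
	$operatingSystem = Get-WmiObject Win32_OperatingSystem -ComputerName $ItemName
	IF ($Error.count -ne 0)
		{
		$ThisStr = $ItemName+",Error Connecting"
		$ErrorOrNot = "Yes"
		Add-Content "$TestCSVFile" $ThisStr
		}
	else
		{
		# Convert the WMI (DMTF) timestamps to DateTime values
		$RTime=[Management.ManagementDateTimeConverter]::ToDateTime($operatingSystem.LastBootUpTime)
		$LocalTime=[Management.ManagementDateTimeConverter]::ToDateTime($operatingSystem.LocalDateTime)
		$CurTimeZone=$operatingSystem.CurrentTimeZone
		$StatusNow = ""
		$R = $RTime
		$Z = $TodaysDate
		# Whole days between the last boot and now
		$DayNotRebooted = (New-TimeSpan -Start $R -End $Z).Days
		IF ($DayNotRebooted -ge 30)
			{
			$StatusNow = "WARNING: Not rebooted since last 30 days"
			}
		$ThisStr=$ItemName+","+$RTime+","+$LocalTime+","+$CurTimeZone+","+$DayNotRebooted+","+$StatusNow
		Add-Content "$TestCSVFile" $ThisStr
		}
	}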

When the script has finished for all domain controllers, a report is generated in the DCUpTimeReport.CSV file in the C:\Temp folder, as shown in the following screenshot:


As you can see from the report, the script makes it possible to obtain uptime information for each domain controller specified in the C:\Temp\DCList.TXT file. A report on how many days the domain controller has not rebooted can be seen in the "Days Not Rebooted" column.
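
The two reboot reasons above can be checked together: uptime alone does not show whether updates installed since the last boot are actually in effect. The following is an added example, not part of the original article or of Active Directory Health Profiler, that flags a domain controller when updates are dated after its last boot as well as when uptime reaches 30 days. The function names Get-RebootFinding and Get-DCRebootFinding and the DC01 to DC03 sample data are constructed for illustration, and the update check is a heuristic that assumes Get-HotFix returns an InstalledOn date.

```powershell
# Added example; function names are hypothetical, sample data is constructed.
function Get-RebootFinding {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][datetime]$LastBoot,
        [datetime[]]$HotFixDates = @(),
        [datetime]$Now = (Get-Date),
        [int]$MaxDays = 30
    )
    $days = (New-TimeSpan -Start $LastBoot -End $Now).Days
    # InstalledOn is a date without a time, so compare calendar days: an update
    # dated after the boot day cannot have been loaded by that boot.
    $newer = @($HotFixDates | Where-Object { $_.Date -gt $LastBoot.Date })
    $status = "OK"
    if ($days -ge $MaxDays) { $status = "WARNING: Not rebooted since last $MaxDays days" }
    if ($newer.Count -gt 0) { $status = "WARNING: $($newer.Count) update(s) installed after last boot" }
    [pscustomobject]@{
        DomainController     = $ComputerName
        LastBoot             = $LastBoot
        DaysNotRebooted      = $days
        UpdatesSinceLastBoot = $newer.Count
        Status               = $status
    }
}

# Live collection over WMI, as in the article's script (Windows PowerShell 5.1).
function Get-DCRebootFinding {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($dc in $ComputerName) {
        try {
            $os = Get-WmiObject Win32_OperatingSystem -ComputerName $dc -ErrorAction Stop
            $boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
            $dates = @(Get-HotFix -ComputerName $dc -ErrorAction Stop |
                Where-Object { $_.InstalledOn } | ForEach-Object { $_.InstalledOn })
            Get-RebootFinding -ComputerName $dc -LastBoot $boot -HotFixDates $dates
        } catch {
            [pscustomobject]@{ DomainController = $dc; LastBoot = $null; DaysNotRebooted = $null
                UpdatesSinceLastBoot = $null; Status = "Error Connecting" }
        }
    }
}

# Constructed sample data: runs offline, no domain controller needed.
$now = Get-Date '2024-06-20'
@(
    Get-RebootFinding -ComputerName 'DC01' -LastBoot '2024-06-12 03:10' -HotFixDates '2024-06-11' -Now $now
    Get-RebootFinding -ComputerName 'DC02' -LastBoot '2024-05-02 01:00' -HotFixDates '2024-05-01','2024-06-11' -Now $now
    Get-RebootFinding -ComputerName 'DC03' -LastBoot '2024-04-30 22:45' -HotFixDates '2024-04-09' -Now $now
) | Format-Table -AutoSize
```

To run it against real domain controllers, pass the cleaned names from C:\Temp\DCList.TXT to Get-DCRebootFinding -ComputerName.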

The above script is part of the Dynamic Pack Domain Controller Test for Uptime, which is available for use with Active Directory Health Profiler. This test can be performed for one or for many AD domains and you can see the test results in the Active Directory Health Profiler console as shown in the screenshot below:


Conclusion


We examined in detail two key reasons for rebooting domain controllers. The main purpose of the reboot is to keep domain controllers serving authentication and authorization requests promptly and to maximize security by applying security updates on time.

The PowerShell script presented here will help you keep your domain controllers working efficiently; to achieve this, they need to be rebooted once a month.
