Introducing AD DS Best Practices Analyzer

Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.

The AD DS BPA service is installed automatically when AD DS is installed on a computer that is running the Windows Server 2008 R2 and that computer becomes a domain controller. This includes both writable domain controllers and read-only domain controllers (RODCs). No other preparations are required.
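The cmdlet workflow described above (scan, filter, exclude), as an added example that is not part of the original post. It assumes an elevated PowerShell session on a domain controller with the BestPractices module present, and that `Microsoft/Windows/DirectoryServices` is the AD DS model identifier on your build; `$accepted` is a constructed placeholder title.

```powershell
# Added example (not from the original post): run the AD DS BPA model from
# PowerShell, keep only actionable findings, and exclude one reviewed result.
# Assumption: run elevated on a Windows Server 2008 R2 (or later) domain
# controller where the BestPractices module and the AD DS role are installed.
Import-Module BestPractices

# BPA model identifier for the AD DS role. If it differs on your build,
# list the installed models with: Get-BpaModel | Select-Object Id
$model = 'Microsoft/Windows/DirectoryServices'

# Run the scan; this produces a fresh result set for the model.
Invoke-BpaModel -ModelId $model | Out-Null

# Keep only Error/Warning findings that have not already been excluded.
$findings = Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }

# Compact overview, grouped by severity and category.
$findings |
    Sort-Object Severity, Category |
    Format-Table Severity, Category, Title -AutoSize

# Full problem/resolution text for each finding, for the remediation ticket.
foreach ($f in $findings) {
    "{0} [{1}]`n  Problem:    {2}`n  Resolution: {3}`n  Help:       {4}`n" -f `
        $f.Title, $f.Severity, $f.Problem, $f.Resolution, $f.Help
}

# Exclude a finding you have reviewed and accepted as expected in this
# environment (constructed placeholder title; replace with the real one).
$accepted = 'Example accepted finding title'
Get-BpaResult -ModelId $model |
    Where-Object { $_.Title -eq $accepted } |
    Set-BpaResult -Exclude $true
```

Excluded results stay in the store with `Excluded` set, so a later run of `Get-BpaResult` without the `-not $_.Excluded` filter still shows them for audit.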

For more information, including detailed explanation of the AD DS BPA logic and the list of the Active Directory configuration settings that AD DS BPA scans, see What's New in AD DS: Active Directory Best Practices Analyzer (

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments (4)

  1. Justin [MSFT] says:

    AD DS BPA is in Server Manager, on the AD DS server role page. It's only available on Windows Server 2008 R2. For more info, see …/dd759260.aspx.

  2. Klaus Jakobsen says:

    So where can this tool be found in Windows?

  3. Sniperdoc says:

    An equally helpful tool is the Microsoft IT Environment Health Scanner.

  4. Jason Lehr says:

    Having a bunch of trouble with the BPA. We have a mixture of 2008 R2, 2012 and 2012 R2 DCs and on each one it throws a bunch of errors about "not being able to collect data about…" I have checked and remediated all the usual suspects (unresolved SIDs on GPOs, "Access this from network" setting in Default DC Policy, and looked at replication and DNS SRV records (including permissions). If I run the PowerShell it throws a "directory object not found". Here is the full text:

    WARNING: Cannot collect the list of DCs in current domain
    ScriptLineNumber: 2342
    OffsetInLine: 13
    ScriptLine: Get-ADDomainController -Filter $filter -Server $computer

    Type: Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException
    Message: Directory object not found
    rFault, Microsoft.ActiveDirectory.Management, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
    Message: Active Directory returned an error processing the operation.
    InnerException: N/A
