A couple years back someone made a recommendation on Microsoft Exchange Forums that equivalent to Exchange BPA, it would be nice for AD Admins to have an AD Best Practices Analyzer, this was passed on to the AD Team. Though I am not if this particular thread was the driver behind it, but starting in Windows Server 2008 R2, AD Admin will have the BPA.

“Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.”

ADBPA is a great idea, it gives you a quick glance into the new DC you have just stood up. It points you toward setting the NTP settings correctly if the DC is also PDC. It lets you know if your OUs are not set to be protected from accidental deletion. It also reminds you that certain directory partitions (NC) have not been backed up since a certain of period time. You can access the ADBPA from the Server Manager -> ADDS.

You may notice that if you are running the Windows Server 2008 Beta version, there seems to be a bug with ADBPA rule. One of the non-compliant complain is about the DC’s inability to reach a DNS server to retrieve DC specific records even when the DC itself is also the DNS and the pertaining records are existing. This behavior has been corrected in the RC version.

The compliant section also shows where your DC meets the expected configuration, such as when it advertises itself as a DC in its local site. One downside I see with ADBPA is that it cannot be self-launched into its separate MMC. Or unlike the Exchange BPA, it is only accessible in a small window from within the Server Manager. So there if is large number of non-compliant/compliant messages, the browsing ability is not that great.

How does ADBPA gather this data ?

“When you run the AD DS BPA scan on a domain controller, the BPA engine invokes the AD DS BPA Windows PowerShell script that collects configuration data from the AD DS environment that this domain controller belongs to. The AD DS BPA Windows PowerShell script then saves the collected AD DS configuration data to an XML document. The BPA run-time engine validates this XML document against the XML schema.”

For more information on ADBPA. See this.