Core365 SentinelAD Health Score

Spread the love

The Core365 SentinelAD Health Score provides a single, easy-to-understand metric that reflects the overall health of your Active Directory environment.

It enables administrators to quickly determine whether the directory is operating normally, showing early warning signs, or requires immediate attention.

What the Health Score Represents

The Health Score is calculated by aggregating multiple critical Active Directory health checks into one unified score.

These checks include:

  • AD replication health
  • Time synchronization
  • DNS functionality
  • SYSVOL / DFSR status
  • Secure channel integrity
  • Domain and forest trust health

A higher score indicates a healthy environment, while a lower score highlights potential issues that require investigation.

Score Ranges

Score Range Status Meaning
90 – 100 ✅ Healthy Active Directory is operating normally. No major issues detected.
75 – 89 ⚠️ Warning AD is working, but one or more areas need attention.
0 – 74 ❌ Critical AD health is degraded. Immediate investigation is required.

Overall Status Indicator

The dashboard displays both:

  • A numeric score
  • A color-coded status

How it works:

  • The numeric score is calculated as the average of all health check scores.
  • The status color reflects the worst-performing category:
Condition Overall Status
If any health check is Critical 🔴 Red
If no Critical issues, but at least one check is Warning 🟠 Amber
If all checks are Healthy 🟢 Green

⚠️ Important:
Even with a high score, the status can appear amber or red if a critical component is experiencing issues.

Health Checks Included

AD Replication

Monitors whether domain controllers are replicating correctly.

Why it matters:
Replication issues can result in inconsistent data across domain controllers.

Common issues:

  • Replication failures between DCs
  • Stale replication data
  • Failed replication partners
  • Long delays since last successful replication

Time Health

Ensures domain time synchronization is functioning correctly.

Why it matters:
Kerberos authentication depends on accurate time.

Common issues:

  • PDC emulator time drift
  • Incorrect DC time sync
  • w32tm warnings
  • Missing or unavailable time source

DNS Health

Validates that AD DNS records are functioning correctly.

Why it matters:
Active Directory relies on DNS for locating services like LDAP, Kerberos, and Global Catalogs.

Common issues:

  • Missing _ldap._tcp.dc._msdcs records
  • Stale or incorrect SRV records
  • DNS resolution failures
  • Clients connecting to incorrect domain controllers

SYSVOL / DFSR

Checks the health of SYSVOL replication and DFSR.

Why it matters:
SYSVOL is essential for Group Policy and logon scripts.

Common issues:

  • DFSR backlog
  • SYSVOL not shared
  • Group Policy replication delays
  • Inconsistent policy files across DCs

Secure Channels

Verifies that domain controllers are reachable and trust relationships are intact.

Why it matters:
Detects DC connectivity and trust issues that impact authentication.

Common issues:

  • Offline or unreachable DCs
  • LDAP connectivity failures
  • Broken machine trust
  • Remote management issues

Domain / Forest Trusts

Evaluates trust relationships between domains and forests.

Why it matters:
Trusts are essential for cross-domain authentication and access.

Common issues:

  • Broken trust secure channels
  • Unreachable trusted domains
  • DNS or routing issues
  • Firewall or permission constraints

How the Score Is Calculated

The scoring method is designed to be simple and transparent:

  1. Each health category is assigned a score from 0 to 100
  2. The overall score is calculated as the average of all categories
  3. The status color is determined by the worst category status

Example

Category Score Status
AD Replication 95 Healthy
Time Health 90 Healthy
DNS Health 94 Healthy
SYSVOL / DFSR 90 Healthy
Secure Channels 94 Healthy
Domain / Forest Trusts 100 Healthy

Overall Score: 93.8 → 94
Overall Status:Healthy

Overall Score:
(95 + 90 + 94 + 90 + 94 + 100) ÷ 6 = 93.8 → 94

Overall Status: ✅ Healthy

Why the Health Score Matters

Active Directory issues often surface as user problems before administrators notice underlying faults.

Common symptoms include:

  • Users unable to log in
  • Password changes not syncing
  • Group Policy not applying
  • Application authentication failures
  • Cross-domain access issues
  • Inconsistent account or group states across DCs

The Health Score acts as an early warning system, helping you detect and resolve issues before they impact users.

Important Notes

  • The Health Score is not a replacement for a full Active Directory diagnostic review.
  • It is intended as a live operational indicator.
  • A green score means no issues are currently detected.
  • Amber or red scores require investigation via detailed health views, including:
    • Replication
    • Domain Controller health
    • DNS
    • Time synchronization
    • Trusts
    • Services

Recommended Administrator Response

✅ Healthy

  • Continue regular monitoring
  • Review trends periodically

⚠️ Warning

  • Open detailed health diagnostics
  • Identify affected categories
  • Determine if issues are transient or persistent
  • Investigate replication, DNS, time, or trust warnings

❌ Critical

  • Treat as urgent
  • Identify impacted domain controllers or domains
  • Assess authentication impact
  • Review:
    • Windows Event Logs
    • repadmin output
    • dcdiag results
    • DNS configuration
    • Service status
  • Resolve issues before making major Active Directory changes
×