Starting with Windows 2008 R2, Microsoft introduced a Best Practices Analyzer (BPA) for Active Directory that is included as part of the operating system. The tool analyzes many of the most common issues that administrators typically run into.
To access BPA, open Server Manager, click the AD DS node, and scroll down the panel.
To run a BPA scan, click Task / Start BPA Scan on the right. You can select one or more domain controllers, then start the scan.
Once the scan completes, you’ll see the result. Each result gives you the server exhibiting the issue, a severity level, the name of the issue and an overall category. When you select an issue, a description of the issue is shown below with a link to more information and remediation steps.
How to run BPA with PowerShell:
First, get the available BPA models with the Get-BpaModel cmdlet.
Now you can run BPA against one of the model IDs with the Invoke-BpaModel cmdlet. For instance, to run BPA on Directory Services, execute the cmdlet
To run BPA on all roles, execute the cmdlet:
Get-BPAModel | Invoke-BPAModel
How to run BPA remotely:
Connect to the remote server using:
Enter-PSSession Computername -Credential Username
Then run Invoke-BpaModel in the remote session.
Retrieve results from BPA:
Use the Get-BpaResult cmdlet.
You can also filter the results:
Get-BpaResult "Microsoft/Windows/DirectoryServices" | where Severity -eq Warning
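The steps above (run the Directory Services model, do it remotely, then filter the results) can be combined into one non-interactive script. This is an added example, not part of the original post: it uses Invoke-Command in place of the interactive Enter-PSSession, and the domain controller names DC01/DC02 and the report path are placeholders.

```powershell
# Added example: scan several domain controllers with the AD DS BPA model and
# collect every Warning/Error finding into one report.
# Assumptions: DC01/DC02 and the CSV path are placeholders; PowerShell
# remoting is enabled on the target domain controllers.
$DomainControllers = 'DC01', 'DC02'
$ModelId           = 'Microsoft/Windows/DirectoryServices'
$ReportPath        = '.\adds-bpa-findings.csv'

$remote = @{
    ComputerName = $DomainControllers
    Credential   = Get-Credential      # account with admin rights on the DCs
    ArgumentList = $ModelId
}

$findings = Invoke-Command @remote -ScriptBlock {
    param($ModelId)

    # Explicit import is needed on Windows Server 2008 R2 (PowerShell 2.0);
    # it is harmless on later versions.
    Import-Module BestPractices -ErrorAction Stop

    # Skip hosts where the model is not available (role not installed).
    if (-not (Get-BpaModel | Where-Object { $_.Id -eq $ModelId })) {
        Write-Warning "BPA model '$ModelId' not found on $env:COMPUTERNAME"
        return
    }

    # Run the scan, then keep only results that need attention.
    Invoke-BpaModel $ModelId | Out-Null
    Get-BpaResult $ModelId |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object @{ Name = 'Severity'; Expression = { "$($_.Severity)" } },
                      Category, Title, Problem, Resolution
}

# PSComputerName is added by Invoke-Command and identifies the source DC.
$findings |
    Sort-Object PSComputerName, Severity |
    Format-Table PSComputerName, Severity, Category, Title -AutoSize

$findings |
    Select-Object PSComputerName, Severity, Category, Title, Problem, Resolution |
    Export-Csv -Path $ReportPath -NoTypeInformation
```

Keeping the CSV from each run lets you compare reports over time and spot a domain controller whose configuration has drifted from the others.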