PingCastle AD Health Check Runbook

Preflight connectivity, reduce false positives, handle AV flags

PingCastle AD assessments commonly fail or mislead due to DNS/DC discovery issues, missing SMB connectivity for GPO retrieval, absent ADWS (slow scans), and AV/EDR false positives. This runbook makes those failure modes explicit and gives a repeatable preflight-to-report workflow.

INGREDIENTS

PROMPT

Create a skill called "PingCastle Runbook".

Inputs I will provide:
- Domain FQDN and (optionally) known DC hostnames/IPs
- Where I'm running from (domain-joined host vs jump host)
- Any errors or warnings from PingCastle output
- Whether SMB/445 is allowed from my host to DCs

Task:
1) Generate a preflight checklist (DNS + port reachability).
2) Provide the right PingCastle commands for the situation.
3) If warnings indicate missing SMB/GPO access, explain which parts of the report are unreliable and what to do.
4) Include an AV/EDR handling note consistent with vendor guidance.

What this fixes

Common symptoms:

  • "Domain not found" / DNS discovery failures
  • "The server is not operational" (often stale DC references)
  • False positives/incomplete results when SMB (445) is blocked
  • Very slow runs when ADWS isn't available
  • Tool flagged by AV/EDR as suspicious

Prerequisites

  • Authorization to assess the directory environment
  • A domain-joined assessment host (preferred) or routable access to DCs
  • Network access to required services:
    • LDAP (389), ADWS (9389), SMB (445)
  • PingCastle downloaded from official sources; store hash/signature info

Steps and commands

  1. Preflight — verify name resolution and DC reachability:
     • Resolve the domain:

`nslookup <domain-fqdn>`

     • Quick port checks to a DC (one nc call per port, since nc accepts a single port argument):

`for p in 389 445 9389; do nc -vz <dc-host> $p; done`

  2. Run the baseline Healthcheck:

`PingCastle.exe --healthcheck --server <dc-host>`

  3. Watch for warnings during the run:
     • If PingCastle warns it cannot download GPOs (SMB blocked), treat results as incomplete.
     • Fix by enabling SMB access from the assessment host, or rerun from a host in the same security zone.
  4. Performance tuning:
     • If ADWS is available on DCs, scans are significantly faster.
     • If scans are slow, validate ADWS presence and connectivity on port 9389.
  5. AV/EDR false positives:
     • Follow vendor guidance: use a controlled allowlist for authorized assessment hosts/users.
     • Prefer running on dedicated assessment hosts; avoid placing PingCastle on general endpoints.
  6. Capture outputs and evidence:
     • Save HTML reports and the run log alongside:
       • date/time, host used, PingCastle version, connectivity notes
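The preflight in steps 1 and 2 written out as a script (an added example, not from the page or from PingCastle): it discovers DCs from the domain's SRV record, probes 389/445/9389 on each, and states whether the resulting report can be trusted. That nslookup and nc are on PATH, and that DCs are advertised under the `_ldap._tcp.dc._msdcs` SRV name, are assumptions.

```shell
#!/bin/sh
# PingCastle preflight: added example, not from PingCastle or the original page.
# Assumes nslookup and nc are on PATH and that it runs from the assessment host:
#   sh preflight.sh corp.example.local
# DC discovery reads the domain's _ldap._tcp.dc._msdcs SRV record (an assumption
# about how DCs are advertised); a stale entry there is the "server is not
# operational" case from the troubleshooting section.

# Print the DC hostnames advertised in the SRV record (Linux and Windows nslookup formats).
dc_list() {
  nslookup -type=SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null \
    | awk '/svr hostname|service =/ { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Probe one TCP port with a 3-second timeout; exit status 0 means reachable.
probe() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# Classify a run from reachability flags (1 = open, 0 = blocked) for LDAP, SMB, ADWS.
# Pure logic with no network access. Exit status: 0 = report trustworthy,
# 1 = incomplete (GPO-based rules unreliable), 2 = do not run.
assess() {
  if [ "$1" -ne 1 ]; then
    echo "ABORT: LDAP/389 unreachable, PingCastle cannot enumerate the domain"
    return 2
  fi
  verdict="OK"
  [ "$2" -eq 1 ] || verdict="INCOMPLETE: SMB/445 blocked, GPO-based rules are unreliable"
  [ "$3" -eq 1 ] || verdict="$verdict (ADWS/9389 unreachable, expect a slow LDAP-only scan)"
  echo "$verdict"
  [ "$2" -eq 1 ]
}

# Resolve the DCs, probe each one on 389/445/9389, and print a per-DC verdict.
preflight() {
  dcs=$(dc_list "$1")
  if [ -z "$dcs" ]; then
    echo "ABORT: no DC SRV records for $1 (check DNS and the domain FQDN)"
    return 2
  fi
  for dc in $dcs; do
    probe "$dc" 389 && l=1 || l=0
    probe "$dc" 445 && s=1 || s=0
    probe "$dc" 9389 && a=1 || a=0
    printf '%s: ' "$dc"; assess "$l" "$s" "$a"
  done
}

if [ $# -ge 1 ]; then preflight "$1"; fi
```

Record the script's output with the run log: it is the connectivity note the evidence step asks for, and it tells a reader of the report whether the GPO-based findings were produced with SMB available.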

Expected outputs

  • PingCastle HTML report(s) with a score and prioritized remediation guidance
  • A run log showing which DCs/services were used and any warnings

Common errors and troubleshooting

  • Domain not found / no DNS entries
    • Check DNS settings and DC reachability.
    • Confirm you are using the correct domain FQDN.
  • "The server is not operational"
    • Often indicates DC discovery returned a decommissioned/stale DC.
    • Validate AD Sites & Services and DNS SRV records.
  • Incomplete results when SMB is blocked
    • PingCastle requires SMB to retrieve GPO data; without it, some rules misfire.
    • Fix connectivity or rerun from within the security zone.
  • AV/EDR flags
    • Treat as operational risk; use official releases and documented allowlisting only.

References

  • https://www.pingcastle.com/documentation/
  • https://docs.netwrix.com/docs/pingcastle/3_5
  • https://github.com/netwrix/pingcastle/issues/255
  • https://github.com/netwrix/pingcastle/issues/253
  • https://github.com/netwrix/pingcastle/issues/302

Example inputs

  • `<domain-fqdn>`: corp.example.local
  • `<dc-host>`: 10.0.0.10

Tags: #pentesting #active-directory #pingcastle #troubleshooting #reporting