PingCastle Active Directory Scan Runbook

What this fixes

Common symptoms:

• "Domain not found" / DNS discovery failures
• "The server is not operational" (often stale DC references)
• False positives/incomplete results when SMB (445) is blocked
• Very slow runs when ADWS isn't available
• Tool flagged by AV/EDR as suspicious

Prerequisites

• Authorization to assess the directory environment
• A domain-joined assessment host (preferred) or routable access to DCs
• Network access to required services:
• LDAP (389), ADWS (9389), SMB (445)
• PingCastle downloaded from official sources; store hash/signature info

Steps and commands

1. Preflight — verify name resolution and DC reachability:

• Resolve the domain:

`nslookup `

• Quick port checks to a DC:

`nc -vz 389 445 9389`

1. Run baseline Healthcheck:

`PingCastle.exe --healthcheck --server `

1. Watch for warnings during the run:

• If PingCastle warns it cannot download GPOs (SMB blocked), treat results as incomplete.
• Fix by enabling SMB access from the assessment host, or rerun from a host in the same security zone.

1. Performance tuning:

• If ADWS is available on DCs, scans are significantly faster.
• If scans are slow, validate ADWS presence and connectivity on port 9389.

1. AV/EDR false positives:

• Follow vendor guidance: use a controlled allowlist for authorized assessment hosts/users.
• Prefer running on dedicated assessment hosts; avoid placing PingCastle on general endpoints.

1. Capture outputs and evidence:

• Save HTML reports and run log alongside:
• date/time, host used, PingCastle version, connectivity notes

Expected outputs

• PingCastle HTML report(s) with a score and prioritized remediation guidance
• A run log showing which DCs/services were used and any warnings

Common errors and troubleshooting

• Domain not found / no DNS entries
• Check DNS settings and DC reachability.
• Confirm you are using the correct domain FQDN.

• "The server is not operational"
• Often indicates DC discovery returned a decommissioned/stale DC.
• Validate AD Sites & Services and DNS SRV records.

• Incomplete results when SMB is blocked
• PingCastle requires SMB to retrieve GPO data; without it, some rules misfire.
• Fix connectivity or rerun from within the security zone.

• AV/EDR flags
• Treat as operational risk; use official releases and documented allowlisting only.

References

• https://www.pingcastle.com/documentation/
• https://docs.netwrix.com/docs/pingcastle/3_5
• https://github.com/netwrix/pingcastle/issues/255
• https://github.com/netwrix/pingcastle/issues/253
• https://github.com/netwrix/pingcastle/issues/302

Example inputs

• ``: corp.example.local
• ``: 10.0.0.10