

# Assessment Test warning messages
<a name="assessment_test_warning-msgs"></a>

The following table describes warning messages that can occur during assessment tests. These warnings represent recommendations for optimal configuration but do not prevent hybrid directory setup.


| Test name | Short name | Warning code | Warning message | Description | Resolution | 
| --- | --- | --- | --- | --- | --- | 
| Domain Health Tests | `testDisabledStaleUserNumber` | `STALE_USERS_FOUND` | `{{StaleUserCount}} users were found to be stale, they have not logged in for {{StaleThresholdInDays}} days.` | Occurs if there are user accounts in your self-managed AD that have not logged in for an extended period and may be considered stale or inactive. | Clean up stale user accounts. | 
| Domain Controller Time Source Test | `testDCTimeSource` | `DC_BAD_TIMESOURCE` | `Time sources not properly configured for PDC, should using an authoritative source. Time sources not properly configured for {{dcHostName}}, should using PDC as source` | Occurs if the test cannot confirm that your self-managed AD has the correct time source setup and that there is no large time skew when compared to an AWS time source. | Your primary domain controller (PDC) time server should be directed to `169.254.169.123`. Your non-primary domain controllers should be pointed to the PDC as the source. For more information, see [Keeping time with Amazon Time Sync Service](https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/). | 
| Free Space Test | `testFreeSpace` | `DISK_SPACE_EXCEEDED` | `Supported service max capacity of 7 GB exceeded; SysVol + NTDS is currently using: 24 GB)` | Occurs if the combined NTDS and SysVol usage on your self-managed AD is above the supported quota. | Your self-managed AD should have 24 GB of disk space for hybrid directories. | 
| FSMO Roles Test | `testFSMORoles` | `FSMO_ROLE_TEST_FAILED` | `PDC Emulator ({{dc1.example.com}}) is not among the provided domain controllers.`<br />`RID Master ({{dc1.example.com}}) is not among the provided domain controllers.` | Occurs if FSMO roles (PDC Emulator and RID Master) are not among the two domain controllers provided when you create a hybrid directory. | Your hybrid directory should have both FSMO roles (PDC Emulator and RID Master) among the two domain controllers that you provide when you create a hybrid directory. For more information, see [How to view and transfer FSMO roles](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles). | 
| S channel SSP Test | `testSchannelSSP` | `TLS_1_2_NOT_ENABLED` | `Disabled protocol {{DisabledProtocol}} is still enabled.` | Occurs if a self-managed AD does not use TLS 1.2 and AES256 encryption. | Your self-managed AD must use TLS 1.2 and AES256 for hybrid directories. | 
| Disk Corruption Test | `testDiskCorruption` | `DISK_CORRUPT` | `Disk corruption detected on {{Drive}}.` | Occurs if there is disk corruption on your self-managed AD. | Your self-managed AD disks should not be corrupted. | 
| Domain Controller Specs Test | `testDcSpecs` | `INSUFFICIENT_RESOURCES` | `{{numAvailableCores}} cores detected when {{requiredCores}} cores recommended. {{gbAvailableRam}} GB ram detected when {{requiredRam}} GB recommended.` | Occurs if your self-managed AD domain controllers don't meet the required specifications. | Your self-managed AD domain controllers should have at least 7 GB RAM and 2 CPU cores for hybrid directories. | 
| Server Level Plugin Dll Test | `testServerLevelPluginDll` | `SERVER_LEVEL_PLUGIN_DLL_IS_SET` | `ServerLevelPluginDll registry configuration is not permitted.` | Occurs if ServerLevelPluginDll is set on your self-managed AD domain controllers. | Your self-managed AD domain controllers should not have ServerLevelPluginDll configured. | 
| Allow NT4 Crypto Test | `testAllowNT4Crypto` | `NT4_CRYPTO_NOT_ALLOWED` | `Registry key AllowNt4Crypto is not allowed.` | Occurs if self-managed AD allows NT4 Cryptography. | Your self-managed AD should not use NT4 Cryptography. For more information, see Microsoft documentation. | 
| Orphaned Admin Users Test | `testOrphanedAdminUsers` | `ORPHANED_ADMIN_USER_FOUND` | `{{OrphanedUsersCount}} Orphaned Admin Users Found: [{{OrphanedUserNames}}].` | Occurs if orphaned admin users exist in your self-managed AD. | Remove orphaned users on your self-managed AD before continuing. | 
| Privileged User Count Test | `testPrivilegedUserCount` | `DOMAIN_ADMIN_COUNT_EXCEEDED` | `Number of Domain Admins ({{daCount}}) exceeded allowance of ({{allowedDomainAdminCount}}).` | Occurs if the total count of your Built-in Admins, Domain Admins, and Enterprise Admins on your self-managed AD is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. | 
| Privileged User Count Test | `testPrivilegedUserCount` | `ENTERPRISE_ADMIN_COUNT_EXCEEDED` | `Number of Enterprise Admins ({{eaCount}}) exceeded allowance of ({{allowedEnterpriseAdminCount}}).` | Occurs if the total count of your Built-in Admins, Domain Admins, and Enterprise Admins on your self-managed AD is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. | 
| Privileged User Count Test | `testPrivilegedUserCount` | `BUILTIN_ADMIN_COUNT_EXCEEDED` | `Number of Built-in Admins ({{baCount}}) exceeded allowance of ({{allowedAdminCount}}).` | Occurs if the total count of your Built-in Admins, Domain Admins, and Enterprise Admins on your self-managed AD is greater than 5. | Your self-managed AD environment should not have multiple privileged accounts. You should remove excessive admin accounts before continuing. | 
| NTLM Test | `testNTLM` | `INSECURE_SETTING_NTLM` | `NTLMv1 is enabled.` | Occurs if NTLMv1 is enabled for authentication on your self-managed AD. | NT LAN Manager version 1 (NTLMv1) has known security vulnerabilities and should not be used. Disable NTLMv1 on your self-managed AD. For more information, see [Microsoft documentation](https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73). | 
| Tombstone Lifetime Test | `testTombstoneLifetime` | `TOMBSTONE_LIFETIME_ABOVE_LIMIT` | `Tombstone Lifetime is too long. DC Tombstone Lifetime is {{TombstoneLifeTime}}, AWS suggested number is {{TombstoneMaximum}} days.` | Occurs if the Tombstone lifetime on your self-managed AD is more than 180 days. | The Tombstone lifetime is the number of days before a deleted object is removed from AD. The Tombstone lifetime value for your self-managed AD should be 180 days or less. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1887de08-2a9e-4694-95e2-898cde411180). | 
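
The following script is an added example, not part of the original page and not the logic the assessment runs: a local pre-check, run on a self-managed domain controller, for five of the warnings in the table above. The registry paths, the `LmCompatibilityLevel` bar of 5, the 60-day and level-3 defaults for unset values, and the use of `w32tm` are assumptions of this example; the 180-day limit and the `169.254.169.123` time source come from the table.

```powershell
# Added example, not the assessment's own logic. Run elevated on a domain controller.
# Registry paths are the standard Windows locations (assumed; the page does not list them).
Import-Module ActiveDirectory

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$svc      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = [System.Collections.Generic.List[string]]::new()

# SERVER_LEVEL_PLUGIN_DLL_IS_SET: the DNS service must not be configured to load a plugin DLL.
if (Get-RegValue "$svc\DNS\Parameters" 'ServerLevelPluginDll') {
    $findings.Add('SERVER_LEVEL_PLUGIN_DLL_IS_SET')
}

# NT4_CRYPTO_NOT_ALLOWED: Netlogon must not accept NT4-era cryptography.
if ((Get-RegValue "$svc\Netlogon\Parameters" 'AllowNt4Crypto') -eq 1) {
    $findings.Add('NT4_CRYPTO_NOT_ALLOWED')
}

# INSECURE_SETTING_NTLM: a DC refuses LM and NTLMv1 only at LmCompatibilityLevel 5.
# An absent value means the OS default (3). Using 5 as the bar is this example's assumption.
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($null -eq $lm) { $lm = 3 }
if ($lm -lt 5) { $findings.Add("INSECURE_SETTING_NTLM (LmCompatibilityLevel=$lm)") }

# TOMBSTONE_LIFETIME_ABOVE_LIMIT: an unset attribute means the 60-day default.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl      = (Get-ADObject $dsDn -Properties tombstoneLifetime).tombstoneLifetime
if ($null -eq $tsl) { $tsl = 60 }
if ($tsl -gt 180) { $findings.Add("TOMBSTONE_LIFETIME_ABOVE_LIMIT ($tsl days)") }

# DC_BAD_TIMESOURCE: the PDC emulator syncs from 169.254.169.123, other DCs from the PDC.
$dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
$isPdc  = $dc.OperationMasterRoles -contains 'PDCEmulator'
$expect = if ($isPdc) { '169.254.169.123' } else { (Get-ADDomain).PDCEmulator }
$source = (w32tm /query /source | Out-String).Trim()
if ($source -notlike "*$expect*") { $findings.Add("DC_BAD_TIMESOURCE (source: $source)") }

if ($findings.Count) { $findings } else { 'No warnings found by this local check.' }
```

Run it on each domain controller you plan to provide when you create the hybrid directory, because the registry and time-source settings are per machine.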