Domain Controller Health Check Guide

Domain Controllers are the most crucial part of every AD infrastructure, and it is best practice to run health checks and diagnostics on them regularly to confirm their health and functionality.

Today we’re going to take a deep dive into performing Domain Controller Health Checks & Best Practices.


The DCDiag tool is a Microsoft command-line utility that can be used to check the health of Active Directory domain controllers.

It is also used to diagnose DNS servers, AD replication, and other critical domain services within your Active Directory infrastructure.

These tests give you a brief overview of the overall health of your Active Directory Domain Controller.

This utility also allows you to check the health of all Domain Controllers in one run.

With this utility, you can perform up to 30 different tests of your Active Directory Domain Controller to check its health status and other major issues that could be happening without you even knowing!

Some of the tests performed by the DCDiag utility are shown below:

  • Connectivity
    Verify DNS registration for each domain controller and verify LDAP and RPC connections to each domain controller.
  • Advertising
    Checks whether the domain controller is correctly advertising itself.
  • CheckSDRefDom
    Checks that all application directory partitions have appropriate security descriptor reference domains.
  • CrossRefValidation
    Checks the validity of cross-references for domains.
  • FRSEvent
    Checks for errors in the File Replication Service.
  • FSMOCheck
    Checks the connectivity between the domain controller and KDC, PDC and a global catalog server.
  • MachineAccount
    Checks the registration status of the machine account.
  • NetLogons
    Checks that the appropriate logon permissions are in place to allow replication to proceed.
  • Replications
    Checks the replication status and errors between domain controllers.
  • RidManager
    Checks whether the RID manager is accessible or not.

In this guide, we will show you how to check the health of your Active Directory Domain Controller with DCDiag utility.

Install DCDiag

If you are running a modern Windows Server version (2019/2016/2012 R2) and have the AD DS and RSAT roles installed, then you already have DCDiag installed.

In previous versions of Windows Server, you need to download and install the DCDiag utility from the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=31063

On client OS versions (Windows 10/8.1/7), you will need to install the RSAT tools and then install the DCDiag utility manually from the Support Tools package.

Basic Syntax of DCDiag

The basic syntax of the DCDiag utility is shown below:

dcdiag.exe /s:Domain-Controller [OPTIONS]

A brief explanation of each option is shown below:

  • /s:Domain-Controller
    Used to perform tests against the remote Domain Controller.
  • /u:domain\username
    Specifies the domain\username credentials used to bind to the remote Domain Controller.
  • /p:password
    Specifies the password for the user given with /u.
  • /a
    Perform tests against all domain controllers.
  • /q
    Display only error messages after testing the domain controller.
  • /v
    Display detailed information about each test.
  • /f
    Save the test result to a specified file.
  • /test:testname
    Used to perform only specific tests.
  • /skip:testname
    Used to skip the specific DCDiag test.

DCDiag is a command-line tool, so you can run it from a Command Prompt or PowerShell window as an administrative user.

You can display the help information about the DCDiag utility using the following command:

dcdiag.exe /h

You should see the following output:

Directory Server Diagnosis

dcdiag.exe /s:<Domain Controller>[:<LDAP Port>] [/u:<Domain>\<Username> /p:*|<Password>|""]
           [/hqv] [/n:<Naming Context>] [/f:<Log>] [/x:XMLLog.xml]
           [/skip:<Test>] [/test:<Test>]
   /h: Display this help screen

   /s: Use <Domain Controller> as Home Server. Ignored for DcPromo and
       RegisterInDns tests which can only be run locally.
   /n: Use <Naming Context> as the Naming Context to test
       Domains may be specified in Netbios, DNS or DN form.
   /u: Use domain\username credentials for binding.
       Must also use the /p option
   /p: Use <Password> as the password. Must also use the /u option
   /a: Test all the servers in this site
   /e: Test all the servers in the entire enterprise. Overrides /a
   /q: Quiet - Only print error messages
   /v: Verbose - Print extended information
   /i: ignore - ignores superfluous error messages.
   /c: Comprehensive, runs all tests, including non-default tests but excluding
       DcPromo and RegisterInDNS. Can use with /skip
   /fix: fix - Make safe repairs.
   /f: Redirect all output to a file seperately
   /x: Redirect xml output to <XMLLog.xml>. Currently works with /test:dns option only
   /xsl: Adds the processing instructions that references specified stylesheet. Works with /test:dns /x:<XMLLog.xml> option only

   /test:<TestName> - Test only this test. Required tests will still
       be run. Do not mix with /skip.
   /skip:<TestName> - Skip the named test. Required tests will still
       be run. Do not mix with /test.

Run DCDiag on a Local Domain Controller

To perform the Domain Controller test on your local system, run the DCDiag utility without any argument:

dcdiag.exe

You should see the following screen:

[Screenshot: dcdiag Domain Controller test on your local system]

Run DCDiag on a Remote Server

If you want to check the health of a remote domain controller, run the DCDiag utility by specifying your remote domain controller name, administrator username and password as shown below:

dcdiag.exe /s:webserveradc.com /u:webserveradc.com\Administrator /p:password

You should see the test results in the following screen:

[Screenshot: check the health of a remote domain controller]

Run DCDiag with Verbose Output

You can run the DCDiag utility with /v switch to display the results with more information.

dcdiag.exe /s:webserveradc.com /v

You should see the following screen:

[Screenshot: DCDiag with verbose output]

Run DCDiag and Save the Result to a File

If you want to save the test results in a file then you can use /f switch with DCDiag command as shown below:

dcdiag.exe /s:webserveradc.com /f:c:\dcdiag.txt

This command will perform the tests and save the results in the file c:\dcdiag.txt (or whatever file name you specify).

You can open this file as shown below:

[Screenshot: DCDiag results saved to a file]

Run DCDiag to Test DNS

You can also test your DNS using the /test:dns switch as shown below:

dcdiag.exe /s:webserveradc.com /test:dns

You should see the results in the following screen:

[Screenshot: DCDiag DNS test]

Run DCDiag Against all Domain Controllers

If you have multiple domain controllers in your environment and want to perform tests against all domain controllers, then you can use /a switch with the DCDiag utility:

dcdiag.exe /s:webserveradc.com /a

Run DCDiag to Display Only Error Messages

If you want to remove the additional information from the test results and only want to display errors, you can use /q switch as shown below:

dcdiag.exe /s:webserveradc.com /q

If any errors are reported by the above command, you can have DCDiag attempt safe repairs with the /fix switch:

dcdiag.exe /s:webserveradc.com /fix
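The three sections above (saving results to a file, testing every domain controller, and showing only errors) are what a scheduled health check combines. The following PowerShell script is an added example, not part of the original guide: it enumerates the domain controllers with the ActiveDirectory module, runs a chosen set of DCDiag tests against each one, saves the raw output per DC, parses the "passed test"/"failed test" lines into objects, and exits non-zero when anything failed so a scheduled task or monitoring job can flag it. The report directory C:\DCHealth, the test list and the regular expression are assumptions of this example; it relies on dcdiag.exe and RSAT being installed and on running from an elevated session whose own credentials can bind to each DC.

```powershell
# Added example (not from the original guide): scripted DCDiag health check.
# Assumes: RSAT ActiveDirectory module and dcdiag.exe present, elevated session,
# English-language dcdiag output (the pass/fail regex below matches English text).
param(
    [string]$ReportDir = 'C:\DCHealth',   # assumed output location
    [string[]]$Tests = @('Connectivity', 'Advertising', 'Replications',
                         'NetLogons', 'FSMOCheck', 'RidManager', 'DNS')
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Build one /test: switch per requested test; dcdiag accepts several of them.
$testSwitches = $Tests | ForEach-Object { "/test:$_" }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $log = Join-Path $ReportDir "$($dc.HostName)-$stamp.txt"

    # Capture stdout ourselves instead of using /f so the same text can be
    # both saved and parsed. No /u or /p: the session's own identity binds,
    # so no password lands in command history or the task definition.
    $out = & dcdiag.exe "/s:$($dc.HostName)" @testSwitches 2>&1 |
           ForEach-Object { [string]$_ }
    $out | Set-Content -Path $log

    # Lines of interest look like:
    #   ......................... DC01 passed test Connectivity
    #   ......................... DC01 failed test Replications
    foreach ($line in $out) {
        if ($line -match '^\s*\.+\s+(?<dc>\S+)\s+(?<status>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                DC     = $Matches.dc
                Test   = $Matches.test
                Status = $Matches.status
                Log    = $log
            }
        }
    }
}

$results | Sort-Object DC, Test | Format-Table DC, Test, Status -AutoSize

$failed = @($results | Where-Object { $_.Status -eq 'failed' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} failed test(s); see the per-DC logs in {1}" -f $failed.Count, $ReportDir)
    $failed | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.DC, $_.Test) }
    exit 1
}
Write-Host "All DCDiag tests passed on $(@($results | Select-Object -Unique DC).Count) domain controller(s)."
exit 0
```

The script deliberately does not append /fix to the run; review the per-DC log for a failed test before deciding whether a repair is appropriate. If you must test a DC with different credentials than the session's, the help output shown earlier accepts /p:* to prompt for the password interactively instead of placing it on the command line.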

Run DCDiag to Perform Specific Test

The DCDiag utility also allows you to perform only specific tests by specifying its name.

For example, to perform only NetLogons test, you’ll run the following command:

dcdiag.exe /s:webserveradc.com /test:NetLogons

You should see the following screen:

[Screenshot: DCDiag performing a specific test]

You can also exclude a specific test from the checklist using the /skip switch.

For example, to exclude the Replications test from the run, use the following command:

dcdiag.exe /s:webserveradc.com /skip:Replications

You should see the following screen:

[Screenshot: excluding a specific test from DCDiag]

Conclusion

Congratulations! You have successfully tested your Domain Controller with all available options of the DCDiag utility.

We hope you now have enough understanding and knowledge of how to troubleshoot Domain Controller related issues with the DCDiag utility.