Domain Controllers are the most crucial part of every AD infrastructure, and it is best practice to run health checks and diagnostics on them regularly to confirm their health and functionality.
Today we’re going to take a deep dive into performing Domain Controller Health Checks & Best Practices.
The DCDiag tool is a Microsoft command-line utility that can be used to check the health of Active Directory domain controllers.
It is also used to diagnose DNS servers, AD replication, and other critical domain services within your Active Directory infrastructure.
These tests give you a brief overview of the overall health of your Active Directory Domain Controller.
This utility also allows you to check the health of all domain controllers at once.
With this utility, you can perform up to 30 different tests on your Active Directory Domain Controller to check its health status and surface major issues that could be happening without you even knowing!
Some of the tests performed by the DCDiag utility are shown below:
- Connectivity
Verifies DNS registration for each domain controller and verifies that LDAP and RPC connections to each domain controller succeed.
- Advertising
Checks whether the domain controller is advertising itself correctly.
- CheckSDRefDom
Checks that all application directory partitions have appropriate security descriptor reference domains.
- CrossRefValidation
Checks the validity of cross-references for domains.
- FRSEvent
Checks for errors in the File Replication Service.
- FSMOCheck
Checks the connectivity between the domain controller and the KDC, the PDC and a global catalog server.
- MachineAccount
Checks the registration status of the machine account.
- NetLogons
Checks that the appropriate logon permissions exist to allow replication to proceed.
- Replications
Checks the replication status and errors between domain controllers.
- RidManager
Checks whether the RID manager is accessible or not.
In this guide, we will show you how to check the health of your Active Directory Domain Controller with DCDiag utility.
Install DCDiag
If you are running a modern Windows Server version (2019/2016/2012 R2) and have the AD DS and RSAT roles installed, then you already have DCDiag installed.
On previous versions of Windows Server, you need to download and install the DCDiag utility from the following link:
https://www.microsoft.com/en-us/download/details.aspx?id=31063
On client OS versions (Windows 10/8.1/7), you will need to install the RSAT tools and then install the DCDiag utility manually from the Support Tools package.
Basic Syntax of DCDiag
The basic syntax of the DCDiag utility is shown below:
dcdiag.exe /s:Domain-Controller [OPTIONS]
A brief explanation of each option is shown below:
- /s:Domain-Controller
Performs the tests against the specified remote Domain Controller.
- /u:domain\username
Specifies the domain\username credentials used to bind to the remote Domain Controller.
- /p:password
Specifies the password for the account given with /u.
- /a
Performs the tests against all domain controllers in the site.
- /q
Quiet mode: displays only error messages after testing the domain controller.
- /v
Displays detailed information for each test.
- /f
Saves the test results to the specified file.
- /test:testname
Performs only the named test.
- /skip:testname
Skips the named DCDiag test.
DCDiag is a command-line tool, so you can run it from a Command Prompt or PowerShell window as an administrative user.
You can display the help information about the DCDiag utility using the following command:
dcdiag.exe /h
You should see the following output:
Directory Server Diagnosis

dcdiag.exe /s:<Domain Controller>[:<LDAP Port>] [/u:<Domain>\<Username> /p:*|<Password>|""]
    [/hqv] [/n:<Naming Context>] [/f:<Log>] [/x:XMLLog.xml]
    [/skip:<Test>] [/test:<Test>]
  /h: Display this help screen
  /s: Use <Domain Controller> as Home Server. Ignored for DcPromo and
      RegisterInDns tests which can only be run locally.
  /n: Use <Naming Context> as the Naming Context to test
      Domains may be specified in Netbios, DNS or DN form.
  /u: Use domain\username credentials for binding.
      Must also use the /p option
  /p: Use <Password> as the password. Must also use the /u option
  /a: Test all the servers in this site
  /e: Test all the servers in the entire enterprise. Overrides /a
  /q: Quiet - Only print error messages
  /v: Verbose - Print extended information
  /i: ignore - ignores superfluous error messages.
  /c: Comprehensive, runs all tests, including non-default tests but excluding
      DcPromo and RegisterInDNS. Can use with /skip
  /fix: fix - Make safe repairs.
  /f: Redirect all output to a file seperately
  /x: Redirect xml output to <XMLLog.xml>. Currently works with /test:dns option only
  /xsl: Adds the processing instructions that references specified stylesheet. Works with /test:dns /x:<XMLLog.xml> option only
  /test:<TestName> - Test only this test. Required tests will still
      be run. Do not mix with /skip.
  /skip:<TestName> - Skip the named test. Required tests will still
      be run. Do not mix with /test.
Run DCDiag on a Local Domain Controller
To test the domain controller you are logged on to, run the DCDiag utility without any arguments:
dcdiag.exe
You should see the following screen:
Run DCDiag on a Remote Server
If you want to check the health of a remote domain controller, run the DCDiag utility specifying the remote domain controller name, an administrator username and the password, as shown below:
dcdiag.exe /s:webserveradc.com /u:webserveradc.com\Administrator /p:password
You should see the test results in the following screen:
Run DCDiag with Verbose Output
You can run the DCDiag utility with /v switch to display the results with more information.
dcdiag.exe /s:webserveradc.com /v
You should see the following screen:
Run DCDiag and Save the Result to a File
If you want to save the test results to a file, use the /f switch with the DCDiag command as shown below:
dcdiag.exe /s:webserveradc.com /f:c:\dcdiag.txt
This command runs the tests and saves the results to the file dcdiag.txt, or whatever name you give it.
You can open this file as shown below:
Run DCDiag to Test DNS
You can also test your DNS using the /test:dns switch as shown below:
dcdiag.exe /s:webserveradc.com /test:dns
You should see the results in the following screen:
Run DCDiag Against all Domain Controllers
If you have multiple domain controllers in your environment and want to test all of them, use the /a switch with the DCDiag utility to test every domain controller in the site (the help output above lists /e for the entire enterprise):
dcdiag.exe /s:webserveradc.com /a
Run DCDiag to Display Only Error Messages
If you want to remove the additional information from the test results and only want to display errors, you can use /q switch as shown below:
dcdiag.exe /s:webserveradc.com /q
If the command above reports errors, you can ask DCDiag to attempt safe repairs with the /fix switch:
dcdiag.exe /s:webserveradc.com /fix
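To turn the /q, /test:dns and save-to-file steps above into a repeatable health check, here is an added PowerShell example (not from the original post) that runs DCDiag against every domain controller returned by Get-ADDomainController, parses the "failed test" status lines and writes a per-DC summary. The log directory C:\DCDiag, the regex and the summary object layout are assumptions; it needs the ActiveDirectory RSAT module and an account allowed to run DCDiag remotely.

```powershell
# Added example, not from the original post: run DCDiag /q against every DC,
# collect the "failed test" lines and build a per-DC summary.
# Assumptions: the ActiveDirectory RSAT module is installed, the session runs
# with sufficient (Domain Admin) rights, and C:\DCDiag is a writable directory.
Import-Module ActiveDirectory

$logDir = 'C:\DCDiag'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# dcdiag prints one status line per test, for example:
#   ......................... DC01 failed test Replications
$failedPattern = 'failed test (?<Test>\S+)'

$summary = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $log  = Join-Path $logDir "$name.txt"

    # /q keeps only error output; capture it instead of using /f so the same
    # run can be parsed here and kept on disk for later review.
    $output = & dcdiag.exe "/s:$name" /q 2>&1 | ForEach-Object { "$_" }
    $output | Set-Content -Path $log

    # The DNS test is not in the default set, so run it separately.
    $dnsOutput = & dcdiag.exe "/s:$name" /test:dns /q 2>&1 | ForEach-Object { "$_" }
    $dnsOutput | Add-Content -Path $log

    $failed = @(($output + $dnsOutput) |
        Select-String -Pattern $failedPattern |
        ForEach-Object { $_.Matches[0].Groups['Test'].Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        DomainController = $name
        Site             = $dc.Site
        FailedTests      = ($failed -join ', ')
        Status           = if ($failed.Count -eq 0) { 'Healthy' } else { 'Needs attention' }
        Log              = $log
    }
}

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $logDir 'summary.csv') -NoTypeInformation

# Non-zero exit code so a scheduled task or monitoring job can alert on failures.
if ($summary | Where-Object Status -ne 'Healthy') { exit 1 }
```

Review the per-DC log named in the Log column before running /fix, since /q hides the passing tests and the surrounding context of each error.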
Run DCDiag to Perform Specific Test
The DCDiag utility also allows you to perform only specific tests by specifying their names.
For example, to perform only the NetLogons test, run the following command:
dcdiag.exe /s:webserveradc.com /test:NetLogons
You should see the following screen:
You can also exclude a specific test from the checklist using the /skip switch.
For example, to exclude the Replications test from the test run, use the following command:
dcdiag.exe /s:webserveradc.com /skip:Replications
You should see the following screen:
Conclusion
Congratulations! You have successfully tested your Domain Controller with all the available options of the DCDiag utility.
We hope you now have enough understanding and knowledge of how to troubleshoot Domain Controller related issues with the DCDiag utility.