Domain Controller Health Check

Active Directory is coordinated by domain controllers. These controllers are essential to the smooth running of your AD implementations. Therefore, it is important to know how to check on their statuses.

A health check for Active Directory domain controllers can be performed with native Microsoft tools that cost nothing. However, there are some skills you need to acquire in order to carry out the check. We will show you how.

Repadmin

The first tool that you need in order to check up on your domain controllers is called repadmin. This is a command that is built into Windows Server, so you don’t need to download or install any software in order to use it.

All of the domains in a forest need to be coordinated through replication. The repadmin utility lets you check on how that process is faring through a summary report, which is available with the command repadmin /replsummary.

In the output of the summary, you can see whether all of your domain controllers are replicating properly. The largest replication delta is the longest gap between successful replications for that domain controller. The output also shows whether any replication attempts failed.

You can get more detail of the replication activity of each domain controller with the command repadmin /showrepl. To limit the output to just one domain controller, put its name at the end of the showrepl option, such as repadmin /showrepl DC1. The showrepl option displays the neighbors (replication partners) from which the domain controller receives updates.

You can home in on the replication errors, if any were reported in the summary output, by adding the /errorsonly option, e.g. repadmin /showrepl /errorsonly.

If one of your domain controllers is out of date, you can force an immediate replication run with the repadmin /syncall option, naming the domain controller that needs to be updated in the command. This command should be run on a server that hosts the AD domain. For example, to update domain controller DC2 immediately, you would use repadmin /syncall dc2. There is a long list of options that can be added to the end of this command. To see them all, enter repadmin /syncall /?.

To see the full list of repadmin commands, type repadmin /?.
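As an added example (not code from the original article), the following PowerShell script feeds the CSV form of repadmin /showrepl (the /csv switch is a real repadmin option not mentioned above) through ConvertFrom-Csv and flags every replication link that has recorded failures or whose last success is stale. The 12-hour threshold is an assumption chosen to match the Replications test in dcdiag.

```powershell
# Added example, not part of the original article: parse "repadmin /showrepl * /csv"
# and report replication links that have failed or have not succeeded recently.
# Assumes repadmin.exe is available (AD DS role or RSAT) and the account can query every DC.
param(
    [int]$StaleHours = 12    # assumed threshold; dcdiag's Replications test also uses 12 h
)

# Column names below are the ones repadmin writes in its CSV header.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
if (-not $rows) { Write-Error 'repadmin returned no rows; check the tool and your rights'; exit 2 }

$report = foreach ($r in $rows) {
    $lastSuccess = $null
    try { if ($r.'Last Success Time' -ne '0') { $lastSuccess = [datetime]$r.'Last Success Time' } }
    catch { $lastSuccess = $null }   # never replicated, or an unparseable timestamp

    $ageHours = $null
    if ($lastSuccess) { $ageHours = ((Get-Date) - $lastSuccess).TotalHours }

    [pscustomobject]@{
        Destination   = $r.'Destination DSA'
        Source        = $r.'Source DSA'
        NamingContext = $r.'Naming Context'
        Failures      = [int]$r.'Number of Failures'
        LastStatus    = $r.'Last Failure Status'      # Win32 error code; 0 means no failure recorded
        LastSuccess   = $lastSuccess
        Stale         = ($null -eq $ageHours) -or ($ageHours -gt $StaleHours)
    }
}

# Any link with a failure count, or whose last success is older than the threshold, needs a look
$problems = $report | Where-Object { $_.Failures -gt 0 -or $_.Stale }
if ($problems) {
    $problems | Sort-Object Destination, Source | Format-Table -AutoSize
    exit 1    # non-zero exit so a scheduled task or monitoring job registers the failure
}
Write-Host "All $(@($report).Count) replication links healthy: no failures, none older than $StaleHours h"
```

Because the exit code is non-zero whenever a problem link is found, the script can be scheduled and its result fed to whatever alerting you already use.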

Services-check in PowerShell

Open PowerShell to check that the services Active Directory Domain Services depends on are running properly. These are the six services to look at:

  • DNS server
  • DFS replication
  • Intersite messaging
  • Kerberos key distribution
  • Active Directory Domain Services
  • NetLogon

To check that these six services are all running, use the following two lines:

$Services = 'DNS','DFSR','IsmServ','Kdc','NTDS','Netlogon'   # short service names: DNS Server, DFS Replication, Intersite Messaging, Kerberos Key Distribution Center, Active Directory Domain Services, Netlogon
Get-Service -Name $Services | Select-Object Name, DisplayName, Status

Although this is a complicated request to write, the output is very straightforward: you should get a report showing that each of these services is Running. Any service reported as Stopped needs attention before the domain controller can be considered healthy.
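The same check extended to every domain controller in the domain, as an added example rather than code from the article. It assumes the ActiveDirectory PowerShell module (part of RSAT) on the machine you run it from and PowerShell remoting enabled on each DC.

```powershell
# Added example, not from the original article: check the six services on every DC.
# Assumes the ActiveDirectory module (RSAT) locally and PowerShell remoting enabled on the DCs.
Import-Module ActiveDirectory

# Short service names (what Get-Service -Name matches); display names in the comments
$ServiceNames = @(
    'DNS',       # DNS Server
    'DFSR',      # DFS Replication
    'IsmServ',   # Intersite Messaging
    'Kdc',       # Kerberos Key Distribution Center
    'NTDS',      # Active Directory Domain Services
    'Netlogon'   # Netlogon
)

$dcs = @((Get-ADDomainController -Filter *).HostName | Sort-Object)

$results = foreach ($dc in $dcs) {
    try {
        # Query remotely; -ErrorAction Stop turns an unreachable DC into a catchable error
        $found = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            Get-Service -Name $using:ServiceNames -ErrorAction SilentlyContinue
        }
        foreach ($name in $ServiceNames) {
            $svc = $found | Where-Object Name -eq $name
            [pscustomobject]@{
                DC      = $dc
                Service = $name
                Status  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            }
        }
    }
    catch {
        [pscustomobject]@{ DC = $dc; Service = '*'; Status = "Unreachable: $($_.Exception.Message)" }
    }
}

# Everything that is not Running is the exception list an operator actually wants to see
$notRunning = $results | Where-Object Status -ne 'Running'
if ($notRunning) { $notRunning | Format-Table -AutoSize } else { Write-Host "All services Running on $($dcs.Count) DCs" }
```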

DCDiag (dcdiag.exe)

A key tool that you need in order to keep tabs on your AD domain controllers is called DCDiag, or dcdiag.exe. This also covers issues around replication. As well as this, it can check on DNS servers and other essential services. The command is bundled with the Remote Server Administration Tools (RSAT) and it is also included with the AD DS role.

DCDiag is able to run 30 different tests on your Active Directory domain controllers and their supporting services. Among these tests are:

  • Initial tests to verify the availability of key services and to ensure that they are contactable. These tests must be performed before all others and they can’t be left out. They check on the DNS server, that the domain controller can be contacted over the network, that the domain controller allows binding to an LDAP instance, and to the AD RPC interface.
  • Advertising tests that check on the ability of other devices to locate the domain controller, which means that the controller is correctly notifying all other devices of its presence. The details of the response to this test are important – not just that there is a response – because it includes flags that indicate which services the domain controller can locate. These services are an LDAP server, the Write or Read-Only status, the time server, whether the DC is a global catalog and whether it is ready to respond, and the Key Distribution Center (KDC).
  • Cross-reference objects test to see if the application partition’s cross-reference objects have the correct domain name.
  • Cross-reference validation gets the naming contexts in the DC and checks them.
  • Security services check to test that there is at least one reachable KDC per domain, that the Knowledge Consistency Checker (KCC) is working, that the GC’s computer object has replicated to other domain controllers, that it also has an account within the Active Directory setup that marks it as a domain controller and has the correct flags set. It also checks on the likelihood of fragmentation of Kerberos packets.
  • DC connectivity tests examine whether all domain controllers can communicate with their partner DCs.
  • File Replication Service tests look in the Event log for any errors or warnings related to the FRS that occurred over the last 24 hours. This applies to Windows Server versions before 2008.
  • Distributed File Service Replication tests examine DFSR Event log warnings over the last 24 hours to verify that the replication system is working correctly. This is for Windows Server 2008 and later.
  • Registry key validation is carried out to ensure that the domain controller’s Netlogon SysvolReady value in the registry is properly set. This test contributes to the FRS and DFSR tests that are outlined above.
  • Account validation makes sure that the user accounts that require access to the domain controller’s NetLogon and Sysvol values in order to function can actually get access. Other account-related tests include a verification that the account of the domain controller can access Active Directory and that it is marked as a Domain Controller account, that all flags on the account are correct and that it has the correct server reference. These account tests also offer repair options in the commands that run the checks.
  • Object replication verification checks a small number of objects and attributes on several domain controllers to ensure that they have been replicated. The test will also show the last update date and time of each value on each instance. Note that this replication is for the data within the domain controller.
  • Replication checks return data on recent replication attempts, showing statuses and times of each event. It particularly focuses on whether any replication took more than 12 hours and whether any domain controller has replication disabled.
  • RID Master tests see whether the RID Master role holder can be located and contacted and has valid RID pool values.
  • Services tests look at the statuses of all vital services for AD, such as DNS, FRS/DFSR, and KDC.
  • Event log tests ensure that Windows Event logs related to Active Directory are being preserved. These print all related log messages from the last 60 minutes.
  • Replication topology checks look at whether inter and intra-site replication is possible for a specific domain controller by exploring the settings of all upstream and downstream replication partners.

It is possible to see all of the test categories available in dcdiag.exe by issuing the command dcdiag /h.

How to run DCDiag tests

The dcdiag.exe program makes operating tests very easy. You don’t need to issue a command for each test. Instead, one short dcdiag.exe request launches a group of tests. Some guides tell you that you have to name the dcdiag program in full in order to run it, typing dcdiag.exe. However, this is not necessary – typing dcdiag is enough.

There are two formats for running the command, depending on whether you want to query the domain controller that is resident on the host on which you run the command or a DC that is hosted on a remote server. If you want to test a remote domain controller, you put its name immediately after the command with the /s: switch; if you are examining the local domain controller, you omit that switch.

It is also possible to specify a username and password for a remote domain controller account. The switch for the account name is /u: (dcdiag’s own help lists it as /u:<domain>\<username>) and the switch for the password is /p:. So, an example of a command to test a remote domain controller could be:

dcdiag /s:DC01 /u:Administrator /p:ComPlex1PssWd7

Bear in mind that a password typed on the command line is visible in the process list and is retained in the shell history, so prefer running the check from a session that is already signed in with suitable rights.

To run tests on a local domain controller, you would just need to type in

dcdiag

The good news is that this one command runs a battery of tests. You can also run the individual tests by name, as described below.

DCDiag options

DCDiag options go after the command and an optional identifier for a remote domain controller. You can get a list of them by entering dcdiag /? or dcdiag /h. Here is the list:

  • /a Test all domain controllers on this site.
  • /e Test all domain controllers for this enterprise.
  • /q Quiet mode. Only show error messages.
  • /v Verbose mode. Display detailed information on each test.
  • /c Comprehensive mode. Run all tests except DCPromo, RegisterInDNS, Topology, CutoffServers, and OutboundSecureChannels.
  • /i Ignore superfluous error messages.
  • /fix Fix the Service Principal Name (only for the MachineAccount test).
  • /f:<filename> Send all output to the named file.
  • /test:<testname> Perform only the named test.
  • /skip:<testname> Skip the named test from the series.
  • /ReplSource:<SourceDomainController> Test the relationship between the subject DC and the named DC.

It isn’t necessary to add any options to the command; DCDiag can be run alone, without any further keywords, just the command name itself.

Running specific tests with DCDiag (dcdiag.exe)

The straightforward dcdiag command runs a battery of tests. It is possible to just run one of these tests or a category of tests. For example, DNS-related tests are all grouped under the test name DNS. To run these tests on a local server, you just need to enter:

dcdiag /test:DNS

This command will run a suite of tests:

  • DnsBasic Basic tests, such as connectivity, DNS client configuration, service availability, and zone existence.
  • DnsForwarders Checks the configuration of forwarders plus the DnsBasic tests.
  • DnsDelegation Checks for proper delegations plus the DnsBasic tests.
  • DnsDynamicUpdate Checks whether a dynamic update is enabled in the Active Directory zone plus the DnsBasic tests.
  • DnsRecordRegistration Checks if the address (A), canonical name (CNAME), and well-known service (SRV) resource records are registered, creating an inventory report. Also performs the DnsBasic tests.
  • DnsResolveExtName [/DnsInternetName:<InternetName>] Tests the DNS records by resolving Microsoft.com. If the optional DnsInternetName is specified, that name is resolved instead. Also runs the DnsBasic tests.
  • DnsAll Performs all tests, except for DnsResolveExtName.

As well as running a group of tests, the /test option can launch individual tests. So, in the DNS option above, the user could also choose to just run the DnsBasic package with the command:

dcdiag /test:DnsBasic

DCDiag (dcdiag.exe) is a very useful tool, but be aware that some tests can take a long time to run. Especially if you use the /e option to test the entire enterprise, don’t expect to see a report straight away. Those administering the system for a large company with many inter-connected sites that share an AD structure should launch the command and then go to lunch while waiting for a response.
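Long dcdiag runs are easier to act on when the summary lines are turned into objects. The following PowerShell function is an added example, not code from the article: it runs the chosen tests against one or more DCs and parses the "passed test"/"failed test" lines that dcdiag prints for each test. The DC names DC01 and DC02 are placeholders, and dcdiag.exe is assumed to be on the PATH.

```powershell
# Added example, not from the original article: run dcdiag for chosen tests on one or
# more DCs and turn its summary lines into objects. Assumes dcdiag.exe is on the PATH
# and that the caller has rights on the target DCs.
function Invoke-DcDiagReport {
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [string[]]$Test = @()    # e.g. 'DNS','Replications'; empty runs dcdiag's default battery
    )
    foreach ($dc in $DomainController) {
        $dcdiagArgs = @("/s:$dc")
        foreach ($t in $Test) { $dcdiagArgs += "/test:$t" }
        $lines = & dcdiag @dcdiagArgs 2>&1 | ForEach-Object { "$_" }

        # dcdiag ends each test with a line such as
        #   ......................... DC01 passed test Connectivity
        #   ......................... DC01 failed test Replications
        # The subject is not always a DC: site, domain and partition tests name those instead.
        $pattern = '^\s*\.+\s+(?<subject>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
        foreach ($line in $lines) {
            if ($line -match $pattern) {
                [pscustomobject]@{
                    QueriedDC = $dc
                    Subject   = $Matches.subject
                    Test      = $Matches.test
                    Result    = $Matches.result
                }
            }
        }
    }
}

# Run the DNS group plus the Replications test on two DCs (names are placeholders)
$report = Invoke-DcDiagReport -DomainController 'DC01','DC02' -Test 'DNS','Replications'
$report | Sort-Object QueriedDC, Test | Format-Table -AutoSize

$failed = $report | Where-Object Result -eq 'failed'
if ($failed) {
    Write-Warning "$(@($failed).Count) dcdiag test(s) failed; rerun with /v for detail"
    exit 1
}
```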

ManageEngine ADManager Plus (FREE TRIAL) 

Although the native administration screens and PowerShell commands are adequate for Active Directory management, many systems administrators have concluded that it is worth investing in an automated AD administration tool and ManageEngine ADManager Plus is one to consider.

This package installs on Windows Server and it provides automated account management services, such as abandoned account cleanup. It also enables bulk actions, such as upload of accounts or password resets. The package also provides status reports, including compliance reporting formats for GDPR, GLBA, SOX, HIPAA, and PCI DSS.

Task automation assistance in the ManageEngine service includes user onboarding scripts and license management for Office 365. Workflows that include Active Directory can help with user monitoring and insider threat detection. The ManageEngine tool also protects AD domains from unauthorized changes.

ManageEngine ADManager Plus is available in three editions and one of these is Free. The Free edition is limited to managing a domain with 100 objects. You can get a 30-day free trial of the top plan.


SolarWinds Active Directory Monitoring (FREE TRIAL)

As an alternative to ManageEngine ADManager Plus, you could examine SolarWinds Admin Bundle for Active Directory. This is a free service and includes three utilities. These are:

  • Inactive User Account Removal Tool
  • Inactive Computer Removal Tool
  • User Import Tool

These three services are just handy tools to have available if you find the admin screens of Active Directory difficult to use. This bundle installs on Windows Server and you can download it for free.

SolarWinds provides more comprehensive Active Directory monitoring services in the Server and Application Monitor. This system tracks the performance of many applications and will look after all of your infrastructure, excluding the network. This package will discover all of your applications and work out how they interact with each other. Alongside the application dependency map that it draws up, the package produces capacity forecasts and raises an alert if it identifies potential shortages.

This package runs on Windows Server and you can get it on a 30-day free trial.


Summary

By using Repadmin, a PowerShell services check, and DCDiag, you can get a very good view of your AD structure. However, despite the usefulness of these free utilities, you will still be relying on manual methods to maintain a complicated IT system.

Active Directory is vital for effective system security but it can be difficult to visualize and manage. Consider an automated tool instead. You should check out ManageEngine ADManager Plus and the SolarWinds Active Directory Monitoring tool for some good automated AD management tools.

Domain Controller Health Check FAQs

How do I run a domain controller diagnostic?

For an Active Directory domain controller check, run the dcdiag command in a Command Prompt window with Administrator privileges. Typing the command by itself runs the tests on the local domain controller. You can also examine a remote domain controller by adding the option /s:<DC_name>, where <DC_name> is the domain controller that you want to test.

How can I tell if Active Directory is functioning properly?

Run dcdiag to check on the status of Active Directory. This tool provides 30 tests on domain controllers. You have to run it in a Command Prompt window that has been opened as Administrator.

How do I check global catalog health?

Check on the status of the global catalog for Active Directory by opening a Command Prompt window as Administrator and running dsquery server -isgc. Another option is to run the command dcdiag /v /c /d /e for a full status report.