How to Check Active Directory Health?

Active Directory is a rather complex IT environment (even if when AD consists of primary domain controllers and one AD site only). It is very important for a sysadmin to have the ability to check Active Directory health quickly and fix the problems. In this article, we’ll take a look at common commands that you can use to check the status of AD, find and fix possible errors.

DCDiag is an important utility to check domain controller health. Log in to any domain controller, open a command prompt as an administrator and run the command:

dcdiag /e /v /q

This command performs a general health test on domain controllers and Active Directory. This report will only list errors that require the attention of a domain administrator.

dcdiag health check

Then you need to check the health of the DNS servers (we run these commands in the PowerShell console):

DCDiag /Test:DNS /e /v /s:dc01.test.com >c:\ps\DcdiagDNStest.txt

Then open the resulting report:

get-content c:\ps\DcdiagDNStest.txt

If there is no problem with the DNS service, PASS should be indicated everywhere in the “Summary of DNS test results” section.

check active directory health

If there are errors in the report, try to fix them manually. If you cannot manually fix DNS errors, try fixing them using the dcdiag command with the fix parameter:

DCDiag /Test:DNS /e /v /s:dc01.test.com /fix

Then on all domain controllers run the command:

ipconfig /registerdns

After checking DCs and DNS, you need to check the health of Active Directory replication. Log in to any DC and check replication with the command:

repadmin /replsum

If the largest delta for any DC is less than 1 hour and replication fails = 0, then there are no replication problems in your domain.

READ ALSO  Active Directory Migration to Windows Server 2016

check ad replication health

Tip. The dcdiag and repadmin utilities are available on any DC with the ADDS role. If you want to use these tools on desktop Windows 10, you need to install RSAT.

If you found replication errors, you can get detailed information about them with the command:

repadmin /showreps

This command will show which naming context is not being replicated in AD.

The following command is used to quickly check replication on a specific DC. If you need to check replication on all DCs, use the wildcard parameter (may take a long time):

repadmin /replsummary [DCname|wildcard]

Check USN records:

repadmin /showutdvec

If you need to force synchronization of a specific domain controller with other replication participants, run the command:

replmon /syncall DC01

Next, be sure to check the time synchronization on the domain controllers with the command:

 w32tm /monitor

NTP offset should be around 0 for all DCs. If not, check the time synchronization in the Active Directory domain.

active directory health

Verify if all domain controllers have SYSVOL and Netlogon folders published as network shares. These folders are needed to apply and replicate Group Policy Objects. The list of shared folders on a DC can be displayed with the command:

net share

ad health check

Now check if Netlogons is working correctly in Active Directory:

dcdiag /test:netlogons

If everything is fine with Netlogon, “passed test” should be specified for all tests.

READ ALSO  Azure AD Password Hash Synchronization (PHS)

check domain health dcdiag

It remains to check if all assigned policies are applied. You can do it on any computer in the domain using the gpresult command.

Cyril Kardashevsky

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.