Active Directory is a fairly complex environment, even when the forest has a single domain, a couple of domain controllers and one AD site. A sysadmin needs to be able to check Active Directory health quickly and fix the problems that turn up. In this article, we look at the common commands you can use to check the status of AD and to find and fix possible errors.
DCDiag is the first utility to reach for when checking domain controller health. Log in to any domain controller, open a command prompt as an administrator and run:
dcdiag /e /v /q
This runs the general health tests on the domain controllers and Active Directory: /e runs them against every DC in the enterprise, /v turns on verbose output and /q prints only errors, so the report lists just the problems that need a domain administrator's attention. No output at all means every test passed.
Then check the health of the DNS servers (we run these commands in a PowerShell console and redirect the output to a file, because the verbose report is long):
DCDiag /Test:DNS /e /v /s:dc01.test.com >c:\ps\DcdiagDNStest.txt
Then open the resulting report (C:\ps\DcdiagDNStest.txt) and find the "Summary of DNS test results" section. If there is no problem with the DNS service, every column (Auth, Basc, Forw, Del, Dyn, RReg, Ext) shows PASS for every DC; a WARN or FAIL entry points at the sub-test (authentication, basic connectivity, forwarders, delegation, dynamic update, record registration, external name resolution) that needs attention.
If there are errors in the report, try to fix them manually first. If you cannot fix the DNS errors manually, you can try the dcdiag command with the /fix parameter, but note that dcdiag's own help describes /fix as affecting only the MachineAccount test (it repairs the DC's service principal names), so do not expect it to rewrite DNS records:
DCDiag /Test:DNS /e /v /s:dc01.test.com /fix
The usual way to re-register a DC's own DNS records is to run ipconfig /registerdns on that DC and restart the Netlogon service, then run the DNS test again.
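The two checks above, scripted end to end, as an added example that is not part of the original article: it runs the general dcdiag test and the DNS test against every DC, saves both reports, and pulls the "Summary of DNS test results" table out of the DNS report so that WARN/FAIL cells are not buried in the verbose output. It assumes an elevated PowerShell session on a DC (or an RSAT workstation) with domain admin rights; the DC name and the C:\ps folder are placeholders taken from the article, and the row-parsing regex assumes the seven-column summary layout shown in the comment.

```powershell
# Added example, not part of the original article. Runs the two dcdiag checks
# described above against every DC and extracts the DNS summary table.
# Assumptions: elevated session on a DC or RSAT workstation, domain admin rights;
# the DC name and report folder are placeholders taken from the article.
param(
    [string]$Dc        = 'dc01.test.com',
    [string]$ReportDir = 'C:\ps'
)

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. General health: /e = every DC in the enterprise, /v = verbose, /q = errors only.
$generalPath = Join-Path $ReportDir 'dcdiag-general.txt'
& dcdiag.exe /e /v /q 2>&1 | ForEach-Object { "$_" } | Set-Content -Path $generalPath
$failed = Select-String -Path $generalPath -Pattern 'failed test'
if ($failed) {
    $failed | ForEach-Object { Write-Warning $_.Line.Trim() }
} else {
    "dcdiag /e /v /q reported no failed tests (full output: $generalPath)"
}

# 2. DNS test. /s: is only the DC to bind to; /e still covers the whole enterprise.
$dnsPath = Join-Path $ReportDir 'DcdiagDNStest.txt'
& dcdiag.exe /Test:DNS /e /v "/s:$Dc" 2>&1 | ForEach-Object { "$_" } | Set-Content -Path $dnsPath

# 3. Parse "Summary of DNS test results". Rows look like
#      dc01      PASS PASS PASS PASS PASS PASS n/a
#    under the header  Auth Basc Forw Del Dyn RReg Ext
function Get-DnsSummaryRows {
    param([string[]]$Lines)
    $inSummary  = $false
    $rowPattern = '^\s+(?<dc>[\w.-]+)\s+(?<cols>(?:(?:PASS|FAIL|WARN|n/a)\s+){6}(?:PASS|FAIL|WARN|n/a))\s*$'
    foreach ($line in $Lines) {
        if ($line -match 'Summary of DNS test results') { $inSummary = $true; continue }
        if ($inSummary -and $line -match $rowPattern) {
            [pscustomobject]@{ DC = $Matches.dc; Results = ($Matches.cols -split '\s+') }
        }
    }
}

$columns = 'Auth', 'Basc', 'Forw', 'Del', 'Dyn', 'RReg', 'Ext'
$rows = Get-DnsSummaryRows -Lines (Get-Content -Path $dnsPath)
if (-not $rows) { Write-Warning "No DNS summary table found in $dnsPath; open the report by hand." }
foreach ($row in $rows) {
    $problems = for ($i = 0; $i -lt $columns.Count; $i++) {
        if ($row.Results[$i] -in 'FAIL', 'WARN') { '{0}={1}' -f $columns[$i], $row.Results[$i] }
    }
    if ($problems) { Write-Warning ('{0}: {1}' -f $row.DC, ($problems -join ', ')) }
    else           { '{0}: all DNS sub-tests PASS' -f $row.DC }
}

# Note: dcdiag's /fix switch affects only the MachineAccount test (it repairs the
# DC's SPNs). To re-register a DC's own DNS records, run "ipconfig /registerdns"
# and restart the Netlogon service on that DC, then re-run this script.
```

Run it as a .ps1 from an elevated prompt (dcdiag must be on the PATH, which it is on any DC or RSAT machine). Each WARN/FAIL is reported with the DC name and the sub-test column, which is the information you need before deciding whether to fix records by hand or re-register them.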
Then on all domain controllers run the command:
After checking DCs and DNS, you need to check the health of Active Directory replication. Log in to any DC and check replication with the command:
Look at the "largest delta" and "fails/total" columns of the output. If the largest delta for every DC is under 1 hour and every fails value is 0, there are no replication problems in your domain. Keep in mind that the delta is the time since the last successful replication with a partner: within a site it should be a few minutes at most, while between sites it depends on the site link schedule (the default inter-site interval is 180 minutes), so a delta above 1 hour for an inter-site partner is not necessarily an error.
Tip. The dcdiag and repadmin utilities are present on any server with the AD DS role. To use them on a Windows 10 workstation, install RSAT (the Active Directory Domain Services and Lightweight Directory Services Tools feature).
If you found replication errors, you can get detailed information about them with the command:
This command will show which naming context is not being replicated in AD.
The following command quickly checks replication for a specific DC. To check all DCs, pass the * wildcard instead of a name (this may take a long time in a large environment):
repadmin /replsummary [DCname|*]
Check USN records:
If you need to force synchronization of a specific domain controller with its replication partners, run the command (repadmin, not the old Replmon GUI tool, is the right utility here):
repadmin /syncall DC01
Adding the /A /e /P switches (usually written as repadmin /syncall DC01 /AdeP) extends this to all naming contexts, across all sites, pushing changes out from DC01. Forcing replication only papers over a problem, so fix the root cause shown by the error text first.
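The replication checks described above, as an added example that is not part of the original article: it turns the text output of repadmin /replsummary * into objects, applies the thresholds from the text (largest delta under 1 hour, zero failures), and for every DC that misses them runs repadmin /showrepl with /errorsonly so you can see which naming context and partner are failing. It assumes an elevated session on a DC or RSAT workstation with domain admin rights; the delta formats in the parser are the ones repadmin prints, and the syncall at the end is an opt-in switch added here.

```powershell
# Added example, not part of the original article. Parses "repadmin /replsummary *",
# applies the thresholds from the text and drills into failing DCs with /showrepl.
# Assumptions: elevated session on a DC or RSAT workstation, domain admin rights.
param([switch]$ForceSync)   # opt-in: push replication from failing DCs after inspection

function ConvertFrom-ReplDelta {
    # repadmin prints deltas as "45s", "12m:34s", "01h:02m:03s", "02d.03h:04m:05s",
    # or ">60 days" / "unknown" when a partner has not replicated for a long time.
    param([string]$Delta)
    if ($Delta -match '^>\s*(\d+)\s*days') { return [TimeSpan]::FromDays([int]$Matches[1]) }
    if ($Delta -match '^(?:(\d+)d\.)?(?:(\d+)h:)?(?:(\d+)m:)?(\d+)s$') {
        $d, $h, $m, $s = 1..4 | ForEach-Object { if ($Matches[$_]) { [int]$Matches[$_] } else { 0 } }
        return New-TimeSpan -Days $d -Hours $h -Minutes $m -Seconds $s
    }
    return $null   # "unknown" or an unrecognised format: treated as a problem below
}

function Get-ReplSummary {
    # Rows under "Source DSA" / "Destination DSA" look like:
    #  DC02                  >60 days       5 /   5  100  (8524) The DSA operation is unable to proceed ...
    param([string[]]$Lines)
    $role = $null
    $rowPattern = '^\s+(?<dc>\S+)\s+(?<delta>>\s*\d+\s*days|unknown|[\d.dhms:]+)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<err>.*)$'
    foreach ($line in $Lines) {
        if ($line -match '^(Source|Destination) DSA') { $role = $Matches[1]; continue }
        if ($role -and $line -match $rowPattern) {
            [pscustomobject]@{
                Role         = $role
                DC           = $Matches.dc
                LargestDelta = ConvertFrom-ReplDelta $Matches.delta
                Fails        = [int]$Matches.fails
                Total        = [int]$Matches.total
                Error        = $Matches.err.Trim()
            }
        }
    }
}

function Test-ReplHealth {
    # Thresholds from the article: no failures and largest delta under 1 hour.
    param([object[]]$Rows, [TimeSpan]$MaxDelta = (New-TimeSpan -Hours 1))
    $Rows | Where-Object { $_.Fails -gt 0 -or $null -eq $_.LargestDelta -or $_.LargestDelta -gt $MaxDelta }
}

$summary = & repadmin.exe /replsummary * 2>&1 | ForEach-Object { "$_" }
$rows = Get-ReplSummary -Lines $summary
$rows | Format-Table Role, DC, LargestDelta, Fails, Total, Error -AutoSize

$problems = @(Test-ReplHealth -Rows $rows)
if ($problems.Count -eq 0) {
    'Replication is healthy: every DC shows 0 failures and a largest delta under 1 hour.'
    return
}
foreach ($dc in ($problems.DC | Sort-Object -Unique)) {
    Write-Warning "$dc has replication problems:"
    $problems | Where-Object DC -eq $dc | ForEach-Object {
        Write-Warning ('  as {0}: delta={1} fails={2}/{3} {4}' -f $_.Role, $_.LargestDelta, $_.Fails, $_.Total, $_.Error)
    }
    # /showrepl lists each naming context and partner with the last result;
    # /errorsonly keeps just the failing ones, i.e. which partition is not replicating.
    & repadmin.exe /showrepl $dc /errorsonly
    if ($ForceSync) {
        # All partitions (/A), across sites (/e), push from this DC (/P). Use after the root cause is fixed.
        & repadmin.exe /syncall $dc /AdeP
    }
}
```

The parser treats "unknown" and any delta it cannot read as a problem rather than silently passing it, which is the safer default for a health check. If your inter-site links use the 180-minute default schedule, raise the -MaxDelta passed to Test-ReplHealth for those partners instead of lowering your guard everywhere.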
Next, be sure to check the time synchronization on the domain controllers with the command:
The NTP offset should be close to 0 for all DCs (a fraction of a second). Kerberos rejects tickets by default when clocks differ by more than 5 minutes, so an offset anywhere near that breaks authentication. If a DC is off, check the time hierarchy in the domain: the PDC emulator should sync from a reliable external source and every other DC from the domain hierarchy.
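A scripted version of the time check above, as an added example that is not part of the original article: it parses the output of w32tm /monitor, which prints each DC's NTP offset from the domain's time source, and classifies every DC against two thresholds chosen here (1 second to warn, 300 seconds because that is the default Kerberos clock-skew limit). It assumes an elevated session in the domain; the -Sample switch feeds a constructed sample of the w32tm output format so the parser can be tried offline.

```powershell
# Added example, not part of the original article. Parses "w32tm /monitor" and
# flags DCs whose clock offset exceeds the chosen thresholds.
# Assumptions: elevated session in the domain; thresholds are choices made here.
param(
    [double]$WarnSeconds = 1,     # arbitrary: anything above this deserves a look
    [double]$MaxSeconds  = 300,   # Kerberos default maximum clock skew is 5 minutes
    [switch]$Sample               # use the constructed sample below instead of running w32tm
)

# Constructed sample in the format w32tm /monitor prints (not real output).
$sampleOutput = @'
dc01.test.com *** PDC ***[10.0.0.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.test.com
        RefID: time.example.org [192.0.2.10]
        Stratum: 3
dc02.test.com[10.0.0.2:123]:
    ICMP: 1ms delay
    NTP: -0.0123456s offset from dc01.test.com
        RefID: dc01.test.com [10.0.0.1]
        Stratum: 4
dc03.test.com[10.0.0.3:123]:
    ICMP: 0ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
'@ -split "`r?`n"

function Get-W32tmOffsets {
    # One object per DC: OffsetSeconds (signed) or Error text when w32tm could not query it.
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<dc>[\w.-]+).*\[[\d.:a-fA-F]+\]:\s*$') { $current = $Matches.dc; continue }
        if ($current -and $line -match 'NTP:\s+(?<off>[+-]?\d+(?:\.\d+)?)s offset') {
            [pscustomobject]@{ DC = $current; OffsetSeconds = [double]$Matches.off; Error = $null }
        } elseif ($current -and $line -match 'NTP:\s+error\s+(?<err>.+)$') {
            [pscustomobject]@{ DC = $current; OffsetSeconds = $null; Error = $Matches.err.Trim() }
        }
    }
}

function Test-TimeSync {
    param([object[]]$Offsets, [double]$Warn, [double]$Max)
    foreach ($o in $Offsets) {
        $state = if ($o.Error) { 'ERROR' }
                 elseif ([math]::Abs($o.OffsetSeconds) -gt $Max)  { 'CRITICAL (beyond Kerberos skew)' }
                 elseif ([math]::Abs($o.OffsetSeconds) -gt $Warn) { 'WARN' }
                 else { 'OK' }
        [pscustomobject]@{ DC = $o.DC; OffsetSeconds = $o.OffsetSeconds; State = $state; Detail = $o.Error }
    }
}

$output  = if ($Sample) { $sampleOutput } else { & w32tm.exe /monitor 2>&1 | ForEach-Object { "$_" } }
$results = Test-TimeSync -Offsets (Get-W32tmOffsets -Lines $output) -Warn $WarnSeconds -Max $MaxSeconds
$results | Format-Table -AutoSize
if ($results.State -notmatch '^OK$') {
    Write-Warning 'At least one DC is not synchronised; run "w32tm /query /status" on that DC to see its time source.'
}
```

With -Sample, dc01 and dc02 come out OK and dc03 is reported as ERROR, because a DC that does not answer NTP at all is as much of a finding as one with a large offset. Without the switch the same logic runs against the live w32tm /monitor output.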
Verify that all domain controllers publish the SYSVOL and NETLOGON folders as network shares. SYSVOL holds the Group Policy templates and logon scripts that are replicated between DCs (NETLOGON is the scripts subfolder of SYSVOL), and clients read policy from these shares, so a DC that is missing them cannot serve Group Policy. The list of shared folders on a DC can be displayed with the command:
Now check that the dcdiag NetLogons test passes in Active Directory:
If everything is fine with Netlogon, every DC should show "passed test NetLogons".
Finally, check that all assigned policies are applied. You can do it on any computer in the domain with gpresult /r (or gpresult /h report.html for an HTML report), which lists the applied and filtered GPOs for the computer and the current user.
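The last three checks (SYSVOL/NETLOGON shares, the NetLogons test and Group Policy application) in one script, as an added example that is not part of the original article: for every DC it tests whether the two shares are reachable over UNC, runs dcdiag /test:netlogons against that DC and looks for the "passed test NetLogons" line, then prints the gpresult summary for the local machine. It assumes the ActiveDirectory RSAT module, an elevated session and domain admin rights; the DC list is discovered with Get-ADDomainController rather than taken from the article.

```powershell
# Added example, not part of the original article. Checks SYSVOL/NETLOGON shares
# and the NetLogons test on every DC, then summarises GPO application locally.
# Assumptions: ActiveDirectory RSAT module, elevated session, domain admin rights.
Import-Module ActiveDirectory

function Test-DcShares {
    # Test-Path over UNC returns $false both when the share is missing and when access is denied;
    # either way the DC cannot serve policy to this machine.
    param([string]$Dc)
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $unc = "\\$Dc\$share"
        [pscustomobject]@{
            DC        = $Dc
            Share     = $share
            Reachable = Test-Path -LiteralPath $unc
        }
    }
}

function Test-DcNetLogons {
    # dcdiag prints "......................... DC01 passed test NetLogons" (or "failed test NetLogons").
    param([string]$Dc)
    $out = & dcdiag.exe /test:netlogons "/s:$Dc" 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        DC     = $Dc
        Passed = [bool]($out -match 'passed test NetLogons')
        Output = $out -join "`n"
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName

$shareResults = foreach ($dc in $dcs) { Test-DcShares -Dc $dc }
$shareResults | Format-Table -AutoSize
foreach ($m in ($shareResults | Where-Object { -not $_.Reachable })) {
    Write-Warning "$($m.DC) does not expose \\$($m.DC)\$($m.Share); GPOs and logon scripts cannot be served from it."
}

foreach ($dc in $dcs) {
    $r = Test-DcNetLogons -Dc $dc
    if ($r.Passed) { "$dc : NetLogons test passed" }
    else           { Write-Warning "$dc : NetLogons test FAILED`n$($r.Output)" }
}

# Confirm policies actually apply here: /r prints the applied and filtered GPOs
# for the computer and the current user.
& gpresult.exe /r
```

Run it on a domain-joined machine from an elevated prompt. A DC that fails the share test but passes NetLogons (or vice versa) is worth a closer look: the former usually points at SYSVOL replication (DFS-R) or permissions, the latter at the Netlogon service itself.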