Test Domain Controllers Using Dcdiag.exe

The DCDiag utility can be used to diagnose the health of Active Directory domain controllers, DNS servers, AD replication, and other domain services. The utility is built into modern Windows Server versions (2019/2016/2012 R2); in earlier versions of Windows Server, DCDiag must be installed manually from the Support Tools package. If you want to run DCDiag on client OS versions (Windows 10/8.1/7), you need to install the Remote Server Administration Tools (RSAT) package on your computer.

The DCDiag utility can perform up to 30 different tests related to the domain infrastructure: AD, DNS, FSMO roles, etc. Let us briefly list the main tests of the DCDiag utility:

| DCDiag command (test) | Test description |
|---|---|
| Advertising | Checks if the domain controller is correctly reporting itself and its role as the operations master. This test fails if the NetLogon service is not running. |
| CheckSDRefDom | Verifies the correctness of the reference domain security descriptors for each section of the program directories. |
| Connectivity | Checks DNS registration for each domain controller; sends a test echo packet to each domain controller and verifies LDAP connections to each domain controller, and RPC connections. |
| CrossRefValidation | Checks the correctness of cross-references for domains. |
| FRSSysvol | Checks readiness status for FRS SYSVOL. |
| FRSEvent | Checks for replication errors in the file replication service, which may indicate problems with SYSVOL replication and, thus, the integrity of copies of GPO objects. |
| FSMOCheck | Checks the global catalog server, primary domain controller, preferred time server, and KDC. |
| Intersite | Checks for errors that may interfere with normal replication between AD sites. Microsoft warns that sometimes this test may not be accurate. |
| KnowsOfRoleHolders | Checks the ability to connect domain controllers to all five FSMO role holders. |
| MachineAccount | Verifies the correctness of the registration of the account of the target computer and the correctness of the service announcements of this computer. |
| NCSecDesc | Verifies permissions for replication in security descriptors for naming context headers. |
| NetLogons | Verifies the registration permissions that allow registration for each domain controller. |
| ObjectsReplicated | Verifies the replication of the directory server agent and computer account objects. |
| OutboundSecureChannels | Checks the presence of secure channels between all domain controllers in the domain. |
| Replications | Checks replication between domain controllers and reports all replication errors. |
| RidManager | Checks the operability and availability of the RID master. |
| Services | Verifies the health of all services required for the operation of the ADDS on the specified domain controller. |
| VerifyEnterpriseReferences | Checks the validity of the system links of the file replication service for all objects on all domain controllers in the forest. |
| VerifyReferences | Checks the validity of the file replication service system references for all objects on the specified domain controller. |
| VerifyReplicas | Checks the validity of all sections of the application directory on all servers involved in the replication. |

It is recommended to run the DCDiag tests on the domain controller itself rather than remotely. For example, let's run a check on the DC01 domain controller:

dcdiag /s:DC01

When you run the utility without specifying parameters, all 30 tests for the specified domain controller are run. In our example, it is clear that all tests passed successfully (Starting test: …. passed test). This means that everything is fine on this DC.


You can run only a specific AD test by specifying its name, for example:

dcdiag /s:DC01 /a /test:NetLogons

Or you can exclude a specific test from the checklist:

dcdiag /s:DC01 /a /skip:Replications

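When launching the dcdiag tool remotely, you need to specify credentials that have domain admin privileges:

dcdiag /s:DC01 /u:contoso\admin /p:P@SSwoord

dcdiag also accepts /p:* to prompt for the password, which keeps it out of the command line and shell history.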

To display extended information and save the test results to a file, use the command:

dcdiag /s:DC01 /v /f:c:\ps\dcdiag_report.log

To test all domain controllers in an AD site, run the command:

dcdiag /s:DC01 /a

To check all DCs in the domain, use the /e parameter.

If you want to remove the extra information from the test results to display only the errors found, use the /q parameter (if no errors were found, the command will return nothing):

dcdiag /s:DC01 /q
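
For scheduled health checks, the "passed test" / "failed test" result lines can be parsed into objects instead of being read by eye. The PowerShell below is an added example, not part of the original article; ConvertFrom-DcDiag is a hypothetical helper name, the sample output is constructed, and English-language dcdiag output is assumed.

```powershell
# Added example: parse dcdiag text output into objects and report failures.
# ConvertFrom-DcDiag is a hypothetical helper, not part of dcdiag or any module.
function ConvertFrom-DcDiag {
    param(
        # Not mandatory, so the blank lines in real dcdiag output bind cleanly.
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Line
    )
    process {
        foreach ($l in $Line) {
            # Result lines look like: "......... DC01 passed test Advertising"
            # (English output assumed; localized builds use other wording).
            if ($l -match '\.+\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)') {
                [pscustomobject]@{
                    Target = $Matches.Target
                    Test   = $Matches.Test
                    Passed = ($Matches.Result -eq 'passed')
                }
            }
        }
    }
}

# Constructed sample output (not captured from a real domain controller).
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: NetLogons
         ......................... DC01 passed test NetLogons
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
'@ -split "\r?\n"

# Against a live DC, replace $sample with the command itself: dcdiag /s:DC01
$results = $sample | ConvertFrom-DcDiag
$failed  = @($results | Where-Object { -not $_.Passed })

$results | Format-Table -AutoSize
if ($failed.Count -gt 0) {
    Write-Warning ("{0} test(s) failed: {1}" -f $failed.Count, ($failed.Test -join ', '))
}
```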


Some trivial errors can be fixed with dcdiag by itself. To do this, use the /fix switch:

dcdiag /s:DC01 /fix
Cyril Kardashevsky