Testing Active Directory Domain Controllers Using DcDiag.exe

The DCDiag tool diagnoses the health of Active Directory domain controllers, DNS servers, AD replication, and other ADDS infrastructure services. The utility is built into modern Windows Server versions (2019/2016/2012 R2); on earlier versions of Windows Server it has to be installed manually from the Support Tools package. To run DCDiag on a client OS (Windows 11/10/8.1), install the Remote Server Administration Tools (RSAT) on your computer.

The DcDiag utility can perform up to 30 different tests related to the AD domain infrastructure, DNS, FSMO roles, etc. Let us briefly list the main tests of the DCDiag utility:

Advertising: Checks that the domain controller correctly advertises itself and the roles it holds (for example, operations master). This test fails if the NetLogon service is not running.

CheckSDRefDom: Verifies that each application directory partition has the correct security descriptor reference domain.

Connectivity: Checks DNS registration for each domain controller, sends a test echo (ping) packet to each domain controller, and verifies LDAP and RPC connectivity to each one.

CrossRefValidation: Checks the validity of the cross-references for domains.

FrsSysVol: Checks the readiness state of the FRS SYSVOL share.

FRSEvent: Checks for File Replication Service errors, which may indicate SYSVOL replication problems and therefore inconsistent copies of Group Policy objects.

FSMOCheck: Checks that the global catalog server, primary domain controller, preferred time server, and KDC are reachable.

Intersite: Checks for failures that would prevent or delay replication between AD sites. Microsoft warns that this test is not always accurate.

KnowsOfRoleHolders: Checks whether the domain controller can contact all five FSMO role holders.

MachineAccount: Verifies that the computer account of the target domain controller is registered correctly and that the computer's service announcements are correct.

NCSecDesc: Verifies that the security descriptors on the naming context heads contain the permissions required for replication.

NetLogons: Verifies that the logon privileges that allow replication to proceed are in place on each domain controller.

ObjectsReplicated: Verifies that the Directory System Agent (DSA) and computer account objects have replicated.

OutboundSecureChannels: Checks that secure channels exist between all domain controllers in the domain.

Replications: Checks replication between domain controllers and reports any replication errors.

RidManager: Checks that the RID master is accessible and functioning.

Services: Verifies that all services required by ADDS are running on the specified domain controller.

VerifyEnterpriseReferences: Checks that the FRS system references are valid for all objects on all domain controllers in the forest.

VerifyReferences: Checks that the FRS system references are valid for all objects on the specified domain controller.

VerifyReplicas: Checks the validity of all application directory partitions on all servers that hold replicas of them.

Topology: Checks that the KCC has generated a complete topology for all domain controllers.

CutoffServers: Checks for servers that have no replication partner and are therefore cut off from replication.

DNS: Runs the six additional DNS sub-tests described below.

DcPromo: Checks the DNS infrastructure for a computer that you want to promote to a domain controller. If the infrastructure meets the requirements, the ADDS domain controller role can be installed on the computer.

The general syntax of the DcDiag utility is:

dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]

Useful Examples of DcDiag Command

It is recommended to run the DcDiag test on the domain controller itself, and not remotely. For example, let’s run a check on a DC01 domain controller:

dcdiag /s:DC01

Hint. Note that you are likely to encounter warning events when running DcDiag tests remotely. Tests such as SystemLog will fail unless you run dcdiag.exe locally on a domain controller.

When you run the tool without specifying parameters, all 30 tests for the specified domain controller are run. In our example, every test passed (each block ends with a "passed test" line after its "Starting test:" header), which means everything is fine on this DC.


The test results will show Passed if the test was successful and DcDiag found no errors. If an error is found, the Failed message will appear next to the check name.


DcDiag allows you to perform a quick general health test of Active Directory and domain controllers. To check all DCs in the domain, use the /e parameter. The following command lists only the errors that require the AD administrator's attention (per the syntax above, /q and /v are mutually exclusive, so /q is used on its own):

dcdiag /e /q

You can run only a specific AD test by specifying its name, for example:

dcdiag /s:DC01 /a /test:NetLogons

or test the health of the RID master FSMO owner in the domain:

Dcdiag.exe /TEST:RidManager /v

Or you can exclude a specific test from the comprehensive check (/skip is only valid together with /c, and the test name must match the list above):

dcdiag /s:DC01 /a /c /skip:Replications

When launching the DcDiag tool remotely, you need to specify credentials with domain admin privileges in the form /u:<Domain>\<UserName>. Use /p:* to be prompted for the password interactively rather than leaving it in the command line (and the shell history):

dcdiag /s:DC01 /u:contoso\admin /p:*

To display extended information and save the test results to a file, use the command:

dcdiag /s:DC01 /v /f:c:\ps\dcdiag_report.log

To test all domain controllers in the current Active Directory site, run the command:

dcdiag /s:DC01 /a

If you want to remove the extra information from the test results to display only the errors found, use the /q parameter (if no errors were found, the command will return nothing):

dcdiag /s:DC01 /q


Some trivial errors can be fixed by DcDiag itself. To do this, use the /fix switch:

dcdiag /s:DC01 /fix
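As an added example (not part of the original article), the following PowerShell wraps dcdiag.exe and parses its per-test result lines into objects, so the "passed test" / "failed test" output described above can be summarised, logged, or fed to monitoring instead of being read by eye. The function names, the assumption that dcdiag.exe is on the PATH and that each result line has the form "......... <server> passed|failed test <TestName>", and the sample output the parser is checked against are all constructed here and are not taken from the article.

```powershell
# Added example, not from the original article.
# Assumptions (not stated on the page): dcdiag.exe is on the PATH, and each
# per-test result line looks like "   ......... DC01 passed test Advertising".

function ConvertFrom-DcDiagOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Lines
    )
    begin {
        # One result line per test per server; capture server, verdict and test name
        $pattern = '^\s*\.+\s+(?<Server>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)\s*$'
    }
    process {
        foreach ($line in $Lines) {
            if ($line -match $pattern) {
                [pscustomobject][ordered]@{
                    Server = $Matches.Server
                    Test   = $Matches.Test
                    Result = $Matches.Result
                }
            }
        }
    }
}

function Invoke-DcDiagSummary {
    [CmdletBinding()]
    param(
        [string]$Server,              # target DC, e.g. DC01; omit to test the local DC
        [switch]$Enterprise,          # /e: test every DC rather than one
        [string[]]$ExtraArgs = @()    # e.g. '/u:contoso\admin','/p:*' to be prompted for a password
    )
    $dcdiagArgs = @()
    if ($Server)     { $dcdiagArgs += "/s:$Server" }
    if ($Enterprise) { $dcdiagArgs += '/e' }
    $dcdiagArgs += $ExtraArgs

    # dcdiag writes plain text; capture it and parse it instead of eyeballing it
    $output  = & dcdiag.exe @dcdiagArgs
    $results = @($output | ConvertFrom-DcDiagOutput)
    $failed  = @($results | Where-Object Result -eq 'failed')

    if ($failed.Count -gt 0) {
        $failed | Sort-Object Server, Test | Format-Table -AutoSize
        Write-Warning ("{0} test(s) failed; rerun with /v for details" -f $failed.Count)
    } else {
        Write-Host ("All {0} parsed tests passed" -f $results.Count)
    }
    return $results
}

# Offline check of the parser against a constructed sample of dcdiag output
$sample = @'
Starting test: Advertising
   ......................... DC01 passed test Advertising
Starting test: Replications
   [Replications Check,DC01] A recent replication attempt failed:
   ......................... DC01 failed test Replications
Starting test: NetLogons
   ......................... DC02 passed test NetLogons
'@ -split "`r?`n"

$parsed = $sample | ConvertFrom-DcDiagOutput
$parsed | Format-Table -AutoSize
# Three objects are produced; only DC01 / Replications carries Result = failed
```

Run `Invoke-DcDiagSummary -Server DC01` on a domain controller (or `-Enterprise` to cover all of them); the returned objects can be piped to Export-Csv for a scheduled health report, and a non-empty failed set is the condition to alert on.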

How to Test Active Directory DNS with DcDiag?

You can check the health of your name resolution service in AD using the DNS tests. For example, to run all DNS tests for a specific domain controller and export the result to a text file:

DCDiag /Test:DNS /e /v /s:dc01.theitbros.com >c:\logs\DcdiagDNSCheck.txt

Open the resulting DNS test log file:

Get-Content c:\logs\DcdiagDNSCheck.txt

The result of each DNS test is listed in a column under the “Summary of DNS test results” section. In this example, all DNS tests passed successfully (PASS), except for the DNS forwarding test (FAIL):
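As an added example (not part of the original article), this PowerShell turns the "Summary of DNS test results" table that dcdiag /test:DNS prints into one object per domain controller, so a single FAIL such as the forwarding failure mentioned above is not lost in a long log. The function name, the column layout assumed for the summary (a header row of short sub-test labels followed by one PASS/FAIL/WARN/n/a token per column for each DC), and the sample text it is checked against are constructed here and are not taken from the article.

```powershell
# Added example, not from the original article.
# Assumption (not from the page): the summary has a header row of short column
# labels and, under a "Domain:" line, one row per DC with one token per column,
# as in the constructed sample below. Column names are read from the header so
# the parser does not hard-code them.

function ConvertFrom-DcDiagDnsSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    $columns = $null
    $domain  = $null
    $inTable = $false
    $rowRx   = '^\s*(?<Dc>\S+)\s+(?<Results>(?:(?:PASS|FAIL|WARN|n/a)\s*)+)$'

    foreach ($line in $Lines) {
        if ($line -match 'Summary of DNS test results') { $inTable = $true; continue }
        if (-not $inTable) { continue }

        # Header row: the short sub-test labels become the property names
        if (-not $columns -and $line -match '^\s*Auth\s+') {
            $columns = $line.Trim() -split '\s+'
            continue
        }
        if ($line -match '^\s*Domain:\s*(?<Domain>\S+)') { $domain = $Matches.Domain; continue }

        # DC row: map each verdict token to its column and count the FAILs
        if ($columns -and $line -match $rowRx) {
            $values = $Matches.Results.Trim() -split '\s+'
            $row = [ordered]@{ Domain = $domain; DC = $Matches.Dc }
            for ($i = 0; $i -lt $columns.Count; $i++) {
                $row[$columns[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
            }
            $row['Failed'] = @($values | Where-Object { $_ -eq 'FAIL' }).Count
            [pscustomobject]$row
        }
    }
}

# Constructed sample of the summary block (not real output from the article's lab)
$sampleSummary = @'
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: theitbros.com
               dc01                         PASS PASS FAIL PASS PASS PASS n/a
               dc02                         PASS PASS PASS PASS PASS PASS n/a
'@ -split "`r?`n"

$dns = ConvertFrom-DcDiagDnsSummary -Lines $sampleSummary
$dns | Format-Table -AutoSize
# DCs with Failed -gt 0 are the ones to look at first; here dc01 fails Forw (forwarders)
$dns | Where-Object Failed -gt 0 | Select-Object Domain, DC, Forw

# Against a log written as in the article:
# ConvertFrom-DcDiagDnsSummary -Lines (Get-Content c:\logs\DcdiagDNSCheck.txt)
```

Reading the column names from the header rather than hard-coding them means a summary with a different set of sub-test columns still parses, and the Failed count gives a single value to alert on per domain controller.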


You can also run only specific DNS sub-tests:

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]

/DnsBasic: Basic DNS tests: connectivity, DNS client configuration, service availability, and presence of the domain zone.

/DnsForwarders: The DnsBasic tests plus a check of DNS forwarding.

/DnsDelegation: The DnsBasic tests plus delegation verification.

/DnsDynamicUpdate: The DnsBasic tests plus a check that dynamic update is enabled for the Active Directory zone.

/DnsRecordRegistration: The DnsBasic tests plus a check that the A, CNAME, and SRV records are registered. An inventory report is also generated from the test results.

/DnsResolveExtName [/DnsInternetName:<InternetName>]: The DnsBasic tests plus resolution of an external name. If DnsInternetName is not specified, the tool attempts to resolve the www.microsoft.com address; if it is specified, the given InternetName is resolved.

DcDiag can also fix some common DNS errors automatically. Use the following command to fix any errors found in the DNS service on the specified domain controller:

DCDiag /Test:DNS /e /v /s:dc01.theitbros.com /fix

Hint. DNS errors on a domain controller are often the source of the 1722 RPC Server Unavailable (RPC_S_SERVER_UNAVAILABLE) issue in an Active Directory domain.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky
