The DCDiag utility can be used to diagnose the health of Active Directory domain controllers, DNS servers, AD replication, and other domain services. This utility is built into the modern Windows Server 2019/2016/2012R2 versions (in previous versions of Windows Server, the DCDiag utility must be installed manually from the Support Tools package). If you want to run DCDiag on client OS versions (Windows 10/8.1/7), you need to install the Remote System Administration Tools package on your computer.
The DcDiag utility can perform up to 30 different tests related to the domain infrastructure AD, DNS, FSMO roles, etc. Let us briefly list the main tests of the DCDiag utility:
| DCdiag commands (test) | Test descriptions |
| Advertising | Checks if the domain controller is correctly reporting itself and its role as the operations master. This test fails if the NetLogon service is not running. |
| CheckSDRefDom | Verifies the correctness of the reference domain security descriptors for each section of the program directories. |
| Connectivity | Checks DNS registration for each domain controller, sends a test echo packet to each domain controller, and verifies LDAP and RPC connections to each domain controller. |
| CrossRefValidation | Checks the correctness of cross-references for domains. |
| RRSSysvol | Checks readiness status for FRS SYSVOL |
| FRSEvent | Checks for replication errors in the file replication service, which may indicate problems with SYSVOL replication and, thus, the integrity of copies of GPO objects. |
| FSMOCheck | Check the global catalog server, primary domain controller, preferred time serveutili, time server and KDC. |
| Intersite | Checks for errors that may interfere with normal replication between AD sites. Microsoft warns that sometimes this test may not be accurate. |
| KnowsOfRoleHolders | Checks the ability to connect domain controllers to all five FSMO role holders. |
| MachineAccount | Verifies the correctness of the registration of the account of the target computer and the correctness of the service announcements of this computer. |
| NCSecDesc | Verifies permissions for replication in security descriptors for naming context headers. |
| NetLogons | Verifies the registration permissions that allow registration for each domain controller. |
| ObjectsReplicated | Verifies the replication of the directory server agent and computer account objects. |
| OutboundSecureChannels | Checks the presence of secure channels between all domain controllers in the domain. |
| Replications | Checks replication between domain controllers and reports all replication errors. |
| RidManager | Checks the operability and availability of the RID master. |
| Services | Verifies the health of all services required for the operation of the ADDS on the specified domain controller. |
| VerifyEnterpriseReferences | Checks the validity of the system links of the file replication service for all objects on all domain controllers in the forest. |
| VerifyReferences | Checks the validity of the file replication service system references for all objects on the specified domain controller. |
| VerifyReplicas | Checks the validity of all sections of the application directory on all servers involved in replication. |
It is recommended to run the DCdiag test on the domain controller itself, and not remotely. For example, let’s run a check on a DC01 domain controller:
dcdiag /s:DC01
When you run the utility without specifying parameters, all 30 tests for the specified domain controller are run. In our example, it is clear that all tests passed successfully (Starting test: …. passed test). It means that everything fine on this DC.
You can only perform a specific AD test by specifying its name, for example:
dcdiag /s:DC01 /a /test:NetLogons
Or you can exclude a specific test from the check list:
dcdiag /s:DC01 /a /skip:Replication
When launching the dcdiag tool remotely, you need to specify the credentials with the domain admin privileges:
dcdiag /s:DC01 /u:contosoadmin /p:P@SSwoord
In order to display the extended information and save the test results to files, use the command:
dcdiag /s:DC01 /v /f:c:psdcdiag_report.log
To test all domain controllers in an AD site, run the command:
dcdiag /s:DC01 /a
To check all DCs in the domain, use the /e parameter.
If you want to remove the extra information from the test results to display only the errors found, use the /q parameter (if no errors were found, the command will return nothing):
dcdiag /s:DC01 /q
Some trivial errors can be fixed with dcdiag by itself. To do this, use the /fix switch:
dcdiag /s:DC01 /fix