Test Domain Controllers Using Dcdiag.exe

The DCDiag utility (dcdiag.exe) diagnoses the health of Active Directory domain controllers: DNS registration, AD replication, FSMO role availability, required services and more. It is built into current Windows Server versions (2019/2016/2012 R2); on older versions of Windows Server it had to be installed separately from the Support Tools package. To run DCDiag from a client OS (Windows 10/8.1/7), install the Remote Server Administration Tools (RSAT) package on the workstation.

DCDiag can perform up to about 30 different tests covering the AD infrastructure, DNS, FSMO roles and so on (some of them only run when extra switches such as /testdomain: are supplied). The main tests are listed below:

Test name: what it checks

Advertising: Checks that the domain controller correctly advertises itself and its roles (including any operations master roles it holds). The test fails if the Netlogon service is not running.
CheckSDRefDom: Verifies that each application directory partition has the correct security descriptor reference domain.
Connectivity: Checks DNS registration for each domain controller, sends a test echo (ping) to each one, and verifies LDAP and RPC connectivity to each one. If this test fails for a DC, the remaining tests for that DC are not run.
CrossRefValidation: Checks the validity of the cross-reference objects for domains.
FrsSysVol: Checks whether the File Replication Service (FRS) SYSVOL share is ready.
FrsEvent: Checks for errors reported by the File Replication Service; such errors can indicate SYSVOL replication problems and therefore inconsistent copies of Group Policy objects. (On domains that use DFS Replication for SYSVOL, the DFSREvent test covers the same ground.)
FsmoCheck: Checks that the DC can locate a global catalog server, the PDC emulator, the preferred time server, a time server and a KDC.
Intersite: Checks for failures that would prevent or delay replication between AD sites. Microsoft notes that the results of this test are not always accurate.
KnowsOfRoleHolders: Checks whether the DC knows which domain controllers hold the five FSMO roles and can reach them.
MachineAccount: Checks that the DC's computer account is registered correctly and that its service principal names (SPNs) are correct. This is the only test that the /fix switch can repair.
NCSecDesc: Checks that the security descriptors on the naming context heads contain the permissions required for replication.
NetLogons: Checks that the logon privileges required for replication are in place on each domain controller.
ObjectsReplicated: Checks that the DC's directory system agent (NTDS Settings) object and its computer account object have replicated.
OutboundSecureChannels: Checks that secure channels exist from all domain controllers in the domain to the domains given with /testdomain:.
Replications: Checks replication between domain controllers and reports all replication errors.
RidManager: Checks that the RID master is accessible and holds correct information.
Services: Checks that all services required by AD DS are running on the specified domain controller.
VerifyEnterpriseReferences: Checks that the file replication system references are intact for all objects on all domain controllers in the forest.
VerifyReferences: Checks that the file replication system references are intact for all objects on the specified domain controller.
VerifyReplicas: Checks that all application directory partitions are fully instantiated on every server that replicates them.

It is recommended to run DCDiag on the domain controller itself rather than remotely, because a remote run also depends on the network path and your own workstation's name resolution. For example, let's check the domain controller DC01:

dcdiag /s:DC01

When you run the utility without any test selection switches, the default set of tests is run against the specified domain controller. In our example every test passed (each test ends with a line of the form "DC01 passed test <TestName>"), which means this DC is healthy.


You can run a single test by specifying its name with /test:, for example (here /a runs it against all DCs in the current site):

dcdiag /s:DC01 /a /test:NetLogons

Or you can exclude a specific test from the run with /skip: (the test name must match the names in the table above, e.g. Replications, not Replication):

dcdiag /s:DC01 /a /skip:Replications

When running dcdiag remotely under a different account, specify credentials with domain admin privileges in the form /u:domain\user. Prefer /p:* so that dcdiag prompts for the password instead of leaving it in the command history:

dcdiag /s:DC01 /u:contoso\admin /p:*

To display verbose output and save the test results to a file, use /v together with /f:

dcdiag /s:DC01 /v /f:c:\ps\dcdiag_report.log

To test all domain controllers in the AD site that DC01 belongs to, add the /a parameter:

dcdiag /s:DC01 /a

To check all DCs in the whole forest (enterprise), use the /e parameter instead.

If you want to suppress everything except errors in the output (useful for scripted checks), use the /q (quiet) parameter; if no errors were found, the command prints nothing:

dcdiag /s:DC01 /q


DCDiag can repair one class of problem by itself: the /fix switch affects only the MachineAccount test and re-registers missing or incorrect service principal names (SPNs) on the domain controller's computer account. Other failures must be investigated and fixed manually (with repadmin, DNS tools, the Services console, etc.):

dcdiag /s:DC01 /fix
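The switches above are usually combined in a scheduled health check. The following PowerShell script is an added example, not code from the original article: it runs dcdiag.exe against every domain controller in the domain, saves the verbose output of each run to a log file, parses the "passed test" / "failed test" summary lines into objects, and exits with a non-zero code when any test failed. It assumes dcdiag.exe is in the PATH, the ActiveDirectory RSAT module is installed (for Get-ADDomainController), the caller has domain admin rights, and the log directory under $env:TEMP is writable; the function name and parameter names are hypothetical.

```powershell
# Added example (not from the original article): wrap dcdiag.exe in a parser so its
# results can be filtered, logged and used as a scheduled-task exit code.
# Assumptions: dcdiag.exe in PATH, ActiveDirectory module available, domain admin rights.

function Invoke-DcDiagReport {
    [CmdletBinding()]
    param(
        # Default: every DC in the current domain (hypothetical parameter names).
        [string[]]$Server = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        # Tests to leave out, e.g. 'Replications' on a WAN with known latency.
        [string[]]$Skip = @(),
        [string]$LogDirectory = (Join-Path $env:TEMP 'dcdiag')
    )

    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

    # dcdiag summary lines look like:
    #   ......................... DC01 passed test Advertising
    #   ......................... DC01 failed test Replications
    # Enterprise-level tests report the domain/forest name instead of a DC name.
    $summaryPattern = '^\s*\.+\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'

    foreach ($dc in $Server) {
        $dcdiagArgs = @("/s:$dc", '/v')
        foreach ($test in $Skip) { $dcdiagArgs += "/skip:$test" }

        $logFile = Join-Path $LogDirectory ('{0}_{1:yyyyMMdd_HHmm}.log' -f $dc, (Get-Date))

        # Capture stdout ourselves instead of using /f:, so the same text can be
        # both written to disk and parsed.
        $output = & dcdiag.exe @dcdiagArgs
        $output | Set-Content -Path $logFile

        foreach ($line in $output) {
            if ($line -match $summaryPattern) {
                [pscustomobject]@{
                    Server = $dc
                    Target = $Matches.Target
                    Test   = $Matches.Test
                    Result = $Matches.Result
                    Log    = $logFile
                }
            }
        }
    }
}

# Usage: run everything except the Replications test, show a table, fail the task on errors.
$results = Invoke-DcDiagReport -Skip 'Replications'
$results | Format-Table Server, Target, Test, Result -AutoSize

$failed = @($results | Where-Object { $_.Result -eq 'failed' })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning ("{0}: test {1} failed, see {2}" -f $_.Target, $_.Test, $_.Log) }
    exit 1
}
```

Parsing the verbose output rather than relying on /q keeps the per-test detail in the log for later investigation while still giving a one-bit answer to the scheduler. Remember that a failed Connectivity test suppresses the other tests for that DC, so a short result list for one server is itself a warning sign.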
Cyril Kardashevsky