The DCDiag tool can be used to diagnose the health of Active Directory domain controllers, DNS servers, AD replication, and other ADDS infrastructure services. This utility is built into the modern Windows Server 2019/2016/2012R2 versions (in previous versions of Windows Server, the DCDiag utility must be installed manually from the Support Tools package). If you want to run DCDiag on client OS versions (Windows 11/10/8.1), you need to install the Remote Server Administration Tools (RSAT) pack on your computer.
The DcDiag utility can perform up to 30 different tests related to the AD domain infrastructure, DNS, FSMO roles, etc. Let us briefly list the main tests of the DCDiag utility:
| DCDiag test | Test description |
|---|---|
| Advertising | Checks if the domain controller is correctly reporting itself and its role as the operations master. This test fails if the NetLogon service is not running. |
| CheckSDRefDom | Verifies the correctness of the security descriptor reference domain for each application directory partition. |
| Connectivity | Checks DNS registration for each domain controller, sends a test echo packet (ping) to each domain controller, and verifies LDAP and RPC connectivity to each domain controller. |
| CrossRefValidation | Checks the correctness of cross-references for domains. |
| FrsSysvol | Checks the readiness state of FRS SYSVOL. |
| FRSEvent | Checks for replication errors in the file replication service, which may indicate problems with SYSVOL replication and, thus, with the integrity of GPO copies. |
| FSMOCheck | Checks the global catalog server, primary domain controller, preferred time server, and KDC. |
| Intersite | Checks for errors that may interfere with normal replication between AD sites. Microsoft warns that this test may sometimes be inaccurate. |
| KnowsOfRoleHolders | Checks whether the domain controller can connect to all five FSMO role holders. |
| MachineAccount | Verifies that the computer account of the target domain controller is registered correctly and that the services it advertises are correct. |
| NCSecDesc | Verifies that the security descriptors on the naming context heads have the permissions required for replication. |
| NetLogons | Checks that the appropriate logon privileges allow replication to proceed for each domain controller. |
| ObjectsReplicated | Verifies that the Directory System Agent (DSA) and computer account objects have replicated. |
| OutboundSecureChannels | Checks the presence of secure channels between all domain controllers in the domain. |
| Replications | Checks replication between domain controllers and reports all replication errors. |
| RidManager | Checks that the RID master is accessible and operating correctly. |
| Services | Verifies the health of all services required for ADDS to operate on the specified domain controller. |
| VerifyEnterpriseReferences | Checks the validity of the file replication service system references for all objects on all domain controllers in the forest. |
| VerifyReferences | Checks the validity of the file replication service system references for all objects on the specified domain controller. |
| VerifyReplicas | Checks the validity of all application directory partitions on all servers participating in their replication. |
| Topology | Checks if the KCC generates the correct topology for all domain controllers. |
| CutoffServers | Checks for replication servers that have no replication partner. |
| DNS | Includes six additional DNS tests (see below). |
| DcPromo | Checks the DNS infrastructure for any computer that you want to promote to a domain controller. If the infrastructure meets the requirements, you can install the ADDS domain controller role on the computer. |
The general syntax of the DcDiag utility is:
dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]
Useful Examples of DcDiag Command
It is recommended to run the DcDiag test on the domain controller itself, and not remotely. For example, let’s run a check on a DC01 domain controller:
dcdiag /s:DC01
Hint. Note that you are likely to encounter warning events when running DcDiag tests remotely. Tests such as SystemLog will fail unless you run dcdiag.exe locally on a domain controller.
When you run the tool without specifying a test, all 30 tests are run for the specified domain controller. In our example, every test reports “passed test” after its “Starting test:” line, which means everything is fine on this DC.
The test results will show Passed if the test was successful and DcDiag found no errors. If an error is found, the Failed message will appear next to the check name.
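To turn the Passed/Failed lines described above into something a monitoring job can act on, here is an added Python parser (not part of the original article or of the dcdiag tool). The sample output is constructed to follow the “Starting test: … passed test” layout; it is not captured from a real domain.

```python
import re
from collections import defaultdict

# Constructed sample of dcdiag output for two DCs (not captured from a real
# domain); it mimics the "Starting test:" / "passed test" layout of dcdiag.
SAMPLE_OUTPUT = """
   Testing server: Default-First-Site-Name\\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... DC01 passed test FrsEvent
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
   Testing server: Default-First-Site-Name\\DC02
      Starting test: Advertising
         ......................... DC02 passed test Advertising
      Starting test: NetLogons
         ......................... DC02 passed test NetLogons
"""

# A verdict line is a run of dots, then the server (or, for enterprise and
# partition tests, the domain/partition name), then "passed test"/"failed test".
RESULT_RE = re.compile(
    r"^\s*\.+\s+(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)


def parse_dcdiag(text):
    """Return {target: {test_name: 'passed' | 'failed'}} parsed from dcdiag text."""
    results = defaultdict(dict)
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:  # detail lines (e.g. "[Replications Check,...]") are skipped
            results[m.group("target")][m.group("test")] = m.group("verdict")
    return dict(results)


def failed_tests(results):
    """List (target, test) pairs that failed: the same set /q would surface."""
    return sorted(
        (target, test)
        for target, tests in results.items()
        for test, verdict in tests.items()
        if verdict == "failed"
    )


if __name__ == "__main__":
    for target, test in failed_tests(parse_dcdiag(SAMPLE_OUTPUT)):
        print(f"{target}: {test} FAILED")
```

In practice you would feed it the file written by /f:<LogFile> (or the redirected stdout) instead of SAMPLE_OUTPUT.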
DcDiag allows you to perform a quick general health test of Active Directory and domain controllers. To check all DCs in the domain, use the /e parameter. The following command will only list errors that require the AD administrator’s attention:
dcdiag /e /v /q
You can run a single AD test by specifying its name, for example:
dcdiag /s:DC01 /a /test:NetLogons
or test the health of the RID master FSMO owner in the domain:
Dcdiag.exe /TEST:RidManager /v
Or you can exclude a specific test from the checklist:
dcdiag /s:DC01 /a /skip:Replications
When launching the DcDiag tool remotely, you need to specify credentials that have domain admin privileges:
dcdiag /s:DC01 /u:contoso\admin /p:P@SSwoord
To display extended (verbose) information and save the test results to a file, use the command:
dcdiag /s:DC01 /v /f:c:\ps\dcdiag_report.log
To test all domain controllers in the current Active Directory site, run the command:
dcdiag /s:DC01 /a
If you want to remove the extra information from the test results to display only the errors found, use the /q parameter (if no errors were found, the command will return nothing):
dcdiag /s:DC01 /q
DcDiag can fix some minor errors by itself. To do this, use the /fix switch:
dcdiag /s:DC01 /fix
How to Test Active Directory DNS with DcDiag?
You can check the health of your name resolution service in AD using the DNS tests. For example, to run all DNS tests for a specific domain controller and export the result to a text file:
DCDiag /Test:DNS /e /v /s:dc01.theitbros.com >c:\logs\DcdiagDNSCheck.txt
Open the resulting DNS test log file:
Get-Content c:\logs\DcdiagDNSCheck.txt
The result of each DNS test is listed under the “Summary of DNS test results” section. In this example, all DNS tests passed (PASS) except for the DNS forwarding test (FAIL).
You can also run only specific DNS tests:
dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]
| DNS test switch | Description |
|---|---|
| /DnsBasic | Basic DNS tests: connectivity, DNS client configuration, service availability, presence of the domain zone |
| /DnsForwarders | DnsBasic tests plus DNS forwarding |
| /DnsDelegation | DnsBasic tests plus delegation verification |
| /DnsDynamicUpdate | DnsBasic tests plus a check that dynamic update is enabled for the Active Directory zone |
| /DnsRecordRegistration | DnsBasic tests plus a check that A, CNAME, and SRV records are registered. An inventory report is also generated from the test results. |
| /DnsResolveExtName [/DnsInternetName:<InternetName>] | DnsBasic tests plus resolution of InternetName. If DnsInternetName is not specified, the tool attempts to resolve www.microsoft.com; otherwise it resolves the specified InternetName. |
For example, suppose you need to automatically fix some common DNS errors. Use the following command to fix any errors found in the DNS service on the specified domain controller:
DCDiag /Test:DNS /e /v /s:dc01.theitbros.com /fix
Hint. DNS errors on a domain controller are often the source of the “Error 1722: The RPC server is unavailable (RPC_S_SERVER_UNAVAILABLE)” issue in an Active Directory domain.