How to Check Active Directory Health?

Active Directory is a complex system, even when the forest consists of a couple of domain controllers in a single AD site. An administrator must be able to verify Active Directory health quickly and resolve problems before clients notice them. In this post we look at the typical commands for checking the status of AD and for finding and fixing potential issues.

DCDiag is the main tool for checking the health of domain controllers. Open an elevated command prompt on any domain controller and run:

dcdiag /e /v /q

This command tests all domain controllers in the forest (/e) in verbose mode (/v), while /q suppresses everything except errors, so only the tests that failed and need a domain administrator's attention are printed.

Next, check the health of the DNS servers (the PowerShell console is used here so that the long report can be redirected to a file; /s names the DC the test is run against):

DCDiag /Test:DNS /e /v /s:dc01.test.com >c:\ps\DcdiagDNStest.txt

Then open the saved report:

get-content c:\ps\DcdiagDNStest.txt

If DNS is working properly, every cell in the "Summary of DNS test results" table should read PASS (or n/a for sub-tests that do not apply to a given DC).

If the report contains errors, fix them manually first (missing or wrong forwarders, broken delegation, stale or missing records). The /fix switch of dcdiag is narrow: according to Microsoft's documentation it only repairs the service principal names on the DC's machine account object (the MachineAccount test), so do not expect it to rewrite DNS records, but it is harmless to run:

DCDiag /Test:DNS /e /v /s:dc01.test.com /fix

Then re-register the DNS records on every domain controller. ipconfig /registerdns re-registers the host (A) record only; the SRV records a DC advertises are registered by the Netlogon service, so restart that service if SRV records are missing:

ipconfig /registerdns
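The dcdiag and DNS checks above can be scripted so that the output becomes objects instead of text to scan by eye. The following is an added example written for this article, not code from the original post; it assumes a domain admin session on a DC or RSAT workstation with the ActiveDirectory module, and C:\ps is an arbitrary report folder.

```powershell
# Added example (not code from the original post): run the dcdiag checks above
# across the whole domain from PowerShell and turn the output into objects.
# Assumes: run as a domain admin on a DC or RSAT workstation; C:\ps is an
# arbitrary report folder.
Import-Module ActiveDirectory

$reportDir = 'C:\ps'
if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir | Out-Null }

# dcdiag ends every test with a summary line such as
#   "......................... DC01 failed test Advertising"
# With /q only failing tests (plus their diagnostic text) are printed.
$summaryLine = '^\s*\.+\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'

function Get-DcdiagFailures {
    param([string[]]$DcdiagOutput)
    foreach ($line in $DcdiagOutput) {
        if ($line -match $summaryLine -and $Matches.result -eq 'failed') {
            [pscustomobject]@{ DC = $Matches.dc; FailedTest = $Matches.test }
        }
    }
}

# 1. Enterprise-wide quiet run: anything returned here needs attention.
$failures = @(Get-DcdiagFailures -DcdiagOutput (& dcdiag.exe /e /q))
if ($failures.Count -eq 0) { 'dcdiag /e /q: no failed tests' } else { $failures | Format-Table -AutoSize }

# 2. Verbose DNS test run against one DC, saved to disk for later reading.
$dc = (Get-ADDomainController -Filter * | Select-Object -First 1).HostName
$dnsReport = Join-Path $reportDir 'DcdiagDNStest.txt'
& dcdiag.exe /test:DNS /e /v "/s:$dc" | Set-Content -Path $dnsReport

# The "Summary of DNS test results" table marks each sub-test PASS, WARN, FAIL or n/a.
# A case-sensitive match pulls out only the rows that are not clean.
$problemRows = Get-Content $dnsReport | Where-Object { $_ -cmatch '\b(FAIL|WARN)\b' }
if ($problemRows) { $problemRows } else { "DNS test: all PASS (full report in $dnsReport)" }
```

The regex only relies on the "passed test" / "failed test" summary lines, which dcdiag prints in the same shape for every test, so the same function works for any dcdiag invocation (for example /test:DNS or /test:netlogons).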

After checking DCs and DNS, you need to check the health of Active Directory replication. Log in to any DC and check replication with the command:

repadmin /replsum

If the largest delta for every DC is under 1 hour (or under your site link replication interval, if that is longer) and the fails column is 0 everywhere, replication is healthy.

dcdiag and repadmin are installed on every server holding the AD DS role. To run them from a Windows 10 workstation, install the RSAT tools.

If replication issues show up, get the details with:

repadmin /showrepl

This lists, for each naming context, every inbound replication partner with the time of the last attempt, the last success and the error code, so you can see which naming contexts are not replicating. (Older articles write /showreps, which is an alias of the same command.)

To check replication on a specific DC, pass its name; use a wildcard to check all DCs (this can take a long time in a large forest). /replsummary is simply the long form of /replsum:

repadmin /replsummary [DCname|*]

Check the up-to-dateness vector, i.e. the highest USN this DC has received from each replica of a naming context (both the DC and the naming context must be given):

repadmin /showutdvec dc01 dc=test,dc=com

If you need to force a specific domain controller to synchronize with all of its replication partners, use repadmin (replmon is an old GUI tool that is no longer shipped with Windows):

repadmin /syncall DC01 /AdeP

The switches mean: /A all naming contexts, /d identify servers by distinguished name in messages, /e include partners in other sites, /P push changes out from DC01 as well as pulling them in.
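The replication rule of thumb above ("largest delta under 1 hour, fails = 0") can be applied automatically with the ActiveDirectory module, which exposes the same per-partner metadata that repadmin prints. This is an added example written for this article, not code from the original post; it assumes the RSAT ActiveDirectory module and domain admin rights, and the one-hour threshold is the article's own rule of thumb.

```powershell
# Added example (not code from the original post): apply the "largest delta
# under 1 hour, zero failures" rule with the ActiveDirectory module instead of
# reading the repadmin /replsum table by eye, then show repadmin detail for any
# DC that fails the rule. Assumes RSAT/ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

$threshold = New-TimeSpan -Hours 1   # the post's rule of thumb; raise it if your site link interval is longer

function Get-StaleReplicationPartners {
    param([timespan]$MaxDelta = $threshold)
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Inbound partner metadata for every naming context hosted by this DC
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -Partition *
        foreach ($p in $partners) {
            # A partner that has never replicated successfully has no timestamp: treat it as infinitely stale
            $delta = if ($p.LastReplicationSuccess) { $now - $p.LastReplicationSuccess } else { [timespan]::MaxValue }
            if ($delta -gt $MaxDelta -or $p.ConsecutiveReplicationFailures -gt 0) {
                # Partner is the DN of the partner's NTDS Settings object; the second RDN is the server name
                $partnerName = (($p.Partner -split ',')[1] -replace '^CN=')
                [pscustomobject]@{
                    DC        = $dc.HostName
                    Partner   = $partnerName
                    Partition = $p.Partition
                    Delta     = $delta
                    Failures  = $p.ConsecutiveReplicationFailures
                    LastError = $p.LastReplicationResult   # 0 means the last attempt succeeded
                }
            }
        }
    }
}

$stale = @(Get-StaleReplicationPartners)
if ($stale.Count -eq 0) {
    'Replication OK: every inbound partner replicated within the threshold with no failures'
} else {
    $stale | Format-Table -AutoSize
    foreach ($dc in ($stale.DC | Sort-Object -Unique)) {
        "--- repadmin /showrepl $dc /errorsonly"
        & repadmin.exe /showrepl $dc /errorsonly
        # After fixing the cause, force a full cross-site push/pull of all partitions:
        # & repadmin.exe /syncall $dc /AdeP
    }
}
```

The /syncall call is left commented out on purpose: forcing replication before the underlying cause (DNS, firewall, lingering objects) is fixed only produces more failure events, so run it once the /showrepl output explains the error.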

Next, be sure to check the time synchronization on the domain controllers with the command:

w32tm /monitor

The NTP offset should be close to zero on every DC. If it is not, check the time hierarchy of the domain: member DCs synchronize with the PDC emulator, and the PDC emulator should synchronize with a reliable external NTP source rather than its local clock.
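Reading the offsets out of w32tm /monitor by hand is error-prone in a domain with more than a few DCs. The following added example, written for this article and not part of the original post, parses the output, flags drifted or unreachable DCs and then queries the PDC emulator's time source. The 1-second threshold and the sample output lines in the comment are assumptions (Kerberos tolerates up to 5 minutes of skew by default, but a healthy DC normally sits well under a second).

```powershell
# Added example (not code from the original post): run w32tm /monitor for the
# domain and flag DCs whose NTP offset is beyond a threshold. The 1-second
# threshold is an assumption. w32tm /monitor prints a block per DC; the lines
# this parser relies on look like (constructed sample):
#   dc01.test.com *** PDC ***[10.0.0.1:123]:
#       NTP: +0.0000000s offset from dc01.test.com
#   dc02.test.com[10.0.0.2:123]:
#       NTP: +0.0123456s offset from dc01.test.com
#   dc03.test.com[10.0.0.3:123]:
#       NTP: error ERROR_TIMEOUT - no response from server in 1000ms
Import-Module ActiveDirectory
$maxOffsetSeconds = 1.0

function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $currentDc = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<dc>\S+).*\[[^\]]*\]:\s*$') {
            $currentDc = $Matches.dc           # header line: "host[ip:port]:"
        } elseif ($line -match 'NTP:\s*(?<off>[+-]?\d+\.\d+)s offset from (?<src>\S+)') {
            [pscustomobject]@{ DC = $currentDc; OffsetSeconds = [double]$Matches.off; Source = $Matches.src }
        } elseif ($line -match 'NTP:\s*error') {
            # Unreachable or not answering NTP: report it instead of silently skipping the DC
            [pscustomobject]@{ DC = $currentDc; OffsetSeconds = [double]::NaN; Source = $line.Trim() }
        }
    }
}

$results = @(ConvertFrom-W32tmMonitor -Lines (& w32tm.exe /monitor "/domain:$env:USERDNSDOMAIN"))
$results | Format-Table -AutoSize

$drifted = $results | Where-Object {
    [double]::IsNaN($_.OffsetSeconds) -or [math]::Abs($_.OffsetSeconds) -gt $maxOffsetSeconds
}
if ($drifted) {
    Write-Warning ('Time problems on: ' + ($drifted.DC -join ', '))
    # The PDC emulator is the top of the domain time hierarchy; it should point at an
    # external NTP source, not at "Local CMOS Clock" or "Free-running System Clock".
    $pdc = (Get-ADDomain).PDCEmulator
    & w32tm.exe /query /source "/computer:$pdc"
}
```

If the PDC emulator reports a local clock as its source, every other DC is faithfully synchronizing to a clock that nobody disciplines; fix the PDC emulator's source first and the member DCs will follow.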

Verify that all domain controllers publish the SYSVOL and NETLOGON folders as network shares. Clients read Group Policy templates and logon scripts from these shares, and the SYSVOL content is replicated between DCs (by DFS Replication, or FRS in older domains), so a DC that does not publish them cannot apply Group Policy correctly. The list of shared folders on a DC is displayed with:

net share

Now run the dcdiag Netlogons test:

dcdiag /test:netlogons

If everything is fine, "passed test NetLogons" is printed for every domain controller.

Finally, verify that the assigned policies are actually applied. gpresult /r, run on any domain member, lists the GPOs applied to the computer and to the current user.
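The share check, the Netlogons test and gpresult above can be combined into one pass over all DCs. The following added example, written for this article and not code from the original post, also compares the GPO folders under SYSVOL\<domain>\Policies between DCs, which is a cheap way to spot SYSVOL replication that has not converged; it assumes the ActiveDirectory module and a domain-joined, domain-admin session.

```powershell
# Added example (not code from the original post): confirm that every DC
# publishes the SYSVOL and NETLOGON shares, compare the GPO folders under
# SYSVOL\<domain>\Policies across DCs as a cheap SYSVOL replication check, then
# run the Netlogons test and gpresult as the post describes. Assumes the
# ActiveDirectory module and a domain-joined, domain-admin session.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

function Get-DcSysvolState {
    param([string[]]$DomainControllers, [string]$DomainName)
    foreach ($dc in $DomainControllers) {
        $policies = "\\$dc\SYSVOL\$DomainName\Policies"
        [pscustomobject]@{
            DC       = $dc
            SYSVOL   = Test-Path "\\$dc\SYSVOL"
            NETLOGON = Test-Path "\\$dc\NETLOGON"
            # GPO folders are named by GPO GUID; the set should be identical on every DC
            GpoGuids = @(Get-ChildItem $policies -Directory -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty Name | Sort-Object)
        }
    }
}

$state = @(Get-DcSysvolState -DomainControllers $dcs -DomainName $domain)
$state | Select-Object DC, SYSVOL, NETLOGON, @{ n = 'GpoCount'; e = { $_.GpoGuids.Count } } | Format-Table -AutoSize

# Flag any DC missing a share, or carrying a different set of GPO folders than the first DC
$reference = $state[0]
foreach ($s in $state) {
    if (-not $s.SYSVOL -or -not $s.NETLOGON) { Write-Warning "$($s.DC): SYSVOL or NETLOGON share not reachable" }
    $missing = $reference.GpoGuids | Where-Object { $_ -notin $s.GpoGuids }
    $extra   = $s.GpoGuids         | Where-Object { $_ -notin $reference.GpoGuids }
    if ($missing -or $extra) {
        Write-Warning "$($s.DC): SYSVOL Policies differ from $($reference.DC) (missing: $($missing -join ','); extra: $($extra -join ','))"
    }
}

# Netlogons test (only failures are printed with /q) and the GPOs applied to this computer
& dcdiag.exe /test:netlogons /q
& gpresult.exe /r /scope:computer
```

A DC whose Policies folder is missing GUIDs that the others have is usually one whose SYSVOL replication is broken or still in the initial sync state; clients that authenticate against it will silently get stale or missing Group Policy, which is why this check belongs next to the replication checks earlier in the post.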
