
Active Directory (AD) is a reliable yet complex and critical service that underpins the functionality of an entire corporate network. Therefore, system administrators must regularly monitor the health of domain controllers and AD replication. This article explores essential methods for checking and diagnosing the health of an Active Directory domain, its domain controllers, and the replication process.


Checking Domain Controller Health with Dcdiag

The primary tool for checking domain controller health is dcdiag.

To quickly assess the health of a specific AD domain controller, use the command:

dcdiag /s:DC01

This command runs various tests on the domain controller and returns a status for each test (Passed|Failed). Key tests include:

Connectivity — checks connectivity to DNS, LDAP, and RPC.

Advertising — verifies the roles and services published on the DC.

FRSEvent — checks for file replication (SYSVOL) errors.

FSMOCheck — verifies the availability of servers with FSMO roles.

MachineAccount — checks the domain controller’s account.

NetLogons — verifies permissions for replication.

Replications — checks the replication status between controllers.

KnowsOfRoleHolders — verifies the availability of domain controllers with FSMO roles.

Services — checks whether required services are running on the domain controller.

Systemlog — checks for errors in system logs.

In addition to the default tests, you can perform extended checks on a domain controller, such as:

Topology — verifies that the KCC has generated a complete topology for all DCs.

CheckSecurityError — locates security-related errors (for example Kerberos or time skew problems) that can stop replication and performs an initial diagnosis.

CutoffServers — identifies DCs not receiving replication due to unavailable partners.

VerifyReplicas — checks the correctness of application partition replication.

VerifyEnterpriseReferences — verifies that the FRS/DFSR and replication system references are intact on every domain controller in the enterprise.

OutboundSecureChannels — verifies that secure channels exist from all DCs in the domain to the domains given with /testdomain.

DNS — includes six DNS service checks (/DnsBasic, /DnsForwarders, /DnsDelegation, /DnsDynamicUpdate, /DnsRecordRegistration, /DnsResolveExtName).

To run extended checks, for example, to verify the DNS service on all DCs, use:

dcdiag.exe /s:DC01 /test:dns /e /v

This produces a summary table of DNS name resolution checks across all domain controllers (if all is well, all results should show Pass). If any test shows Fail, run a targeted check for that test on the specified DC:

dcdiag.exe /s:DC01 /test:dns /DnsForwarders /v

To save test results to a text file for further analysis, use:

dcdiag /s:DC01 /v >> c:\ps\dc01_dcdiag_test.log

To display only test result information using PowerShell, run:

Dcdiag /s:DC01 | select-string -pattern '\. (.*) \b(passed|failed)\b test (.*)'

To check the health of all domain controllers, use:

dcdiag.exe /s:winitpro.ru /a

To display only errors found, run:

dcdiag.exe /s:dc01 /q

If errors are detected, such as SYSVOL replication issues, you can attempt to automatically fix them with:

dcdiag.exe /s:dc01 /fix
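Rather than reading the raw dcdiag output or grepping it with select-string as shown above, the per-test result lines can be turned into objects that are easy to filter and schedule. The following is an added example written for this article, not a tool from Microsoft or the article's own script; the function names, the sample output and the server name DC01 are constructed for illustration, and the regex generalises the select-string pattern above.

```powershell
# Added example (not from the original article): wrap dcdiag so that its
# "......................... DC01 passed test Connectivity" result lines become
# objects you can filter, e.g. to keep only failed tests.

function ConvertFrom-DcdiagOutput {
    # Parse one dcdiag output line; lines that are not test results are ignored.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        if ($Line -match '\.{3,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)') {
            [pscustomobject]@{
                Target = $Matches.Target   # DC name (or domain/site for enterprise-wide tests)
                Test   = $Matches.Test     # e.g. Connectivity, Replications, DNS
                Result = $Matches.Result   # passed | failed
            }
        }
    }
}

function Get-DcdiagResult {
    # Run dcdiag against one DC, optionally restricted to some tests, and return
    # the parsed results. Extra switches such as '/e' or '/v' are passed through.
    param(
        [Parameter(Mandatory)][string]$Server,
        [string[]]$Test,
        [string[]]$ExtraArgument
    )
    $dcdiagArgs = @("/s:$Server")
    foreach ($t in $Test) { $dcdiagArgs += "/test:$t" }
    if ($ExtraArgument) { $dcdiagArgs += $ExtraArgument }
    & dcdiag.exe @dcdiagArgs | ConvertFrom-DcdiagOutput
}

# Offline demonstration with constructed dcdiag output; real output uses the
# same "..... <target> passed|failed test <name>" result lines.
$sampleOutput = @(
    '   Testing server: Default-First-Site-Name\DC01',
    '      Starting test: Connectivity',
    '         ......................... DC01 passed test Connectivity',
    '      Starting test: Replications',
    '         [Replications Check,DC01] A recent replication attempt failed:',
    '         ......................... DC01 failed test Replications',
    '      Starting test: Services',
    '         ......................... DC01 passed test Services'
)
$results = $sampleOutput | ConvertFrom-DcdiagOutput
$results | Format-Table -AutoSize

$failed = $results | Where-Object Result -eq 'failed'
if ($failed) {
    $list = ($failed | ForEach-Object { "$($_.Target)/$($_.Test)" }) -join ', '
    Write-Warning "dcdiag reported failures: $list"
}

# Against a live DC (domain-joined machine with RSAT installed):
# Get-DcdiagResult -Server DC01 | Where-Object Result -eq 'failed'
# Get-DcdiagResult -Server DC01 -Test dns -ExtraArgument '/e','/v'
```

Because the parser only keeps result lines, the verbose (/v) output can still be fed through it; the detailed error text stays in the dcdiag log you redirect to a file, while the objects give you a quick pass/fail view per DC and test.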

Checking Replication Errors Between Active Directory Domain Controllers

To check replication in the domain, use the built-in repadmin tool.

The basic command to check replication status is:

repadmin /replsum

This command provides a summary of replication status across all domain controllers. Ideally, the largest delta should not exceed 1 hour (depending on replication frequency settings), and the error count should be 0. In our example, one of the last replications took 14 days, but the current status is OK.

To check replication across all DCs, run:

repadmin /replsum *

To check inter-site replication, use:

repadmin /showism

To view the replication topology and potential errors, run:

repadmin /showrepl

This command returns the time of the last successful replication for each directory partition. For detailed information, use:

repadmin /showrepl *

To initiate password replication from a standard domain controller to a Read-Only Domain Controller (RODC), use the /rodcpwdrepl switch.

The /replicate option allows immediate replication of a specified directory partition to a specific DC.

To synchronize a specified DC with all its replication partners, use:

repadmin /syncall

To view the replication queue, run:

repadmin /queue

In a healthy state, the replication queue should be empty.

You can also check the time of the last domain controller backup:

repadmin /showbackup *

To check replication status using PowerShell, for example, to display all detected replication errors in a table, run:

Get-ADReplicationPartnerMetadata -Target * -Partition * | Select-Object Server,Partition,Partner,ConsecutiveReplicationFailures,LastReplicationSuccess,LastReplicationResult | Out-GridView

You can use a custom script to check AD replication health. The script generates an HTML file and can send it to a specified email address using the Send-MailMessage cmdlet.

Additionally, you can check the status of typical services on a domain controller, such as ADDS, DNS, and NetLogon:

Get-Service -name ntds,adws,dns,dnscache,kdc,w32time,netlogon -ComputerName dc03
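The custom report script mentioned above can be built from the two cmdlets just shown. What follows is an added example written for this article, not the article's own script: it classifies each replication partner as OK, Stale or Error, lists the state of the core DC services, writes both tables to an HTML file and sends the file with Send-MailMessage only when problems are found. It assumes the ActiveDirectory module (RSAT) and Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7); the one-hour threshold, the report path and the mail addresses and SMTP server are placeholders chosen for illustration.

```powershell
# Added example (not the article's script): AD replication and DC service
# health report as HTML, mailed only when something is wrong.
param(
    [int]$MaxHoursSinceSuccess = 1,                          # "largest delta" rule of thumb from the text
    [string]$ReportPath = 'C:\ps\ad_replication_report.html', # assumed output path
    [string[]]$MailTo,                                       # leave empty to only write the file
    [string]$MailFrom = 'ad-monitor@example.com',            # placeholder
    [string]$SmtpServer = 'smtp.example.com'                 # placeholder
)
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$MaxHours)
    $cutoff = (Get-Date).AddHours(-$MaxHours)
    Get-ADReplicationPartnerMetadata -Target * -Partition * | ForEach-Object {
        # Error: the last attempt failed or failures are accumulating.
        # Stale: attempts succeed, but the last success is older than the threshold.
        $status = if ($_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0) { 'Error' }
                  elseif ($_.LastReplicationSuccess -lt $cutoff) { 'Stale' }
                  else { 'OK' }
        [pscustomobject]@{
            Server      = $_.Server
            Partition   = $_.Partition
            Partner     = $_.Partner
            Failures    = $_.ConsecutiveReplicationFailures
            LastSuccess = $_.LastReplicationSuccess
            LastResult  = $_.LastReplicationResult
            Status      = $status
        }
    }
}

function Get-DcServiceState {
    # The same services the article checks with Get-Service, for every DC in the domain.
    param([string[]]$Name = @('ntds','adws','dns','dnscache','kdc','w32time','netlogon'))
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-Service -Name $Name -ComputerName $dc -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Computer = $dc; Service = $_.Name; Status = $_.Status }
        }
    }
}

$repl = Get-ReplicationHealth -MaxHours $MaxHoursSinceSuccess
$svc  = Get-DcServiceState

# Two HTML tables; problem cells are highlighted in red.
$style = '<style>table{border-collapse:collapse}th,td{border:1px solid #999;padding:4px}</style>'
$replHtml = ($repl | ConvertTo-Html -Fragment -PreContent '<h2>Replication partners</h2>') `
    -replace '<td>(Error|Stale)</td>', '<td style="color:red">$1</td>'
$svcHtml  = ($svc | ConvertTo-Html -Fragment -PreContent '<h2>Domain controller services</h2>') `
    -replace '<td>Stopped</td>', '<td style="color:red">Stopped</td>'
ConvertTo-Html -Head $style -Title 'AD replication health' -Body ($replHtml + $svcHtml) |
    Out-File -FilePath $ReportPath -Encoding UTF8

# Mail the report only when a partner is not OK or a service is not running.
$problems = @($repl | Where-Object Status -ne 'OK').Count + @($svc | Where-Object Status -ne 'Running').Count
if ($MailTo -and $problems -gt 0) {
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
        -Subject "AD health: $problems problem(s) found" -BodyAsHtml -Body (Get-Content -Path $ReportPath -Raw)
}
```

Run it from a scheduled task on a management host, for example `.\Check-AdHealth.ps1 -MailTo admin@example.com` (file name and address are placeholders). The Stale category is what catches the situation described above where replication status reads OK but the last success is days old.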

Regularly checking the health of domain controllers and Active Directory replication is a critical task that helps identify issues early and prevent AD failures. The dcdiag and repadmin tools provide convenient methods for diagnosing and resolving errors in the domain, ensuring network stability.
