Testing the health of your local domain controller can be an extremely important task, especially when problems with Active Directory arise. Let’s look at an important tool in the toolbelt for Active Directory administrators called DCDiag. It allows admins to check domain controller health and other metrics to ensure everything works properly in Active Directory Domain Services (AD DS).
Common Active Directory Errors and Issues
Note the following common Active Directory errors and issues that can happen over time with Active Directory Domain Services environments.
Replication Delays: Replication is what keeps every domain controller supplied with the latest directory information, so a delay or failure in replicating data between domain controllers leaves some of them with stale data.
DNS Configuration Errors: Proper DNS setup is vital for Active Directory operations. Misconfigurations or errors in DNS might prevent domain controllers from locating each other or processing user requests efficiently.
Failed Trust Relationships: Trust relationships between domains are crucial for resource sharing in larger organizations. Failures could indicate potential security or access issues.
Operational Domain Controller Issues: A non-responsive or down domain controller can affect network operations, causing potential service interruptions or delays.
Global Catalog Unavailability: Global Catalog servers are essential for various tasks like searching and login operations. Issues connecting to global catalogs can cause disruptions in these processes.
Inconsistencies in Group Policy: There might be failures in propagating or applying group policies across domain controllers, leading to inconsistent user experiences or potential security loopholes.
Time Synchronization Discrepancies: Proper time synchronization between servers is essential for token generation and validation processes. Discrepancies in time across domain controllers can affect authentication and other time-sensitive operations.
Service Status Anomalies: Essential services like the NetLogon, Kerberos, and more, need to be operational for Active Directory to function smoothly. If these services aren’t running as expected, it could lead to authentication challenges and other operational problems.
Security Descriptor Anomalies: Security descriptors ensure that directory objects have the right permissions. Issues related to these descriptors might result in unauthorized access or unexpected access denied errors.
Directory Database Integrity Concerns: The directory databases’ health and integrity on domain controllers must be maintained. Any signs of data inconsistency or corruption can affect directory operations and services.
What is DCDiag?
DCDiag is a command-line tool that can be used to perform the initial, required tests. It performs a health check for Active Directory domain controllers, DNS servers, AD replication, and other AD DS infrastructure services. The utility is built into modern Windows Server versions (2019/2016/2012 R2); in earlier versions of Windows Server, it had to be installed manually from the Support Tools package. To run DCDiag on a client OS (Windows 11/10/8.1), install the Remote Server Administration Tools (RSAT) pack on your computer.
The DcDiag utility can perform up to 30 different tests related to the AD domain infrastructure, DNS, FSMO roles, and so on, and can be run with verbose output. The main tests are briefly listed below.
DCDiag commands
DCDiag test | Test description
Advertising | Checks that the domain controller correctly advertises itself and the roles it holds (for example, as an operations master). This test fails if the NetLogon service is not running.
CheckSDRefDom | Verifies that each application directory partition has the correct security descriptor reference domain.
Connectivity | Checks the DNS registration of each domain controller, sends a test echo packet to each one, and verifies LDAP and RPC connectivity to each domain controller.
CrossRefValidation | Checks that the cross-reference objects for the domains are valid.
FrsSysVol | Checks whether the FRS SYSVOL share is ready.
FRSEvent | Checks for errors in the File Replication Service event log, which may indicate problems with SYSVOL replication and, therefore, with the integrity of the GPO copies.
FSMOCheck | Checks that a global catalog server, the primary domain controller (PDC) emulator, a preferred time server, and a KDC can be located.
Intersite | Checks for errors that could interfere with normal replication between AD sites. Microsoft warns that this test may sometimes be inaccurate.
KnowsOfRoleHolders | Checks whether the domain controller can connect to all five FSMO role holders.
MachineAccount | Verifies that the target computer's account is registered correctly and that its service announcements are correct.
NCSecDesc | Verifies that the security descriptors on the naming context heads have the permissions required for replication.
NetLogons | Verifies that the logon permissions required for replication are in place on each domain controller.
ObjectsReplicated | Verifies that the Directory System Agent (DSA) and computer account objects have replicated.
OutboundSecureChannels | Checks that secure channels exist between all domain controllers in the domain.
Replications | Checks replication between domain controllers and reports all replication errors.
RidManager | Checks that the RID master is available and working.
Services | Verifies that all services required by AD DS are running on the specified domain controller.
VerifyEnterpriseReferences | Checks that the FRS system references are valid for all objects on all domain controllers in the forest.
VerifyReferences | Checks that the FRS system references are valid for all objects on the specified domain controller.
VerifyReplicas | Checks that all application directory partitions are present on all servers that participate in their replication.
Topology | Checks that the KCC has generated a fully connected topology for all domain controllers.
CutoffServers | Checks for replication servers that have no replication partner.
DNS | Runs the six additional DNS sub-tests (see below).
DcPromo | Checks the DNS infrastructure for a computer that you want to promote to a domain controller. If the infrastructure meets the requirements, you can install the AD DS domain controller role on that computer.
DCDiag syntax
The general syntax of the DcDiag utility is:
dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]
Useful Examples of DcDiag Command
It is recommended to run the DcDiag test on the domain controller itself, and not remotely. For example, let’s run a check on a DC01 domain controller:
dcdiag /s:DC01
Hint. Note that you are likely to encounter warning events when running DcDiag tests remotely. Tests such as SystemLog will fail unless you run dcdiag.exe locally on a domain controller.
When you run the tool without naming any test, all 30 tests are run for the specified domain controller. In our example, every test passed (Starting test: … passed test), which means everything is fine on this DC.
The test results will show Passed if the test was successful and DcDiag found no errors. The Failed message will appear next to the check name if an error is found.
General health check
DcDiag allows you to perform a quick general health test of Active Directory and domain controllers. To check all DCs in the domain, use the /e parameter. The following command will only list errors that require the AD administrator’s attention:
dcdiag /e /v /q
Specific tests
You can perform a specific AD test only by specifying its name, for example:
dcdiag /s:DC01 /a /test:NetLogons
Testing the RID master
You can test the health of the RID master FSMO owner in the domain:
Dcdiag.exe /TEST:RidManager /v
Excluding a specific test from the checklist
You can also exclude a specific test from the checklist (here the /a switch tests all DCs in the site):
dcdiag /s:DC01 /a /skip:Replications
Specifying credentials
When running the DcDiag tool remotely, you need to specify credentials that have domain admin privileges (the syntax is /u:<Domain>\<UserName>). Passing /p:* instead of the password prompts for it interactively, so the password does not end up in the command history:
dcdiag /s:DC01 /u:contoso\admin /p:P@SSwoord
Saving the results to a file
In order to display the extended information and save the test results to files, use the command:
dcdiag /s:DC01 /v /f:c:\ps\dcdiag_report.log
Testing all domain controllers in the current site
To test all domain controllers in the current Active Directory site, run the command:
dcdiag /s:DC01 /a
Remove extra information
If you want to remove the extra information from the test results to display only the errors found, use the /q parameter (if no errors were found, the command will return nothing):
dcdiag /s:DC01 /q
Fixing errors with DCDiag
Some trivial errors can be fixed with DcDiag by itself. To do this, use the /fix switch:
dcdiag /s:DC01 /fix
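As an added example that is not part of the original article, the following PowerShell script wraps the health check described above: it runs dcdiag with verbose output against one domain controller, keeps the raw log for later review, and parses every "passed test" / "failed test" result line into objects so that failures can be listed and the set of tests that actually ran can be confirmed. The function names and the log path are assumptions, and the sample output lines are constructed to match the result-line layout dcdiag prints (they are not a real capture).

```powershell
# Added example (not from the original article). Parses dcdiag result lines of the form
#   "......................... DC01 passed test Advertising"
# and runs a health check against one DC. Function names and the log path are assumptions.

function ConvertFrom-DcDiagOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    begin {
        # Named captures: the test target (DC or partition), the verdict, and the test name.
        $pattern = '^\s*\.{5,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Target = $Matches.Target
                Test   = $Matches.Test
                Passed = ($Matches.Result -eq 'passed')
            }
        }
    }
}

function Invoke-DcDiagHealthCheck {
    [CmdletBinding()]
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        # Assumed log location; the article uses C:\ps for its own report file.
        [string]$LogFile = "C:\ps\dcdiag_${DomainController}_$(Get-Date -Format 'yyyyMMdd_HHmm').log"
    )
    # /v keeps the detail needed to investigate a failure; the raw log is kept for later review.
    $raw = & dcdiag.exe /s:$DomainController /v 2>&1 | ForEach-Object { "$_" }
    $raw | Set-Content -Path $LogFile
    $results = @($raw | ConvertFrom-DcDiagOutput)
    $failed = @($results | Where-Object { -not $_.Passed })
    if ($failed.Count -gt 0) {
        $list = ($failed | ForEach-Object { "$($_.Target)/$($_.Test)" }) -join ', '
        Write-Warning ("{0}: {1} test(s) failed: {2}. See {3}" -f $DomainController, $failed.Count, $list, $LogFile)
    }
    return $results
}

# Constructed sample output used to demonstrate the parser offline (not a real dcdiag capture).
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
         ......................... DC01 failed test Replications
      Starting test: SystemLog
         ......................... DC01 passed test SystemLog
   Running partition tests on : theitbros
      Starting test: CrossRefValidation
         ......................... theitbros passed test CrossRefValidation
'@ -split "`r?`n"

$parsed = @($sample | ConvertFrom-DcDiagOutput)
$parsed | Format-Table -AutoSize

# A test that is missing from the parsed list did not run at all, which is itself a finding.
$expected = 'Advertising', 'Replications', 'SystemLog'
$ran = ($parsed | Where-Object Target -eq 'DC01').Test
$missing = $expected | Where-Object { $_ -notin $ran }
if ($missing) { Write-Warning "Tests that did not run on DC01: $($missing -join ', ')" }

# Live run on a real domain controller (requires dcdiag.exe, i.e. a DC or a host with RSAT):
# Invoke-DcDiagHealthCheck -DomainController DC01
```

Parsing the full verbose output rather than relying on /q has one advantage for monitoring: /q prints nothing when there are no errors, which is indistinguishable from a run in which a test never executed, whereas the object list above shows exactly which tests ran and which verdict each received.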
Testing DNS on Active Directory domain controllers using DCDiag
The DNS tests check the name resolution service that Active Directory depends on. For example, to run all DNS tests for a specific domain controller and export the result to a text file:
DCDiag /Test:DNS /e /v /s:dc01.theitbros.com >c:\logs\DcdiagDNSCheck.txt
Open the resulting DNS test log file:
Get-Content c:\logs\DcdiagDNSCheck.txt
The result of each DNS test is listed in a column under the “Summary of DNS test results” section. In this example, all DNS tests passed (PASS) except for the DNS forwarding test (FAIL).
You can also run only certain DNS sub-tests:
dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]
/DnsBasic | Basic DNS tests: connectivity, DNS client configuration, service availability, and presence of the domain zone
/DnsForwarders | DnsBasic tests plus DNS forwarding
/DnsDelegation | DnsBasic tests plus delegation verification
/DnsDynamicUpdate | DnsBasic tests plus a check that dynamic update is enabled for the Active Directory zone
/DnsRecordRegistration | DnsBasic tests plus a check that the A, CNAME, and SRV records are registered. An inventory report is also generated from the test results.
/DnsResolveExtName [/DnsInternetName:<InternetName>] | DnsBasic tests plus resolution of an external name. If /DnsInternetName is not specified, the tool attempts to resolve www.microsoft.com; otherwise it resolves the specified InternetName.
You can also have DCDiag fix some common DNS errors automatically. Use the following command to fix the errors it finds in the DNS service on the specified domain controller:
DCDiag /Test:DNS /e /v /s:dc01.theitbros.com /fix
Hint. DNS errors on a domain controller are often the source of the Error 1722 the RPC server is unavailable (RPC_S_SERVER_UNAVAILABLE) issue in an Active Directory domain.
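As an added example (not from the original article), the following PowerShell function parses the “Summary of DNS test results” table contained in a dcdiag /test:DNS log, so that a FAIL or WARN in any sub-test column can be picked out per domain controller instead of being read from the log by eye. It assumes the summary layout whose column headers are Auth Basc Forw Del Dyn RReg Ext; the sample log text is constructed (with the forwarding failure from the example above) rather than a real capture, and the function name and log path are assumptions.

```powershell
# Added example (not from the original article). Parses the "Summary of DNS test results"
# table from a dcdiag /test:DNS log into one object per DC and sub-test.
# Assumes the summary layout with the column headers: Auth Basc Forw Del Dyn RReg Ext.

function ConvertFrom-DcDiagDnsSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Line)

    $inSummary  = $false
    $columns    = @()
    $rowPattern = $null
    $domain     = $null
    foreach ($l in $Line) {
        if (-not $inSummary) {
            if ($l -match 'Summary of DNS test results') { $inSummary = $true }
            continue
        }
        # The header row names the sub-test columns; build the row regex from its width.
        if ($l -match '^\s*Auth\s+Basc') {
            $columns = $l.Trim() -split '\s+'
            $rowPattern = '^\s*(?<Dc>\S+)\s+(?<Verdicts>(?:(?:PASS|FAIL|WARN|n/a)\s*){' + $columns.Count + '})$'
            continue
        }
        if ($l -match '^\s*Domain:\s*(?<Domain>\S+)') { $domain = $Matches.Domain; continue }
        # Result rows: "<dc>   PASS PASS FAIL PASS PASS PASS n/a" (one verdict per column).
        if ($rowPattern -and $l -match $rowPattern) {
            $dc = $Matches.Dc
            $verdicts = $Matches.Verdicts.Trim() -split '\s+'
            for ($i = 0; $i -lt $columns.Count; $i++) {
                [pscustomobject]@{
                    Domain           = $domain
                    DomainController = $dc
                    SubTest          = $columns[$i]
                    Result           = $verdicts[$i]
                }
            }
            continue
        }
        # The overall verdict line closes the summary block.
        if ($l -match '(passed|failed) test DNS') { break }
    }
}

# Constructed sample log (not a real capture): the forwarders sub-test fails on dc01.
$sampleLog = @'
   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
      _________________________________________________________________
      Domain: theitbros.com
         dc01                         PASS PASS FAIL PASS PASS PASS n/a
         dc02                         PASS PASS PASS PASS PASS PASS n/a

   ......................... theitbros.com passed test DNS
'@ -split "`r?`n"

$dns = @(ConvertFrom-DcDiagDnsSummary -Line $sampleLog)
# Only the problems: for the sample this is dc01 / Forw / FAIL.
$dns | Where-Object { $_.Result -in 'FAIL', 'WARN' } | Format-Table -AutoSize

# For a real log written as shown earlier on this page:
# ConvertFrom-DcDiagDnsSummary -Line (Get-Content c:\logs\DcdiagDNSCheck.txt) |
#     Where-Object { $_.Result -in 'FAIL', 'WARN' }
```

Note that the overall line “passed test DNS” can appear even when an individual sub-test column shows FAIL, which is why the per-column objects are worth keeping rather than only the final verdict.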
Frequently Asked Questions
What is DCDiag?
DCDiag is a command-line tool designed for Active Directory Domain Services (ADDS) infrastructure. It assists administrators in performing an in-depth health check on domain controllers. This ensures the health of Active Directory services and verifies elements like DNS servers, AD replication, and more.
How do you initiate a DCDiag test on a local domain controller?
Launching a DCDiag test is straightforward. From an elevated command prompt, you can type the dcdiag command to start testing the local domain controller. If you need verbose output, run DCDiag with verbose options using the /v switch.
Why are DNS tests pivotal when using DCDiag?
DNS is integral to the functionality of an Active Directory. DCDiag performs DNS testing to verify things like basic DNS tests, checking if resource records are registered, ensuring dynamic updates for an active directory zone, and the DNS client configuration service.
How can I discern the health of my primary domain controller among multiple domain controllers?
To focus on the primary domain controller’s health, the DCDiag tool can be directed using specific parameters. To check domain controller health, use the command dcdiag /s:<YourPDCName>. This ensures that the health check is specific to your primary domain controller.
Can it check connectivity between domain controllers?
Absolutely. The DCDiag tool offers a test connectivity feature. This test ensures that domain controllers can communicate effectively, especially vital when dealing with multiple domain controllers within an enterprise.
What should I keep in mind when interpreting the test results from DCDiag?
After running DCDiag, review the results. While “Passed” indicates a successful test, “Failed” flags potential issues. But remember, not all error messages are emergencies. Some error messages don’t necessarily indicate a problem.
Can DCDiag diagnose replication errors?
Yes, it can. Using DCDiag, administrators can test replications to ensure that domain data is consistently replicated across all the servers. DCDiag will flag replication errors, enabling admins to intervene.
How does DCDiag perform as a tool for enterprise tests?
DCDiag is a good tool for both small and enterprise environments. Whether it’s testing server default first site or running partition tests, DCDiag ensures that your Active Directory infrastructure is healthy.
Absolutely. With features like the DNS test, DCDiag is an excellent tool for diagnosing DNS. If DNS misconfigurations exist on a domain controller, DCDiag is effective at flagging them, helping to keep your Active Directory problem-free.
Wrapping up
Working with Active Directory and troubleshooting issues can be challenging. But with tools like DCDiag, it gets easier. As we have seen, this tool helps verify everything is working right, whether you’re looking at local domain controllers or remote AD DS environments.
With DCDiag, you can quickly check DNS settings, connectivity, and verify there are no other issues in the environment, like replication problems. It helps admins ensure everything is running smoothly and avoid larger problems down the line.