Keep an eye on Active Directory (AD) health with commands that are built into Windows Server.
@VPN_News UPDATED: July 25, 2022

Active Directory is coordinated by domain controllers. These controllers are essential to the smooth running of your AD implementations, so it is important to know how to check on their status. A health check for Active Directory domain controllers can be performed with native Microsoft tools that cost nothing. However, there are some skills you need to acquire in order to carry out the check. We will show you how.

Repadmin

The first tool that you need in order to check up on your domain controllers is called repadmin. This is a command that is built into Windows Server, so you don’t need to download or install any software in order to use it. All of the domains in a forest need to be coordinated through replication. The repadmin utility lets you check how that process is faring through a summary report, which is available with the command repadmin /replsummary.

In the output of the summary, you will be able to see whether all of your domain controllers are replicating properly. The largest replication delta means the longest time gap that occurred between replications for that domain controller. You can also see in the output if any replication activities failed.

You can get more detail on the replication activity of each domain controller with the command repadmin /showrepl. To limit the output to just the information for one domain controller, put its label at the end of the showrepl option, such as repadmin /showrepl DC1. The showrepl option will display the neighbors (replication partners) that update the domain controller. If any replication errors were reported in the summary output, you can home in on them by specifying the /errorsonly option, e.g. repadmin /showrepl /errorsonly.

If one of your domain controllers is out of date, you can command an immediate replication run with the option repadmin /syncall. Name the domain controller that needs to be updated in the repadmin command.
This command should be run on the server that hosts the AD domain. For example, to update domain controller DC2 immediately, you would use repadmin /syncall dc2. There is a long list of options that can be added to the end of this command. To see them all, enter repadmin /syncall /?. To see the full list of repadmin commands, type repadmin /?.

Services-check in PowerShell

Access PowerShell to see that the Active Directory Domain Services are running properly. These are the six services to look at:
In order to check that these four services are all running, use the following two lines:
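As an added example (not the article's own listing), the check below assumes the usual short service names on a domain controller, NTDS, DNS, DFSR, IsmServ, Kdc and Netlogon, and reports any that are missing or not running. The function name Test-DcService is hypothetical.

```powershell
# Assumed short names of the services a domain controller depends on.
# Adjust the list to the roles actually installed (DNS is optional on a DC).
$expected = 'NTDS', 'DNS', 'DFSR', 'IsmServ', 'Kdc', 'Netlogon'

function Test-DcService {
    # Hypothetical helper: one result object per expected service on the local host.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        # SilentlyContinue so that a missing service is reported, not thrown.
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $n
            Status    = if ($svc) { $svc.Status } else { 'NotInstalled' }
            StartType = if ($svc) { $svc.StartType } else { $null }
            Healthy   = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

$report = Test-DcService -Name $expected
$report | Format-Table -AutoSize

# List only the services that need attention.
$report | Where-Object { -not $_.Healthy } |
    ForEach-Object { Write-Warning "$($_.Service): $($_.Status)" }
```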
Although this is a complicated request to write, the output is very straightforward: you should just get a report that each of these services is running.

DCDiag (dcdiag.exe)

A key tool that you need in order to keep tabs on your AD domain controllers is called DCDiag, or dcdiag.exe. This also covers issues around replication, and it can check on DNS servers and other essential services. The command is bundled with the Remote Server Administration Tools (RSAT) and it is also included with the AD DS role. DCDiag is able to run 30 different tests on your Active Directory domain controllers and their supporting services. Among these tests are:
It is possible to see all of the test categories available in dcdiag.exe by issuing the command dcdiag /h.

How to run DCDiag tests

The dcdiag.exe program makes operating tests very easy. You don’t need to issue a command for each test. Instead, one short dcdiag.exe request launches a group of tests. Some guides tell you that you have to name the dcdiag program in full in order to run it, typing dcdiag.exe. However, this is not necessary: typing dcdiag is enough.

There are two formats for running the command, depending on whether you want to query the domain controller that is resident on the host on which you run the command or a DC that is hosted on a remote server. If you want to test a remote domain controller, you put its name immediately after the command with the /s: switch; if you are examining the local domain controller, you leave that part out. It is also possible to specify a username and password for a remote domain controller account. The label for the account name is /u: and for the password is /p:. So, an example of a command to test a remote domain controller could be:
To run tests on a local domain controller, you would just need to type in
The good news is that this one command runs a battery of tests. There is also a list of test names that you can run individually.

DCDiag options

DCDiag options go after the command and an optional identifier for a remote domain controller. You can get a list of them by entering dcdiag /? or dcdiag /h. Here is the list:
It isn’t necessary to add any options to the command; DCDiag can be run alone, without any further keywords, just the command name itself.

Running specific tests with DCDiag (dcdiag.exe)

The straightforward dcdiag command runs a battery of tests. It is possible to just run one of these tests or a category of tests. For example, DNS-related tests are all grouped under the test name DNS. To run these tests on a local server, you just need to enter:
This command will run a suite of tests:
As well as running a group of tests, the /test option can launch individual tests. So, in the DNS option above, the user could also choose to just run the DnsBasic package with the command:
DCDiag (dcdiag.exe) is a very useful tool, but be aware that some tests can take a long time to run. Especially if you use the /e option to test the entire system, don’t expect to see a report straight away. Those administrating the system for a large company with many inter-connected sites that share an AD structure should launch the command and then go to lunch while waiting for a response.

Summary

By using Repadmin, a PowerShell services check, and DCDiag, you can get a very good view of your AD structure. However, despite the great services of these free utilities, you will still be using manual methods to maintain a complicated IT system. Active Directory is vital for effective system security but it can be difficult to visualize and manage. Consider an automated tool instead. You should check out ManageEngine ADManager Plus and the SolarWinds Active Directory Monitoring tool for some good automated AD management tools.

Domain Controller Health Check FAQs

How do I run a domain controller diagnostic?
For an Active Directory domain controller check, run the dcdiag command in a Command Prompt window with Administrator privileges. Typing the command by itself gives you a test on the local domain controller. You can also examine a remote domain controller by adding the option /s:<DC_name> where <DC_name> is the domain controller that you want to test.

How can I tell if Active Directory is functioning properly?
Run dcdiag to check on the status of Active Directory. This tool provides 30 tests on domain controllers. You have to run it in a Command Prompt window that has been run as Administrator.

How do I check global catalog health?
Check on the status of the global catalog for Active Directory by opening a Command Prompt window as Administrator and running dsquery server -isgc. Another option you should implement is to run the command dcdiag /v /c /d /e for a full status report.

How do I check Active Directory status?
Windows 10. Click the Windows button and type advanced; it should take you to System Properties. Look under the Computer name, domain, and workgroup settings for this entry: Domain: ad.uillinois.edu (means you are connected to the campus UOFI Active Directory).

How do I find Active Directory Domain Services?
From the “Administrative Tools” menu, select “Active Directory Domains and Trusts” or “Active Directory Users and Computers”. Right-click the root domain, then select “Properties”. Under the “General” tab, the “Domain functional level” and “Forest functional level” are displayed on the screen.

How do I check my DC health status?
How to check the health of your Active Directory:
Make sure that domain controllers are in sync and that replication is ongoing. ...
Make sure that all the dependency services are running properly. ...
Use the Domain Controller Diagnostic tool (DCDiag) to check various aspects of a domain controller. ...
Detect unsecure LDAP binds.
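The replication and DCDiag checks covered in this article can be turned into objects that a script can alert on. The following is an added example, not part of the original article: it goes beyond the page by using repadmin's /csv output, it runs on constructed sample output, and the function names Get-ReplicationProblem and Get-DcDiagFailure are hypothetical.

```powershell
# Constructed samples (not captured from a real forest). Column names and the
# "failed test" wording are assumed to match English-language Windows Server.
$showrepl = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site1,DC1,"DC=example,DC=test",Site1,DC2,RPC,0,0,2022-07-25 09:58:12,0
showrepl_INFO,Site1,DC2,"DC=example,DC=test",Site1,DC1,RPC,3,2022-07-25 09:45:01,2022-07-24 21:40:33,1722
'@ -split '\r?\n'
$dcdiag = @'
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: DFSREvent
         ......................... DC1 failed test DFSREvent
'@ -split '\r?\n'

function Get-ReplicationProblem {
    # Hypothetical helper: flags links with failures or a stale/unknown last success.
    param([string[]]$Csv, [datetime]$Now = (Get-Date), [int]$MaxAgeMinutes = 60)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $last = [datetime]::MinValue
        $ok = [datetime]::TryParse($row.'Last Success Time', [ref]$last)
        $age = if ($ok) { [int]($Now - $last).TotalMinutes } else { $null }
        if ([int]$row.'Number of Failures' -gt 0 -or -not $ok -or $age -gt $MaxAgeMinutes) {
            [pscustomobject]@{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Context     = $row.'Naming Context'
                Failures    = [int]$row.'Number of Failures'
                AgeMinutes  = $age
                LastStatus  = $row.'Last Failure Status'
            }
        }
    }
}

function Get-DcDiagFailure {
    # Hypothetical helper: one object per "<server> failed test <name>" line.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{5,}\s+(?<Target>\S+) failed test (?<Test>\S+)') {
            [pscustomobject]@{ Target = $Matches.Target; Test = $Matches.Test }
        }
    }
}

# On a domain controller, replace the samples with live output:
#   $showrepl = repadmin /showrepl * /csv ;  $dcdiag = dcdiag
Get-ReplicationProblem -Csv $showrepl -Now ([datetime]'2022-07-25 10:00:00')
Get-DcDiagFailure -Lines $dcdiag
```

Passing -Now explicitly keeps the sample reproducible; omit it against live output so the age is measured from the current time.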