Moje knowledge base, pro Vás i pro mne. Také spousta blbin okolo.

Active Directory Health Check

21.03.2016 14:33

From time to time its worth running a health check on your Active Directory to make sure everything is running smoothly. We occasionally get a support questions that after some investigation boil down to an issue with the domain. Below we’ve listed some common areas to check and commands you can run to make sure your domain is healthy.

– Event Viewer
– Domain Controller Diagnostics Tool (Dcdiag.exe)
– Network Diagnostics Tool (Netdiag.exe)
– Defragmentation

Event logs

Checking the Event Viewer is the first place to visit, make sure you re-check the logs after you make any changes. Check the Event Viewer logs for the following areas DFS Replication, Directory Service and DNS servers. Abnormal errors related to Active Directory services will be shown here, some common errors event are:

· Replication lingering(event ids 1388,1988,2042)

· Replication DNS lookup problems (event ids 1925,2087,2088)

· Replication connectivity problems (event id 1925)

· Replication topology problem (event id 1311)

Domain controllers diagnostic (DCDiag)

We can use DCDIAG to analyse each domain controller in the forest and report back any problems ( ).

Command: Dcdiag.exe /v >> c:\dcdiag.txt
Description: Runs all tests in Verbose mode. Use >> to write the results to a file for easy reading.

Command: dcdiag /test:dns
Description: Test to validate DNS health.

Command: dcdiag /e
Description: Run a test on every domain controller from your enterprise.

Command: dcdiag /q
Description: Reports only detected errors.

Command: dcdiag /s: name of the server.
Description: Run dcdiag against a specified domain controller.

Network Diagnostics Tool (Netdiag.exe)

NetDiag is a command-line tool that performs a nnumber of network connectivity related tests.

Command: Netdiag.exe /v >> c:\netdiag.txt
Description: Run the command on each DC to check for network related issues.


First lets check replication is working, replication status can be checked with repadmin command ( This command is used to detect Active Directory replication problems between domain controllers from the same forest/domain, there are several arguments we can use.

Command: repadmin /showrepl
Description: Run this command too view all replication, it will show successes and errors.

Command: repadmin /replsummary
Description: List domain controllers that have issues with Active Directory replication.

Command: repadmin /replicate
Description: Force Active Directory domain controller replication.

Command: repadmin /kcc
Description: Force Active Directory domain controller to check its inbound replication topology and generate missing connections.


Active Directory relies on a correctly configured DNS infrastructure. DNS issues can be checked using the DNSLint tool. DNSLint is a command line utility for troubleshooting common DNS problems ( ). There are three arguments that allow us to verify the DNS is working correctly.

Command: dnslint /ad
Description: Check DNS records used by Active Directory replication. This command should be followed by the IP address of an Active Directory domain controller.

Command: dnslint /d
Description: This argument checks causes of lame delegation. The domain name that you test can be a name that is registered for use on the Internet or a name that is used in a private namespace. When you test domain names on a private network, or domain names registered on the Internet that are more than two levels deep, you must use the /s option must be used.

Command: dnslint /ql
Description: Check a used-defined set of DNS records. Use this switch to test the DNS records from a text file. The full path for the file is required in order to run this command.