Checking Active Directory Domain Controller Health and Replication

Active Directory is a reliable, but complex and critical service, and the operability of the whole enterprise network depends on it. A system administrator should constantly check if Active Directory works correctly. In this article, we will go over the main methods of how to check and diagnose the health of your Active Directory domain, domain controllers, and replication.

How to Check AD Domain Controller Health Using Dcdiag?

Dcdiag is a basic built-in tool to check Active Directory domain controller health. To quickly check the state of an AD domain controller, use the command below:

dcdiag /s:DC01

The command runs different tests against the specified domain controller and returns a state for each test (Passed/Failed).

Typical tests:

• Connectivity – checks if the DC is registered in DNS, establishes test LDAP and RPC connections;
• Advertising – checks roles and services published on the DC;
• FRSEvent – checks if there are any errors of file replication service (SYSVOL replication errors);
• FSMOCheck – checks if the DC can connect to KDC, PDC, and Global Catalog server;
• MachineAccount — checks if the DC account is registered in AD correctly and if the domain trust relationship is correct;
• NetLogons – checks the logon privileges to allow replication to proceed;
• Replications – checks the state of replication between domain controllers and if there are any errors;
• KnowsOfRoleHolders – checks the availability of the domain controllers with FSMO roles;
• Services – checks if services on the domain controllers are running;
• Systemlog – checks if there are any errors in the DC logs;
• Etc.

Besides default tests, you can run additional domain controller checks:

• Topology – checks if KCC has generated full topology for all DCs
• CheckSecurityError
• CutoffServers – finds a DC that is not replicated since its partner is unavailable
• DNS – 6 DNS checks are available (/DnsBasic, /DnsForwarders, /DnsDelegation, /DnsDymanicUpdate, /DnsRecordRegistration, /DnsResolveExtName)
• OutboundSecureChannels
• VerifyReplicas – checks if the application partitions are replicated correctly
• VerifyEnterpriseReferences

For example, to check if DNS is working correctly on all domain controllers, use the following command:

dcdiag.exe /s:DC01 /test:dns /e /v

It will result in a summary table showing test results on how DNS resolves names on all DCs (if it is OK, you will see Pass in every cell). If you see Fail, you need to run this test against the specified DC:

dcdiag.exe /s:DC01 /test:dns /DnsForwarders /v

To get more information from domain controller test results and save it to a text file, use this command:

dcdiag /s:DC01 /v >> c:\ps\dc01_dcdiag_test.log

To get the state of all domain controllers, use:

dcdiag.exe /s:woshub.com /a

If you want to display only the errors you have found, use the /q option:

dcdiag.exe /s:dc01 /q

In my example, the tool has detected some replication errors:

There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... DC01 failed test DFSREvent

To make dcdiag automatically fix the Service Principal Names errors for the DC account, use the /fix option:

dcdiag.exe /s:dc01 /fix

Checking Active Directory Replication Errors Between DCs

The built-in repadmin tool is used to check replication in the Active Directory domain.

Here is the basic command to check AD replication:

repadmin /replsum

The tool has returned the current replication status between all DCs. Ideally, the largest delta value should be less than 1 hour (depends on the AD topology and intersite replication frequency settings), and the number of errors = 0. In my example, you can see that one of the latest replication took 14 days, but now it is OK.

To check replication for all DCs in the domain:

repadmin /replsum *

To test intersite replication:

repadmin /showism

To view the replication topology and errors (if any), run this command:

repadmin /showrepl

The command will check the DCs and return the time and date of the last successful replication for each directory partition (last attempt xxxx was successful).

To run password replication from a writable domain controller to a read-only domain controller (RODC), the /rodcpwdrepl option is used.

The /replicate option starts the replication of the specified directory partition to a specific DC immediately.

To synchronize a specified DC with all its replication partners, use the command below:

replmon /syncall <nameDC>

To view the replication queue:

repadmin /queue

Ideally, the replication queue should be empty.

Check when the latest backup of the current domain controller was created:

Repadmin /showbackup *

You can also check the replication state using PowerShell. For example, the following command will display all replication errors it finds in the Out-GridView table:

Get-ADReplicationPartnerMetadata -Target * -Partition * | Select-Object Server,Partition,Partner,ConsecutiveReplicationFailures,LastReplicationSuccess,LastRepicationResult | Out-GridView

You can also check the state of ADDS basic services on a domain controller using the Get-Service cmdlet:

• Active Directory Domain Services (ntds)
• Active Directory Web Services (adws) – all cmdlets from the AD PowerShell module connect to this service
• DNS (dnscache and dns)
• Kerberos Key Distribution Center (kdc)
• Windows Time Service (w32time)
• NetLogon (netlogon)

Get-Service -name ntds,adws,dns,dnscache,kdc,w32time,netlogon -ComputerName dc01

So, in this article, we have shown basic tools, commands, and PowerShell scripts you can use to diagnose the health of your Active Directory domain. You can use them in all supported Windows Server versions, including the domain controllers running in the Server Core mode.