To check the health of Active Directory use the following command:
Start > Run > cmd > dcdiag | find /i "test "
Note the space character after the word ‘test’.
Examples
Unhealthy myserver.mydomain.com
C:\>dcdiag | find /i "test " ......................... myserver passed test Connectivity ......................... myserver failed test Advertising ......................... myserver passed test FrsEvent ......................... myserver passed test DFSREvent ......................... myserver passed test SysVolCheck ......................... myserver passed test KccEvent ......................... myserver passed test KnowsOfRoleHolders ......................... myserver passed test MachineAccount ......................... myserver failed test NCSecDesc ......................... myserver failed test NetLogons ......................... myserver passed test ObjectsReplicated ......................... myserver failed test Replications ......................... myserver passed test RidManager ......................... myserver passed test Services ......................... myserver failed test SystemLog ......................... myserver passed test VerifyReferences ......................... ForestDnsZones passed test CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom ......................... Schema passed test CheckSDRefDom ......................... Schema passed test CrossRefValidation ......................... Configuration passed test CheckSDRefDom ......................... Configuration passed test CrossRefValidation ......................... mydomain passed test CheckSDRefDom ......................... mydomain passed test CrossRefValidation ......................... mydomain.com passed test LocatorCheck ......................... mydomain.com passed test Intersite
Healthy myserver.mydomain.com
C:\>dcdiag | find /i "test " ......................... myserver passed test Connectivity ......................... myserver passed test Advertising ......................... myserver passed test FrsEvent ......................... myserver passed test DFSREvent ......................... myserver passed test SysVolCheck ......................... myserver passed test KccEvent ......................... myserver passed test KnowsOfRoleHolders ......................... myserver passed test MachineAccount ......................... myserver failed test NCSecDesc ......................... myserver passed test NetLogons ......................... myserver passed test ObjectsReplicated ......................... myserver passed test Replications ......................... myserver passed test RidManager ......................... myserver passed test Services ......................... myserver failed test SystemLog ......................... myserver passed test VerifyReferences ......................... ForestDnsZones passed test CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom ......................... Schema passed test CheckSDRefDom ......................... Schema passed test CrossRefValidation ......................... Configuration passed test CheckSDRefDom ......................... Configuration passed test CrossRefValidation ......................... mydomain passed test CheckSDRefDom ......................... mydomain passed test CrossRefValidation ......................... mydomain.com passed test LocatorCheck ......................... mydomain.com passed test Intersite
Warnings and/or errors related to Active Directory Replication are often present in Event Viewer’s System Log. This is why ‘SystemLog’ appears ‘failed’ at times. ‘NsSecDesc’ is supposed to return ‘failed’ at all times unless you have a Read-Only Domain Controller (RODC) in your network (Microsoft KB967482). As such, both items can safely be ignored; in this case Active Directory is in a healthy state.
Site Replication and DNS are components to investigate first in situations where Active Directory is not healthy.
To investigate Site Replication, you can use the following command:
repadmin /showreps
An unhealthy Active Directory may be resolved by checking the system date/time, restarting Replication and/or DNS services, restarting the server or alternatively by demoting and promoting a server worst case.
Easy.