To check the health of Active Directory use the following command:

Start > Run > cmd > dcdiag | find /i "test "

Note the space character after the word ‘test’.

C:\>dcdiag | find /i "test "
......................... myserver passed test Connectivity
......................... myserver failed test Advertising
......................... myserver passed test FrsEvent
......................... myserver passed test DFSREvent
......................... myserver passed test SysVolCheck
......................... myserver passed test KccEvent
......................... myserver passed test KnowsOfRoleHolders
......................... myserver passed test MachineAccount
......................... myserver failed test NCSecDesc
......................... myserver failed test NetLogons
......................... myserver passed test ObjectsReplicated
......................... myserver failed test Replications
......................... myserver passed test RidManager
......................... myserver passed test Services
......................... myserver failed test SystemLog
......................... myserver passed test VerifyReferences
......................... ForestDnsZones passed test CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
......................... Schema passed test CheckSDRefDom
......................... Schema passed test CrossRefValidation
......................... Configuration passed test CheckSDRefDom
......................... Configuration passed test CrossRefValidation
......................... mydomain passed test CheckSDRefDom
......................... mydomain passed test CrossRefValidation
......................... mydomain.com passed test LocatorCheck
......................... mydomain.com passed test Intersite

C:\>dcdiag | find /i "test "
......................... myserver passed test Connectivity
......................... myserver passed test Advertising
......................... myserver passed test FrsEvent
......................... myserver passed test DFSREvent
......................... myserver passed test SysVolCheck
......................... myserver passed test KccEvent
......................... myserver passed test KnowsOfRoleHolders
......................... myserver passed test MachineAccount
......................... myserver failed test NCSecDesc
......................... myserver passed test NetLogons
......................... myserver passed test ObjectsReplicated
......................... myserver passed test Replications
......................... myserver passed test RidManager
......................... myserver passed test Services
......................... myserver failed test SystemLog
......................... myserver passed test VerifyReferences
......................... ForestDnsZones passed test CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
......................... Schema passed test CheckSDRefDom
......................... Schema passed test CrossRefValidation
......................... Configuration passed test CheckSDRefDom
......................... Configuration passed test CrossRefValidation
......................... mydomain passed test CheckSDRefDom
......................... mydomain passed test CrossRefValidation
......................... mydomain.com passed test LocatorCheck
......................... mydomain.com passed test Intersite

Warnings and/or errors related to Active Directory Replication are often present in Event Viewer’s System Log.  This is why ‘SystemLog’ appears ‘failed’ at times.  ‘NsSecDesc’ is supposed to return ‘failed’ at all times unless you have a Read-Only Domain Controller (RODC) in your network (Microsoft KB967482).  As such, both items can safely be ignored; in this case Active Directory is in a healthy state.

Site Replication and DNS are components to investigate first in situations where Active Directory is not healthy.

To investigate Site Replication, you can use the following command:

repadmin /showreps

An unhealthy Active Directory may be resolved by checking the system date/time, restarting Replication and/or DNS services, restarting the server or alternatively by demoting and promoting a server worst case.

Call the script “backup_daily.cmd” and run it on weekdays.  You don’t have to run it each day; you can run it only on saturdays or every other day; you decide.  It will save data in the following folders:

1_Monday
2_Tuesday
3_Wednesday
4_Thursday
5_Friday
6_Saturday
7_Sunday

Each time the script is run, the appropriate weekday folder will be overwritten.

Note: You will need a longer term backup job as well, as after 1 week you can no longer restore files you deleted more than a week ago.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: If site uses multiple HDDs for backup rotation:           ::
::   - only connect one HDD at a time to retain drive letters::
::   - make sure they all are assigned the same drive letter ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

@echo off
SETLOCAL

:::::::::::::
:: Weekdays ::
::::::::::::::

for /f "tokens=1" %%i in ('date /t') do set shortday=%%i
if %shortday% == Mon set today=1_Monday
if %shortday% == Tue set today=2_Tuesday
if %shortday% == Wed set today=3_Wednesday
if %shortday% == Thu set today=4_Thursday
if %shortday% == Fri set today=5_Friday
if %shortday% == Sat set today=6_Saturday
if %shortday% == Sun set today=7_Sunday

::::::::::::::::::::
:: Site Variables ::
::::::::::::::::::::

set usb=F:
set dest=%usb%\Backup\%today%
set switches=/E /NP /NFL /tee /R:1 /W:1 /MIR /COPYALL
set robocopy=%windir%\system32\robocopy.exe

::::::::::::::::::::
:: Initialization ::
::::::::::::::::::::

if not exist "%usb%"  exit
if not exist "%dest%" md "%dest%"

:::::::::::::
:: Backup  ::
:::::::::::::

"%robocopy%" "c:\folder1" "%dest%\folder1" %switches% /LOG:"%dest%\backup_folder1.log"
"%robocopy%" "c:\folder2" "%dest%\folder2" %switches% /LOG:"%dest%\backup_folder2.log"
"%robocopy%" "c:\folder3" "%dest%\folder3" %switches% /LOG:"%dest%\backup_folder3.log"

:End
ENDLOCAL
:Exit