Active Directory health check

June 7, 2020

In this post I list the key areas that any Active Directory health check needs to cover:

Replication health:
Healthy replication is essential to any Active Directory infrastructure: every domain controller must learn about every change made to the directory database, otherwise clients get different answers depending on which domain controller they talk to. A domain controller that has not replicated for longer than the tombstone lifetime (60 or 180 days by default, depending on when the forest was created) is refused replication by its partners and can reintroduce deleted objects, so stale replication is a security problem as well as an availability one.

There are tools and techniques we can use to identify replication issues between Active Directory domain controllers. Repadmin.exe is a Microsoft tool for diagnosing Active Directory replication issues.

Since Windows Server 2008 it ships with the operating system whenever the AD DS role is installed (it is also part of the RSAT tools). Run it as Enterprise Admin to report on every partition in the forest; run as Domain Admin it can only report on the partitions of that domain:

Repadmin /showrepl

The preceding command displays the status of the last inbound replication for each directory partition held by the domain controller you run it on. It only reports on that one domain controller.

The /replicate parameter triggers a replication of one naming context from a source domain controller to a destination domain controller, so you can see the result in real time. The syntax is repadmin /replicate <destination DC> <source DC> <naming context>; the following pulls the admin.com domain partition into DC-03 from DC-01:
Repadmin /replicate DC-03 DC-01 DC=admin,DC=com

If you need to check the replication status of a specific domain controller, you can use a command similar to the following. Replace the DC-03 part of the command with the name of the domain controller:
Repadmin /showrepl DC-03

Adding /full forces a full replication of every object in the partition from DC-01 to DC-03, rather than only the changes since the last successful sync:
Repadmin /replicate DC-03 DC-01 DC=admin,DC=com /full

The /replsummary parameter can be used to see the summary of the replication status of all domain controllers:
Repadmin /replsummary

The following command lists only the domain controllers that have replication issues with their partners:
Repadmin /replsummary /errorsonly

Event Viewer:
Event Viewer can also be used to evaluate the replication health of the Active Directory environment. Replication problems are logged in the Directory Service log, which you can find under Event Viewer | Applications and Services Logs | Directory Service. Filter on the event IDs that matter rather than reading the whole log; the ones worth a standing filter are 2042 (a partner has not replicated for longer than the tombstone lifetime), 1925 (a replication link could not be established), 2087 and 2088 (the source domain controller's host name could not be resolved in DNS) and 1311 (the KCC found a topology problem).
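The Repadmin checks above and the event-log review can be scripted so the health check produces a report instead of a screen of text. The following PowerShell is an added example, not code from the original post: it reads the same replication metadata Repadmin reads through the ActiveDirectory module, lists failing links, and pulls the replication event IDs listed above from the Directory Service log on every domain controller. It assumes the ActiveDirectory module is installed, that the account can read replication metadata and remote event logs, and the 24-hour thresholds are illustrative choices.

```powershell
# Added example, not part of the original post: replication health report built
# from the ActiveDirectory module (the same data repadmin reads) plus the
# Directory Service event log. Assumptions: ActiveDirectory module available
# (AD DS role or RSAT), remote event-log access to every DC, and an account
# allowed to read replication metadata. Threshold values are illustrative.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [int]$MaxHoursSinceSuccess = 24,  # partners silent for longer than this are flagged
    [int]$EventLookbackHours   = 24   # how far back to scan the Directory Service log
)

# Well-known Directory Service events that indicate replication trouble:
# 1311  KCC found a topology problem for a partition
# 1925  a replication link could not be established
# 2042  partner has not replicated for longer than the tombstone lifetime
# 2087  source DC host name could not be resolved (replication failed)
# 2088  source DC host name could not be resolved (fell back to IP address)
$replicationEventIds = 1311, 1925, 2042, 2087, 2088

$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName
$cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)

# 1. Per-partner, per-partition metadata: the counterpart of "repadmin /showrepl <dc>".
$partnerStatus = foreach ($dc in $dcs) {
    try {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc.HostName
                    Partner     = $_.Partner          # DN of the partner's NTDS Settings object
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    LastResult  = $_.LastReplicationResult   # 0 means the last attempt succeeded
                    Failures    = $_.ConsecutiveReplicationFailures
                    Stale       = ($_.LastReplicationSuccess -lt $cutoff)
                }
            }
    } catch {
        Write-Warning "Cannot read replication metadata from $($dc.HostName): $($_.Exception.Message)"
    }
}

# 2. Failing links as each DC sees them: the counterpart of "repadmin /replsummary /errorsonly".
$failures = foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# 3. Replication-related events from the Directory Service log on every DC.
#    Get-WinEvent reports "No events were found" as an error when nothing matches,
#    which is the healthy case, so that error is suppressed.
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $replicationEventIds
        StartTime = (Get-Date).AddHours(-$EventLookbackHours)
    } | Select-Object MachineName, TimeCreated, Id, LevelDisplayName, Message
}

$stale = $partnerStatus | Where-Object { $_.Stale -or $_.Failures -gt 0 }

"=== Replication partners stale or failing: $(@($stale).Count) ==="
$stale    | Format-Table Server, Partner, Partition, LastSuccess, Failures -AutoSize
"=== Replication failures reported by domain controllers: $(@($failures).Count) ==="
$failures | Format-Table -AutoSize
"=== Replication-related events in the last $EventLookbackHours h: $(@($events).Count) ==="
$events   | Format-Table MachineName, TimeCreated, Id, LevelDisplayName -AutoSize
```

Save it as a script and run it from a domain-joined management host. An empty report is the goal; anything in the first table means a partner has either failed its last attempts or has been silent for longer than your replication interval allows, and anything with event 2042 needs attention before the tombstone lifetime makes the problem permanent.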

Domain controller health:
With replication covered, the next step is to check the health of the domain controllers themselves. As with Repadmin, Microsoft ships a tool for this task.

The Dcdiag.exe tool runs a set of predefined tests against domain controllers. The following command tests every domain controller in the forest (/a would limit the run to the current site):
Dcdiag /e

To test a single domain controller, name it with /s; the following runs the tests against DC-03:
Dcdiag /s:DC-03

Instead of running all the tests, the following command runs only the replication test against DC-03:
Dcdiag /test:Replications /s:DC-03

The following command runs only the Services test, which checks that the services a domain controller depends on (such as Netlogon and the KDC) are running on the local domain controller:
Dcdiag /test:Services
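Dcdiag output is meant to be read by a person; for a health check across many domain controllers it helps to turn it into objects. The following PowerShell is an added example, not code from the original post: it runs dcdiag with a chosen set of tests against every domain controller, parses the "passed test" / "failed test" summary lines, keeps the diagnostic text printed before each failure, and leaves you with a table that can be filtered or exported. It assumes dcdiag.exe is on the path, the ActiveDirectory module is installed and the account can run the tests remotely; the default test list is an illustrative choice, not a dcdiag default.

```powershell
# Added example, not part of the original post: run dcdiag against every domain
# controller and parse its text output into objects so failed tests can be
# filtered, sorted and exported. Assumptions: dcdiag.exe is available (AD DS
# role or RSAT), the ActiveDirectory module is installed and the account can
# run the tests against remote DCs. The default test list is illustrative.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
    [string[]]$Tests = @('Advertising', 'Services', 'Replications', 'SysVolCheck', 'NetLogons', 'KccEvent', 'DFSREvent')
)

# dcdiag ends each test with a summary line such as
#   ......................... DC-03 failed test Replications
$summaryLine = '^\s*\.+\s+(?<Server>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'

function Invoke-DcdiagTests {
    param([string]$Server, [string[]]$TestNames)

    # One /test: switch per test limits the run; the Connectivity test always runs first.
    $dcdiagArgs = @("/s:$Server") + ($TestNames | ForEach-Object { "/test:$_" })
    $output = & dcdiag.exe @dcdiagArgs 2>&1 | ForEach-Object { $_.ToString() }

    $buffer = New-Object System.Collections.Generic.List[string]
    $parsed = foreach ($line in $output) {
        if ($line -match $summaryLine) {
            # Keep the diagnostic lines dcdiag printed before a failure summary.
            $detail = ''
            if ($Matches.Result -eq 'failed') { $detail = ($buffer -join "`n").Trim() }
            [pscustomobject]@{
                Server = $Server
                Test   = $Matches.Test
                Result = $Matches.Result
                Detail = $detail
            }
            $buffer.Clear()
        } else {
            $buffer.Add($line)
        }
    }

    if (-not $parsed) {
        # No summary lines at all usually means dcdiag could not bind to the DC.
        [pscustomobject]@{
            Server = $Server
            Test   = 'Connectivity'
            Result = 'no output'
            Detail = ($output -join "`n").Trim()
        }
    } else {
        $parsed
    }
}

$results = foreach ($dc in $ComputerName) { Invoke-DcdiagTests -Server $dc -TestNames $Tests }
$failed  = $results | Where-Object { $_.Result -ne 'passed' }

"dcdiag: $(@($results).Count) test results, $(@($failed).Count) not passed"
$failed | Format-Table Server, Test, Result -AutoSize
# Show the captured diagnostics for one failure, or export everything for the report:
#   $failed | Select-Object -First 1 -ExpandProperty Detail
#   $results | Export-Csv -NoTypeInformation -Path .\dcdiag-results.csv
```

A domain controller that produces no summary lines at all is reported as a Connectivity problem with the raw output attached, so an unreachable server shows up in the table instead of silently disappearing from the report.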

DNS health:
We cannot talk about Active Directory health without a healthy DNS infrastructure. Active Directory depends heavily on DNS: domain controllers find each other, and clients find domain controllers, through the SRV records that each domain controller registers. To start with, I prefer to review the DNS Server events on the domain controllers. You can find the DNS logs under
Event Viewer | Applications and Services Logs | DNS Server:

The Dcdiag utility can also be used to test DNS health:
Dcdiag /test:DNS /DnsBasic

The preceding command runs the basic DNS check, which verifies that the DNS service is running, that the resource records are registered and that the DNS zones are present.

The following command will test if the DNS forwarders are functioning properly:
Dcdiag /test:DNS /DnsForwarders

The following command will test the registration of DC locator records:
Dcdiag /test:DNS /DnsRecordRegistration
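The DNS sub-tests above can be cross-checked without dcdiag by asking DNS the same questions directly, which also catches a case dcdiag does not report: locator records that still advertise a domain controller that no longer exists. The following PowerShell is an added example, not code from the original post. It checks that every domain controller's A record resolves to its address (the DnsBasic check), that every domain controller appears in the domain-wide and site-specific DC locator SRV records and that no stale entries remain (the DnsRecordRegistration check), and that each domain controller's configured forwarders answer for an external name (the DnsForwarders check). It assumes the ActiveDirectory and DnsClient modules, the DnsServer module for reading forwarders (with WinRM access to the domain controllers), and the external test name is an arbitrary choice.

```powershell
# Added example, not part of the original post: check the DNS pieces AD depends
# on directly, without dcdiag. Assumptions: ActiveDirectory and DnsClient modules
# available; DnsServer module (RSAT DNS tools) and WinRM access for the
# forwarder check; the external test name is an arbitrary choice.
#Requires -Modules ActiveDirectory, DnsClient
[CmdletBinding()]
param(
    [string]$Domain       = (Get-ADDomain).DNSRoot,
    [string]$ExternalName = 'www.microsoft.com'   # any name that lives outside the forest
)

$dcs      = Get-ADDomainController -Filter * -Server $Domain
$expected = @($dcs | ForEach-Object { $_.HostName.ToLower() })
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Target, [string]$Status, [string]$Detail = '') {
    $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; Status = $Status; Detail = $Detail })
}

# Resolve one SRV name and return the lower-cased host names it advertises.
function Get-SrvTargets([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') }
    } catch {
        Add-Finding 'SRV lookup' $Name 'FAIL' $_.Exception.Message
    }
}

# Domain-wide locator records: every DC in the domain should be advertised, and
# nothing else should be (stale entries send clients to DCs that no longer exist).
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $targets = @(Get-SrvTargets -Name $rec)
    if ($targets.Count -eq 0) { continue }   # lookup failure already recorded
    foreach ($fqdn in $expected) {
        $status = if ($targets -contains $fqdn) { 'OK' } else { 'MISSING' }
        Add-Finding 'SRV registration' "$fqdn in $rec" $status
    }
    foreach ($extra in ($targets | Where-Object { $expected -notcontains $_ })) {
        Add-Finding 'SRV registration' "$extra in $rec" 'STALE'
    }
}

foreach ($dc in $dcs) {
    $fqdn = $dc.HostName.ToLower()

    # DnsBasic counterpart: the DC's A record must resolve to the address AD knows.
    try {
        $a  = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        $ok = @($a.IPAddress) -contains $dc.IPv4Address
        $status = if ($ok) { 'OK' } else { 'MISMATCH' }
        Add-Finding 'A record' $fqdn $status ("resolved to " + (@($a.IPAddress) -join ','))
    } catch {
        Add-Finding 'A record' $fqdn 'FAIL' $_.Exception.Message
    }

    # Site-specific locator record: clients in the DC's site look here first.
    $siteRec = "_ldap._tcp.$($dc.Site)._sites.dc._msdcs.$Domain"
    $targets = @(Get-SrvTargets -Name $siteRec)
    if ($targets.Count -gt 0) {
        $status = if ($targets -contains $fqdn) { 'OK' } else { 'MISSING' }
        Add-Finding 'SRV registration' "$fqdn in $siteRec" $status
    }

    # DnsForwarders counterpart: ask each configured forwarder for an external name.
    if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
        try {
            $fwd = Get-DnsServerForwarder -ComputerName $fqdn -ErrorAction Stop
            foreach ($ip in @($fwd.IPAddress)) {
                try {
                    $null = Resolve-DnsName -Name $ExternalName -Server $ip -DnsOnly -ErrorAction Stop
                    Add-Finding 'Forwarder' "$fqdn -> $ip" 'OK'
                } catch {
                    Add-Finding 'Forwarder' "$fqdn -> $ip" 'FAIL' $_.Exception.Message
                }
            }
        } catch {
            Add-Finding 'Forwarder' $fqdn 'FAIL' $_.Exception.Message
        }
    }
}

$findings | Sort-Object Status, Check | Format-Table -AutoSize
```

The SRV lookups go through the resolver of the machine running the script, so a MISSING or STALE result tells you what clients actually see; if you want to compare each domain controller's own copy of the zone, add -Server $fqdn to the Resolve-DnsName calls and accept that domain controllers which do not run DNS will then show as lookup failures.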
