Active Directory Health Check

Performing a health check on Active Directory (AD) and Domain Controllers (DC) is crucial for ensuring the reliability and performance of your network. Here’s a step-by-step guide to conducting a thorough health check:

1. Check Domain Controller Status

  • Command: dcdiag
  • This tool runs various tests on the DC to assess its health and report any issues.

2. Review Event Logs

  • Check the Event Viewer for any errors or warnings related to Active Directory.
  • Focus on logs under:
    • Windows Logs > System
    • Applications and Services Logs > Directory Service

3. Replication Health

  • Command: repadmin /replsummary
  • This command summarizes the replication status across all DCs. Look for any errors or high latency.

4. Check DNS Health

  • Ensure that your DCs can resolve DNS queries properly.
  • Command: nslookup followed by your domain name to test resolution.
  • Command: dcdiag /test:dns to perform a DNS health check.

5. Verify Sysvol and Netlogon Shares

  • Ensure that the Sysvol and Netlogon shares are available.
  • Command: net share to check if these shares are active.

6. Check Active Directory Replication

  • Command: repadmin /showrepl
  • This shows the replication status for each DC, indicating any issues.

7. Assess Global Catalog Availability

  • Ensure at least one Global Catalog server is available.
  • Command: Get-ADDomainController -Filter * | Where-Object {$_.IsGlobalCatalog -eq $true} (for PowerShell).

8. Check for FSMO Role Holders

  • Ensure that all Flexible Single Master Operation (FSMO) roles are being held by available DCs.
  • Command: netdom query fsmo

9. Review Group Policy Health

  • Ensure that Group Policies are being applied correctly.
  • Command: gpresult /h report.html to generate a report.

10. Perform Security Checks

  • Review user and computer accounts for any anomalies.
  • Check for expired passwords and accounts that are disabled or locked.

11. Backup and Recovery Validation

  • Ensure that you have a current backup of your AD and that you can restore it if needed.

12. Monitor Performance Metrics

  • Check CPU, memory usage, and disk space on your DCs.
  • Use performance monitoring tools to gather metrics over time.

13. Review Network Configuration

  • Ensure there are no network issues affecting communication between DCs and clients.

14. Update and Patch

  • Ensure that all domain controllers are updated with the latest security patches and updates.

15. Documentation

  • Document your findings, issues resolved, and any steps taken for future reference.

Conclusion

Regularly performing these checks helps maintain a healthy Active Directory environment. Schedule these health checks periodically or after significant changes in your network.
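Several of the checks above (steps 1, 3, 5 to 8, 10 and 15) can be gathered into a single run that is suitable for scheduling. The script below is an added example, not part of the original guide. It assumes the ActiveDirectory RSAT module and repadmin.exe are installed; the report path and the `Add-Finding` helper are illustrative names.

```powershell
# Added example (not from the original guide): one-pass AD health snapshot.
# Assumes the ActiveDirectory RSAT module and repadmin.exe are available.
Import-Module ActiveDirectory
$ReportPath = 'C:\logs\ad_health_findings.csv'   # assumed path; adjust as needed
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Target, $Detail) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ Time = Get-Date; Check = $Check; Target = $Target; Detail = $Detail })
}
$dcs = Get-ADDomainController -Filter *
# Steps 1 and 5: each DC answers and exposes SYSVOL and NETLOGON.
foreach ($dc in $dcs) {
    if (-not (Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet)) {
        Add-Finding 'Reachability' $dc.HostName 'No ICMP reply (may be filtered)'; continue
    }
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path "\\$($dc.HostName)\$share")) {
            Add-Finding 'Share' $dc.HostName "$share not reachable"
        }
    }
}
# Steps 3 and 6: replication links reporting failures (CSV output of repadmin).
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 } |
    ForEach-Object {
        $detail = "source $($_.'Source DSA'), NC $($_.'Naming Context'), status $($_.'Last Failure Status')"
        Add-Finding 'Replication' ($_.'Destination DSA') $detail
    }
# Step 7: at least one Global Catalog.
if (-not ($dcs | Where-Object { $_.IsGlobalCatalog })) {
    Add-Finding 'GlobalCatalog' 'domain' 'No Global Catalog server found'
}
# Step 8: every FSMO role holder answers.
$domain = Get-ADDomain; $forest = Get-ADForest
$fsmo = [ordered]@{
    PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
}
foreach ($role in $fsmo.Keys) {
    if (-not (Test-Connection -ComputerName $fsmo[$role] -Count 1 -Quiet)) {
        Add-Finding 'FSMO' $fsmo[$role] "$role holder unreachable"
    }
}
# Step 10: locked-out and password-expired user accounts.
Search-ADAccount -LockedOut -UsersOnly | ForEach-Object { Add-Finding 'Account' $_.SamAccountName 'Locked out' }
Search-ADAccount -PasswordExpired -UsersOnly | ForEach-Object { Add-Finding 'Account' $_.SamAccountName 'Password expired' }
# Step 15: keep a dated record of the findings.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table -AutoSize
```

An empty findings file means none of these particular checks tripped; the dcdiag tests, event logs, backups and patch levels from the other steps still need their own review.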


For reference, a few of the replication commands are given below.

  1. repadmin /replsummary
  2. repadmin /syncall /e
  3. repadmin /syncall /Aped
  4. repadmin /kcc *
  5. repadmin /showbackup *
  6. repadmin /showrepl *
  7. repadmin /queue *
  8. repadmin /replsummary
  9. repadmin /showoutcalls *
  10. repadmin /bridgeheads * /verbose
  11. repadmin /istg * /verbose
  12. repadmin /failcache *
  13. repadmin /showtrust *
  14. repadmin /bind *
  15. dcdiag /c /e /v

For reference, a few of the Domain Controller diagnosis commands are given below.

  1. DSQUERY Server -o rdn
  2. dcdiag /s:DC01
  3. dcdiag /e /v /q
  4. dcdiag /s:DC01 /a /test:NetLogons
  5. dcdiag.exe /TEST:RidManager /v
  6. dcdiag /s:DC01 /a /skip:Replication
  7. dcdiag /s:DC01 /u:contosoadmin /p:P@SSwoord
  8. dcdiag /s:DC01 /v /f:c:\ps\dcdiag_report.log
  9. dcdiag /s:DC01 /a
  10. dcdiag /s:DC01 /q
  11. dcdiag /s:DC01 /fix
  12. DCDiag /Test:DNS /e /v /s:dc01.emx24.local >c:\logs\DcdiagDNSCheck.txt
  13. Get-Content c:\logs\DcdiagDNSCheck.txt
  14. dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]
  15. DCDiag /Test:DNS /e /v /s:dc01.emx24.local /fix
