How do I know if Active Directory is healthy?
I’m having some Active Directory issues, where do I start?
I see these questions asked a lot, and talking someone through some basic troubleshooting steps without having physical/remote access can be fairly time consuming. For that reason I’ve put together a script that collects basic information about the domain controller it is run on and about Active Directory itself, and writes it to a log file.
The log file is saved onto the current user’s desktop by default. If you want to save the log file to a share you’d use:
So, what does it do?
System Boot Time - systeminfo | find "System Boot Time:" – Displays boot time, not massively helpful or directly tied with Active Directory but still worth being aware of the last start-up time.
TCP/IP network configuration - IPCONFIG /all – Displays all current TCP/IP network configuration values. This is normally helpful to highlight any DNS server misconfiguration, for example DNS servers set to external public resolvers.
DCDIAG /a – The meat and potatoes, there’s a great article on what it actually does here: http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx. This is currently set to test all domain controllers (/a), you can get more verbose with /v, but I quite like the initial log to be succinct.
Repadmin /replsummary – Will show you an overview of any failures, and for which DC(s). http://technet.microsoft.com/en-us/library/cc835092%28v=ws.10%29.aspx
Repadmin /showrepl – This will let you know if the last replication attempts were successful. http://technet.microsoft.com/en-us/library/cc742066%28v=ws.10%29.aspx
NETDOM Query FSMO – This will return the FSMO role holders, which can be used to confirm that the role holders are still online and functioning. A good article on FSMO roles and what happens if one of them fails can be found here: https://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx
Nslookup -querytype=srv _gc._tcp.%domain% – Displays all Global Catalogs.
The batch file
You can copy and paste it into your own batch file or download it from here. If you’re running it on a DC prior to Server 2008 you will need to install the Adminpak: Windows Server 2003 Service Pack 2 Administration Tools Pack (adminpak)
Run the batch file; when it has completed, Notepad will open with the freshly created log. If you need to share this log with someone, I suggest using pastie.org and pasting the (redacted) document.
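One way to do that redaction before the log leaves your network, as an added example that is not part of the original script. The class name `LogRedactor`, the domain `corp.example.com` and the sample log text are assumptions made for illustration. It runs in Python on whatever workstation you copy the log to.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class LogRedactor:
    """Replace sensitive values with stable tokens (same value, same token)."""
    def __init__(self, domain, names=()):
        self.tokens = {}
        self.names = {n.lower() for n in names}  # extra short names, e.g. NetBIOS
        # Any DNS name under the AD domain; leading labels land in group 1.
        self.fqdn = re.compile(r"\b((?:[\w-]+\.)*)" + re.escape(domain) + r"\b", re.I)
        # The same domain written as a distinguished name (DC=corp,DC=example,DC=com).
        self.dn = re.compile(",".join("DC=" + re.escape(p) for p in domain.split(".")), re.I)

    def _token(self, kind, value):
        seen = self.tokens.setdefault(kind, {})
        return seen.setdefault(value.lower(), f"<{kind}-{len(seen) + 1}>")

    def _ip(self, match):
        try:
            private = ipaddress.ip_address(match.group()).is_private
        except ValueError:
            return match.group()  # dotted numbers that are not an address
        # Keep private vs public visible: a DC pointed at a public resolver still shows.
        return self._token("IP-PRIV" if private else "IP-PUB", match.group())

    def redact(self, text):
        # Learn host labels from FQDNs so a bare "DC01" gets the same token as its FQDN.
        for m in self.fqdn.finditer(text):
            self.names.update(p.lower() for p in m.group(1).split(".") if p and p[0] != "_")
        if self.names:
            alts = "|".join(re.escape(n) for n in sorted(self.names, key=len, reverse=True))
            text = re.sub(rf"\b(?:{alts})\b", lambda m: self._token("HOST", m.group()), text, flags=re.I)
        text = self.fqdn.sub(lambda m: m.group(1) + "<DOMAIN>", text)  # SRV labels are kept
        text = self.dn.sub("DC=<DOMAIN>", text)
        return IPV4.sub(self._ip, text)

# Constructed sample in the shape of the collected log (not real output).
SAMPLE = """\
   Host Name . . . . . . . . . . . . : DC01
   DNS Servers . . . . . . . . . . . : 10.0.0.11
                                       8.8.8.8
DC=corp,DC=example,DC=com  Default-First-Site-Name\\DC01 via RPC
_gc._tcp.corp.example.com  svr hostname = dc01.corp.example.com
"""

if __name__ == "__main__":
    print(LogRedactor("corp.example.com").redact(SAMPLE))
```

Because each value keeps the same token throughout, whoever reads the pasted log can still follow which DC replicates with which. Read the result through before posting: names that never appear as an FQDN are only caught if you pass them in `names`.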
You may just want to run this as a one-off when troubleshooting, or you may want to add this to a scheduled task (if so, I’d remove the notepad %logfile% line off the end). This can be useful for comparisons and to outline when the error(s) / issues began. If your Active Directory is currently running like a dream, why not take a baseline log…
This script should give you a starting point for diagnosing some of the more common Active Directory issues. I recommend getting familiar with the tools included in the script, learning how to read and make sense of the information and to be aware of other parameters available.