Using DCDiag to Check Domain Controller Health

DCDiag is an important tool an any Active Directory Administrators toolbox. You can use it for a variety of tasks including, but not limited to, checking the health of your Domain Controllers and testing DNS.

In this article I’m going to show you how to use DCDiag to do a domain controller health check as well as using DCDiag to test DNS.

What Exactly is DCDiag?

DCDiag is a command line tool for Windows that you can run in either Command Prompt or PowerShell to see the results of a variety of tests against your DCs and DNS servers. The tests give you a high level overview of the overall health of your domain between your domain controllers.

Provided you are running Command Prompt or PowerShell on a Domain Controller or a system running RSAT you can access the tool by running: dcdiag or dcdiag.exe.

If you want to see a list of all of command switches you can add to DCDiag when you run it you can use the /h switch when running DCDiag. The descriptions are a bit cryptic so I recommend reading this article on TechNet if you really want to know what each test does and why.

How to Install DCDiag

Any machine that has the AD DS role active will have DCDiag already. By default, you can access DCDiag through the command line on your individual Domain Controllers.

You can also access DCDiag by installing the Remote Server Administration Tools (RSAT) on a workstation or enabling it on Windows Server 2008 R2 through Server 2016 server.

Related: How to Install RSAT on Windows 10

If you really just want DCDiag and not the full admin tool set you can also download it from Microsoft and install it on any Windows 7 or newer workstation.

How to Run DCDiag

As mentioned earlier, DCDiag.exe is a command line tool. To run it you need to open a Command Prompt or PowerShell window as an Admin.

You can then append the dcdiag.exe command with a variety of switches and commands to perform your tests like so:

dcdiag.exe /s:<Directory Server>[:<LDAP Port>] [/u:<Domain>\<Username> /p:*|<Password>|””]

[/hqv] [/n:<Naming Context>] [/f:<Log>] [/x:XMLLog.xml]

[/skip:<Test>] [/test:<Test>]

Here are some example of the switches you can see by typing dcdiag.exe /h:

  • /s:<Directory Server> Runs DCDiag against a remote server. Ignored for DcPromo and RegisterInDns tests which can only be run by running DCDiag locally on a Domain Controller.
  • /n:<Naming Context> Specifies the domain to test if you have multiple. Domains may be specified in Netbios, DNS or DN form.
  • /u:domain\username Specifies credentials for binding. Must also use the /p option below.
  • /p:<Password> Specifies password to use with the /u option above.
  • /a: Tests all the servers in this site.
  • /e: Test all the servers in the entire enterprise.  Overrides /a
  • /q: Only prints error messages.
  • /v: Print extended verbose information
  • /i: Ignores superfluous error messages.
  • /c: Comprehensive, runs all tests, including non-default tests but excluding DcPromo and RegisterInDNS.
  • /fix: Makes safe repairs.
  • /f:<log> Redirects all output to a file separately.
  • /x:<XMLLog.xml> Redirect xml output to a file. Currently works with /test:dns option only.
  • /xsl:<xslfile.xsl or xsltfile.xslt> Adds the processing instructions that references specified stylesheet. Works with /test:dns /x:<XMLLog.xml> option only
  • /test:<TestName> Test only this test.  Required tests will still be run.  Do not mix with /skip.
  • /skip:<TestName> Skip the named test.  Required tests will still be run.  Do not mix with /test.

Let’s use a few of these in some examples.

How to Run DCDiag on a local Domain Controller

Enter the following command into an elevated command prompt or powershell:

dcdiag.exe

How to Run DCDiag on a Remote Server

We can run DCDiag against the remote Domain Controller DomCon1 by running the following command:

dcdiag.exe /s:DomCon1

How to Save DCDiag results to a Log File

We can use the /f: switch to specify a path to log like so:

dcdiag.exe /s:DomCon1 /f:”D:\Logs\dcdiaglog.txt”

How to Run DCDiag Against all Domain Controllers

We use the /a switch to specify all DCs:

dcdiag.exe /s:DomCon1 /a

How to Run DCDiag with Verbose Output to a Log File

We can combine the /v switch with the /f: switch to log verbose test results:

dcdiag.exe /s:DomCon1 /a /v /f:”D:\Logs\dcdiaglog.txt”

We can even throw in the /c switch to run all tests possible (comprehensive).

dcdiag.exe /s:DomCon1 /a /c /v /f:”D:\Logs\dcdiaglog.txt”

How to Run Specific DCDiag Test

To run a specific test use the /test: switch like so:

dcdiag.exe /s:DomCon1 /a /test:Replication

How to Skip Specific DCDiag Test

To skip a test with DCDiag use the /skip: switch

dcdiag.exe /s:DomCon1 /a /skip:Replication

It’s important to not that when using the /test and /skip switches that required tests will still be ran.

Healthy DCDiag Test Output

If you run DCDiag locally on a domain controller that is healthy and part of a domain that is healthy you should see output similar to this:

Directory Server Diagnosis

Performing initial setup:
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DOMCON1
Starting test: Connectivity
…………………… DOMCON1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DOMCON1
Starting test: Advertising
…………………… DOMCON1 passed test Advertising
Starting test: FrsEvent
…………………… DOMCON1 passed test FrsEvent
Starting test: DFSREvent
…………………… DOMCON1 passed test DFSREvent
Starting test: SysVolCheck
…………………… DOMCON1 passed test SysVolCheck
Starting test: KccEvent
…………………… DOMCON1 passed test KccEvent
Starting test: KnowsOfRoleHolders
…………………… DOMCON1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
…………………… DOMCON1 passed test MachineAccount
Starting test: NCSecDesc
…………………… DOMCON1 passed test NCSecDesc
Starting test: NetLogons
…………………… DOMCON1 passed test NetLogons
Starting test: ObjectsReplicated
…………………… DOMCON1 passed test ObjectsReplicated
Starting test: Replications
…………………… DOMCON1 passed test Replications
Starting test: RidManager
…………………… DOMCON1 passed test RidManager
Starting test: Services
…………………… DOMCON1 passed test Services
Starting test: SystemLog
…………………… DOMCON1 passed test SystemLog Starting test: VerifyReferences
…………………… DOMCON1 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
…………………… ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
…………………… ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
…………………… DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
…………………… DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
…………………… Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
…………………… Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
…………………… Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
…………………… Configuration passed test CrossRefValidation

Running partition tests on : ad
Starting test: CheckSDRefDom
…………………… ad passed test CheckSDRefDom
Starting test: CrossRefValidation
…………………… ad passed test CrossRefValidation

Running enterprise tests on : ad.npgdom.com
Starting test: LocatorCheck
…………………… ad.npgdom.com passed test LocatorCheck
Starting test: Intersite
…………………… ad.npgdom.com passed test Intersite

 

How to use DCDiag to Test DNS

As mentioned earlier, DCDiag can be used to test DNS as well. We do this by using the /test: switch. DNS test can only be ran by running dcdiag.exe locally on a domain controller. You cannot mix /test:dns with the /s: switches.

dcdiag.exe /s:DomCon1 /test:DNS

This will run the following tests:

/DnsBasic (basic tests, can’t be skipped)

/DnsForwarders (forwarders and root hints tests)

/DnsDelegation (delegations tests)

/DnsDynamicUpdate (dynamic update tests)

/DnsRecordRegistration (records registration tests)

/DnsResolveExtName (external name resolution test)

/DnsAll (includes all tests above)

/DnsInternetName:<internet name> (for test /DnsResolveExtName)

We can specify a specific test by combining the test name with the above command like so:

dcdiag.exe /s:DomCon1 /test:DNS /DnsForwarders

DCDiag Failed Test SystemLog

It’s important to note that you’re likely to run into warning events when running tests remotely. Tests like the SystemLog will fail unless you run dcdiag.exe from a domain controller.

Hopefully this article cleared things up a bit. Running DCDiag is simple once you understand the syntax and how the different switches relate to eachother.

If running DCDiag isn’t a routine part of standard operating procedures, then take the time now to implement it. It could save you a lot of heartache down the road.

Recommended for You: Solarwinds Server & Application Monitor (SAM)

Know which applications are having issues in your environment before users complain? Know which systems are causing those problems? How about which servers are about to have problems like running out of space or memory?

Automate collection of data and alerting on your applications and servers with Solarwinds Server & Application Monitor so you have these answers.

Get insight into Active Directory, DNS, DHCP, and your Virtual environment without needing to mess with complex templates or knowing a single line of code.

Leave a Reply

Your email address will not be published. Required fields are marked *