Using DCDiag to Check Domain Controller Health
DCDiag is an important tool in any Active Directory administrator's toolbox. You can use it for a variety of tasks including, but not limited to, checking the health of your Domain Controllers and testing DNS.
In this article I’m going to show you how to use DCDiag to do a domain controller health check as well as using DCDiag to test DNS.
What Exactly is DCDiag?
DCDiag is a command line tool for Windows that you can run in either Command Prompt or PowerShell to see the results of a variety of tests against your DCs and DNS servers. The tests give you a high-level overview of the overall health of your domain and its domain controllers.
Provided you are running Command Prompt or PowerShell on a Domain Controller or a system running RSAT you can access the tool by running: dcdiag or dcdiag.exe.
If you want to see a list of all the command switches you can add to DCDiag, run it with the /h switch. The descriptions are a bit cryptic so I recommend reading this article on TechNet if you really want to know what each test does and why.
How to Install DCDiag
Any machine that has the AD DS role active will have DCDiag already. By default, you can access DCDiag through the command line on your individual Domain Controllers.
You can also access DCDiag by installing the Remote Server Administration Tools (RSAT) on a workstation, or by enabling it on Windows Server 2008 R2 through Windows Server 2016.
If you really just want DCDiag and not the full admin tool set you can also download it from Microsoft and install it on any Windows 7 or newer workstation.
How to Run DCDiag
As mentioned earlier, DCDiag.exe is a command line tool. To run it you need to open a Command Prompt or PowerShell window as an Admin.
You can then follow the dcdiag.exe command with a variety of switches to perform your tests, like so:
dcdiag.exe /s:<Directory Server>[:<LDAP Port>] [/u:<Domain>\<Username> /p:*|<Password>|""]
[/hqv] [/n:<Naming Context>] [/f:<Log>] [/x:XMLLog.xml]
[/skip:<Test>] [/test:<Test>]
Here are some examples of the switches you can see by typing dcdiag.exe /h:
- /s:<Directory Server> Runs DCDiag against a remote server. Ignored for DcPromo and RegisterInDns tests which can only be run by running DCDiag locally on a Domain Controller.
- /n:<Naming Context> Specifies the domain to test if you have multiple. Domains may be specified in Netbios, DNS or DN form.
- /u:domain\username Specifies credentials for binding. Must also use the /p option below.
- /p:<Password> Specifies password to use with the /u option above.
- /a: Tests all the servers in this site.
- /e: Tests all the servers in the entire enterprise. Overrides /a.
- /q: Only prints error messages.
- /v: Prints extended verbose information.
- /i: Ignores superfluous error messages.
- /c: Comprehensive, runs all tests, including non-default tests but excluding DcPromo and RegisterInDNS.
- /fix: Makes safe repairs.
- /f:<log> Redirects all output to a file separately.
- /x:<XMLLog.xml> Redirect xml output to a file. Currently works with /test:dns option only.
- /xsl:<xslfile.xsl or xsltfile.xslt> Adds the processing instructions that references specified stylesheet. Works with /test:dns /x:<XMLLog.xml> option only
- /test:<TestName> Test only this test. Required tests will still be run. Do not mix with /skip.
- /skip:<TestName> Skip the named test. Required tests will still be run. Do not mix with /test.
Let’s use a few of these in some examples.
How to Run DCDiag on a local Domain Controller
Enter the following command into an elevated Command Prompt or PowerShell window:
dcdiag.exe
How to Run DCDiag on a Remote Server
We can run DCDiag against the remote Domain Controller DomCon1 by running the following command:
dcdiag.exe /s:DomCon1
How to Save DCDiag results to a Log File
We can use the /f: switch to specify a path to log like so:
dcdiag.exe /s:DomCon1 /f:"D:\Logs\dcdiaglog.txt"
How to Run DCDiag Against all Domain Controllers
We use the /a switch to specify all DCs:
dcdiag.exe /s:DomCon1 /a
How to Run DCDiag with Verbose Output to a Log File
We can combine the /v switch with the /f: switch to log verbose test results:
dcdiag.exe /s:DomCon1 /a /v /f:"D:\Logs\dcdiaglog.txt"
We can even throw in the /c switch to run all tests possible (comprehensive).
dcdiag.exe /s:DomCon1 /a /c /v /f:"D:\Logs\dcdiaglog.txt"
How to Run Specific DCDiag Test
To run a specific test use the /test: switch like so:
dcdiag.exe /s:DomCon1 /a /test:Replications
How to Skip Specific DCDiag Test
To skip a test with DCDiag use the /skip: switch:
dcdiag.exe /s:DomCon1 /a /skip:Replications
It’s important to note that when using the /test and /skip switches, required tests will still be run.
Healthy DCDiag Test Output
If you run DCDiag locally on a domain controller that is healthy and part of a domain that is healthy you should see output similar to this:
Directory Server Diagnosis
Performing initial setup:
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DOMCON1
      Starting test: Connectivity
         ........................ DOMCON1 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\DOMCON1
      Starting test: Advertising
         ........................ DOMCON1 passed test Advertising
      Starting test: FrsEvent
         ........................ DOMCON1 passed test FrsEvent
      Starting test: DFSREvent
         ........................ DOMCON1 passed test DFSREvent
      Starting test: SysVolCheck
         ........................ DOMCON1 passed test SysVolCheck
      Starting test: KccEvent
         ........................ DOMCON1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ........................ DOMCON1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ........................ DOMCON1 passed test MachineAccount
      Starting test: NCSecDesc
         ........................ DOMCON1 passed test NCSecDesc
      Starting test: NetLogons
         ........................ DOMCON1 passed test NetLogons
      Starting test: ObjectsReplicated
         ........................ DOMCON1 passed test ObjectsReplicated
      Starting test: Replications
         ........................ DOMCON1 passed test Replications
      Starting test: RidManager
         ........................ DOMCON1 passed test RidManager
      Starting test: Services
         ........................ DOMCON1 passed test Services
      Starting test: SystemLog
         ........................ DOMCON1 passed test SystemLog
      Starting test: VerifyReferences
         ........................ DOMCON1 passed test VerifyReferences
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ........................ ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ........................ ForestDnsZones passed test CrossRefValidation
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ........................ DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ........................ DomainDnsZones passed test CrossRefValidation
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ........................ Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ........................ Schema passed test CrossRefValidation
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ........................ Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ........................ Configuration passed test CrossRefValidation
   Running partition tests on : ad
      Starting test: CheckSDRefDom
         ........................ ad passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ........................ ad passed test CrossRefValidation
   Running enterprise tests on : ad.npgdom.com
      Starting test: LocatorCheck
         ........................ ad.npgdom.com passed test LocatorCheck
      Starting test: Intersite
         ........................ ad.npgdom.com passed test Intersite
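For routine checks it helps to reduce that text to pass/fail records instead of reading it by eye. The following is an added example, not part of the original article: ConvertFrom-DcDiagOutput is a hypothetical helper name, the sample lines are constructed, and the pattern assumes English-language DCDiag output.

```powershell
# Added example: turn DCDiag text output into objects so failures can be filtered.
# ConvertFrom-DcDiagOutput is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-DcDiagOutput {
    param([string[]]$Line)

    # DCDiag may wrap a long result onto the next line, so flatten everything
    # into one string and collapse whitespace before matching.
    $text = ($Line -join ' ') -replace '\s+', ' '

    # Result lines look like: "......... <target> passed test <TestName>"
    # (assumption: English-language output).
    $pattern = '\.{5,} ?(?<Target>\S+) (?<Result>passed|failed) test (?<Test>\S+)'

    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{
            Target = $m.Groups['Target'].Value
            Test   = $m.Groups['Test'].Value
            Passed = ($m.Groups['Result'].Value -eq 'passed')
        }
    }
}

# Constructed sample input (not captured from a real domain controller).
# The last result is wrapped across two lines on purpose.
$sample = @(
    'Testing server: Default-First-Site-Name\DOMCON1',
    '   Starting test: Connectivity',
    '      ........................ DOMCON1 passed test Connectivity',
    '   Starting test: SystemLog',
    '      ........................ DOMCON1 failed test SystemLog',
    'Running partition tests on : ForestDnsZones',
    '   Starting test: CrossRefValidation',
    '      ........................ ForestDnsZones passed test',
    '      CrossRefValidation'
)

$results = ConvertFrom-DcDiagOutput -Line $sample
$failed  = @($results | Where-Object { -not $_.Passed })

$results | Format-Table Target, Test, Passed -AutoSize
if ($failed.Count -gt 0) {
    $names = ($failed | ForEach-Object { "$($_.Target)/$($_.Test)" }) -join ', '
    Write-Warning ("{0} DCDiag test(s) failed: {1}" -f $failed.Count, $names)
}

# Against a live DC, pass the real output instead of $sample:
#   $results = ConvertFrom-DcDiagOutput -Line (dcdiag.exe /s:DomCon1)
```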
How to use DCDiag to Test DNS
As mentioned earlier, DCDiag can be used to test DNS as well. We do this by using the /test: switch. DNS tests can only be run by running dcdiag.exe locally on a domain controller. You cannot mix /test:dns with the /s: switches.
dcdiag.exe /s:DomCon1 /test:DNS
This will run the following tests:
- /DnsBasic (basic tests, can’t be skipped)
- /DnsForwarders (forwarders and root hints tests)
- /DnsDelegation (delegations tests)
- /DnsDynamicUpdate (dynamic update tests)
- /DnsRecordRegistration (records registration tests)
- /DnsResolveExtName (external name resolution test)
- /DnsAll (includes all tests above)
- /DnsInternetName:<internet name> (for test /DnsResolveExtName)
We can specify a specific test by combining the test name with the above command like so:
dcdiag.exe /s:DomCon1 /test:DNS /DnsForwarders
DCDiag Failed Test SystemLog
It’s important to note that you’re likely to run into warning events when running tests remotely. Tests like SystemLog will fail unless you run dcdiag.exe from a domain controller.
Hopefully this article cleared things up a bit. Running DCDiag is simple once you understand the syntax and how the different switches relate to each other.
If running DCDiag isn’t a routine part of standard operating procedures, then take the time now to implement it. It could save you a lot of heartache down the road.