
Domain Controller Health Check Guide

Diego Asturias

In this guide, we’ll go through a powerful MS Windows utility known as DCDiag. This tool can be used for performing domain controller health checks, testing DNS services, and even fixing errors automatically. The tool is very simple to use but powerful enough to keep all your domain controllers healthy.

Table of Contents

  1. What is the DCDiag utility? 
    • How to install DCDiag?
  2. What can you do with the DCDiag utility tool? 
  3. The DCDiag command syntax.
  4. How to run DCDiag?
    • Remote DC health checks.
    • Checking health for all DCs.
  5. Using DCDiag to test DNS.
  6. Customizing DCDiag results
    • Run DCDiag in quiet mode.
    • Run DCDiag with verbose output
    • Exporting DCDiag results.
  7. Additional Functions
    • Fix errors.
    • Specify or skip tests.
  8. Conclusion

1. What is the DCDiag Utility?

The DCDiag is a Microsoft Windows diagnostics command-line tool for domain controller health checks and troubleshooting. With the DCDiag, you can run about 30 different health checks on a domain controller and test DNS settings, replication health, errors, and more.

The DCDiag tool can be used to analyze a single or multiple DCs simultaneously within your AD forest or enterprise.

How to Install DCDiag?

It is very likely that if you are running Windows Server, you already have DCDiag installed.

The DCDiag is built into the modern Windows Server versions, including 2012R2, 2016, and 2019. For older versions, you would need to manually install it using the Support Tools package. The utility is available as long as you are running AD DS (Active Directory Domain Services), or AD LDS (Active Directory Lightweight Directory Services). If you want to run the DCDiag from a Windows OS client, you would need to install the RSAT roles on the computer.

2. What can you do with the DCDiag Utility tool?

As mentioned earlier, there are close to 30 different DCDiag checks. By default, the tool performs about 22 of them; 21 of those can be skipped, and the one remaining check, the “connectivity check”, is always run.

The rest of the tests don’t run by default, so you would need to call for the specific test. The most popular among these tests is the DNS check.

Let’s review some of the checks that DCDiag performs on a domain controller:

  • Connectivity – Tests whether the domain controllers are reachable, have LDAP/RPC connectivity, and are registered in DNS. This check can’t be skipped.
  • Advertising – Verifies that the Directory System Agent (DSA) is advertising itself.
  • CheckSecurityError – Looks for security errors or any problem that might be related to security.
  • CutoffServers – Looks for servers that are not receiving replication.
  • DNS – Checks the health of DNS and its settings for the entire forest or enterprise.
  • Intersite – Checks for failures that would prevent inter-site replication.
  • MachineAccount – Checks the machine account to see if it has the proper information. DCDiag’s “fix” feature applies to this test: it can automatically repair the SPNs on the MachineAccount object.
  • ObjectsReplicated – Checks whether the machine account and DSA objects have successfully replicated.
  • RegisterInDNS – Checks whether the directory server can register the DS Locator DNS records.
  • Topology – Tests the connectivity of the topology for all DSAs.

3. The DCDiag Command Syntax

The DCDiag is a simple command-line utility. You can run DCDiag on a CMD Prompt or a PowerShell window. Remember to use administrator privileges.

The basic syntax of DCDiag is:

  • dcdiag.exe /s:<DomainController>[:<LDAPPort>] [/u:<Domain>\<Username> /p:{*|<Password>|""}]

Where “/s:” names the domain controller (optionally with an LDAP port), and “/u:<Domain>\<Username>” and “/p:” are the username and password used to connect to that DC (a “*” for the password prompts for it).

This basic command-line will return the test results showing the primary test (connectivity test) and any specified test on the domain controller.

To know what can you do with the DCDiag tool along with all its command-line switches, you can start with the help command:

  • C:\Windows\System32> dcdiag /?

To use any of the following switches, just append it after the “DCDiag” command. A summary of the popular command switches:

  • /s <DC name> Run DCDiag test against the specified remote Domain Controller.
  • /u <domain\username> use the credentials to connect to a remote DC.
  • /p <password> use along with /u to specify the password of the user.
  • /a Perform DCDiag tests against all DCs within a site.
  • /q (quiet) – Display only error messages.
  • /c (comprehensive) tests against the DC including DNS.
  • /v (verbose) – display extended information.
  • /f (filename) Save the results to the specified filename.

4. How to run DCDiag?

To run a simple DCDiag test on your local DC, type the DCDiag without any switch (or argument).

  • C:\Windows\System32>dcdiag.exe

Note, that DCDiag detects the current (local) DC, so you don’t have to specify any domain controller or administrative credentials. Of course, this is true as long as you are logged to the local domain controller and with administrator rights.

Remote DC Health Checks

To run diagnostics on a remote DC, you’ll have to specify the name of the DC by appending “/s:<name of DC>,” plus its credentials (username and password). For example:

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /u:dc01ny\Administrator /p:pa$$word

When you specify a directory server with /s:<Directory Server>, a few tests ignore it: the DcPromo and RegisterInDNS tests always run against the local machine, not against the DC named with /s.

Note that the /u (username) value must be an account with domain admin permissions, written in the format domain\username. For example, the username (Administrator) prefixed with the domain name (dc01ny): /u:dc01ny\Administrator.

Checking health for all DCs

Each AD site may contain a collection of DCs that are interconnected with each other. If your AD is divided into sites, the “/a” switch is very helpful: it runs the DCDiag tests against all DCs within a site at once.

For example: 

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /a

5. Using DCDiag to test DNS

By default, and regardless of whatever else you are testing, DCDiag always checks the DNS registration of each domain controller during the primary connectivity test. Additionally, you can run very specific DNS tests, including forwarders, record registration tests, and more, all of which help you troubleshoot DNS issues.

To test DNS and run these diagnostics, use the /test:dns switch. The command syntax is as follows:

  • dcdiag /test:DNS

An example? 

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /test:dns

By default, /test:dns performs all of the following basic DNS tests except external name resolution. The DnsBasic test is included in every DNS result. If no sub-test is specified, /test:dns defaults to /DnsAll.

  1. /DNSBasic The basic DNS test includes network connectivity, DNS client, zones, and service availability.
  2. /DnsForwarders Performs the basic test and checks the configuration of DNS forwarders.
  3. /DnsDelegation Basic and DNS delegation test.
  4. /DnsDynamicUpdate Runs the basic test and checks whether dynamic DNS updates are enabled in AD.
  5. /DnsRecordRegistration Performs the /DNSBasic test and checks the registration of resource records (A, CNAME, and SRV).
  6. /DnsResolve<Internet Name> Performs the basic DNS tests and attempts to resolve the <Internet name>
  7. /DnsResolveExtName <internet name> To test DNS resolution for external names.
  8. /DNSAll Perform all above tests, except the /DnsResolveExtName.

A DNS test would look like this:

When you run the /test:dns you can also save all results of the output to a log file, using “/f:” for txt, “/x:” for XML, and “/xsl:” for XLS.

6. Customizing DCDiag Results

DCDiag allows you to customize the results by showing you less or more information. You can also export the results for later analysis.

Run DCDiag in quiet mode

The standard output of the DCDiag test is already quite extensive, and anyone skimming through it can easily miss an error message. This is why the “/q” switch comes in handy: it reduces the size of the output by displaying only the list of error messages.

An example of DCDiag in quiet mode: 

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /q

The /q output is filtered only to errors. It looks like this:

Run DCDiag with Verbose Output

Run DCDiag with verbose output by appending the /v, verbose switch. With it, you’ll get additional details from the standard output, such as errors, warnings, informational messages, etc. The “/v” switch is the opposite of the “/q” switch. It extends the size of the output.

As mentioned earlier, the DCDiag (without /v) provides enough information to troubleshoot and diagnose any problem in your domain controller, which might be enough in most cases.

An example of the verbose switch: 

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /v

The verbose output looks like this.

The verbose output is recommended only if you see errors or warnings in the standard summary table and you want to investigate the problem with more details.

Exporting DCDiag Results.

The DCDiag utility tool allows you to export the health check results. All results of the test will be saved into a text file, by appending the “/f” switch to the DCDiag command.

For example:

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /f:c:\dcdiag_dc01ny_test01.txt

Note that you can customize the name of the log file and save it in any specific folder. You can open the results in notepad or any program that supports .txt files.

Export to XML and XSL? You can also export results to XML or XSL, but this function only works with the /test:dns switch:

For example:

  • dcdiag /test:dns /x:<XMLLog.xml>

7. Additional Functions

DCDiag also allows you to perform additional functions like fixing issues, which is outside normal diagnosis. You can also customize the running tests, by either specifying a single test or skipping any.

Fix Errors

The DCDiag is a purely diagnostic tool. It runs various tests and only reports back its results. But there is a fantastic switch that attempts to make safe repairs on the reported errors: the /fix switch.

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /fix

When you use the /fix switch, you don't need to specify any additional parameters or attributes. The /fix switch only applies to the MachineAccount test: it repairs the Service Principal Names (SPNs) on the MachineAccount object of the DC.

A word of caution! Even though the /fix switch is designed to make safe automatic repairs, it is still making changes to the domain controller. Before using /fix, analyze the test results and always perform a backup of the domain controller.

Perform Specific Tests or Skip them

As mentioned earlier, some DCDiag tests do not run by default, so they’ll need to be specified. The (/test:) switch allows you to perform only one test (plus the primary connectivity test). You can either call for one of those tests that don’t run by default or specify a default test if you want to shorten the output.

The syntax for this command is: 

  • /test:<TestName>

An example of this switch is when you use it with the DNS test:

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /test:dns

Or,

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /test:CheckSecurityError 

Additionally, you can make the DCDiag tool exclude specific tests. The (/skip:) switch is helpful when you want to get cleaner results in any manual or automated script test. Do not mix this parameter with the (/test). You can't apply the skip switch to the Connectivity Test.

The syntax for this command is: 

  • /skip:<Test>

An example?

  • C:\Windows\System32>dcdiag.exe /s:dc01ny /skip:Replication
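The following PowerShell wrapper is an added example, not code from the article: it sweeps every domain controller returned by Get-ADDomainController (the whole domain, rather than the single site that /a covers), runs dcdiag with the /s:, /f: and /skip: switches from sections 4, 6 and 7, and parses the “passed test” / “failed test” summary lines into objects you can filter or schedule. It assumes the ActiveDirectory RSAT module is installed and the account running it may query each DC; the function name Invoke-DcHealthCheck and the log directory are assumptions.

```powershell
# Added example: sweep every DC in the domain with DCDiag and summarise the results.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to query each DC.
Import-Module ActiveDirectory

function Invoke-DcHealthCheck {
    param(
        [string[]]$Skip = @(),                      # tests to leave out, e.g. 'Replications'
        [string]$LogDirectory = "$env:TEMP\dcdiag"  # one /f: report per DC is written here
    )
    New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null

    foreach ($dc in Get-ADDomainController -Filter *) {
        $log = Join-Path $LogDirectory "dcdiag_$($dc.HostName).txt"
        # /s: targets the remote DC, /f: saves the full report, /skip: drops unwanted tests
        $dcdiagArgs = @("/s:$($dc.HostName)", "/f:$log")
        foreach ($test in $Skip) { $dcdiagArgs += "/skip:$test" }
        & dcdiag.exe @dcdiagArgs | Out-Null

        if (-not (Test-Path $log)) {
            # No report at all means dcdiag itself did not run for this DC; surface it as an error
            [pscustomobject]@{ DomainController = $dc.HostName; Test = '(no report)'; Result = 'error'; Log = $null }
            continue
        }
        # Summary lines look like: "......................... DC01 failed test Replications"
        foreach ($line in Get-Content $log) {
            if ($line -match '^\s*\.+\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    Test             = $matches.test
                    Result           = $matches.result
                    Log              = $log
                }
            }
        }
    }
}

# Example run: skip the Replications test, then list only the DCs and tests that did not pass
$report = Invoke-DcHealthCheck -Skip 'Replications'
$report | Where-Object { $_.Result -ne 'passed' } | Format-Table DomainController, Test, Result, Log -AutoSize
```

The per-DC text reports stay in the log directory, so a failure in the summary can be investigated by opening that DC’s file or re-running dcdiag with /v against just that host.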

8. Conclusion

The DCDiag is an easy-to-use and simple, yet powerful utility for checking the health of your domain controllers. DCDiag can help you troubleshoot DNS issues, AD replication, and other domain service problems.

To expand your domain controllers' health checks and monitoring efforts and keep track of other key services like DNS and DHCP, use the SolarWinds Server & Application Monitor (SAM). This tool helps you identify DC issues, extend the visibility of the DC’s performance, prevent replication failures, keep track of failed logins, manage DS files, and a lot more.