Active Directory Health Check

This blog post outlines a basic procedure for validating the health of your domain. It is good practice for routine maintenance and an essential pre-check before any potentially dangerous domain operation.

Before doing anything that might jeopardise the integrity of your domain, make sure there are no outstanding health issues. A check of this kind need not be complicated or time-consuming, but it must be done every time, because a fault you replicate across the forest while doing maintenance is far harder to undo afterwards. This is especially critical before schema changes and domain migrations. With a few Microsoft tools from the Windows Support Tools (installed from the Windows 2000 or Windows Server 2003 CD), the general health of the domain can be validated and much of the risk of such projects mitigated.

Tools & Resources

DCDiag - basic domain controller diagnostics
NetDiag - domain controller network diagnostics
REPLMon - replication monitor (GUI)
NETDom - domain and trust management and diagnostics

Procedure Steps

Domain Controller Health Check

Preparatory Work

Update server documentation

  Gather an inventory of domain controllers from the Domain Controllers node of Active Directory Users and Computers (ADUC)
  Locate the client's current documentation of the AD structure
  Locate the client's current documentation of the site and core network topology
  Document the name of every AD domain and sub-domain
  Document the name and IP address of every server
  Document all trust relationships (partner domain, direction and whether the trust is transitive)

Install the Support Tools

  Log on to the server with an account that has Domain Admin rights
  Insert the Windows 2000 or Windows Server 2003 installation CD into the CD drive
  Navigate to \SUPPORT\TOOLS on the CD
  Run Setup.exe (Windows 2000) or Suptools.msi (Windows Server 2003)

Preparatory work completed


Verify Health of the Domain

Create a log directory for all diagnostic files

  Create a Logs directory at the root of C:\ on the server, as C:\Logs

Verify DNS with NSLOOKUP

  Drop to a command prompt
  Key in 'nslookup' <enter>
  Resolve each replication partner by name
  Resolve every AD domain and sub-domain
  Confirm the DC locator record exists: key in 'set type=SRV' <enter>, then '_ldap._tcp.dc._msdcs.<DomainName>' <enter>
  Fix any failed resolutions before going further; replication cannot work while partners do not resolve

Verify replication function and topology with REPLMON

  Navigate to Start | Programs | Administrative Tools | Support Tools | Replmon
  Add the server (<ServerName>) to Monitored Servers if it is not already there, then select it
  Select Action | Server | Generate Status Report
  When prompted, specify the file name as C:\Logs\<ServerName>-DDMMYYYY.log
  In Report Options, select all of the reporting options
  Click OK
  Replmon is GUI-only; 'repadmin /showrepl <ServerName>' from the same Support Tools gives the same replication status at a command prompt

Verify DC health with DCDIAG /v on each domain controller

  Drop to a command prompt
  Key in 'dcdiag /s:<ServerName> /v /c > C:\Logs\<ServerName>-DCDIAG-DDMMYYYY.log' <enter> (/c runs the comprehensive test set; '/f:<file>' can be used instead of the redirection)
  Wait for the diagnostic to complete
  Look for lines ending in 'failed test' and fix the underlying cause of each
  Run 'dcdiag /s:<ServerName> /fix' (this only repairs the SPN registrations on the machine account; every other failure needs a manual fix)
  Repeat the diagnostic and confirm every test passes

Verify network connectivity health with NETDIAG /v

  Drop to a command prompt on the domain controller itself (netdiag has no remote-server switch, so it must be run locally on each DC)
  Key in 'netdiag /v > C:\Logs\<ServerName>-NetDiag-DDMMYYYY.txt' <enter>
  Wait for the diagnostic to complete
  Fix any items tagged [FATAL] or [WARNING]
  Run 'netdiag /fix' (this fixes minor problems such as the DC's DNS registrations; other faults need a manual fix)
  Run the diagnostic again

Verify all trusts with NETDOM

  Open a command prompt
  Key in 'netdom query /domain:<DomainName> /verify trust' <enter>
  Verify that every documented trust is listed and that each secure channel authenticates with the stored trust password
  A single trust can be checked with 'netdom trust <TrustingDomain> /domain:<TrustedDomain> /verify', and its password reset with '/reset' in place of '/verify'
  Fix all errors before continuing

Repeat the whole sequence for each additional domain controller
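The command-line part of the procedure above, scripted as one pass so it can be repeated against every domain controller with dated logs in C:\Logs. This is an added example and not code from the original post. It assumes PowerShell 2.0 or later on a domain-joined machine, the Windows Support Tools (dcdiag, netdiag, netdom, repadmin) on the PATH and a Domain Admin session; the log root, the function names Invoke-DcHealthCheck and Find-HealthFailures and the set of failure patterns scanned for are this example's own choices. It goes slightly beyond the steps above in two places: the inventory is read from the directory rather than from documentation, and because Replmon is GUI-only, repadmin /showrepl stands in for it.

```powershell
# Added example, not code from the original post: the command-line portion of the
# health check above, run in one pass with dated logs in C:\Logs.
# Assumes PowerShell 2.0+ on a domain-joined machine, the Windows Support Tools
# (dcdiag, netdiag, netdom, repadmin) on the PATH, and a Domain Admin session.
# $LogRoot, Invoke-DcHealthCheck, Find-HealthFailures and $failurePatterns are this
# example's own names and choices.
param(
    [string]$LogRoot = 'C:\Logs',
    [string]$Domain  = $env:USERDNSDOMAIN
)

Add-Type -AssemblyName System.DirectoryServices
$stamp = Get-Date -Format 'ddMMyyyy'      # the DDMMYYYY suffix the procedure uses
if (-not (Test-Path $LogRoot)) { New-Item -ItemType Directory -Path $LogRoot | Out-Null }

# Markers the tools print on failure: dcdiag ends a failing test with "failed test",
# netdiag tags problems [FATAL] or [WARNING]; "FAILED:" is written by the DNS step below.
$failurePatterns = @('failed test', '\[FATAL\]', '\[WARNING\]', '^FAILED:')

function Invoke-DcHealthCheck {
    # Inventory from the directory itself rather than from documentation that may be stale.
    $dcs = @([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
             ForEach-Object { $_.Name })
    $domains = @([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
                 ForEach-Object { $_.Name })
    $dcs | Set-Content "$LogRoot\DC-Inventory-$stamp.txt"

    # DNS: every replication partner and every domain must resolve, and the
    # DC locator SRV record must exist, or replication and logons cannot work.
    $dnsLog = "$LogRoot\DNS-$stamp.txt"
    ($dcs + $domains) | ForEach-Object {
        $name = $_                      # inside catch, $_ is the error record, so keep a copy
        try   { $ip = [System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1; "$name -> $ip" }
        catch { "FAILED: $name does not resolve" }
    } | Set-Content $dnsLog
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Add-Content $dnsLog

    # Per-DC diagnostics. dcdiag and repadmin take a target server; netdiag does not,
    # so it covers only this machine and must be repeated on each DC.
    foreach ($dc in $dcs) {
        dcdiag "/s:$dc" /v /c "/f:$LogRoot\${dc}-DCDIAG-$stamp.log"
        repadmin /showrepl $dc 2>&1 | Set-Content "$LogRoot\${dc}-REPADMIN-$stamp.log"
    }
    netdiag /v 2>&1 | Set-Content "$LogRoot\${env:COMPUTERNAME}-NetDiag-$stamp.txt"

    # Trusts: list every trust of the domain and verify each secure channel.
    netdom query "/domain:$Domain" /verify trust 2>&1 | Set-Content "$LogRoot\Trusts-$stamp.txt"
}

function Find-HealthFailures {
    # Pull every flagged line out of today's logs so nothing gets fixed blind.
    Get-ChildItem $LogRoot -Filter "*$stamp*" |
        Where-Object { $_.Name -notlike 'Summary-*' } |
        Select-String -Pattern $failurePatterns |
        ForEach-Object { "$($_.Filename): $($_.Line.Trim())" }
}

Invoke-DcHealthCheck
$failures = @(Find-HealthFailures)
$failures | Set-Content "$LogRoot\Summary-$stamp.txt"
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) flagged line(s) in $LogRoot; fix them (dcdiag /fix and netdiag /fix only cover SPN and DNS registrations), then re-run before any schema or migration work."
} else {
    Write-Host "No failures flagged in $LogRoot for $stamp."
}
```

Run it once on each domain controller, because the netdiag portion only ever reports on the machine it runs on; the dcdiag, repadmin and netdom portions cover the whole domain from wherever the script is started. The summary file is the list to work through before any schema or migration work begins.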

As a last point: ALWAYS take a backup (a System State backup of at least one domain controller, which includes the directory database and SYSVOL) before starting any form of AD work. If you skip it and it all goes wrong, expect your P45, and rightly so.
This entry was posted in Active Directory.

1 Response to Active Directory Health Check

  1. Health says:

    Good Idea.. Thanks
