This blog post outlines a basic procedure for validating the health of your domain. It is good practice for iterative maintenance and an excellent pre-check before any potentially dangerous domain operation.
Before doing anything that might jeopardize the integrity of your domain, it is important to ensure that there are no outstanding health issues. This kind of check needn’t be horribly complicated or take a lot of time, but it should be done every time so that you aren’t replicating problems across your forest as you do domain maintenance. This is especially critical before schema operations and domain migrations. Using a few simple Microsoft tools in the Windows Resource Kit, the general health of the domain can be validated and much of the risk associated with these projects can be mitigated.
Tools & Resources
DCDiag — Basic Domain Diagnostics
NetDiag — Domain Controller Network Diagnostics
REPLMon — Replication Monitor
NETDom — Domain and Trust Diagnostics
Procedure Steps
Domain Controller Health Check
Preparatory Work
Update Server Documentation
Gather Inventory of domain controllers from the ADU&C | Domain Controllers node
Locate current documentation from client on AD structure
Locate current documentation from client of site/core topology
Document name of every AD domain and Sub-domain
Document name and IP address of every Server
Document all trust relationships
Install Support Tools
Server
Log on to the server with Server Administrator privileges
Insert the Windows 2000/2003 disk into the CD drive
Navigate to CD:\\tools\Support Tools
Run Setup.exe
Preparatory Work Completed
Verify Health of the Domain
Create Log Directories for all Diagnostic Files
Create a Logs Directory at the root of C:\ on the server as C:\Logs
Verify DNS function with NSLOOKUP
Drop to a Command Prompt
At the Command Prompt, key in ‘Nslookup’ <enter>
Resolve each replication partner
Resolve every AD domain and Sub-domain
Fix any failed resolutions
Verify replication function and topology with REPLMON
<ServerName>
Navigate to Start | Programs | Administrative Tools | Support Tools | Replmon
Select the server (<ServerName>) in the Monitored Servers
Select Action | Server | Generate Status Report
When Prompted, specify the file name as c:\Logs\<ServerName>-DDMMYYYY.log
In the Report Options, select all of the reporting options
Click OK
Verify DC health with DCDIAG /verbose on each domain controller
<ServerName>
Drop to a Command Prompt
Key in ‘DCDIAG /s:<ServerName> /v /c > c:\Logs\<ServerName>-DCDIAG-DDMMYYYY.log’ <enter>
Wait as the Diagnostic completes
Fix any errors displayed
Run DCDIAG /s:<ServerName> /fix
Repeat the diagnostic
Verify network connectivity health with NETDIAG /verbose
<ServerName>
Drop to a Command Prompt
NETDIAG /v > C:\Logs\<ServerName>-NetDiag-DDMMYYYY.txt
Wait as the diagnostic completes
Fix any errors displayed
Run Netdiag /fix
Run the NETDIAG diagnostic again
Verify all trusts with NETDOM
<ServerName>
Open a Command Prompt
Type in ‘NetDom query /verify’ <enter>
Verify that all trusts are working and responding to the stored passwords
Fix all errors before continuing
Repeat for each additional Controller
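The DNS-resolution and DCDIAG steps above, repeated for every controller, can be scripted so that failures are collected in one place. The following PowerShell script is an added example, not part of the original post; the controller names are placeholders, and it assumes dcdiag.exe is on the PATH and produces English-language output.

```powershell
# Added example, not from the original post. Assumptions: the DC names below are
# placeholders, dcdiag.exe is on PATH, and output is the English-language format.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),  # placeholder names
    [string]$LogDir = 'C:\Logs'                        # log directory from the procedure
)

function Get-DcdiagFailure {
    # Emit one object per DCDIAG summary line of the form
    # "......... <target> failed test <TestName>".
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{3,}\s+(?<Target>\S+)\s+failed test\s+(?<Test>\S+)') {
            [pscustomobject]@{ Target = $Matches['Target']; Test = $Matches['Test'] }
        }
    }
}

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$stamp = Get-Date -Format 'ddMMyyyy'   # DDMMYYYY, as in the log names above

$findings = foreach ($dc in $DomainControllers) {
    # Step "Verify DNS function": a DC that does not resolve is reported and skipped.
    try {
        [System.Net.Dns]::GetHostAddresses($dc) | Out-Null
    } catch {
        [pscustomobject]@{ Server = $dc; Check = 'DNS'; Detail = 'name did not resolve' }
        continue
    }

    # Step "Verify DC health": same switches as the manual command, logged per server.
    $log = Join-Path $LogDir "$dc-DCDIAG-$stamp.log"
    $output = & dcdiag "/s:$dc" /v /c
    $output | Set-Content -Path $log

    foreach ($f in Get-DcdiagFailure -Lines $output) {
        [pscustomobject]@{ Server = $dc; Check = 'DCDIAG'; Detail = "$($f.Target) failed test $($f.Test)" }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Fix the failures above and repeat the diagnostic before continuing.'
    exit 1
}
Write-Output "All $($DomainControllers.Count) domain controllers passed; logs are in $LogDir."
```

The non-zero exit code lets a change-control wrapper refuse to start a schema operation or migration while any controller still reports a failed test.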
Good Idea.. Thanks