|When dealing with any Active Directory related issue, checking the health of the domain is a common first step. AD domain health can be broken down into two main parts - the status of the individual DCs and the stability of the replication. Here, we'll cover how to check each of these.
Domain Controller Status
Whether you're investigating a possible issue with a DC, or ensuing a newly-promoted server is healthy, there are some quick steps you can take to check the status of a domain controller. Here are the basics to look at:
- Browse to the server's UNC path (\\myserver1), and check for the NETLOGON and SYSVOL share. If these are missing, check the "File Replication Service" or "DFS Replication" logs in Event Viewer. Incomplete sysvol replication is the most common cause of this issue, and errors related to that will show up in these logs.
- Check the "Directory Service" log in Event Viewer and look for any errors or warnings from the past few days. Oftentimes, any errors in here will be self-explanatory. Some are insignificant and can be ignored, while others are critical issues that need attention.
- Run "dcdiag /q" in command prompt and look for any listed issues. The "/q" switch will suppress any successful tests from being output - only failures will show. This means that if there are no issues, no output will be displayed. If there are issues, look into and resolve them. Some listed failures are expected in certain circumstances. Some examples are:
- "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set" This error indicates that the domain hasn't been prepped for read-only domain controllers. If no RODCs are present or are being planned, this error can be safely ignored. Source
- The SystemLog test will report a failure for any error or warning that’s in the system event log. As a result, failures of the SystemLog test aren't always related to AD issues.
AD Replication Status
In a multi-master database like Active Directory, successful replication is critically important. The command line tool "repadmin" is the best way to check the replication status quickly. There are two ways to run it:
- "repadmin /showrepl" will show you the inbound replication status of the current DC. If there are any issues with inbound replication from its configured partners, they will be clearly listed.
- "repadmin /replsum" displays a summary of the replication of the entire forest. Since this reaches out to every DC in the domain, it can take a long time to run in larger environments. Look for the "fails" column to be 0. Any entries that aren't 0 indicate an issue that needs more investigation. Check the Directory Service log first on any DC that needs to be looked at.