DCDiag (dcdiag.exe) is the comprehensive, built-in utility for checking the health of an Active Directory Domain Controller. It runs a suite of roughly 30 tests against the selected DC, covering connectivity, replication, DNS (when requested), errors in the event logs, and more. Here, we'll look at how to run the command effectively and how to read its output.
The DCDiag command has a number of available options and ways it can be run. However, the most common way to run it is with no parameters at all, simply dcdiag from an elevated command prompt on the DC itself:
Running it like this causes DCDiag to run the default set of tests against the local server. The default set is fairly extensive, but not complete: a few tests, such as DNS and Topology, only run when you ask for them. If you only want to run a specific test, use the /test parameter (for example, dcdiag /test:DNS). The Connectivity test is required and runs regardless of which test you select:
Conversely, you can use the /skip parameter to skip specific tests (for example, dcdiag /skip:SystemLog). DCDiag does not allow /test and /skip in the same command line:
Finally, the other most common option is the /s parameter, which specifies another server to run the tests against. This allows you to run dcdiag remotely against other DCs in the environment (the related /a and /e switches test every DC in the current site or the whole enterprise, respectively). For example, dcdiag /s:CONTOSODC2 runs the tests against a server named CONTOSODC2:
Reading the Output
When run without any parameters, the DCDiag command outputs a lot of information that can be hard to decipher. Let's look at a basic example:
In this screenshot, the information in the blue box is the basic setup and core connectivity test, which DCDiag labels "Doing initial required tests". This section is present whenever you run DCDiag; if the Connectivity test fails, the remaining tests for that server are skipped. After that, the tool moves on to the actual DC tests under "Doing primary tests". The sections in green indicate tests that passed, while the red section shows a test that failed. Each test ends with a one-line summary of the form "......................... CONTOSODC2 passed test Connectivity" or "... failed test NCSecDesc", which is the line to scan for first.
To make the results easier to read, you can combine parameters that simplify the output. The /q (quiet) parameter prints only errors, hiding every test that passed. Additionally, the SystemLog test reports every error written to the System event log in the last 60 minutes, which can add hundreds of lines that may or may not be relevant. Putting it together, dcdiag /q /skip:systemlog provides a very easy to read summary of the DC health (use /v instead if you want more detail rather than less):
You can see how all of the extra information, including successful tests, is hidden from the output. This makes it easy to focus on the failures.
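The summary lines are regular enough to parse, which is useful when you want to check several DCs at once or keep a record of results. The following PowerShell function is an added example, not code from the original article: it runs dcdiag with /s against each DC, skips the SystemLog test as discussed above, and turns the "passed test"/"failed test" lines into objects, keeping the detail lines printed between "Starting test:" and the summary so that failures can be inspected. It assumes dcdiag.exe and the ActiveDirectory module (RSAT or a DC) are available and that the account has Domain Admins rights; the server names in the usage line are placeholders.

```powershell
# Added example (not part of the original article). Runs dcdiag against one or
# more DCs and parses the per-test summary lines into objects.
# Assumptions: dcdiag.exe and the ActiveDirectory module are on this machine,
# and the calling account has Domain Admins rights.
function Get-DcDiagResult {
    [CmdletBinding()]
    param(
        # DCs to test; defaults to every DC in the current domain.
        [string[]]$Server = (Get-ADDomainController -Filter * |
                             Select-Object -ExpandProperty HostName),
        # Tests to skip. SystemLog is noisy and is better reviewed separately.
        [string[]]$Skip = @('SystemLog')
    )

    # dcdiag prints one summary line per test, e.g.
    #   ......................... CONTOSODC2 failed test NCSecDesc
    # The target is not always the server: enterprise-level tests report the
    # domain or forest name instead, so it is captured separately.
    $summaryPattern = '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'

    foreach ($dc in $Server) {
        $dcdiagArgs = @("/s:$dc")
        foreach ($t in $Skip) { $dcdiagArgs += "/skip:$t" }

        # 2>&1 keeps anything written to stderr (RPC/connectivity errors) in the
        # stream so it is not lost; every record is coerced to a string.
        $output = & dcdiag.exe @dcdiagArgs 2>&1 | ForEach-Object { "$_" }

        $currentTest = $null
        $detail = @()
        foreach ($line in $output) {
            if ($line -match '^\s*Starting test:\s+(\S+)') {
                $currentTest = $Matches[1]
                $detail = @()
                continue
            }
            if ($line -match $summaryPattern) {
                [pscustomobject]@{
                    Server = $dc
                    Target = $Matches.target
                    Test   = $Matches.test
                    Result = $Matches.result
                    # Detail lines dcdiag printed for this test, trimmed and joined.
                    Detail = (($detail | ForEach-Object { $_.Trim() } |
                               Where-Object { $_ }) -join "`n")
                }
                $detail = @()
                continue
            }
            if ($currentTest) { $detail += $line }
        }
    }
}

# Usage (CONTOSODC1/CONTOSODC2 are placeholder names):
Get-DcDiagResult -Server CONTOSODC1, CONTOSODC2 |
    Where-Object Result -eq 'failed' |
    Format-List Server, Test, Target, Detail
```

Because a failed Connectivity test makes dcdiag skip the remaining tests for that server, a DC that only returns a single failed Connectivity row is usually a networking or RPC problem rather than a directory problem; see the troubleshooting list below.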
Now that we can run and understand the output of DCDiag, let's look at some common failures and errors and how to resolve them.
- In the NCSecDesc test, the error "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set" indicates that the domain hasn't been prepared for read-only domain controllers. Running adprep /rodcprep adds the missing permission. If no RODCs are present or planned, this error can be safely ignored.
- The SystemLog test fails if any error was written to the server's System event log in the last 60 minutes, even if the errors aren't AD related. A failure here therefore doesn't necessarily mean the DC is unhealthy; review the events listed in the output to judge their severity and relevance.
- The FrsEvent and DFSREvent tests report errors logged to the File Replication Service and DFS Replication event logs, respectively. If these tests fail, check those logs under "Applications and Services Logs" in Event Viewer. FrsEvent is only meaningful while SYSVOL is still replicated by the deprecated FRS; once SYSVOL has been migrated to DFS Replication, only the DFSREvent test matters.
- The Replications test checks for recent successful inbound replication to the DC. If it fails, the output names the failing partner and naming context. For additional detail, use repadmin /showrepl and repadmin /replsummary, and review the Directory Service event log on the affected DCs.
- If you get multiple Access Denied errors, ensure you are running the command prompt as administrator with an account that has Domain Admins rights. UAC strips administrative privileges from a non-elevated prompt, so some tests fail until DCDiag is run elevated.
- If connectivity or RPC errors are returned and you're targeting another server, ensure that the remote server is reachable from the current server by name. DNS resolution, routing, or firewall rules blocking the RPC endpoint mapper (TCP 135) and the dynamic RPC port range can all prevent DCDiag from communicating with the remote DC.
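Before re-running dcdiag against a remote DC after one of the last three failures, it is worth confirming the basics from the same machine. The following PowerShell functions are an added example, not code from the original article: one checks that the current session is elevated (the Access Denied case), one checks name resolution and the TCP ports dcdiag's tests depend on (the RPC/connectivity case), and one reads repadmin /showrepl /csv to list the replication links with recorded failures (the Replications case). They assume RSAT or a DC (repadmin.exe, the DnsClient and NetTCPIP modules); the server name in the usage lines is a placeholder.

```powershell
# Added example (not part of the original article). Pre-flight checks for the
# troubleshooting bullets above. Assumptions: repadmin.exe, Resolve-DnsName and
# Test-NetConnection are available (RSAT or a DC); server names are placeholders.

# Access Denied bullet: is this PowerShell session running elevated?
function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Connectivity/RPC bullet: does the name resolve, and are the fixed ports open?
function Test-DcReachability {
    param(
        [Parameter(Mandatory)] [string]$Server,
        # Ports dcdiag's tests rely on: RPC endpoint mapper (135), Kerberos (88),
        # LDAP (389), SMB for SYSVOL/NETLOGON (445). The dynamic RPC range that
        # follows the 135 handshake cannot be probed port-by-port here.
        [int[]]$Port = @(135, 88, 389, 445)
    )
    $dns = Resolve-DnsName -Name $Server -Type A -ErrorAction SilentlyContinue
    foreach ($p in $Port) {
        $tcp = Test-NetConnection -ComputerName $Server -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server   = $Server
            Resolves = [bool]$dns
            Port     = $p
            Open     = $tcp.TcpTestSucceeded
        }
    }
}

# Replications bullet: which inbound links have recorded failures?
function Get-ReplicationFailure {
    param([string]$Server = '*')   # '*' asks repadmin for every DC
    # repadmin /showrepl /csv emits one row per inbound replication link with
    # the failure counters that dcdiag's Replications test summarises.
    & repadmin.exe /showrepl $Server /csv |
        ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# Usage (CONTOSODC2 is a placeholder name):
if (-not (Test-Elevated)) { Write-Warning 'Not elevated: expect Access Denied from some dcdiag tests.' }
Test-DcReachability -Server CONTOSODC2 | Format-Table -AutoSize
Get-ReplicationFailure -Server CONTOSODC2 | Format-Table -AutoSize
```

A closed port 135 with a resolving name points at a firewall between you and the DC; a name that does not resolve points at DNS, which dcdiag's own DNS test (dcdiag /test:DNS) can then examine in more detail.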