Search This Blog

Saturday, September 19, 2009

Active Directory Health Check tools

It is always a good idea to perform several health check to the existing active directory before doing any potential dangerous domain operation.

In this article, i will explain more on the tools that i have frequently used.

a) DCDiag - Basic Domain Diagnostic which analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting

dcdiag /v /f:dcdiag.log

/v = verbose mode
/f = output to a file
/e = run diagnostic to all domain controller
/fix = fix service principal name (SPN)
/q = report error only

b) Check schema version
Go to registry HKey_Local_Machine\system\CurrentControlSet\services\NTDS\Parameters

The last parameter is the schema version number.

Here is some of the schema version number for your reference
13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM

For more details: -

c) Netdiag - domain controller network diagnostic. It helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client.
netdiag /v > C:\netdiag.txt

c) dnslint - verify Domain Name System (DNS) records and generate an HTML report.
dnslint /d: This diagnoses potential causes of "lame delegation" and other related DNS problems.

dnslint /ql: This verifies a user-defined set of DNS records on multiple DNS servers.
dnslint /ad: This verifies DNS records specifically used for Active Directory replication.

For more detail:-

d) repadmin -assists administrators in diagnosing replication problems between Windows domain controllers and used for monitoring the relative health of an Active Directory forest.
Famous syntax:- replsummary, showrepl, showrepl /csv, and showvector /latency, syncAll

For more detail:-

e) replmon - GUI which view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication

f) Nslookup - useful tool for dns verification.

g) Netdom
'NetDom query /verify' =verify all trust are working and responding to the stored passwords.
"netdom query fsmo" = identify fsmo server