
Saturday, September 19, 2009

Active Directory Health Check tools

It is always a good idea to run several health checks against the existing Active Directory before performing any potentially dangerous domain operation.

In this article, I will explain more about the tools that I have frequently used.

a) DCDiag - basic domain diagnostic tool that analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting.

Format:-
dcdiag /v /f:dcdiag.log

/v = verbose mode
/f = output to a file
/e = run diagnostics against all domain controllers
/s
/fix = fix service principal name (SPN)
/q = report errors only

b) Check schema version
Go to the registry key HKey_Local_Machine\system\CurrentControlSet\services\NTDS\Parameters

The last parameter is the schema version number.

Here are some of the schema version numbers for your reference:
13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM

For more details:- http://support.microsoft.com/kb/556086/en-us?spid=3198

c) Netdiag - domain controller network diagnostic. It helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client.
Format:-
netdiag /v > C:\netdiag.txt

c) dnslint - verify Domain Name System (DNS) records and generate an HTML report.
Format:-
dnslint /d = diagnoses potential causes of "lame delegation" and other related DNS problems.
dnslint /ql = verifies a user-defined set of DNS records on multiple DNS servers.
dnslint /ad = verifies DNS records specifically used for Active Directory replication.

For more detail:- http://support.microsoft.com/kb/321045

d) repadmin - assists administrators in diagnosing replication problems between Windows domain controllers and is used for monitoring the relative health of an Active Directory forest.
Commonly used syntax:- replsummary, showrepl, showrepl /csv, showvector /latency, and syncAll

For more detail:- http://technet.microsoft.com/en-us/library/cc773062(WS.10).aspx

e) replmon - GUI tool used to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

f) Nslookup - useful tool for DNS verification.

g) Netdom
Format:-
"netdom query /verify" = verify that all trusts are working and responding to the stored passwords.
"netdom query fsmo" = identify the FSMO servers
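
An added example, not part of the original post: a PowerShell function that turns the "showrepl /csv" output mentioned under repadmin into a go/no-go check before a risky domain operation. The function name, the 24-hour threshold, and the sample rows (hypothetical DCs and domain) are assumptions; the column names follow the CSV header that repadmin prints.

```powershell
# Constructed sample in the layout of 'repadmin /showrepl * /csv' (hypothetical DCs).
# On a domain controller, use instead:  $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=test",HQ,DC02,RPC,0,0,2009-09-19 08:55:12,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=example,DC=test",Branch,DC03,RPC,14,2009-09-19 08:40:03,2009-09-17 21:10:44,1722
showrepl_INFO,Branch,DC03,"DC=example,DC=test",HQ,DC01,RPC,0,0,2009-09-18 02:15:30,0
'@

function Get-UnhealthyReplLink {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,  # objects from ConvertFrom-Csv
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24                            # assumed threshold, tune per site
    )
    $fmt  = 'yyyy-MM-dd HH:mm:ss'
    $inv  = [System.Globalization.CultureInfo]::InvariantCulture
    $none = [System.Globalization.DateTimeStyles]::None
    foreach ($r in $Rows) {
        $reasons = @()
        if ($r.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Assumption: any non-INFO row (e.g. showrepl_ERROR) is treated as a failure.
            $reasons += "row type $($r.showrepl_COLUMNS)"
        } else {
            if ([int]$r.'Number of Failures' -gt 0) {
                $reasons += "failures=$($r.'Number of Failures'), status=$($r.'Last Failure Status')"
            }
            $last = [datetime]::MinValue
            if (-not [datetime]::TryParseExact($r.'Last Success Time', $fmt, $inv, $none, [ref]$last)) {
                $reasons += 'no successful replication recorded'
            } elseif (($Now - $last).TotalHours -gt $MaxAgeHours) {
                $reasons += ('last success {0:N0}h ago' -f ($Now - $last).TotalHours)
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Reasons       = $reasons -join '; '
            }
        }
    }
}

$rows = ($sample -split "`r?`n") | ConvertFrom-Csv
# Fixed clock so the constructed sample gives the same result on every run.
$bad = @(Get-UnhealthyReplLink -Rows $rows -Now ([datetime]'2009-09-19 09:00:00'))
$bad | Format-Table -AutoSize -Wrap
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) replication link(s) unhealthy; postpone the change." }
```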