How to use DCDiag to check Domain Controllers

The Domain Controllers are the backbone of your network. They allow you to organize your network, and manage your users, computers and other resources. So it’s important that your domain controllers run without any problems, and that is where the DCDiag tool comes in.

DCDiag, which stands for Domain Controller Diagnostic Tool, is a built-in command-line utility that allows you to diagnose the health of your domain controllers.

In this article, we are going to take a look at the DCDiag tool, how to use it and I will give you some useful examples to monitor the health of your domain controllers.

Using DCDiag

DCDiag is a built-in tool on domain controllers. To use it you will only need to open PowerShell with administrative rights. We can also use the tool on other servers or computers to check out the health of our domain controllers. For this, you will need to install the Remote Server Administration Tools (RSAT) feature.

You can install RSAT through the Settings > Apps > Optional Features page or by using the following PowerShell command. Note that the wildcard installs every RSAT component; DCDiag itself ships with the AD DS and AD LDS Tools component (Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0), so you can narrow the name filter to that one if you prefer:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

DCDiag commands

Before we are going to take a look at some useful DCDiag examples, let’s first take a look at the syntax of the tool. The tool can do a lot, but using the right commands will make it easier to find and diagnose any problems.

If you run the command dcdiag without any parameter, then it will run the 21 default tests against the local domain controller. This will generate a pretty long output in the console, which can be a bit overwhelming.

So the basic commands that you will need to know are:

Command                                Description
/s:<name-of-domaincontroller>          Specifies the domain controller to run the tests against. If not specified, the tests run against the local domain controller.
/u:<Domain>\<UserName> /p:<Password>   Specifies the username and password to use for connecting to the server. Use * as the password to get a prompt to enter it.
/q                                     Quiet: outputs only the errors.
/c                                     Comprehensive: runs all tests, including the (non-default) DNS tests, except DcPromo and RegisterInDNS.
/a                                     Runs the tests against all domain controllers in the current site.
/e                                     Runs the tests against all domain controllers in the forest (overrides /a).
/f:<LogFile>                           Redirects the results to the specified file.
/test:<Test>                           Runs only the specified test.
/ReplSource:<SourceDomainController>   Tests the replication connection between the tested domain controller and the specified source domain controller.

DCDiag Examples

Now we understand how the tool works, let’s take a look at a couple of examples on how to use it. We are going to start with a basic test, simply run dcdiag on the local server or specifically the domain controller when you run it from another computer:

dcdiag

# Or when running it from another computer
dcdiag /s:la-srv-dc01

Tip: Quickly check the health of all your Domain Controllers with this free script, and view the results in the PowerShell console or export them to HTML.

This will run the 21 default tests on the domain controller and show you which tests passed and which failed. I prefer to use the /q switch so that it only outputs the errors; on a healthy domain controller the output is then empty, which makes it much easier to analyze the results:

# Run test against la-srv-dc01 and show only the errors
dcdiag /s:la-srv-dc01 /q

Using Credentials

DCDiag requires administrative access to run all of its tests. When you run the command from your workstation you will need to supply domain admin credentials, using the /u and /p switches. You can type the password in plain text on the command line, but that leaves it in your PowerShell history file and makes it visible to anyone who can read the process command line while DCDiag runs. Better is to use * as the password, so you get a prompt to enter it:

# Run test against la-srv-dc01 and show only the errors and use supplied credentials
dcdiag /s:la-srv-dc01 /q /u:lazyadmin\administrator /p:*

Test All Domain Controllers

When you have multiple domain controllers (you should have at least two), you can also run DCDiag against all of them at once. The /e switch tests every domain controller in the forest; use /a instead if you only want the domain controllers in the current site. In this case, I really recommend showing only the errors:

# Run default tests against all domain controllers
dcdiag /q /e
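The raw output of dcdiag /q /e is one long stream that you still have to read through. The script below is an added example, not part of the original article or of the DCDiag tool: it enumerates the domain controllers with the ActiveDirectory module, runs dcdiag /q against each one, and turns the "failed test" lines into objects you can sort, filter or export. It assumes RSAT (including the ActiveDirectory module) is installed, that you have rights on the domain controllers, and that DCDiag prints its English summary lines of the form "......................... DC01 failed test Advertising". The function name Test-DomainControllerHealth is my own.

```powershell
# Added example: collect dcdiag /q results for every DC as objects.
# Assumes the ActiveDirectory RSAT module and sufficient rights on the DCs.
Import-Module ActiveDirectory

function Test-DomainControllerHealth {
    param(
        # Defaults to every DC in the current domain; pass names to limit the run
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
    )

    foreach ($dc in $DomainController) {
        # /q prints only errors, so a healthy DC produces no output at all.
        # 2>&1 keeps RPC/connectivity errors written to stderr in the capture.
        $output = dcdiag.exe "/s:$dc" /q 2>&1 | ForEach-Object { "$_" }

        # dcdiag reports each failure as "... <DC> failed test <TestName>"
        $failed = $output |
            Select-String -Pattern 'failed test (\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }

        [PSCustomObject]@{
            DomainController = $dc
            Healthy          = ($failed.Count -eq 0)
            FailedTests      = ($failed -join ', ')
            RawOutput        = ($output -join "`n")   # keep the details for troubleshooting
        }
    }
}

$results = Test-DomainControllerHealth

# Unhealthy DCs first, without the verbose raw output
$results | Sort-Object Healthy | Format-Table DomainController, Healthy, FailedTests -AutoSize

# Print the details only for DCs that failed something
$results | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Host "`n==== $($_.DomainController) ====" -ForegroundColor Yellow
    $_.RawOutput
}

# Non-zero exit code so a scheduled task or monitoring job can alert on it
if ($results | Where-Object { -not $_.Healthy }) { exit 1 }
```

Because the per-DC output is kept on the object, you can pipe $results to Export-Csv or ConvertTo-Html for a report, or add /test:<Test> to the dcdiag call to scope the run to one test.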

Output to File

All command line output can be redirected to a text file, using the default redirect output operator >. But the DCDiag tool also has a command line switch to redirect the result to a file:

# Default redirect output operator:
dcdiag /s:la-srv-dc01 /q > c:\temp\testdc.txt

# Using the built-in switch:
dcdiag /s:la-srv-dc01 /q /f:c:\temp\testdc.txt

Check FSMO Roles

The tool runs a lot of tests by default, but sometimes you want to run a specific test only. To do this you will need to use the command line switch /test: followed by the test name that you want to run.

For example, to check the FSMO Roles (read more about FSMO in this article), you can use the command below:

dcdiag /test:FSMOCheck

DCDiag Test Replication

The DCDiag tool can also be used to check the replication between your domain controllers. To do this, run the Replications test using the /test: switch. Note that there is also a dedicated replication diagnostics tool that you can use, repadmin.

dcdiag /test:Replications

DCDiag Test DNS

DNS is a vital part of your domain network. Any problems or misconfiguration in your DNS can have a big impact on how your domain controllers and Active Directory are running (or even working at all..). This is why DNS configuration diagnostics is also part of the DCDiag tool.

The DNS tests are not part of the default tests, so you have to run them separately. The reason for this is that the DNS test can take several minutes, especially when you are running it against multiple domain controllers.

There are a couple of DNS tests that we can run. The DnsBasic test is always included, whichever sub-test you select.

Command                   Description
/test:DNS                 Runs the DNS tests. Without a sub-test switch it runs all of the DNS tests below (everything except external name resolution).
/DnsBasic                 Tests network connectivity, DNS client configuration, service availability, and zone existence.
/DnsAll                   Runs all DNS tests except the external name resolution test.
/DnsForwarders            Checks the configuration of forwarders.
/DnsDelegation            Checks for proper delegations.
/DnsDynamicUpdate         Determines whether dynamic update is enabled in the Active Directory zone.
/DnsRecordRegistration    Checks whether the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered.

Good to know is that we can still use the basic switches, like /s to connect to another server, /e to test all domain controllers, or /f to export the results to a file. One switch that is specific to the DNS test is /x:<XMLLog.xml>, which exports the results to an XML file; it only works in combination with /test:DNS.

To run the DNS Basic test you will need to specify the /test:DNS and the /DnsBasic:

dcdiag /test:DNS /DnsBasic

After the DCDiag DNS test has completed you will see a summary table at the end of the output, with one row per domain controller and one column per sub-test. In the example run, only the Auth check was successful and even the basic DNS test failed: the three DNS servers configured on the domain controller were not found. Whenever the basic test fails, start with the DNS client settings of the domain controller's network adapter (the configured DNS servers must be reachable and must host the Active Directory zones) before you look at the other sub-tests.

Running other DNS Tests

To run one of the other DNS tests you specify /test:DNS followed by the sub-test that you want to run. Keep in mind that the basic DNS test is always performed as well and that the test can take several minutes.

So if you want to run the DNS Forwarders test, you will need to use the following command:

dcdiag /test:DNS /DnsForwarders

And the same pattern applies to the other sub-tests, for example the dynamic update check:

dcdiag /test:DNS /DnsDynamicUpdate

Fixing DCDiag Failed Test Advertising

A common cause of a failed Advertising test is the warning that the domain controller is not advertising as a time server. Every domain controller should advertise as a time server: domain members locate their time source through the domain hierarchy, and Kerberos rejects tickets when the clock skew between client and domain controller exceeds the default tolerance of 5 minutes, so a broken time service quickly turns into authentication failures. If the Windows Time service (w32time) is not running, or its configuration is damaged, DCDiag reports that the domain controller is not advertising as a time server.

This problem can usually be fixed by re-registering the Windows Time service. Stop the service first, then unregister and register it again, reconfigure it, and restart it:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

One caveat: /syncfromflags:domhier tells the domain controller to sync from the domain hierarchy, which is correct for every domain controller except the PDC emulator of the forest root domain. That server is the top of the hierarchy and has nothing to sync from, so it should be configured with /syncfromflags:manual and an external time source instead.

If you run DCDiag again, you will see that the problem is resolved.
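The steps above are easy to apply on the wrong server. The script below is an added example (not from the original article): it records the current time source, re-registers the service, then picks /syncfromflags:domhier or an external peer list depending on whether the local machine is the forest-root PDC emulator, and finishes by re-running only the Advertising test. It assumes it runs elevated on the domain controller that failed the test and that the ActiveDirectory module is available; the value of $ExternalNtp is a placeholder that you should replace with your organisation's time source.

```powershell
# Added example: re-register w32time and configure the correct sync source.
# Assumes an elevated session on the affected DC and the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder external time source (assumed value, replace with your own).
# 0x9 = client mode + use SpecialPollInterval, the usual flags for a manual peer.
$ExternalNtp = 'time.windows.com,0x9'

# The forest-root PDC emulator is the top of the time hierarchy: it must not use
# domhier (it would have nothing to sync from) and needs an external source.
$rootPdc   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$isRootPdc = ($env:COMPUTERNAME -ieq ($rootPdc -split '\.')[0])

Write-Host "Time source before the fix:"
w32tm /query /source

# Re-register the service; stop it first so the unregister/register cycle
# runs against a stopped service.
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

if ($isRootPdc) {
    Write-Host "This is the forest-root PDC emulator, configuring external source $ExternalNtp"
    # The argument is quoted so PowerShell passes the comma-separated list as one token
    w32tm /config "/manualpeerlist:$ExternalNtp" /syncfromflags:manual /reliable:yes /update
} else {
    Write-Host "Member DC, syncing from the domain hierarchy"
    w32tm /config /syncfromflags:domhier /update
}

# Force a sync, give the service a moment, and show the resulting state
w32tm /resync /nowait
Start-Sleep -Seconds 5
w32tm /query /status

# Re-run only the failed test instead of the full default set
dcdiag /test:Advertising
```

After the run, w32tm /query /status should show a source other than "Local CMOS Clock" or "Free-running System Clock"; if it still does, the configured peer is not reachable (check UDP 123 on the firewall) and the Advertising warning will come back.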

Wrapping Up

Keeping an eye on your domain controllers’ health is important for the stability of your network. With DCDiag we can monitor all the vital parts and easily diagnose any potential issues on the domain controllers.

I recommend running the tool at least once a month to make sure that everything is running as it should. If you have just promoted or demoted a domain controller, it is extra important that you run the tool during the first couple of days.

Also make sure that you check out this domain controller health report script, which you can easily schedule to run every week.

I hope you found this article helpful, if you have any questions or tips regarding DCDiag, please leave a comment below.
