How to use DCDiag to check Domain Controllers

The Domain Controllers are the backbone of your network. They allow you to organize your network, and manage your users, computers and other resources. So it’s important that your domain controllers run without any problems, and that is where the DCDiag tool comes in.

DCDiag, which stands for Domain Controller Diagnostic Tool, is a built-in command-line utility that allows you to diagnose the health of your domain controllers.

In this article, we are going to take a look at the DCDiag tool, how to use it and I will give you some useful examples to monitor the health of your domain controllers.

Using DCDiag

DCDiag is a built-in tool on domain controllers. To use it you will only need to open PowerShell with administrative rights. We can also use the tool on other servers or computers to check out the health of our domain controllers. For this, you will need to install the Remote Server Administration Tools (RSAT) feature.

You can install RSAT through the Settings > Apps > Optional Features pages or by using the following PowerShell command:

Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online

DCDiag commands

Before we are going to take a look at some useful DCDiag examples, let’s first take a look at the syntax of the tool. The tool can do a lot, but using the right commands will make it easier to find and diagnose any problems.

If you run the command dcdiag without any parameter, then it will run the 21 default tests against the local domain controller. This will generate a pretty long output in the console, which can be a bit overwhelming.

So the basic commands that you will need to know are:

/s:<name-of-domaincontroller>Specifies the server to run the command against.
If not specified, then the test are run against the
local domain controller
/u:<Domain>\<UserName> /p:<Password>Specifies the username and password to use for connecting to the server. Use * for password to get a prompt to enter it.
/qOutputs only the errors
/cComprehensive test, including DNS test
/aRun tests on all domain controllers
/f:<LogFile>Redirects the results to the specified file
/test:<Test>Run only the specified test
/ReplSource:<SourceDomainController>Tests the connection between the local and source domain controller.
dcdiag commands

DCDiag Examples

Now we understand how the tool works, let’s take a look at a couple of examples on how to use it. We are going to start with a basic test, simply run dcdiag on the local server or specifically the domain controller when you run it from another computer:


# Or when running it from another computer
dcdiag /s:la-srv-dc01


Quickly check the health of all your Domain Controllers with this free script. View the results in the PowerShell console or export to HTML

This will run the 21 default tests on the domain controller and show you which tests are passed and which failed. I prefer to use the command line switch /q show it only outputs the errors. This makes it easier to analyze the results:

# Run test against la-srv-dc01 and show only the errors
dcdiag /s:la-srv-dc01 /q

Using Credentials

DCDiag requires administrative access to do all the tests. When you run the command from your workstation you will need to supply the domain admin credentials. For this, we will be using the /u and /p switch. For the password, you can type it in plain text in the command. But better is to use * instead, so you get a prompt to enter the password.

# Run test against la-srv-dc01 and show only the errors and use supplied credentials
dcdiag /s:la-srv-dc01 /q /u:lazyadmin\administrator /p:*

Test All Domain Controllers

When you have multiple domain controllers (you should have atleast two), then you can also run the DCDiag against all of them at once. In this case, I really recommend showing only the errors:

# Run default tests against all domain controllers
dcdiag /q /e

Output to File

All command line output can be redirected to a text file, using the default redirect output operator >. But the DCDiag tool also has a command line switch to redirect the result to a file:

# Default redirect output operator:
dcdiag /s:la-srv-dc01 /q > c:\temp\testdc.txt

# Using the built-in switch:
dcdiag /s:la-srv-dc01 /q /f:c:\temp\testdc.txt

Check FSMO Roles

The tool runs a lot of tests by default, but sometimes you want to run a specific test only. To do this you will need to use the command line switch /test: followed by the test name that you want to run.

For example, to check the FSMO Roles (read more about FSMO in this article), you can use the command below:

dcdiag /test:FSMOCheck

DCDiag Test Replication

The DCDiag tool can also be used to check the replication between your domain controllers. To this, you can run the test replications using the /test: switch. Note that there is also a dedication replication diagnostics tool that you can use, repadmin.

dcdiag /test:Replications

DCDiag Test DNS

DNS is a vital part of your domain network. Any problems or misconfiguration in your DNS can have a big impact on how your domain controllers and Active Directory are running (or even working at all..). This is why DNS configuration diagnostics is also part of the DCDiag tool.

DNS tests are not part of the default test, so you will have to run them separately. The reason for this is that the DNS test can really take a couple of minutes, especially when you are running the tests against multiple domain controllers.

There are a couple of DNS tests that we can run. The DnsBasic test is always included.

/test:DNSRuns all the tests
/DnsBasicTest network connectivity, DNS client configuration, service availability, and zone existence.
/DnsAllChecks if the address (A), canonical name (CNAME), and well-known service (SRV) resource records are registered
/DnsForwardersChecks the configuration of forwarders
/DnsDelegationChecks for proper delegations
/DnsDynamicUpdateDetermines if dynamic update is enabled in the Active Directory zone
/DnsRecordRegistrationChecks if the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered
DcDiag DNS Test

Good to know is that we can still use the basic switches, like /s to connect to another server or /f to export the results to a file. One that is extra is the /x switch, which will export the results to an XML file.

To run the DNS Basic test you will need to specify the /test:DNS and the /DnsBasic:

dcdiag /test:DNS /DnsBasic
dcdiag test dns

After the DCDiag DNS Test is completed you will see a summary of results at the end of the output. In the example below we can see that only the Auth was successful, but even the basic DNS test failed:

domain controller testing

If look at the results above, we can see that the three DNS servers, which were configured in on the Domain Controller were not found.

Running other DNS Tests

To run the other DNS test you will need to specify the /test:DNS and then the test that you want to run. Keep in mind that the basic DNS test is always performed by DcDiag and that the test can really take a couple of minutes.

So if you want to run the DNS Forwarders test, then you will need to use the following command:

dcdiag /test:DNS /DnsDynamicUpdate

Fixing DCDiag Failed Test Advertising

This error indicates that the NTP Time server is not running on the domain controller. This should be running all domain controllers. If the service is not running, or when there is a problem with it, then you will get the error that the domain controller is not advertising as a time server.

dcdiag fix

This problem can easily be fixed by resetting the w32tm service using the steps below:

w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time

If you run the command DCDiag again, you will see that the problem is resolved.

Wrapping Up

Keeping an eye on your domain controllers’ health is important for the stability of your network. With DCDiag we can monitor all the vital parts and easily diagnose any potential issues on the domain controllers.

I recommend running the tool atleast once a month to make sure that everything is running as it should. If you have just promoted or demote a domain controller, then it’s extra important that you run the tool the first couple of days.

Also make sure that you check out this domain controller health report script, which you can easily schedule to run every week.

I hope you found this article helpful, if you have any questions or tips regarding DCDiag, please leave a comment below.

Leave a Comment