Active Directory
Health Check Tool

Advertising

Checks if each domain controller advertises itself correctly and checks whether it is advertising itself as having the capabilities of a DSA.  

DNS

This test checks the health of your DNS Server settings for your domain such as network connectivity, DNS client configuration, service availability, zone existence, DNS forwarders configuration, DNS delegation, DNS Dynamice Update, DNS record registration, DNS resolve tests and more.

NCSecDesc

Checks that the security descriptors on the naming context heads have appropriate permissions for replication.

KccEvent

This test checks that the Knowledge Consistency (KCC) Checker is completIing without any errors.

Services

Checks to ensure the required domain controller services are running or failing.

NetLogons

Checks that the required logon privileges exist to allow replication to proceed.

CrossRefValidation

This test checks the validity of cross-references.

CutoffServers

Checks for any server that is not receiving replications because its partners are not running.

CheckSecurityError

Detects security errors on your domain controllers (or those possibly security related) and performs the initial diagnosis of the problem along with detailed information for each domain controller.

Intersite

Checks for failures that would prevent or temporarily hold up intersite replication and predicts how long it would take for the Knowledge Consistency Checker (KCC) to recover.

CheckSDRefDom

This test checks all DC application directory partitions have the appropriate security descriptor reference domains.

Connectivity

Checks if your domain controllers are registered in your DNS zone for the domain, if they respond to ping and if they have LDAP or remote procedure call (RPC) connectivity between each other.

SysVolCheck

This test checks that the SYSVOL status is ready and has passed a number of checks.

Replications

Checks for timely replication and any replication errors between your domain controllers.

ObjectsReplicated

Checks that Machine Account (AD only) and Directory System Agent (DSA) objects have been replicated.

RidManager

Checks if the relative identifier (RID) master is accessible and if it contains the correct information.

Topology

Checks if the Knowledge Consistency Checker (KCC) has generated a fully connected topology for all domain controllers.

MachineAccount

Checks if the machine account has been properly registered and that the services are being advertised.

FSMOCheck (LocatorCheck)

Checks your domain controllers can contact a Kerberos Key Distribution Center (KDC), a time server, a preferred time server, a primary domain controller (PDC), and a global catalog server.

OutboundSecureChannels

This test checks if there are secure channels from all the domain controllers in your domain.

VerifyEnterpriseReferences

This test verifies that specified system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each domain controller (DC).

KnowsOfRoleHolders

Checks whether your domain controllers can contact the DCs that hold the five operations master roles in your domain (also known as flexible single master operations or FSMO roles).

VerifyReplicas

Checks all DC application directory partitions are fully instantiated on all replica servers in your domain.

VerifyReferences

Checks that specific system references are intact for the file replication system (FRS) and replication infrastructure.

FrsEvent

Checks to see if there are errors in the file replication system (FRS). (Failing replication of the SYSVOL share can cause policy problems.)

DFSREvent

This test checks to see if there are any operation errors in the DFS replication between domain controllers.