DCDiag: How to Check Domain Controller Health using Powershell
DCDiag is a powerful command line tool used to diagnose problems with domain controllers in a Microsoft Windows Active Directory environment. We use it to check the health of domain controllers, identify errors or inconsistencies, and troubleshoot replication issues. DCDiag also helps administrators detect and resolve problems with DNS configuration, SYSVOL replication, and other critical services required for Active Directory to function correctly.
We examine DCDiag, a potent Microsoft Windows tool. We use it to test DNS services, evaluate the health of domain controllers, and even automatically correct mistakes. Although relatively simple, the tool is strong enough to maintain all our domain controllers’ health.
Shall we start with the article DCDiag: How to Check Domain Controller Health using Powershell?
DCDiag: How to Check Domain Controller Health using Powershell
Installing the DCDiag Tool
If we are running Windows Server, we should already have DCDiag installed. Microsoft has built DCDiag into modern Windows Server versions, from 2012 R2 onwards.
Purpose of the DCDiag Tool
The purpose of DCDiag is to diagnose and troubleshoot issues with domain controllers in a Windows Server environment. It is a command-line tool that performs a wide range of health checks on a domain controller, including DNS, replication, LDAP and security tests, and it can analyse a single DC or multiple DCs simultaneously within our AD forest or enterprise. Let’s go over a few of the various tests DCDiag performs on a domain controller:
- Connectivity tests – DCDiag checks if the domain controller is connected to the network and can communicate with other domain controllers.
- DNS tests – reviews whether the domain controller resolves names and registers its DNS records correctly.
- Replication tests – tests whether the domain controller replicates accurately with other domain controllers.
- Trust tests – DCDiag checks whether the domain controller trusts other domains and whether other domains trust the domain controller.
- LDAP tests – checks whether LDAP queries work properly on the domain controller.
- Kerberos tests – DCDiag checks whether Kerberos authentication works correctly on the domain controller.
- SYSVOL tests – DCDiag checks whether SYSVOL replication works correctly on the domain controller.
- Global Catalog tests – DCDiag checks whether the DC is acting as a Global Catalog server and whether Global Catalog queries are working correctly.
DCDiag Tool Overview
DCDiag is a simple command line utility. We run DCDiag from a CMD prompt or a PowerShell window. Remember to run it with administrator privileges.
The basic syntax of DCDiag is as follows:
dcdiag.exe /s:<DomainController>[:<LDAPPort>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}]
Wherein:
- /s:<DomainController> – The Domain Controller
- /u:<Domain>\<UserName> – The Username
- /p:* – The Password (prompted for when * is given)
This basic command line returns the test results, showing the primary (connectivity) test and any specified tests on the domain controller. To learn how to use the DCDiag command along with all its switches, let’s start with the help command:
dcdiag /?
DCDiag Switch Parameters
To use any of the following switches, append it after the DCDiag command. A summary of the popular command switches:
- /s <ServerName> – Specifies the server’s name to test. If no server name is specified, DCDiag tests the local computer.
- /v – Provides verbose output and additional information about the tests performed.
- /test:<TestName> – Specifies the name of the test to run. We run multiple tests by specifying multiple /test switches.
- /e – Performs a comprehensive set of tests on the specified domain controller.
- /fix – Attempts to fix any problems found during the tests.
- /f:<LogFileName> – Specifies the log file’s name to create.
- /c – Specifies that DCDiag should only perform the tests required for advertising the domain controller’s services.
- /skip:<TestName> – Skips the specified test.
- /l:<LogFileName> – Specifies the log file name to append to rather than overwriting.
- /q – Specifies quiet mode, which suppresses the display of informational messages.
- /test:DNS – Runs DNS tests on the specified domain controller.
- /test:KCC – Runs KCC tests on the specified domain controller.
- /test:Replications – Runs replication tests on the specified DC.
- /test:Advertising – Runs advertising tests on the specified DC.
- /test:Services – Runs service tests on the specified DC.
Above are some of the most used DCDiag command line switches, but many more options are available. We can see a complete list of switches and their definitions by running the help command above.
Running DCDiag and Use Cases
To run DCDiag, type the DCDiag command without any switches or arguments to perform a basic DCDiag test on our local DC.
dcdiag.exe
Since DCDiag automatically identifies the current (local) DC, we need to specify neither a domain controller name nor administrative credentials. In the following sections, we discuss multiple use cases using DCDiag’s switch parameters.
Remote DC Health Checks
To run diagnostics on a remote DC, we add the /s: switch followed by the name of the DC, together with its credentials (username and password). For instance:
dcdiag.exe /s:dc01 /u:dc01\Administrator /p:password
The DCPromo and RegisterInDNS tests are not affected by the /s switch, because they are executed locally and are not run against a domain controller.
Note that when we enter the /u (username) information, we must specify an account with domain admin permissions and use the correct format: domain\username. So, for example, we prefix the username (Administrator) with the domain name (dc01): /u:dc01\Administrator.
Checking Health for all DCs
Each AD site may contain a collection of DCs, and the sites are interconnected with each other. The /a switch is beneficial if we have divided the AD into sites: it allows us to run the DCDiag tests against all DCs in the site at once:
dcdiag.exe /s:dc01 /a
Using DCDiag to Test DNS
No matter what we are testing, by default the DCDiag tool always checks each domain controller’s DNS registration during the primary connectivity test. We can also run specific DNS tests, such as forwarders, record registration and others, all of which help in investigating DNS problems. To test DNS, use the command below:
dcdiag.exe /s:dc01 /test:dns
The following fundamental tests run by default, except for external name resolution. All DNS results include the DNSBasic test. If no value is given, the /test:dns switch automatically defaults to /DNSall. Here are some DNS-specific tests we can call when using the DCDiag tool:
- /DNSBasic – Checks if the domain controller’s DNS server is configured correctly and resolves names.
- /DnsDelegation – Tests if DNS delegations are configured correctly for the domain controller.
- /DnsForwarders – Checks whether DNS forwarders are configured correctly for the domain controller.
- /DnsDynamicUpdate – Checks whether the domain controller performs dynamic updates to DNS.
- /DnsRecordRegistration – Tests if the domain controller’s DNS registration is up-to-date and accurate.
These tests ensure a domain controller’s DNS configuration is correct and functioning properly. If DCDiag finds any issues during these tests, we should address them promptly to avoid potential problems with Active Directory and other network services. A DNS test should look like this:
Customizing DCDiag Results
DCDiag allows us to customize the results by showing less or more information, and to export the results for later analysis. Here are some examples of how we customize DCDiag reporting.
Run DCDiag in Quiet Mode
The quiet /q switch is quite handy: it reduces the output size by displaying only the list of error messages. Here is an example of DCDiag in quiet mode:
dcdiag.exe /s:dc01 /q
With /q, the output is filtered to errors only and looks like this:
Run DCDiag with Verbose Output
By adding the /v verbose flag, we run DCDiag with verbose output. It provides more information about each test, such as errors, warnings, informational messages, etc. The /v switch is the opposite of the quiet /q switch.
As previously noted, DCDiag (without /v) provides sufficient details to identify and resolve an issue with our domain controller, which is enough in most circumstances. Here is an example with the verbose switch:
dcdiag.exe /s:dc01 /v
The output with the /v switch should look like this:
We only recommend the verbose output if we see warnings or errors in the standard summary table and want to investigate the problem in more detail.
Exporting DCDiag Results
The DCDiag utility allows us to export the health check results. For example, we save all the test results into a text file by appending the /f switch to the DCDiag command:
dcdiag.exe /s:dc01 /f:c:\dcdiag_dc01_test01.txt
Note that we can customize the log file’s name and save it in any folder. We open the results in Notepad or any program that supports .txt files.
We also export results to XLSX or XML. However, this function only works for the /test:dns switch:
dcdiag.exe /test:dns /x:<XMLLog.xml>
DCDiag is primarily a diagnostic instrument: it performs different tests and simply reports its findings. The /fix switch, however, is a terrific switch that tries to remedy the reported issues safely.
dcdiag.exe /s:dc01 /fix
We don’t need to provide more parameters or attributes when using the /fix switch. The /fix switch is functional for the MachineAccount test only: it fixes the Service Principal Names (SPNs) on the DC’s MachineAccount object.
Note: Even though the /fix switch is designed to make safe automatic repairs, it still changes the domain controller. As a result, examine the test results before using the /fix switch, and always create a backup of the DC.
Using DCDiag with PowerShell
There is no DCDiag counterpart in Windows PowerShell. However, we use DCDiag in PowerShell by running the dcdiag.exe command with the appropriate parameters using the Invoke-Expression or Invoke-Command cmdlets. Here’s an example of how to use DCDiag in PowerShell to run the DNS tests:
Invoke-Expression "dcdiag.exe /test:DNS /v"
In this example, we used the Invoke-Expression cmdlet to run the dcdiag.exe command with the /test:DNS parameter to run the DNS tests and the /v parameter to provide verbose output. Of course, we can replace /test:DNS with any other DCDiag test we want to run. Alternatively, we use the Invoke-Command cmdlet to run DCDiag on a remote computer.
Here’s another example:
Invoke-Command -ComputerName "ServerName" -ScriptBlock { dcdiag.exe /test:DNS /v }
In the previous example, we used the -ScriptBlock parameter with Invoke-Command to specify the code we wanted to run on the remote computer. The -ScriptBlock parameter takes a script block, essentially a block of code enclosed in braces {}.
When we use Invoke-Command with the -ScriptBlock parameter, the script block executes on the remote computer specified with the -ComputerName parameter, and its output is returned to the local computer. Using the -ScriptBlock parameter with Invoke-Command is a powerful way to execute commands or scripts on remote computers. It helps manage large numbers of computers in a network environment, as we did here with the DCDiag tool.
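Building on the PowerShell usage above, here is an added example (not code from the original article) that runs dcdiag.exe against every DC in the domain and turns its "passed test" / "failed test" summary lines into objects we can filter and export. It assumes the ActiveDirectory RSAT module and dcdiag.exe are available and that the caller has domain admin rights; the function name Get-DcDiagResult and the output path are our own choices.

```powershell
# Added example: run DCDiag across all domain controllers and parse the
# per-test summary lines into objects. Assumes the ActiveDirectory module
# (RSAT) is installed and that we run with domain admin rights.

function Get-DcDiagResult {
    [CmdletBinding()]
    param(
        # DC host names to test; defaults to every DC in the current domain
        [string[]] $DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName),
        # Optional extra dcdiag switches, e.g. '/test:DNS' or '/q'
        [string[]] $ExtraArgs = @()
    )

    # dcdiag prints one summary line per test, for example:
    #   ......................... DC01 passed test Connectivity
    #   ......................... DC01 failed test Replications
    $pattern = '^\s*\.+\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'

    foreach ($dc in $DomainController) {
        # 2>&1 merges stderr so error text is not lost when a DC is unreachable
        $raw = & dcdiag.exe "/s:$dc" @ExtraArgs 2>&1
        foreach ($line in $raw) {
            if ("$line" -match $pattern) {
                [pscustomobject]@{
                    DC     = $dc
                    Target = $Matches.Target   # object the test ran against
                    Test   = $Matches.Test     # e.g. Connectivity, Replications
                    Passed = ($Matches.Result -eq 'passed')
                }
            }
        }
    }
}

# Usage: keep the full table for later review and show only failing tests
$results = Get-DcDiagResult
$results | Export-Csv -Path "C:\dcdiag_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$results | Where-Object { -not $_.Passed } | Format-Table DC, Target, Test -AutoSize
```

Passing -ExtraArgs '/test:DNS' limits the run to the DNS tests discussed earlier, and a DC that never answers simply yields no summary rows, which is itself worth alerting on.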
Thank you for reading DCDiag: How to Check Domain Controller Health using Powershell. We shall conclude the article now.
DCDiag: How to Check Domain Controller Health using Powershell Conclusion
In conclusion, DCDiag is an essential tool for administrators who manage Active Directory environments. Providing a comprehensive suite of health checks for domain controllers helps administrators diagnose and troubleshoot issues easily. The ability to perform detailed tests related to DNS, replication, LDAP, security, and more makes DCDiag a valuable tool for ensuring the health and stability of domain controllers and the Active Directory environment.
By incorporating DCDiag into regular maintenance and monitoring routines, administrators help prevent more severe issues from occurring and ensure that their Active Directory environment remains secure and reliable.