Active Directory Health Check Tool
Easily Check the health of Active Directory, diagnose issues, check DNS and event logs.

Key Features
Here are the advantages of using the domain controller health check tool.
Automated Email Reports
Get daily or weekly automated email reports on the health of your domain controllers. Click on the scheduler, configure the email settings, and a task.
Check Domain Controller Health
The Active Directory monitoring tool runs a total of 27 tests on each domain controller. You can choose between basic, comprehensive, and DNS-only tests.
Export Report
Reports can be exported by clicking on the export button and selecting either CSV or HTML.
Check DNS Server Health
You can select DNS Only to check the health of your DNS server. This only tests the DNS if your domain controller is a DNS server.
Find Domain Controller Issues
Failed tests are highlighted in red, click on a failed test to see details. This makes it very easy to review why a test failed and for quick diagnosis.
Monitor Event Logs
This tool will collect logs from each domain controller and display the latest critical and warning level logs.
Diagnose Replication Issues
If you have multiple domain controllers it’s critical that replication is working. The health monitor tool checks replication and will display a fail if it does not pass the test.
How to Guide
The Active Directory Health Check Tool is very easy to use. Follow the steps below.
Step 1: Select Domain Controllers
Click the “Select Domain Controllers” button to select the domain controllers you want to test.

Step 2: Select options and click Run
Select test options. See the test descriptions below.
Default = 20 tests
Comprehensive = 27 tests
DNS Only = tests DNS servers
Include Event logs = Includes errors and warnings from the selected domain controllers.

Step 3: Review Test Results
For each test that fails, you can click on that failed test to see the logs. This will provide more details on why the test failed and will help you troubleshoot domain controller issues.
Review Event Logs
In the test options, you can also include the domain controller event logs. This will collect the errors and warnings from each DC. This should be reviewed on a regular basis.

Automate Email Reports
To send automated email reports you need to configure the email settings and then add a scheduled task.

Active Directory Diagnostic Tests
Below is a list of tests that the health monitor tool runs.
Advertising
Checks whether each DSA is advertising itself, and whether it is advertising itself as having the capabilities of a DSA.
CheckSDRefDom
This test checks that all application directory partitions have appropriate security descriptor reference domains.
CheckSecurityError
Locates security errors (or those possibly security related) and performs the initial diagnosis of the problem. *Comprehensive only*
Connectivity
Tests whether DSAs are DNS registered, respond to ping, and have LDAP/RPC connectivity.
CrossRefValidation
This test looks for cross-refs that are in some way invalid.
CutoffServers
Check for servers that won’t receive replications because its partners are down. *Comprehensive only*
DNS
This test checks the health of DNS settings for the domain environment. *Comprehensive & DNS Only*
FrsEvent
This test checks to see if there are any operation errors in the file replication system (FRS).
DFSREvent
This test checks to see if there are any operation errors in the DFS.
SysVolCheck
This test checks that the SYSVOL is ready.
LocatorCheck FSMO Roles
Checks that global role-holders are known, can be located, and are responding.
Intersite
Checks for failures that would prevent or temporarily hold up intersite replication.
KccEvent
This test checks that the Knowledge Consistency Checker is completed without errors.
KnowsOfRoleHolders
Check whether the DSA thinks it knows the role holders, and prints these roles out in verbose mode.
MachineAccount
Check to see if the Machine Account has the proper information.
NCSecDesc
Checks that the security descriptors on the naming context heads have appropriate permissions for replication.
NetLogons
Checks that the appropriate logon privileges allow replication to proceed.
ObjectsReplicated
Check that Machine Account (AD only) and DSA objects have been replicated.
OutboundSecureChannels
Tests if there are secure channels from all the DC’s in the domain. *Comprehensive only*
Replications
Checks for timely replication between directory servers.
RidManager
Check to see if RID master is accessible and to see if it contains the proper information.
Services
Check to see if appropriate supporting services are running.
SystemLog
This test checks that the system is running without errors.
Topology
Checks that the generated topology is fully connected for all DSAs. *Comprehensive only*
VerifyEnterpriseReferences
This test verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each DSA. *Comprehensive only*
VerifyReferences
This test verifies that certain system references are intact for the FRS and Replication infrastructure.
VerifyReplicas
This test verifies that all application directory partitions are fully instantiated on all replica servers. *Comprehensive only*
Try The Health Check Tool For FREE
Join thousands of IT professionals using the Bulk User Creation Tool to automate the process of account management and enjoy greater freedom over your time.
