Dcdiag: How to Check Domain Controller Health

In this tutorial, I’ll show you how to use the Dcdiag command line utility to perform a domain controller health Check.

I’ll also show you how to use Dcdiag to test DNS.

Be sure to check the examples section below and I’ll show you the output of a normal domain controller and one that has issues.

Let’s dive right in.

What is Dcdiag

Dcdiag is a Microsoft Windows command line utility that can analyze the state of domain controllers in a forest or enterprise. You can choose to analyze a single domain controller or all DC’s in a forest.

You might be thinking, how well does a command line utility really do at testing and finding issues with domain controllers?

Well it actually does a pretty good job! I was a surprised to find out how many different tests this command actually did.

I counted a total of 30 different tests, and some tests had multiple tests.

So what does Dcdiag actually do? What kinds of tests does it perform?

You can view a list of tests in the command help menu,  run dcdiag /? to see the help menu.

I’ll have to admit the descriptions from the help command are not that helpful. I came across a good blog post by Ned Pyle called What does DCDIag actually do that explains each test in more details. If you are interested in learning exactly what the Dcdiag command does then I recommend you read that post.

How to install Dcdiag

There is a really good chance that you already have the Dcdiag tool  installed.

If you have the AD DS role installed then Dcdiag is already installed. If you have the Remote Server Administration Tools (RSAT) tools installed then you already have Dcdiag installed.

If you want to install it on a system that doesn’t have either of those then you can download the tool from here and install it a Windows XP or later system (hopefully your still not running XP).

How to use Dcdiag (examples)

DCDiag is very easy to use.

There are several different command line switches that can be used with Dcdiag, to view them all just use this command dcdiag /?

Here is an overview of the switches I’ll be using in the examples below.

/s: dcname switch is used to run Dcdiag against a remote server

/v: switch prints more detailed information about each test

/c: switch means comprehensive, this will run all tests including the dns test.

/q: switch will only print errors. This is useful as dcdiag can display a lot of information, if you want to see just the errors then use this switch.

/f: switch is used to redirect the results to a file.

TIP: When running dcdiag it will probably report some errors but this doesn’t necessarily mean you have issues with your domain controllers.  For example, the command will query the system logs on the DC and display errors logs, but they could be errors from a computer or another server. Again this may not be a DC issue. You will just have to review and determine if it’s related or not.

Video Tutorial

If you don’t like video tutorials or want more details, then continue reading the instructions below.

Example 1: Use /s to run against a remote server

This will run all the DC tests against the remote server DC1.

dcdiag /s:DC1

To run this on a local server just leave off the /s:servername

Example 2: Using /v to display more details

The verbose switch will display additional details. It does the same tests as the first example it just displays more details about each test.

dcdiag /s:DC1  /v

Example 3: Using /f to save to a log file

By using the /f you can save the results to a text file.  This is great for logging the results and reviewing at a later time.

dcdiag /s:DC1 /f:c:\it\dcdiag_test.txt

Example 4: Using /a to run against all domain controllers

If you have multiple domain controllers and want to test them all at once, then use this command.  If you have many domain controllers this will be a lot of information displayed, this is where using the /f option would come in handy.

dcdiag /s:DC1 /a

Example 5: Use /q to only display the errors

DCDiag can diplay a lot of information, to remove the noise and only display the errors use this command.

dcdiag /s:DC1 /q

Example 6: Use multiple switches (My favorite)

Here this the commands I like to run. It will run all tests, displays all the details and outputs it to a file.

dcdiag /s:DC1 /c /v /f:c:\it\dcdiag_test.txt

Now that you know how to test your domain controllers I’ll move onto testing DNS. By the way if you use the last example that includes the /c that switch will run all tests including DNS.

How to test DNS with DCDiag

The DNS diagnostics also includes several tests.

Here are the tests that are performed, by default all tests except external name resolution are ran.

/DnsBasic (basic tests, can’t be skipped)
/DnsForwarders (forwarders and root hints tests)
/DnsDelegation (delegations tests)
/DnsDynamicUpdate (dynamic update tests)
/DnsRecordRegistration (records registration tests)
/DnsResolveExtName (external name resolution test)
/DnsAll (includes all tests above)
/DnsInternetName: <internet name> (for test /DnsResolveExtName)

Use the following command to run a DNS test

dcdiag /s:dc1 /test:dns

Example: Dcdiag results from a normal domain controller

Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: FrsEvent
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: KccEvent
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: Replications
......................... DC1 passed test Replications
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: Services
......................... DC1 passed test Services
Starting test: SystemLog ......................... DC1 passed test SystemLog Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : ad
Starting test: CheckSDRefDom
......................... ad passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ad passed test CrossRefValidation

Running enterprise tests on : ad.activedirectorypro.com
Starting test: LocatorCheck
......................... ad.activedirectorypro.com passed test LocatorCheck
Starting test: Intersite
......................... ad.activedirectorypro.com passed test Intersite

Example: Failed kdc service and NETLOGON Service

Here is the dcdiag output when the kdc and NETLOGON service is stopped. I used the /q switch to only display the errors

C:\Users\rallen>dcdiag /s:dc2 /q
 Fatal Error:DsGetDcName (DC2) call failed, error 1717
 The Locator could not find the server.
 ......................... DC2 failed test Advertising
 kdc Service is stopped on [DC2]
 NETLOGON Service is stopped on [DC2]
 ......................... DC2 failed test Services
 Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717
 A Global Catalog Server could not be located - All GC's are down.
 Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717
 A Primary Domain Controller could not be located.
 The server holding the PDC role is down.
 Warning: DcGetDcName(TIME_SERVER) call failed, error 1717
 A Time Server could not be located.
 The server holding the PDC role is down.
 Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717
 A Good Time Server could not be located.
 Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717
 A KDC could not be located - All the KDCs are down.
 ......................... ad.activedirectorypro.com failed test LocatorCheck

That’s it.

Easy right?

DCDiag is a simple yet very powerful tool to check and diagnose domain controllers. I highly recommend that you become familiar with this tool and run it in your environment from time to time.

I hope you enjoyed this article. If you have any questions leave a comment below.

You might also like:
How to Quickly Check FSMO Roles
How to use nslookup to check DNS records

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor. 

4 Comments

  1. Yashwanth u on August 16, 2018 at 5:00 am

    just awesome

    • Robert Allen on August 22, 2018 at 12:33 pm

      Thanks. I hope you found it useful.

  2. joseph on December 2, 2018 at 8:11 pm

    Very Helpful Thank you

    • Robert Allen on December 17, 2018 at 9:50 pm

      No Problem

Leave a Comment