The Sysadmins

How do I know if Active Directory is healthy?

I’m having some Active directory issues, where do I start?

I see these questions asked a lot, and talking someone through some basic troubleshooting steps without having physical/remote access can be fairly time consuming. For that reason I’ve put together a script to collect basic information about the domain controller the script is run on and active directory itself- which is then written to a log file.

The log file is saved onto the current users desktop by default. If you want to save the log file to a share you’d use:

set logfile=\\server\share\ADHealth\ADHealth.txt

So, what does it do?

System Boot Time - systeminfo | find "System Boot Time:" – Displays boot time, not massively helpful or directly tied with Active Directory but still worth being aware of the last start-up time.

TCP/IP network configuration - IPCONFIG /all – Displays all current TCP/IP network configuration values. This is normally helpful to highlight any DNS server misconfiguration. For example setting them to external public resolvers.

DCDIAG /a – The meat and potatoes, there’s a great article on what it actually does here: http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx. This is currently set to test all domain controllers (/a), you can get more verbose with /v, but I quite like the initial log to be succinct.

Repadmin /replsummary – Will show you an overview of any failures, and for which DC(s). http://technet.microsoft.com/en-us/library/cc835092%28v=ws.10%29.aspx

Repadmin /showrepl – This will let you know if the last replication attempts where successful. http://technet.microsoft.com/en-us/library/cc742066%28v=ws.10%29.aspx

NETDOM Query FSMO – This will return the FSMO role holders, which can be used to confirm that the role holders are still online and functioning. A good article on FSMO roles and what happens if one of them fails can be found here: https://msmvps.com/blogs/acefekay/archive/2011/01/16/active-directory-fsmo-roles-explained.aspx

Nslookup -querytype=srv _gc._tcp.%domain% – Displays all Global Catalogs.

The batch file

You can copy and paste it into your own batch file or download it from here. If you’re running it on a DC prior to Server 2008 you will need to install the Adminpak: Windows Server 2003 Service Pack 2 Administration Tools Pack (adminpak)

@Echo Off
ECHO Running AD Health Checks - Notepad will open after completion
ECHO You can share this log using http://pastie.org/pastes/new
ECHO This Command Prompt will close after you close Notepad
ECHO https://blog.thesysadmins.co.uk
set logfile=%userprofile%\Desktop\ADHealth.txt
echo You can share this log using http://pastie.org/pastes/new > %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Finds system boot time
echo System Boot Time ------------------------------------------------------------- >> %logfile%
systeminfo | find "System Boot Time:" >> %logfile%
systeminfo | find "System Up Time:" >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays all current TCP/IP network configuration values
echo IPCONFIG ------------------------------------------------------------- >> %logfile%
ipconfig /all >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Analyse the state of domain controllers in a forest and reports any problems to assist in troubleshooting
echo DCDIAG ------------------------------------------------------------- >> %logfile%
dcdiag /a >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM The replsummary operation quickly summarizes the replication state and relative health
echo Replsummary ------------------------------------------------------------- >> %logfile%
repadmin /replsummary >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays the replication partners for each directory partition on the specified domain controller
echo Showrepl ------------------------------------------------------------- >> %logfile%
repadmin /showrepl >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Query FSMO roles
echo NETDOM Query FSMO ------------------------------------------------------------- >> %logfile%
netdom query fsmo >> %logfile%
REM Query Global Catalogs
echo List Global Catalogs ------------------------------------------------------------- >> %logfile%
for /f "tokens=2" %%a in ('systeminfo ^| findstr Domain:') do set domain=%%a
nslookup -querytype=srv _gc._tcp.%domain% >> %logfile%
notepad %logfile%

Run the batch file, when it has completed notepad will open with the freshly created log. If you need to share this log with someone I suggest using pastie.org, and pasting the (redacted) document.

You may just want to run this as a one off when troubleshooting, or you may want to add this to a scheduled task (If so I’d remove the notepad %logfile% line off the end). This can be useful for comparisons and to outline when the error(s) / issues began. If your Active directory currently running like a dream, why not take a baseline log…

This script should give you a starting point for diagnosing some of the more common Active Directory issues. I recommend getting familiar with the tools included in the script, learning how to read and make sense of the information and to be aware of other parameters available.