The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian

Email Notifications

Blog Search Form

Go

Recent Posts

Tags

Disclaimer

  • This blog is provided "AS IS" with no warranties, and confers no rights. This blog contains my own views and does not necessarily reflect the view of my employer.
    Locations of visitors to this page
    Add to Technorati Favorites

Sites I Visit

Archives

Active Directory Health Checks for Domain Controllers

I've just written a small article on the common steps that I perform when doing health checks on domain controllers.  AdminPrep is not up right now so I'll post the health check stuff here.  I would love for you to come back here and let me know what else you do when you do health checks on domain controllers.

I get asked over and over about what I do when I'm performing a health check on a domain controller.  Below you will see some of the commands that I use when I need to ensure my domain controllers are still healthy after some sort of change...like patching.

The Event Viewer is always a must.  I look at all the logs before and after the update to the domain controller looking for abnormal events.  With the pre-check I usually go back a month of logs to get more historical data. I then run through a couple command line utilities.  One thing I always do is pipe my commands out to a text document.  This just makes it easier for me to read and also search for failed events.

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or services associated with it

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC.  This along with the post test also is a quick easy way to ensure the patch I just installed is really installed (just check the top of the log)

Netsh dhcp show server >> c:\temp\pre_dhcp.txt
Some may not do this but I've felt the pain of a DHCP server somehow not being authorized after a patch.  This allows me verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt
This shows all my replication and if it was successful or not.  Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.

After I run and check the pre_ scripts I update my server.  When it is done I run post_ scripts which are the same thing but this allows me to verify them against the scripts earlier.

Hopefully this helps you when you troubleshoot your domain controllers but by no way is this an all encompassing list of things to do.  These are the standard steps I take but I would love to hear what you all do as well. 

Posted: Tue, Jun 3 2008 20:35 by BrianM | with 9 comment(s) |
Filed under: , , ,

Comments

Norm said:

This is exactly the kind of information that admins want.  Clear and concise, it makes being a server admin that much easier!  Thanks Brian!

# June 3, 2008 10:15 PM

Microsoft: Health Checks on Domain Controllers « ICT-Freak said:

Pingback from  Microsoft: Health Checks on Domain Controllers « ICT-Freak

# June 4, 2008 5:56 AM

Aaron said:

Just thought you might want to edit your dcdiag instead of using the > redirection you can use /f:(filename) to log to a file as well you get the added benefit of using /ferr:(filename) to log only the errors.

# July 31, 2008 3:35 PM

Marcos Chacon said:

There is a tool called spotlight on active directory a part of scriptlogic's active directory management solution.

www.scriptlogic.com/.../spotlight-on-active-directory

From my personal experience it's definitely the best and the most visual way for real-time monitoring and diagnostic of active directory perfomance and state. This tool also inludes built-in analysis tests that can track any possible issues on initial stage before they can seriously harm your environment.

# August 14, 2008 10:43 AM

Ranj said:

Any tools on the support tools with server 2003 available. prefer graphical.,

# September 26, 2008 2:52 PM

BrianM said:

The command line tools are from the support tools but known have a GUI.  Microsoft has Replmon but I don't think it is supported any more.  I like the scripts because they run fast and once you know what to look for it really speeds things up.

# September 26, 2008 5:29 PM

DIY Health Check for Domain Controllers | geekEleet said:

Pingback from  DIY Health Check for Domain Controllers | geekEleet

# December 30, 2008 8:10 PM

Steve Sabo said:

I've seen many of these posts regarding ADHC's, no one ever mentions an analysis of the DNS servers to insure they are properly placed and the primary and secondarys are correctly set to resolve to each other, DNSLINT is a good tool for this, especially in child domain environments. A full site to site analysis should be performed as well to make sure sites are contacting the nearest DC. Also I utilize the AD topology mapping tool from Microsoft for a visual map I give my clients. I also run the Microsoft Baseline Security Analyzer and RSOP's for Group policy verification.

I wrote a vb script that reaches out to all the DC's and dumps the tool reports in a common folder, makes it alot easier and it can be run via task scheduler at night.

Hope this helps.

# July 22, 2009 8:56 AM

BrianM said:

Hi Steve,

I totally agree with you on checking DNS as well.  In fact 9 times out of 10 the problem always seems to be something misconfigured in DNS.  I'm in the process of another revision to my health check blog and will ensure there is a portion that deals with DNS.  Feel free to contact me if you have any suggestions.

Brian

# July 22, 2009 9:54 AM