Active Directory Health Checks

Brian W. McCann

I get asked over and over about what I do when I'm performing a health check on a domain controller. Below you will see some of the commands that I use when I need to ensure my domain controllers are still healthy after some sort of change, like patching.

The Event Viewer is always a must. I look at all the logs before and after the update to the domain controller, looking for abnormal events. With the pre-check I usually go back a month of logs to get more historical data. I then run through a couple of command-line utilities. One thing I always do is pipe my commands out to a text document. This just makes it easier for me to read and also to search for failed events.

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must and will always tell you if there is trouble with your DCs and/or the services associated with them.

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt
This will let me know if there are issues with the networking components on the DC. Along with the post test, this is also a quick, easy way to ensure the patch I just installed is really installed (just check the top of the log).

Netsh dhcp show server >> c:\temp\pre_dhcp.txt
Some may not do this, but I've felt the pain of a DHCP server somehow not being authorized after a patch. This allows me to verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt
This shows all my replication and whether it was successful or not. Just be aware that Global Catalogs will have more info here than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt
This is the one that always takes forever but will let you know who you are having issues replicating with.

After I run and check the pre_ scripts, I update my server. When it is done, I run the post_ scripts, which are the same thing, but this allows me to verify them against the output from earlier.
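
The pre/post comparison described above can be scripted. The PowerShell below is an added example, not the author's own script: it pulls the per-test pass/fail summary lines out of two dcdiag captures and lists every test that is failing after the change, along with its state before. The function names, the post_dcdiag.txt file name (following the page's pre_/post_ naming) and the sample lines are assumptions, and the pattern assumes English-language dcdiag output.

```powershell
# Added example: compare dcdiag results captured before and after patching.
# Function names and the sample lines below are constructed for illustration.
function Get-DcdiagTestResult {
    param([string[]]$Line)
    # dcdiag summary lines look like:
    #   ......................... DC01 passed test Connectivity
    $pattern = '^\s*\.+\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'
    foreach ($text in $Line) {
        if ($text -match $pattern) {
            [pscustomobject]@{
                Key    = '{0}/{1}' -f $Matches.Target, $Matches.Test
                Result = $Matches.Result.ToLower()
            }
        }
    }
}

function Compare-DcdiagRun {
    param([string[]]$Pre, [string[]]$Post)
    # The captures use >> (append), so one file can hold several runs;
    # the hashtables keep the last result seen for each target/test pair.
    $before = @{}
    Get-DcdiagTestResult -Line $Pre | ForEach-Object { $before[$_.Key] = $_.Result }
    $after = @{}
    Get-DcdiagTestResult -Line $Post | ForEach-Object { $after[$_.Key] = $_.Result }

    foreach ($key in ($after.Keys | Sort-Object)) {
        if ($after[$key] -eq 'failed') {
            $was = if ($before.ContainsKey($key)) { $before[$key] } else { 'not run' }
            [pscustomobject]@{ Test = $key; Before = $was; After = 'failed' }
        }
    }
}

# Constructed sample output (not from a real domain controller).
$pre = @(
    '......................... DC01 passed test Connectivity'
    '......................... DC01 passed test Replications'
    '......................... DC01 failed test SystemLog'
)
$post = @(
    '......................... DC01 passed test Connectivity'
    '......................... DC01 failed test Replications'
    '......................... DC01 failed test SystemLog'
)
# On a real DC: $pre = Get-Content C:\temp\pre_dcdiag.txt (same for post_dcdiag.txt)
Compare-DcdiagRun -Pre $pre -Post $post | Format-Table -AutoSize
```

A test that shows Before as passed and After as failed is a regression introduced by the change; one that failed in both runs was already a problem and should be triaged separately.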