Dcdiag windows server 2019

Active Directory это надежный, но в то же время крайне сложный и критичный сервис, от работоспособности которого зависит работа всей вашей сети. Системный администратор должен постоянно мониторить корректность работы Active Directory. В этой статье мы рассмотрим основные методики, позволяющие вам быстро проверить и диагностировать состояние вашего домена Active Directory, контроллеров домена и репликации.

Проверка состояния контроллеров домена с помощью Dcdiag

Базовая встроенная утилита для проверки состояния контролеров домена – dcdiag.

Чтобы быстро проверить состояние конкретного контроллера домена AD воспользуйтесь командой:

dcdiag /s:DC01

Данная команда выполняет различные тесты указанного контроллера домена и возвращает статус по каждому тесту (Passed| Failed).

Типовые тесты:

• Connectivity – проверяет регистрацию DC в DNS, выполняет тестовые LDAP и RPC подключения;
• Advertising – проверяет роли и сервисы, опубликованные на DC;
  FRSEvent – проверяет наличие ошибок в службе репликации файлов (ошибки репликации SYSVOL);
• FSMOCheck – проверяет, что DC может подключиться к KDC, PDC, серверу глобального каталога;
• MachineAccount — проверяет корректность регистрации учетной записи DC в AD, корректность доверительных отношения с доменом;
• NetLogons – проверка наличие прав на выполнение репликации;
• Replications – проверка статуса репликации между контроллерами домена и наличие ошибок;
• KnowsOfRoleHolders – проверяет доступность контроллеров домена с ролями FSMO;
• Services – проверяет, запущены ли на контроллере домена необходимые службы;
• Systemlog – проверяет наличие ошибок в журналах DC;
• И т.д.

Картинка с сайта: winitpro.ru

Полное описание всех доступных тестов есть здесь.

Помимо стандартных тестов, которые выполняются по-умолчанию, можно выполнить дополнительные проверки контроллера домена:

• Topology – проверяет, что KCC сгенерировал полную топологию для всех DC;
• CheckSecurityError
• CutoffServers – находит DC, который не получает репликацию из-за того, что партнёр недоступен;
• DNS – доступны 6 проверок службы DNS (/DnsBasic, /DnsForwarders, /DnsDelegation, /DnsDymanicUpdate, /DnsRecordRegistration, /DnsResolveExtName)
• OutboundSecureChannels
• VerifyReplicas – проверяет корректность репликации разделов приложения
• VerifyEnterpriseReferences

Например, чтобы проверить корректность работы DNS на всех контроллерах домена, используйте команду:

dcdiag.exe /s:DC01 /test:dns /e /v

Картинка с сайта: winitpro.ru

В результате должна появится сводная таблица по проверкам разрешения имен службой DNS на всех контроллерах (если все ОК, везде должно быть Pass). Если где-то будет указано Fail, нужно выполнить проверку этого теста на указанном DC:

dcdiag.exe /s:DC01 /test:dns /DnsForwarders /v

Чтобы получить расширенную информацию по результатам тестов контроллера домена и сохранить ее в текстовый файл, используйте команду:

dcdiag /s:DC01 /v >> c:\ps\dc01_dcdiag_test.log

Картинка с сайта: winitpro.ru

Следующая команда PowerShell позволяет вывести только информацию о выполненных тестах:

Dcdiag /s:DC01 | select-string -pattern '\. (.*) \b(passed|failed)\b test (.*)'

Картинка с сайта: winitpro.ru

Чтобы получить состояние всех контроллеров домена, используйте:

dcdiag.exe /s:winitpro.ru /a

Если нужно вывести только найденные ошибки, используйте параметр /q:

dcdiag.exe /s:dc01 /q

Картинка с сайта: winitpro.ru

В моем примере утилита обнаружила ошибки репликации:

There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... DC01 failed test DFSREvent

Чтобы утилита dcdiag попробовала автоматически исправить ошибки в Service Principal Names для данной учетной записи DC, используйте параметр /fix:

dcdiag.exe /s:dc01 /fix

Проверка ошибок репликации между контроллерами домена Active Directory

Для проверки репликации в домене используется встроенная утилита repadmin.

Базовая команда проверки репликации:

repadmin /replsum

Картинка с сайта: winitpro.ru

Утилита вернула текущий статус репликации между всеми DC. В идеальном случае значение largest delta не должно превышать 1 час (зависит от топологии и настроек частоты межсайтовых репликаций), а количество ошибок = 0. В моем примере видно, что одна из последних репликаций заняла 14 дней, но сейчас все OK.

Чтобы выполнить проверку для всех DC в домене:

repadmin /replsum *

Проверку межсайтовой репликции можно выполнить так:

repadmin /showism

Для просмотра топологии репликации и найденных ошибках, выполните:

repadmin /showrepl

Данная команда проверит DC и вернет время последней успешной репликации для каждого раздела каталога (last attempt xxxx was successful).

Картинка с сайта: winitpro.ru

Для запуска репликации паролей с обычного контроллера домена на контроллер домена на чтение (RODC) используется ключ /rodcpwdrepl.

Опция /replicate позволяет запустить немедленную репликацию указанного раздела каталога на определенный DC.

Для запуска синхронизации указанного DC со всеми партнерами по репликации, используйте команду

replmon /syncall <nameDC>

Для просмотра очереди репликации:

repadmin /queue

В идеальном случае очередь должна быть пуста:

Картинка с сайта: winitpro.ru

Проверьте время создания последней резервной копии текущего контроллера домена:

Repadmin /showbackup *

Вы также можете проверить состояние репликации с помощью PowerShell. Например, следующая команда выведет все обнаруженные ошибки репликации в таблицу Out-GridView:

Get-ADReplicationPartnerMetadata -Target * -Partition * | Select-Object Server,Partition,Partner,ConsecutiveReplicationFailures,LastReplicationSuccess,LastRepicationResult | Out-GridView

Картинка с сайта: winitpro.ru

Можете дополнительно с помощью Get-Service проверить состояние типовых служб на контроллере домена:

• Active Directory Domain Services (ntds)
• Active Directory Web Services (adws) – именно к этой службе подключаются все командлеты из модуля AD PowerShell
• DNS (dnscache и dns)
• Kerberos Key Distribution Center (kdc)
• Windows Time Service (w32time)
• NetLogon (netlogon)

Get-Service -name ntds,adws,dns,dnscache,kdc,w32time,netlogon -ComputerName dc03

Картинка с сайта: winitpro.ru

Итак, в этой статье мы рассмотрели базовые команды и скрипты, которые можно использовать для диагностики состояния вашего домена Active Directory. Вы можете использовать их во всех поддерживаемых версия Windows Server, в том числе на контроллерах домена в режиме Server Core.

In this guide, we’ll go through a powerful MS Windows utility known as DCDiag. This tool can be used for performing domain controller health checks, testing DNS services, and even fixing errors automatically. The tool is very simple to use but powerful enough to keep all your domain controllers healthy.

Table of Contents

1. What is the DCDiag utility? 
   • How to install DCDiag?
2. What can you do with the DCDiag utility tool? 
3. The DCDiag command syntax.
4. How to run DCDiag?
   • Remote DC health checks.
   • Checking health for all DCs.
5. Using DCDiag to test DNS.
6. Customizing DCDiag results
   • Run DCDiag in quiet mode.
   • Run DCDiag with verbose output
   • Exporting DCDiag results.
7. Additional Functions
   • Fix errors.
   • Specify or skip tests.
8. Conclusion

1. What is the DCDiag Utility?

The DCDiag is a Microsoft Windows diagnostics command-line tool for domain controller health checks and troubleshooting. With the DCDiag, you can run about 30 different health checks on a domain controller and test DNS settings, replication health, errors, and more.

The DCDiag tool can be used to analyze a single or multiple DCs simultaneously within your AD forest or enterprise.

How to Install DCDiag?

It is very likely that if you are running Windows Server, you already have DCDiag installed.

The DCDiag is built into the modern Windows Server versions, including 2012R2, 2016, and 2019. For older versions, you would need to manually install it using the Support Tools package. The utility is available as long as you are running AD DS (Active Directory Domain Services), or AD LDS (Active Directory Lightweight Directory Services). If you want to run the DCDiag from a Windows OS client, you would need to install the RSAT roles on the computer.

2. What can you do with the DCDiag Utility tool?

As mentioned early, there are close to 30 different DCDiag checks. By default, the tool will perform about 22 checks, where 21 of those can be skipped, and the one remaining “connectivity check”, is forced.

The rest of the tests don’t run by default, so you would need to call for the specific test. The most popular among these tests is the DNS check.

Let’s review some of the different checks that DCDiag performs on a Domain Controller

• Connectivity Check It tests whether the domain controllers are reachable, have LDAP/RPC connectivity, and are registered to DNS. This check can’t be skipped.
• Advertising Verify if the Directory System Agent (DSA) is advertising itself.
• CheckSecurityError This DCDiag test looks for security errors or any problem that might be related to security.
• CutoffServrs It looks for servers that are not receiving replications.
• DNS The DNS test checks the health of the DNS and its settings for the entire forest or enterprise.

Картинка с сайта: www.websentra.com

• Intersite Check for failures that would prevent an inter-site replication
• Machine Account Checks the Machine Account to see if it has the proper information. The DCDiag has a “Fix” feature, which affects this test. You can make the test automatically fix SPNs on the MachineAccount object
• ObjectsReplicated Checks whether the Machine Account and DSA objects have successfully replicated
• RegisterInDNS Checks if the directory server can register the DS Locator DNS records
• Topology Tests the connectivity of the topology for all DSAs

3. The DCDiag Command Syntax

The DCDiag is a simple command-line utility. You can run DCDiag on a CMD Prompt or a PowerShell window. Remember to use administrator privileges.

The basic syntax of DCDiag is:

• dcdiag.exe /s:[:] [/u:\ /p:*||””]

Where “/s:” is Domain Controller, and “/u:\ /p” are username and password for the DC.

This basic command-line will return the test results showing the primary test (connectivity test) and any specified test on the domain controller.

To know what can you do with the DCDiag tool along with all its command-line switches, you can start with the help command:

• C:\Windows\System32> dcdiag /?

Картинка с сайта: www.websentra.com

To use any of the following switches, just append it after the “DCDiag” command. A summary of the popular command switches:

• /s <DC name> Run DCDiag test against the specified remote Domain Controller.
• /u <domain\username> use the credentials to connect to a remote DC.
• /p <password> use along with /u to specify the password of the user.
• /a Perform DCDiag tests against all DCs within a site.
• /q (quiet) – Display only error messages.
• /c (comprehensive) tests against the DC including DNS.
• /v (verbose) – display extended information.
• /f (filename) Save the results to the specified filename.

4. How to run DCDiag?

To run a simple DCDiag test on your local DC, type the DCDiag without any switch (or argument).

• C:\Windows\System32>dcdiag.exe

Картинка с сайта: www.websentra.com

Note, that DCDiag detects the current (local) DC, so you don’t have to specify any domain controller or administrative credentials. Of course, this is true as long as you are logged to the local domain controller and with administrator rights.

Remote DC Health Checks

To run diagnostics on a remote DC, you’ll have to specify the name of the DC by appending “/s:<name of DC>,” plus its credentials (username and password). For example:

• C:\Windows\System32>dcdiag.exe /s:dc01ny /u:dc01ny\Administrator /p:pa$$word

When you specify the DC “Directory Server” as in, (/s: <Directory Server>), there are some cases where the home DC specified with /s, will be ignored. The /s switch will ignore DCPromo and the Register in DNS, which are run locally and not for a domain controller.

Картинка с сайта: www.websentra.com

Note that when you enter the /u (username) information, you’ll need to specify the name of the account with domain admin permissions and using the right format: domain/username. For example, the username (Administrator) appended with the domain name (dc01ny): u:dc01ny\Administrator.

Checking health for all DCs

Each AD’s site may contain a collection of DCs that are interconnected to each other. If your AD is divided into sites, then the “/a” switch is very helpful. It allows you to run the DCDiag utility for all DCs within a site, at once.

For example: 

• C:\Windows\System32>dcdiag.exe /s:dc01ny /a

5. Using DCDiag to test DNS

By default, and regardless of whatever you are testing, the DCDiag tool will always check the DNS registration for each domain controller, during the primary connectivity test. Additionally, you may also run very specific DNS tests, including forwarders, registration records tests, and more— all of which will help you troubleshoot DNS issues.

To test DNS and run various diagnostics, use the /test:dns switch. The command syntax is as follow:

• dcdiag /test:DNS

An example? 

• C:\Windows\System32>dcdiag.exe /s:dc01ny /test:dns

By default, the /test:dns will perform all the following basic tests on DNS except, the external name resolution. The DNSBasic test is shown in all DNS results. If no test is specified, the /test:dns switch will default to /DNSall.

1. /DNSBasic The basic DNS test includes network connectivity, DNS client, zones, and service availability.
2. /DnsForwarders Performs the basic test and checks the configuration of DNS forwarders.
3. /DnsDelegation Basic and DNS delegation test.
4. /DnsDynamicUpdate Runs the basic test and checks whether dynamic DNS updates are enabled in AD.
5. /DnsRecordRegistration Performs the /DNSBasic test and checks the registration of resource records (A, CNAME, and SRV).
6. /DnsResolve<Internet Name> Performs the basic DNS tests and attempts to resolve the <Internet name>
7. /DnsResolveExtName <internet name> To test DNS resolution for external names.
8. /DNSAll Perform all above tests, except the /DnsResolveExtName.

A DNS test would look like this:

Картинка с сайта: www.websentra.com

When you run the /test:dns you can also save all results of the output to a log file, using “/f:” for txt, “/x:” for XML, and “/xsl:” for XLS.

6. Customizing DCDiag Results

DCDiag allows you to customize the results by showing you less or more information. You can also export the results for later analysis.

Run DCDiag in quiet mode

The standard output of the DCDiag test is already quite extensive. Anyone skipping through it may easily miss an error message. This is why the “/q” switch becomes quite handy, as it reduces the size of the output by displaying only the error message list.

An example of DCDiag in quiet mode: 

• C:\Windows\System32>dcdiag.exe /s:dc01ny /q

The /q output is filtered only to errors. It looks like this:

Картинка с сайта: www.websentra.com

Run DCDiag with Verbose Output

Run DCDiag with verbose output by appending the /v, verbose switch. With it, you’ll get additional details from the standard output, such as errors, warnings, informational messages, etc. The “/v” switch is the opposite of the “/q” switch. It extends the size of the output.

As mentioned earlier, the DCDiag (without /v) provides enough information to troubleshoot and diagnose any problem in your domain controller, which might be enough in most cases.

An example of the verbose switch: 

• C:\Windows\System32>dcdiag.exe /s:dc01ny /v

The verbose output looks like this.

Картинка с сайта: www.websentra.com

The verbose output is recommended only if you see errors or warnings in the standard summary table and you want to investigate the problem with more details.

Exporting DCDiag Results.

The DCDiag utility tool allows you to export the health check results. All results of the test will be saved into a text file, by appending the “/f” switch to the DCDiag command.

For example:

• C:\Windows\System32>dcdiag.exe /s:dc01ny f:c:\dcdiag_dc01ny_test01.txt

Note that you can customize the name of the log file and save it in any specific folder. You can open the results in notepad or any program that supports .txt files.

Export to XML and XLS? You can also export results to XML or XSL. but this function only works for the /test:dns switch:

For example:

• /test:dns /x<XMLLog.xml> or, /test:dns/x:<XMLLog.xml>

7. Additional Functions

DCDiag also allows you to perform additional functions like fixing issues, which is outside normal diagnosis. You can also customize the running tests, by either specifying a single test or skipping any.

Fix Errors

The DCDiag is a purely diagnostic tool. It runs various tests and only reports back its results. But there is a fantastic switch that attempts to make safe repairs on the reported errors: the /fix switch.

• C:\Windows\System32>dcdiag.exe /s:dc01ny /fix

When you use the /fix switch, you don’t need to specify any additional parameters or attributes. The /f switch only works for the MachineAccount test. It fixes the Service Principal Names (SPNs) on the MachineAccount object of the DC.

A word of caution! Even though the (fix) switch is designed to make safe automatic repairs, it is still making changes to the domain controller. Before using the /f switch, analyze the test results and always perform a backup of the domain controller.

Perform Specific Tests or Skip them

As mentioned earlier, some DCDiag tests do not run by default, so they’ll need to be specified. The (/test:) switch allows you to perform only one test (plus the primary connectivity test). You can either call for one of those tests that don’t run by default or specify a default test if you want to shorten the output.

The syntax for this command is: 

• /test:<TestName>

An example of this switch is when you use it with the DNS test:

• C:\Windows\System32>dcdiag.exe /s:dc01ny /test:dns

Or,

• C:\Windows\System32>dcdiag.exe /s:dc01ny /test:CheckSecurityError 

Additionally, you can make the DCDiag tool exclude specific tests. The (/skip:) switch is helpful when you want to get cleaner results in any manual or automated script test. Do not mix this parameter with the (/test). You can’t apply the skip switch to the Connectivity Test.

The syntax for this command is: 

• /skip:<Test>

An example?

• C:\Windows\System32>dcdiag.exe /s:dc01ny /skip:Replication

Conclusion

The DCDiag is an easy-to-use and simple, yet powerful utility for checking the health of your domain controllers. DCDiag can help you troubleshoot DNS issues, AD replication, and other domain service problems.

To expand your domain controllers’ health checks and monitoring efforts and keep track of other key services like DNS and DHCP, use the SolarWinds Server & Application Monitor (SAM). This tool helps you identify DC issues, extend the visibility of the DC’s performance, prevent replication failures, keep track of failed logins, manage DS files, and a lot more.

Another automated health check system option is ManageEngine ADManager Plus. This system provides a list of reports, which perform health checks on your AD Domain Controllers as they run. The tool also provides a single interface for your multiple AD instances, covering Exchange, SharePoint, and Office 365 as well as your general AD access controls. The service provides standard admin functions and includes a great deal of system maintenance automation.