How to Verify Active Directory Health in Microsoft Exchange Server 2010

Microsoft Exchange Server 2010 stores its configuration in Active Directory and depends on AD for authentication, recipient lookups and site topology, so even a minor AD, replication or DNS problem surfaces as an Exchange problem. One of the first things you should do, whether you are troubleshooting or preparing for an installation, is check the health of Active Directory.

I'm logged into a Windows 7 box with the Administrator account. This account is a member of Domain Admins and Enterprise Admins, and the Remote Server Administration Tools have been installed on the box.

I could run these checks from this machine, from a Domain Controller, or from any other machine that has the tools. I'll open a command prompt and use some of the command-line utilities that get installed along with the Administration Tools.

The first one is dcdiag.exe, which checks the health of your Domain Controllers.

I'll use the /e option to test every Domain Controller in the forest (dcdiag /e). This scans everything, so in a larger environment it can take some time. The /a option tests only the Domain Controllers in the local site (dcdiag /a); if both are given, /e overrides /a. Since I'm not on a Domain Controller right now, I'll also use the /s option to name the Domain Controller the tool should connect to first (/s:dc1.uss.local), so the full command is dcdiag /e /s:dc1.uss.local.

When I hit Enter, dcdiag runs a series of tests against each Domain Controller: connectivity first, then advertising, replications, NetLogons, services and the rest, each ending in a line that reads "passed test" or "failed test".

In my environment it all passes. Scrolling back to the top, the connectivity tests look good, and everything below them passed as well.

With a lot of Domain Controllers, though, both the run itself and scrolling through all of this output take time.

A better option is to send all of that output to a file, which is what I'll show next. I'll clear the screen, up-arrow back to the previous command, and add the redirection operator so the output goes to a file called dcdiag.txt: dcdiag /e /s:dc1.uss.local > dcdiag.txt. (dcdiag also has its own /f:filename option that writes the report to a file directly.)

The tests run as before, but the output now lands in dcdiag.txt. It's the same output we saw at the command prompt, but once it's in a file I can open it in Notepad or any other text editor, press Ctrl+F, and search for "failed test" or "error". That's much quicker than sitting in the command prompt and reading through all of it.

Mine comes back clean, so I'll clear the screen and move on.

The next thing I want to do is check replication health and look for problems using repadmin.exe, another utility installed along with the Administration Tools.

I'll run it with the /replsummary option and an asterisk, which means every Domain Controller: repadmin /replsummary *

In a large environment this can also take a while. The output is a table of source and destination Domain Controllers with a largest-delta column (how long since the last successful replication), a fails/total column, and, for any failed attempt, the last error code and message. We're looking for any non-zero number in the fails column.

Mine shows no failures and no errors for any site or server, so this output is completely clean and I have no replication issues. If I did, this would be the place to stop, go through the Active Directory environment, or get with the AD people, and make sure replication is clean and all of the servers are talking before going any further with Exchange.

The last thing we want to do is run one more tool, DNSLint.exe. If you follow some of the documentation and just try to run it, you'll get an error that the command is not found: unlike dcdiag and repadmin, DNSLint is not installed along with the Administration Tools.

You'll need to go to the Microsoft Support site and download it. KB article 321045 describes the DNSLint utility and has a download link for the dnslint.exe package.

Download that EXE and extract the utility to a folder. I put it on my C drive; it's just a command-line utility. Once it's extracted, I open a command prompt and cd to the DNSLint folder.

The syntax for this check is dnslint /ad <DC IP address> /s <DNS server IP address>. The /ad option tests the DNS records that Active Directory replication depends on and takes the IP address of a Domain Controller (an LDAP server); in my environment that's DC1. The /s option takes the IP address of the DNS server to query. I'll use the same server's IP address for both, since DC1 is also a DNS server.

This utility outputs a very useful HTML-based report, color coded to show warnings and errors. Mine looks good: it checked the DNS records on DC1 and DC2 and everything passed.

Scroll to the bottom and you'll see a legend that explains the color coding. Red is for errors and yellow is for warnings, and any that are found are highlighted the same way in the body of the report.

As mentioned earlier, make sure all three checks come back clean before you go further with Exchange: no DNS errors from DNSLint, no replication failures from repadmin, and every Domain Controller test reporting passed from dcdiag.
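The three checks above, wrapped into one PowerShell script as an added example (this is not code from the original post). It assumes the Remote Server Administration Tools are installed, the session runs as an Enterprise Admin, and that the DC IP address (192.0.2.10, a documentation-range placeholder), the DNSLint path (C:\DNSLint\dnslint.exe) and the report directory are placeholders for your own environment; dc1.uss.local is the Domain Controller from the walkthrough. The dcdiag and repadmin output is parsed for "failed test" lines and non-zero fails counters; the DNSLint HTML report is only generated, since its color coding is meant to be reviewed by eye.

```powershell
# Added example: one-shot AD health check wrapping dcdiag, repadmin and DNSLint.
# Assumptions: RSAT installed, Enterprise Admin session, placeholders below edited.
function Invoke-AdHealthCheck {
    param(
        [string]$HomeDc     = 'dc1.uss.local',           # DC from the walkthrough
        [string]$DcIp       = '192.0.2.10',              # assumption: IP of a DC that also runs DNS
        [string]$DnsLintExe = 'C:\DNSLint\dnslint.exe',  # assumption: where dnslint.exe was extracted
        [string]$ReportDir  = (Join-Path $env:TEMP ('adhealth-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
    )
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. dcdiag: /e tests every DC in the forest (/a would limit it to the local
    #    site), /s names the DC to connect to first, /f writes the report to a file.
    $dcdiagLog = Join-Path $ReportDir 'dcdiag.txt'
    & dcdiag.exe /e "/s:$HomeDc" "/f:$dcdiagLog" | Out-Null
    # dcdiag prints one "... <DC> failed test <TestName>" line per failed test.
    Select-String -Path $dcdiagLog -Pattern 'failed test' |
        ForEach-Object { $problems.Add('dcdiag: ' + $_.Line.Trim()) }

    # 2. repadmin /replsummary *: after each "Source DSA" / "Destination DSA"
    #    header the rows look like
    #        DC2          15m:02s     0 /   5      0
    #    and carry the last error code and message when fails > 0.
    $replLog = Join-Path $ReportDir 'replsummary.txt'
    & repadmin.exe /replsummary * | Out-File -FilePath $replLog -Encoding ascii
    $inTable = $false
    foreach ($line in Get-Content $replLog) {
        if ($line -match '^\s*(Source|Destination) DSA') { $inTable = $true; continue }
        if ($line -notmatch '\S') { $inTable = $false; continue }   # blank line ends the table
        if ($inTable -and $line -match '^\s*(\S+)\s+.*?(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$') {
            $dc = $matches[1]; $fails = [int]$matches[2]; $total = [int]$matches[3]
            $err = $matches[5].Trim()
            if ($fails -gt 0) {
                $problems.Add("repadmin: $dc has $fails/$total failed replication attempts $err")
            }
        }
    }

    # 3. DNSLint (separate download, KB 321045): /ad takes the IP of a DC (LDAP
    #    server) and tests the DNS records AD replication needs, /s the IP of the
    #    DNS server to query. /r names the report, /t adds a text copy, /y
    #    overwrites without prompting, /no_open keeps the browser closed.
    #    The HTML report is still reviewed by hand: red = error, yellow = warning.
    $dnsReport = Join-Path $ReportDir 'dnslint'
    if (Test-Path $DnsLintExe) {
        & $DnsLintExe /ad $DcIp /s $DcIp /v /r $dnsReport /t /y /no_open | Out-Null
    } else {
        $problems.Add("dnslint: $DnsLintExe not found; download it from KB 321045")
    }

    # PowerShell 2.0-compatible result object (Windows 7 era)
    New-Object PSObject -Property @{
        ReportDir = $ReportDir
        Problems  = $problems
        Healthy   = ($problems.Count -eq 0)
    }
}

$result = Invoke-AdHealthCheck
$result.Problems | ForEach-Object { Write-Warning $_ }
if ($result.Healthy) {
    Write-Host "AD health checks passed. Reports are in $($result.ReportDir)"
} else {
    Write-Host "Problems found; review the reports in $($result.ReportDir)"
    exit 1
}
```

Run it from an elevated PowerShell prompt on the same box used in the walkthrough. A non-zero exit code makes it easy to gate an Exchange installation or a change window on the result, but the DNSLint report still has to be opened and read, because the script only confirms that it was produced.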
