Active Directory Health Check


This post covers a set of simple checks for verifying an Active Directory Domain Services (AD DS) installation. Passing every check is a strong indication that the domain controller is healthy and operational.

1. Verify Server IP maps to a subnet:

– Click on Start -> Administrative Tools -> Active Directory Sites and Services

– Expand the Sites container and click the Subnets container. On a freshly promoted domain controller the right pane is usually empty: no subnet object exists yet.

– Create one for the server's subnet. Right-click Subnets -> New Subnet...

– Enter the server's subnet in prefix form (network address / prefix length) and select Default-First-Site-Name. The prefix length is the number of one-bits in the subnet mask, and the network address is the IP address ANDed with the mask (an online subnet calculator does the same arithmetic). For example, a server with IP address 172.16.1.5 and mask 255.255.255.0 is on 172.16.1.0/24; with mask 255.255.252.0 it would be on 172.16.0.0/22.

– Click OK. In the Site column of the right pane, the new subnet should show the site that contains the domain controller as a member.
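The same check scripted in PowerShell, as an added example that is not part of the original post: it derives the network address and prefix length from an address and mask, registers the subnet with the ActiveDirectory module's New-ADReplicationSubnet, and then lists subnets and domain controllers so the site mapping can be confirmed. The IP address, mask and site name are constructed sample values.

```powershell
# Added example, not from the original post: derive the subnet for a domain
# controller's address and mask, then register it in AD Sites and Services.
# The IP address, mask and site name below are constructed sample values.
Import-Module ActiveDirectory

function Get-PrefixLength {
    param([Parameter(Mandatory)][string]$SubnetMask)
    # Prefix length = number of one-bits in the mask, e.g. 255.255.252.0 -> 22.
    # Reject non-contiguous masks such as 255.0.255.0, which have no prefix form.
    $octets = $SubnetMask.Split('.') | ForEach-Object { [int]$_ }
    $bits = ($octets | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') }) -join ''
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous subnet mask: $SubnetMask" }
    return ($bits -replace '0', '').Length
}

function Get-NetworkAddress {
    param([Parameter(Mandatory)][string]$IPAddress,
          [Parameter(Mandatory)][string]$SubnetMask)
    # Network address = IP AND mask, octet by octet: 172.16.1.5 / 255.255.252.0 -> 172.16.0.0
    $ip   = $IPAddress.Split('.')  | ForEach-Object { [int]$_ }
    $mask = $SubnetMask.Split('.') | ForEach-Object { [int]$_ }
    $net  = 0..3 | ForEach-Object { $ip[$_] -band $mask[$_] }
    return ($net -join '.')
}

$ServerIP   = '172.16.1.5'              # constructed sample values
$ServerMask = '255.255.255.0'
$SiteName   = 'Default-First-Site-Name'

$subnetName = '{0}/{1}' -f (Get-NetworkAddress $ServerIP $ServerMask), (Get-PrefixLength $ServerMask)
Write-Host "Server $ServerIP belongs to subnet $subnetName"   # 172.16.1.0/24 for the sample values

# Create the subnet object only if it is not already defined
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnetName'")) {
    New-ADReplicationSubnet -Name $subnetName -Site $SiteName
    Write-Host "Created subnet $subnetName in site $SiteName"
}

# Verify: the subnet's Site should be the site whose Servers container holds the DC
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site
```

Run it from an elevated PowerShell session on a domain controller or a machine with RSAT; Get-PrefixLength deliberately throws on a non-contiguous mask rather than silently producing a prefix that no subnet object could represent.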

2. Verify the presence of the NTDS Settings child object:

– Click on Start -> Administrative Tools -> Active Directory Sites and Services

– Expand the Sites container -> Default-First-Site-Name -> Servers container, and then expand the server object. Verify that the child object “NTDS Settings” is present.

3. Check SYSVOL and Netlogon Shares:

Before verifying the SYSVOL and Netlogon shares, first check that the Netlogon and Distributed File System (DFS) Replication services are running. Click Start -> Administrative Tools -> Services.

– Ensure that "DFS Replication" and "Netlogon" are Started and set to Automatic. If a service is stopped, start it. (Domains that still use the File Replication Service (FRS) for SYSVOL run "File Replication Service" in place of DFS Replication.)

– Next, verify that the SYSVOL tree contains the sysvol and scripts shared folders. Click Start -> Run, type CMD and press OK, then type "net share" (without the quotes) and press Enter. In the output, look for "C:\Windows\SYSVOL\sysvol" listed as the SYSVOL share and "C:\Windows\SYSVOL\sysvol\<domain FQDN>\SCRIPTS" listed as the NETLOGON share.

– Next, verify that the permissions required for SYSVOL replication are in place. At the command prompt type "dcdiag /test:netlogons" (without the quotes) and press Enter. In the output look for "passed test Connectivity" and "passed test NetLogons". If either test fails, the default SYSVOL security settings need to be reapplied before continuing.
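Steps 2 and 3 in one PowerShell check, as an added example that is not part of the original post: it locates the NTDS Settings object through the domain controller's NTDSSettingsObjectDN, confirms the two services are running with an Automatic start mode, and compares the SYSVOL and NETLOGON share paths against the expected locations in the SYSVOL tree. It assumes the ActiveDirectory module is available and runs on the local domain controller.

```powershell
# Added example, not from the original post: verify the NTDS Settings object,
# the DFSR/Netlogon services and the SYSVOL/NETLOGON shares on the local DC.
Import-Module ActiveDirectory

function Test-NtdsSettings {
    # NTDS Settings is a child of the server object in the site's Servers container;
    # its distinguished name is exposed directly on the DC object.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectClass -ErrorAction SilentlyContinue
    if ($ntds -and $ntds.objectClass -eq 'nTDSDSA') {
        Write-Host "NTDS Settings present: $($ntds.DistinguishedName)"
        return $true
    }
    Write-Warning "NTDS Settings object missing for $($dc.HostName)"
    return $false
}

function Test-ReplicationServices {
    # Service names: DFSR = "DFS Replication", Netlogon = "Netlogon".
    # FRS-based domains would check 'NtFrs' instead of 'DFSR'.
    $ok = $true
    foreach ($name in 'DFSR', 'Netlogon') {
        $svc  = Get-Service -Name $name
        $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        if ($svc.Status -ne 'Running' -or $mode -ne 'Auto') {
            Write-Warning "$name is $($svc.Status), start mode $mode"
            if ($svc.Status -ne 'Running') { Start-Service -Name $name }
            $ok = $false
        } else {
            Write-Host "$name running, start mode $mode"
        }
    }
    return $ok
}

function Test-SysvolShares {
    # Expected paths: SYSVOL at <SystemRoot>\SYSVOL\sysvol and NETLOGON at
    # <SystemRoot>\SYSVOL\sysvol\<domain FQDN>\SCRIPTS (the default layout).
    $domain   = (Get-ADDomain).DNSRoot
    $expected = @{
        SYSVOL   = "$env:SystemRoot\SYSVOL\sysvol"
        NETLOGON = "$env:SystemRoot\SYSVOL\sysvol\$domain\SCRIPTS"
    }
    $shares = Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
    $ok = $true
    foreach ($name in $expected.Keys) {
        $share = $shares | Where-Object { $_.Name -eq $name }
        if (-not $share) { Write-Warning "$name share is missing"; $ok = $false; continue }
        if ($share.Path -ne $expected[$name]) {
            Write-Warning "$name points at $($share.Path), expected $($expected[$name])"
            $ok = $false
        } else {
            Write-Host "$name share OK: $($share.Path)"
        }
    }
    return $ok
}

$results = [ordered]@{
    NtdsSettings = Test-NtdsSettings
    Services     = Test-ReplicationServices
    Shares       = Test-SysvolShares
}
$results
```

Each function returns a boolean so the three checks can be fed into a larger health script; the share path comparison is case-insensitive, which matches how Windows reports the paths.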

4. Verify DNS Registration and TCP/IP Connectivity:

– Open a command prompt, type "dcdiag /test:dns" (without the quotes) and press Enter. Wait for the test to complete; it can take some time depending on the environment.

– Scroll to the end of the output and check the status. As you can see, all other checks passed except for Forwarder, the reason being that I did not set up a DNS forwarder. If no DNS forwarder is configured, queries for external names are sent using the default root hints. In this case the server had no internet access, so the test could not query external DNS servers.

– After enabling internet access on the server I ran the command again, and as you can see from the result, all tests passed. If a test does not pass, troubleshoot the problem now or you will run into DNS issues later. Adding the /v switch displays more useful information.

5. Verify the Domain Computer Account for the New Domain Controller:

This test verifies that the domain controller's computer account is registered properly and that its Service Principal Names (SPNs) are registered.

– Open a command prompt, type "dcdiag /test:MachineAccount" (without the quotes) and press Enter. The result should show "<computername> passed test MachineAccount". Adding the /v switch displays more useful information.

6. Verify the Availability of the Operations Masters:

This is the most important test and any failed result must be addressed immediately.

– Click Start -> Run, type CMD and press OK (or open the command prompt from Start -> All Programs -> Accessories). At the command prompt type "dcdiag /s:<DomainControllerName> /test:knowsofroleholders /v", where <DomainControllerName> is the name of any existing domain controller in the domain. The verbose switch lists each operations master that was tested; the message confirming that the test succeeded appears immediately after that list, near the bottom of the output, so look carefully at the last part of the display.

– To ensure that the operations masters are functioning properly and available on the network, type "dcdiag /s:<DomainControllerName> /test:fsmocheck" and press Enter. With the /v switch the output also lists other important servers, such as global catalog servers and time servers. The message confirming that the test succeeded appears at the bottom of the output.

Note: If these tests fail, do not attempt any additional steps until you have fixed the problem that prevents the operations masters from being located and have verified that they are functioning properly.
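The dcdiag tests from steps 3 to 6 driven from PowerShell, as an added example that is not part of the original post: Invoke-DcDiagTest runs each named test against one domain controller and parses the "passed test" / "failed test" line, Test-OperationsMasters reads the five role holders from Get-ADDomain and Get-ADForest and checks that each answers on LDAP, and the last line shows the forwarder configuration behind the step 4 caveat. It assumes the ActiveDirectory and DnsServer modules are installed and that dcdiag.exe is on the path; the target DC defaults to the local machine.

```powershell
# Added example, not from the original post: run the dcdiag tests used in this
# post against one DC, parse the results, and confirm the operations masters
# are reachable. Assumes the ActiveDirectory and DnsServer modules are installed.
Import-Module ActiveDirectory

function Invoke-DcDiagTest {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string[]]$Tests
    )
    # dcdiag prints "......... <DC> passed test <Name>" or "... failed test <Name>"
    foreach ($test in $Tests) {
        $output = & dcdiag.exe "/s:$Server" "/test:$test" 2>&1
        $line = $output | Select-String -Pattern "(passed|failed) test $test" | Select-Object -Last 1
        $result = if (-not $line) { 'Unknown' }
                  elseif ($line.Line -match 'passed test') { 'Pass' }
                  else { 'Fail' }
        [pscustomobject]@{ Server = $Server; Test = $test; Result = $result }
    }
}

function Test-OperationsMasters {
    # Forest-wide roles live on the forest object, domain roles on the domain object
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # A role holder that does not answer on LDAP (389) cannot serve the role
        $reachable = Test-NetConnection -ComputerName $holder -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $reachable }
    }
}

$dcName  = $env:COMPUTERNAME   # any existing DC in the domain works here
$tests   = 'NetLogons', 'DNS', 'MachineAccount', 'KnowsOfRoleHolders', 'FsmoCheck'
$results = Invoke-DcDiagTest -Server $dcName -Tests $tests
$results | Format-Table -AutoSize

$masters = Test-OperationsMasters
$masters | Format-Table -AutoSize

# Per the note above: stop here if an operations master test failed or a holder is unreachable
$fsmoFailed = $results | Where-Object { $_.Test -in 'KnowsOfRoleHolders', 'FsmoCheck' -and $_.Result -ne 'Pass' }
if ($fsmoFailed -or ($masters | Where-Object { -not $_.LdapReachable })) {
    Write-Warning 'Operations master check failed; fix this before any further steps.'
}

# Step 4 caveat: with no forwarders, external queries go to the root hints only
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
```

The DNS test can take several minutes, so run the script from a session that will not time out; the dcdiag output is scraped with Select-String because dcdiag has no structured output mode.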
