
Active Directory DC Health Check and Replication

-GENERAL COMMANDS

dcdiag
dcdiag /s:Guler.com
dcdiag /s:Guler.com /v >> c:\dcdiag_test.log
#Without arguments dcdiag tests the local DC. /s: names the DC to test (a host name; giving the domain name only works because the domain's A records point at the DCs, so you cannot choose which DC you hit). Every test is reported as passed or failed; /v appends the verbose output to the log file

Dcdiag /s:Guler.com | select-string -pattern '\. (.*) \b(passed|failed)\b test (.*)'
#In PowerShell, keep only the per-test result lines ("......... DC passed/failed test Name"); the pattern assumes English-language dcdiag output

dcdiag /v /test:FrsEvent /s:anatolia
#Verbose run of a single test, here the File Replication Service event check (use /test:DfsrEvent when SYSVOL is replicated with DFSR)

dcdiag.exe /s:guler.com /a
#/a tests every DC in the site; use /e to test every DC in the enterprise (the whole forest)

dcdiag.exe /s:anatolia /q
#/q (quiet) prints only the errors, which makes the output easy to scan or to alert on

dcdiag /s:anatolia /v
#/v (verbose) prints the detailed output of every test, including the events and error codes behind a failure

dcdiag /s:anatolia /fix
#/fix is narrower than it sounds: it only affects the MachineAccount test, re-registering missing service principal names (SPNs) on the DC's computer account. Any other failure has to be fixed by hand

Some typical tests it runs (tests marked "not run by default" must be requested explicitly with /test:<name>):

  • Connectivity – checks that the DC is registered in DNS, can be pinged, and accepts LDAP and RPC connections;
  • Advertising – checks the roles and services the DC advertises (e.g. Global Catalog, KDC, time server);
  • FrsEvent – checks for File Replication Service errors (SYSVOL replication errors on FRS-based domains); DfsrEvent is the DFSR equivalent;
  • FsmoCheck – checks that the DC can contact a KDC, the PDC emulator, a time server and a Global Catalog server;
  • MachineAccount – checks that the DC's computer account is registered correctly in AD and that the trust relationship is intact;
  • NetLogons – checks that the logon privileges needed for replication are in place;
  • Replications – checks the replication state between domain controllers and reports any errors;
  • CrossRefValidation – checks the validity of the cross-reference objects for the domains;
  • RidManager – checks whether the RID master is reachable and the RID pool is healthy;
  • KnowsOfRoleHolders – checks whether the DC knows, and can reach, the holders of the FSMO roles;
  • Services – checks that the services a DC depends on are running;
  • SystemLog – checks the System event log for recent errors;
  • Topology (not run by default) – checks that the KCC has generated a complete topology for all DCs;
  • CheckSecurityError (not run by default) – looks for security problems (Kerberos, SPN, time skew, permissions) that would stop replication and performs a first diagnosis;
  • Intersite – checks for failures that would prevent or delay inter-site replication;
  • CutoffServers (not run by default) – finds DCs that are not receiving replication because all their partners are down;
  • DNS (not run by default) – six sub-tests are available (/DnsBasic, /DnsForwarders, /DnsDelegation, /DnsDynamicUpdate, /DnsRecordRegistration, /DnsResolveExtName), see the DNS section below;
  • OutboundSecureChannels (not run by default) – verifies that secure channels exist from all DCs in the domain to the domains given with /testdomain;
  • VerifyReplicas (not run by default) – checks that the application directory partitions are fully instantiated on the DCs that should host them;
  • VerifyEnterpriseReferences (not run by default) – checks that the system references for the FRS and replication infrastructure are intact across the enterprise.

You can find a full description of all available dcdiag tests in Microsoft's dcdiag documentation or in the output of dcdiag /?.
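The commands above are typed one at a time and read by eye. The following PowerShell function, an added example that is not part of the original post, runs dcdiag against one or more DCs and turns the "passed/failed test" lines into objects you can filter, sort or feed into monitoring. It assumes dcdiag.exe is on the PATH (RSAT / AD DS tools), English-language dcdiag output (the result lines are localized, so the regex is too), and, for the default parameter value, the ActiveDirectory PowerShell module. The DC name anatolia in the usage line is taken from the post.

```powershell
# Added example (not from the original post): run dcdiag against one or more
# DCs and parse the per-test result lines into objects.
function Invoke-DcdiagSummary {
    [CmdletBinding()]
    param(
        # Hostnames of the DCs to test. Defaults to every DC in the current
        # domain, which requires the ActiveDirectory module (RSAT).
        [string[]] $DomainController = (Get-ADDomainController -Filter * |
                                        Select-Object -ExpandProperty HostName),

        # Extra dcdiag switches, e.g. '/test:dns' or '/test:replications','/v'.
        [string[]] $Test = @()
    )

    # A dcdiag result line looks like:
    #   ......................... ANATOLIA passed test Connectivity
    # Some tests are attributed to the domain instead of a DC
    # ("guler.com passed test LocatorCheck"), and with long DC names dcdiag
    # wraps the test name onto the next line. Joining the output into one
    # string and letting \s+ span newlines handles both cases.
    $resultLine = '\.{3,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)'

    foreach ($dc in $DomainController) {
        $text = (& dcdiag.exe "/s:$dc" @Test) -join "`n"
        foreach ($m in [regex]::Matches($text, $resultLine, 'IgnoreCase')) {
            [pscustomobject]@{
                DomainController = $dc
                Target           = $m.Groups['Target'].Value
                Test             = $m.Groups['Test'].Value
                Result           = $m.Groups['Result'].Value.ToLower()
            }
        }
    }
}

# Usage: list only what failed, across every DC in the domain.
Invoke-DcdiagSummary | Where-Object Result -eq 'failed' |
    Format-Table DomainController, Target, Test -AutoSize

# Usage: run just the DNS test against one DC (see the DNS section).
Invoke-DcdiagSummary -DomainController anatolia -Test '/test:dns'
```

Because the function emits objects rather than text, the same output can be exported with Export-Csv, compared between runs, or turned into an alert when any row has Result equal to failed.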

Troubleshoot Active Directory Replication Errors Between DCs

-REPLICATION 

repadmin /replsum
#The quickest first check: a summary of inbound and outbound replication per DC with the largest delta since the last success and the fails/total count

repadmin /replsum *
#The same summary with the scope made explicit: * means every DC repadmin can find in the forest

repadmin /showreps
#Older spelling of /showrepl, still accepted as an alias; it gives the detailed per-partner replication status

repadmin /showrepl
#Lists, for the local DC, every inbound replication partner per directory partition (naming context) with the date and time of the last attempt and of the last successful replication, plus the error code and failure count where replication is failing

repadmin /showrepl *
#The same, for every DC in the forest; add /csv to get output you can import into Excel or PowerShell

repadmin /rodcpwdrepl <RODC> <HubDC> <User> [<User2> ...]
#Triggers replication of the given users' passwords from a writable hub DC to a read-only domain controller (RODC); the command needs the RODC, the hub DC and at least one user

repadmin /showrepl dc* /verbose /all /intersite
#Detailed output for every DC whose name starts with dc; /all also shows the outbound (/repsto) and connection (/conn) information and /intersite includes inter-site links

repadmin /syncall /AdeP
#Start replication of all naming contexts (A) from the local DC, identifying servers by DN (d), across site boundaries (e), pushing changes out (P). The flags are case-sensitive

Repadmin /syncall anatolia /A /e /P
#Synchronize the DC anatolia with all of its replication partners, all partitions, across sites, push mode

repadmin /syncall guler.com
#The first argument should be a DC name; with a domain name you get whichever DC the domain's A records resolve to

repadmin /queue
#Shows the pending inbound replication requests on the DC. Ideally the queue is empty or draining; entries that stay queued point to a partner that cannot be reached or to a large backlog

Repadmin /showbackup *
#Shows, per naming context, when each DC was last backed up (taken from the DSA signature). A backup older than the tombstone lifetime cannot be used to restore a DC, so this is worth checking regularly
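repadmin /showrepl * /csv is the most useful form for automation because the output parses cleanly. The function below is an added example, not part of the original post: it converts that CSV into objects, flags links with failures or a stale last success, and annotates the error code in "Last Failure Status" with the common meanings. It assumes repadmin.exe is available, that the caller can read replication metadata on every DC, and that the CSV column names are those repadmin emits ("Destination DSA", "Source DSA", "Naming Context", "Number of Failures", "Last Success Time", "Last Failure Status"). The 24-hour staleness threshold is an arbitrary default.

```powershell
# Added example (not from the original post): parse "repadmin /showrepl * /csv"
# and report failing or stale inbound replication links.
function Get-ReplicationLinkStatus {
    [CmdletBinding()]
    param(
        # DSA_LIST passed to repadmin; '*' means every DC it can find.
        [string] $DsaList = '*',

        # Links whose last success is older than this are reported as stale
        # (assumed threshold; tune it to your replication schedule).
        [int] $StaleAfterHours = 24
    )

    # Error codes commonly seen in "Last Failure Status" and what they mean.
    $knownErrors = @{
        5    = 'Access is denied'
        1256 = 'The remote system is not available'
        1722 = 'The RPC server is unavailable'
        8453 = 'Replication access was denied'
        8524 = 'DNS lookup failure'
        8606 = 'Insufficient attributes (possible lingering object)'
        8614 = 'Last replication exceeded the tombstone lifetime'
    }

    # One CSV row per (destination DC, naming context, source DC) link.
    $rows = & repadmin.exe /showrepl $DsaList /csv | ConvertFrom-Csv

    foreach ($r in $rows) {
        # Parse defensively: these fields are strings and may be empty.
        $failures = 0; [void][int]::TryParse($r.'Number of Failures', [ref]$failures)
        $status   = 0; [void][int]::TryParse($r.'Last Failure Status', [ref]$status)
        $lastSuccess = [datetime]::MinValue
        $parsed = [datetime]::TryParse($r.'Last Success Time', [ref]$lastSuccess)
        $ageHours = if ($parsed) { [math]::Round(((Get-Date) - $lastSuccess).TotalHours, 1) } else { $null }

        [pscustomobject]@{
            Destination    = $r.'Destination DSA'
            Source         = $r.'Source DSA'
            NamingContext  = $r.'Naming Context'
            Failures       = $failures
            LastSuccess    = if ($parsed) { $lastSuccess } else { $r.'Last Success Time' }
            HoursSinceSync = $ageHours
            # A link that never succeeded is stale by definition.
            Stale          = (-not $parsed) -or ($ageHours -gt $StaleAfterHours)
            LastError      = if ($status -ne 0) { "$status $($knownErrors[$status])".Trim() } else { '' }
        }
    }
}

# Usage: show only the problem links, most failures first.
Get-ReplicationLinkStatus | Where-Object { $_.Failures -gt 0 -or $_.Stale } |
    Sort-Object Failures -Descending |
    Format-Table Destination, Source, NamingContext, Failures, HoursSinceSync, LastError -AutoSize
```

The error annotation is the part worth keeping: 1722 and 8524 point at network or DNS problems between the two DCs, 8453 and 5 at permissions or a broken secure channel, and 8606 or 8614 at lingering objects or a DC that has been disconnected longer than the tombstone lifetime, which needs a very different response from a transient RPC failure.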

Using DCDiag to test DNS

-DNS CHECKING

dcdiag /test:dns
dcdiag /s:anatolia /test:dns
#The DNS test is not run by default. Plain /test:dns runs every DNS sub-test except external name resolution, i.e. the same set as /DnsAll. The sub-test switches below are only valid together with /test:dns

dcdiag /test:dns /DnsBasic
#Basic test only: network connectivity, DNS client configuration, the zones the DC should host and the availability of the DNS service

dcdiag /s:guler.com /test:dns /e /v
#Check DNS on every DC in the enterprise (/e) with verbose output (/v); the summary table at the end has one row per DC with a column per sub-test (Auth, Basc, Forw, Del, Dyn, RReg, Ext)

dcdiag /test:dns /DnsForwarders
#Basic test plus the forwarder and root hints configuration

dcdiag /test:dns /DnsDelegation
#Basic test plus delegation: every delegated child zone must have valid NS records pointing at reachable name servers

dcdiag /test:dns /DnsDynamicUpdate
#Basic test plus a check that the AD-integrated zone accepts dynamic updates (it attempts to register a test record)

dcdiag /test:dns /DnsRecordRegistration
#Basic test plus a check that the A, CNAME and SRV records this DC must register (including the _msdcs locator records) are present

dcdiag /test:dns /DnsResolveExtName /DnsInternetName:<InternetName>
#Basic test plus resolution of an external name, which proves that forwarding or root hints actually work; if /DnsInternetName is omitted the test resolves www.microsoft.com

dcdiag /test:dns /DnsAll
#Runs all of the above sub-tests except /DnsResolveExtName

Active Directory Port List & Ports Required for Active Directory Replication:

TCP 25: SMTP (inter-site replication over SMTP only; legacy)
TCP and UDP 53: DNS (name resolution, trusts, user and computer authentication)
TCP and UDP 88: Kerberos (user and computer authentication, forest-level trusts)
UDP 123: Windows Time (time synchronization, trusts)
TCP 135: RPC endpoint mapper (EPM) (replication)
TCP and UDP 137: NetBIOS name resolution (user and computer authentication, replication, DFS, Group Policy, NetLogon)
UDP 138: NetBIOS datagram service (DFS, Group Policy, DFSN, NetLogon)
TCP 139: NetBIOS session service (user and computer authentication, replication, DFSN)
TCP and UDP 389: LDAP (directory, replication, user and computer authentication, Group Policy, trusts)
TCP 445: SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc (replication, user and computer authentication, Group Policy, trusts)
TCP and UDP 464: Kerberos password change (replication, user and computer authentication, trusts)
TCP 636: LDAP over SSL (directory, replication, user and computer authentication, Group Policy, trusts)
TCP 3268: LDAP Global Catalog (directory, replication, user and computer authentication, Group Policy, trusts)
TCP 3269: LDAP Global Catalog over SSL (directory, replication, user and computer authentication, Group Policy, trusts)
TCP 5722: DFSR (SYSVOL file replication) over RPC; this fixed port applies to Windows Server 2008 and 2008 R2 only, later versions use a dynamic RPC port
TCP 9389: AD DS Web Services (SOAP; used by the ActiveDirectory PowerShell module and the AD Administrative Center)
TCP and UDP dynamic (49152-65535 on Windows Server 2008 and later, 1025-5000 on older versions): RPC, DCOM, EPM, FRS, DRSUAPI, NetLogonR, SamR (replication, Group Policy)
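When replication fails with error 1722 (RPC server unavailable) or 8524 (DNS lookup failure), the port list above is what you check first. The function below is an added example, not part of the original post: it probes the fixed TCP ports from the list towards one or more DCs with Test-NetConnection (NetTCPIP module, Windows 8 / Server 2012 and later). Two caveats a practitioner should keep in mind: Test-NetConnection probes TCP only, so the UDP-only services (123, 137/138, and the UDP side of 53, 88, 389, 464) are not covered; and port 135 answering proves only that the endpoint mapper is reachable, the dynamic RPC range (49152-65535 on Server 2008 and later) must also be open for replication (DRSUAPI) to work. The DC name anatolia in the usage line is the one used in the post.

```powershell
# Added example (not from the original post): check the fixed TCP ports that
# DC-to-DC replication and authentication use, from this host towards a DC.
function Test-DcPorts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,

        # Also probe TCP 5722, the fixed DFSR port used only on
        # Windows Server 2008 / 2008 R2 domain controllers.
        [switch] $IncludeLegacyDfsr
    )

    # Fixed TCP ports from the port list above. UDP-only services and the
    # dynamic RPC range cannot be checked this way.
    $ports = [ordered]@{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper (dynamic RPC range must be open too)'
        139  = 'NetBIOS session service'
        389  = 'LDAP'
        445  = 'SMB / CIFS'
        464  = 'Kerberos password change'
        636  = 'LDAP over SSL'
        3268 = 'LDAP Global Catalog'
        3269 = 'LDAP Global Catalog over SSL'
        9389 = 'AD DS Web Services'
    }
    if ($IncludeLegacyDfsr) { $ports[5722] = 'DFSR (SYSVOL), Server 2008/2008 R2 only' }

    foreach ($dc in $DomainController) {
        foreach ($port in $ports.Keys) {
            # -InformationLevel Quiet returns $true/$false; a closed port
            # otherwise produces a warning, which we suppress.
            $open = Test-NetConnection -ComputerName $dc -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $port
                Service          = $ports[$port]
                Open             = $open
            }
        }
    }
}

# Usage: show only the ports that are blocked between this host and the DC.
Test-DcPorts -DomainController anatolia |
    Where-Object { -not $_.Open } |
    Format-Table DomainController, Port, Service -AutoSize
```

Run it from the DC that reports the replication failure towards its partner, and again in the other direction, since firewalls between sites are often asymmetric. A closed port here is a network or firewall problem; if every port is open but replication still fails with 1722, the dynamic RPC range is the next thing to check.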

Hope it's useful.

This post is licensed under CC BY 4.0 by the author.