Active Directory

Check a Domain Controller Configuration with the DCDiag Tool

How do I use the DCDiag tool to check a domain controller configuration?

After promoting a server to a domain controller (DC), or when you’re experiencing some problems with Active Directory – and suspecting a DC configuration issue – the dcdiag.exe command-line tool can be extremely useful.

There are 27 basic tests, including checking registration of DNS records, name resolution, AD replication, and Flexible Single Master Operations (FSMO) roles. If your DC fails any of the tests, it likely indicates a problem. To run the tool locally on a Windows Server 2012 DC, open an elevated PowerShell prompt, type dcdiag, and press ENTER.

Check DC config with DCDIAG

Useful DCDiag switches

To run DCDiag against a remote DC, specify the /s:<dcname> switch and replace <dcname> with the name of your DC. If necessary, you can also specify a username and password when executing dcdiag against the remote DC.

Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

​/s:<dc name> /u:<domain name>\<username> /p:<password>

Typing an asterisk (*) instead of your password in the command above will generate an additional prompt where you can enter the password for the specified user separately and the text will be hidden.

The /c switch initiates more thorough testing, most notably more comprehensive DNS testing. Before running dcdiag, especially if the DNS test results are of particular interest, you might want to flush the DC’s local DNS cache to ensure that any results the tool returns are resolved from a DNS server. The cache can be cleared by running ipconfig /flushdns.

The /v switch gives verbose output which can be useful when you need more information for troubleshooting purposes.

Failed tests

Useful as DCDiag is, sometimes it reports tests as failed when there may not be any problem. This is more likely to occur if you are running DCDiag from Windows Server 2012 against a variety of different versions of Windows Server. For instance, the FrsEvent test reads the event log for the file replication service, but access to the event log is blocked by default by Windows firewall in later versions of Windows Server. For a full list of potential issues with dcdiag tests, see Microsoft’s page on DCDIAG.EXE /E or /A or /C expected errors.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by:

Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: