Check a Domain Controller Configuration with the DCDiag Tool
How do I use the DCDiag tool to check a domain controller configuration?
After promoting a server to a domain controller (DC), or when you’re experiencing some problems with Active Directory – and suspecting a DC configuration issue – the dcdiag.exe command-line tool can be extremely useful.
There are 27 basic tests, including checking registration of DNS records, name resolution, AD replication, and Flexible Single Master Operations (FSMO) roles. If your DC fails any of the tests, it likely indicates a problem. To run the tool locally on a Windows Server 2012 DC, open an elevated PowerShell prompt, type dcdiag, and press ENTER.
Useful DCDiag switches
To run DCDiag against a remote DC, specify the /s:<dcname> switch and replace <dcname> with the name of your DC. If necessary, you can also specify a username and password when executing dcdiag against the remote DC.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
/s:<dc name> /u:<domain name>\<username> /p:<password>
Typing an asterisk (*) instead of your password in the command above will generate an additional prompt where you can enter the password for the specified user separately and the text will be hidden.
The /c switch initiates more thorough testing, most notably more comprehensive DNS testing. Before running dcdiag, especially if the DNS test results are of particular interest, you might want to flush the DC’s local DNS cache to ensure that any results the tool returns are resolved from a DNS server. The cache can be cleared by running ipconfig /flushdns.
The /v switch gives verbose output which can be useful when you need more information for troubleshooting purposes.
Useful as DCDiag is, sometimes it reports tests as failed when there may not be any problem. This is more likely to occur if you are running DCDiag from Windows Server 2012 against a variety of different versions of Windows Server. For instance, the FrsEvent test reads the event log for the file replication service, but access to the event log is blocked by default by Windows firewall in later versions of Windows Server. For a full list of potential issues with dcdiag tests, see Microsoft’s page on DCDIAG.EXE /E or /A or /C expected errors.