Check a Domain Controller Configuration with the DCDiag Tool
How do I use the DCDiag tool to check a domain controller configuration?
After promoting a server to a domain controller (DC), or when you’re experiencing some problems with Active Directory – and suspecting a DC configuration issue – the dcdiag.exe command-line tool can be extremely useful.
There are 27 basic tests, including checking registration of DNS records, name resolution, AD replication, and Flexible Single Master Operations (FSMO) roles. If your DC fails any of the tests, it likely indicates a problem. To run the tool locally on a Windows Server 2012 DC, open an elevated PowerShell prompt, type dcdiag, and press ENTER.
Useful DCDiag switches
To run DCDiag against a remote DC, specify the /s:<dcname> switch and replace <dcname> with the name of your DC. If necessary, you can also specify a username and password when executing dcdiag against the remote DC.
Read the Best Personal and Business Tech without Ads
Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.
/s:<dc name> /u:<domain name>\<username> /p:<password>
Typing an asterisk (*) instead of your password in the command above will generate an additional prompt where you can enter the password for the specified user separately and the text will be hidden.
The /c switch initiates more thorough testing, most notably more comprehensive DNS testing. Before running dcdiag, especially if the DNS test results are of particular interest, you might want to flush the DC’s local DNS cache to ensure that any results the tool returns are resolved from a DNS server. The cache can be cleared by running ipconfig /flushdns.
The /v switch gives verbose output which can be useful when you need more information for troubleshooting purposes.
Useful as DCDiag is, sometimes it reports tests as failed when there may not be any problem. This is more likely to occur if you are running DCDiag from Windows Server 2012 against a variety of different versions of Windows Server. For instance, the FrsEvent test reads the event log for the file replication service, but access to the event log is blocked by default by Windows firewall in later versions of Windows Server. For a full list of potential issues with dcdiag tests, see Microsoft’s page on DCDIAG.EXE /E or /A or /C expected errors.