Domain Controller Diagnostic Tests

List of tests and descriptions performed by the AD Health Check Tool.

  • Default = 20 tests
  • Comprehensive = 27 tests (takes much longer to complete)

Advertising

Checks whether each DSA is advertising itself, and whether it is advertising itself as having the capabilities of a DSA.

CheckSDRefDom

This test checks that all application directory partitions have appropriate security descriptor reference domains.

CheckSecurityError

Locates security errors (or those possibly security related) and performs the initial diagnosis of the problem. *Comprehensive only*

Connectivity

Tests whether DSAs are DNS registered, respond to ping, and have LDAP/RPC connectivity.

CrossRefValidation

This test looks for cross-refs that are in some way invalid.

CutoffServers

Check for servers that won’t receive replications because its partners are down. *Comprehensive only*

DNS

This test checks the health of DNS settings for the domain environment. *Comprehensive & DNS Only*

FrsEvent

This test checks to see if there are any operation errors in the file replication system (FRS).

DFSREvent

This test checks to see if there are any operation errors in the DFS.

SysVolCheck

This test checks that the SYSVOL is ready.

LocatorCheck FSMO Roles

Checks that global role-holders are known, can be located, and are responding.

Intersite

Checks for failures that would prevent or temporarily hold up intersite replication.

KccEvent

This test checks that the Knowledge Consistency Checker is completed without errors.

KnowsOfRoleHolders

Check whether the DSA thinks it knows the role holders, and prints these roles out in verbose mode.

MachineAccount

Check to see if the Machine Account has the proper information.

NCSecDesc

Checks that the security descriptors on the naming context heads have appropriate permissions for replication.

NetLogons

Checks that the appropriate logon privileges allow replication to proceed.

ObjectsReplicated

Check that Machine Account (AD only) and DSA objects have been replicated.

OutboundSecureChannels

Tests if there are secure channels from all the DC’s in the domain. *Comprehensive only*

Replications

Checks for timely replication between directory servers.

RidManager

Check to see if RID master is accessible and to see if it contains the proper information.

Services

Check to see if appropriate supporting services are running.

SystemLog

This test checks that the system is running without errors.

Topology

Checks that the generated topology is fully connected for all DSAs. *Comprehensive only*

VerifyEnterpriseReferences

This test verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each DSA. *Comprehensive only*

VerifyReferences

This test verifies that certain system references are intact for the FRS and Replication infrastructure.

VerifyReplicas

This test verifies that all application directory partitions are fully instantiated on all replica servers. *Comprehensive only*

Next Steps

In this guide, you learned about the diagnostic tests used by the Health Check Tool.

In the next guide, you will learn how to run the Health Check on your domain controllers

Test Domain Controllers

The AD Pro Toolkit simplifies Active Directory management and saves hours of manual work. Download Free Trial.