Thursday, May 15, 2014

AD Health Checks for Domain Controllers

I recently had a request from a customer to provide some reports on how well their AD replication was working.  I have found these helpful during routine maintenance and when someone asks for a specific health check.

Hope these help.

Dcdiag.exe /v >> c:\temp\pre_dcdiag.txt
This is a must.  It reports trouble with the DCs themselves and with the services they depend on (replication, SYSVOL, knowledge of the FSMO role holders, Netlogon, the system event log).  Note that >> appends, so delete or rename the old file before a new run or the results pile up.

Netdiag.exe /v >> c:\temp\pre_Netdiag.txt
This will let you know if there are issues with the networking components on the DC.  Netdiag.exe ships with the Windows Server 2003 Support Tools and is not available on Windows Server 2008 or later; there, dcdiag /test:DNS together with ipconfig /all covers most of the same ground.

Netsh dhcp show server >> c:\temp\pre_dhcp.txt
You may not want to do this, but I've run into issues with a DHCP server somehow not being authorized in AD after a patch.  This lists the authorized DHCP servers so I can verify the server count and names.

Repadmin /showreps >> c:\temp\pre_rep_partners.txt
This shows every inbound replication partner per partition and whether the last attempt succeeded.  /showreps is the older name of /showrepl; both work on current versions.  Be aware that Global Catalogs will have more partitions listed than a normal domain controller.

repadmin /replsum /errorsonly >> c:\temp\pre_repadmin_err.txt
This command can take a while to run across a large forest, but it will tell you which servers are having issues replicating.

Update 04/08/15:  Below is the text you can put into a script file (.cmd) that will dump everything you need into one text file for troubleshooting.  The commands above are fine if that's all you need, but now I use this script to grab it all at once.  Keep in mind that the resulting file contains host names, IP addresses, the domain name and the FSMO role holders, so treat it as sensitive and think twice before pasting it to a public paste site.

@Echo Off
ECHO Running AD Health Checks - Notepad will open after completion
ECHO This Command Prompt will close after you close Notepad
set logfile=%userprofile%\Desktop\ADHealth.txt
echo You can share this log using http://pastie.org/pastes/new > %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Finds system boot time
echo System Boot Time ------------------------------------------------------------- >> %logfile%
systeminfo | find "System Boot Time:" >> %logfile%
systeminfo | find "System Up Time:" >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays all current TCP/IP network configuration values
echo IPCONFIG ------------------------------------------------------------- >> %logfile%
ipconfig /all >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Analyse the state of domain controllers in a forest and reports any problems to assist in troubleshooting
echo DCDIAG ------------------------------------------------------------- >> %logfile%
dcdiag /a >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM The replsummary operation quickly summarizes the replication state and relative health
echo Replsummary ------------------------------------------------------------- >> %logfile%
repadmin /replsummary >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Displays the replication partners for each directory partition on the specified domain controller
echo Showrepl ------------------------------------------------------------- >> %logfile%
repadmin /showrepl >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Query FSMO roles
echo NETDOM Query FSMO ------------------------------------------------------------- >> %logfile%
netdom query fsmo >> %logfile%
echo. >> %logfile%
echo. >> %logfile%
REM Query Global Catalogs: read the DNS domain name from systeminfo (tokens=2 of the "Domain:" line), then list the _gc SRV records
echo List Global Catalogs ------------------------------------------------------------- >> %logfile%
for /f "tokens=2" %%a in ('systeminfo ^| findstr Domain:') do set domain=%%a
nslookup -querytype=srv _gc._tcp.%domain% >> %logfile%
notepad %logfile%
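The same collection written in PowerShell with the ActiveDirectory module, as an added example that is not part of the original post.  It replaces the systeminfo and nslookup parsing with Get-ADDomainController and Resolve-DnsName, and adds a structured replication view from Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure so failures can be filtered instead of read out of repadmin text.  The output path is an assumption; dcdiag still needs to be on the path.

```powershell
#Requires -Modules ActiveDirectory
# Added example: PowerShell version of the batch health check above.
# Assumes the RSAT ActiveDirectory module is installed; dcdiag and the
# replication cmdlets want an account that can read the DCs.

param(
    [string]$LogFile = "$env:USERPROFILE\Desktop\ADHealth.txt"   # assumed output path
)

function Write-Section {
    # Writes a titled section to the log; errors are logged rather than aborting the run
    param([string]$Title, [scriptblock]$Body)
    "`n$Title " + ('-' * 60) | Out-File -FilePath $LogFile -Append
    try   { & $Body | Out-String -Width 200 | Out-File -FilePath $LogFile -Append }
    catch { "ERROR: $($_.Exception.Message)" | Out-File -FilePath $LogFile -Append }
}

function Get-ADHealthReport {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    "AD health report for $($domain.DNSRoot) generated $(Get-Date -Format o)" | Out-File -FilePath $LogFile

    Write-Section 'Boot time' { (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    Write-Section 'IPCONFIG'  { ipconfig /all }
    Write-Section 'DCDIAG'    { dcdiag /a }

    # FSMO holders: forest roles come from Get-ADForest, domain roles from Get-ADDomain
    Write-Section 'FSMO roles' {
        [pscustomobject]@{
            SchemaMaster         = $forest.SchemaMaster
            DomainNamingMaster   = $forest.DomainNamingMaster
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        } | Format-List
    }

    # Global catalogs: what AD says, cross-checked against the _gc SRV records in DNS
    Write-Section 'Global catalogs (AD)' {
        Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
            Select-Object HostName, Site, IPv4Address, OperatingSystem | Format-Table -AutoSize
    }
    Write-Section 'Global catalogs (DNS)' {
        Resolve-DnsName -Name "_gc._tcp.$($forest.RootDomain)" -Type SRV |
            Where-Object QueryType -eq 'SRV' |
            Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
    }

    # Replication: structured equivalents of repadmin /showrepl and /replsummary /errorsonly
    Write-Section 'Replication partners' {
        Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain |
            Select-Object Server, Partner, Partition, LastReplicationSuccess,
                          LastReplicationResult, ConsecutiveReplicationFailures | Format-Table -AutoSize
    }
    $failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
    Write-Section 'Replication failures' {
        if ($failures) {
            $failures | Select-Object Server, Partner, FailureCount, FailureType, FirstFailureTime, LastError |
                Format-Table -AutoSize
        } else {
            'No replication failures reported.'
        }
    }
    return $failures
}

$fail = Get-ADHealthReport
Write-Host "Report written to $LogFile ($(@($fail).Count) replication failure(s))."
```

Because Get-ADReplicationFailure returns objects, the script can be scheduled and the failure count used as the alert condition, while the text log keeps the full dcdiag output for a human to read.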

Discover FSMO Roles Using PowerShell

Working with a rather confusing AD setup recently and trying to remove a dead domain controller, I needed a quick way to identify which machines held the FSMO roles.
Just run the following commands (they need the ActiveDirectory PowerShell module from RSAT):
Get-ADForest  | Format-Table SchemaMaster,DomainNamingMaster
Get-ADDomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster
This gives a quick view of where the roles reside and lets you capture the output as needed.

If you want to manage the roles with PowerShell, the command to move them is Move-ADDirectoryServerOperationMasterRole, and it can be used in a variety of ways.
To transfer all 5 of the FSMO roles, simply run the following command in PowerShell:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
To shorten the command line syntax you can use role numbers in place of the role names.  The following list details the role number for each of the five FSMO roles.
  • PDC Emulator – 0
  • RID Master – 1
  • Infrastructure Master – 2
  • Schema Master – 3
  • Domain Naming Master – 4
So if you wanted to transfer all 5 FSMO roles using numbers instead, you would run the following command in PowerShell:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4
Now in my case, since the DC was gone permanently, I had to seize the roles using the -Force parameter.  This is the PowerShell command I ran to seize the roles:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force
Of course I could have used the short version:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force
If you are only transferring or seizing a single role, run the same command with just the name or number of the role you want to move.  These commands can be run from Windows Server 2008 R2 or newer, or from Windows 7 or newer with the RSAT Active Directory PowerShell module installed.  Transferring the Schema Master needs membership in Schema Admins and the Domain Naming Master needs Enterprise Admins; the three domain roles need Domain Admins.  Two cautions on seizing: only use -Force when the current holder is really gone, because seizing from a DC that is merely unreachable leaves two DCs believing they hold the role once it comes back (for the RID Master that means duplicate RID pools), and once you have seized, never bring the old DC back online.  Finish by cleaning up its metadata (ntdsutil metadata cleanup, or on Server 2008 and later simply delete the old DC's computer object in Active Directory Users and Computers, which runs the cleanup for you).
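A wrapper around the commands above that reads the current holders first, transfers a role when its holder still answers on LDAP and seizes only when it does not, then re-reads the holders from the target DC to confirm.  This is an added example, not code from the original post; the DC name DC02 in the usage line and the LDAP port check as the liveness test are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: transfer-first, seize-only-if-dead FSMO move with verification.
# Target name, role list and the LDAP-port liveness test are assumptions.

function Get-FsmoHolders {
    # Role -> current holder (FQDN), read from a specific DC so the check after a
    # move is not answered by a DC that has not replicated the change yet.
    param([string]$Server)
    $opt = @{}
    if ($Server) { $opt.Server = $Server }
    $forest = Get-ADForest @opt
    $domain = Get-ADDomain @opt
    return @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-DCAlive {
    # A DC counts as alive only if it answers on LDAP (389); ICMP alone may be firewalled.
    param([string]$HostName)
    try {
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($HostName, 389)
        $client.Close()
        return $true
    } catch { return $false }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string[]]$Role,
        [switch]$AllowSeize
    )
    $before = Get-FsmoHolders
    foreach ($r in $Role) {
        $holder = $before[$r]
        if ($holder -ieq $Target -or $holder -like "$Target.*") {
            Write-Host "$r is already on $Target, skipping."
            continue
        }
        if (Test-DCAlive $holder) {
            Write-Host "Transferring $r from $holder to $Target"
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $r -Confirm:$false
        } elseif ($AllowSeize) {
            # Seizing from a holder that is only temporarily down risks two DCs claiming the role
            Write-Warning "$holder does not answer on LDAP; SEIZING $r to $Target. Never bring $holder back online."
            Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $r -Force -Confirm:$false
        } else {
            throw "$r holder $holder is unreachable; rerun with -AllowSeize only if it is permanently gone."
        }
    }
    # Verify against the directory on the target rather than trusting the cmdlet's silence
    $after = Get-FsmoHolders -Server $Target
    foreach ($r in $Role) {
        if ($after[$r] -notlike "$Target*") { throw "$r still reports holder $($after[$r])" }
    }
    return $after
}

# Usage (assumed names): move the two most sensitive domain roles, seizing if the holder is dead
# Move-FsmoRole -Target 'DC02' -Role PDCEmulator,RIDMaster -AllowSeize
```

The -AllowSeize switch keeps the dangerous path opt-in, and the final read-back from the target catches the case where the cmdlet returned without error but the role did not actually move.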

This is a little better than running all over the AD tools to get everything moved over.

Good luck.