How to Configure Windows Server 2019 Active Directory Health Check

Regular Active Directory health checks are essential for maintaining a stable and reliable directory service. AD health issues — replication failures, DNS errors, outdated tombstone lifetimes, FSMO role problems — often develop silently and only surface when critical failures occur. Windows Server 2019 provides built-in tools including DCDiag, Repadmin, and the AD PowerShell module to comprehensively assess the health of your AD environment. This guide covers a systematic approach to AD health checking and how to automate routine assessments.

Running DCDiag for Comprehensive DC Testing

DCDiag is the primary tool for assessing the health of individual domain controllers. Run a comprehensive diagnostic against all domain controllers in the forest (DCDiag has no "all" test name; without /test it runs the default set, and /c adds every remaining test except DcPromo and RegisterInDNS):

dcdiag /e /v /c /f:C:\ADHealth\dcdiag-full.txt

The /e switch tests all DCs in the enterprise (forest-wide), /v gives verbose output, and /f writes the results to the given file (the C:\ADHealth folder must already exist). Run targeted tests to quickly identify specific issues:

dcdiag /test:replications /v /f:C:\ADHealth\repl-test.txt
dcdiag /test:netlogons /v
dcdiag /test:fsmocheck /v
dcdiag /test:kccevent /v
dcdiag /test:systemlog /v
dcdiag /test:services /v
dcdiag /test:dns /dnsbasic /v

Run DNS-specific tests on all DCs:

dcdiag /test:dns /e /v /f:C:\ADHealth\dns-test.txt

Checking Replication Health with Repadmin

AD replication health is critical — replication failures mean domain controllers have inconsistent data. Use repadmin to assess replication status:

repadmin /replsummary

View detailed replication partner information for all DCs:

repadmin /showrepl * /csv > C:\ADHealth\replication-status.csv

Check for replication errors across all DCs in the forest:

repadmin /showrepl * /errorsonly

View the replication queue (pending replication operations):

repadmin /queue *

Identify domain controllers that are not advertising (a DC whose rootDSE reports isSynchronized = FALSE does not register its SRV records in DNS and is not offered to clients). The empty object list ("") makes repadmin read rootDSE on each DC, and nltest lists the DCs the domain currently advertises:

repadmin /showattr * "" /attrs:isGlobalCatalogReady,isSynchronized
nltest /dclist:contoso.local

Checking FSMO Role Holders

Verify that all five FSMO roles are held by accessible, healthy domain controllers:

Get-ADDomain contoso.local | Select PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest contoso.local | Select SchemaMaster, DomainNamingMaster
netdom query fsmo

Test connectivity to each FSMO role holder:

$forest = Get-ADForest
$domain = Get-ADDomain

$fsmoHolders = @(
    $forest.SchemaMaster,
    $forest.DomainNamingMaster,
    $domain.PDCEmulator,
    $domain.RIDMaster,
    $domain.InfrastructureMaster
)

foreach ($dc in $fsmoHolders) {
    $result = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    Write-Output "$dc - LDAP reachable: $($result.TcpTestSucceeded)"
}

Checking AD Services on All Domain Controllers

Verify that critical AD services are running on all DCs. Check the essential services listed below (DFSR only applies once SYSVOL has been migrated from FRS to DFSR):

# Get-Service -ComputerName uses DCOM and exists in Windows PowerShell 5.1 (the version shipped with Server 2019)
$dcs = (Get-ADDomainController -Filter *).Name
$services = @("NTDS","DNS","KDC","Netlogon","W32Time","DFSR")

foreach ($dc in $dcs) {
    foreach ($svc in $services) {
        $status = Get-Service -ComputerName $dc -Name $svc -ErrorAction SilentlyContinue
        if ($status) {
            Write-Output "$dc | $svc | $($status.Status)"
        } else {
            Write-Output "$dc | $svc | NOT FOUND"
        }
    }
}

Verifying SYSVOL and Netlogon Share Availability

The SYSVOL and Netlogon shares must be available on all DCs for Group Policy and logon scripts to function. Check share availability:

$dcs = (Get-ADDomainController -Filter *).Name
foreach ($dc in $dcs) {
    # UNC paths must be escaped as \\server\share; Test-Path returns $false if the share is missing or unreachable
    $sysvol = Test-Path "\\$dc\SYSVOL"
    $netlogon = Test-Path "\\$dc\NETLOGON"
    Write-Output "$dc - SYSVOL: $sysvol | NETLOGON: $netlogon"
}

Check DFSR replication health for SYSVOL:

dfsrdiag PollAD
Get-DfsReplicationGroup -GroupName "Domain System Volume" | Get-DfsReplicatedFolder
Get-DfsReplicationGroup -GroupName "Domain System Volume" | Get-DfsrMember | ForEach-Object {
    Get-DfsrMembership -GroupName "Domain System Volume" -ComputerName $_.ComputerName
}

Checking Password Policy and Account Settings

Review the default domain password policy and any Fine-Grained Password Policies:

Get-ADDefaultDomainPasswordPolicy

Get-ADFineGrainedPasswordPolicy -Filter * | Select Name, MinPasswordLength, LockoutThreshold, LockoutDuration, Precedence

Automating Health Checks with a Script

Create a comprehensive automated health check script that runs all the above tests and outputs a summary report:

$reportPath = "C:\ADHealth\Report_$(Get-Date -Format yyyyMMdd_HHmm).txt"
$output = @()

$output += "=== AD HEALTH REPORT - $(Get-Date) ==="
$output += ""

# Replication summary
$output += "--- Replication Summary ---"
$output += repadmin /replsummary

# DCDiag quick test
$output += ""
$output += "--- DCDiag Summary ---"
$output += dcdiag /test:replications /test:services /test:netlogons /q

# FSMO
$output += ""
$output += "--- FSMO Roles ---"
$domain = Get-ADDomain
$forest = Get-ADForest
$output += "PDC: $($domain.PDCEmulator)"
$output += "RID: $($domain.RIDMaster)"
$output += "Infra: $($domain.InfrastructureMaster)"
$output += "Schema: $($forest.SchemaMaster)"
$output += "DomainNaming: $($forest.DomainNamingMaster)"

$output | Out-File $reportPath -Encoding UTF8
Write-Output "Report saved to $reportPath"
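The report above only dumps raw tool output. The following function is an added example (not part of this guide's script) that turns the CSV export from repadmin /showrepl * /csv into actionable alerts: partners with failures, partners whose last successful replication is older than a threshold, and partners stale for longer than the tombstone lifetime, where lingering objects become a risk. The CSV lines are constructed for illustration; the 180-day tombstone lifetime is an assumed default, so pass the value read from your forest's Directory Service object.

```powershell
function Get-ReplicationAlerts {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # output of: repadmin /showrepl * /csv
        [int]$MaxHoursSinceSuccess = 24,
        [int]$TombstoneLifetimeDays = 180             # assumed default; read the real value from your forest
    )
    $now = Get-Date
    foreach ($r in ($CsvLines | ConvertFrom-Csv)) {
        # repadmin writes "0" in the time columns when there has never been a success or failure
        $lastSuccess = if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') { [datetime]$r.'Last Success Time' } else { $null }
        $failures    = [int]$r.'Number of Failures'
        $hoursStale  = if ($lastSuccess) { [math]::Round(($now - $lastSuccess).TotalHours, 1) } else { $null }

        $severity = 'OK'
        if ($failures -gt 0) { $severity = 'WARNING' }
        if ($null -eq $lastSuccess -or $hoursStale -gt $MaxHoursSinceSuccess) { $severity = 'WARNING' }
        # A partner unreachable for longer than the tombstone lifetime may reintroduce deleted objects
        if ($null -eq $lastSuccess -or $hoursStale -gt ($TombstoneLifetimeDays * 24)) { $severity = 'CRITICAL' }

        if ($severity -ne 'OK') {
            [pscustomobject]@{
                Severity      = $severity
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                HoursStale    = $hoursStale
                LastStatus    = $r.'Last Failure Status'   # Win32 error code, e.g. 1722 = RPC server unavailable
            }
        }
    }
}

# Constructed sample in the column layout repadmin /showrepl /csv produces (not a real capture)
$fmt = 'yyyy-MM-dd HH:mm:ss'
$sample = @(
    '"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"',
    ('"showrepl_INFO","Default-First-Site-Name","DC01","DC=contoso,DC=local","Default-First-Site-Name","DC02","RPC","0","0","{0}","0"' -f (Get-Date).AddHours(-1).ToString($fmt)),
    ('"showrepl_INFO","Default-First-Site-Name","DC01","DC=contoso,DC=local","Branch","DC03","RPC","12","{0}","{1}","1722"' -f (Get-Date).AddMinutes(-30).ToString($fmt), (Get-Date).AddHours(-72).ToString($fmt)),
    ('"showrepl_INFO","Default-First-Site-Name","DC01","DC=contoso,DC=local","Branch","DC04","RPC","400","{0}","{1}","1722"' -f (Get-Date).AddMinutes(-30).ToString($fmt), (Get-Date).AddDays(-200).ToString($fmt))
)

# DC02 is healthy and is not listed; DC03 is WARNING; DC04 is CRITICAL (stale beyond the tombstone lifetime)
Get-ReplicationAlerts -CsvLines $sample | Format-Table -AutoSize
```

In the scheduled script, replace $sample with (repadmin /showrepl * /csv) and append the resulting objects to $output with Out-String so the alerts land in the daily report.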

Schedule this script to run daily using Task Scheduler and email the results to the AD operations team. Regular automated health checks catch replication failures, service outages, and DNS errors before they escalate into user-impacting incidents. Maintaining a baseline report makes it easy to spot regressions over time.