How to Configure Windows Server 2016 Active Directory Health Check
Maintaining a healthy Active Directory environment on Windows Server 2016 is essential for reliable authentication, Group Policy application, and resource access across the organisation. A proactive health check routine helps identify replication failures, DNS misconfigurations, lingering objects, and SYSVOL inconsistencies before they escalate into user-impacting outages. This tutorial covers the built-in tools available to assess and validate Active Directory health, including DCDiag, Repadmin, and PowerShell cmdlets.
Running DCDiag
DCDiag is the primary diagnostic tool for Active Directory domain controllers. It performs a comprehensive series of tests covering connectivity, replication, FSMO roles, services, and more. Run it on each domain controller to get a complete picture:
dcdiag /v /c /s:DC01 /f:C:\Logs\dcdiag_DC01.txt
The /v flag provides verbose output, /c runs all tests, /s targets a specific domain controller, and /f saves results to a file for later review. After the run, search the output file for any FAILED or WARNING entries:
Select-String -Path "C:\Logs\dcdiag_DC01.txt" -Pattern "FAILED|WARNING"
Pay particular attention to the Replications, KccEvent, SysVolCheck, and NetLogons tests, as failures in these areas commonly cause authentication and policy problems.
Checking Replication Health with Repadmin
Replication failures are among the most common causes of AD inconsistency. Use Repadmin to show the replication summary across all domain controllers in the forest:
repadmin /replsummary
To see the detailed replication status including last attempt and last success times:
repadmin /showrepl
Force immediate replication of all partitions between all partners:
repadmin /syncall /AdeP
Check for replication errors across the entire environment:
repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object {[int]$_."Number of Failures" -gt 0}
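The one-liner above only catches partners with a non-zero failure count; a partner whose last success is days old but whose counter has been reset looks healthy. The following function, added here as an example and not part of the original tutorial, parses the same CSV and flags both failing and stale partners against a lag threshold. The column names follow repadmin's CSV header; the sample rows, timestamps and the 8453 status are constructed.

```powershell
# Added example: flag replication partners that are failing or stale, from
# the CSV produced by "repadmin /showrepl * /csv". The sample data is constructed.
function Test-AdReplicationCsv {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,
        [int] $MaxLagHours = 24,
        [datetime] $Now = (Get-Date)
    )
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($r in $rows) {
        # Counters arrive as strings; parse them so the comparison is numeric.
        $failures = 0
        [void][int]::TryParse($r.'Number of Failures', [ref]$failures)
        # repadmin prints times as "yyyy-MM-dd HH:mm:ss"; treat unparsable as unknown.
        $lastOk = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($r.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
            [System.Globalization.CultureInfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$lastOk)
        $lagHours = if ($parsed) { [math]::Round(($Now - $lastOk).TotalHours, 1) } else { $null }
        $status = 'OK'
        if ($failures -gt 0) { $status = 'FAILING' }
        elseif ((-not $parsed) -or ($lagHours -gt $MaxLagHours)) { $status = 'STALE' }
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            Partition   = $r.'Naming Context'
            Failures    = $failures
            LagHours    = $lagHours
            LastError   = $r.'Last Failure Status'
            Status      = $status
        }
    }
}

# Constructed sample in the shape of "repadmin /showrepl * /csv" output.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=contoso,DC=com",Default-First-Site-Name,DC02,RPC,0,0,2016-05-10 08:00:00,0
showrepl_INFO,Default-First-Site-Name,DC01,"DC=contoso,DC=com",Branch,DC03,RPC,4,2016-05-10 07:55:00,2016-05-07 01:10:00,8453
'@ -split "`r?`n"

# On a live domain controller replace $sample with: (repadmin /showrepl * /csv)
Test-AdReplicationCsv -CsvLines $sample -Now ([datetime]'2016-05-10 09:00:00') |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

With the constructed data, DC02 is reported OK (one hour of lag, no failures) and DC03 is reported FAILING with 4 failures and roughly 80 hours since its last success; lower -MaxLagHours to tighten the staleness check for sites with frequent change.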
Verifying DNS Health
Active Directory depends entirely on DNS. Verify that the SRV records required for Kerberos, LDAP, and the Kerberos password change service are registered correctly:
dcdiag /test:dns /v
Manually verify key SRV records:
nslookup -type=SRV _ldap._tcp.contoso.com
nslookup -type=SRV _kerberos._tcp.contoso.com
Check whether each domain controller has registered its A record in DNS:
Resolve-DnsName -Name DC01.contoso.com -Type A
SYSVOL and NETLOGON Share Validation
SYSVOL holds Group Policy templates and logon scripts. If it is inconsistent or missing, policies will not apply. Check whether the shares are accessible:
net share | findstr /I "sysvol netlogon"
Verify that DFSR (the replication mechanism for SYSVOL on 2016, assuming the domain has been migrated off FRS; dfsrmig /getglobalstate reports the migration state) is healthy:
dfsrdiag ReplicationState /Member:DC01
Checking Active Directory Services
Several Windows services must be running for AD to function. Verify them with PowerShell:
$services = @('ADWS','DNS','DFS','DFSR','Kdc','LanmanServer','LanmanWorkstation','Netlogon','W32Time')
Get-Service -Name $services | Select-Object Name, Status, StartType
Any service that is stopped and set to Automatic should be investigated and restarted if appropriate.
Using the AD Best Practices Analyzer
Windows Server 2016 includes a Best Practices Analyzer (BPA) that checks your AD DS configuration against Microsoft’s recommended practices:
Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices
Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices | Where-Object {$_.Severity -ne "Information"} | Format-List Title, Severity, Problem, Impact, Resolution
Checking for Tombstoned and Lingering Objects
Lingering objects occur when a domain controller is offline for longer than the tombstone lifetime (default 180 days) and is then brought back online: objects deleted and tombstone-expired elsewhere in the forest are never removed from it and can be reintroduced. Check for them by comparing the suspect domain controller against a known-good reference domain controller:
repadmin /removelingeringobjects DC01 <SourceDC-DSA-GUID> DC=contoso,DC=com /advisory_mode
The first argument is the domain controller to check, the second is the DSA object GUID of the reference domain controller (shown in the header of repadmin /showrepl output, not its hostname; <SourceDC-DSA-GUID> is a placeholder), and the third is the naming context to compare. Running with /advisory_mode reports what would be removed without making changes, allowing you to review before committing the cleanup.
Regular health checks should be scheduled as an automated task and the outputs reviewed weekly. Catching problems early—especially replication lag and DNS misconfigurations—prevents cascading failures that can affect the entire organisation.