Active Directory health check

My first car was a white Honda Civic 2004 model (I loved that little beast). After I bought the car, I saw little rust spots on the bonnet. I took it to a paint shop and the man who checked it said that it needed a fresh coat of paint. So I agreed and got it done. After a few months, I started to see some bubbles again on the bonnet. I took it back to the shop, as I had 6 months warranty for the job they had done. They said they would redo the paint. But guess what--after a few months, again the same issue. I did not want to waste my time any more and I took it to another place which specialized in paint jobs. When I explained the issues, the engineers there performed some tests and said that they needed to remove the whole paint and apply anti-rust first. So they did that and applied the paint layers over it. After that, there were no more bubbles on the bonnet. Just applying a new coat of paint didn't fix the issue. It was only a waste of time and money.

If the Active Directory infrastructure has existing issues in its core operations (such as replication, DNS, or site links), they need to be identified and fixed before migration. Otherwise, they will prevent the migration from achieving its objectives, and the new domain controllers will simply inherit the same problems. There is no specific, predefined sequence for an Active Directory health check; you can use your own checklist as long as it evaluates the health of each Active Directory component. I am going to list some key areas that any Active Directory health check needs to cover:

  • Replication health: Healthy replication is important for any Active Directory infrastructure. Every domain controller needs to become aware of every change to the Active Directory database, so a replication failure on one domain controller means stale or conflicting data on that domain controller. There are tools and techniques we can use to identify replication issues between domain controllers. Repadmin.exe is a Microsoft tool for diagnosing Active Directory replication. Since Windows Server 2008, it ships with the operating system and is available once the AD DS role (or the RSAT tools) is installed; before that it was part of the separately downloaded Support Tools. For forest-wide queries it needs to run as Enterprise Admin; as Domain Admin it can only review replication within that domain:
        Repadmin /showrepl

The preceding command displays the status of the last inbound replication attempt for each directory partition (naming context) hosted by the domain controller the command runs on, listed per replication partner. It does not report on other domain controllers.

If you need to check the replication status of a specific domain controller, use a command similar to the following, replacing REBEL-SDC-03 with the name of the domain controller:

        Repadmin /showrepl REBEL-SDC-03

The /replicate parameter triggers replication of a naming context between two domain controllers immediately, so you can see whether the link works right now instead of waiting for the next scheduled replication. The argument order is destination, then source, then the naming context:

        Repadmin /replicate REBEL-SDC-03.rebeladmin.com REBEL-PDC-01.rebeladmin.com DC=rebeladmin,DC=com

The preceding command initiates replication of the rebeladmin.com domain naming context (DC=rebeladmin,DC=com) from REBEL-PDC-01 (source) to REBEL-SDC-03 (destination).

Adding /full forces a full replication of all objects in the naming context from REBEL-PDC-01 to REBEL-SDC-03, not just the changes since the last successful replication. This is heavier on the network and on the destination domain controller, so use it deliberately:

        Repadmin /replicate REBEL-SDC-03.rebeladmin.com REBEL-PDC-01.rebeladmin.com DC=rebeladmin,DC=com /full

The /replsummary parameter can be used to see the summary of the replication status of all domain controllers:

        Repadmin /replsummary

The preceding command provides, for every domain controller in the forest, the number of replication links, how many of them failed, the largest delta (the longest time since a link last replicated successfully), and the error from the most recent failure. A large delta with no error usually means a link that is scheduled rather than broken; check the site link schedule before treating it as a fault.

The following command only lists the domain controllers that have replication issues with their partners:

        Repadmin /replsummary /errorsonly
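Reading Repadmin output by eye does not scale past a handful of domain controllers. The following is an added example, not code from the book: it runs Repadmin in CSV mode, converts the output into objects, and reports every inbound link that is failing or has not replicated successfully within a chosen window. It assumes repadmin.exe is available (AD DS role or RSAT tools), that the caller has Enterprise Admin rights so that "*" (every domain controller in the forest) can be queried, and uses the rebeladmin.com forest from this chapter as the environment. The error-code table is a short list of well-known status codes and is the author's addition here.

```powershell
# Added example (not from the book): turn "repadmin /showrepl * /csv" into a
# structured failure report instead of reading it by eye.
# Assumptions: repadmin.exe is available (AD DS role or RSAT), the caller has
# Enterprise Admin rights so that "*" (every DC in the forest) can be queried,
# and the forest is the rebeladmin.com example used in this chapter.

function Get-ReplicationFailureReport {
    [CmdletBinding()]
    param(
        # Flag links whose last successful inbound replication is older than this.
        [int]$StaleHours = 24
    )

    if (-not (Get-Command repadmin.exe -ErrorAction SilentlyContinue)) {
        throw 'repadmin.exe not found. Install the AD DS role or the RSAT tools.'
    }

    # One CSV row per inbound link: (destination DC, naming context, source DC).
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    if (-not $links) {
        throw 'repadmin produced no rows; check credentials and connectivity.'
    }

    # Well-known error codes that show up in the "Last Failure Status" column.
    $knownStatus = @{
        '0'    = 'no error recorded (link is stale, not failing)'
        '1722' = 'RPC server unavailable (network, firewall or DC down)'
        '8453' = 'Replication access denied (permissions or Kerberos problem)'
        '8524' = 'DNS lookup failure (compare event IDs 2087 and 2088)'
        '8606' = 'Lingering objects on the source DC (compare event ID 1988)'
        '8614' = 'Partner has not replicated within the tombstone lifetime'
    }

    $now = Get-Date
    foreach ($link in $links) {
        $failures = [int]$link.'Number of Failures'

        # repadmin prints timestamps as "yyyy-MM-dd HH:mm:ss"; a link that has
        # never succeeded has nothing parsable here, which is itself a finding.
        $lastSuccess = [datetime]::MinValue
        $parsed = [datetime]::TryParse($link.'Last Success Time', [ref]$lastSuccess)
        $stale = (-not $parsed) -or (($now - $lastSuccess).TotalHours -gt $StaleHours)
        if (-not $parsed) { $lastSuccess = $null }

        # Healthy and recent: nothing to report for this link.
        if ($failures -eq 0 -and -not $stale) { continue }

        $status  = [string]$link.'Last Failure Status'
        $meaning = "unknown; run: net helpmsg $status"
        if ($knownStatus.ContainsKey($status)) { $meaning = $knownStatus[$status] }

        [pscustomobject]@{
            Destination   = $link.'Destination DSA'
            Source        = $link.'Source DSA'
            NamingContext = $link.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastSuccess
            LastFailure   = $link.'Last Failure Time'
            Status        = $status
            Meaning       = $meaning
            StaleLink     = $stale
        }
    }
}

# Usage: everything that needs attention, most failures first.
Get-ReplicationFailureReport -StaleHours 24 |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

The stale-link check is deliberate: a link can show zero failures and still be dangerous if it simply has not run, because a partner that stays silent longer than the tombstone lifetime is the lingering-object scenario described under event ID 1988.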
  • Event Viewer: Event Viewer can also be used to evaluate the replication health of the Active Directory environment. There are specific event IDs you can filter on. You can find these events under Event Viewer | Applications and Services Logs | Directory Service.

Some key event IDs that indicate replication problems are listed here:

Event ID  Cause
1925      The attempt to establish a replication link for a writable directory partition failed. This can be caused by network issues, domain controller failures, or DNS issues. The event names the partition and the source domain controller, which is where troubleshooting should start.
1988      The local domain controller attempted to replicate an object from a source domain controller that does not exist locally, because it was deleted and has already been garbage-collected. Replication of this directory partition with this partner will not proceed until the situation is resolved. This happens when a domain controller has been offline for longer than the tombstone lifetime before being brought back online: deletions made in the meantime were never replicated to it, so it still holds objects (lingering objects) that the rest of the forest has removed. They need to be cleaned up (for example, with repadmin /removelingeringobjects) before replication can resume.
2087      AD DS could not resolve the DNS host name of the source domain controller to an IP address, and replication failed. It is logged on the destination domain controller. The destination first looks up the source's GUID-based CNAME record in the _msdcs zone; if that fails, it falls back to the FQDN and then to the NetBIOS name. Event 2087 means all of these attempts failed, and replication with that partner is blocked until name resolution is fixed.
2088      AD DS could not resolve the DNS host name of the source domain controller to an IP address, but replication succeeded. The destination domain controller failed the DNS (CNAME) lookup but was able to reach the source using the FQDN or NetBIOS name. Replication is working, but the underlying DNS problem still needs to be fixed before it turns into a 2087.
1311      The replication configuration information in AD DS does not accurately reflect the physical topology of the network. The Knowledge Consistency Checker (KCC) logs this when it cannot build a complete replication topology, usually because of misconfigured Active Directory site links, site link bridges, or subnets assigned to the wrong site.
Once an object is deleted from the directory, it is not removed from the Active Directory database right away. It is turned into a tombstone and removed by the garbage collector once the tombstone lifetime has passed. The default value is 180 days for forests created on Windows Server 2003 SP1 or later (60 days for older forests). A domain controller that has been offline for longer than this is exactly the case that produces event ID 1988.
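Clicking through Event Viewer on every domain controller is slow, and the event IDs above are easy to miss among the noise. The following added example (not from the book) queries the Directory Service log of every domain controller in the forest for exactly those IDs and summarises them per domain controller. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read event logs remotely on each domain controller (the Remote Event Log Management firewall rules are enabled), and uses the chapter's rebeladmin.com forest as the environment.

```powershell
# Added example (not from the book): collect the replication-related event IDs
# from this section across every DC in the forest and summarise them.
# Assumptions: ActiveDirectory module (RSAT) available, remote event log
# access permitted on each DC, rebeladmin.com forest from this chapter.

Import-Module ActiveDirectory

# Event ID -> short cause, matching the table in this section.
$replicationEvents = @{
    1311 = 'KCC: replication topology does not match the physical network (sites/subnets)'
    1925 = 'Failed to establish a replication link for a writable partition'
    1988 = 'Lingering object on source DC (offline longer than tombstone lifetime)'
    2087 = 'Cannot resolve source DC name; replication blocked'
    2088 = 'DNS lookup of source DC failed; FQDN/NetBIOS fallback worked'
}

function Get-DcReplicationEvents {
    [CmdletBinding()]
    param(
        # How far back to look in each DC's Directory Service log.
        [int]$Days = 7
    )

    # Enumerate every DC in every domain of the forest.
    $dcs = (Get-ADForest).Domains | ForEach-Object {
        Get-ADDomainController -Filter * -Server $_
    }

    $filter = @{
        LogName   = 'Directory Service'
        Id        = [int[]]$replicationEvents.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $dcs) {
        try {
            # Get-WinEvent throws when nothing matches; treat that as "clean",
            # but surface any other error (RPC, access denied) as a warning.
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            if ($_.Exception.Message -like 'No events were found*') {
                $events = @()
            } else {
                Write-Warning "$($dc.HostName): $($_.Exception.Message)"
                continue
            }
        }

        $events | Group-Object Id | ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                DomainController  = $dc.HostName
                EventId           = $id
                Count             = $_.Count
                LastSeen          = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
                Cause             = $replicationEvents[$id]
                # 2088 is a warning (replication still worked); the others block it.
                BlocksReplication = ($id -ne 2088)
            }
        }
    }
}

# Usage: blocking problems first, then by volume.
Get-DcReplicationEvents -Days 7 |
    Sort-Object BlocksReplication, Count -Descending |
    Format-Table -AutoSize
```

A domain controller that produces a warning instead of results (for example, RPC unavailable) is itself a finding: if you cannot read its event log remotely, other domain controllers may not be able to replicate with it either.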
  • Domain controller health: Once replication health has been evaluated, the next step is to check the health of the domain controllers themselves. Similar to Repadmin, Microsoft provides a tool for this task.

The Dcdiag.exe tool runs a set of predefined tests to evaluate the health of domain controllers. Run without parameters, it tests the local domain controller; the /e parameter extends the run to every domain controller in the forest:

        Dcdiag /e

The preceding command tests all the domain controllers in the forest. To target a single domain controller, use the /s parameter:

        Dcdiag /s:REBEL-SDC-03

The preceding command runs the tests against the domain controller REBEL-SDC-03.

Instead of running all the tests, the following command runs only the Replications test on REBEL-SDC-03:

        Dcdiag /test:replications /s:REBEL-SDC-03

The following command runs only the Services test, which checks that the services AD DS depends on (such as the Kerberos Key Distribution Center, Netlogon, Windows Time, and the NTDS service itself) are running on the local domain controller:

        Dcdiag /test:Services
  • DNS health: We cannot talk about Active Directory health without a healthy DNS infrastructure. Active Directory depends heavily on DNS: clients and domain controllers locate domain controllers through SRV records, and replication partners are resolved through the CNAME records in the _msdcs zone (which is what event IDs 2087 and 2088 are about).

To start with, I prefer to review the DNS server-related events on the domain controllers. The DNS logs can be accessed from Event Viewer | Applications and Services Logs | DNS Server.

The Dcdiag utility can also be used to test the DNS health:

        Dcdiag /test:DNS /DNSBasic

The preceding command runs the basic DNS checks: that the DNS Server service is running, that the domain controller's DNS client settings are valid, and that the expected zones and resource records are present.

The following command tests whether the configured DNS forwarders (or the root hints, if no forwarders are configured) are functioning properly:

        Dcdiag /test:DNS /DnsForwarders

The following command tests the registration of the DC locator records (the A, CNAME, and SRV records) that clients and other domain controllers use to find this domain controller:

        Dcdiag /test:DNS /DnsRecordRegistration
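Dcdiag prints free text, which makes it awkward to run as part of a repeatable pre-migration gate. The following added example (not from the book) wraps dcdiag.exe, parses its "passed test" / "failed test" verdict lines into objects, and runs the Replications, Services, and DNS checks from this section against the chapter's REBEL-SDC-03. It assumes dcdiag.exe is available (AD DS role or RSAT tools) and that the caller has the rights to run the tests against that domain controller; the Invoke-DcdiagTest function name is this example's own.

```powershell
# Added example (not from the book): run dcdiag and convert its verdict lines
# into objects so the DC health and DNS checks can be scripted and trended.
# Assumptions: dcdiag.exe available (AD DS role or RSAT), REBEL-SDC-03 is the
# chapter's example DC, Invoke-DcdiagTest is a name chosen for this example.

function Invoke-DcdiagTest {
    [CmdletBinding()]
    param(
        # Arguments passed straight through to dcdiag, e.g. '/test:DNS', '/DnsBasic', '/s:REBEL-SDC-03'
        [Parameter(Mandatory)]
        [string[]]$Arguments
    )

    if (-not (Get-Command dcdiag.exe -ErrorAction SilentlyContinue)) {
        throw 'dcdiag.exe not found. Install the AD DS role or the RSAT tools.'
    }

    # Capture stdout and stderr together. dcdiag reports each verdict as a line like
    # "......................... REBEL-SDC-03 passed test Replications".
    $output  = & dcdiag.exe @Arguments 2>&1 | ForEach-Object { $_.ToString() }
    $verdict = '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'

    foreach ($line in $output) {
        if ($line -match $verdict) {
            [pscustomobject]@{
                Target = $Matches.target   # DC name, or the domain for forest-level tests
                Test   = $Matches.test
                Passed = ($Matches.result -eq 'passed')
            }
        }
    }
}

# The tests this section discusses, against one DC: replication, services, then
# the basic, forwarder, and record-registration DNS sub-tests.
$results = @(
    Invoke-DcdiagTest -Arguments '/test:Replications', '/s:REBEL-SDC-03'
    Invoke-DcdiagTest -Arguments '/test:Services', '/s:REBEL-SDC-03'
    Invoke-DcdiagTest -Arguments '/test:DNS', '/DnsBasic', '/DnsForwarders', '/DnsRecordRegistration', '/s:REBEL-SDC-03'
)

$results | Format-Table -AutoSize

# Non-zero exit so the script can act as a pre-migration gate in a scheduled job.
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -gt 0) {
    $names = ($failed | ForEach-Object { "$($_.Target)/$($_.Test)" }) -join ', '
    Write-Warning ("{0} dcdiag test(s) failed: {1}" -f $failed.Count, $names)
    exit 1
}
```

Keep the full dcdiag text alongside the parsed verdicts when a test fails; the objects tell you which test failed, but the lines above the verdict contain the reason (for example, the specific record that is missing), and that is what you will need to fix before the migration proceeds.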