Active Directory, Back To Basics

AD Health Checks – Basic Commands

Active Directory is a crucial part of any Windows network. It stores all of the information about your users, computers, and resources, and it helps to keep everything running smoothly. To ensure that Active Directory is healthy, there are a number of commands and tools that you can use to check its status.

In this blog, we will explore some of the most useful commands and tools for checking Active Directory health, and how to use them to troubleshoot many of the problems you will encounter.

  1. repadmin: This command is used to diagnose and manage replication issues. For example, you can use it to check the replication status for all domain controllers in the forest, force replication from one domain controller to another, or display a replication summary for a specific domain controller.
    • To check the replication status for all domain controllers in the forest (without the * argument, repadmin reports only the local domain controller), run the following command:
      • repadmin /showrepl *
    • To force replication from a source domain controller to a destination domain controller, run the following command:
      • repadmin /replicate <DestinationDC> <SourceDC> <NamingContext>
    • For example, to force replication of the domain naming context from the domain controller named DC1 to the domain controller named DC2, you would run the following command (the naming context is the domain partition, not a container inside it):
      • repadmin /replicate DC2 DC1 DC=muralipalla,DC=com
    • To display a replication summary for all domain controllers, run the following command:
      • repadmin /replsum /bysrc /bydest /sort:delta
    • For example, to display a replication summary for the domain controller named DC1, you would run the following command (the domain controller list goes directly after /replsum):
      • repadmin /replsum DC1 /bysrc /bydest /sort:delta
  2. dcdiag: This command is used to diagnose domain controller issues. It can be used to run a comprehensive diagnostic test, or specific tests related to advertising and DNS registration.
    • To run a comprehensive domain controller diagnostic test, run the following command:
      • dcdiag /v
    • To run specific tests related to advertising and DNS registration, run the following commands:
      • dcdiag /test:advertising
      • dcdiag /test:registerindns
  3. nltest: This command is used to test network connectivity and trust relationships. For example, you can use it to verify the trust relationship between two domains, or check the secure channel between a workstation and a domain controller.
    • To verify the trust relationship between two domains, run the following command:
      • nltest /sc_verify:<DomainName>
    • For example, to verify the trust relationship between the domain named contoso.com and the domain named fabrikam.com, you would run the following command on a domain controller in contoso.com:
      • nltest /sc_verify:fabrikam.com
    • To check the secure channel between a workstation and a domain controller, run the following command on the workstation:
      • nltest /sc_query:<DomainName>
    • For example, to check the secure channel between a workstation named W1 and the domain named muralipalla.com, you would run the following command on W1:
      • nltest /sc_query:muralipalla.com
  4. replication status PowerShell cmdlets: There are a number of PowerShell cmdlets that can be used to get replication status for Active Directory. For example, you can use the Get-ADReplicationPartnerMetadata cmdlet to get replication status for all domain controllers, or the Get-ADReplicationFailure cmdlet to check replication status for a specific domain controller.
    • To get replication status for all domain controllers in a domain (the -Target parameter is mandatory; with -Scope Domain it names the domain to enumerate), run the following command:
      • Get-ADReplicationPartnerMetadata -Target muralipalla.com -Scope Domain | Select-Object Server, Partner, Partition, LastReplicationSuccess
    • To check replication failures recorded on a specific domain controller, run the following command:
      • Get-ADReplicationFailure -Target <DCName>
    • For example, to check replication failures on the domain controller named DC1, you would run the following command:
      • Get-ADReplicationFailure -Target DC1
  5. Event Viewer: The Event Viewer can be used to review event logs for Active Directory-related issues. For example, you can view replication-related events in the Event Viewer.
  6. DCDIAG /TEST:DNS: This command can be used to check the DNS configuration and health. It can be used to run a comprehensive DNS test, or specific tests related to DNS record registration.
    • To run the comprehensive DNS test against the local domain controller, run the following command:
      • dcdiag /test:dns
  7. DFSRDIAG: This command is used to diagnose DFS Replication issues. It can be used to display the state of DFS Replication on a server.
    • To display the state of DFS Replication on a server, run the following command (the sub-command is replicationstate; dfsrdiag has no /State option):
      • dfsrdiag replicationstate /member:<ServerName>
    • For example, to display the state of DFS Replication on the server named FS1, you would run the following command:
      • dfsrdiag replicationstate /member:FS1
  8. NETDOM: This command can be used to manage Active Directory domain membership. For example, you can use it to reset the secure channel password on a domain member.
    • To reset the secure channel password on a domain member, run the following command on that member (it resets the machine account password of the computer it is run on, against the named domain controller):
      • netdom resetpwd /server:<DCName> /userd:<Domain>\<AdminUser> /passwordd:*
    • For example, to reset the secure channel password on the workstation named W1, which is a member of the domain named contoso.com, you would run the following command on W1:
      • netdom resetpwd /server:DC1 /userd:contoso\Administrator /passwordd:*
  9. ADSIEdit.msc: This is an advanced tool for managing Active Directory objects and attributes. It can be used to view and edit Active Directory objects, and to troubleshoot Active Directory problems.
  10. Ntdsutil: This command-line tool can be used to perform a variety of tasks related to Active Directory, including backing up and restoring Active Directory, creating and managing domain trusts, and troubleshooting Active Directory problems.
  11. Netdiag: This command-line tool can be used to diagnose network connectivity issues. It can be used to test the connectivity between two computers, or to check the connectivity between a computer and a network resource. Note that Netdiag shipped with the Windows Server 2003 Support Tools and is not included in Windows Server 2008 or later; on current systems the equivalent checks are done with dcdiag, nltest and the Test-NetConnection cmdlet.
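The commands in items 1, 2 and 6 are normally run one domain controller at a time and read by eye. The following PowerShell script is an added example, not code from the original post: it runs the dcdiag tests and the forest-wide repadmin /showrepl * /csv check against every domain controller in the forest and reduces the output to a list of failed checks. It assumes the RSAT ActiveDirectory module is installed, that the account running it can query every domain controller, and that the dcdiag summary lines keep their documented "<DC> passed test <Name>" / "<DC> failed test <Name>" form; the $Tests list and the output file name are the example's own choices.

```powershell
# Added example (not from the original post): sweep every DC in the forest with dcdiag and
# repadmin and print only the checks that failed. Assumes the RSAT ActiveDirectory module.
#Requires -Modules ActiveDirectory

param(
    # dcdiag test names to run per DC (must match dcdiag's own test names).
    [string[]]$Tests = @('Advertising', 'RegisterInDNS', 'Replications', 'SysVolCheck', 'DNS'),
    # Output file for the full result set (assumed path, change as needed).
    [string]$ReportPath = ".\ad-health-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

$results = [System.Collections.Generic.List[object]]::new()

# Enumerate DCs from every domain in the forest, not only the current domain.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

foreach ($dc in $dcs) {
    foreach ($test in $Tests) {
        # dcdiag prints one summary line per test, for example:
        #   ......................... DC1 passed test Advertising
        $lines = & dcdiag.exe /s:$($dc.HostName) /test:$test 2>&1
        foreach ($line in $lines) {
            if ("$line" -match '\s(?<dc>\S+)\s(?<result>passed|failed)\s+test\s+(?<name>\w+)') {
                $results.Add([pscustomobject]@{
                    DC     = $dc.HostName
                    Check  = "dcdiag:$($Matches.name)"
                    Passed = ($Matches.result -eq 'passed')
                    Detail = ''
                })
            }
        }
    }
}

# repadmin /showrepl * /csv returns one row per inbound replication link on every DC,
# with 'Number of Failures', 'Last Failure Status' and 'Last Success Time' columns.
$links = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
foreach ($link in $links) {
    $failures = [int]$link.'Number of Failures'
    $detail = if ($failures -gt 0) {
        "$failures failure(s), last status $($link.'Last Failure Status') at $($link.'Last Failure Time')"
    } else {
        "last success $($link.'Last Success Time')"
    }
    $results.Add([pscustomobject]@{
        DC     = $link.'Destination DSA'
        Check  = "repadmin:$($link.'Naming Context') <- $($link.'Source DSA')"
        Passed = ($failures -eq 0)
        Detail = $detail
    })
}

# Show only failures on screen; an empty table means every check passed.
$results | Where-Object { -not $_.Passed } | Format-Table -AutoSize
# Keep the full result set so a later run can be diffed against it.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it from an elevated PowerShell session on a management host; the CSV keeps the passing checks as well, which makes it easy to spot a test that passed yesterday and fails today.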

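Items 4, 5 and 7 each look at a different symptom of a sick domain controller: stale replication partners, replication failures, Directory Service events and the DFSR state of SYSVOL. The script below is an added example, not code from the original post, that pulls all four into one per-DC health object. It assumes the ActiveDirectory module, WinRM and WMI access to each domain controller, that SYSVOL is replicated by DFSR (not FRS), and the documented meaning of the DfsrReplicatedFolderInfo.State values; the three-hour staleness threshold and the event IDs 1311, 1925 and 2042 are the example's own choices of what to flag.

```powershell
# Added example (not from the original post): per-DC health report from the replication
# cmdlets, the Directory Service event log and the DFSR state of SYSVOL.
#Requires -Modules ActiveDirectory

param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    # Flag an inbound partner whose last successful replication is older than this (assumed threshold).
    [timespan]$MaxReplicationAge = [timespan]::FromHours(3),
    [int]$EventLookbackHours = 24
)

# Documented meaning of DfsrReplicatedFolderInfo.State in the root\microsoftdfs namespace
# (the same state dfsrdiag replicationstate reports).
$dfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'; 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

# Replication-related Directory Service events to surface:
# 1311 = KCC cannot build a complete topology, 1925 = replication link could not be established,
# 2042 = a partner has not replicated for longer than the tombstone lifetime.
$replEventIds = 1311, 1925, 2042
$since = (Get-Date).AddHours(-$EventLookbackHours)

foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $dcName = $dc.HostName

    # Inbound partners whose last success is older than the threshold.
    $stale = Get-ADReplicationPartnerMetadata -Target $dcName -PartnerType Inbound |
        Where-Object { ((Get-Date) - $_.LastReplicationSuccess) -gt $MaxReplicationAge } |
        ForEach-Object { "$($_.Partition) from $($_.Partner) (last success $($_.LastReplicationSuccess))" }

    # Replication failures this DC has recorded.
    $failures = Get-ADReplicationFailure -Target $dcName -Scope Server |
        ForEach-Object { "$($_.Partner): $($_.FailureType) x$($_.FailureCount) since $($_.FirstFailureTime)" }

    # Recent replication events from the Directory Service log (no events is not an error here).
    $events = Get-WinEvent -ComputerName $dcName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = $replEventIds; StartTime = $since
    } | ForEach-Object { "$($_.TimeCreated) id $($_.Id)" }

    # DFSR state of the SYSVOL replicated folder on this DC.
    $sysvol = Get-CimInstance -ComputerName $dcName -Namespace root\microsoftdfs -ClassName DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
        Where-Object ReplicatedFolderName -eq 'SYSVOL Share' |
        ForEach-Object { $dfsrState[[int]$_.State] }

    [pscustomobject]@{
        DC                = $dcName
        StaleReplication  = $stale -join '; '
        ReplicationErrors = $failures -join '; '
        ReplicationEvents = $events -join '; '
        SysvolDfsrState   = if ($sysvol) { $sysvol -join ', ' } else { 'unknown' }
        Healthy           = (-not $stale) -and (-not $failures) -and (-not $events) -and (@($sysvol) -contains 'Normal')
    }
}
```

Pipe the output to Format-Table or Export-Csv; a DC with Healthy set to False and an empty SysvolDfsrState usually means the script could not reach WMI on that host, which is itself worth following up.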
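Items 3 and 8 describe checking a member's secure channel with nltest /sc_query and resetting it with netdom resetpwd. The script below is an added example, not code from the original post: it parses the nltest output into an object, confirms the channel with Test-ComputerSecureChannel (which actually exercises the channel rather than reporting cached state), and only when the live check fails and the hypothetical -Repair switch is given, re-establishes the channel with Test-ComputerSecureChannel -Repair, the cmdlet equivalent of the netdom resetpwd step. It assumes it is run on the member itself (W1 in the post's example) and that the member can reach a domain controller for the domain.

```powershell
# Added example (not from the original post): check, and optionally repair, this computer's
# secure channel to its domain. Run on the member whose channel is being checked.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    # Hypothetical switch: only repair when the live check fails.
    [switch]$Repair
)

function Get-SecureChannelStatus {
    param([string]$DomainName)
    # nltest /sc_query prints lines such as:
    #   Trusted DC Name \\DC1.muralipalla.com
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success
    $out = & nltest.exe /sc_query:$DomainName 2>&1 | Out-String
    $dc = if ($out -match 'Trusted DC Name\s+\\\\(\S+)') { $Matches[1] } else { $null }
    if ($out -match 'Status\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s*(\S*)') {
        $code = [int]$Matches[1]; $name = $Matches[2]
    } else {
        $code = -1; $name = 'unparsed'     # nltest failed or printed an unexpected format
    }
    [pscustomobject]@{
        Domain     = $DomainName
        TrustedDC  = $dc
        StatusCode = $code
        StatusName = $name
        Raw        = $out.Trim()
    }
}

$query = Get-SecureChannelStatus -DomainName $Domain

# Pin the live check to the DC nltest reported, when it reported one.
$serverArgs = if ($query.TrustedDC) { @{ Server = $query.TrustedDC } } else { @{} }
$live = [bool](Test-ComputerSecureChannel @serverArgs -ErrorAction SilentlyContinue)

$query |
    Add-Member -NotePropertyName LiveCheckPassed -NotePropertyValue $live -PassThru |
    Select-Object Domain, TrustedDC, StatusCode, StatusName, LiveCheckPassed |
    Format-List

if (-not $live -and $Repair) {
    # Same effect as netdom resetpwd in item 8: reset this computer's account password against
    # the DC and re-establish the channel. Needs credentials with rights on the computer object.
    $cred = Get-Credential -Message "Account allowed to reset the password of $env:COMPUTERNAME"
    Test-ComputerSecureChannel -Repair -Credential $cred @serverArgs
}
```

A StatusCode of 0 with LiveCheckPassed False is the case to look at most closely: nltest is reporting the last known state while a fresh challenge to the DC is failing, which is the point at which logons start to fail with a trust-relationship error.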