This article outlines key steps to assess the health of your Active Directory, including event log monitoring, GPO management, domain controller health checks, user account management, and security audits.
Active Directory (AD) is the backbone of most enterprise IT infrastructures, managing users, groups, computers and permissions. Because of its central role, ensuring your Active Directory is healthy is critical to avoid service disruptions, security issues and operational inefficiencies. A proactive approach to AD health checks can help you identify problems before they become big issues.
In this article we’ll go through several steps to help you check your Active Directory health.
| Step | What to Check | Tools/Commands | Key Things to Look For |
|---|---|---|---|
| 1. Check Replication Health | Ensure AD changes replicate correctly across DCs. | repadmin /replsummary; dcdiag /test:replications | Replication delays/failures; unreachable DCs; errors/warnings in replication |
| 2. Test DNS Functionality | Verify the DNS services that AD relies on. | dcdiag /test:DNS; nslookup <DC name> | DNS lookup failures/timeouts; incorrect/missing DNS records; misconfigured DNS zones |
| 3. Monitor AD Services | Confirm required AD services are running. | services.msc | Stopped/paused services; services restarting frequently; errors in event logs |
| 4. Event Log Monitoring | Detect AD, DNS and system issues through logs. | Event Viewer: Directory Service, DNS Server and System logs | Critical errors/warnings; Kerberos/authentication failures; replication error events (e.g., 1311); suspicious activity (failed logons, GPO changes) |
| 5. Test Authentication & Logon | Verify user login and GPO application. | klist; manual logins; gpresult /r | Login failures; Group Policy not applied; authentication delays/errors |
| 6. Check Domain Controller Health | Run full DC diagnostics. | dcdiag | Failed tests/errors; warnings about replication or DNS issues |
| 7. Check SYSVOL & Group Policy Replication | Ensure SYSVOL shares and policies replicate correctly. | net share; dfsrdiag pollad; DFS Replication event logs | SYSVOL not shared/replicated; GPOs not applying; DFS Replication errors |
| 8. Ensure Security Updates | Verify DCs are patched and secured. | Windows Update; security policies/firewalls | Missing security updates; weak/misconfigured security settings |
One of the core functions of Active Directory is replication, where changes made on one Domain Controller (DC) are copied to other DCs to ensure consistency across the network. If replication fails, it can lead to outdated or inconsistent information across your AD environment, causing login failures or inconsistent permissions.
1. Repadmin: This command-line tool is one of the best ways to check replication status. To check replication status between domain controllers, run:
repadmin /replsummary
This will show you the current replication status and any failures or delays.
2. DCDiag: This tool is used to test the health of Domain Controllers. You can use it to run various diagnostic tests, including replication checks. Run the following to check the general health of your DCs:
dcdiag /test:replications
Key things to look for:
Replication delays or failures.
Non-functioning or unreachable domain controllers.
Warning or error messages related to replication issues.
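The replication check above, as an added PowerShell example that is not code from the original article: it reads the same inbound-link metadata that repadmin summarises via the ActiveDirectory module and flags failing or stale links. It assumes RSAT (the ActiveDirectory module) is installed and that the caller may read replication metadata; the 24-hour staleness threshold is a constructed value.

```powershell
# Added example (not from the original article): report every inbound
# replication link in the forest with the ActiveDirectory module, rather than
# reading repadmin output by eye. Assumes RSAT/the ActiveDirectory module is
# installed and the caller may read replication metadata. The 24-hour
# staleness threshold is a constructed value; align it with your site link
# schedules.
Import-Module ActiveDirectory

$StaleAfterHours = 24
$report = New-Object System.Collections.Generic.List[object]

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # One row per inbound partner and naming context (partition)
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
    } catch {
        $report.Add([pscustomobject]@{
            Server = $dc.HostName; Partner = '-'; Partition = '-'
            HoursSinceSuccess = $null; Failures = $null
            Status = "UNREACHABLE: $($_.Exception.Message)"
        })
        continue
    }
    foreach ($m in $meta) {
        # Hours since this partner last replicated successfully into this DC
        $age = if ($m.LastReplicationSuccess) {
            ((Get-Date) - $m.LastReplicationSuccess).TotalHours
        } else { [double]::PositiveInfinity }

        $status = if ($m.ConsecutiveReplicationFailures -gt 0) {
            "FAILING (last result $($m.LastReplicationResult))"
        } elseif ($age -gt $StaleAfterHours) { 'STALE' } else { 'OK' }

        $report.Add([pscustomobject]@{
            Server            = $dc.HostName
            # Partner is the NTDS Settings DN; its second RDN is the partner server name
            Partner           = (($m.Partner -split ',')[1] -replace '^CN=')
            Partition         = $m.Partition
            HoursSinceSuccess = [math]::Round($age, 1)
            Failures          = $m.ConsecutiveReplicationFailures
            Status            = $status
        })
    }
}

# Problem links first; a clean forest prints only the summary line
$bad = $report | Where-Object { $_.Status -ne 'OK' }
if ($bad) { $bad | Sort-Object Server, Partner | Format-Table -AutoSize }
"$($report.Count) inbound links checked, $(@($bad).Count) need attention."
```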
Active Directory relies heavily on DNS for its operations. If DNS is not working, AD might not work as expected, causing login problems, service disruptions or even domain-wide failures. Make sure your DNS settings are correct and your DNS servers are replicating correctly.
Dcdiag: The DCDiag tool can also test DNS health. To run a DNS test, use:
dcdiag /test:DNS
Nslookup: This tool can help check whether the domain controllers are resolving correctly. To check the DNS records for your domain controllers, use:
nslookup <domain controller name>
This should return the IP address and DNS records related to that DC.
Key things to look for:
DNS lookup failures or timeouts.
Incorrect or missing DNS records for domain controllers.
Misconfigured DNS zones or delegation.
Several services must be running on your domain controllers for Active Directory to work. These include Kerberos Key Distribution Center (KDC), Netlogon, Active Directory Domain Services (AD DS) and more.
On the domain controller, open services.msc and confirm that all critical services are operational. In particular, ensure the following are running:
Active Directory Domain Services
Kerberos Key Distribution Center
Netlogon
DNS Server (if the domain controller also hosts DNS)
Key things to look for:
Stopped or paused services.
Services that are restarting frequently or generating errors in event logs.
Event logs can give you insight into the health of Active Directory and show you issues that may not be apparent from a high level check.
Directory Service logs (Event Viewer > Applications and Services Logs > Directory Service) contain AD-related events such as replication errors, authentication issues, and more.
DNS Server logs (Event Viewer > Applications and Services Logs > Microsoft > Windows > DNS-Server) are important to monitor for DNS-related issues.
System logs (Event Viewer > Windows Logs > System) should be checked for critical system-related errors.
Key things to look for:
Repeated error codes or critical warnings.
Kerberos authentication failures or user logon issues.
Replication-related error events (e.g. event ID 1311).
Regularly review event logs: Scrutinize security, application and system logs on domain controllers. Look for critical errors, warnings and suspicious activities.
Use event log management tools: Tools like Microsoft’s Event Viewer or third party SIEM solutions can help filter, analyze and alert on critical events.
Focus on specific events: Pay attention to events related to:
Account Lockouts: Frequent lockouts could indicate brute-force attacks.
Failed Logon Attempts: Monitor for unusual patterns in failed logon attempts.
Group Policy Changes: Track changes to critical Group Policy Objects (GPOs).
Replication Issues: Identify and resolve replication problems between domain controllers.
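The event categories listed above, turned into detection logic as an added PowerShell example (not code from the original article): it pulls the relevant Security and Directory Service events from one DC and reports patterns a single event would not show. The DC name, lookback window and thresholds are constructed placeholders; the Directory Service log and event 1311 come from the text, the Security event IDs (4625, 4771, 4740, 5136/5137/5141) are standard Windows audit events.

```powershell
# Added example (not from the original article): pull the Security and Directory
# Service events the text calls out from one DC and flag patterns a single event
# does not reveal. Event IDs: 4625 failed logon (logged where the attempt was made),
# 4771 Kerberos pre-authentication failure (DC side), 4740 account lockout,
# 5136/5137/5141 directory object modified/created/deleted (filtered to GPO
# containers), 1311 KCC replication topology error. $Dc, the lookback window and
# the thresholds are constructed placeholders; tune them to your environment.
param(
    [string]$Dc = 'DC01.corp.example',
    [int]$LookbackHours = 24,
    [int]$FailedLogonThreshold = 20,   # per account + source address in the window
    [int]$LockoutThreshold = 3         # per account in the window
)
$since = (Get-Date).AddHours(-$LookbackHours)

# Read a named EventData field from the event XML; safer than positional
# Properties[n], whose order differs between event IDs.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$sec = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4771, 4740, 5136, 5137, 5141; StartTime = $since
}

# Failed logons: group by target account and source, alert above the threshold
$sec | Where-Object { $_.Id -in 4625, 4771 } | ForEach-Object {
    [pscustomobject]@{ User = Get-EventField $_ 'TargetUserName'; Source = Get-EventField $_ 'IpAddress' }
} | Group-Object User, Source | Where-Object Count -ge $FailedLogonThreshold |
    ForEach-Object { "ALERT failed logons: $($_.Name) x$($_.Count)" }

# Lockouts: repeated 4740 for one account (TargetDomainName holds the caller computer)
$sec | Where-Object Id -eq 4740 | ForEach-Object {
    [pscustomobject]@{ User = Get-EventField $_ 'TargetUserName'; Caller = Get-EventField $_ 'TargetDomainName' }
} | Group-Object User | Where-Object Count -ge $LockoutThreshold | ForEach-Object {
    "ALERT repeated lockouts: $($_.Name) x$($_.Count) from $(($_.Group.Caller | Sort-Object -Unique) -join ', ')"
}

# GPO changes: any create/modify/delete of a groupPolicyContainer object, with the actor
$sec | Where-Object { $_.Id -in 5136, 5137, 5141 -and (Get-EventField $_ 'ObjectClass') -eq 'groupPolicyContainer' } |
    ForEach-Object { "GPO change $($_.Id) by $(Get-EventField $_ 'SubjectUserName') on $(Get-EventField $_ 'ObjectDN') at $($_.TimeCreated)" }

# Replication topology errors (event 1311) from the Directory Service log
Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1311; StartTime = $since
} | ForEach-Object { "REPL ERROR 1311 at $($_.TimeCreated): $(($_.Message -split "`n")[0])" }
```

The 5136/5137/5141 events only appear if directory service object auditing is enabled and a SACL covers the Group Policy containers; without that, GPO changes are not logged.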
Active Directory’s main job is user authentication. Make sure users can authenticate and group policies are applied correctly.
Use the Klist tool to check Kerberos ticket cache:
klist
This will show you the tickets that have been granted for the user or machine. If there are issues, the Kerberos tickets may not be issued correctly.
Perform a manual test to make sure users can log in to the domain. Try logging in to several workstations with different user accounts to verify authentication is working correctly.
Group Policy Results: Run the gpresult command to verify group policies are applied correctly to users and computers:
gpresult /r
Key things to look for:
User login failures.
Group Policy application issues.
Delays or errors in authentication.
The DCDiag tool is a full diagnostic tool that checks the overall health of your domain controllers. It tests AD’s key components including DNS, replication and more.
To run a full test on a domain controller:
dcdiag
This will run several tests, output the results and point out any issues with a specific domain controller.
Key things to look for:
Failing tests or errors in any of the tests.
Warnings that indicate potential issues like replication problems or DNS misconfigurations.
The SYSVOL folder contains important files for Group Policy, scripts and other domain-wide settings. If replication fails between domain controllers, Group Policy won't be applied correctly.
Net Share: Run the following command on each domain controller to ensure SYSVOL is shared:
net share
DFSR (Distributed File System Replication): Check SYSVOL replication health with DFSR diagnostics:
dfsrdiag pollad
Event Logs: Check for SYSVOL replication issues in the DFS Replication logs (Event Viewer > Applications and Services Logs > DFS Replication).
Key things to look for:
SYSVOL not shared or not replicated correctly.
Group Policy not being applied due to replication issues.
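The service check (step 3) and the SYSVOL check above, combined into one added PowerShell example that is not code from the original article: it queries the listed services on every DC, confirms the SYSVOL and NETLOGON shares answer, and compares the set of Group Policy folders under SYSVOL across DCs so that a DC that stopped receiving DFSR updates stands out. It assumes the ActiveDirectory module, CIM access to each DC and read access to the SYSVOL shares.

```powershell
# Added example (not from the original article): check the services the text
# lists on every DC and compare SYSVOL policy folders across DCs, so a DC that
# stopped receiving DFSR updates stands out. Assumes the ActiveDirectory
# module, CIM/WinRM access to each DC and read access to the SYSVOL shares.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$services = 'NTDS', 'Kdc', 'Netlogon', 'DFSR', 'DNS'   # service names, not display names
$sysvol   = @{}   # DC -> list of GPO GUID folder names found under its SYSVOL

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # Service state via CIM; DNS is only expected where the DC also hosts DNS
    $filter = ($services | ForEach-Object { "Name='$_'" }) -join ' OR '
    $svc = Get-CimInstance Win32_Service -ComputerName $dc -Filter $filter -ErrorAction SilentlyContinue
    if (-not $svc) { "$dc : cannot query services"; continue }
    foreach ($name in $services) {
        $s = $svc | Where-Object Name -eq $name
        if (-not $s) { if ($name -ne 'DNS') { "$dc : $name service not installed" } }
        elseif ($s.State -ne 'Running') { "$dc : $name is $($s.State) (start mode $($s.StartMode))" }
    }

    # SYSVOL and NETLOGON shares must answer on every DC
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path "\\$dc\$share")) { "$dc : \\$dc\$share not reachable" }
    }
    $policies = "\\$dc\SYSVOL\$domain\Policies"
    if (Test-Path $policies) {
        $sysvol[$dc] = @(Get-ChildItem $policies -Directory | Select-Object -ExpandProperty Name)
    }
}

# Every DC should carry the same set of policy folders; report any that lag behind
$all = $sysvol.Values | ForEach-Object { $_ } | Sort-Object -Unique
foreach ($dc in $sysvol.Keys) {
    $missing = $all | Where-Object { $_ -notin $sysvol[$dc] }
    if ($missing) { "$dc : SYSVOL missing $(@($missing).Count) policy folder(s): $($missing -join ', ')" }
    else          { "$dc : SYSVOL has all $(@($all).Count) policy folders" }
}
```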
Active Directory's security is important, and making sure your domain controllers are up to date with the latest security patches is critical to prevent known vulnerabilities from being exploited. Ensure that:
All domain controllers have the latest security updates installed.
Your AD infrastructure is protected by proper firewall and security policies.
Keeping your AD environment healthy is crucial for smooth operations, security and performance. Here are some best practices to keep your AD infrastructure in shape:
Review GPOs regularly: Periodically audit and verify GPOs are applied correctly and consistently across all domain controllers.
Test in a lab first: Before deploying any changes to production, always test in a lab environment to identify issues.
Use Group Policy Management Console (GPMC): Use GPMC to manage, troubleshoot and document GPOs. It’s a central place for all your Group Policy tasks.
Monitor for unexpected changes: Implement change tracking and auditing to monitor GPO changes. Investigate any unauthorized or unexpected changes ASAP to ensure policy integrity.
Monitor server performance: Monitor domain controller performance in terms of CPU usage, memory, disk space and network traffic. This will help you identify resource bottlenecks before they affect AD services.
Check for disk space: Ensure there's enough free space on system drives, especially the system partition and the volume where the AD database (NTDS.DIT) and its logs are stored.
Monitor replication: Regularly verify replication is happening between all domain controllers. Use repadmin to identify replication issues or delays.
Back up regularly: Implement a full backup strategy to back up all domain controllers, including system state. Verify backups periodically to ensure they can be restored in case of failure.
Review user accounts: Regularly audit user accounts, especially those with elevated privileges. Disable or delete inactive accounts and ensure user account info is up to date.
Strong password policies: Enforce password policies that require strong, complex passwords with specific length and composition rules. Also, require regular password changes to mitigate security risks.
Use multi-factor authentication (MFA): Use MFA for all administrative accounts and other sensitive user accounts to add an extra layer of security and reduce unauthorized access.
Run security audits: Run AD environment security assessments regularly to find and fix potential vulnerabilities. Audits help ensure security policies are being enforced.
Use security tools: Use security scanning tools like Microsoft Baseline Security Analyzer (MBSA) or third-party vulnerability scanners to scan your AD infrastructure for known vulnerabilities and configuration issues.
Fix identified vulnerabilities: Fix any security vulnerabilities found during audits. Make sure all systems are up-to-date with the latest patches and updates.
Apply security updates: Make sure all critical security updates and patches for Windows Server and AD components are applied in a timely manner to protect your environment from known threats.
Run regular maintenance tasks: Run AD database file defragmentation, clean up temp files and optimize system performance to avoid performance degradation over time.
Stay current: Stay current with the latest security advisories, best practices and feature updates from Microsoft. This will help you stay ahead of the threats and optimize your AD.
Checking your Active Directory regularly is key to having a stable, secure and efficient IT environment. By using tools like Repadmin, DCDiag and Event Viewer you can find issues early, avoid downtime and make sure AD services are running smoothly. Remember, proactive monitoring and maintenance is key to keeping your AD healthy.
Regular checks are crucial. Daily or weekly monitoring of critical areas is recommended.
Common issues include replication problems, account lockouts, GPO conflicts, performance bottlenecks, and security vulnerabilities.
A healthy AD ensures smooth user operations, secure access to resources, and overall business continuity.