AD Health Check (Server 2003/ SBS 2003)

IT Lives!

Every once in a while, I am reminded that nothing on the web should really die.  Looking at my server logs, I noticed a number of hits a day looking for my Health Check best practice document for Active Directory.  When I moved from Community Server to wordpress, this one didn’t make the cut as the command syntax had changed for Server 2008, but I neglected to take into account everyone needing to validate their domains before migration or who are not able to do the upgrade for one reason or other.  For you, here is the blog resurrected from the dead!

Active Directory Health Check

This document outlines a basic procedure for validating the health of your Windows Server 2003 domain and is a good practice for iterative maintenance and an excellent pre-check before doing any potentially dangerous domain operations, like migration or update.

Before doing anything that might jeopardize the integrity of your domain, it is important to ensure that there are no outstanding health issues.  While important, doing this kind of check needn’t be horribly complicated or take a lot of time.  It is important to do every time to be sure that you aren’t replicating problems across your forest as you do domain maintenance.  This is especially critical before schema operations and domain migrations.  Using a few simple Microsoft tools in the Windows Resource Kit, the general health of the domain can be validated and much of the risk associated with the projects can be mitigated.

Tools & Resources

DCDiag —  Basic Domain Diagnostics
NetDiag — Domain Controller Network Diagnostics
REPLMon — Replication Monitor
NETDom — Domain and Trust Diagnostics

 Procedure Steps

A number of people have requested that these steps be posted in HTML format as they don’t have Microsoft Project or can’t open the file with their version of the software.  To make this a little bit easier for everyone, here we go:

Domain Controller Health Check

Preparatory Work

Update Server Documentation

Gather Inventory of domain controllers from the ADU&C | Domain Controllers node

Locate current documentation from client on AD structure

Locate current documentation from client of site/ core topology

Document name of every AD domain and Sub-domain

Document name and IP address of every Server

Document all trust relationships


Install Support Tools

On Each Server

Log on to the server with Server Administrator privileges

Insert the windows 2000/2003 disk into the CD drive

Navigate to CD:\\tools\Support Tools

Run Setup.exe

Wait as the Support Tools are installed on the server


              Preparatory Work Completed



Verify Health of the Domain

Create Log Directories for all Diagnostic Files

Create a Logs Directory at the root of C:\ on the server as C:\Logs


Verify DNS function with NSLOOKUP

Drop to a Command Prompt

At the Command Prompt, key in ‘Nslookup’ <enter>

Resolve each replication partner

Resolve every AD domain and Sub-domain

Remediate any failed resolutions\


Verify replication function and topology with REPLMON

Navigate to Start | Programs | Administrative Tools | Support Tools | Replmon

Select the server (<ServerName>) in the Monitored Servers

Select Action | Server | Generate Status Report

When Prompted, specify the file name as c:\Logs\<ServerName> MMDDYYYY.log in the Report Options, select all of the reporting options

Click OK


Verify DC health with DCDIAG /verbose on each domain controller

Drop to a Command Prompt

Key in ‘DCDIAG /s:<ServerName> /v  /c > c:\Logs\ServerName-DCDIAG-MMDDYYYY.log’ <enter>

Wait as the Diagnostic completes

Remediate any errors displayed

Run DCDIAG /s:<ServerName> /fix

Repeat the diagnostic


Verify network connectivity health with NETDIAG /verbose

Drop to a Command Prompt

NETDIAG /v > C:\Logs\<ServerName>-NetDiag-MMDDYYYY.txt

Wait as the diagnostic completes

Remediate any errors displayed

Run Netdiag /fix

Run the NETDIAG diagnostic again


Verify all trusts with NETDOM

Drop to a Command Prompt

At the Command Prompt, key in ‘NetDom query /verify’ <enter>

Verify that all trusts are working and responding to the stored passwords

Remediate all errors before continuing

Repeat for each additional Controller


One thought on “AD Health Check (Server 2003/ SBS 2003)”

  1. Great post! I’ve been searching forever for a step by step list like this. I’d be very interested to see your original Project file in regards to the timings of each activity and the overall project.
    Thanks again!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s