In this post we are going to take a look at domain controller health administration and some checks that we can do to monitor it.

Domain controller health is often overlooked because other fires take attention away from it.

As administrators, it is a good idea to keep an eye on the health of your Active Directory environment, since it’s the foundation layer. Don’t neglect it!

This guide will help you to keep up with the health of your Active Directory environment in a simple way.

Items To Check On

  • Checking error logs
  • Know where your roles are – know the lay of the land
  • Replication – Repadmin
  • Orphaned objects – old servers/computers left in the directory cause more error log entries. Review DNS records and remove any servers that have been decommissioned
  • Domain controllers
  • DNS services and servers
  • Sites & Services – subnets defined (not a single site, or all pointed to one)
  • Time services – clocks out of sync by 5 minutes have issues
  • Best Practice Analyzer

Signs That Active Directory Needs Attention

  • User logon issues: some users can log in, some cannot; location-specific issues
  • AD objects not available on domain controllers (e.g. users, groups, computers, OUs, etc.)
  • Long delays during user login
  • Continuous errors in DC logs (SYSVOL / DFSR)
  • Certain computers getting policies while others are not – look for inconsistencies

Windows Server Built-in Tools

Using Repadmin

Using DCDiag

Using Best Practice Analyzer

Windows Server
Active Directory

Automating The Process

  • Set review periods (monthly/quarterly)
  • Check health before and after all major AD modifications (changes/adds/removes)


The nltest command-line tool provides diagnostic features to troubleshoot domain system configurations.

This command can be used to:

  • Get a list of domain controllers
  • Force a remote shutdown
  • Query the status of a trust
  • Test trust relationships and the state of domain controller replication

Getting Domain Information

To get domain information use the following command:

nltest /dsgetdc:<enter domain here>

Domain Trust Health Check nltest command line

So for example if the domain is

The command then would be: nltest /

The expected output would look like this:

So we get a lot of high-level information about the domain. This can be really helpful
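
As an added example (not from the original post), the PowerShell below parses the output of `nltest /dsgetdc:<domain>` and flags two items from the checklist above: a domain controller that is not advertising the time service, and a client that was served by a domain controller in a different site. The domain `corp.example`, the sample output and the function names are constructed for illustration.

```powershell
# Added example (not from the original post). Sample output below is constructed.
function ConvertFrom-NltestDsGetDc {
    param([string[]]$Lines)
    $info = [ordered]@{}
    foreach ($line in $Lines) {
        # Fields look like "  Dc Site Name: HQ"; the status line has no colon and is skipped
        if ($line -match '^\s*([^:]+?):\s+(.*\S)\s*$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$info
}

function Test-DcLocatorResult {
    param([Parameter(Mandatory)]$Dc)
    $flags = -split $Dc.Flags
    # Services a healthy, advertising domain controller is expected to report
    foreach ($need in 'DS', 'LDAP', 'KDC', 'TIMESERV') {
        if ($flags -notcontains $need) { "Missing flag $need on $($Dc.DC)" }
    }
    # A DC from another site can mean the client subnet is not mapped in
    # Sites & Services, or that the DC in the client's own site is not answering
    if ($Dc.'Dc Site Name' -ne $Dc.'Our Site Name') {
        "Client site '$($Dc.'Our Site Name')' was served by site '$($Dc.'Dc Site Name')'"
    }
}

# Constructed sample in the layout nltest prints; names and addresses are made up
$sample = @'
           DC: \\DC02.corp.example
      Address: \\10.20.0.11
     Dom Name: corp.example
  Forest Name: corp.example
 Dc Site Name: Branch
Our Site Name: HQ
        Flags: GC DS LDAP KDC WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
'@ -split '\r?\n'

# Live use on a domain-joined machine: $sample = nltest /dsgetdc:corp.example
$dc = ConvertFrom-NltestDsGetDc -Lines $sample
$findings = @(Test-DcLocatorResult -Dc $dc)
$dc | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

Saving the parsed object before and after a major AD change makes it easy to compare which domain controller and site a client was given each time.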