How to verify Active Directory is functioning correctly

Posted on 2012-08-17
Last Modified: 2012-09-10

One of my customers, who has a small network of 80 users at one site, lost power for almost 12 hours (this happened overnight).

The customer has two Domain Controllers, each with a copy of the Global catalogue and a distribution of the FSMO roles amongst themselves. These are Windows 2003 Standard Server edition with SP2.

Since the two Domain Controllers were off for quite a while, I would like to verify that, after bringing them up, AD is functioning correctly.

Initially I brought them on-line and there were some errors, but a reboot of both servers seemed to fix most of the problem.

The only error I seem to be encountering is that some of the computer accounts need to be reset (net logon errors in the event viewer).

Can someone suggest some steps to perform to ensure that AD is indeed running correctly?

Thanks in advance!

Question by:mbudman
    LVL 23

    Expert Comment

    by:Nagendra Pratap Singh
    You should check the replication first.

    This is an old site but will tell you the details well.

    Of course there may be other issues and you need to check the system logs and install a UPS with a graceful shutdown feature.
    LVL 13

    Assisted Solution

    Hi, you should check the replication between the two domain controllers. Can you do the following?

    To verify replication is functioning

    1. Open a Command Prompt.

    2. Type the following command, and then press Enter:
        dcdiag /test:replications
        For this set of tests, the /v option is available. However, it does not display any significant additional information. Messages indicate that the connectivity and replications tests passed.

    To verify that the proper permissions are set for replication

    1. Type the following command, and then press Enter:
        dcdiag /test:netlogons

    2. Messages indicate that the connectivity and netlogons tests passed.

    You can also do a health check of the Active Directory if you don't trust the Event Viewer.

    You can read all the appropriate commands in this link:
    LVL 39

    Accepted Solution

    If you wish you may go through an article on my blog for that at

    There are a lot of steps, but they will give you a full overview of that.

    LVL 5

    Expert Comment

    Agreed with npsingh123.  Replication will be the most important...  But it wouldn't be the first thing I'd check.

    Run a "dcdiag" against the domain controllers and check to see that all the tests pass.  If anything pops up, it's usually safe to run "dcdiag /fix" to get rid of the most obvious errors (if any).

    Once that's complete, then I'd move into the replication checks, and make sure there aren't any errors there.  From a command line, "repadmin" will be your friend here. - Where in your context, it would be "repadmin /showrepl".  Note any errors (again, if any).

    DCs being offline usually isn't cause for any alarm - unless that "offline" time turns into "months" - where the DC objects would be "tombstoned".  A few hours of down-time shouldn't do anything detrimental to your environment.
    LVL 3

    Expert Comment

    Log in to your Windows server using a remote desktop application or by directly logging in via console.

    Open a command prompt.

    Run the following command: repadmin /replsummary
    LVL 1

    Author Comment

    I ran the netdiag command and I got the following error repeatedly.

    Can someone provide an explanation as I am not certain how to proceed.



    An Error Event occured.  EventID: 0x0000168E
                Time Generated: 08/17/2012   04:45:12
                Event String: The dynamic registration of the DNS record
    '_ldap._tcp.<<domain_name>>.com. 600 IN SRV 0 100 389 <<companydomaincontroller>>.com.'
    failed on the following DNS server:
    DNS server IP address: <UNAVAILABLE>
    Returned Response Code (RCODE): 0
    Returned Status Code: 0
    For computers and users to locate this domain
    controller, this record must be registered in

    Determine what might have caused this failure,
    resolve the problem, and initiate registration of
    the DNS records by the domain controller. To
    determine what might have caused this failure,
    run DCDiag.exe. You can find this program on the
    Windows Server 2003 installation CD in
    Support\Tools\ To learn more about
    DCDiag.exe, see Help and Support Center. To
    initiate registration of the DNS records by  this
    domain controller, run 'nltest.exe /dsregdns'
    from the command prompt on the domain  controller
    or restart Net Logon service. Nltest.exe is
    available in the Microsoft Windows  Server
    Resource Kit CD.
      Or, you can manually add this record to DNS,
    but it is not recommended.
    Error Value: %%10065

    LVL 13

    Expert Comment

    It seems you are likely having DNS issues. Your Primary DC is failing Domain membership.
    Try doing a dcdiag /test:dns on both servers and run a netdiag /fix to see if the issue is resolved.
    LVL 39

    Expert Comment

    by:Krzysztof Pytko
    Looks like there is an issue with the DNS server; maybe it is unreachable/broken or was removed.

    Please run on a DC in the command line

    dcdiag /e /c /v /f:c:\dcdiag.log

    and attach this file here for analysis, please.

    LVL 1

    Author Comment


    Here is one of the main errors:




          Starting test: frsevent
             * The File Replication Service Event log test
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             An Error Event occured.  EventID: 0xC0003500
                Time Generated: 08/17/2012   06:54:27
                (Event String could not be retrieved)
             ......................... DC1 failed test frsevent
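
One way to triage the c:\dcdiag.log file requested earlier in the thread, as an added example that is not part of the original posts: it lists which dcdiag tests failed on which DC, with the event IDs logged inside each failed test's section. The frsevent lines in the sample are the ones quoted in the comment above; the two "passed" lines are constructed in dcdiag's usual layout, and the function names are hypothetical.

```python
import re

# Constructed sample: the frsevent section is the output quoted in the thread;
# the two "passed" verdict lines are constructed in dcdiag's usual layout.
SAMPLE_LOG = """\
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: NetLogons
         ......................... DC1 passed test NetLogons
      Starting test: frsevent
         An Error Event occured.  EventID: 0xC0003500
            Time Generated: 08/17/2012   06:54:27
            (Event String could not be retrieved)
         ......................... DC1 failed test frsevent
"""

VERDICT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.I)
EVENT = re.compile(r"An? (Error|Warning) Event occur+ed\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")
TIME = re.compile(r"Time Generated:\s+(\S+)\s+(\S+)")

def summarize(log_text):
    """Return (passed, failed); failed maps (target, test) -> list of events."""
    passed, failed, pending = [], {}, []
    for line in log_text.splitlines():
        if line.strip().startswith("Starting test:"):
            pending = []  # events belong to the test section they appear in
        elif (m := EVENT.search(line)):
            pending.append({"level": m.group(1), "event_id": m.group(2), "time": None})
        elif (m := TIME.search(line)) and pending:
            pending[-1]["time"] = f"{m.group(1)} {m.group(2)}"
        elif (m := VERDICT.search(line)):
            target, result, test = m.groups()
            if result.lower() == "failed":
                failed[(target, test)] = pending
            else:
                passed.append((target, test))
            pending = []
    return passed, failed

def report(log_text):
    """Build a short human-readable summary, failed tests listed by target."""
    passed, failed = summarize(log_text)
    lines = [f"{len(passed)} passed, {len(failed)} failed"]
    for (target, test), events in sorted(failed.items()):
        ids = ", ".join(f"{e['event_id']} at {e['time']}" for e in events) or "no events captured"
        lines.append(f"FAILED {target} {test}: {ids}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real log, read the file written by the /f: option and pass its text to report(); running it after each fix shows whether the set of failed tests is shrinking.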
    LVL 13

    Expert Comment

    Well, this is not good. Because both DCs were out. You can't migrate the SYSVOL to the other server.

    I would suggest taking a look at this KB: how you can rebuild the SYSVOL tree and its content in a domain.
    LVL 39

    Expert Comment

    by:Krzysztof Pytko
    OK, it looks like there might be a DNS issue in your environment, and that's why SYSVOL is not replicating. However, please try to do a non-authoritative SYSVOL restoration on DC1 using the D2 burflag, according to the MS article at

    and check if SYSVOL has started its replication.

    LVL 1

    Author Closing Comment

    Thank you for your assistance.

    Everything seems to check out.


