PowerShell Script to Monitor Active Directory Health
The author updated the script in 2021. If you’re using version 1, the new version (ADHealthCheckV2) is available here.
I have been using PowerShell to view the status of Active Directory Domain Services (AD DS) components, such as NTDS, Netlogon, DNS, etc. I was looking to automate the process somewhat and get a notification if any of these services had stopped. I ran into a handy PowerShell script written by Microsoft MVP Sukhija Vikas for Microsoft TechNet.
You can find the script in the PowerShell gallery under Active Directory Health Check. If you’re not interested in the Package Details, File List, and the Version History, you can go directly to the script download here. The script checks the following AD DS components.
- Pings all the Domain Controllers in the forest
- Verifies that the Netlogon service is running
- Verifies that the NTDS service is running
- Verifies that the DNS service is running
- Runs the DCdiag Netlogons test to ensure the appropriate logon privileges allow replication to proceed
- Runs the DCdiag Replications test to check for timely replication between directory servers
- Runs the DCdiag Services test to see if appropriate supporting services are running
- Runs the DCdiag Advertising test to check whether each DSA is advertising itself, and whether it is advertising itself as having the capabilities of a DSA
- Runs the DCdiag FSMOCheck test on the Domain Controllers that hold the FSMO roles and the enterprise tests on the domain itself
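The checks listed above can be sketched in a few dozen lines. This is an added example, not the code of the Active Directory Health Check script. It assumes Windows PowerShell 5.1, English dcdiag output and dcdiag.exe installed locally, and for brevity it runs FsmoCheck against every Domain Controller rather than only the FSMO role holders.

```powershell
# Added example; not code from ADHealthCheckV2.ps1. Assumes Windows PowerShell 5.1
# (Get-Service -ComputerName), English dcdiag output, and dcdiag.exe on this machine.
$timeoutSec  = 60    # same value as the timeout the article mentions
$services    = 'Netlogon', 'NTDS', 'DNS'
$dcdiagTests = 'Netlogons', 'Replications', 'Services', 'Advertising', 'FsmoCheck'

# Run a script block in a background job; return $null on timeout or no output.
function Invoke-WithTimeout {
    param([scriptblock]$Script, [object[]]$ArgumentList, [int]$Seconds)
    $job = Start-Job -ScriptBlock $Script -ArgumentList $ArgumentList
    $out = $null
    if (Wait-Job -Job $job -Timeout $Seconds) { $out = Receive-Job -Job $job }
    Remove-Job -Job $job -Force    # -Force also removes a job that is still running
    return $out
}

# Every domain controller in the current forest, without the ActiveDirectory module.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dcs = $forest.Domains | ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }

$report = foreach ($dc in $dcs) {
    $row = [ordered]@{ DC = $dc; Ping = 'Failed' }
    foreach ($col in $services + $dcdiagTests) { $row[$col] = 'Skipped' }
    if (Test-Connection -ComputerName $dc -Count 1 -Quiet) {
        $row.Ping = 'Success'
        foreach ($svc in $services) {
            $status = Invoke-WithTimeout -Seconds $timeoutSec -ArgumentList $dc, $svc -Script {
                param($computer, $name)
                [string](Get-Service -ComputerName $computer -Name $name -ErrorAction SilentlyContinue).Status
            }
            $row[$svc] = if ($status) { $status } else { 'NoResult' }
        }
        foreach ($test in $dcdiagTests) {
            $output = Invoke-WithTimeout -Seconds $timeoutSec -ArgumentList $dc, $test -Script {
                param($computer, $name)
                & dcdiag.exe "/test:$name" "/s:$computer"
            }
            $row[$test] = if ($null -eq $output) {
                'NoResult'
            } elseif (($output -join "`n") -match "passed test $test") {
                'Passed'
            } else { 'Failed' }
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize
```

A Domain Controller that does not answer the ping keeps `Skipped` in every other column, so an unreachable host is not mistaken for a stopped service.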
Required Modifications
The script requires very few modifications. You only have to change the following entries in red.
- $smtphost = "smtp.labtest.com"
- $from = "DoNotReply@labtest.com"
- $to = "Sukhija@labtest.com"
For example, if your domain is Contoso.com, your email is Admin@Contoso.com, and your SMTP host is smtp.contoso.com, you will make the following changes.
- $smtphost = "smtp.contoso.com"
- $from = "DoNotReply@contoso.com"
- $to = "Admin@contoso.com"
You can also change the timeout if it’s necessary. The script is set to time out in 60 seconds. It can be downloaded free of charge, and you can pretty much do anything with it, subject to the inclusion of the following notice in all copies of the software.
Step-by-Step Instructions
The script is really easy to run, but if you don’t have much experience with PowerShell, or scripts in general, then here are the steps you can use to run this Active Directory Health Check script.
- Download the Active Directory Health Check PowerShell script.
- Extract the zip file.
- Edit the ADHealthCheckV2.ps1 file in Notepad and replace the three parameters listed in red in the Required Modifications section above with your own domain parameters.
- Run the tests from a computer that is not a Domain Controller. Make sure that any tools that are used in the script are installed on that computer (e.g., DCdiag).
- Log in to a Windows computer with Domain Admin credentials (or use the Run As command).
- Start a PowerShell command prompt with administrative credentials.
- Run the ADHealthCheckV2.bat batch file.
- You will see the report generated as an HTML file in the same directory where you copied the batch file and the PowerShell script.
NOTE: You can schedule the batch file (ADHealthCheckV2.bat) to run daily (or on a different schedule) and get regular emails to make sure the AD DS is healthy. You can also customize the script to add additional tests to fit your needs.
Here’s what an Active Directory Health Check sample report looks like.
As you can see in the sample report, NTDS is not running on DC2 in the Contoso domain and some of the DCdiag tests have failed. Obviously, this requires troubleshooting the issues on DC2.
Updated: September 2, 2021
I’ve updated the article with links to the new version (ADHealthCheckV2) of the script.
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
Hi, Monitor Active Directory Health PowerShell script is working fine on Windows 2K8R2 and W2K12 R2 servers but it is not in Windows 2016 server.
Could you please help me to get AD health report from Windows Server 2016.
Hi Zubair,
The link provided is no longer working as it was archived by Microsoft, https://docs.microsoft.com/en-us/teamblog/technet-gallery-retirement. It would be kind of you to re-share the script copy again.
Regards,
SR
@Suresh: I’ve emailed you the script.
I too would appreciate a copy of this script. Thanks!
@Butch: The link to the script should be in your Inbox.
Hey Zubair, Could you please help me with the script. Thanks in Advance…!
@Pika: The link is on its way. Good luck!
Hi Zubair – Could I possibly get a copy or link to the script as well?
@Justin: I sent you a link. Good luck.
Hi Zubair, I have a root domain and child domain infrastructure. However, when I run the script it gets the AD health of root domain controllers which I don’t want. Can you please help me with such script that removes the root domain health checks and only perform for child domain domain controllers?
Hi Joy, I just updated the article with the new version of the script. I haven’t had a chance to try the new version. You can try ADHealthCheckV2 and, if necessary, reach out to the author of the script MVP Sukhija Vikas at https://www.powershellgallery.com/profiles/VikasSukhija, or post your question on the Directory Services forum at https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverDS.
Hi, when I run the script I had the following error: (I’m running the script in WS2012)
Send-MailMessage : The remote name could not be resolved: ‘smtp.jules.com’
At C:\script\AD_HEALT_COMPLETO.ps1:328 char:1
+ Send-MailMessage -SmtpServer $Smtphost -From $from -To $EmailReport – …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpExcept
ion
+ FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
Could you help me with that? What should I do?
@Julio: You are apparently not hosting your messaging server on your own network. That’s why it’s unable to resolve the remote name for your SMTP server for your domain. Your email service provider is Symantec Connect. Please contact them for the name of your SMTP server and use that in the script.
Can you please share the script copy? I can’t find it in the link given in this article.
@Adhitthyan: You’ll find the script at https://github.com/VikasSukhija/Downloads/blob/master/ADHealthCheckV2/ADHealthCheckV2.ps1.
Thank you Zubair Alexander
I think we can download the health report in specific path because we don’t have the SMTP server and I don’t want to provide the SMTP details. I just need the html report.
Regards
Sayed Nayeem
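Two comments above concern mail delivery: an SMTP host name that does not resolve, and a request for the HTML report alone. The following is an added example, not part of the thread or of the ADHealthCheckV2 script. The function name `Publish-HealthReport` is hypothetical and the rows are constructed sample data shaped like the article's sample report.

```powershell
# Added example; not code from ADHealthCheckV2.ps1. The rows are constructed sample
# data; Publish-HealthReport is a hypothetical name.
$rows = @(
    [pscustomobject]@{ DC = 'DC1.contoso.com'; Ping = 'Success'; NTDS = 'Running'; Replications = 'Passed' }
    [pscustomobject]@{ DC = 'DC2.contoso.com'; Ping = 'Success'; NTDS = 'Stopped'; Replications = 'Failed' }
)

function Publish-HealthReport {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,
        [Parameter(Mandatory)] [string]$Path,
        [string]$SmtpHost, [string]$From, [string]$To
    )
    # Always write the HTML file first, so the report exists even if mail fails.
    $title = "AD Health Check $(Get-Date -Format s)"
    $html  = $Rows | ConvertTo-Html -Title $title -PreContent "<h2>$title</h2>" | Out-String
    Set-Content -Path $Path -Value $html -Encoding UTF8

    if (-not $SmtpHost) { return 'Saved' }    # no SMTP configured: file only

    # Resolve the SMTP host up front; an unresolvable name is the
    # "remote name could not be resolved" failure quoted in the comments.
    try   { [void][System.Net.Dns]::GetHostEntry($SmtpHost) }
    catch { Write-Warning "Cannot resolve '$SmtpHost'; report kept at $Path"; return 'Saved' }

    Send-MailMessage -SmtpServer $SmtpHost -From $From -To $To `
        -Subject $title -Body $html -BodyAsHtml
    return 'SavedAndSent'
}

# File-only run: no SMTP details supplied, report written to the temp directory.
Publish-HealthReport -Rows $rows -Path (Join-Path $env:TEMP 'ADHealthCheck.html')
```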