PowerShell Script to Monitor Active Directory Health

By Zubair Alexander

- On April 16, 2018

The author of the script has updated the script in 2021. If you're using version 1, the new version (ADHealthCheckV2) is available here. I have been using PowerShell to view the status of Active Directory Directory Services (AD DS) components, such as NTDS, Netlogon, DNS, etc. I was looking to automate the process somewhat and get notification if any of these services had stopped. I ran into a handy PowerShell script written by Microsoft MVP Sukhija Vikas for Microsoft TechNet. You can find the script in the PowerShell gallery under Active Directory Health Check. If you're not interested in the Package Details, File List, and the Version History, you can go directly to the script download here. The script checks the following AD DS components.

Pings all the Domain Controllers in the forest
Verifies that the Netlogon service is running
Verifies that the NTDS service is running
Verifies that the DNS service is running
Runs the DCdiag Netlogons test to ensure the appropriate logon privileges allow replication to proceed
Runs the DCdiag Replications test to check for timely replication between directory servers
Runs the DCdiag Services test to see if appropriate supporting services are running
Runs the DCdiag Advertising test to check whether each DSA is advertising itself, and whether it is advertising itself as having the capabilities of a DSA
Runs the DCdiag FSMOCheck test on the Domain Controllers that hold the FSMO roles and the enterprise tests on the domain itself

Required Modifications

The script requires very little modifications. You only have to change the following entries in red.

$smtphost = "smtp.labtest.com"
$from = "DoNotReply@labtest.com"
$to = "Sukhija@labtest.com"

For example, if your domain is Contoso.com, your email is Admin@Contoso.com, and your SMTP host is smtp.contoso.com, you will make the following changes.

$smtphost = "smtp.contoso.com"
$from = "DoNotReply@contoso.com"
$to = "Admin@contoso.com"

You can also change the timeout if it's necessary. The script is set to time out in 60 seconds. It can be downloaded free of charge, and you can pretty much do anything with it, subject to the inclusion of the following notice in all copies of the software.

Step-by-Step Instructions

The script is really easy to run, but if you don't have much experience with PowerShell, or scripts in general, then here are the steps you can use to run this Active Directory Health Check script.

Download the Active Directory Health Check PowerShell script.
Extract the zip file.
Edit the ADHealthCheckV2.ps1 file in Notepad and replace the three parameters listed in red with your own domain parameters in the Required Modifications section above.
Run the tests from a computer that is not a Domain Controller. Make sure that any tools that are used in the script are installed on that computer (e.g., DCdiag).
Login to a Windows computer with Domain Admin credentials (or use Run As command).
Start PowerShell command prompt with administrative credentials.
Run the ADHealthCheckV2.bat batch file.
You will see the report generated as an HMTL file in the same directory where you copied the batch file and the PowerShell script.

NOTE: You can schedule the batch file (ADHealthCheckV2.bat) to run daily (or on a different schedule) and get regular emails to make sure the AD DS is healthy. You can also customize the script to add additional tests to fit your needs. Here's what an Active Directory Health Check sample report looks like.

As you can see in the sample report, NTDS is not running on DC2 in the Contoso domain and some of the DCdiag tests have failed. Obviously, this requires troubleshooting the issues on DC2. Updated: September 2, 2021 I 've updated the article with links to the new version (ADHealthCheckV2) of the script.

Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.