Dcdiag

Dcdiag.exe: Domain Controller Diagnostic Tool

This command-line tool analyzes the state of domain controllers in a forest or enterprise

and reports any problems to assist in troubleshooting. As an end-user reporting pro-

gram, Dcdiag encapsulates detailed knowledge of how to identify abnormal behavior in

the system. Dcdiag displays command output at the command line.

Dcdiag consists of a framework for executing tests and a series of tests to verify differ-

ent functional areas of the system. This framework selects which domain controllers are

tested according to scope directives from the user, such as enterprise, site, or single

server.

The Dcdiag command-line tool is included when you install Windows Server 2003 Sup-

port Tools from the product CD or from the Microsoft Download Center

(http://go.microsoft.com/fwlink/?LinkId=100114 ). For more information about how to

install Windows Support Tools, see Install Windows Support Tools

(http://go.microsoft.com/fwlink/?LinkId=62270 ).

Corresponding UI

There is no corresponding user interface (UI) for this tool.

Concepts

All domain controllers in the same domain are peers of one another and any domain

controller can make directory updates.

However, given the way in which directory updates are replicated from one domain con-

troller to another, it is possible that difficulties can arise. For example, if the necessary

domain controllers are not connected by a replication topology, the appropriate domain

controllers do not receive directory updates when replication occurs.

Also, in order for the (Domain Controller) Locator to find a domain controller, it must

have accurate information so that it can properly locate the resource. If a domain con-

troller is incorrectly advertised, the Locator is unable to find it.

http://go.microsoft.com/fwlink/?LinkId=62270

http://go.microsoft.com/fwlink/?LinkId=100114

Dcdiag Syntax

DCDiag SyntaxDCDiag uses the following syntax:

dcdiag/s:DomainController [/n:NamingContext] [/u:Domain\UserName /p:

{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:LogFile] [/ferr:ErrLog] [/c

[/skip:Test]] [/test:Test] [/fix] [{/h | /?}] [/ReplSource:SourceDomainCon-

troller]

Parameters/s:DomainController

Uses DomainController as the home server. This parameter is required. It is ignored for DcPromo and RegisterInDns tests which can only be run locally.

/n:NamingContext

Uses NamingContext as the naming context to test. Domains may be spe-cified in NetBIOS, DNS or distinguished name format.

/u:Domain\UserName /p:{* | Password | ""}

Uses Domain\UserNameDCDiag uses the process's or users default creden-tials. If alternate credentials are needed, use the following options to provide those credentials for binding with Password as the password. Use "" for an empty or null password, or the wildcard character (*) to prompt for the pass-word.

/a

Tests all the servers on this site.

/e

Tests all the servers in the entire enterprise. Overrides /a.

/q

Quiet. Prints only error messages.

/v

Verbose. Prints extended information.

/i

Ignores superfluous error messages.

/fix

Only affects the MachineAccount test. It causes the test to fix the SPNs (Ser-vice Principal Names) on the domain controller's Machine Account Object.

/f:LogFile

Redirects all output to LogFile. The /f parameter operates independently of /ferr.

/ferr:ErrLog

Redirects fatal error output to a separate file ErrLog. The /ferr parameter op-erates independently of /f.

/c

Comprehensive. Runs all tests except DCPromo and RegisterInDNS, in-cluding non-default tests. Optionally, can be used with /skip to skip specified tests. The following tests are not run by default: TopologyCutoffServer-sOutboundSecureChannels

{ /h | /?}

Displays a syntax screen at the command prompt.

/test:Test

Runs only this test. The nonskippable test Connectivity is also run. Should not be run in the same command with /skip.NoteAll tests except DcPromo and RegisterInDNS must be run on computers that have been promoted to domain controller.The test CheckSecurityError is available only in the ver-sion of Dcdiag that is included with Windows Support Tools in Win-dows Server 2003 Service Pack 1 (SP1) and must be run on a domain control-ler that is running Windows Server 2003 with SP1.

/ReplSource:SourceDomainController

Option for /test:CheckSecurityError. Tests the connection between the do-main controller on which you run the command and the source domain con-troller. SourceDomainController is the DNS name, NetBIOS name, or distin-guished name of a real or potential "from" server that is represented by a real or potential connection object.

DNS SyntaxThe new DNS tests in Windows Server 2003 SP1 use the following syntax:

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUp-

date | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:Internet-

Name] | /DnsAll] [/f:LogFile] [/ferr:ErrLog] /s:DomainController [/e] [/v]

Parameters/test:DNS [DNS test] Performs the specified DNS test. If no test is specified, defaults to /DnsAll./DnsBasicPerforms basic DNS tests, including network connectivity, DNS client configuration, ser-vice availability, and zone existence./DnsForwardersPerforms the /DnsBasic tests, and also checks the configuration of forwarders./DnsDelegationPerforms the /DnsBasic tests, and also checks for proper delegations./DnsDynamicUpdatePerforms /DnsBasic tests, and also determines if dynamic update is enabled in the Ac-tive Directory zone./DnsRecordRegistrationPerforms the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered. In addition, creates an inventory report based on the test results./DnsResolveExtName [/DnsInternetName:InternetName] Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInter-netName is not specified, attempts to resolve the name www.microsoft.com. If /DnsIn-ternetName is specified, attempts to resolve the Internet name supplied by the user./DnsAllPerforms all tests, except for the DnsResolveExtName test, and generates a report. /f:LogFileRedirects all output to LogFile. The /f parameter operates independently of /ferr. /ferr:ErrLogRedirects fatal error output to a separate file ErrLog. The /ferr parameter operates inde-pendently of /f. /s:DomainControllerRuns the tests against DomainController./eRuns all tests specified by /test:DNS against all domain controllers in the Active Direc-tory forest./vVerbose. Presents extended information about successful test results, in addition to in-formation about errors and warnings. When the /v parameter is not used, provides only error and warning information. Use the /v switch when errors or warnings are reported in the summary table.

Dcdiag Examples

DCDiag Examples

Example 1: A normal DC

In this example, you want to examine the domain controller so you can verify that it is

healthy and functioning properly. Type the following at the command prompt:

C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 \administrator password

Output similar to the following displays:

Domain Controller Diagnosis

Performing initial setup:

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\RESKIT-DC1

Starting test: Connectivity

......................... RESKIT-DC1 passed test Connectivity

Doing primary tests


Starting test: Replications

......................... RESKIT-DC1 passed test Replications

Starting test: NCSecDesc

......................... RESKIT-DC1 passed test NCSecDesc

Starting test: NetLogons

......................... RESKIT-DC1 passed test NetLogons

Starting test: Advertising

......................... RESKIT-DC1 passed test Advertising

Starting test: KnowsOfRoleHolders

......................... RESKIT-DC1 passed test KnowsOfRoleHolders

Starting test: RidManager

......................... RESKIT-DC1 passed test RidManager

Starting test: MachineAccount

......................... RESKIT-DC1 passed test MachineAccount

Starting test: Services

......................... RESKIT-DC1 passed test Services

Starting test: ObjectsReplicated

......................... RESKIT-DC1 passed test ObjectsReplicated

Starting test: frssysvol

......................... RESKIT-DC1 passed test frssysvol

Starting test: kccevent

......................... RESKIT-DC1 passed test kccevent

Starting test: systemlog

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:28:25

Event String: The time provider NtpClient is configured to


Time Generated: 12/21/2001 01:40:30



Time Generated: 12/21/2001 01:43:30



Time Generated: 12/21/2001 01:58:46



Time Generated: 12/21/2001 02:02:11



Time Generated: 12/21/2001 02:05:11



Time Generated: 12/21/2001 02:10:51


......................... RESKIT-DC1 failed test systemlog

Running partition tests on : Schema

Starting test: DeadCRTest

......................... Schema passed test DeadCRTest

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration


......................... Configuration passed test DeadCRTest


......................... Configuration passed test CheckSDRefDom

Running partition tests on : RESKIT-DOM


......................... RESKIT-DOM passed test DeadCRTest


......................... RESKIT-DOM passed test CheckSDRefDom

Running enterprise tests on : RESKIT-DOM.reskit.com

Starting test: Intersite

......................... RESKIT-DOM.reskit.com passed test Intersite

Starting test: FsmoCheck

......................... RESKIT-DOM.reskit.com passed test FsmoCheck

Example 2: Failed DNS registration

In this example, you have noticed that one of the DCs is not replicating properly. After

verifying that the DC is operational and can be pinged by IP address, use DCDiag to do

an enterprise check. Type the following at the command prompt:

C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 \administrator password /e











The host 7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.-com could not be resolved to an

IP address. Check the DNS server, DHCP, server name, etc

Although the Guid DNS name

(7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.com)

couldn't be resolved, the server name

(reskit-DC2.reskit-sib.RESKIT-DOM.reskit.com) resolved

to the IP address (172.26.220.34) and was pingable. Check that the IP

address is registered correctly with the DNS server.

......................... RESKIT-DC2 failed test Connectivity

Doing primary tests



[Replications Check,RESKIT-DC1] A recent replication attempt failed:

From RESKIT-DC2 to RESKIT-DC1

Naming Context: CN=Configuration,DC=RESKIT-DOM,DC=reskit,DC=com

The replication generated an error (1722):

The RPC server is unavailable.

The failure occurred at 2001-12-21 02:19:04.

The last success occurred at 2001-12-21 01:57:43.

1 failures have occurred since the last success.

The source remains down. Please check the machine.
























Time Generated: 12/21/2001 01:28:25



Time Generated: 12/21/2001 01:40:30



Time Generated: 12/21/2001 01:43:30



Time Generated: 12/21/2001 01:58:46



Time Generated: 12/21/2001 02:02:11



Time Generated: 12/21/2001 02:05:11



Time Generated: 12/21/2001 02:10:51



Time Generated: 12/21/2001 02:13:51



Time Generated: 12/21/2001 02:18:58



Time Generated: 12/21/2001 02:21:58




Skipping all tests, because server RESKIT-DC2 is

not responding to directory service requests
















Running partition tests on : reskit-sib


......................... reskit-sib passed test DeadCRTest


......................... reskit-sib passed test CheckSDRefDom






Example 3: Failed Netlogon Service

In this example, the Netlogon Service has failed on one of the domain controllers. To

troubleshoot, type the following command:

C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 \administrator password









Doing primary tests









Fatal Error:DsGetDcName (RESKIT-DC1) call failed, error 1722

The Locator could not find the server.

......................... RESKIT-DC1 failed test Advertising








NETLOGON Service is stopped on [RESKIT-DC1]

......................... RESKIT-DC1 failed test Services









Time Generated: 12/21/2001 01:28:25



Time Generated: 12/21/2001 01:40:30



Time Generated: 12/21/2001 01:43:30



Time Generated: 12/21/2001 01:58:46



Time Generated: 12/21/2001 02:02:11



Time Generated: 12/21/2001 02:05:11



Time Generated: 12/21/2001 02:10:51



Time Generated: 12/21/2001 02:13:51






















Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717

A Global Catalog Server could not be located - All GC's are down.

Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717

A Primary Domain Controller could not be located.

The server holding the PDC role is down.

Warning: DcGetDcName(TIME_SERVER) call failed, error 1717

A Time Server could not be located.

The server holding the PDC role is down.

Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717

A Good Time Server could not be located.

Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717

A KDC could not be located - All the KDCs are down.

......................... RESKIT-DOM.reskit.com failed test FsmoCheck

Example 4: Unresponsive or inaccessible server

In this example, you have noticed replication problems. To resolve the issue, type the

following at the command line:

C:\Program Files\Support Tools>dcdiag /s:reskit-DC1 \administrator password /e











Server RESKIT-DC2 resolved to this IP address 172.26.220.34,

but the address couldn't be reached(pinged), so check the network.

The error returned was: Error due to lack of resources.

This error more often means that the targeted server is

shutdown or disconnected from the network

......................... RESKIT-DC2 failed test Connectivity

Doing primary tests



[Replications Check,RESKIT-DC1] A recent replication attempt failed:

From RESKIT-DC2 to RESKIT-DC1

Naming Context: CN=Configuration,DC=RESKIT-DOM,DC=reskit,DC=com

The replication generated an error (1722):

The RPC server is unavailable.

The failure occurred at 2001-12-21 02:19:04.

The last success occurred at 2001-12-21 01:57:43.

1 failures have occurred since the last success.

The source remains down. Please check the machine.
























Time Generated: 12/21/2001 01:28:25



Time Generated: 12/21/2001 01:40:30



Time Generated: 12/21/2001 01:43:30



Time Generated: 12/21/2001 01:58:46



Time Generated: 12/21/2001 02:02:11



Time Generated: 12/21/2001 02:05:11



Time Generated: 12/21/2001 02:10:51



Time Generated: 12/21/2001 02:13:51



Time Generated: 12/21/2001 02:18:58




Skipping all tests, because server RESKIT-DC2 is

not responding to directory service requests
















Running partition tests on : reskit-sib


......................... reskit-sib passed test DeadCRTest


......................... reskit-sib passed test CheckSDRefDom






Documents

Dcdiag