Domain Controller Diagnostics Tool (dcdiag.exe)
Applies To: Windows Server 2003 with SP1
What does DCDiag.exe do?
This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health.
Tool location
The DCDiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools, see Install Windows Support Tools (https://go.microsoft.com/fwlink/?LinkId=62270).
Tool requirements
Except as noted below, all commands in DCDiag can be run on Windows XP Professional and the Windows Server 2003 family (member servers and domain controllers). The new DCDIAG /TEST:DNS command can validate the DNS health of Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers when run from the console of Windows XP or Windows Server 2003 member computers or Windows Server 2003 domain controllers.
Who does this feature apply to?
This feature is of interest to the following audiences:
DNS administrators
Domain controller administrators
DCDiag.exe users
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
There are two significant improvements to DCDiag in Windows Server 2003 Service Pack 1:
DCDIAG /TEST:DNS to validate DNS health.
DCDIAG /CheckSecurityError to detect security configurations that can cause Active Directory replication to fail.
The details of these new enhancements are described below.
New DNS diagnostic tests
Detailed description
DCDiag.exe has been enhanced for Windows Server 2003 Service Pack 1 to include new DNS functionality for reporting on the overall DNS health of domain controllers. There are seven new DNS-related tests that can be run individually or simultaneously. These tests may be performed on one or all domain controllers in an Active Directory forest. When the tests have completed, DCDiag.exe presents a summary of the results, along with detailed information for each domain controller tested.
Note
The new DNS tests require Enterprise Admin credentials. The new DNS tests can be run only against Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers.
Command line syntax
Windows Server 2003 SP1 dcdiag uses the same basic syntax as previous versions of dcdiag. The syntax for running the new DNS tests is as follows:
Dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:InternetName] | /DnsAll] [/f:Logfile] [/ferr:Logerr] /S:DCName [/e] [/v]
Parameter | Description |
---|---|
 | Performs all seven subtests except the |
 | Performs the specified DNS test. If no test is specified, defaults to |
 | Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence. |
 | Performs the |
 | Performs the |
 | Performs the |
 | Performs the |
 | Performs the |
 | Performs all tests, except for the |
 | Redirects output to the log file supplied by the user. |
 | Redirects fatal error output to a separate log file. |
 | Specifies the domain controller against which to run the tests. |
 | All tests specified by |
 | Verbose. Presents information about successful test results, in addition to information about errors and warnings. (When the |
Enterprise DNS Infrastructure Test (/e)
When /test:DNS is run in conjunction with the /e parameter, all tests specified by /test:DNS are run against all domain controllers in the Active Directory forest.
Note
Run times for DNS tests can be significant in large enterprises when the /e parameter is used. Domain controllers and DNS servers that are offline will increase run time because of long time-out periods for RPC and other protocols.
Connectivity test
The connectivity test is a mandatory test and runs automatically before any other dcdiag test is run. The connectivity test determines whether domain controllers are registered in DNS, can be pinged, and have LDAP/RPC connectivity.
If the connectivity test fails on a given domain controller, no other tests are run against that domain controller.
Note
The connectivity test has not been changed in SP1, but is included in this document for reference.
Basic DNS Test (/DnsBasic)
The basic DNS test confirms that the following essential services are running and available on domain controllers tested by dcdiag:
DNS Client service
Netlogon service
KDC service
DNS Server service (if DNS is installed on the domain controller)
The basic DNS test confirms network connectivity for each domain controller by confirming that DNS servers on all adapters are reachable.
The basic DNS test confirms that the A record of each domain controller is registered on at least one of the DNS servers configured on the client.
If a domain controller is running the DNS Server service, the basic DNS test confirms that the Active Directory domain zone and SOA record for the Active Directory domain zone are present.
The basic DNS test checks whether the root (.) zone is present.
Forwarder test (/DnsForwarders)
Note
This test runs only if the domain controller being tested is running the Microsoft DNS Server service.
The forwarder test determines whether recursion is enabled.
If forwarders or root hints are configured, the forwarder test confirms that all forwarders or root hints on the DNS server are functioning, and also confirms that the _ldap._tcp.<Forest root domain> DC Locator record is resolved. (Resolution of the _ldap._tcp.<Forest root domain> DC Locator record is not attempted for forwarders or root hints configured on the forest root domain controller.)
Delegation test (/DnsDelegation)
Note
This test runs only if the domain controller being tested is running the Microsoft DNS Server service.
The delegation test confirms that the delegated name server is a functioning DNS Server.
The delegation test checks for broken delegations by ensuring that all NS records in the Active Directory domain zone in which the target domain controller resides have corresponding glue A records.
Dynamic Update Test (/DnsDynamicUpdate)
The dynamic update test confirms that the Active Directory domain zone is configured for secure dynamic update and performs registration of a test record (_dcdiag_test_record). The test record is subsequently deleted.
Record Registration Test (/DnsRecordRegistration)
The record registration test verifies the registration of all essential DC Locator records on all DNS Servers configured on each adapter of the domain controllers. This test returns the following records.
Record | Description |
---|---|
CNAME GUID | The GUID registered as the canonical name (CNAME) of the DNS server. |
A | The host address (A) resource record. Maps a DNS domain name to an Internet Protocol (IP) version 4 32-bit address. |
LDAP SRV | The service locator (SRV) resource record for the LDAP service. |
GC SRV | The service locator (SRV) resource record for the global catalog (GC) server. |
PDC SRV | The service locator (SRV) resource record for the primary domain controller (PDC). |
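The concrete owner names behind the five record classes in the table, as an added example that is not Microsoft's code or dcdiag output: it builds the records Netlogon registers for a domain controller and reports which of them are absent from a constructed snapshot of each DNS server configured on the DC's adapters, the way the record registration test does per adapter. Host names, the DSA GUID and the 192.0.2.x addresses are constructed; the record owner names are the standard DC Locator forms.

```python
# Added example (not Microsoft's code): build the DC Locator records that the
# /DnsRecordRegistration subtest looks for and compare them with a constructed
# snapshot of what each configured DNS server actually holds.
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (owner name, type, data), owner names lower-cased


def expected_dc_locator_records(dc_host: str, dns_domain: str, forest_root: str,
                                dsa_guid: str, ip: str,
                                is_gc: bool, is_pdc: bool) -> Dict[str, Record]:
    """Return the records Netlogon registers for a DC, keyed like the record table.
    GC and PDC SRV records are only expected from a global catalog server or the
    PDC emulator, which is why warnings about them can be ignored on other DCs.
    dsa_guid is the objectGUID of the DC's NTDS Settings object."""
    fqdn = f"{dc_host}.{dns_domain}".lower()
    records = {
        "A": (fqdn, "A", ip),
        "CNAME GUID": (f"{dsa_guid}._msdcs.{forest_root}".lower(), "CNAME", fqdn),
        "LDAP SRV": (f"_ldap._tcp.dc._msdcs.{dns_domain}".lower(), "SRV", fqdn),
    }
    if is_gc:
        records["GC SRV"] = (f"_ldap._tcp.gc._msdcs.{forest_root}".lower(), "SRV", fqdn)
    if is_pdc:
        records["PDC SRV"] = (f"_ldap._tcp.pdc._msdcs.{dns_domain}".lower(), "SRV", fqdn)
    return records


def missing_registrations(expected: Dict[str, Record],
                          dns_servers: Dict[str, Set[Record]]) -> List[str]:
    """Check every expected record against every DNS server the DC's adapters point
    to and return findings worded like the test's 'Missing ... record' errors."""
    findings = []
    for server_ip, zone_data in dns_servers.items():
        for label, rec in expected.items():
            if rec not in zone_data:
                findings.append(f"Missing {label} record at DNS server {server_ip} : {rec[0]}")
    return findings


# Constructed sample: DC2 is a GC but not the PDC emulator. The first DNS server
# holds all of its records; the second never received the CNAME and GC SRV
# registrations, so the test would flag that server.
EXPECTED_DC2 = expected_dc_locator_records(
    "DC2", "corp.example.test", "example.test",
    "7c3e1a00-0000-4000-8000-000000000002", "192.0.2.12",
    is_gc=True, is_pdc=False)

SAMPLE_DNS_SERVERS: Dict[str, Set[Record]] = {
    "192.0.2.10": set(EXPECTED_DC2.values()),
    "192.0.2.11": {EXPECTED_DC2["A"], EXPECTED_DC2["LDAP SRV"]},
}

if __name__ == "__main__":
    for finding in missing_registrations(EXPECTED_DC2, SAMPLE_DNS_SERVERS):
        print(finding)
```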
External Name Resolution Test (/DnsResolveExtName)
Note
The external name resolution test is run only if specified explicitly (using /DnsResolveExtName); it is not run as part of /DnsAll.
The external name resolution test verifies basic resolution of external DNS from a given client, using a sample Internet name (www.microsoft.com), or user-provided Internet name.
The external name resolution test cannot resolve external Internet names in an environment where a proxy server is being used.
You can test name resolution using either intranet or Internet names.
To resolve a user-provided Internet or intranet name (rather than the default name of www.microsoft.com), the /DnsInternetName parameter must be used.
How to read the output of DNS-enhanced dcdiag
The following steps summarize how to interpret the results provided by DNS-enhanced dcdiag:
1. Run dcdiag /test:DNS /e /f:dns.txt. Microsoft recommends always using the /v switch to obtain verbose information.
2. Open the report in Notepad or a compatible editor.
3. Scroll to the end of the report and read the summary table.
4. Identify servers that returned "warn" or "fail" status for any subtest in the summary table.
5. Review the section of output for that server to see what problem was detected (hint: use the Find command on the Edit menu to search for the string "DC: DC_computername" (without quotes) to locate the detailed section for a given DC).
6. Resolve problems on DNS clients or DNS server(s) as required.
7. Run dcdiag /test:DNS /v /e (or /s:DCName) again to verify the fix. Repeat steps 1 through 6 as required until all failures are understood and reconciled.
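Steps 3 to 5 of this procedure, automated against a saved log, as an added example that is not part of Microsoft's documentation: it reads the summary table, lists every DC with a "warn" or "fail" subtest, and pulls the Warning:/Error: lines out of that DC's detailed "DC:" section. The log text is a constructed sample; the summary column layout (Auth Basc Forw Del Dyn RReg Ext) is assumed, so adjust SUBTESTS if your dcdiag build prints different headings.

```python
# Added example (not Microsoft's code): parse a dcdiag /test:DNS /v /e report
# the way the reading procedure describes. SAMPLE_LOG is constructed.
import re
from typing import Dict, List, Tuple

SUBTESTS = ("Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext")  # assumed column order
STATUSES = {"PASS", "WARN", "FAIL", "n/a"}

SAMPLE_LOG = """
   Testing server: Default-First-Site-Name\\DC2
      Starting test: DNS
         DC: dc2.corp.example.test
         Domain: corp.example.test

            TEST: Basic (Basc)
               Warning: Adapter 00000001 has dynamic IP address
            TEST: Dynamic update (Dyn)
               Error: Dynamic update is not enabled on the zone corp.example.test
      ......................... DC2 failed test DNS

   Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
      _________________________________________________________________
      Domain: corp.example.test
         DC1                         PASS PASS PASS PASS PASS PASS n/a
         DC2                         PASS WARN PASS PASS FAIL PASS n/a
"""


def parse_summary(log: str) -> Dict[str, Dict[str, str]]:
    """Step 3: read the summary table at the end of the report into {dc: {subtest: status}}."""
    results, in_summary = {}, False
    for line in log.splitlines():
        if "Summary of DNS test results" in line:
            in_summary = True
            continue
        parts = line.split()
        # A result row is a DC name followed by exactly one status per subtest.
        if in_summary and len(parts) == len(SUBTESTS) + 1 and set(parts[1:]) <= STATUSES:
            results[parts[0]] = dict(zip(SUBTESTS, parts[1:]))
    return results


def problem_dcs(results: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Step 4: every (dc, subtest, status) that reported WARN or FAIL."""
    return [(dc, t, s) for dc, tests in results.items()
            for t, s in tests.items() if s in ("WARN", "FAIL")]


def detail_section(log: str, dc: str) -> List[str]:
    """Step 5: the 'DC: <name>' block for one DC. The summary uses the short name and
    the detail section the FQDN, so match on the first label of the host name."""
    lines, start = log.splitlines(), None
    for i, line in enumerate(lines):
        m = re.match(r"\s*DC:\s*(\S+)", line)
        if m and m.group(1).split(".")[0].lower() == dc.lower():
            start = i
        elif start is not None and (m or "Summary of DNS test results" in line):
            return lines[start:i]
    return lines[start:] if start is not None else []


def findings(log: str, dc: str) -> List[str]:
    """The Warning:/Error: lines from a DC's detail section, stripped of indentation."""
    return [l.strip() for l in detail_section(log, dc) if re.match(r"\s*(Warning|Error):", l)]
```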
Warnings and Errors
Dcdiag takes a conservative approach by identifying DNS client or DNS server configurations that may be problematic, do not conform to best-practice configurations, or that dcdiag cannot fully validate. Therefore, the summary and detailed sections of dcdiag output may report warnings for DNS configurations that are currently functional. Administrators should investigate and validate such configurations when dcdiag identifies them.
The tables below contain the configurations that can trigger dcdiag to report warnings or errors for each of the DNS subtests.
Basic
Warning | Additional information |
---|---|
Warning: Adapter <adapter name> has dynamic IP address | Static IP addresses are recommended for all DNS servers. |
Warning: Adapter <adapter name> has invalid DNS server: <name> <IP address> | The DNS server may not be reachable. |
Warning: No DNS RPC connectivity (error or non-Microsoft DNS server is running) | Disregard this warning if the DNS server is a BIND or other non-Microsoft DNS server. |
Warning: The Active Directory zone on this DC/DNS server was not found | N/A |
Warning: Root zone on this DC/DNS server was found | N/A |

Error | Additional information |
---|---|
Error: Authentication failed with specified credentials | DCDIAG requires Enterprise Admin credentials to run all the tests. |
Error: No LDAP connectivity | N/A |
Error: No DS RPC connectivity | N/A |
Error: No WMI connectivity | The DNS test requires WMI connectivity to run on the remote computer. |
Error: Can't read operating system version through WMI | This might be caused by the lack of a WMI connection to the remote computer. |
Error: <Operating system name> not supported (this tool is supported on Windows 2000, Windows XP, and Windows Server 2003 only) | N/A |
Error: Open Service Control Manager failed | Unable to determine whether the service is running. |
Error: Kdc/netlogon/DNS/dnscache is not running | Some of the key services are not running. |
Error: Can't read network adapter information through WMI | N/A |
Error: All DNS servers are invalid | The DNS servers that the client points to are either not reachable, not DNS servers, or have invalid IP addresses. |
Error: The A record for this DC was not found | Every DC should register an A record. Make sure A records are registered on all the DNS servers the client points to. |
Error: Enumeration of zones failed to find root and AD zone | N/A |
Error: Could not query DNS zones on this DC | Make sure that the zone in which the DC is supposed to register is present. |
Forwarder
Error | Additional information |
---|---|
Error: Forwarders list has invalid forwarder: <IP address of the forwarder> | Forwarders configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, the forest root domain SRV record cannot be resolved if this is a non-root domain DC). |
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints | Make sure either forwarders or root hints are configured on the DNS server unless it hosts the root zone. |
Error: Root hints list has invalid root hint server: <IP address of Root hint server> | Root hint servers configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, the forest root domain SRV record cannot be resolved if this is a non-root domain DC). |
Error: <Root hint server Name> IP: <Unavailable> Status: <status of the server> | The configured root hint servers do not have a corresponding IP address. The Status field tells you the status of the server. |
Error: <Root hint server Name> IP: <Unavailable> Status: A record not found | The configured root hint servers do not have an A record. |
Error: Enumeration of Root hint servers failed on <DNS server name> | Could not list the root hint servers on the target DNS server. |
Delegation
Warning | Additional information |
---|---|
Warning: DNS server: <DnsServer name> IP: <Ipaddress> Failure: Missing glue A record | The configured delegation is missing a glue A record. |

Error | Additional information |
---|---|
DNS server: <Server name> IP: <IP address> Error: Broken delegation (verbose) | Delegation is configured but the name server is not responding. |
DNS server: <Server name> IP: <IP address> Error: Broken delegated domain <Delegated domain name> (non-verbose) | N/A |
Error: Failed to enumerate the records at the zone root on the server | N/A |
DynamicUpdate
Warning | Additional information |
---|---|
Warning: Dynamic update is enabled on the zone but not secure <zone name> | Secure dynamic updates are recommended. |
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name> | The test adds a dummy record dynamically. |
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone <zone name> | The test also deletes the record it added. |

Error | Additional information |
---|---|
Error: Dynamic update is not enabled on the zone <zone name> | Dynamic update is not enabled on the Active Directory zone, so the client cannot register its records. |
Record registration
Warning | Additional information |
---|---|
Warning: Missing DC SRV record at DNS server <record name> | Ignore the error if |
Warning: Missing GC SRV record at DNS server <record name> | Ignore the error if |
Warning: Missing PDC SRV record at DNS server <record name> | Ignore the error if |
Warning: Record Registrations not found in some network adapters | N/A |

Error | Additional information |
---|---|
Error: Missing A record at DNS server <DNS Server IP address> : <A record name> | The DC has not registered its A record on the specified DNS server. |
Error: Missing CNAME record at DNS server <DNS Server IP address> : <CNAME record name> | The DC has not registered its CNAME record on the specified DNS server. |
Error: Missing DC SRV record at DNS server <DNS Server IP address> : <SRV record name> | The DC has not registered its DC SRV record on the specified DNS server. |
Error: Missing GC SRV record at DNS server <DNS Server IP address> : <SRV record name> | The DC has not registered its GC SRV record on the specified DNS server. |
Error: Missing PDC SRV record at DNS server <DNS Server IP address> : <SRV record name> | The DC has not registered the specified PDC SRV record on the specified DNS server. All these records can be registered by stopping and starting the Netlogon service. |
Error: Record registrations cannot be found for all the network adapters | If there are multiple network adapters, the test checks whether all the records are present on all the DNS servers configured on each adapter. This error occurs if a record registration is missing on one of those DNS servers. |
External name resolution
Error | Additional information |
---|---|
Error: Internet name <name> cannot be resolved | The specified Internet name cannot be resolved. Make sure the proxy client, servers, root hints, and forwarders are configured properly. |
Enterprise DNS infrastructure tests
Warning | Additional information |
---|---|
Warning: Neither forwarders nor root hints are configured from subordinate domain to parent domain | Forwarders or root hints need to be configured on the DNS servers of either the parent or the subordinate domain that host the authoritative zones for their respective domains so that name resolution works. |

Error | Additional information |
---|---|
Error: Delegation is not configured on the parent domain | Delegation should be configured from the parent to the subordinate domain. |
Error: Delegation is present but the glue record is missing | Delegation is configured but the name servers are missing their glue records. |
Error: Forwarders are misconfigured from parent domain to subordinate domain | Forwarders must be configured from the subordinate domain to the parent domain. |
Error: Root hints are misconfigured from parent domain to subordinate domain | Root hints must be configured from the subordinate domain to the parent domain. |
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details) | The configured forwarders have an invalid IP address or are not a valid DNS server, or name resolution is not working (the forest root domain SRV record cannot be resolved from the non-root domain). |
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details) | The configured root hints have an invalid IP address or are not a valid DNS server, or name resolution is not working. |
Examples
The following examples illustrate the use of Windows Server 2003 SP1 dcdiag. Replace the placeholder parameters (TargetDCName, LogFileName, InternetName) with values appropriate for your environment:
To run all DNS tests on a single domain controller in non-verbose mode:
Dcdiag /test:DNS /s:TargetDCName /f:LogFileName
To run all DNS tests on a single domain controller in verbose mode:
Dcdiag /test:DNS /s:TargetDCName /v /f:LogFileName
To run all DNS tests on an entire forest in non-verbose mode:
Dcdiag /test:DNS /e /f:LogFileName
To run all DNS tests on an entire forest in verbose mode:
Dcdiag /test:DNS /v /e /f:LogFileName
To run the DNS basic test on a single domain controller:
Dcdiag /test:DNS /DnsBasic /s:TargetDCName /f:LogFileName
To run the DNS forwarders test on a single domain controller:
Dcdiag /test:DNS /DnsForwarders /s:TargetDCName /f:LogFileName
To run the DNS delegation test on a single domain controller:
Dcdiag /test:DNS /DnsDelegation /s:TargetDCName /f:LogFileName
To run the DNS dynamic update test on a single domain controller:
Dcdiag /test:DNS /DnsDynamicUpdate /s:TargetDCName /f:LogFileName
To run the DNS record registration test on a single domain controller:
Dcdiag /test:DNS /DnsRecordRegistration /s:TargetDCName /f:LogFileName
To resolve a sample Internet or intranet name:
Dcdiag /test:DNS /DnsResolveExtName /DnsInternetName:InternetName /f:LogFileName
Note
When an individual test is run, the /DnsBasic tests are run by default before the specified individual test. If no individual test is specified, all DNS tests (except /DnsResolveExtName) are run by default.
New Active Directory replication security tests
Detailed description
DCDiag.exe has been enhanced for Windows Server 2003 Service Pack 1 to include new functionality to identify security configurations that can cause Active Directory replication to fail.
The new CheckSecurityError test may be performed on one or all domain controllers in an Active Directory forest. The test performs the following operations:
Checks for the availability of a Key Distribution Center (KDC) in both the destination and source domain controller's domains.
Verifies that the destination DC can transmit and receive sufficiently large UDP-formatted packets (used by Kerberos).
Verifies that the system clock of the destination DC is no more than 5 minutes different from the system time of the KDC in the destination and source domains and of the source DC.
Confirms that the root of each naming context on the source domain controller is configured with the necessary permission.
Confirms that the source and destination DC computer accounts are not disabled, are trusted for delegation, and contain all required service principal names.
When the test has completed, DCDiag.exe presents a summary of the results for each domain controller tested and the diagnosis of the security errors encountered.
This test can be run from the command-line using the following syntax:
Dcdiag /test:CheckSecurityError
Optionally, you can add the switch /ReplSource:SourceDC to the command to identify a specific domain controller as the source in a replication attempt. The domain controller specified in the /ReplSource: parameter does not need to be one that the tested domain controller currently replicates from (one from which the destination domain controller currently has an inbound connection object). This test collects information from the domain controller, the key distribution center (KDC), the source and destination servers, and Active Directory.
Note
Dcdiag /test:CheckSecurityError can be executed on the console of a member computer (using the /e or /s:servername parameters) as well as on a domain controller. For best results, run Dcdiag /test:CheckSecurityError on the console of each domain controller that is failing inbound Active Directory replication due to a suspected security error.
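Two of the CheckSecurityError checks listed above (the computer-account check and the 5-minute clock check), modelled offline as an added example that is not Microsoft's code: it evaluates constructed attribute values of the kind the test reads from Active Directory and returns findings. The userAccountControl bit values and the replication SPN form are real; the minimal SPN set checked, the attribute dictionary shape, and the sample account are assumptions of this example.

```python
# Added example (not Microsoft's code): offline model of the computer-account and
# clock-skew parts of dcdiag /test:CheckSecurityError, run on constructed data.
from datetime import datetime, timedelta
from typing import Dict, List

ACCOUNTDISABLE = 0x0002            # userAccountControl bit: account is disabled
TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: trusted for delegation
DRS_SPN_PREFIX = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"  # DRS interface GUID used in the replication SPN
MAX_SKEW = timedelta(minutes=5)    # Kerberos clock tolerance the test applies


def required_spns(fqdn: str, dns_domain: str, dsa_guid: str) -> set:
    """Assumed minimal SPN set a replication partner relies on: the HOST and ldap
    names plus the replication SPN built from the NTDS Settings objectGUID."""
    return {f"HOST/{fqdn}", f"ldap/{fqdn}", f"{DRS_SPN_PREFIX}/{dsa_guid}/{dns_domain}"}


def check_dc_account(account: Dict, dns_domain: str) -> List[str]:
    """Computer-account checks: not disabled, trusted for delegation, required SPNs present."""
    findings = []
    uac = account["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        findings.append("computer account is disabled")
    if not uac & TRUSTED_FOR_DELEGATION:
        findings.append("computer account is not trusted for delegation")
    missing = required_spns(account["dNSHostName"], dns_domain, account["dsaGuid"]) \
        - set(account["servicePrincipalName"])
    findings.extend(f"missing SPN {spn}" for spn in sorted(missing))
    return findings


def check_clock_skew(destination: datetime, kdc: datetime, source: datetime) -> List[str]:
    """Time check: the destination DC's clock must be within 5 minutes of the KDC
    and of the source DC; skew exactly at the limit is still accepted."""
    findings = []
    for name, other in (("KDC", kdc), ("source DC", source)):
        skew = abs(destination - other)
        if skew > MAX_SKEW:
            findings.append(f"clock skew to {name} is {int(skew.total_seconds())}s (limit 300s)")
    return findings


# Constructed sample account for DC2: enabled and trusted for delegation, but the
# replication SPN is absent from servicePrincipalName.
SAMPLE_DC2 = {
    "dNSHostName": "dc2.corp.example.test",
    "userAccountControl": 0x82000,   # SERVER_TRUST_ACCOUNT (0x2000) | TRUSTED_FOR_DELEGATION
    "dsaGuid": "7c3e1a00-0000-4000-8000-000000000002",
    "servicePrincipalName": ["HOST/dc2.corp.example.test", "ldap/dc2.corp.example.test"],
}
T0 = datetime(2005, 1, 1, 12, 0, 0)  # constructed reference time for the clock check

if __name__ == "__main__":
    print(check_dc_account(SAMPLE_DC2, "corp.example.test"))
    print(check_clock_skew(T0, T0 + MAX_SKEW, T0 - 2 * MAX_SKEW))
```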
Why is this change important?
If replication is not working and the error is a security error (such as "Access Denied", "The target account name is incorrect", or "The RPC server is unavailable"), there are many different factors that could be causing the issue. This test automates the diagnosis by examining the most common sources of these errors and reporting them so that you can resolve the issue.