Dcdiag Remarks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Two DCDiag tests are new in Windows Server 2003 Service Pack 1 (SP1):

  • DNS: Checks the health of Domain Name System (DNS) settings for the enterprise.

  • CheckSecurityError: Locates security errors or errors that might be related to security problems, and performs initial diagnosis of the problems.

CheckSecurityError must be run on a domain controller running Windows Server 2003 with SP1. Both tests can be run against domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or a later service pack, Windows Server 2003 with no service pack installed, and Windows Server 2003 with SP1.

DCDiag Tests

The following are tests that can be run using DCDiag. The tests are divided into three categories: Domain Controller tests that cannot be skipped, Domain Controller tests that can be skipped, and Non-Domain Controller tests. The tests that can be skipped are further divided into those that run by default and those that do not.

Domain Controller tests that cannot be skipped

  • Connectivity
    Tests whether domain controllers are DNS registered, can be pinged, and have LDAP/RPC connectivity.

Domain Controller tests that can be skipped

Tests run by default

  • Replications
    Checks for timely replication and any replication errors between domain controllers.
  • NCSecDesc
    Checks that the security descriptors on the naming context heads have appropriate permissions for replication.
  • NetLogons
    Checks that the appropriate logon privileges exist to allow replication to proceed.
  • Advertising
    Checks whether each domain controller is advertising itself in the roles it should be capable of. This test fails if the Netlogon Service has stopped or failed to start.
  • KnowsOfRoleHolders
    Checks whether the domain controller can contact the servers that hold the five operations master roles (also known as flexible single master operations or FSMO roles).
  • Intersite
    Checks for failures that would prevent or temporarily hold up intersite replication and tries to predict how long it will take before the KCC is able to recover.

    Warning

    Results of this test are often not valid, especially in atypical site or KCC configurations or at the Windows Server 2003 forest functional level.

  • FSMOCheck
    Checks that the domain controller can contact a KDC, a Time Server, a Preferred Time Server, a PDC, and a Global Catalog server. This test does not test any of the servers for operations master roles.
  • RidManager
    Checks whether the RID master is accessible and whether it contains the proper information.
  • MachineAccount
    Checks whether the machine account has properly registered and the services are advertised. Use /RecreateMachineAccount to attempt a repair if the local machine account is missing. Use /FixMachineAccount if the machine account flags are incorrect.
  • Services
    Checks whether the appropriate domain controller services are running.
  • OutboundSecureChannels
    Checks that secure channels exist from all of the domain controllers in the domain to the domains specified by /testdomain. The /nositerestriction parameter prevents the test from being limited to the domain controllers in the site.
  • ObjectsReplicated
    Checks that Machine Account and DSA objects have replicated. Use **/objectdn:**dn with **/n:**nc to specify an additional object to check.
  • frssysvol
    This test checks that the file replication system (FRS) SYSVOL is ready.
  • frsevent
    This test checks to see if there are errors in the file replication system. Failing replication of the SYSVOL share can cause policy problems.
  • kccevent
    This test checks that the Knowledge Consistency Checker is completing without errors.
  • systemlog
    This test checks that the system is running without errors.
  • CheckSDRefDom
    This test checks that all application directory partitions have appropriate security descriptor reference domains.
  • VerifyReplicas
    This test verifies that all application directory partitions are fully instantiated on all replica servers.
  • CrossRefValidation
    This test verifies the validity of cross-references.
  • VerifyReferences
    This test verifies that certain system references are intact for the FRS and Replication infrastructure.
  • VerifyEnterpriseReferences
    This test verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each domain controller.
  • **/skip:**Test
    Skips the specified test. Should not be run in the same command with /test. The only test that cannot be skipped is Connectivity.

Tests not run by default

  • Topology
    Checks that the KCC has generated a fully connected topology for all domain controllers.
  • CheckSecurityError
    On domain controllers running Windows Server 2003 with SP1, reports on the overall health of replication with respect to Active Directory security. May be performed against one or all domain controllers in an enterprise. When the test has completed, DCDiag presents a summary of the results, along with detailed information for each domain controller tested and the diagnosis of security errors that are encountered. The following argument is optional: **/ReplSource:**SourceDomainController to check the ability to create a replication link between a real or potential source domain controller (SourceDomainController) and the local domain controller.
  • CutoffServers
    Checks for any server that is not receiving replications because its partners are down.
  • DNS
    New in Windows Server 2003 SP1. Includes six optional DNS-related tests, as well as the /connectivity test, which runs by default. The tests can be run individually or all at once. The tests include the following:
    • /DnsBasic to confirm that essential services are running and available, necessary resource records are registered, and domain and root zones are present.

    • /DnsForwarders to determine whether recursion is enabled and that any configured forwarders or root hints are functioning.

    • /DnsDelegation to confirm that the delegated name server is functioning and to check for broken delegations.

    • /DnsDynamicUpdate to verify that the Active Directory domain zone is configured for secure dynamic updates and to perform registration of a test record.

    • /DnsRecordRegistration to test the registration of all essential DC Locator records.

    • /DnsResolveExtName to verify basic resolution of either an intranet or Internet name.

  • OutboundSecureChannels
    Checks that secure channels exist from all of the domain controllers in the domain to the domains specified by /testdomain. The /nositerestriction parameter prevents the test from being limited to the domain controllers in the site.
  • VerifyReplicas
    This test verifies that all application directory partitions are fully instantiated on all replica servers.
  • VerifyEnterpriseReferences
    This test verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each domain controller.
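
The tests in this list only run when they are named with /test:. The following is an added example, not part of the original page, that runs several of them and summarizes the per-test results. DC01 and DC02 are placeholder server names, Get-DcdiagSummary is a hypothetical helper, and the parser assumes the English "passed test" / "failed test" result lines that dcdiag prints.

```powershell
# Added example. DC01/DC02 are placeholders; Get-DcdiagSummary is a
# hypothetical helper. Assumes PowerShell 2.0+ and English dcdiag output,
# whose per-test result lines look like (constructed sample):
#   ......................... DC01 failed test CheckSecurityError
function Get-DcdiagSummary {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '\.{3,}\s+(?<target>\S+)\s+(?<status>passed|failed)\s+test\s+(?<test>\S+)') {
            New-Object PSObject -Property @{
                Target = $Matches['target']
                Test   = $Matches['test']
                Status = $Matches['status'].ToLower()
            }
        }
    }
}

$Server     = 'DC01'   # placeholder: domain controller under test
$ReplSource = 'DC02'   # placeholder: real or potential replication source

# One dcdiag invocation per entry; each names a single test with /test:.
$runs = @(
    @('/test:CheckSecurityError', "/ReplSource:$ReplSource"),
    @('/test:DNS', '/DnsBasic'),
    @('/test:DNS', '/DnsRecordRegistration'),
    @('/test:Topology'),
    @('/test:CutoffServers')
)

$results = foreach ($testArgs in $runs) {
    # Merge stderr into stdout and force every record to a plain string.
    $output = & dcdiag.exe "/s:$Server" @testArgs 2>&1 | ForEach-Object { "$_" }
    Get-DcdiagSummary -Lines $output
}

# Connectivity cannot be skipped, so it appears once per invocation.
$results | Sort-Object Status, Test | Format-Table Target, Test, Status -AutoSize

# Return a non-zero exit code so a scheduled task or monitor can alert on it.
$failed = @($results | Where-Object { $_.Status -eq 'failed' })
if ($failed.Count -gt 0) { exit 1 }
```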

Note

Text (for example, naming context names and server names) containing international or Unicode characters will be displayed correctly only if appropriate fonts and language support are loaded on the test computer.

Non-Domain Controller tests

  • DcPromo
    Tests the existing DNS infrastructure for promotion to domain controller. If the infrastructure is sufficient, the computer can be promoted to domain controller in a domain specified in **/DnsDomain:**Active_Directory_Domain_DNS_Name. It reports whether any modifications to the existing DNS infrastructure are required.
    Required argument: **/DnsDomain:**Active_Directory_Domain_DNS_Name
    One of the following arguments is required: /NewForest, /NewTree, /ChildDomain, /ReplicaDC
    If NewTree is specified, the ForestRoot argument is required: **/ForestRoot:**Forest_Root_Domain_DNS_Name
  • RegisterInDNS
    Tests whether this domain controller can register the Domain Controller Locator DNS records. These records must be present in DNS in order for other computers to locate this domain controller for the Active_Directory_Domain_DNS_Name domain. It reports whether any modifications to the existing DNS infrastructure are required. Required argument: **/DnsDomain:**Active_Directory_Domain_DNS_Name

Note

All tests except DcPromo and RegisterInDNS must be run on computers after they have been promoted to domain controller.
