2/27/12 Dcdiag

1/22 technet.microsoft.com/en-us/library/cc731968(d=printer,v=ws.10).aspx

Dcdiag

Updated: July 12, 2010

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.

As an end-user reporting program, dcdiag is a command-line tool that encapsulates detailed knowledge of how to identify abnormal behavior in the system. Dcdiag displays command output at the command prompt.

Dcdiag consists of a framework for executing tests and a series of tests to verify different functional areas of the system. This framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or single server.

Dcdiag is built into Windows Server 2008 R2 and Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

If Dcdiag takes a long time to run on a computer that runs Windows Server 2008 R2 or Windows 7, install the hotfix in article 979294 (http://go.microsoft.com/fwlink/?LinkId=196596) in the Microsoft Knowledge Base.

To use dcdiag, you must run the dcdiag command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]

Parameters

Parameter  Description

/s:<DomainController>

Specifies the name of the server to run the command against. If this parameter is not specified, the tests are run against the local domain controller. This parameter is ignored for DcPromo and RegisterInDns tests, which can be run locally only.


/n:<NamingContext>

Uses NamingContext as the naming context to test. You can specify domains in NetBIOS, Domain Name System (DNS), or distinguished name format.

/u:<Domain>\<UserName> /p:{* | <Password> | ""}

Uses Domain\UserName. Dcdiag uses the current credentials of the user (or process) that is logged on. If alternate credentials are needed, use the following options to provide those credentials for binding with Password as the password:

Use quotation marks ("") for an empty or null password.

Use the wildcard character (*) to prompt for the password.

/a Tests all the servers on this site.

/e Tests all the servers in the enterprise. Overrides /a.

/q Quiet. Prints only error messages.

/v Verbose. Prints extended information.

/i Ignores superfluous error messages.

/fix

Affects the MachineAccount test only. This parameter causes the test to fix the Service Principal Names (SPNs) on the Machine Account object of the domain controller.

/f:<LogFile> Redirects all output to a log file (LogFile).

/c

Comprehensive. Runs all tests except DCPromo and RegisterInDNS, including non-default tests. Optionally, you can use this parameter with the /skip parameter to skip specified tests.

The following tests are not run by default:

Topology

CutoffServers

OutboundSecureChannels

{/h | /?} Displays help at the command prompt.

/test:<Test>

Runs this test only. The Connectivity test, which you cannot skip, is also run. You should not have this parameter in the same command with the /skip parameter.


/ReplSource:<SourceDomainController>

Tests the connection between the domain controller on which you run the command and the source domain controller. (This parameter is used for the CheckSecurityError test.) SourceDomainController is the DNS name, NetBIOS name, or distinguished name of a real or potential server that will be the source domain controller for replication, as represented by a real or potential connection object.

DNS Test Syntax

The Dcdiag DNS test uses the following syntax:

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] [/s:<DomainController>] [/e] [/v]

DNS Test Parameters

Parameter  Description

/test:DNS [DNS test]

Performs the specified DNS test. If no test is specified, defaults to /DnsAll.

/DnsBasic

Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.

/DnsForwarders

Performs the /DnsBasic tests, and also checks the configuration of forwarders.

/DnsDelegation

Performs the /DnsBasic tests, and also checks for proper delegations.

/DnsDynamicUpdate

Performs the /DnsBasic tests, and also determines if dynamic update is enabled in the Active Directory zone.

/DnsRecordRegistration

Performs the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered. In addition, creates an inventory report based on the test results.

/DnsResolveExtName [/DnsInternetName:<InternetName>]

Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInternetName is not specified, attempts to resolve the name www.microsoft.com. If /DnsInternetName is specified, attempts to resolve the Internet name supplied by the user.

/DnsAll

Performs all tests, except for the /DnsResolveExtName test, and generates a report.

/f:<LogFile>

Redirects all output to LogFile.

/s:<DomainController>

Runs the tests against DomainController. If this parameter is not specified, the tests are run against the local domain controller.

/e

Runs all tests specified by /test:DNS against all domain controllers in the Active Directory forest.

Note

Run times for DNS tests can be significant in large enterprises when the /e parameter is used. Domain controllers and DNS servers that are offline will increase run time as a result of long time-out periods for RPC and other protocols.

/v

Verbose. Presents extended information about successful test results, in addition to information about errors and warnings. When the /v parameter is not used, provides only error and warning information. Use the /v switch when errors or warnings are reported in the summary table.

/x:<XMLLog.xml>

Redirects all output to <XMLLog.xml>. This parameter works only with the /test:dns option.

/xsl:<XSLFile.xsl> or <XSLTFile.xslt>

Adds the processing instructions that reference the specified stylesheet. This parameter works only with the /test:dns /x:<XMLLog.xml> option.

Dcdiag tests

The tables in this section show tests that you can run by using dcdiag. The tests are grouped into the following categories:

Domain controller tests that you cannot skip

Domain controller tests that you can skip

These tests are grouped into two tables based on whether they run by default.

Non-domain controller tests

Domain controller tests that you cannot skip

Connectivity

Checks if domain controllers are registered in DNS, if they can be pinged and if they have LDAP or remote procedure call (RPC) connectivity.

Domain controller tests that you can skip

The following table shows tests that run by default.

Replications

Checks for timely replication and any replication errors between domain controllers.

NCSecDesc

Checks that the security descriptors on the naming context heads have appropriate permissions for replication.

NetLogons

Checks that the appropriate logon privileges exist to allow replication to proceed.

Advertising

Checks whether each domain controller advertises itself in the roles that it should be capable of performing. This test fails if the Netlogon Service has stopped or failed to start.

KnowsOfRoleHolders

Checks whether the domain controller can contact the servers that hold the five operations master roles (also known as flexible single master operations or FSMO roles).

Intersite

Checks for failures that would prevent or temporarily hold up intersite replication and predicts how long it would take for the Knowledge Consistency Checker (KCC) to recover.

Important

Results of this test are often not valid, especially in atypical site or KCC configurations or at the Windows Server 2003 forest functional level.

FSMOCheck

Checks that the domain controller can contact a Kerberos Key Distribution Center (KDC), a time server, a preferred time server, a primary domain controller (PDC), and a global catalog server. This test does not test any of the servers for operations master roles.

RidManager

Checks whether the relative identifier (RID) master is accessible and if it contains the proper information.

MachineAccount

Checks whether the machine account has properly registered and that the services are advertised. Use the /RecreateMachineAccount parameter to attempt a repair if the local machine account is missing. Use the /FixMachineAccount parameter if the machine account flags are incorrect.

Services

Checks whether the appropriate domain controller services are running.

OutboundSecureChannels

Checks that secure channels exist from all of the domain controllers in the domain to the domains that are specified by the /testdomain parameter. The /nositerestriction parameter prevents dcdiag from limiting the test to the domain controllers in the site.

ObjectsReplicated

Checks that the Machine Account and Directory System Agent (DSA) objects have replicated. You can use the /objectdn:dn parameter with the /n:nc parameter to specify an additional object to check.

frssysvol

Checks that the file replication system (FRS) system volume (SYSVOL) is ready.

frsevent

Checks to see if there are errors in the file replication system. (Failing replication of the SYSVOL share can cause policy problems.)

kccevent

Checks that the KCC is completing without errors.


systemlog

Checks that the system is running without errors.

CheckSDRefDom

Checks that all application directory partitions have appropriate security descriptor reference domains.

VerifyReplicas

Checks that all application directory partitions are fully instantiated on all replica servers.

CrossRefValidation

Checks the validity of cross-references.

VerifyReferences

Checks that certain system references are intact for the FRS and replication infrastructure.

VerifyEnterpriseReferences

Checks that specified system references are intact for the FRS and replication infrastructure across all objects in the enterprise on each domain controller.

/skip:<Test>

Skips the specified test. You should not specify this parameter in the same command with the /test parameter. The only test that you cannot skip is Connectivity.

The following table shows tests that do not run by default.

Topology

Checks that the KCC has generated a fully connected topology for all domain controllers.

CheckSecurityError

Reports on the overall health of replication with respect to Active Directory security in domain controllers running Windows Server 2003 SP1. You can perform this test against one or all domain controllers in an enterprise. When the test finishes, dcdiag presents a summary of the results, along with detailed information for each domain controller tested and the diagnosis of security errors that the test reported.

The following argument is optional:

/ReplSource:SourceDomainController

This argument checks the ability to create a replication link between a real or potential source domain controller (SourceDomainController) and the local domain controller.

CutoffServers

Checks for any server that is not receiving replications because its partners are not running.

DNS

Includes six optional DNS-related tests, as well as the Connectivity test, which runs by default. You can run the tests individually or together. The tests include the following parameters:

/DnsBasic

Confirms that essential services are running and available, necessary resource records are registered, and domain and root zones are present.

/DnsForwarders

Determines whether recursion is enabled and that any configured forwarders or root hints are functioning.

/DnsDelegation

Confirms that the delegated name server is functioning and checks for broken delegations.

/DnsDynamicUpdate

Checks that the Active Directory domain zone is configured to do secure dynamic updates and register a test record.

/DnsRecordRegistration

Tests the registration of all essential DC Locator records.

/DnsResolveExtName

Checks the basic resolution of either an intranet or Internet name.

OutboundSecureChannels

Checks that secure channels exist from all of the domain controllers in the domain to the domains that are specified by the /testdomain parameter. The /nositerestriction parameter prevents dcdiag from limiting the test to the domain controllers in the site.

VerifyReplicas

Checks that all application directory partitions are fully instantiated on all replica servers.

VerifyEnterpriseReferences

Checks that specified system references are intact for the FRS and replication infrastructure across all objects in the enterprise on each domain controller.

Note

AD DS displays text, such as naming context names and server names, which contains international or Unicode characters correctly only if you have installed appropriate fonts and language support on the test computer.

Non-domain controller tests

DcPromo

Tests the existing DNS infrastructure for any computer that you want to promote to be a domain controller. If the infrastructure is sufficient, you can promote the computer to a domain controller in the domain specified in the parameter /DnsDomain:Active_Directory_Domain_DNS_Name. This parameter reports whether any modifications to the existing DNS infrastructure are required. The required argument is /DnsDomain:Active_Directory_Domain_DNS_Name.

One of the following arguments is required:

/NewForest

/NewTree

/ChildDomain

/ReplicaDC

If you specify the /NewTree argument, you must also specify the /ForestRoot:Forest_Root_Domain_DNS_Name argument.

RegisterInDNS

Tests whether this domain controller can register the Domain Controller Locator DNS records. These records must be present in DNS for other computers to locate this domain controller for the Active_Directory_Domain_DNS_Name domain. This parameter reports whether any modifications to the existing DNS infrastructure are required. The required argument is /DnsDomain:Active_Directory_Domain_DNS_Name.

Note

With the exception of the DcPromo and RegisterInDNS tests, you must promote computers to be domain controllers before you run tests on them.

How to read the output of DNS-enhanced dcdiag

The following steps summarize how to interpret the results provided by DNS-enhanced dcdiag:

1. Run dcdiag /test:DNS /e /f:dns.txt. Microsoft recommends always using the /v switch to obtain verbose information.

2. Open the report in Notepad or a compatible editor.

3. Scroll to the end of the report and read the summary table.

4. Identify servers that returned "warn" or "fail" status for any subtest in the summary table.

5. Review the section of output for that server to see what problem was detected (hint: use the Find command on the Edit menu to search on the string "DC: DC_computername" (without quotes) to locate the detailed section for a given DC).

6. Resolve problems on DNS clients or DNS server(s) as required.

7. Run dcdiag /test:DNS /v /e (or /s:DCName) again to verify the fix. Repeat steps 1 through 6 as required until all failures are understood and reconciled.
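The triage that steps 3 to 5 describe, as an added Python example rather than anything from the TechNet page: it locates the summary table at the end of the report, lists the DCs with a warn or fail status, and pulls the Warning/Error lines from each flagged DC's "DC: <name>" section. The sample report, the contoso.com names and the short column names are constructed assumptions about dcdiag's output layout.

```python
"""Triage a DNS-enhanced dcdiag report (steps 3 to 5 of the procedure above).

Added example, not code from the TechNet page. The report below is constructed,
and its summary-table layout (one status column per DNS subtest, one row per
DC under a 'Domain:' heading) is an assumption, not something the page states.
"""

# Constructed sample of a report from dcdiag /test:DNS /v /e /f:dns.txt:
# detailed 'DC: <name>' sections first, summary table at the end.
SAMPLE_REPORT = """\
   DC: DC1.contoso.com
      Domain: contoso.com
            Warning: Adapter Local Area Connection has dynamic IP address
   DC: DC2.contoso.com
      Domain: contoso.com
            Error: Forwarders list has invalid forwarder: 10.0.0.99
   Summary of DNS test results:
                                    Auth Basc Forw Del  Dyn  RReg Ext
      _________________________________________________________________
      Domain: contoso.com
         DC1                        PASS WARN PASS PASS PASS PASS n/a
         DC2                        PASS PASS FAIL PASS PASS PASS n/a
         DC3                        PASS PASS PASS PASS PASS PASS n/a
"""

# Short column names of the constructed summary table (assumption).
SUBTESTS = ("Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext")


def parse_summary(report):
    """Step 3: return {dc_name: {subtest: status}} from the summary table."""
    lines = report.splitlines()
    starts = [i for i, ln in enumerate(lines) if "Summary of DNS test results" in ln]
    if not starts:
        raise ValueError("no summary table found; report may be truncated")
    results = {}
    for ln in lines[starts[0] + 1:]:
        fields = ln.split()
        # A DC row is a host name followed by exactly one status per subtest.
        if len(fields) == 1 + len(SUBTESTS) and fields[0] != "Domain:":
            results[fields[0]] = dict(zip(SUBTESTS, fields[1:]))
    return results


def failing_dcs(results):
    """Step 4: DCs with a warn or fail status on any subtest, and which ones."""
    flagged = {}
    for dc, statuses in results.items():
        bad = {t: s for t, s in statuses.items() if s.upper() in ("WARN", "FAIL")}
        if bad:
            flagged[dc] = bad
    return flagged


def findings(report, dc_name):
    """Step 5: Warning/Error lines from the 'DC: <name>' section of one DC."""
    hits, capturing = [], False
    for raw in report.splitlines():
        ln = raw.strip()
        if ln.startswith("DC: "):
            if capturing:
                break  # reached the next DC's section
            # Compare host labels so the summary's short name finds the FQDN.
            capturing = ln[4:].split(".")[0].lower() == dc_name.lower()
        elif ln.startswith("Summary of DNS test results"):
            break
        elif capturing and ln.startswith(("Warning:", "Error:")):
            hits.append(ln)
    return hits
```

Feed it the contents of the dns.txt written in step 1; a DC that is flagged in the summary but has no Warning/Error lines in its section is the case where the /v switch was omitted and only the summary was written.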

Warnings and Errors

Dcdiag takes a conservative approach by identifying DNS client or DNS server configurations that may be problematic, do not conform to best practice configurations, or that dcdiag cannot fully validate. Therefore, the summary and detailed sections of dcdiag may report warnings for DNS configurations that are currently functional. Administrators should investigate and validate such configurations when identified by dcdiag.

The tables below contain the configurations that can trigger dcdiag to report warnings or errors for each of the DNS subtests.

Basic

Warning  Additional information

Warning: Adapter <adapter name> has dynamic IP address

Static IP addresses are recommended for all DNS servers.

Warning: Adapter <adapter name> has invalid DNS server: <name> <IP address>

DNS server may not be reachable.

Warning: No DNS RPC connectivity (error or non-Microsoft DNS server is running)

Disregard this warning if the DNS server is a BIND or other non-Microsoft DNS server.

Warning: The Active Directory zone on this DC/DNS server was not found

N/A

Warning: Root zone on this DC/DNS server was found

N/A

Error  Additional information

Error: Authentication failed with specified credentials

DCDIAG requires Enterprise Admin credentials to run all the tests.

Error: No LDAP connectivity

N/A

Error: No DS RPC connectivity

N/A

Error: No WMI connectivity

DNS test requires WMI connectivity to run on the remote computer.

Error: Can't read operating system version through WMI

This might be caused by the lack of a WMI connection on the remote computer.

Error: <Operating system name> not supported (this tool is supported on Windows 2000, Windows XP, and Windows Server 2003 only)

N/A

Error: Open Service Control Manager failed

Unable to find whether the service is running or not.

Error: Kdc/netlogon/DNS/dnscache is not running

Some of the key services are not running.

Error: Can't read network adapter information through WMI

N/A

Error: All DNS servers are invalid

DNS servers that the client is pointing to are either not reachable or not a DNS server, or they have invalid IP addresses.

Error: The A record for this DC was not found

Every domain controller should register a host (A) resource record. Make sure that host (A) records are registered on all the DNS servers that the client is pointing to.

Error: Enumeration of zones failed to find root and AD zone

N/A

Error: Could not query DNS zones on this DC

Make sure that the zone in which the domain controller is supposed to register is present.

Forwarders

Error  Additional information

Error: Forwarders list has invalid forwarder: <IP address of the forwarder>

Forwarders configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, cannot resolve forest root domain SRV record if it is a non-root domain domain controller).

Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints

Make sure that either forwarders or root hints are configured on the DNS server unless it hosts a root zone.

Error: Root hints list has invalid root hint server: <IP address of Root hint server>

Root hint servers configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, cannot resolve forest root domain SRV record if it is a non-root domain DC).

Error: <Root hint server Name> IP: <Unavailable> Status: <status of the server>

Configured root hint servers don't have a corresponding IP address. The Status field will tell you the status of the server.

Error: <Root hint server Name> IP: <Unavailable> Status: A record not found

Configured root hint servers don't have an A record.

Error: Enumeration of Root hint servers failed on <DNS server>

Couldn't list the root hint servers on the target DNS server.