
Dcdiag Remarks

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Two DCDiag tests are new in Windows Server 2003 Service Pack 1 (SP1):

  • DNS: Checks the health of Domain Name System (DNS) settings for the enterprise.

  • CheckSecurityError: Locates security errors or errors that might be related to security problems, and performs initial diagnosis of the problems.

CheckSecurityError must be run on a domain controller running Windows Server 2003 with SP1. Both tests can be run against domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or a later service pack, Windows Server 2003 with no service pack installed, and Windows Server 2003 with SP1.

DCDiag Tests

The following are tests that can be run using DCDiag. The tests are divided into three categories: Domain Controller tests that cannot be skipped, Domain Controller tests that can be skipped, and Non-Domain Controller tests. The tests that can be skipped are further divided into those that run by default and those that do not.

Domain Controller tests that cannot be skipped

Connectivity
Tests whether domain controllers are DNS registered, can be pinged, and have LDAP/RPC connectivity.

Domain Controller tests that can be skipped

Tests run by default

Replications
Checks for timely replication and any replication errors between domain controllers.

NCSecDesc
Checks that the security descriptors on the naming context heads have appropriate permissions for replication.

NetLogons
Checks that the appropriate logon privileges exist to allow replication to proceed.

Advertising
Checks whether each domain controller is advertising itself in the roles it should be capable of. This test fails if the Netlogon Service has stopped or failed to start.

KnowsOfRoleHolders
Checks whether the domain controller can contact the servers that hold the five operations master roles (also known as flexible single master operations or FSMO roles).

Intersite
Checks for failures that would prevent or temporarily hold up intersite replication and tries to predict how long it will take before the KCC is able to recover.

Caution
Results of this test are often not valid, especially in atypical site or KCC configurations or at the Windows Server 2003 forest functional level.

FSMOCheck
Checks that the domain controller can contact a KDC, a Time Server, a Preferred Time Server, a PDC, and a Global Catalog server. This test does not test any of the servers for operations master roles.

RidManager
Checks whether the RID master is accessible and whether it contains the proper information.

MachineAccount
Checks whether the machine account has properly registered and the services are advertised. Use /RecreateMachineAccount to attempt a repair if the local machine account is missing. Use /FixMachineAccount if the machine account flags are incorrect.

Services
Checks whether the appropriate domain controller services are running.

OutboundSecureChannels
Checks that secure channels exist from all of the domain controllers in the domain to the domains specified by /testdomain. The /nositerestriction parameter prevents the test from being limited to the domain controllers in the site.

ObjectsReplicated
Checks that Machine Account and DSA objects have replicated. Use /objectdn:dn with /n:nc to specify an additional object to check.

frssysvol
This test checks that the file replication system (FRS) SYSVOL is ready.

frsevent
This test checks to see if there are errors in the file replication system. Failing replication of the SYSVOL share can cause policy problems.

kccevent
This test checks that the Knowledge Consistency Checker is completing without errors.

systemlog
This test checks that the system is running without errors.

CheckSDRefDom
This test checks that all application directory partitions have appropriate security descriptor reference domains.

VerifyReplicas
This test verifies that all application directory partitions are fully instantiated on all replica servers.

CrossRefValidation
This test verifies the validity of cross-references.

VerifyReferences
This test verifies that certain system references are intact for the FRS and Replication infrastructure.

VerifyEnterpriseReferences
This test verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each domain controller.

/skip: Test
Skips the specified test. Should not be run in the same command with /test. The only test that cannot be skipped is Connectivity.

Tests not run by default

Topology
Checks that the KCC has generated a fully connected topology for all domain controllers.

CheckSecurityError
On domain controllers running Windows Server 2003 with SP1, reports on the overall health of replication with respect to Active Directory security. May be performed against one or all domain controllers in an enterprise. When the test has completed, DCDiag presents a summary of the results, along with detailed information for each domain controller tested and the diagnosis of security errors that are encountered.

The following argument is optional:

/ReplSource:SourceDomainController

to check the ability to create a replication link between a real or potential source domain controller (SourceDomainController) and the local domain controller.

CutoffServers
Checks for any server that is not receiving replications because its partners are down.

DNS
New in Windows Server 2003 SP1. Includes six optional DNS-related tests, as well as the /connectivity test, which runs by default. The tests can be run individually or all at once. The tests include the following:

  • /DnsBasic to confirm that essential services are running and available, necessary resource records are registered, and domain and root zones are present.

  • /DnsForwarders to determine whether recursion is enabled and that any configured forwarders or root hints are functioning.

  • /DnsDelegation to confirm that the delegated name server is functioning and to check for broken delegations.

  • /DnsDynamicUpdate to verify that the Active Directory domain zone is configured for secure dynamic updates and to perform registration of a test record.

  • /DnsRecordRegistration to test the registration of all essential DC Locator records.

  • /DnsResolveExtName to verify basic resolution of either an intranet or Internet name.

OutboundSecureChannels
Checks that secure channels exist from all of the domain controllers in the domain to the domains specified by /testdomain. The /nositerestriction parameter prevents the test from being limited to the domain controllers in the site.

VerifyReplicas
This test verifies that all application directory partitions are fully instantiated on all replica servers.

VerifyEnterpriseReferences
This test verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each domain controller.

Note
Text (for example, naming context names and server names) containing international or Unicode characters will be displayed correctly only if appropriate fonts and language support are loaded on the test computer.

Non-Domain Controller tests

DcPromo
Tests the existing DNS infrastructure for promotion to domain controller. If the infrastructure is sufficient, the computer can be promoted to domain controller in a domain specified in /DnsDomain:Active_Directory_Domain_DNS_Name. It reports whether any modifications to the existing DNS infrastructure are required.

Required argument: /DnsDomain:Active_Directory_Domain_DNS_Name

One of the following arguments is required:

/NewForest

/NewTree

/ChildDomain

/ReplicaDC

If NewTree is specified, the ForestRoot argument is required: /ForestRoot:Forest_Root_Domain_DNS_Name

RegisterInDNS
Tests whether this domain controller can register the Domain Controller Locator DNS records. These records must be present in DNS in order for other computers to locate this domain controller for the Active_Directory_Domain_DNS_Name domain. It reports whether any modifications to the existing DNS infrastructure are required.

Required argument: /DnsDomain:Active_Directory_Domain_DNS_Name

Note
All tests except DcPromo and RegisterInDNS must be run on computers after they have been promoted to domain controller.
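
The argument rules stated on this page (/skip versus /test, the DNS sub-tests, /ReplSource, and the required arguments for DcPromo and RegisterInDNS) can be checked before DCDiag is invoked. The following PowerShell is an added example, not Microsoft's code; the helper name New-DcdiagArgs and the host name are hypothetical.

```powershell
# Added example: builds a DCDiag argument list and rejects combinations
# that the test descriptions on this page rule out.
# New-DcdiagArgs is a hypothetical helper name, not part of DCDiag.
function New-DcdiagArgs {
    param(
        [string]$Test,
        [string]$Skip,
        [ValidateSet('DnsBasic','DnsForwarders','DnsDelegation','DnsDynamicUpdate',
                     'DnsRecordRegistration','DnsResolveExtName')]
        [string[]]$DnsOption = @(),
        [string]$ReplSource,
        [string]$DnsDomain,
        [ValidateSet('NewForest','NewTree','ChildDomain','ReplicaDC')]
        [string]$PromoType,
        [string]$ForestRoot
    )
    if ($Test -and $Skip) { throw '/skip should not be combined with /test.' }
    if ($Skip -eq 'Connectivity') { throw 'Connectivity cannot be skipped.' }
    if ($DnsOption.Count -and $Test -ne 'DNS') { throw 'DNS sub-tests require /test:DNS.' }
    if ($ReplSource -and $Test -ne 'CheckSecurityError') {
        throw '/ReplSource belongs to the CheckSecurityError test.'
    }
    if ((@('DcPromo','RegisterInDNS') -contains $Test) -and -not $DnsDomain) {
        throw "/DnsDomain is required for $Test."
    }
    if ($Test -eq 'DcPromo') {
        if (-not $PromoType) {
            throw 'DcPromo needs one of /NewForest, /NewTree, /ChildDomain, /ReplicaDC.'
        }
        if ($PromoType -eq 'NewTree' -and -not $ForestRoot) {
            throw '/NewTree requires /ForestRoot.'
        }
    }
    $a = @()
    if ($Test) { $a += "/test:$Test" }
    if ($Skip) { $a += "/skip:$Skip" }
    $a += @($DnsOption | ForEach-Object { "/$_" })   # sub-test switches, e.g. /DnsBasic
    if ($ReplSource) { $a += "/ReplSource:$ReplSource" }
    if ($DnsDomain)  { $a += "/DnsDomain:$DnsDomain" }
    if ($PromoType)  { $a += "/$PromoType" }
    if ($ForestRoot) { $a += "/ForestRoot:$ForestRoot" }
    return ,$a
}

# Constructed host name. On a domain controller, run with: & dcdiag.exe @dcArgs
$dcArgs = New-DcdiagArgs -Test CheckSecurityError -ReplSource 'dc02.corp.example'
$dcArgs -join ' '
(New-DcdiagArgs -Test DNS -DnsOption DnsBasic,DnsForwarders) -join ' '
```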

© 2014 Microsoft