Domain Controller Diagnostics Tool (dcdiag.exe)

Domain Controller Diagnostics Tool ...

Updated: February 17, 2010

Applies To: Windows Server 2003 with SP1

What does DCDiag.exe do?

This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health.

Tool location

The DCDiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).

Tool requirements

Except as noted below, all commands in DCDiag can be run on Windows XP Professional and Windows Server 2003 family (member servers and domain controllers).
The new DCDIAG /TEST:DNS command can validate DNS health of Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers when run from the console of Windows XP or Windows Server 2003 member computers or Windows Server 2003 domain controllers.

Who does this feature apply to?

This feature is of interest to the following audiences:

DNS administrators
Domain controller administrators
DCDiag.exe users

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

There are two significant improvements to DCDiag in Windows Server 2003 Service Pack 1:

DCDIAG /TEST:DNS to validate DNS health.
DCDIAG /CheckSecurityError to detect security configurations that can cause Active Directory replication to fail.

The details of these new enhancements are described below.

New DNS diagnostic tests

Detailed description

DCDiag.exe has been enhanced for Windows Server 2003 Service Pack 1 to include new DNS functionality for reporting on the overall DNS health of domain controllers. There are seven new DNS-related tests that can be run individually or simultaneously. These tests may be performed on one or all domain controllers in an Active Directory forest. When the tests have completed, DCDiag.exe presents a summary of the results, along with detailed information for each domain controller tested.

Note
The new DNS tests require Enterprise Admin credentials. The new DNS tests can be run only against Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers.

Note

The new DNS tests require Enterprise Admin credentials.

The new DNS tests can be run only against Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers.

Command line syntax

Windows Server 2003 SP1 dcdiag uses the same basic syntax as previous versions of dcdiag. The syntax for running the new DNS tests is as follows:

Parameter	Description
`/test:DNS`	Performs all seven subtests except the `/DnsInternetName` test against the scoped set of domain controllers. The most common DCDIAG command line arguments are `DCDIAG /TEST:DNS /V /S:`DCNAME to run the six default DNS subtests against a single domain controller (DC) or `DCDIAG /TEST:DNS /V /E` to run the six default DNS subtests against all DCs in the console computer's test forest. `DCDIAG /TEST:DNS` is identical to the `/DnsAll` command when individual subtests are not defined.
`/test:DNS [DNS test]`	Performs the specified DNS test. If no test is specified, defaults to `/DnsAll`.
`/DnsBasic`	Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
`/DnsForwarders`	Performs the `/DnsBasic` tests, and also checks the configuration of forwarders.
`/DnsDelegation`	Performs the `/DnsBasic` tests, and also checks for proper delegations.
`/DnsDynamicUpdate`	Performs the `/DnsBasic` tests, and also determines whether dynamic update is enabled in the Active Directory zone.
`/DnsRecordRegistration`	Performs the `/DnsBasic` tests, and also checks whether the A, CNAME, and well-known SRV records are registered. In addition, creates an inventory report based on results.
`/DnsResolveExtName [/DnsInternetName:` InternetName `]`	Performs the `/DnsBasic` tests, and also attempts to resolve a sample intranet or Internet Name. If `/DnsInternetName` is not specified, then the command attempts to resolve the name www.microsoft.com. If `/DnsInternetName` is specified, then the command attempts to resolve the Internet name supplied by the user.
`/DnsAll`	Performs all tests, except for the `DnsResolveExtName` test`,` and generates a report.
`/f:` Logfile	Redirects output to the log file supplied by the user.
`/ferr:` Logerr	Redirects fatal error output to a separate log file.
`/s:` DCName	Specifies the domain controller against which to run the tests.
`/e`	All tests specified by `/test:DNS` are run against all domain controllers in the Active Directory forest.
`/v`	Verbose. Presents information about successful test results, in addition to information about errors and warnings. (When the `/v` parameter is not used, only error and warning information is presented.) Microsoft recommends using the `/v` switch when errors or warnings are reported in the summary table

Enterprise DNS Infrastructure Test (/e)

When /test:DNS is run in conjunction with the /e parameter, all tests specified by test:/DNS are run against all domain controllers in the Active Directory forest.

Note
Run times for DNS tests can be significant in large enterprises when the `/e` parameter is used. Domain controllers and DNS servers that are offline will increase run time due to long time out periods for RPC and other protocols.

Connectivity test

The connectivity test is a mandatory test and runs automatically before any other dcdiag test is run.
The connectivity test determines whether domain controllers are registered in DNS, can be pinged, and have LDAP/RPC connectivity.
If the connectivity test fails on a given controller, no other tests are run against that domain controller.

Note
The connectivity test has not been changed in SP1, but is included in this document for reference.

Basic DNS Test (/DnsBasic)

The basic DNS test confirms that the following essential services are running and available on domain controllers tested by dcdiag:
- DNS client service
- Netlogon service
- KDC service
- DNS Server service (if DNS is installed on the domain controller)
The basic DNS test confirms network connectivity for each domain controller by confirming that DNS servers on all adapters are reachable.
The basic DNS test confirms that the A record of each domain controller is registered on at least one of the DNS servers configured on the client.
If a domain controller is running the DNS Server service, the basic DNS test confirms that the Active Directory domain zone and SOA record for the Active Directory domain zone are present.
The basic DNS test checks whether the root (.) zone is present.

Forwarder test (/DnsForwarders)

Note
This test runs only if the domain controller being tested is running the Microsoft DNS Server service.

The forwarder test determines whether recursion is enabled.
If forwarders or root hints are configured, the forwarder test confirms that all forwarders or root hints on the DNS server are functioning, and also confirms that the _ldap._tcp.<Forest root domain> DC Locator record is resolved. (Resolution of the _ldap_tcp.<Forest root domain> DC Locator record is not attempted for forwarders or root hints configured on the forest root domain controller.)

Delegation test (/DnsDelegation)

Note
This test runs only if the domain controller being tested is running the Microsoft DNS Server service.

The delegation test confirms that the delegated name server is a functioning DNS Server.
The delegation test checks for broken delegations by ensuring that all NS records in the Active Directory domain zone in which the target domain controller resides have corresponding glue A records.

Dynamic Update Test (/DnsDynamicUpdate)

The dynamic update test confirms that the Active Directory domain zone is configured for secure dynamic update and performs registration of a test record (_dcdiag_test_record). The test record is subsequently deleted.

Record Registration Test (/DnsRecordRegistration)

The record registration test verifies the registration of all essential DC Locator records on all DNS Servers configured on each adapter of the domain controllers. This test returns the following records.

Record	Description
CNAME GUID	The GUID registered as the canonical name (CNAME) of the DNS server.
A	The host address (A) resource record. Maps a DNS domain name to an Internet Protocol (IP) version 4 32-bit address.
LDAP SRV	The service locator (SRV) resource record for the LDAP service.
GC SRV	The service locator (SRV) resource record for the global catalog (GC) server.
PDC SRV	The service locator (SRV) resource record for the primary domain controller (PDC).

External Name Resolution Test (/DnsResolveExtName)

Note
The external name resolution test is run only if specified explicitly (using `/DnsResolveExtName`); it is not run as part of `/DnsAll`.

The external name resolution test verifies basic resolution of external DNS from a given client, using a sample Internet name (www.microsoft.com), or user-provided Internet name.
The external name resolution test cannot resolve external Internet names in an environment where a proxy server is being used.
You can test name resolution using either intranet or Internet names.
To resolve a user-provided Internet or intranet name (rather than the default name of www.microsoft.com), the /DnsInternetName parameter must be used.

How to read the output of DNS enhanced dcdiag

The following steps summarize how to interpret the results provided by DNS-enhanced dcdiag:

Run dcdiag test:DNS /e /f:dns.txt. Microsoft recommends always using the /v switch to obtain verbose information.
Open the report in Notepad or a compatible editor.
Scroll to end of the report and read the summary table.
Identify servers that returned "warn" or "fail" status for any subtest in the summary table.
Review the section of output for that server to see what problem was detected (hint: use the Find command on the Edit menu to search on the string "DC: DC_computername" (without quotes) to locate the detailed section for a given DC.
Resolve problems on DNS clients or DNS server(s) as required.
Run dcdiag /test:DNS /v /e (or /s:DCName) again to verify the fix. Repeat steps 1 through 6 as required until all failures are understood and reconciled.

Warnings and Errors

Dcdiag takes a conservative approach by identifying DNS client or DNS server configurations that may be problematic, do not conform to best practice configurations, or that dcdiag cannot fully validate. Therefore, the summary and detailed sections of dcdiag may report warnings for DNS configurations that are currently functional. Administrators should investigate and validate such configurations when identified by dcdiag.

The tables below contain the configurations that can trigger dcdiag to report warnings or errors for each of the DNS subtests.

Basic

Warning	Additional information
Warning: Adapter <adapter name> has dynamic IP address	Static IP addresses are recommended for all DNS servers.
Warning: Adapter <adapter name> has invalid DNS server: <name> <IP address>	DNS server may not be reachable.
Warning: No DNS RPC connectivity (error or non Microsoft DNS server is running)	Disregard this warning if the DNS server is a BIND or other non-Microsoft DNS server.
Warning: The Active Directory zone on this DC/DNS server was not found	N/A
Warning: Root zone on this DC/DNS server was found	N/A

Error	Additional information
Error: Authentication failed with specified credentials	DCDIAG requires Enterprise Admin credential to run all the tests.
Error: No LDAP connectivity	N/A
Error: No DS RPC connectivity	N/A
Error: No WMI connectivity	DNS test requires WMI connectivity to run on the remote computer.
Error: Can't read operating system version through WMI	This might be caused by the lack of a WMI connection on the remote computer.
Error: <Operating system name> not supported (this tool is supported on Windows 2000, Windows XP, and Windows Server 2003 only)	N/A
Error: Open Service Control Manager failed	Unable to find whether the service is running or not.
Error: Kdc/netlogon/DNS/dnscache is not running	Some of the key services are not running.
Error: Can't read network adapter information through WMI	N/A
Error: All DNS servers are invalid	DNS servers that the client is pointing to are either not reachable, not a DNS server, or have invalid IP addresses.
Error: The A record for this DC was not found	Every DC should register an A record. Make sure A records are registered on all the DNS servers the client is pointing to.
Error: Enumeration of zones failed to find root and AD zone	N/A
Error: Could not query DNS zones on this DC	Make sure that the zone in which the DC is supposed to register is present.

Forwarder

Error	Additional information
Error: Forwarders list has invalid forwarder: <IP address of the forwarder>	Forwarders configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, cannot resolve forest root domain SRV record if it is a non-root domain DC).
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints	Make sure either forwarders or root hints are configured on the DNS server unless it hosts root zone.
Error: Root hints list has invalid root hint server: <IP address of Root hint server>	Root hint servers configured on the DNS server have invalid IP address or are not a DNS server, or name resolution not working (that is, cannot resolve forest root domain SRV record if it is a non root domain DC).
Error:<Root hint server Name> IP: <Unavailable> Status:<status of the server>	Configured root hint servers don’t have corresponding IP address. Status field will tell you the status of the server
Error:<Root hint server Name> IP: <Unavailable> Status: A record not found	Configured root hint servers don’t have A record.
Error: Enumeration of Root hint servers failed on <DNS server name>	Couldn’t list the root hint servers on the target DNS server.

Delegation

Warning	Additional information
Warning: DNS server: <DnsServer name> IP: <Ipaddress> Failure: Missing glue A record	The configured delegation is missing glue A record.

Error	Additional information
DNS server: <Server name> IP:<IP address> Error: Broken delegation -verbose	Delegation is configured but the name server is not responding.
DNS server: <Server name> IP:<IP address> Error: Broken delegated domain <Delegated domain name> -non-verbose	N/A
Error: Failed to enumerate the records at the zone root on the server	N/A

DynamicUpdate

Warning	Additional information
Warning: Dynamic update is enabled on the zone but not secure <zone name>	Secure dynamic updates are recommended.
Warning: Failed to add test record _dcdiag_test_record with error <error code> in zone <zone name>	Test adds a dummy record dynamically
Warning: Failed to delete test record _dcdiag_test_record with error <error code> in zone zone <zone name>	Deletes the added record as well.

Error	Additional information
Error: Dynamic update is not enabled on the zone <zone name>	Dynamic update is not enabled on the Active Directory zone so client cannot register its records.

Record registration

Warning	Additional Information
Warning: Missing DC SRV record at DNS server <record name>	Ignore the error if `DNSAvoidRegisterRecord` registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Missing GC SRV record at DNS server <record name>	Ignore the error if `DNSAvoidRegisterRecord` registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Missing PDC SRV record at DNS server <record name>	Ignore the error if `DNSAvoidRegisterRecord` registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Record Registrations not found in some network adapters	N/A

Error	Additional information
Error: Missing A record at DNS server <DNS Server IP address> : <A record name>	DC hasn’t registered its A record on the specified DNS server.
Error: Missing CNAME record at DNS server <DNS Server IP address> : <CNAME record name>	DC hasn’t registered its CNAME record on the specified DNS server.
Error: Missing DC SRV record at DNS server <DNS Server IP address> : <SRV record name>	DC hasn’t registered its DC SRV record on the specified DNS server.
Error: Missing GC SRV record at DNS server <DNS Server IP address> : <SRV record name>	DC hasn’t registered its GC SRV record on the specified DNS server.
Error: Missing PDC SRV record at DNS server <DNS Server IP address> : <SRV record name>	DC hasn’t registered specified PDC SRV record on the specified DNS server. All these records can be registered by stopping and starting the netlogon service.
Error: Record registrations cannot be found for all the network adapters	If there are multiple network adaptors the test checks whether all the records are present on all the DNS servers configured on each adaptor. This error occurs if the record registration is missing on the DNS server.

External name resolution

Error	Additional information
Error: Internet name <name> cannot be resolved	Specified Internet name cannot be resolved. Make sure the proxy client, servers, root hints, and forwarders are configured properly.

Enterprise DNS infrastructure tests

Warning	Additional information
Warning: Neither forwarders nor root hints are configured from subordinate domain to parent domain	Forwarder or root hints need to be configured in the DNS servers of either the parent or subordinate domains that are hosting the authoritative zones for their respective domain to enable name resolution to work.

Error	Additional information
Error: Delegation is not configured on the parent domain	Delegation should be configured from parent to subordinate domain.
Error: Delegation is present but the glue record is missing	Delegation is configured but the name servers are missing their glue record.
Error: Forwarders are misconfigured from parent domain to subordinate domain	Forwarders must be configured from subordinate domain to parent domain.
Error: Root hints are misconfigured from parent domain to subordinate domain	Root hints must be configured from subordinate domain to parent domain.
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)	Forwarders configured have an invalid IP address or are not a valid DNS server, or name resolution is not working (cannot resolve forest root domain SRV record if it is in the non-root domain).
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)	Root hints configured have an invalid IP address or are not a valid DNS server, or name resolution is not working.

Examples:

The following examples illustrate the use of Windows Server 2003 SP1 dcdiag. You should replace the parameters in italics with those appropriate for your environment:

To run all DNS tests on a single domain controller in non-verbose mode:

Dcdiag /test:DNS /s:TargetDCName /f:LogFileName
To run all DNS tests on a single domain controller in verbose mode:

Dcdiag /test:DNS /s:TargetDCName /v /f:LogFileName
To run all DNS tests on an entire forest in non-verbose mode:

Dcdiag /test:DNS /e /f:LogFileName
To run all DNS tests on an entire forest in verbose mode:

Dcdiag /test:DNS /v /e /f:LogFileName
To run the DNS basic test on a single domain controller:

Dcdiag /test:DNS /DnsBasic /s:TargetDCName /f:LogFileName
To run the DNS forwarders test on a single domain controller:

Dcdiag /test:DNS /DnsForwarders /s:TargetDCName /f:LogFileName
To run the DNS delegation test on a single domain controller:

Dcdiag /test:DNS /DnsDelegation /s:TargetDCName /f:LogFileName
To run the DNS dynamic update test on a single domain controller:

Dcdiag /test:DNS /DnsDynamicUpdate /s:TargetDCName /f:LogFileName
To run the DNS record registration test on a single domain controller:

Dcdiag /test:DNS /DnsRecordRegistration /s:TargetDCName /f:LogFileName
To resolve a sample Internet or intranet name:

Dcdiag /test:DNS /DnsResolveExtName /DnsInternetName:InternetName /f: LogFileName

Note
When an individual test is run, the `/DnsBasic` tests are run by default before running the individual test specified. If no individual test is specified, all DNS tests (except `/DnsResolveName`) are run by default.

Note

When an individual test is run, the /DnsBasic tests are run by default before running the individual test specified.

If no individual test is specified, all DNS tests (except /DnsResolveName) are run by default.

New Active Directory replication security tests

Detailed description

DCDiag.exe has been enhanced for Windows Server 2003 Service Pack 1 to include new functionality to identify security configurations that can cause Active Directory replication to fail.

The new CheckSecurityError test may be performed on one or all domain controllers in an Active Directory forest. The test performs the following operations:

Checks for the availability of a Key Distribution Center (KDC) in both the destination and source domain controller's domains.
Verifies that the destination DC can transmit and receive sufficiently large UDP-formatted packets (used by Kerberos).
Verifies that system clock of the destination DC is no more than 5 minutes different from the system time of the KDC in the destination and source domain, and the source DC.
Confirms that the root of each naming context on the source domain controller is configured with the necessary permission.
Confirms that the source and destination DC computer accounts are not disabled, are trusted for delegation, and contain all required service principal names.

When the test has completed, DCDiag.exe presents a summary of the results for each domain controller tested and the diagnosis of the security errors encountered

This test can be run from the command-line using the following syntax:

Dcdiag /test:CheckSecurityError

Optionally, you can add the switch /ReplSource:SourceDC to the command to identify a specific domain controller as a source in a replication attempt. The domain controller specified in the /replsource: parameter does not need to be a current source domain controller that the domain controller being tested currently replicates from (one that the destination domain controller currently has an inbound connection object from).This test will collect information from the domain controller, key distribution center (KDC) source and destination servers, and Active Directory.

Note
`Dcdiag /test:CheckSecurityError` can be executed on the console of a member computer (using the `/e` or `/s:`servername commands) as well as a domain controller. For best results, run `Dcdiag /test:CheckSecurityError` on the console of each domain controller that is failing inbound Active Directory replication due to a suspected security error.

Why is this change important?

If replication is not working and the error is a security error (such as "Access Denied", "The target account name is incorrect", or "The RPC server is unavailable") there are many different factors that could be causing the issue. This test automates the diagnosis by looking at the most common sources of these errors and reporting them so that you can resolve the issue.