Troubleshooting Tools and Strategies
NetDiag is a command-line diagnostic tool that helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network client and whether it is functional. These tests and the network status information they expose help network administrators and support personnel identify and isolate network problems. Moreover, because this tool does not require parameters or switches, you can focus on analyzing the output, rather than training users on tool usage.
NetDiag diagnoses network problems by checking all aspects of a client computer's network configuration and connections. Beyond troubleshooting TCP/IP issues, it also examines a client computer's Internet Packet Exchange (IPX) and NetWare configurations.
NetDiag is part of the Support Tools collection on the Windows 2000 operating system CD. For information about NetDiag, see Windows 2000 Support Tools Help. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD.
Run NetDiag from a command prompt rather than from Windows Explorer to see the results upon completion of the tests. Because the results fill more than one normal command prompt screen, use the /l switch to log the results to the text file NetDiag.log. The tests take a few minutes to complete.
NetDiag Syntax
The command-line syntax for NetDiag is as follows:
netdiag [[/q|/v|/debug][/l][/d:DomainName][/fix][/dcaccountenum]
[/test:TestName|/skip:TestName]]
No switches or syntax need to be specified, but several are available, primarily to increase or decrease the level of detail in NetDiag reports. These switches are shown in Table 31.22.
Table 31.22 NetDiag Switches
| Switch | Name | Function |
|---|---|---|
| /q | Quiet output | Lists only tests that return errors. |
| /v | Verbose output | Lists more detail from test data as tests are performed. |
| /debug | Most verbose output | Lists the most detail from test data with reasons for success or failure. |
| /l | Log output | Stores output in NetDiag.log, in the current folder. |
| /d:DomainName | Find DC | Finds a domain controller in the specified domain. |
| /fix | Fix DNS problems | Only applies to domain controllers. |
| /DCAccountEnum | Domain Controller Account Enumeration | Enumerates domain controller computer accounts. |
| /test: | Perform single test | Runs only the specified test. |
| /skip: | Skip one test | Skips the specified test. |
| TestName | Test name | Test specified. For a complete list, see Table 31.23. |
| /? | Help | Displays this list. |
NetDiag prints the string [FATAL] when it detects a condition that needs to be fixed immediately. The string [WARNING] signals a failure condition that does not require immediate attention.
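The following added example (not part of the original documentation or of NetDiag itself) triages a log written with /l by grouping the [FATAL] and [WARNING] lines described above under the test that emitted them. The `<name> test . . . : <result>` header layout, the function names, and the sample log are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample in the style of a NetDiag.log; not output from a real run.
SAMPLE_LOG = """\
Domain membership test . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
    [WARNING] Constructed message: registration could not be verified.
    [FATAL] Constructed message: no server holds the records for this DC.
Trust relationship test. . . . . . : Skipped
"""

# Assumption: each test prints "<name> test . . . : <result>" before its details.
HEADER = re.compile(r"^\s*(?P<name>.+? test)[\s.]*:\s*(?P<result>\w+)\s*$", re.I)
# The two marker strings are the ones the page documents.
MARKER = re.compile(r"\[(FATAL|WARNING)\]\s*(.*)")


def triage(log_text):
    """Return (findings by severity with owning test, result per test)."""
    findings = {"FATAL": [], "WARNING": []}
    results = {}
    current = None  # stays None for markers seen before any test header
    for line in log_text.splitlines():
        marker = MARKER.search(line)
        if marker:
            findings[marker.group(1)].append((current, marker.group(2).strip()))
            continue
        header = HEADER.match(line)
        if header:
            current = header.group("name")
            results[current] = header.group("result")
    return findings, results


def severity(findings):
    """2 = fix immediately ([FATAL]), 1 = [WARNING] only, 0 = clean."""
    if findings["FATAL"]:
        return 2
    return 1 if findings["WARNING"] else 0


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(errors="replace") if sys.argv[1:] else SAMPLE_LOG
    found, _ = triage(text)
    for level, items in found.items():
        for test, message in items:
            print(f"{level:8}{test}: {message}")
    sys.exit(severity(found))
```

The exit status lets a scheduled job escalate only the logs that contain a [FATAL] line.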
NetDiag Tests
Run NetDiag whenever a computer is having network problems. The tool tries to diagnose the problem and can even flag problem areas for closer inspection.
NetDiag examines DLL files, output from other tools, and the system registry to find potential problem spots. It checks which network services or functions are enabled and then runs the network configuration tests listed in Table 31.23, in the order presented.
Note
If the computer is not running one of the network troubleshooting tools listed in Table 31.23, that test is skipped and no results are displayed, not even an acknowledgement that the test was skipped.
Table 31.23 NetDiag Tests
| Test Name | Function | Details |
|---|---|---|
| NDIS | Network Adapter Status | Lists the network adapter configuration details, including the adapter name, configuration, media, globally unique identifier (GUID), and statistics. If this test shows an unresponsive network adapter, the remaining tests are aborted. |
| IPConfig | IP Configuration | Provides most of the TCP/IP information normally obtained from carrying out the ipconfig /all command, pings the DHCP and WINS servers, and checks that the default gateway is on the same subnet as the local computer's IP address. |
| Member | Domain Membership | Confirms details of the primary domain, including computer role, domain name, domain GUID. Checks that NetLogon service is started, adds the primary domain to the domain list, and queries the primary domain security identifier (SID). |
| NetBTTransports | Transports Test | Lists NetBT transports managed by the redirector. Prints error information if no NetBT transports are found. |
| Autonet | Autonet Address | Checks whether any interface is using Automatic Private IP Addressing (APIPA). |
| IPLoopBk | IP Loopback Ping | Pings the IP loopback address of 127.0.0.1. |
| DefGw | Default Gateway | Pings all the default gateways for each interface. |
| NbtNm | NetBT Name Test | Similar to the nbtstat -n command. It checks that the workstation service name <00> equals the computer name. It also checks that the messenger service name <03> and server service name <20> are present on all interfaces and are not in conflict. |
| WINS | WINS Service Test | Sends NetBT name queries to all the configured WINS servers. |
| Winsock | Winsock Test | Uses Windows Sockets WSAEnumProtocols() function to retrieve available transport protocols. |
| DNS | DNS Test | Checks whether DNS cache service is running, and whether the computer is correctly registered on the configured DNS servers. If the computer is a domain controller, DNS Test checks to see whether all the DNS entries in Netlogon.dns are registered on the DNS server. If the entries are incorrect and the /fix option is on, it tries to reregister the domain controller record on a DNS server. |
| Browser | Redirector and Browser Test | Checks whether the workstation service is running. Retrieves the transport lists from the redirector and the browser. Checks whether the NetBT transports are in the list from NetBT transports test. Checks whether the browser is bound to all the NetBT transports and whether the computer can send mailslot messages. Tests both via browser and redirector. |
| DsGetDc | DC Discovery Test | Finds a generic domain controller from directory service, finds the primary domain controller, and then finds a Windows 2000 domain controller. If the tested domain is the primary domain, checks whether the domain GUID stored in Local Security Authority (LSA) is the same as the domain GUID stored in the domain controller. If not, the test returns a fatal error; if the /fix option is used, DsGetDC tries to fix the GUID in LSA. |
| DcList | DC List Test | Gets a list of domain controllers in the domain from the directory service on an active domain controller. If there is no domain controller information for this domain, tries to get an active domain controller from the directory service (similar to DsGetDc test). Gets the domain controller list from the target domain controller and checks the status of each domain controller. Adds them all to the list of the tested domain. |
| Trust | Trust Relationship Test | Tests trust relationships to the primary domain only if the computer is a member workstation, member server, or domain controller. Checks that the primary domain SID is correct and contacts an active domain controller. Connects to the SAM server on the domain controller and uses the domain SID to open the domain to verify that the domain SID is correct. Queries information of the secure channel for the primary domain. If the computer is a backup domain controller, reconnects to the primary domain controller. If the computer is a member workstation or server, sets a secure channel to each domain controller listed for this domain. |
| Kerberos | Kerberos Test | Tests Kerberos protocols only if the computer is a member computer or domain controller and the user is not logged on to a Windows 2000 domain account and not logged on to a local account. Connects to LSA and looks up the Kerberos package. Gets the ticket cache of the Kerberos package and checks whether the Kerberos package has a ticket for the primary domain and the local computer. |
| LDAP | Lightweight Directory Access Protocol (LDAP) Test | Runs only if the domain controller is running directory services and the computer is a member or domain controller. Tests LDAP on all the active domain controllers found in the domain and creates an LDAP connection block to the domain controller, then searches in the LDAP directory with three types of authentication: unauthenticated, NTLM, and Negotiate. If the /v (verbose) switch is on, prints the details of each entry retrieved. |
| Route | Route test | Prints the static and persistent entries in the routing table, including a Destination Address, Subnet Mask, Gateway Address, Interface, and Metric. |
| NetStat | NetStat test | Similar to NetStat tool. Displays statistics of protocols and current TCP/IP network connections. |
| Bindings | Bindings test | Lists all bindings, including interface name, lower module name, upper module name, whether the binding is currently enabled, and the owner of the binding. |
| WAN | WAN test | Displays the settings and status of current active remote access connections. |
| Modem | Modem test | Retrieves all available line devices. Displays the configuration of each line device. |
| NetWare | NetWare test | Determines whether NetWare is using the directory tree or bindery logon process, determines the default context if NetWare is using the directory tree logon process, and finds the server to which the host attaches itself at startup. |
| IPX | IPX test | Examines the network's IPX configuration, including frame type, Network ID, RouterMTU, and whether packet burst or source routing are enabled. |
| IPSec | IP Security test | Checks the current status of the IP Security Policy Agent service. It also reports which IPSec policy (if any) is currently active for the computer. |