Dsdiag

Applies To: Windows Server 2003 R2

Dsdiag

Analyzes the state of the Active Directory directory service, or the Active Directory Application Mode (ADAM) directory service, and reports any problems, to assist in troubleshooting. Dsdiag provides detailed information about how to identify abnormal behavior in the system.

Dsdiag consists of a framework for running tests and a series of tests to verify different functional areas of the system. This framework selects which directory services are tested, according to scope directives from the user.

Note

Some Dsdiag tests apply only to Active Directory.

  • Syntax

  • Examples

  • Formatting legend

Syntax

dsdiag /s:adamserver [/n:NamingContext] [/u:Domain\UserName /p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test][/d][/fix] [{/h | /?}]

Parameters

  • ****/s:adamserver
    Uses adamserver as the home server. This parameter is required.
  • /n: Partition
    Uses Partition as the application directory partition to test. Domains may be specified in network basic input/output system (NetBIOS), Domain Name System (DNS), or distinguished name formats.
  • /u:Domain\UserName /p:{* | Password | ""}
    Uses Domain\UserName credentials for binding, with Password as the password. Use "" for an empty or null password, or use * to prompt for the password.
  • /a
    Tests all the servers on this site.
  • /e
    Tests all the servers in the entire enterprise. Overrides /a.
  • /q
    (Quiet) Prints only error messages.
  • /v
    (Verbose) Prints extended information.
  • /d
    (Debug) Prints configuration information for the entire enterprise, and displays verbose output information. This parameter can be useful for discovering detailed information about a directory server.
  • /i
    Ignores superfluous error messages.
  • /fix
    Only affects the MachineAccount test. This parameter causes the test to repair the service principal names (SPNs) on the machine account object of the directory server.
  • ****/f:LogFile
    Redirects all output to LogFile. The /f parameter operates independently of /ferr.
  • ****/ferr:ErrLog
    Redirects fatal error output to a separate file called ErrLog. The /ferr parameter operates independently of /f.
  • /c
    (Comprehensive) Runs all tests except DcPromo and RegisterInDNS, including nondefault tests. Optionally, this parameter can be used with /skip to skip specified tests. The following tests are not run by default: TopologyCutoffServersOutboundSecureChannels
  • ****/skip:Test
    Skips the specified test. This parameter must be used with /c. This parameter should not be run in the same command with /test. The only test that cannot be skipped is Connectivity.
  • ****/test:Test
    Runs only this test. The nonskippable test Connectivity is also run. This parameter should not be run in the same command with /skip.

    Note

    All tests except DcPromo and RegisterInDNS must be run on computers that have been promoted to directory server.

Valid tests are as follows:

  • Connectivity
    Tests whether directory servers are DNS registered, can be pinged, and have Lightweight Directory Access Protocol/remote procedure call (LDAP/RPC) connectivity.
  • Replications
    Checks for timely replication and any replication errors between directory servers.
  • Topology
    Checks that Knowledge Consistency Checker (KCC) has generated a fully connected topology for all directory servers.
  • CutoffServers
    Checks for any servers that are not receiving replications because their partners are not available.
  • NCSecDesc
    Checks that the security descriptors on the application directory partition heads have appropriate permissions for replication.
  • NetLogons
    Checks that the appropriate logon privileges exist to allow replication to proceed.
  • Advertising
    Checks whether each directory server is advertising itself in the roles it should be capable of fulfilling. This test fails if the Net Logon service has stopped or failed to start.
  • KnowsOfRoleHolders
    Checks whether the directory server can contact the servers that hold the five operations master (also known as flexible single master operations, or FSMO) roles.
  • Intersite
    Checks for failures that would prevent or temporarily hold up intersite replication, and tries to predict how long it will take before the KCC is able to recover. Caution
    • Results of this test are often not valid.
  • FSMOCheck
    Checks that the directory server can contact a Key Distribution Center (KDC), Time Server, Preferred Time Server, primary directory server (primary domain controller (PDC)), and global catalog server. This test does not test any of the servers for operations master roles.
  • RidManager
    Checks whether the RID master is accessible and if it contains the proper information.
  • MachineAccount
    Checks whether the machine account is properly registered and the services are advertised.
  • Services
    Checks whether the appropriate directory server services are running.
  • OutboundSecureChannels
    Checks that secure channels exist from all the directory servers in the domain to the domains that are specified by /testdomain. The /nositerestriction parameter prevents the test from being limited to the directory servers in the site.
  • ObjectsReplicated
    Checks that Machine Account and DSA objects have replicated. Use **/objectdn:**dn with **/n:**nc to specify an additional object to check.
  • frssysvol
    Checks that File Replication service (FRS) SYSVOL is ready.
  • kccevent
    Checks that KCC is completing without errors.
  • systemlog
    Checks that the system is running without errors.
  • DcPromo
    This command does not apply to ADAM.
  • RegisterInDNS
    This commmand does not apply to ADAM.
  • DeadCRTest
    Looks for cross-references that appear to be left over from a failed creation of an application directory partition.
  • CheckSDRefDom
    Checks that all application directory partitions have appropriate security descriptor reference domains.
  • VerifyReplicas
    Verifies that all application directory partitions are fully instantiated on all replica servers.
  • CrossRefValidation
    Verifies the validity of cross-references.
  • VerifyReferences
    Verifies that certain system references are intact for the FRS and Replication infrastructure.
  • VerifyEnterpriseReferences
    Verifies that certain system references are intact for the FRS and Replication infrastructure across all objects in the enterprise on each directory server.
  • {/h** | /?}**
    Displays a syntax screen at the command prompt.

Examples

Example 1: A normal ADAM instance

To examine an ADAM instance to verify that it is healthy and functioning properly, type the following at the command prompt:

dsdiag /s:adam1 /u:cohovineyard\administrator /p:password

Output similar to the following appears:

Directory Service Diagnosis

Performing initial setup:

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\adam1

Starting test: Connectivity

......................... adam1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\adam1

Starting test: Replications

......................... adam1 passed test Replications

Starting test: NCSecDesc

......................... adam1 passed test NCSecDesc

Starting test: NetLogons

......................... adam1 passed test NetLogons

Starting test: Advertising

......................... adam1 passed test Advertising

Starting test: KnowsOfRoleHolders

......................... adam1 passed test KnowsOfRoleHolders

Starting test: RidManager

......................... adam1 passed test RidManager

Starting test: MachineAccount

......................... adam1 passed test MachineAccount

Starting test: Services

......................... adam1 passed test Services

Starting test: ObjectsReplicated

......................... adam1 passed test ObjectsReplicated

Starting test: frssysvol

......................... adam1 passed test frssysvol

Starting test: kccevent

......................... adam1 passed test kccevent

Starting test: systemlog

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:28:25

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:40:30

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:43:30

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:58:46

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:02:11

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:05:11

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:10:51

Event String: The time provider NtpClient is configured to

......................... adam1 failed test systemlog

Running partition tests on : Schema

Starting test: DeadCRTest

......................... Schema passed test DeadCRTest

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration

Starting test: DeadCRTest

......................... Configuration passed test DeadCRTest

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Running partition tests on : cohovineyard

Starting test: DeadCRTest

......................... cohovineyard passed test DeadCRTest

Starting test: CheckSDRefDom

......................... cohovineyard passed test CheckSDRefDom

Running enterprise tests on : cohovineyard.reskit.com

Starting test: Intersite

......................... cohovineyard.reskit.com passed test Intersite

Starting test: FsmoCheck

......................... cohovineyard.reskit.com passed test FsmoCheck

Example 2: Unresponsive or inaccessible server

To resolve replication problems, type the following at the command line:

dsdiag /s:adam1 /u:cohovineyard\administrator /p:password /e

Output similar to the following appears:

Directory Service Diagnosis

Performing initial setup:

Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\adam1

Starting test: Connectivity

......................... adam1 passed test Connectivity

Testing server: Default-First-Site-Name\RESKIT-DC2

Starting test: Connectivity

Server RESKIT-DC2 resolved to this IP address 172.26.220.34,

but the address couldn't be reached(pinged), so check the network.

The error returned was: Error due to lack of resources.

This error more often means that the targeted server is

shutdown or disconnected from the network

......................... RESKIT-DC2 failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\adam1

Starting test: Replications

[Replications Check,adam1] A recent replication attempt failed:

From RESKIT-DC2 to adam1

Naming Context: CN=Configuration,DC=cohovineyard,DC=reskit,DC=com

The replication generated an error (1722):

The RPC server is unavailable.

The failure occurred at 2001-12-21 02:19:04.

The last success occurred at 2001-12-21 01:57:43.

1 failures have occurred since the last success.

The source remains down. Please check the machine.

......................... adam1 passed test Replications

Starting test: NCSecDesc

......................... adam1 passed test NCSecDesc

Starting test: NetLogons

......................... adam1 passed test NetLogons

Starting test: Advertising

......................... adam1 passed test Advertising

Starting test: KnowsOfRoleHolders

......................... adam1 passed test KnowsOfRoleHolders

Starting test: RidManager

......................... adam1 passed test RidManager

Starting test: MachineAccount

......................... adam1 passed test MachineAccount

Starting test: Services

......................... adam1 passed test Services

Starting test: ObjectsReplicated

......................... adam1 passed test ObjectsReplicated

Starting test: frssysvol

......................... adam1 passed test frssysvol

Starting test: kccevent

......................... adam1 passed test kccevent

Starting test: systemlog

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:28:25

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:40:30

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:43:30

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 01:58:46

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:02:11

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:05:11

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:10:51

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:13:51

Event String: The time provider NtpClient is configured to

An Error Event occured. EventID: 0xC25A001D

Time Generated: 12/21/2001 02:18:58

Event String: The time provider NtpClient is configured to

......................... adam1 failed test systemlog

Testing server: Default-First-Site-Name\RESKIT-DC2

Skipping all tests, because server RESKIT-DC2 is

not responding to directory service requests

Running partition tests on : Schema

Starting test: DeadCRTest

......................... Schema passed test DeadCRTest

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration

Starting test: DeadCRTest

......................... Configuration passed test DeadCRTest

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Running partition tests on : cohovineyard

Starting test: DeadCRTest

......................... cohovineyard passed test DeadCRTest

Starting test: CheckSDRefDom

......................... cohovineyard passed test CheckSDRefDom

Running partition tests on : reskit-sib

Starting test: DeadCRTest

......................... reskit-sib passed test DeadCRTest

Starting test: CheckSDRefDom

......................... reskit-sib passed test CheckSDRefDom

Running enterprise tests on : cohovineyard.reskit.com

Starting test: Intersite

......................... cohovineyard.reskit.com passed test Intersite

Starting test: FsmoCheck

......................... cohovineyard.reskit.com passed test FsmoCheck

Formatting legend

Format Meaning

Italic

Information that the user must supply

Bold

Elements that the user must type exactly as shown

Ellipsis (...)

Parameter that can be repeated several times in a command line

Between brackets ([])

Optional items

Between braces ({}); choices separated by pipe (|). Example: {even|odd}

Set of choices from which the user must choose only one

Courier font

Code or program output