Domain Controller Diagnostics Tool (dcdiag.exe)
Posted by Webmaster on September 8, 2017 at 3:18 pm
Applies To: Windows Server 2003 with SP1
What does DCDiag.exe do?
This command-line tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually or as part of a suite to verify domain controller health.
Tool location
The DCDiag command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
Tool requirements
Except as noted below, all commands in DCDiag can be run on Windows XP Professional and the Windows Server 2003 family (member servers and domain controllers).
The new DCDIAG /TEST:DNS command can validate the DNS health of Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers when run from the console of Windows XP or Windows Server 2003 member computers or Windows Server 2003 domain controllers.
Who does this feature apply to?
This feature is of interest to the following audiences:
DNS administrators
Domain controller administrators
DCDiag.exe users
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
There are two significant improvements to DCDiag in Windows Server 2003 Service Pack 1:
DCDIAG /TEST:DNS to validate DNS health.
DCDIAG /CheckSecurityError to detect security configurations that can cause Active Directory replication to fail.
The details of these new enhancements are described below.
New DNS diagnostic tests
Detailed description
DCDiag.exe has been enhanced for Windows Server 2003 Service Pack 1 to include new DNS functionality for reporting on the overall DNS health of domain controllers. There are seven new DNS-related tests that can be run individually or simultaneously. These tests may be performed on one or all domain controllers in an Active Directory forest. When the tests have completed, DCDiag.exe presents a summary of the results, along with detailed information for each domain controller tested.
Note
The new DNS tests require Enterprise Admin credentials.
The new DNS tests can be run only against Windows 2000 Server (SP3 or later) or Windows Server 2003 family domain controllers.
Command line syntax
Windows Server 2003 SP1 dcdiag uses the same basic syntax as previous versions of dcdiag. The syntax for running the new DNS tests is as follows:
Dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:InternetName] | /DnsAll] [/f:Logfile] [/ferr:Logerr] /S:DCName [/e] [/v]
Parameters and their descriptions:
/test:DNS
    Performs all seven subtests except the /DnsInternetName test against the scoped set of domain controllers. The most common DCDIAG command line arguments are DCDIAG /TEST:DNS /V /S:DCNAME to run the six default DNS subtests against a single domain controller (DC), or DCDIAG /TEST:DNS /V /E to run the six default DNS subtests against all DCs in the console computer’s test forest. DCDIAG /TEST:DNS is identical to the /DnsAll command when individual subtests are not defined.
/test:DNS [DNS test]
    Performs the specified DNS test. If no test is specified, defaults to /DnsAll.
/DnsBasic
    Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
/DnsForwarders
    Performs the /DnsBasic tests, and also checks the configuration of forwarders.
/DnsDelegation
    Performs the /DnsBasic tests, and also checks for proper delegations.
/DnsDynamicUpdate
    Performs the /DnsBasic tests, and also determines whether dynamic update is enabled in the Active Directory zone.
/DnsRecordRegistration
    Performs the /DnsBasic tests, and also checks whether the A, CNAME, and well-known SRV records are registered. In addition, creates an inventory report based on results.
/DnsResolveExtName [/DnsInternetName:InternetName]
    Performs the /DnsBasic tests, and also attempts to resolve a sample intranet or Internet name. If /DnsInternetName is not specified, then the command attempts to resolve the name http://www.microsoft.com. If /DnsInternetName is specified, then the command attempts to resolve the Internet name supplied by the user.
/DnsAll
    Performs all tests, except for the DnsResolveExtName test, and generates a report.
/f:Logfile
    Redirects output to the log file supplied by the user.
/ferr:Logerr
    Redirects fatal error output to a separate log file.
/s:DCName
    Specifies the domain controller against which to run the tests.
/e
    All tests specified by /test:DNS are run against all domain controllers in the Active Directory forest.
/v
    Verbose. Presents information about successful test results, in addition to information about errors and warnings. (When the /v parameter is not used, only error and warning information is presented.) Microsoft recommends using the /v switch when errors or warnings are reported in the summary table.
Enterprise DNS Infrastructure Test (/e)
When /test:DNS is run in conjunction with the /e parameter, all tests specified by /test:DNS are run against all domain controllers in the Active Directory forest.
Note
Run times for DNS tests can be significant in large enterprises when the /e parameter is used. Domain controllers and DNS servers that are offline will increase run time due to long time-out periods for RPC and other protocols.
Connectivity test
The connectivity test is a mandatory test and runs automatically before any other dcdiag test is run.
The connectivity test determines whether domain controllers are registered in DNS, can be pinged, and have LDAP/RPC connectivity.
If the connectivity test fails on a given domain controller, no other tests are run against that domain controller.
Note
The connectivity test has not been changed in SP1, but is included in this document for reference.
Basic DNS Test (/DnsBasic)
The basic DNS test confirms that the following essential services are running and available on domain controllers tested by dcdiag:
DNS client service
Netlogon service
KDC service
DNS Server service (if DNS is installed on the domain controller)
The basic DNS test confirms network connectivity for each domain controller by confirming that DNS servers on all adapters are reachable.
The basic DNS test confirms that the A record of each domain controller is registered on at least one of the DNS servers configured on the client.
If a domain controller is running the DNS Server service, the basic DNS test confirms that the Active Directory domain zone and the SOA record for the Active Directory domain zone are present.
The basic DNS test checks whether the root (.) zone is present.
Forwarder test (/DnsForwarders)
Note
This test runs only if the domain controller being tested is running the Microsoft DNS Server service.
The forwarder test determines whether recursion is enabled.
If forwarders or root hints are configured, the forwarder test confirms that all forwarders or root hints on the DNS server are functioning, and also confirms that the _ldap._tcp. DC Locator record is resolved. (Resolution of the _ldap._tcp. DC Locator record is not attempted for forwarders or root hints configured on the forest root domain controller.)
Delegation test (/DnsDelegation)
Note
This test runs only if the domain controller being tested is running the Microsoft DNS Server service.
The delegation test confirms that the delegated name server is a functioning DNS server.
The delegation test checks for broken delegations by ensuring that all NS records in the Active Directory domain zone in which the target domain controller resides have corresponding glue A records.
Dynamic Update Test (/DnsDynamicUpdate)
The dynamic update test confirms that the Active Directory domain zone is configured for secure dynamic update and performs registration of a test record (_dcdiag_test_record). The test record is subsequently deleted.
Record Registration Test (/DnsRecordRegistration)
The record registration test verifies the registration of all essential DC Locator records on all DNS servers configured on each adapter of the domain controllers. This test returns the following records.
Records and their descriptions:
CNAME GUID
    The GUID registered as the canonical name (CNAME) of the DNS server.
A
    The host address (A) resource record. Maps a DNS domain name to an Internet Protocol (IP) version 4 32-bit address.
LDAP SRV
    The service locator (SRV) resource record for the LDAP service.
GC SRV
    The service locator (SRV) resource record for the global catalog (GC) server.
PDC SRV
    The service locator (SRV) resource record for the primary domain controller (PDC).
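The following PowerShell script is an added example (not part of the original post and not Microsoft's dcdiag code) that queries the same five record types the record registration test checks, against each DNS server you name, so that a "Missing ... record" finding from dcdiag can be confirmed from any client. It assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Windows Server 2012 and later; not present on Windows Server 2003 itself), the standard DC Locator record names under _msdcs, and that the caller supplies the DC's DSA GUID for the CNAME check; the host names in the comments are placeholders.

```powershell
# Added example: verify DC Locator record registration for one DC.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+) and the standard
# DC Locator record names; all host and domain names are caller-supplied.
param(
    [Parameter(Mandatory)] [string]$DcFqdn,       # e.g. dc1.corp.example (placeholder)
    [Parameter(Mandatory)] [string]$DomainName,   # DNS name of the DC's domain
    [Parameter(Mandatory)] [string]$ForestRoot,   # DNS name of the forest root domain
    [string]$DsaGuid,                             # DSA object GUID; enables the CNAME check
    [string[]]$DnsServers = @()                   # empty = the client's configured DNS servers
)

# CNAME is only checkable when the DSA GUID is known.
$cnameName = $null
if ($DsaGuid) { $cnameName = "$DsaGuid._msdcs.$ForestRoot" }

# One entry per row of the record table above.
$checks = @(
    @{ Label = 'A';        Type = 'A';     Name = $DcFqdn }
    @{ Label = 'CNAME';    Type = 'CNAME'; Name = $cnameName }
    @{ Label = 'LDAP SRV'; Type = 'SRV';   Name = "_ldap._tcp.dc._msdcs.$DomainName" }
    @{ Label = 'GC SRV';   Type = 'SRV';   Name = "_gc._tcp.$ForestRoot" }
    @{ Label = 'PDC SRV';  Type = 'SRV';   Name = "_ldap._tcp.pdc._msdcs.$DomainName" }
)

# $null stands for "use the client's configured servers".
$servers = @($null)
if ($DnsServers.Count -gt 0) { $servers = $DnsServers }

$results = foreach ($server in $servers) {
    foreach ($check in $checks) {
        if (-not $check.Name) { continue }    # CNAME skipped when no GUID was given

        $params = @{ Name = $check.Name; Type = $check.Type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($server) { $params['Server'] = $server }

        try {
            $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq $check.Type }
            # SRV and CNAME answers may list several DCs; the record counts as registered
            # only if THIS DC is one of the targets. For A, any answer means registered.
            $registered = switch ($check.Type) {
                'SRV'   { [bool]($answers | Where-Object { $_.NameTarget.TrimEnd('.') -eq $DcFqdn }) }
                'CNAME' { [bool]($answers | Where-Object { $_.NameHost.TrimEnd('.')   -eq $DcFqdn }) }
                default { [bool]$answers }
            }
            $status = 'MISSING'
            if ($registered) { $status = 'PASS' }
        } catch {
            # NXDOMAIN, timeout, or an unreachable server all land here.
            $status = "FAIL ($($_.Exception.Message))"
        }

        $serverLabel = '(client default)'
        if ($server) { $serverLabel = $server }
        [pscustomobject]@{ Server = $serverLabel; Record = $check.Label; Name = $check.Name; Status = $status }
    }
}

$results | Format-Table -AutoSize
```

A MISSING result for an SRV record means the name resolved but this DC was not among the registered targets, which is the case the record registration test reports as "DC hasn't registered its ... record on the specified DNS server"; a FAIL result means the query itself did not complete, which points at the DNS server rather than at Netlogon registration.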
External Name Resolution Test (/DnsResolveExtName)
Note
The external name resolution test is run only if specified explicitly (using /DnsResolveExtName); it is not run as part of /DnsAll.
The external name resolution test verifies basic resolution of external DNS from a given client, using a sample Internet name (www.microsoft.com) or a user-provided Internet name.
The external name resolution test cannot resolve external Internet names in an environment where a proxy server is being used.
You can test name resolution using either intranet or Internet names.
To resolve a user-provided Internet or intranet name (rather than the default name of http://www.microsoft.com), the /DnsInternetName parameter must be used.
How to read the output of DNS enhanced dcdiag
The following steps summarize how to interpret the results provided by DNS-enhanced dcdiag:
1. Run dcdiag /test:DNS /e /f:dns.txt. Microsoft recommends always using the /v switch to obtain verbose information.
2. Open the report in Notepad or a compatible editor.
3. Scroll to the end of the report and read the summary table.
4. Identify servers that returned “warn” or “fail” status for any subtest in the summary table.
5. Review the section of output for that server to see what problem was detected (hint: use the Find command on the Edit menu to search on the string “DC: DC_computername” (without quotes) to locate the detailed section for a given DC).
6. Resolve problems on DNS clients or DNS server(s) as required.
7. Run dcdiag /test:DNS /v /e (or /s:DCName) again to verify the fix. Repeat steps 1 through 6 as required until all failures are understood and reconciled.
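The following PowerShell script is an added example (not part of the original post and not a Microsoft tool) that automates steps 3 to 5 above: it optionally runs the recommended verbose, forest-wide command, then reads the log once and prints the summary rows that carry a warn or fail status together with every "Warning:" or "Error:" line from each DC's detailed section. It assumes only what the steps above state about the log: that each detailed section begins at a line containing "DC: <name>", that problems are reported on lines containing "Warning:" or "Error:", and that the summary table marks problem subtests with the words WARN or FAIL; the default log name dns.txt is the one used in step 1.

```powershell
# Added example: summarize a verbose dcdiag DNS log (steps 3 to 5 above).
# Assumptions: "DC: <name>" opens a DC's detailed section, problems appear on
# lines containing "Warning:" or "Error:", and summary rows use WARN/FAIL.
param(
    [string]$LogPath = (Join-Path (Get-Location) 'dns.txt'),
    [switch]$RunDcdiag
)

if ($RunDcdiag) {
    # Step 1 as recommended above: verbose, forest-wide, redirected to the log file.
    & dcdiag /test:DNS /v /e "/f:$LogPath"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dcdiag exited with code $LASTEXITCODE; the log may still be usable."
    }
}

if (-not (Test-Path -LiteralPath $LogPath)) {
    throw "Log file not found: $LogPath"
}

$currentDc   = $null
$findings    = @{}   # DC name -> list of Warning:/Error: lines from its detailed section
$summaryHits = New-Object System.Collections.Generic.List[string]

foreach ($line in Get-Content -LiteralPath $LogPath) {
    # Step 5: "DC: <name>" marks the start of a DC's detailed section.
    if ($line -match '^\s*DC:\s*(\S+)') {
        $currentDc = $Matches[1]
        if (-not $findings.ContainsKey($currentDc)) {
            $findings[$currentDc] = New-Object System.Collections.Generic.List[string]
        }
        continue
    }
    # Step 4: summary rows whose status for some subtest is WARN or FAIL.
    # The word boundaries keep "Warning:" and "Failed ..." detail lines out of this bucket.
    if ($line -match '\b(WARN|FAIL)\b' -and $line -notmatch '(Warning|Error):') {
        $summaryHits.Add($line.Trim())
        continue
    }
    # Detail lines: the messages listed in the warning/error tables below.
    if ($currentDc -and $line -match '(Warning|Error):') {
        $findings[$currentDc].Add($line.Trim())
    }
}

Write-Output 'Summary rows with WARN/FAIL status:'
if ($summaryHits.Count -eq 0) {
    Write-Output '  (none)'
} else {
    $summaryHits | ForEach-Object { Write-Output "  $_" }
}

foreach ($dc in ($findings.Keys | Sort-Object)) {
    if ($findings[$dc].Count -eq 0) { continue }
    Write-Output ''
    Write-Output "DC: $dc"
    # The same message can repeat once per adapter or per DNS server; show each once.
    $findings[$dc] | Select-Object -Unique | ForEach-Object { Write-Output "  $_" }
}
```

Run it as `.\Summarize-DcdiagDns.ps1 -RunDcdiag` from a console with Enterprise Admin credentials to perform the run and the review in one step, or point `-LogPath` at an existing log to review a run someone else captured. Because the detailed sections are keyed on the "DC:" marker rather than on the summary table's column layout, the DC-level listing still works if the summary table's format differs from what this script expects.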
Warnings and Errors
Dcdiag takes a conservative approach by identifying DNS client or DNS server configurations that may be problematic, do not conform to best practice configurations, or that dcdiag cannot fully validate. Therefore, the summary and detailed sections of dcdiag may report warnings for DNS configurations that are currently functional. Administrators should investigate and validate such configurations when identified by dcdiag.
The tables below contain the configurations that can trigger dcdiag to report warnings or errors for each of the DNS subtests.
Basic
Warnings, with additional information:
Warning: Adapter has dynamic IP address
    Static IP addresses are recommended for all DNS servers.
Warning: Adapter has invalid DNS server:
    DNS server may not be reachable.
Warning: No DNS RPC connectivity (error or non-Microsoft DNS server is running)
    Disregard this warning if the DNS server is a BIND or other non-Microsoft DNS server.
Warning: The Active Directory zone on this DC/DNS server was not found
    N/A
Warning: Root zone on this DC/DNS server was found
    N/A
Errors, with additional information:
Error: Authentication failed with specified credentials
    DCDIAG requires Enterprise Admin credentials to run all the tests.
Error: No LDAP connectivity
    N/A
Error: No DS RPC connectivity
    N/A
Error: No WMI connectivity
    The DNS test requires WMI connectivity to run on the remote computer.
Error: Can’t read operating system version through WMI
    This might be caused by the lack of a WMI connection on the remote computer.
Error: not supported (this tool is supported on Windows 2000, Windows XP, and Windows Server 2003 only)
    N/A
Error: Open Service Control Manager failed
    Unable to find whether the service is running or not.
Error: Kdc/netlogon/DNS/dnscache is not running
    Some of the key services are not running.
Error: Can’t read network adapter information through WMI
    N/A
Error: All DNS servers are invalid
    The DNS servers that the client is pointing to are either not reachable, not a DNS server, or have invalid IP addresses.
Error: The A record for this DC was not found
    Every DC should register an A record. Make sure A records are registered on all the DNS servers the client is pointing to.
Error: Enumeration of zones failed to find root and AD zone
    N/A
Error: Could not query DNS zones on this DC
    Make sure that the zone in which the DC is supposed to register is present.
Forwarder
Errors, with additional information:
Error: Forwarders list has invalid forwarder:
    Forwarders configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, cannot resolve the forest root domain SRV record if it is a non-root domain DC).
Error: Both root hints and forwarders are not configured. Please configure either forwarders or root hints
    Make sure either forwarders or root hints are configured on the DNS server unless it hosts the root zone.
Error: Root hints list has invalid root hint server:
    Root hint servers configured on the DNS server have an invalid IP address or are not a DNS server, or name resolution is not working (that is, cannot resolve the forest root domain SRV record if it is a non-root domain DC).
Error: IP: Status:
    Configured root hint servers don’t have a corresponding IP address. The Status field will tell you the status of the server.
Error: IP: Status: A record not found
    Configured root hint servers don’t have an A record.
Error: Enumeration of Root hint servers failed on
    Couldn’t list the root hint servers on the target DNS server.
Delegation
Warnings, with additional information:
Warning: DNS server: IP: Failure: Missing glue A record
    The configured delegation is missing a glue A record.
Errors, with additional information:
DNS server: IP: Error: Broken delegation (verbose)
    Delegation is configured but the name server is not responding.
DNS server: IP: Error: Broken delegated domain (non-verbose)
    N/A
Error: Failed to enumerate the records at the zone root on the server
    N/A
DynamicUpdate
Warnings, with additional information:
Warning: Dynamic update is enabled on the zone but not secure
    Secure dynamic updates are recommended.
Warning: Failed to add test record _dcdiag_test_record with error in zone
    The test adds a dummy record dynamically.
Warning: Failed to delete test record _dcdiag_test_record with error in zone
    Deletes the added record as well.
Errors, with additional information:
Error: Dynamic update is not enabled on the zone
    Dynamic update is not enabled on the Active Directory zone, so the client cannot register its records.
Record registration
Warnings, with additional information:
Warning: Missing DC SRV record at DNS server
    Ignore the error if the DNSAvoidRegisterRecord registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Missing GC SRV record at DNS server
    Ignore the error if the DNSAvoidRegisterRecord registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Missing PDC SRV record at DNS server
    Ignore the error if the DNSAvoidRegisterRecord registry key or its Group Policy has been configured to prevent registration of this record.
Warning: Record Registrations not found in some network adapters
    N/A
Errors, with additional information:
Error: Missing A record at DNS server:
    The DC hasn’t registered its A record on the specified DNS server.
Error: Missing CNAME record at DNS server:
    The DC hasn’t registered its CNAME record on the specified DNS server.
Error: Missing DC SRV record at DNS server:
    The DC hasn’t registered its DC SRV record on the specified DNS server.
Error: Missing GC SRV record at DNS server:
    The DC hasn’t registered its GC SRV record on the specified DNS server.
Error: Missing PDC SRV record at DNS server:
    The DC hasn’t registered the specified PDC SRV record on the specified DNS server. All these records can be registered by stopping and starting the Netlogon service.
Error: Record registrations cannot be found for all the network adapters
    If there are multiple network adapters, the test checks whether all the records are present on all the DNS servers configured on each adapter. This error occurs if the record registration is missing on the DNS server.
External name resolution
Errors, with additional information:
Error: Internet name cannot be resolved
    The specified Internet name cannot be resolved. Make sure the proxy client, servers, root hints, and forwarders are configured properly.
Enterprise DNS infrastructure tests
Warnings, with additional information:
Warning: Neither forwarders nor root hints are configured from subordinate domain to parent domain
    Forwarders or root hints need to be configured in the DNS servers of either the parent or subordinate domains that are hosting the authoritative zones for their respective domain to enable name resolution to work.
Errors, with additional information:
Error: Delegation is not configured on the parent domain
    Delegation should be configured from the parent to the subordinate domain.
Error: Delegation is present but the glue record is missing
    Delegation is configured but the name servers are missing their glue record.
Error: Forwarders are misconfigured from parent domain to subordinate domain
    Forwarders must be configured from the subordinate domain to the parent domain.
Error: Root hints are misconfigured from parent domain to subordinate domain
    Root hints must be configured from the subordinate domain to the parent domain.
Error: Forwarders are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
    The configured forwarders have an invalid IP address or are not a valid DNS server, or name resolution is not working (cannot resolve the forest root domain SRV record if it is in the non-root domain).
Error: Root hints are configured from subordinate to parent domain but some of them failed DNS server tests (See DNS servers section for error details)
    The configured root hints have an invalid IP address or are not a valid DNS server, or name resolution is not working.
Examples:
The following examples illustrate the use of Windows Server 2003 SP1 dcdiag. You should replace the parameters in italics with those appropriate for your environment:
To run all DNS tests on a single domain controller in non-verbose mode:
Dcdiag /test:DNS /s:TargetDCName /f:LogFileName
To run all DNS tests on a single domain controller in verbose mode:
Dcdiag /test:DNS /s:TargetDCName /v /f:LogFileName
To run all DNS tests on an entire forest in non-verbose mode:
Dcdiag /test:DNS /e /f:LogFileName
To run all DNS tests on an entire forest in verbose mode:
Dcdiag /test:DNS /v /e /f:LogFileName
To run the DNS basic test on a single domain controller:
Dcdiag /test:DNS /DnsBasic /s:TargetDCName /f:LogFileName
To run the DNS forwarders test on a single domain controller:
Dcdiag /test:DNS /DnsForwarders /s:TargetDCName /f:LogFileName
To run the DNS delegation test on a single domain controller:
Dcdiag /test:DNS /DnsDelegation /s:TargetDCName /f:LogFileName
To run the DNS dynamic update test on a single domain controller:
Dcdiag /test:DNS /DnsDynamicUpdate /s:TargetDCName /f:LogFileName
To run the DNS record registration test on a single domain controller:
Dcdiag /test:DNS /DnsRecordRegistration /s:TargetDCName /f:LogFileName
To resolve a sample Internet or intranet name:
Dcdiag /test:DNS /DnsResolveExtName /DnsInternetName:InternetName /f:LogFileName
Note
When an individual test is run, the /DnsBasic tests are run by default before running the individual test specified.
If no individual test is specified, all DNS tests (except /DnsResolveExtName) are run by default.
New Active Directory replication security tests
Detailed description
DCDiag.exe has been enhanced for Windows Server 2003 Service Pack 1 to include new functionality to identify security configurations that can cause Active Directory replication to fail.
The new CheckSecurityError test may be performed on one or all domain controllers in an Active Directory forest. The test performs the following operations:
Checks for the availability of a Key Distribution Center (KDC) in both the destination and source domain controller’s domains.
Verifies that the destination DC can transmit and receive sufficiently large UDP-formatted packets (used by Kerberos).
Verifies that the system clock of the destination DC is no more than 5 minutes different from the system time of the KDC in the destination and source domain, and the source DC.
Confirms that the root of each naming context on the source domain controller is configured with the necessary permission.
Confirms that the source and destination DC computer accounts are not disabled, are trusted for delegation, and contain all required service principal names.
When the test has completed, DCDiag.exe presents a summary of the results for each domain controller tested and the diagnosis of the security errors encountered.
This test can be run from the command line using the following syntax:
Dcdiag /test:CheckSecurityError
Optionally, you can add the switch /ReplSource:SourceDC to the command to identify a specific domain controller as a source in a replication attempt. The domain controller specified in the /replsource: parameter does not need to be a current source domain controller that the domain controller being tested currently replicates from (one that the destination domain controller currently has an inbound connection object from). This test will collect information from the domain controller, the key distribution center (KDC) source and destination servers, and Active Directory.
Note
Dcdiag /test:CheckSecurityError can be executed on the console of a member computer (using the /e or /s:servername switches) as well as on a domain controller. For best results, run Dcdiag /test:CheckSecurityError on the console of each domain controller that is failing inbound Active Directory replication due to a suspected security error.
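The following PowerShell script is an added example (not part of the original post and not Microsoft's CheckSecurityError implementation) that performs, read-only and from a modern management host, three of the checks listed above for a given destination/source pair: KDC reachability, clock offset against the KDC within the 5 minute limit the test applies, and the state of both DC computer accounts (enabled, trusted for delegation, service principal names). It assumes the ActiveDirectory module (RSAT), Test-NetConnection (Windows 8.1 / Server 2012 R2 and later) and w32tm are available, that w32tm prints its offset sample as a signed number of seconds followed by "s", and, since the page does not enumerate the required SPNs, it treats HOST/<fqdn> plus the directory replication service SPN (prefix E3514235-4B06-11D1-AB04-00C04FC2DCD2) as the minimum; the UDP packet size and naming-context permission checks are not reproduced.

```powershell
# Added example: read-only pre-check for the conditions CheckSecurityError inspects.
# Assumes RSAT ActiveDirectory module, Test-NetConnection and w32tm on this host.
# The SPN set below is an assumed minimum, not a list taken from the page.
param(
    [Parameter(Mandatory)] [string]$DestinationDc,   # FQDN of the DC failing inbound replication
    [Parameter(Mandatory)] [string]$SourceDc,        # FQDN of the replication source
    [Parameter(Mandatory)] [string]$Kdc,             # FQDN of a KDC (any DC) in the relevant domain
    [int]$MaxSkewSeconds = 300                       # the 5 minute Kerberos limit stated above
)
Import-Module ActiveDirectory -ErrorAction Stop

$report = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $result = 'FAIL'
    if ($Ok) { $result = 'PASS' }
    $report.Add([pscustomobject]@{ Check = $Check; Result = $result; Detail = $Detail })
}

# 1. KDC availability: Kerberos listens on TCP 88 (UDP is not probed here).
$kdcTest = Test-NetConnection -ComputerName $Kdc -Port 88 -WarningAction SilentlyContinue
Add-Finding 'KDC reachable (TCP 88)' $kdcTest.TcpTestSucceeded $Kdc

# 2. Clock offset of this host against the KDC. w32tm's data-only stripchart prints
#    one sample per line as "<time>, <signed offset>s" (assumed format, see lead-in).
$w32 = & w32tm /stripchart /computer:$Kdc /samples:1 /dataonly 2>&1 | Out-String
if ($w32 -match '([+-]\d+(?:\.\d+)?)s') {
    $offset = [math]::Abs([double]$Matches[1])
    Add-Finding 'Clock offset vs KDC within limit' ($offset -le $MaxSkewSeconds) ('{0:N3}s' -f $offset)
} else {
    Add-Finding 'Clock offset vs KDC within limit' $false 'w32tm returned no offset sample'
}

# 3. Computer account state for both DCs: enabled, trusted for delegation, SPNs present.
foreach ($dc in @($DestinationDc, $SourceDc)) {
    $shortName = ($dc -split '\.')[0]
    try {
        $acct = Get-ADComputer -Identity ($shortName + '$') `
                    -Properties Enabled, TrustedForDelegation, servicePrincipalName -ErrorAction Stop
    } catch {
        Add-Finding "Computer account found: $dc" $false $_.Exception.Message
        continue
    }
    Add-Finding "Account enabled: $dc"          $acct.Enabled              ''
    Add-Finding "Trusted for delegation: $dc"   $acct.TrustedForDelegation ''

    $spns    = @($acct.servicePrincipalName)
    $hasHost = $spns -contains "HOST/$dc"
    $hasDrs  = [bool]($spns | Where-Object { $_ -like 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/*' })
    Add-Finding "Required SPNs present: $dc" ($hasHost -and $hasDrs) "$($spns.Count) SPNs on account"
}

$report | Format-Table -AutoSize
```

Run it from the destination DC itself so that the clock-offset sample reflects the clock that Kerberos will actually compare, which is the same reason the note above recommends running Dcdiag /test:CheckSecurityError on the console of the failing DC. A FAIL on any row is a reason to run the real test; a clean report does not replace it, since the UDP packet and naming-context permission checks are only done by dcdiag.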
Why is this change important?
If replication is not working and the error is a security error (such as “Access Denied”, “The target account name is incorrect”, or “The RPC server is unavailable”), there are many different factors that could be causing the issue. This test automates the diagnosis by looking at the most common sources of these errors and reporting them so that you can resolve the issue.