Active directory DCDiag Analysis


To proceed with this task I will use the dcdiag tool. The tool can be downloaded here. Running this tool and analysing the report will in many cases help you avoid major problems, and it lets you know what you have and the state of your infrastructure. You can see all the dcdiag options listed below under Dcdiag Options.

I usually run dcdiag and save the report to separate files with the /f and /ferr options.

Run this from the command line:

dcdiag /e /v /c /ferr:dcdiag042012error.txt /f:dcdiag042012.txt

Some tests should be run separately, such as the DNS test:

C:\>dcdiag /e /v /test:DNS /DnsAll /f:dcdiagdns042012.txt
DNS Tests are running and not hung. Please wait a few minutes...

Remember that if DNS does not work properly, your Active Directory will probably not function correctly either.

With this you will have a “picture” of the state of your Active Directory; this is the starting point for solving any reported issue. Don’t forget to run the other tests to ensure that everything is OK and that your Active Directory is reliable.
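The following PowerShell script is an added example (my own, not from the original post) that runs the two commands above with date-stamped file names in the same style as dcdiag042012.txt, and then summarises the report's "passed test" / "failed test" lines per domain controller so the failures stand out. It assumes dcdiag.exe is on the PATH (it ships with the AD DS tools / RSAT), that the report is written in English, and that the account running it can query every DC in the forest; the output folder C:\dcdiag and the -SkipRun switch are my own choices.

```powershell
# Added example (not from the original post): run dcdiag as the post
# describes (/e /v /c with /f and /ferr, DNS separately), then summarise
# the per-DC "passed test" / "failed test" lines of the main report.
# Assumptions: dcdiag.exe is on the PATH, the report is in English, and
# the account running this can query every DC. Run from an elevated prompt.

param(
    [string]$OutDir = "C:\dcdiag",   # arbitrary output folder (assumption)
    [switch]$SkipRun                 # only analyse an existing report
)

$stamp  = Get-Date -Format "MMyyyy"                 # e.g. 042012, as in the post
$report = Join-Path $OutDir "dcdiag$stamp.txt"
$errLog = Join-Path $OutDir "dcdiag${stamp}error.txt"
$dnsLog = Join-Path $OutDir "dcdiagdns$stamp.txt"

if (-not $SkipRun) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Enterprise-wide, verbose, comprehensive run; fatal errors to their own file.
    & dcdiag.exe /e /v /c "/ferr:$errLog" "/f:$report"
    # DNS is run on its own, as the post recommends.
    & dcdiag.exe /e /v /test:DNS /DnsAll "/f:$dnsLog"
}

# dcdiag writes one summary line per (DC, test), for example:
#   ......................... DC01 passed test Connectivity
#   ......................... DC02 failed test Replications
$pattern = '^\s*\.+\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'

$results = Get-Content $report | ForEach-Object {
    if ($_ -match $pattern) {
        [pscustomobject]@{
            DC     = $Matches.dc
            Test   = $Matches.test
            Result = $Matches.result
        }
    }
}

# Overview: passed/failed test counts per domain controller.
$results | Group-Object DC | ForEach-Object {
    [pscustomobject]@{
        DC     = $_.Name
        Passed = ($_.Group | Where-Object Result -eq 'passed').Count
        Failed = ($_.Group | Where-Object Result -eq 'failed').Count
    }
} | Format-Table -AutoSize

# List the failures; look them up in the verbose report (and the /ferr file)
# for the detail dcdiag prints just before each "failed test" line.
$failed = $results | Where-Object Result -eq 'failed'
if ($failed) {
    "`nFailed tests:"
    $failed | Format-Table DC, Test -AutoSize
    exit 1          # non-zero exit so a scheduled run can raise an alert
} else {
    "All reported tests passed."
}
```

Run it once without -SkipRun to collect the reports, and with -SkipRun to re-analyse the same report later without re-running dcdiag. The non-zero exit code on any failure makes the script easy to schedule and alert on; the DNS report is kept in its own file because the DNS test prints its own summary table rather than the per-test lines the parser looks for.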

Dcdiag Options.

From Command run C:\>dcdiag /?
Domain Controller Diagnosis
dcdiag.exe /s:<Domain Controller> [/u:<Domain>\<Username> /p:*|<Password>|""]
           [/hqv] [/n:<Naming Context>] [/f:<Log>] [/ferr:<Errlog>] [/x:<XMLLog.xml>
           [/skip:<Test>] [/test:<Test>]
   /h: Display this help screen
   /s: Use <Domain Controller> as Home Server. Ignored for DcPromo and
       RegisterInDns tests which can only be run locally.
   /n: Use <Naming Context> as the Naming Context to test
       Domains may be specified in Netbios, DNS or DN form.
   /u: Use domain\username credentials for binding.
       Must also use the /p option
   /p: Use <Password> as the password.  Must also use the /u option
   /a: Test all the servers in this site
   /e: Test all the servers in the entire enterprise.  Overrides /a
   /q: Quiet - Only print error messages
   /v: Verbose - Print extended information
   /i: ignore - ignores superfluous error messages.
   /fix: fix - Make safe repairs.
   /f: Redirect all output to a file <Log>, /ferr will redirect error output
       seperately.
   /ferr:<ErrLog> Redirect fatal error output to a seperate file <ErrLog>
   /x:<XMLLog.xml> Redirect xml output to <XMLLog.xml>. Currently works with /test:dns option only
   /xsl:<xslfile.xsl or xsltfile.xslt> Adds the processing instructions that references specified stylesheet. Works with /test:dns /x:<XMLLog.xml> option only
   /c: Comprehensive, runs all tests, including non-default tests but excluding
       DcPromo and RegisterInDNS. Can use with /skip
   /test:<TestName> - Test only this test.  Required tests will still
                      be run.  Do not mix with /skip.
   Valid tests are:
       Connectivity  - Tests whether DCs are DNS registered, pingeable, and
                have LDAP/RPC connectivity.
       Replications  - Checks for timely replication between domain controllers.

       Topology  - Checks that the generated topology is fully connected for
                all DCs.
       CutoffServers  - Check for servers that won't receive replications
                because its partners are down
       NCSecDesc  - Checks that the security descriptosrs on the naming
                context heads have appropriate permissions for replication.
       NetLogons  - Checks that the appropriate logon priviledges allow
                replication to proceed.
       Advertising  - Checks whether each DC is advertising itself, and whether
                it is advertising itself as having the capabilities of a DC.
       KnowsOfRoleHolders  - Check whether the DC thinks it knows the role
                holders, and prints these roles out in verbose mode.
       Intersite  - Checks for failures that would prevent or temporarily
                hold up intersite replication.
       FsmoCheck  - Checks that global role-holders are known, can be
                located, and are responding.
       RidManager  - Check to see if RID master is accessable and to see if
                it contains the proper information.
       MachineAccount  - Check to see if the Machine Account has the proper
                information. Use /RecreateMachineAccount to attempt a repair
                if the local machine account is missing. Use /FixMachineAccount
                if the machine account flags are incorrect
       Services  - Check to see if appropriate DC services are running.
       OutboundSecureChannels  - See if we have secure channels from all of the
                DC's in the domain the domains specified by /testdomain:.
                /nositerestriction will prevent the test from
                being limited to the DC's in the site.
       ObjectsReplicated  - Check that Machine Account and DSA objects have
                replicated. Use /objectdn:<dn> with /n:<nc> to specify an
                additional object to check.
       frssysvol  - This test checks that the file replication system (FRS)
                SYSVOL is ready
       frsevent  - This test checks to see if there are any operation errors
                in the file replication system (FRS).  Failing replication
                of the SYSVOL share, can cause Policy problems.
       kccevent  - This test checks that the Knowledge Consistency Checker
                is completing without errors.
       systemlog  - This test checks that the system is running without errors.
       DcPromo  - Tests the existing DNS infrastructure for promotion to domain
                controller. If the infrastructure is sufficient, the computer
                can be promoted to domain controller in a domain specified in
                <Active_Directory_Domain_DNS_Name>. Reports whether any
                modifications to the existing DNS infrastructure are required.
                Required argument:
                /DnsDomain:<Active_Directory_Domain_DNS_Name>
                One of the following arguments is required:
                /NewForest
                /NewTree
                /ChildDomain
                /ReplicaDC
                If NewTree is specified, then the ForestRoot argument is
                required:
                /ForestRoot:<Forest_Root_Domain_DNS_Name>
       RegisterInDNS  - Tests whether this domain controller can register the
                Domain Controller Locator DNS records. These records must be
                present in DNS in order for other computers to locate this
                domain controller for the <Active_Directory_Domain_DNS_Name>
                domain. Reports whether any modifications to the existing DNS
                infrastructure are required.
                Required argument:
                /DnsDomain:<Active_Directory_Domain_DNS_Name>
       CrossRefValidation  - This test looks for cross-refs that are in some
                way invalid.
       CheckSDRefDom  - This test checks that all application directory
                partitions have appropriate security descriptor reference
                domains.
       VerifyReplicas  - This test verifys that all application directory
                partitions are fully instantiated on all replica servers.
       VerifyReferences  - This test verifys that certain system references
                are intact for the FRS and Replication infrastructure.
       VerifyEnterpriseReferences  - This test verifys that certain system
                references are intact for the FRS and Replication
                infrastructure across all objects in the enterprise
                on each DC.
       CheckSecurityError  - Locates security errors (or those possibly security related)
                and performs the initial diagnosis of the problem.
                Optional Arguments:
                /ReplSource:<Source DC> to target a specific source,
                regardless of it's error status.  Need not be a current partner.
       DNS  - This test checks the health of DNS settings
                for the whole enterprise. Sub tests can be run individually
                using the switches below. By default, all tests except
                external name resolution are run)
                /DnsBasic (basic tests, can't be skipped)
                /DnsForwarders (forwarders and root hints tests)
                /DnsDelegation (delegations tests)
                /DnsDynamicUpdate (dynamic update tests)
                /DnsRecordRegistration (records registration tests)
                /DnsResolveExtName (external name resolution test)
                /DnsAll (includes all tests above)
                /DnsInternetName: <internet name> (for test /DnsResolveExtName)
                         (default is www.microsoft.com)
   /skip:<TestName> - Skip the named test.  Required tests will still
                      be run.  Do not mix with /test.
   Tests that can be skipped are:
       Replications  - Checks for timely replication between domain controllers.
       Topology  - Checks that the generated topology is fully connected for
                all DCs.
       CutoffServers  - Check for servers that won't receive replications
                because its partners are down
       NCSecDesc  - Checks that the security descriptosrs on the naming
                context heads have appropriate permissions for replication.
       NetLogons  - Checks that the appropriate logon priviledges allow
                replication to proceed.
       Advertising  - Checks whether each DC is advertising itself, and whether
                it is advertising itself as having the capabilities of a DC.
       KnowsOfRoleHolders  - Check whether the DC thinks it knows the role
                holders, and prints these roles out in verbose mode.
       Intersite  - Checks for failures that would prevent or temporarily
                hold up intersite replication.
       FsmoCheck  - Checks that global role-holders are known, can be
                located, and are responding.
       RidManager  - Check to see if RID master is accessable and to see if
                it contains the proper information.
       MachineAccount  - Check to see if the Machine Account has the proper
                information. Use /RecreateMachineAccount to attempt a repair
                if the local machine account is missing. Use /FixMachineAccount
                if the machine account flags are incorrect
       Services  - Check to see if appropriate DC services are running.
       OutboundSecureChannels  - See if we have secure channels from all of the
                DC's in the domain the domains specified by /testdomain:.
                /nositerestriction will prevent the test from
                being limited to the DC's in the site.
       ObjectsReplicated  - Check that Machine Account and DSA objects have
                replicated. Use /objectdn:<dn> with /n:<nc> to specify an
                additional object to check.
       frssysvol  - This test checks that the file replication system (FRS)
                SYSVOL is ready
       frsevent  - This test checks to see if there are any operation errors
                in the file replication system (FRS).  Failing replication
                of the SYSVOL share, can cause Policy problems.
       kccevent  - This test checks that the Knowledge Consistency Checker
                is completing without errors.
       systemlog  - This test checks that the system is running without errors.
       DcPromo  - Tests the existing DNS infrastructure for promotion to domain
                controller. If the infrastructure is sufficient, the computer
                can be promoted to domain controller in a domain specified in
                <Active_Directory_Domain_DNS_Name>. Reports whether any
                modifications to the existing DNS infrastructure are required.
                Required argument:
                /DnsDomain:<Active_Directory_Domain_DNS_Name>
                One of the following arguments is required:
                /NewForest
                /NewTree
                /ChildDomain
                /ReplicaDC
                If NewTree is specified, then the ForestRoot argument is
                required:
                /ForestRoot:<Forest_Root_Domain_DNS_Name>
       RegisterInDNS  - Tests whether this domain controller can register the
                Domain Controller Locator DNS records. These records must be
                present in DNS in order for other computers to locate this
                domain controller for the <Active_Directory_Domain_DNS_Name>
                domain. Reports whether any modifications to the existing DNS
                infrastructure are required.
                Required argument:
                /DnsDomain:<Active_Directory_Domain_DNS_Name>
       CrossRefValidation  - This test looks for cross-refs that are in some
                way invalid.
       CheckSDRefDom  - This test checks that all application directory
                partitions have appropriate security descriptor reference
                domains.
       VerifyReplicas  - This test verifys that all application directory
                partitions are fully instantiated on all replica servers.
       VerifyReferences  - This test verifys that certain system references
                are intact for the FRS and Replication infrastructure.
       VerifyEnterpriseReferences  - This test verifys that certain system
                references are intact for the FRS and Replication
                infrastructure across all objects in the enterprise
                on each DC.
       CheckSecurityError  - Locates security errors (or those possibly security related)
                and performs the initial diagnosis of the problem.
                Optional Arguments:
                /ReplSource:<Source DC> to target a specific source,
                regardless of it's error status.  Need not be a current partner.
       DNS  - This test checks the health of DNS settings
                for the whole enterprise. Sub tests can be run individually
                using the switches below. By default, all tests except
                external name resolution are run)
                /DnsBasic (basic tests, can't be skipped)
                /DnsForwarders (forwarders and root hints tests)
                /DnsDelegation (delegations tests)
                /DnsDynamicUpdate (dynamic update tests)
                /DnsRecordRegistration (records registration tests)
                /DnsResolveExtName (external name resolution test)
                /DnsAll (includes all tests above)
                /DnsInternetName: <internet name> (for test /DnsResolveExtName)
                        (default is www.microsoft.com)
   The following tests are not run by default:
       Topology  - Checks that the generated topology is fully connected for
                all DCs.
       CutoffServers  - Check for servers that won't receive replications
                because its partners are down
       OutboundSecureChannels  - See if we have secure channels from all of the
                DC's in the domain the domains specified by /testdomain:.
                /nositerestriction will prevent the test from
                being limited to the DC's in the site.
       VerifyReplicas  - This test verifys that all application directory
                partitions are fully instantiated on all replica servers.
       VerifyEnterpriseReferences  - This test verifys that certain system
                references are intact for the FRS and Replication
                infrastructure across all objects in the enterprise
                on each DC.
       CheckSecurityError  - Locates security errors (or those possibly security related)
                and performs the initial diagnosis of the problem.
                Optional Arguments:
                /ReplSource:<Source DC> to target a specific source,
                regardless of it's error status.  Need not be a current partner.
       DNS  - This test checks the health of DNS settings
                for the whole enterprise. Sub tests can be run individually
                using the switches below. By default, all tests except
                external name resolution are run)
                /DnsBasic (basic tests, can't be skipped)
                /DnsForwarders (forwarders and root hints tests)
                /DnsDelegation (delegations tests)
                /DnsDynamicUpdate (dynamic update tests)
                /DnsRecordRegistration (records registration tests)
                /DnsResolveExtName (external name resolution test)
                /DnsAll (includes all tests above)
                /DnsInternetName: <internet name> (for test /DnsResolveExtName)
                         (default is www.microsoft.com)
        All tests except DcPromo and RegisterInDNS must be run on computers
        after they have been promoted to domain controller.

Hope that this information can be useful.


About rodvars
Been working in IT Services/Consulting for the past 15 years. My main areas of work are planning, development, managing and administration of system infrastructures, focusing on optimizing user processes, enforcing business security, performance enhancements, high availability and infrastructure scalability.

5 Responses to Active directory DCDiag Analysis

  1. noopept says:

    You have mentioned very interesting points! ps nice web site.

  2. Hey there, You have done a fantastic job. I’ll definitely digg it and in my opinion recommend to my friends. I’m sure they will be benefited from this web site.

  3. It’s actually a great and helpful piece of information. I’m satisfied that you just shared this helpful info with us. Please keep us up to date like this. Thanks for sharing.

  4. I enjoy the invaluable information and facts you provide within your articles.

  5. idebenone says:

    You have remarked very interesting points! ps decent site.
