First published on TechNet on Mar 22, 2011
Hi folks, Ned here again. I recently wrote a KB article about some expected DCDIAG.EXE behaviors . This required reviewing DCDIAG.EXE as I wasn’t finding anything deep in TechNet about the “Services” test that had my interest. By the time I was done, I had found a dozen other test behaviors I had never known existed. While we have documented the version of DCDIAG that shipped with Windows Server 2008 – sometimes with excellent specificity, like Justin Hall’s article about the DNS tests – mostly it’s a black box and you only find out what it tests when the test fails. Oh, we have help of course: just run DCDIAG /? to see it. But it’s help written by developers. Meaning you get wording like this:
Advertising
Checks whether each DSA is advertising itself, and whether it is advertising itself as having the capabilities of a DSA.
So, it checks each DSA (whatever that is) to see if it’s advertising (whatever that means). The use of an undefined acronym is an especially nice touch, as even within Microsoft, DSA could mean:
Naturally, this brings out my particular brand of irritation. What follows is the result of my compulsion to understand. I’m not documenting every last switch in DCDIAG, just the tests. I am only documenting Windows Server 2008 R2 SP1 behavior – I have no idea where the source code is for the ancient Support Tools version of DCDIAG and you aren’t paying me enough here to find it :-). The Windows Server 2008 RTM through Windows Server 2008 R2 SP1 versions are nearly identical except for bug fixes:
KB2401600 The Dcdiag.exe VerifyReferences test fails on an RODC that is running Windows Server 2008 R2
http://support.microsoft.com/default.aspx?scid=kb;en-US;2401600
KB979294 The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7
http://support.microsoft.com/default.aspx?scid=kb;EN-US;979294
KB978387 FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621
http://support.microsoft.com/default.aspx?scid=kb;EN-US;978387
Everything I describe below you can discover and confirm yourself with careful examination of network captures and logging, to include the public functions being used – but why walk when you can ride? Using /v can also provide considerable details on some tests. No internal source code is described nor do I show any special hidden functionality.
For info on all the network protocols I list out – or if you run into network errors when using DCDIAG – see Service overview and network port requirements for the Windows Server system . I went pretty link-happy in general in this post to help people using it as a reference; that way if you just look at your one little test it has all the info you need. I don’t always call out name resolution being tested because it is implicit; it’s also testing TCP, UDP, and IP.
Finally: this post is more of a reference than my usual lighthearted fare. Do not operate heavy machinery while reading.
This tests general connectivity and responsiveness of a DC, to include:
The DNS test can be satisfied out of the client cache so restarting the DNS client service locally is advisable when running DCDIAG to guarantee a full test of name resolution. For example:
Net stop "dns client" & net start "dns client" & dcdiag /test:verifyreplicas /s:DC-01
The initial tests cannot be skipped.
The initial tests use ICMP , LDAP , DNS , and RPC on the network.
Editorial note: Blocking ICMP will prevent DCDIAG from working. While blocking ICMP is highly recommended at the Internet-edge of your network, internally blocking ICMP traffic mainly just leads to administrative headaches like breaking legacy group policy , breaking black hole router detection ( or leading to highly inefficient MTU sizes due to lack of a discovery option ), and breaking troubleshooting tools like ping.exe or tracert.exe . It creates an illusion of security; there are a great many other easy ways for a malicious internal user to locate computers.
This test validates that the public DsGetDcName function used by computers to locate domain controllers will correctly locate any DCs specified with in the command line with the /s , /a , or /e parameter. It checks that the server successfully reports itself with DS_Flags for:
Note that “advertising” is not the same as “working”. For instance, if the KDC service is stopped the Advertising test will fail since the flag returned from DsGetDcName will not include KDC. But if port 88 over TCP and UDP are blocked on a firewall, the Advertising test will pass – even though the KDC is not going to be able to answer requests for Kerberos tickets.
This test is done using RPC over SMB (using a Netlogon named pipe) to the DC plus LDAP to locate the DCs site information.
This test validates that your application partition cross reference objects (located in “ cn=partitions,cn=configuration,dc=<forest root domain> ”) contain the correct domain names in their msDS-SDReferenceDomain attributes. The test uses LDAP.
I find no history of anyone ever seeing the error message that can be displayed here.
The test uses LDAP .
This test does a variety of checks around the security components of a DC like Kerberos. For it to be more specifically useful you should provide /replsource: <some partner DC> as the default checks are not as comprehensive.
This test:
When the /replsource is added, a few more tests happen. The partner is checked for all of the above also, then:
These tests are performed using LDAP , RPC , RPC over SMB , and ICMP .
No matter what you specify for tests, this always runs as part of Initial Required Tests .
This test retrieves a list of naming contexts (located in “ cn=partitions,cn=configuration,dc=<forest root domain> ”) with their cross references and then validates them, similar to the CheckSDRefDom test above. It is looking at the nCName , dnsRoot, nETBIOSName, and systemFlags attributes to:
The test uses LDAP .
Tests the AD replication topology to ensure there are no DCs without working connection objects between partners. Any servers that cannot replicate inbound or outbound from any DCs are considered “cut off”. It uses the function DsReplicaSyncAll to do this which means this “test” actually triggers replication on the DCs so use with caution if you are the owner of crud WAN links that you keep clean with schedules, and certainly consider this before using /e .
This test is rather misleading in its help description; if it cannot contact a server that is actually unavailable to LDAP on the network then it gives no error or test results, even if the /v parameter is specified. You have to notice that there is no series of “analyzing the alive system replication topology” or “performing upstream (of target) analysis” messages being printed for a cutoff server. However, the Connectivity test will fail if the server is unreachable so it’s a wash.
The test uses RPC .
The DCpromo test is one of the two oddballs in DCDIAG (the other is ‘DNS’). It is designed to test how well a DCPROMO would proceed if you were to run it on the server where DCDIAG is launched. It also has a number of required switches for each kind of promotion operation. All of the tests are against the server specified first in the client DNS settings. It tests:
The test uses DNS on the network.
This series of enterprise-wide DNS tests are already well documented here:
http://technet.microsoft.com/en-us/library/cc731968(WS.10).aspx
The tests use DNS , RPC , and WMI protocols.
This test validates the File Replication Service’s health by reading (and printing, if using /v ) FRS event log warning and error entries from the past 24 hours. It’s possible this service won’t be running or installed on Windows Server 2008 or later if SYSVOL has been migrated to DFSR . On Windows Server 2008, some events may be misleading as they may refer to custom replica sets and not necessarily SYSVOL; on Windows Server 2008 R2, however, FRS can be used for SYSVOL only.
By default, remote connections to the event log are disabled by the Windows Server 2008/R2 firewall rules so this test will fail. KB2512643 covers enabling those rules to allow the test to succeed.
The test uses RPC , specifically with the EventLog Remoting Protocol .
This test validates the Distributed File System Replication service’s health by reading (and printing, if using /v ) DFSR event log warning and error entries from the past 24 hours. It’s possible this service won’t be running or installed on Windows Server 2008 if SYSVOL is still using FRS; on Windows Server 2008 R2 the service is always present on DCs. While this ostensibly tests DFSR-enabled SYSVOL , any errors within custom DFSR replication groups would also appear here, naturally.
By default, remote connections to the event log are disabled by the Windows Server 2008/R2 firewall rules so this test will fail. KB2512643 covers enabling those rules to allow the test to succeed.
The test uses RPC , specifically with the EventLog Remoting Protocol .
This test reads the DCs Netlogon SysvolReady registry key to validate that SYSVOL is being advertised:
HKEY_Local_Machine\System\CurrentControlSet\Services\Netlogon\Parameters
SysvolReady=1
The value name has to exist with a value of 1 to pass the test. This test will work with either FRS or DFSR -replicated SYSVOLs. It doesn’t check if the SYSVOL and NELOGON shares are actually accessible, though ( CheckSecurityError does that).
The test uses RPC over SMB (through a named pipe to WinReg ).
This test validates that DCLocator queries return the five “capabilities” that any DC must know of to operate correctly.
If not hosting one, the DC will refer to another DC that can satisfy the request; this means that you must carefully examine this under /v to make sure a server you thought was supposed to be holding a capability actually is correctly returned. If no DC answers or if the queries return errors then the test will fail.
The tests use RPC over SMB with the standard DsGetDcName DCLocator queries.
This test uses Directory Replication Service (DRS) functions to check for conditions that would prevent inter-site AD replication within a specific site or all sites:
KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
You must be careful with this test’s command-line arguments and always provide /a or /e . Not providing a site means that the test runs but skips actually testing anything (you can see this under /v ).
All tests use RPC over the network to test the replication aspects and will make registry connections (RPC over SMB to WinReg) to check for those NTDS settings override entries . LDAP is also used to locate connection info.
This test queries the Knowledge Consistency Checker on a DC for KCC errors and warnings generated in the Directory Services event log during the last 15 minutes. This 15 minute threshold is irrespective of the Repl topology update period (secs) registry value on the DC.
By default, remote connections to the event log are disabled by the Windows Server 2008/R2 firewall rules so this test will fail. KB2512643 covers enabling those rules to allow the test to succeed.
The test uses RPC , specifically with the EventLog Remoting Protocol .
This test returns the DC's knowledge of the five Flexible Single Master Operation (FSMO) roles. The test does not inherently check all DCs knowledge for consistency, but using the /e parameter would provide data sufficient to allow comparison.
The test uses RPC to return DSListRoles within the Directory Replication Service (DRS) functions.
This test checks if:
This test also mentions two repair options:
This test uses LDAP and RPC over SMB .
This test checks permissions on all the naming contexts (such as Schema, Configuration, etc.) on the source DC to validate that replication and connectivity will work between DCs. It makes sure that “Enterprise Domain Controllers” and “Administrators” groups have the correct minimum permissions. This is the same performed test within CheckSecurityError .
The test uses LDAP .
This test is designed to:
Both of these tests are also performed by CheckSecurityError .
The tests use SMB and RPC over SMB (through named pipes).
This test verifies that replication of a few key objects and attributes has occurred and displays up-to-dateness info if replication is stale. By default the two objects validated are:
This test is not valuable unless run with /e or /a as it just asks the DC about itself when those are not specified. Using /v will give more details on objects thought to be stale based on version.
You can also specify arbitrary objects to test with /objectdn /n , which can be useful after creating a “canary” object to validate replication.
The tests are done using RPC with Directory Replication Service (DRS) functions.
This test is designed to check external trusts. It will not run by default and will fail even when provided correct /testdomain parameters, validating the secure channel with NLTEST.EXE , and using a working external trust . It does state that the secure channel is valid but then mistakenly reports that there are no working trust objects. I’ll update this post when I find out more. This test should not be used.
Validates many of the same aspects as the Dcpromo test. It requires the /dnsdomain switch to specify a domain that would be the target of registration; this can be a different domain than the current primary one. It specifically verifies:
The test uses DNS on the network.
This test checks all AD replication connection objects for all naming contexts on specified DC(s) to see:
The tests are done with LDAP and RPC using DsReplicaGetInfo .
This test validates that the RID Master FSMO role holder:
This role must be online and accessible for DCs to be able to create security principals (users, computers, and groups) as well as for further DCs to be promoted within a domain.
This test validates that various AD-dependent services are running, accessible, and set to specific start types:
(If target is Windows Server 2008 or later)
(If using SMTP-based AD replication)
These are the “real” service names listed in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. If this test is specified when targeting Windows Server 2003 DCs it is expected to fail on RpcSs. See KB2512643 .
The test uses RPC and the Service Control Manager remote protocol.
This test validates the System Event Log’s health by reading and printing entries from the past 60 minutes (stopping at computer startup timestamp if less than 60 minutes). Errors and warnings will be printed, with no evaluation done of them being expected or not – this is left to the DCDIAG user.
By default, remote connections to the event log are disabled by the Windows Server 2008/R2 firewall rules so this test will fail. KB2512643 covers enabling those rules to allow the test to succeed.
The test uses RPC , specifically with the EventLog Remoting Protocol .
This test checks that a server has a fully-connected AD replication topology. This test must be explicitly run. It checks:
The test uses DsReplicaSyncAll with the flag of DS_REPSYNCALL_DO_NOT_SYNC. Meaning that the test analyzes and validates replication topology without actually replicating changes. The test does not validate the availability of replication partners – having a partner offline will not cause failures in this test. This does not test if the schedule is completely closed, preventing replication; to see those active replication results, use tests Replications or CutoffServers .
This test verifies computer reference attributes for all DCs, including:
Note that the two DFSR tests are only performed if domain functional level is Windows Server 2008 or higher. This means there will be an expected failure if DFSR has not been migrated to SYSVOL as the test does not actually care if FRS is still in use.
The test uses LDAP . The DCS are not all individually contacted, only the specified DCs are contacted.
This test verifies computer reference attributes for a single DC, including:
This is similar to the VerifyEnterpriseRefrences test except that it does not check partition cross references or all other DC objects.
The test uses LDAP .
This test verifies that the specified server does indeed host the application partitions specified by its crossref attributes in the partitions container. It operates exactly like CheckSDRefDom except that it does not show output data and validates hosting.
This test uses LDAP .
That’s all folks.
- Ned “that was seriously un-fun to write” Pyle
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.