Guy recommends:
Install a ticket-based help desk
system from SolarWinds.
Custom Search
Windows Server 2003 - DCDiag Tutorial
Windows Server 2003 - DCDiag TutorialDCDiag is one of those command line utilities that you should turn to when you
have a Windows Server 2003 problem.& As a source of Active Directory clues, DCDiag comes second only to the Event Logs.& You may have guessed that the DC in DCDiag means domain controller.Even if your Active Directory
appears to be running smoothly, it is still worth
running DCDiag, if only to learn about the components of a healthy operating system.& For example DCDiag shows the existence of the knowledge consistency checker (kccevent).Tutorial Topics for DCDiag
Preparing to install or migrate to Exchange 2003.
Checking FSMO roles.
Troubleshooting Group Policy.
Investigating Active Directory not replicating frssysvol error.
Running down Kerberos authentication problems.
Resetting the Directory Service Administrator's password.
Fixing a servers Service Principle Name (SPN) error.
With DCDiag it's not so much installing, as getting a copy from the Window Server 2003 Support tools.& I could not help noticing that after I installed Windows Server 2003 SP1, there was a new
DCDiag with twice the file size.& It reported to be version 5.2..& Intrigued, I checked the old version and found it was 5.2.3790.0 (no 1830).& Further research revealed that indeed, the
new ve as DNS is always a worry whenever there is an Active Directory problem, I was pleased to see Microsoft added extra DNS health checks in the latest version of DCDiag.& (See bottom of this page
for a free copy of DCDiag.)
I have to admit that at first I had no idea that DCDiag had switches.& Whilst I should have known that Microsoft would provide switches, I had no idea that there were so many.& I will let you into
another secret, I have never before know the /v (verbose) to be of any use.& My point is that many utilities have this switch and normally I avoid it, but in the case of DCDiag the /v is a little gem,
which I use at every opportunity.
/q& From the sublime /v you could go to the ridiculous /q which only report errors./s As always, '/s specifies the server, or in this case, the Domain Controller./fix
Fixes Service Principal Names (SPN)& problems./f:logfile.txt Slightly confusing given that there is also a /fix switch.& It works like the re-direct pipe (& filename.txt).& Personally, I copy and paste from the command prompt, but if you
are more organized, then use /f:filename to output to a file./test: Confession time.& I gave up with the /test, I just could not get it to filter the dns tests as advertised.& I
consoled my self that you can always get the information by running the full test and just reading the parts that are of interest.& However, I got the /test switch working perfectly with NetDiag,
therefore, is it
me or have Microsoft made a documentation error?
Guy Recommends:& A Free Trial of the Network Performance Monitor
SolarWinds'
will help you discover what's happening on your network.& This
utility will also guide you thr the dashboard will
indicate whether the root cause is a broken link, faulty equipment or
resource overload.
Perhaps the NPM's best feature is the way it suggests solutions to network
problems.& Its second best feature is the ability to monitor the health of individual VMware
virtual machines.& If you are interested in troubleshooting, and creating network maps, then I recommend that you
give this Network Performance Monitor a try.
&***Searching...ldap_search_s(ld, &DC=cp,DC=com&, 2, &(cn=a*)&, attrList, 0, &msg)Result &0&: (null)Matched DNs: Getting 24 entries:&& Dn:
CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com2& objectClass: 1& cn: a86fe12a-0f62-4e2a-b271-d27f601f8182; 1& distinguishedName:
CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC= 1& name: a86fe12a-0f62-4e2a-b271-d27f601f8182; 1& canonicalName: cp.com/System/DomainUpdates/Operations/a86fe12a-0f62-4e2a-b271-d27f601f8182;
&& Dn: CN=abc3-455d-9ff7-b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com2& objectClass: 1& cn: abc3-455d-9ff7-b6; 1&
distinguishedName: CN=abc3-455d-9ff7-b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC= 1& name: abc3-455d-9ff7-b6; 1& canonicalName: cp.com/System/DomainUpdates/Operations/abc3-455d-9ff7-b6;
&& Dn: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={3B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com2& objectClass: packageR
1& cn: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9; 1& distinguishedName: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={3B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=
1& name: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9; 1& canonicalName: cp.com/System/Policies/{3B-4A81-99D0-B5B06B8AD999}/Machine/Class Store/Packages/ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9; &&
Dn: CN=ababbed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com3& objectClass: categoryR 1& cn: ababbed-ac94-a65c89516e84;
1& distinguishedName: CN=ababbed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC= 1& name: ababbed-ac94-a65c89516e84; 1& canonicalName:
cp.com/System/Default Domain Policy/AppCategories/ababbed-ac94-a65c89516e84; && Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com2& objectClass: 1& cn: Account O
1& description: Members can administer domain use 1& distinguishedName: CN=Account Operators,CN=Builtin,DC=cp,DC= 1& name: Account O 1& canonicalName:
cp.com/Builtin/Account O && Dn: CN=Administrator,CN=Users,DC=cp,DC=com4& objectClass: organizationalP 1& cn: A 1& description: Built-in account
for administering the computer/ 1& distinguishedName: CN=Administrator,CN=Users,DC=cp,DC= 1& name: A 1& canonicalName: cp.com/Users/A && Dn: CN=Administrators,CN=Builtin,DC=cp,DC=com
2& objectClass: 1& cn: A 1& description: Administrators have complete and unrestricted access to the computer/ 1& distinguishedName: CN=Administrators,CN=Builtin,DC=cp,DC=
1& name: A 1& canonicalName: cp.com/Builtin/A
Tutorial Leaning Points1) DCDiag has several useful switches.& Actually the switches are an example of horses for courses, for example, if you only want to report on errors, then
enter /q.& However if you want chapter and verse then /v is your best bet.2)
Use the output as an opportunity to investigate services, for example 'The File Replication Service SYSVOL'.& any problem with the frssysvol could alert you to Group Policy problems.
Guy Recommends: SolarWinds Network Topology Mapper (NTM)
NTM will produce a neat diagram of your network topology.& But that's
create an inventory of the hardware and software
of your machines and network devices.& Other neat features include dynamic
update for when you add new devices to your network.& I also love the ability to export
the diagrams
to Microsoft Visio.
Finally, Guy bets that if you test drive the Network Topology
Mapper then you will
find a device on your network that you had forgotten about, or someone else
installed without you realizing!
Download your 14 day free trial of
If you like this page then please share it with your friends
See more Windows tools&二次元同好交流新大陆
扫码下载App
汇聚2000万达人的兴趣社区下载即送20张免费照片冲印
扫码下载App
温馨提示！由于新浪微博认证机制调整，您的新浪微博帐号绑定已过期，请重新绑定！&&|&&
LOFTER精选
网易考拉推荐
用微信&&“扫一扫”
将文章分享到朋友圈。
用易信&&“扫一扫”
将文章分享到朋友圈。
一：DcDiag工具语法格式
　　DcDiag.exe
/s:&Domain Controller&
[/u:&Domain&\&Username&
/p:*|&Password&|""]
&&&&&&&&&&&&&&&[/hqv]
[/n:&Naming Context&]
[/f:&Log&]
[/ferr:&Errlog&]
&&&&&&&&&&&&&&&[/skip:&Test&]
[/test:&Test&]
二：主要参数说明：
　　/s:Domain Controller - 指定测试的DC，默认测试本机。
　　/n:Naming Context - 指定测试时关联的名称上下文。似乎只能使用域名称上下文，无法测试Schema,Configration等名称上下文。
　　　　　　　　　　 域名称上下文可以使用域的DNS名称，NetBios名称或DN名称。
　　/u:Domain\Username /p: - 用指定的帐号密码连接DC，此时该帐号的密码为显示密码。
　　 如：DcDiag&/u:\administrator
/p:1qa2ws3ed
- 测试当前站点所有DC
　　/e - 测试整个企业(整个林)中所有DC的状况
　　/q - 只显示错误信息
- 显示详细检测报告　
　　/i - 忽略多余的错误信息
&&&&&&&/fix
- 仅对 MachineAccount 测试有影响。此参数会使测试过程对目录服务器的计算机帐户对象上的服务主体名称 (SPN)
- 将信息报告输出到指定的文件
　　/ferr - 将致命错误输出重定向指定的文件
- 诊断除 DcPromo 和 RegisterInDNS 之外的所有测试项目，包括非默认的测试。
　 　　非默认测试项包括：拓扑，对方服务器是否关闭，安全通道输出范围以及DNS动态注册等。
　　/skip:Test -　指定不进行诊断的测试项，必须与/c配合使用。
　　/test:Test
-&&只运行单一测试项，但连通测试不跳过
　　　　　具体测试项有：
　　　　　　　Connectivity -
连通性。测试DC是否在DNS中登记注册，Ping测试以及LDAP/RPC的可用性。
　　　　　　　Replications - 检测DC之间的复制情况
　　　　　　　Topology - 检查KCC是否为所有DC生成完整的链接拓扑
　　　　　　　CutoffServers - 检查因复制伙伴不可用而没有接受到的复制的DC
　　　　　　　NCSecDesc - 检查在名称上下文头中的安全描述符是否有适当的复制权限
　　　　　　　NetLogon - 检查是否有进行复制的适当登录权限
　　　　　　　Advertising －　检查每个DC是否已公告它自己能够执行的角色。如果 Net Logon
服务停止或未能启动，则此测试将失败。
　　　　　　　KnowsOfRoleHolders － 检查DC是否可以与FSMO操作主机正常联系
　　　　　　　Intersite - 检查会阻止或暂时中止站点间复制的故障，并尝试预测 KCC
能够恢复之前需要的时间。
　　　　　　　FSMOCheck - 检查DC是否能联系密钥发行中心 (KDC)、时间服务器、首选时间服务器、主目录服务器（主域控制器
(PDC)）和全局编录服务器。
　　　　　　　RidManager - 检查是否可访问 RID 主机，以及 RID 主机是否包含正确的信息。
&&&&&&&&&&&&&&&&&&&&&&&&MachineAccount
－ 检查机器的帐户是否包含正确信息。
　　　　　　　　　　　　　　　　如果本地计算机帐号丢失，使用/RecreateMachineAccount进行尝试修复
　　　　　　　　　　　　　　　　如果本地计算机帐号标志不正确，使用/FixMachineAccount进行尝试修复
&&&&&&&&&&&&&&&&&&&&&&&&Services
- 检查DC服务是否在运行正常
&&&&&&&&&&&&&&&&&&&&&&&&OutboundSecureChannels
检查当前域中所有DC的安全通道。
　　　　　　　ObjectsReplicated - 检查 Machine Account 和 DSA
对象是否已复制
&&&&&&&&&&&&&&&&&&&&&&&&frssysvol
- 检查SYSVOL文件夹共享状态。
　　　　　　　frsevent
-&&检查FRS是否存在错误记录
　　　　　　　kccevent -&&检查
KCC是否存在错误记录。
&&&&&&&&&&&&&&&&&&&&&&&&systemlog
- 检查系统是否无错误运行。
&&&&&&&&&&&&&&&&&&&&&&&&DCPromo
检查DC上的DNS记录是否正常&&&&&&&&&&&&&&&&&&&&&
　　　　　　　RegisterInDNS - 检查DC是否在DNS中注册
　　　　　　　CrossRefValidation - 检查交叉引用是否有效
&&&&&&&&&&&&&&&&&&&&&　CheckSDRefDom
- 检查目录分区的安全
&&&&&&&&&&&&&&&&&&&&&&&&VerifyReplicas
- 检查复制服务器上目录分区的安全性
　　　　　　　VerifyReference - 检查对于 FRS 和“复制”基础结构系统参数的正确与完整性
&&&&&&&&&&&&&&&&&&&&&&&&VerifyEnterpriseReferences
- 检查整个企业范围内的所有DC上系统参数是否正确与完整
&&&&&&&&&&&&&&&&&&&&&&&(Win2003
SP1新增功能)
&&&&&&&&&&&&&&&&&&&&&&&CheckSecurityError
- 检测可能会造成AD复制失败的安全配置
&&&&&&&&&&&&&&&&&&&&&&&DNS
- 检查整个企业内的DNS健康性。
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&DNS测试子项有：
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsBasic
- 基本DNS测试，包括网络连接性、DNS客户端配置、服务可用性和区域存在性。
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsForwarders
-&&/DnsBasic
测试，还检查转发器的配置
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsDelegation
- /DnsBasic 测试，还检查委派配置
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsDynamicUpdate
- /DnsBasic测试,还检查是否配置动态更新
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsRecordRegistration
- /DnsBasic测试,检查是否已注册A、CNAME和已知的SRV记录。此外，还根据结果创建清单报告
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsResolveExtName
- /DnsBasic测试，还尝试解析指定的域名名称.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsInternetName
- /DnsBasic测试，还尝试解析指定域名
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/DnsAll
- 除了/DnsResolveExtName外的所有DNS测试项
三：使用示例
&&&&DcDiag参数众多，且可以组合使用，下面只给出基本的使用示例，对用法做一简单描述。
&&&&1：最简单的用法,诊断当前DC状况
&&&&&&&&DcDiag
&&&&2：测试当前DC的连通性
&&&&&&&dcdiag&/s:vmtest
/test:connetivity
&&&&3：测试整个林拓扑结构
&&&&&&dcdiag&/e
/test:Topology
&&&&4：DCPromo参数用法。注：DcPromo主要是当使用AD安装向导或通过DCPromo命令安装AD出错时使用
&&&&&&&测试是否可以在当前服务器上新建一个林
&&&&&&&&dcdiag&/test:dcpromo
/ /newforest
&&&&&&&测试是否可以在当前服务器上新建树&&&&&&&&dcdiag&/test:DCpromo
/ /newtree /
&&&&&&&测试是否可以在当前服务器上新建子域
&&&&&&&&dcdiag&/test:dcpromo
/ /childDomain
&&&&&&&测试是否可以在当前服务器上安装辅助DC
&&&&&&&&dcdiag&/test:dcpromo
/ReplicaDC&&&&
&&&&&5：测试DC是否在DNS中注册
&&&&&&&&&Dcdiag&/v
/test:RegisterInDns /
&&&&&6：DNS诊断
&&&&&&&&最简单用法,测试除/DnsResolveExtName之外的六项子测试
&&&&&&&&&dcdiag&/test:dns
&&&&&&&&基本测试：执行基本&DNS
测试，包括网络连接性、DNS 客户端配置、服务可用性和区域存在性
&&&&&&&&&dcdiag&/test:dns
&&&&&&&&测试DnsBasic和转发器
&&&&&&&&&dcdiag&/v
/test:dns /dnsForwarders
&&&&&&&&测试DnsBasic和解析指定的域名
&&&&&&&&&Dcdiag&/v
/test:dns /dnsinternetname:
用微信&&“扫一扫”
将文章分享到朋友圈。
用易信&&“扫一扫”
将文章分享到朋友圈。
历史上的今天
loftPermalink:'',
id:'fks_',
blogTitle:'AD维护管理工具详解（一）dcdiag',
blogAbstract:'\n\t\t\t\n\n\n\n工具名称：DcDiag',
blogTag:'',
blogUrl:'blog/static/',
isPublished:1,
istop:false,
modifyTime:0,
publishTime:9,
permalink:'blog/static/',
commentCount:0,
mainCommentCount:0,
recommendCount:0,
bsrk:-100,
publisherId:0,
recomBlogHome:false,
currentRecomBlog:false,
attachmentsFileIds:[],
groupInfo:{},
friendstatus:'none',
followstatus:'unFollow',
pubSucc:'',
visitorProvince:'',
visitorCity:'',
visitorNewUser:false,
postAddInfo:{},
mset:'000',
remindgoodnightblog:false,
isBlackVisitor:false,
isShowYodaoAd:false,
hostIntro:'',
hmcon:'1',
selfRecomBlogCount:'0',
lofter_single:''
{list a as x}
{if x.moveFrom=='wap'}
{elseif x.moveFrom=='iphone'}
{elseif x.moveFrom=='android'}
{elseif x.moveFrom=='mobile'}
${a.selfIntro|escape}{if great260}${suplement}{/if}
{list a as x}
推荐过这篇日志的人：
{list a as x}
{if !!b&&b.length>0}
他们还推荐了：
{list b as y}
转载记录：
{list d as x}
{list a as x}
{list a as x}
{list a as x}
{list a as x}
{if x_index>4}{break}{/if}
${fn2(x.publishTime,'yyyy-MM-dd HH:mm:ss')}
{list a as x}
{if !!(blogDetail.preBlogPermalink)}
{if !!(blogDetail.nextBlogPermalink)}
{list a as x}
{if defined('newslist')&&newslist.length>0}
{list newslist as x}
{if x_index>7}{break}{/if}
{list a as x}
{var first_option =}
{list x.voteDetailList as voteToOption}
{if voteToOption==1}
{if first_option==false},{/if}&&“${b[voteToOption_index]}”&&
{if (x.role!="-1") },“我是${c[x.role]}”&&{/if}
&&&&&&&&${fn1(x.voteTime)}
{if x.userName==''}{/if}
网易公司版权所有&&
{list x.l as y}
{if defined('wl')}
{list wl as x}{/list}