Dcdiag is the Windows 2000 domain controller diagnostic tool, which can analyze the status of domain controllers in a directory forest or enterprise. The details are as follows.
I. Features
Dcdiag.exe is a domain controller diagnostic tool. Before explaining the tool, a few concepts need to be introduced.
1. Domain: in short, a domain is the unit of centralized data and security management from which a network is built. It has a unique name and defines a security boundary in Active Directory. Domains first appeared in Windows NT and were inherited by CW2KP.
2. Directory forest (in some material simply called a forest): as the name suggests, this is a collection of many directories. For the exact meaning, see related materials.
As mentioned above, Windows 2000 has enhanced network functions. This diagnostic tool can only be used in a network environment, because there are no domain controllers in a standalone environment; in other words, what it diagnoses is the domain controller. Dcdiag analyzes the status of domain controllers in the directory forest or enterprise and generates a report that brings together all the problems found by the diagnostic tests. The report serves as a reference when an administrator or technical support staff analyze a problem and resolve the fault. Dcdiag can also report problems directly to end users. The program encapsulates detailed knowledge of how to identify abnormal states of the system.
If Dcdiag is understood as a framework, this framework is composed of a series of tests and verifications of the system, and these tests are carried out in a certain order. The program diagnoses and tests domain controllers based on the user's choices. In terms of scope, the tests can cover the enterprise, a site, or a single server, either for selected items or as a complete test of all items. In terms of execution, you can specify a single test or skip unnecessary ones. Generally, the following items are included:
· Connectivity
· Replication
· Topology integrity
· Check NCHead Security Descriptor
· Check logon Permissions
· Obtain the domain controller location
· Security boundaries
· Check tasks or roles.
· Verify the trust relationship.
The NetDiag connectivity test tool covered earlier also includes trust relationship verification. (For details, refer to my previous article "Introduction to connectivity test tools".)
II. Syntax:
dcdiag /s:DomainController [/n:NamingContext] [/u:Domain\Username /p:{*|Password|""}] [{/a|/e}] [{/q|/v}] [/i] [/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test] [{/h|/?}]
Parameter description:
/S:DomainController
The domain controller to use as the primary server. This is a required parameter and cannot be omitted.
/N:NamingContext
Specify the naming context associated with the test. The domain can be specified in NetBIOS, DNS, or another name format.
/U:Domain\Username /p:{*|Password|""}
Bind using the credentials of "Domain\Username". The prompt symbol is actually the display symbol of the password: when we type the password, what appears is not the password itself but the *** symbol. Sometimes .... is used as the display symbol instead.
/A
Test all servers in the site.
/E
Test all servers in the entire enterprise and ignore the /a option.
/Q
Quiet mode: print only the error message report.
/V
Print the detailed information report.
/I
Ignore unnecessary error messages.
/F:LogFile
Redirect all report output to the log file named by LogFile, instead of sending it to the system's default output.
/Ferr:ErrLog
Redirect fatal error information to a separate log file named by ErrLog, in the same way as the previous switch.
/C
Run all tests, including non-default tests. If you have determined that some tests are not needed, use the /skip switch to specify which ones to skip. The non-default tests are the following:
Topology
Whether a server is cut off because its partner server is down (CutoffServers)
Outbound secure channels (OutboundSecureChannels)
/Skip:Test
Skip the specified test. To skip unwanted tests you must select the full test with /c. Make sure there are no conflicting options on the command line.
/Test:Test
Run only the specified test; the Connectivity test cannot be skipped. Make sure there are no conflicting options on the command line.
The following names must be used, whether you are selecting tests to run or tests to skip:
Connectivity
Test whether the domain controller is registered in DNS, responds to ping, and has LDAP/RPC connectivity.
Replications
Check the replication between domain controllers.
Topology
Check the topology structure of all links between all domain controllers.
CutoffServers
Check whether a server is not receiving replication because its partner server is down.
NCSecDesc
Check the security descriptors on the naming context heads.
NetLogons
Check whether the logon privileges are appropriate, so that replication can continue.
LocatorGetDc
Check whether each domain controller is advertising itself in the roles it can perform.
Intersite
Check for conditions that temporarily hold up intersite replication.
RolesHeld
Check that the global role holders are known, can be located, and are responding.
RidManager
Check whether the RID master is accessible and whether it holds the correct information.
MachineAccount
Check the computer account information.
Services
Checks the operation of the domain controller service.
OutboundSecureChannels
Check the secure channels from the specified domain.
ObjectsReplicated
Check that the computer account and DSA objects have replicated.
{/H | /?} Displays help information.
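As an added example (not part of the original article or of the Support Tools), the PowerShell function below assembles a dcdiag command line while enforcing the switch rules described above: /s is required, /skip needs /c, /skip and /test are not combined, and Connectivity is never skipped. The server name DC01, the account CORP\diagadmin and the log file names are placeholders.

```powershell
# Added example: test names are the ones listed on this page; DC01,
# CORP\diagadmin and the log file names are placeholders.
$KnownTests = 'Connectivity','Replications','Topology','CutoffServers','NCSecDesc',
    'NetLogons','LocatorGetDc','Intersite','RolesHeld','RidManager','MachineAccount',
    'Services','OutboundSecureChannels','ObjectsReplicated',
    'Frssysvol','Kccevent','Systemlog'

function New-DcdiagArgs {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # /s is required
        [string]$BindUser,                               # Domain\Username for /u
        [ValidateSet('Server', 'Site', 'Enterprise')][string]$Scope = 'Server',
        [switch]$Comprehensive,                          # /c
        [string[]]$Skip = @(),                           # /skip:Test
        [string]$Test,                                   # /test:Test
        [string]$LogFile,                                # /f
        [string]$ErrLog                                  # /ferr
    )
    # Switch rules taken from the parameter descriptions above.
    if ($Skip -and -not $Comprehensive) { throw '/skip is only valid together with /c' }
    if ($Skip -and $Test) { throw '/skip and /test conflict on one command line' }
    if ($Skip -contains 'Connectivity') { throw 'the Connectivity test cannot be skipped' }
    foreach ($name in (@($Skip) + @($Test) | Where-Object { $_ })) {
        if ($KnownTests -notcontains $name) { throw "unknown test name: $name" }
    }
    $argList = @("/s:$Server")
    # /p:* makes dcdiag prompt for the password, so it never appears in the
    # command line, shell history, or a scheduled-task definition.
    if ($BindUser) { $argList += "/u:$BindUser", '/p:*' }
    if ($Scope -eq 'Site')       { $argList += '/a' }
    if ($Scope -eq 'Enterprise') { $argList += '/e' }
    if ($Comprehensive) { $argList += '/c' }
    foreach ($name in $Skip) { $argList += "/skip:$name" }
    if ($Test)    { $argList += "/test:$Test" }
    if ($LogFile) { $argList += "/f:$LogFile" }
    if ($ErrLog)  { $argList += "/ferr:$ErrLog" }
    return $argList
}

# Comprehensive run against one server, skipping Topology, with separate logs.
$dcArgs = New-DcdiagArgs -Server 'DC01' -BindUser 'CORP\diagadmin' -Comprehensive `
    -Skip 'Topology' -LogFile 'dcdiag.log' -ErrLog 'dcdiag.err'
"dcdiag $($dcArgs -join ' ')"
# On a machine with the Support Tools installed:  & dcdiag.exe @dcArgs

# A conflicting combination is rejected before anything is executed.
try { New-DcdiagArgs -Server 'DC01' -Comprehensive -Skip 'Replications' -Test 'Services' }
catch { "rejected: $($_.Exception.Message)" }
```

Passing the result as an array to `& dcdiag.exe @dcArgs` keeps each switch a separate argument, so a server or file name containing spaces is not re-parsed by the shell.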
III. Verification and discovered problems
This tool can only be run from the command line. Open a command line window as described earlier and type dcdiag /? or dcdiag /h to display the help information. Perhaps because this tool has so many items, the help output is very long, with detailed descriptions of how each test is used. If you want to study it carefully, save it to a file. To do so, display the complete help information in the command line window, right-click the window's icon on the taskbar at the bottom of the screen, point to "Edit" in the menu that appears, click "Select All" in the submenu that opens, then click "Copy", paste the text into a Notepad window, and save it.
The displayed information differs from the content described in Section II above. For the same tool, the dedicated help documentation and the help information obtained with /? are different. This is not the first time this has happened in Support Tools, and I have never figured out the cause. After comparison, we found that the following items are not in the help document:
/Fix: security fix
Frssysvol - This test is used to check whether the file and system volume are ready.
Kccevent - This test is used to check compatibility or conflict with external COM ports.
Systemlog - This test is used to check external errors in system operation.
I found the above by capturing the help output in the command line window and comparing it with the help document. I also found that some items are described in the help document but do not appear in the help output. As for the test items in the tool, I have only verified a few of them, given the time and conditions available; they ran normally.
I hope this article will be helpful to readers as an introduction to the Windows 2000 domain controller diagnostic tool.