Introduction to windows 2000 Domain Controller diagnostic tools

Windows 2000Domain ControllerDiagnostic tool that can analyze the status of the domain controller in the directory forest or organization. The specific content is as follows.

I. Features

Dcdiag.exe is a domain controller diagnostic tool. Before explaining this tool, you must first interpret several concepts.

1. Domain: in short, a network is a unit of centralized data security management composed of domains. It has a unique name and can define security boundaries in the Active Directory. The domain originally appeared in windowsNT and is inherited by CW2KP.

2. Some Contents in the directory forest are simply called forests.): You can see the name. This is a collection of many directories. For the exact meaning, see related materials.

As mentioned above, windows2000 has enhanced network functions. This diagnostic tool can only be used in a network environment, and it is impossible to use domain controllers in a standalone environment. in other words, the domain controller is diagnosed. dcdiag can analyze the status of domain controllers in the directory forest or "Organization" and generate a report that brings together all the problems that have passed the diagnostic test, when the administrator or technical support personnel analyzes the problem and resolves the fault, this serves as a reference for judgment. dcDiag itself can report problems to end users. In the program, it has encapsulated detailed functions and knowledge about how to identify abnormal states of the system.

If DcDiag is understood as a framework, this framework is composed of a series of tests and verifications for the system. of course, since it is a test, these tests must be carried out in a certain order. the program diagnoses and tests the domain controller based on the user's choice. In terms of scope, the test can be certain items for the organization unit, site, or single server, you can also perform a complete test on all projects. in terms of execution methods, a test can specify a project or skip unnecessary projects. generally, the following items should be included:

· Connectivity

· Copy

· Complete extension

· Check NCHead Security Descriptor

· Check logon Permissions

· Obtain the domain controller location

· Security boundaries

· Check tasks or roles.

· Verify the trust relationship.

In the previous NetDiag connectivity test tool, there were also projects for trust relationship verification. For details, refer to my previous article "Introduction to connectivity test tools ")

Ii. Syntax:

Dcdiag/s: DomainController [/n: NamingContext] [/u: Domain \ Username/p: {* | Password | ""}] [{/a |/e}] [{/q |/v}] [/I] [/f: logFile] [/ferr: ErrLog] [/c [/skip: Test] [/test: Test] [{/h |/?}]

Parameter description:

/S: DomainController

The primary server used by the domain controller. This is a required parameter and cannot be omitted.

/N: NamingContext

Specify the system associated with the test. You can specify NetBIOS, DNS, or other systems for the domain.

/U: Domain \ Username/p: {* | Password | ""}

The prompt symbol used to use the Trust creden attached to "domain/User Name" is actually the display symbol of the password. For example, when we type the password, it is not the password itself, it is the *** symbol. it is also used .... as the display symbol.

/

Test all servers of the website.

/E

Test all servers in the entire plan and ignore option/

/Q

Print the error message report during idle time.

/V

Print the detailed information report.

/I

Ignore unnecessary error messages.

/F: LogFile

Change all information reports to the registration files named by LogFile, that is, do not output the information reports to the default registration files of the system.

/Ferr: ErrLog

Change the fatal error information to a separate registration file named by ErrLog., which is similar to the previous one.

/C

Run all test items, including non-default tests. If you have determined that some projects do not require tests, you can use the/skip switch to specify which tests can be skipped. Non-default tests refer to the following items:

Extension

Whether the server of the Peer server is disabled

Security channel output range.

Skip: Test

Use the skip switch to indicate that to skip unexpected projects, you must use/c to select a full test, note that there are no conflicting options in the command line.

/Test: Test

Only a single test is run, but the connectivity test cannot be skipped. Note that there are no conflicting options in the command line.

The following names must be used no matter which tests are performed or which tests are skipped:

Connectivity

Test whether the domain controller has been registered in the DNS domain name resolution service system, or has passed the Ping test, and is compatible with LDAP/RPC ..

Replications Replication

Check the replication between domain controllers.

Topology Extension

Check the Extension Structure of all links of all domain controllers)

CutoffServers

Check whether the server has not received the copy because the other server is disabled.

NCSecDesc

Check the security descriptor with sub-names as the associated information

NetLogons

Check whether the logon permission is appropriate. If appropriate, allow replication to continue.

LocatorGetDc

Check whether each domain controller has ads that can be closed.

Intersite

Check temporary bitwise Replication

RolesHeld

Check the known global "task occupies role-holders)", possible locations, and responses.

RidManager

Checks whether the RID is accessible and whether the related information is correct.

MachineAccount

Check the computer account information.

Services

Checks the operation of the domain controller service.

OutboundSecureChannels

Check the security channel from the specified domain

ObjectsReplicated

Check the computer account and copy of the DSA object

{/H | /?} Displays help information.

Iii. Verification and discovered problems

This tool can only run in the command line. Follow the previous instructions to open the command line window. After opening this window, type: dcdiag /? Or dcdiag/h, which can display help information. Maybe there are too many projects in this tool! The displayed help information is very long and detailed descriptions are provided for the usage of each test item in the tool. if you want to study the information carefully, it is recommended to save the information to a file for further study. to save the help information, you can display the complete help information in the command line window, move the mouse to the icon of the command line window in the "Tray" under the screen, right click, A menu appears, including "edit", and then move the mouse to "edit". The next menu is displayed automatically, click "select all", and then click "copy" to paste it into the notepad window and save it.

According to the displayed information, the content is different from the content described in the second section above. It is also a tool with its dedicated help documentation and usage /? The help information obtained is different. It was not the first time in SupportTools. I have never figured out the cause. After comparison, we found that the following items are not found in the help document:

/Fix: security fix

Frssysvol-This test is used to check whether the file and system volume are ready.

Kccevent-This test is used to check compatibility or conflict with external Com ports .)

Systemlog-This test is used to check external errors in system operation.

The above information is found after I intercept the prompt information in the command line window and compare it with the help document. at the same time, it is also found that some projects are described in the help document, but not in the prompt information. for the test items in the tool, I have only performed a few verifications considering the time and conditions. It is okay to run normally.

I hope this article will be helpful to readers in introducing windows 2000 Domain Controller diagnostic tools.