Working with the Domain Controller Diagnostic Utility - Part 3
In this article, I will continue the discussion of the Domain Controller Diagnostic Utility by examining some of its tests.
You now know that the Domain Controller Diagnostic Utility has many switches you can use to configure it to run in the way most appropriate to your own situation. We have already introduced the switches, so now we go back to the individual tests that the utility is capable of performing.
Advertising
The first test you can perform is Advertising. This test checks whether the Directory System Agent is advertising itself. If it is, the test then ensures that the advertisement lists the domain controller as having the capabilities of a Directory System Agent.
In case you are not familiar with the concept, the Directory System Agent (commonly abbreviated as DSA) is a collection of services and processes that run on domain controllers. Its job is to provide access to the Active Directory database. The DSA is a subcomponent of the Local System Authority (LSA). The reason it comprises so many processes and services is that it provides multiple mechanisms for client access.
The best known of these mechanisms is the Lightweight Directory Access Protocol, or LDAP for short. LDAP is the protocol that most recent Windows operating systems use to query Active Directory. Older clients still require DSA access, but this is typically done through the Security Account Manager (SAM). This is because there is no mechanism to access the DSA. For example, Microsoft Exchange communicates with the DSA through MAPI calls. DSAs also communicate with one another using remote procedure calls.
CheckSDRefDom
This test verifies that all application directory partitions have appropriate security descriptor reference domains. That description will mean little to anyone who is not familiar with Active Directory, so we will take a moment to explain what the test covers.
As you probably already know, each object in Active Directory includes a security descriptor. The job of the security descriptor is to maintain a list of access control information. Usually, the security descriptor works well for keeping a record of who has access and which components they can access. However, a problem may appear if an organization uses application directory partitions (formerly known as Active Directory Application Mode or ADAM). The reason is that application directory partitions are domain independent. In fact, it is possible to create an application directory partition and then create replicas on domain controllers in multiple domains. Because of this, Windows assigns a security descriptor reference domain to each application directory partition when it is created.
The reference domain tells the application directory partition which domain name to use when a domain value needs to be entered inside a security descriptor. Windows has a number of rules for deciding which domain is used. Put simply, if you create a new application directory partition that is not the child of any other partition, the security descriptor reference domain is the forest root domain, and that is the domain name used within its security descriptors. If the application directory partition is a child of an object, it will assume the security descriptor reference domain of its parent object.
CheckSecurityError
The next test that I want to show you is CheckSecurityError. Unlike the previous tests, CheckSecurityError does not run by default. If you want to run this test, you must specify it within the DCDIAG command.
When running this test, DCDIAG looks for errors related to security issues, as well as errors that may be related to them, and then tries to diagnose the problem. There is an optional parameter that you can use with this test. The /ReplSource switch allows you to specify a particular domain controller to test against. You can use any domain controller you like, regardless of its error state or whether it is an existing replication partner. Simply enter the name of the test (CheckSecurityError), then add /ReplSource, a colon and the name of the domain controller you want to test.
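The following PowerShell sketch is an added example, not part of the original article. It builds the argument list for a single test, including the /ReplSource form described above, and parses DCDIAG's pass/fail summary lines into objects. The names DC01 and DC02 and both function names are placeholders, and the sample output is constructed.

```powershell
# Added example, not from the original article. DC01/DC02 are placeholder names.

function Get-DcDiagArguments {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Test,
        [string]$ReplSource   # optional parameter of the CheckSecurityError test
    )
    $dcArgs = @("/s:$Server", "/test:$Test")
    if ($ReplSource) {
        if ($Test -ne 'CheckSecurityError') {
            throw "/ReplSource is a parameter of the CheckSecurityError test"
        }
        $dcArgs += "/ReplSource:$ReplSource"
    }
    return $dcArgs
}

function ConvertFrom-DcDiagOutput {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Summary lines look like: "......... DC01 passed test Advertising"
        if ($l -match '\.{3,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)') {
            [pscustomobject]@{
                Target = $Matches.Target
                Test   = $Matches.Test
                Passed = ($Matches.Result -eq 'passed')
            }
        }
    }
}

# Constructed sample output (English-language dcdiag) so the parser runs offline.
$sample = @'
   ......................... DC01 passed test Connectivity
   ......................... DC01 passed test Advertising
   ......................... DC01 failed test CutOffServers
   ......................... ForestDnsZones passed test CheckSDRefDom
'@ -split "`r?`n"

# Show only the failures: here, the CutOffServers result for DC01.
ConvertFrom-DcDiagOutput -Line $sample | Where-Object { -not $_.Passed }

# On a real system (assumes dcdiag.exe is on PATH and you hold sufficient rights):
# $out = & dcdiag.exe (Get-DcDiagArguments -Server DC01 -Test CheckSecurityError -ReplSource DC02)
# ConvertFrom-DcDiagOutput -Line $out
```

The parser matches the English-language summary lines only; localized DCDIAG output needs a different pattern.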
Connectivity
Connectivity is one of the most useful tests you can run with DCDIAG. In fact, this test is so important that DCDIAG does not even allow you to skip it. If you run a default instance of DCDIAG, the Connectivity test runs automatically.
Connectivity checks whether domain controllers are registered in DNS. It also checks whether it can ping each domain controller and whether it can establish an LDAP and RDP connection.
CrossRefValidation
This is a test for which you won't find much documentation. What we can offer here comes from informal references. If you encounter a cross-reference validation error, the problem can be solved by using ADSI Edit to remove the object causing the error.
We also want to point out that if you use ADSI Edit incorrectly, you can destroy your Active Directory. Therefore, perform a full system state backup of your domain controllers before making any changes.
CutOffServers
Our final test is CutOffServers. The basic idea behind this test is that in most cases, domain controllers have one or more replication partners. If a domain controller's replication partners are in trouble, the domain controller may not be able to receive Active Directory updates, and DCDIAG will report a CutOffServers error.
One step toward solving this problem is to determine which domain controllers are its replication partners. The actual method varies greatly depending on the Windows version, but in Windows Server 2003 you can look up replication partners through the Active Directory Sites and Services console.
In the tree view, open the Sites container to display a list of the sites in your Active Directory. Next, double-click the site that contains the domain controller you want to check. Then open the Servers folder, followed by the folder corresponding to the name of the domain controller you are interested in. Finally, double-click NTDS Settings, and Windows will display the list of connection objects. This list shows the replication partners in the From Server column.
Conclusion
In this article, I have discussed some of the tests that run with the DCDIAG utility. In the next part of this series, I will continue the discussion by showing you some more tests.