Working with the Domain Controller Diagnostic Utility - Part 6

In this section, I will show you the remaining tests that can be performed on the Domain Controller.


Brien M. Posey


Introduction

In this article series, I have explained that many different tests can be performed on your Domain Controller using the Domain Controller Diagnostic Utility. A few tests still remain to be introduced, and to finish the series this part covers them.

Register in DNS

If you work with Windows, you will know that Active Directory is entirely dependent on DNS services, and that each host on your network requires a Host (A) record on your organization's DNS server. What many people don't realize is that when you create the first domain in a forest, a number of domain-specific DNS records are created inside a folder called DomainDnsZones. This folder is located inside Forward Lookup Zones, within the domain's folder.

The DomainDnsZones folder keeps records for each Domain Controller. Without these records, other servers on the network will not be able to find the domain controller's resources. Therefore, each domain controller needs to register itself within DNS. This is where the Register in DNS test comes in. This test verifies that the Domain Controller can register a server record.

You can do this test by entering the command below:

DCDIAG /Test:RegisterInDns /DnsDomain:

For example, if your domain is called Contoso.com, the command will look like this:

DCDIAG /Test:RegisterInDns /DnsDomain:Contoso.com

Replications

Windows 2000 Server and later versions of Windows Server all use a multimaster domain model. This means that each domain controller has its own copy of the Active Directory database, and updates can be made directly to any copy. When an update is made to the Active Directory database, the update is replicated to the other domain controllers.

This test checks that updates are being replicated properly. If the update process is delayed, the domain controllers will lose synchronization and conflicts can occur.

You can do this test by entering the command below:

DCDIAG /Test:Replications

RID Manager

Whenever you create a new Active Directory object, such as a user or a group, Windows assigns it a unique Security Identifier (SID). The SID is made up of a domain SID that is common to all objects within the domain and a relative identifier (RID) that is unique within the domain. The RID Master provides each Domain Controller within the domain with a number of RIDs that it can use when new objects are created. When its supply of RIDs runs low, the domain controller issues a request to the RID Master for additional RIDs. If the Domain Controller cannot contact the RID Master, then no additional objects can be created on that Domain Controller once its RIDs run out.

The RID Manager test allows you to verify that the domain controller can identify and contact the RID Master, and that the RID Master contains the appropriate information. You can run this test by entering the command below:

DCDIAG /Test:RidManager

Services

In Windows Server 2008, Active Directory is now listed as a service within the Service Control Manager. As you might guess, Active Directory is a bit more complicated than it first appears. The Active Directory Domain Service has a number of dependent services, including DNS Server (if it is present on the server), Kerberos Key Distribution Center, Intersite Messaging and File Replication Service.

You can use this test to make sure that the Active Directory Domain Service and all of its supporting services are working properly. To run the test, use the following command:

DCDIAG /Test:Services

System Log

According to Microsoft documentation, the System Log test checks the system to make sure that no errors are occurring. This makes it sound as though the test parses the event log looking for errors. Maybe one of its steps does so, but that is not what appears to happen when you run this test.

When running this test, the Domain Controller Diagnostic Utility starts by identifying its server and Active Directory forest. It then performs a connectivity check, the system log check and a series of tests on the Active Directory partitions (ForestDnsZones, DomainDnsZones, Schema, Configuration, etc.).

You can run the System Log test by entering the following command:

DCDIAG /Test:SystemLog

Topology

Windows Server uses the Directory System Agent (DSA) to provide access to the data store. The DSA is made up of different services and processes that facilitate that access. The DSA is part of the Local System Authority subsystem and is accessed via the LDAP protocol.

When multiple domain controllers are in use, each domain controller must have topology information that links it to the other DSAs. This test validates that the topology Windows has generated is fully connected for all DSAs.

One important thing to know about this test is that it is one of the few tests that does not run by default. It must be executed manually. You can do this test by entering the command below:

DCDIAG /Test:Topology

Verify References

The Verify References test ensures that the system references required by the File Replication Service and the general replication infrastructure are intact. You can run it by using the following command:

DCDIAG /Test:VerifyReferences

Verify Enterprise References

The Verify Enterprise References test is similar to Verify References. It checks that the references required by the File Replication Service and the general replication infrastructure are intact. The difference between the two is that this test checks the File Replication Service and general replication infrastructure references across all Domain Controllers throughout the enterprise.

This is also a test that doesn't run by default. You can run it using the following command:

DCDIAG /Test:VerifyEnterpriseReferences

Verify Replicas

This is another test that does not run by default. The basic idea behind this test is that Windows allows you to create application directory partitions, and those partitions can be replicated to other servers. This test allows you to verify that all replica servers contain the appropriate copies. Perform the test using the following command:

DCDIAG /Test:VerifyReplicas
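
The three tests described above as not running by default (Topology, VerifyEnterpriseReferences and VerifyReplicas) are easy to forget in a routine health check. The following script is an added example, not part of the original article: it runs each of them and turns the result lines into objects that can be filtered for failures. The function names, the server name DC01 and the sample output are constructed for illustration, and the parser assumes dcdiag's English "passed test" / "failed test" result lines.

```powershell
# Tests this article names as not running by default.
$NonDefaultTests = 'Topology', 'VerifyEnterpriseReferences', 'VerifyReplicas'

function ConvertFrom-DcDiagOutput {
    # Hypothetical helper: parses "<target> passed|failed test <name>" result lines.
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)') {
            [pscustomobject]@{
                Target = $Matches.Target
                Test   = $Matches.Test
                Passed = ($Matches.Result -eq 'passed')
            }
        }
    }
}

function Invoke-NonDefaultDcDiag {
    # Runs each test on its own so a failure is attributed to a single test.
    # dcdiag also runs its connectivity check each time, so that result repeats.
    param([string]$Server = $env:COMPUTERNAME)
    foreach ($test in $NonDefaultTests) {
        & dcdiag.exe "/s:$Server" "/test:$test" | ConvertFrom-DcDiagOutput
    }
}

# Constructed sample output, so the parser can be tried away from a domain controller.
$sample = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Topology
         ......................... DC01 passed test Topology
      Starting test: VerifyReplicas
         ......................... DC01 failed test VerifyReplicas
'@ -split "`r?`n"

# Lists only the failed tests (here: VerifyReplicas on DC01).
$sample | ConvertFrom-DcDiagOutput | Where-Object { -not $_.Passed }

# On a domain controller, run the real tests instead:
# Invoke-NonDefaultDcDiag -Server DC01 | Where-Object { -not $_.Passed }
```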

Conclusion

As you can see, the Domain Controller Diagnostic Utility can perform many different tests. In this article, I have shown you a lot of tests that you can do, and I wish you every success.
