Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.

As an end-user reporting program, dcdiag is a command-line tool that encapsulates detailed knowledge of how to identify abnormal behavior in the system. Dcdiag displays command output at the command prompt.

Dcdiag consists of a framework for executing tests and a series of tests to verify different functional areas of the system. This framework selects which domain controllers are tested according to scope directives from the user, such as enterprise, site, or single server.

Dcdiag is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use dcdiag, you must run the dcdiag command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

dcdiag /s:<DomainController> [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]

Parameters

Parameter Description

/s:<DomainController>

Specifies the name of the server to run the command against. This parameter is required. It is ignored for DcPromo and RegisterInDns tests, which can be run locally only.

/n:<NamingContext>

Uses NamingContext as the naming context to test. You can specify domains in NetBIOS, Domain Name System (DNS), or distinguished name format.

/u:<Domain>\<UserName> /p:{* | <Password> | ""}

Uses Domain\UserName as the account for binding, with Password as the password. By default, dcdiag uses the current credentials of the user (or process) that is logged on. If alternate credentials are needed, use the following options to provide them:

  • Use quotation marks ("") for an empty or null password.

  • Use the wildcard character (*) to prompt for the password.

/a

Tests all the servers on this site.

/e

Tests all the servers in the enterprise. Overrides /a.

/q

Quiet. Prints only error messages.

/v

Verbose. Prints extended information.

/i

Ignores superfluous error messages.

/fix

Affects the MachineAccount test only. This parameter causes the test to fix the Service Principal Names (SPNs) on the Machine Account object of the domain controller.

/f:<LogFile>

Redirects all output to a log file (LogFile).

/c

Comprehensive. Runs all tests except DCPromo and RegisterInDNS, including non-default tests. Optionally, you can use this parameter with the /skip parameter to skip specified tests.

The following tests are not run by default:

  • Topology

  • CutoffServers

  • OutboundSecureChannels

{/h | /?}

Displays help at the command prompt.

/test:<Test>

Runs this test only. The Connectivity test, which you cannot skip, is also run. You should not have this parameter in the same command with the /skip parameter.

/ReplSource:<SourceDomainController>

Tests the connection between the domain controller on which you run the command and the source domain controller. (This parameter is used for the CheckSecurityError test.) SourceDomainController is the DNS name, NetBIOS name, or distinguished name of a real or potential server that will be the source domain controller for replication, as represented by a real or potential connection object.

DNS Test Syntax

The Dcdiag DNS test uses the following syntax:

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:<InternetName>] | /DnsAll] [/f:<LogFile>] [/x:<XMLLog.xml>] [/xsl:<XSLFile.xsl> or <XSLTFile.xslt>] /s:<DomainController> [/e] [/v]

DNS Test Parameters

/test:DNS [DNS test]
Performs the specified DNS test. If no test is specified, defaults to /DnsAll.
/DnsBasic
Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
/DnsForwarders
Performs the /DnsBasic tests, and also checks the configuration of forwarders.
/DnsDelegation
Performs the /DnsBasic tests, and also checks for proper delegations.
/DnsDynamicUpdate
Performs /DnsBasic tests, and also determines if dynamic update is enabled in the Active Directory zone.
/DnsRecordRegistration
Performs the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered. In addition, creates an inventory report based on the test results.
/DnsResolveExtName [/DnsInternetName:<InternetName>]
Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInternetName is not specified, attempts to resolve the name www.microsoft.com. If /DnsInternetName is specified, attempts to resolve the Internet name supplied by the user.
/DnsAll
Performs all tests, except for the /DnsResolveExtName test, and generates a report.
/f:<LogFile>
Redirects all output to LogFile.
/s:<DomainController>
Runs the tests against DomainController.
/e
Runs all tests specified by /test:DNS against all domain controllers in the Active Directory forest.
/v
Verbose. Presents extended information about successful test results, in addition to information about errors and warnings. When the /v parameter is not used, provides only error and warning information. Use the /v switch when errors or warnings are reported in the summary table.
/x:<XMLLog.xml>
Redirects all output to <XMLLog.xml>. This parameter works only with the /test:dns option.
/xsl:<XSLFile.xsl> or <XSLTFile.xslt>
Adds the processing instructions that reference the specified stylesheet. This parameter works only with the /test:dns /x:<XMLLog.xml> option.

Dcdiag tests

The tables in this section show tests that you can run by using dcdiag. The tests are grouped into the following categories:

  • Domain controller tests that you cannot skip

  • Domain controller tests that you can skip

    These tests are grouped into two tables based on whether they run by default.

  • Non-domain controller tests

Domain controller tests that you cannot skip

Connectivity
Checks if domain controllers are registered in DNS, if they can be pinged and if they have LDAP or remote procedure call (RPC) connectivity.

Domain controller tests that you can skip

The following table shows tests that run by default.

Replications
Checks for timely replication and any replication errors between domain controllers.
NCSecDesc
Checks that the security descriptors on the naming context heads have appropriate permissions for replication.
NetLogons
Checks that the appropriate logon privileges exist to allow replication to proceed.
Advertising
Checks whether each domain controller advertises itself in the roles that it should be capable of performing. This test fails if the Netlogon Service has stopped or failed to start.
KnowsOfRoleHolders
Checks whether the domain controller can contact the servers that hold the five operations master roles (also known as flexible single master operations or FSMO roles).
Intersite
Checks for failures that would prevent or temporarily hold up intersite replication and predicts how long it would take for the Knowledge Consistency Checker (KCC) to recover.
Important

Results of this test are often not valid, especially in atypical site or KCC configurations or at the Windows Server 2003 forest functional level.

FSMOCheck
Checks that the domain controller can contact a Kerberos Key Distribution Center (KDC), a time server, a preferred time server, a primary domain controller (PDC), and a global catalog server. This test does not test any of the servers for operations master roles.
RidManager
Checks whether the relative identifier (RID) master is accessible and if it contains the proper information.
MachineAccount
Checks whether the machine account has properly registered and that the services are advertised. Use the /RecreateMachineAccount parameter to attempt a repair if the local machine account is missing. Use the /FixMachineAccount parameter if the machine account flags are incorrect.
Services
Checks whether the appropriate domain controller services are running.
OutboundSecureChannels
Checks that secure channels exist from all of the domain controllers in the domain to the domains that are specified by the /testdomain parameter. The /nositerestriction parameter prevents dcdiag from limiting the test to the domain controllers in the site.
ObjectsReplicated
Checks that the Machine Account and Directory System Agent (DSA) objects have replicated. You can use the /objectdn:dn parameter with the /n:nc parameter to specify an additional object to check.
frssysvol
Checks that the file replication system (FRS) system volume (SYSVOL) is ready.
frsevent
Checks to see if there are errors in the file replication system. (Failing replication of the SYSVOL share can cause policy problems.)
kccevent
Checks that the KCC is completing without errors.
systemlog
Checks that the system is running without errors.
CheckSDRefDom
Checks that all application directory partitions have appropriate security descriptor reference domains.
VerifyReplicas
Checks that all application directory partitions are fully instantiated on all replica servers.
CrossRefValidation
Checks the validity of cross-references.
VerifyReferences
Checks that certain system references are intact for the FRS and replication infrastructure.
VerifyEnterpriseReferences
Checks that specified system references are intact for the FRS and replication infrastructure across all objects in the enterprise on each domain controller.
/skip:<Test>
Skips the specified test. You should not specify this parameter in the same command with the /test parameter. The only test that you cannot skip is Connectivity.

The following table shows tests that do not run by default.

Topology
Checks that the KCC has generated a fully connected topology for all domain controllers.
CheckSecurityError
Reports on the overall health of replication with respect to Active Directory security in domain controllers running Windows Server 2003 SP1. You can perform this test against one or all domain controllers in an enterprise. When the test finishes, dcdiag presents a summary of the results, along with detailed information for each domain controller tested and the diagnosis of security errors that the test reported. The following argument is optional: /ReplSource:SourceDomainController. This argument checks the ability to create a replication link between a real or potential source domain controller (SourceDomainController) and the local domain controller.
CutoffServers
Checks for any server that is not receiving replications because its partners are not running.
DNS
Includes six optional DNS-related tests, as well as the Connectivity test, which runs by default. You can run the tests individually or together. The tests include the following parameters:
  • /DnsBasic

    Confirms that essential services are running and available, necessary resource records are registered, and domain and root zones are present.

  • /DnsForwarders

    Determines whether recursion is enabled and that any configured forwarders or root hints are functioning.

  • /DnsDelegation

    Confirms that the delegated name server is functioning and checks for broken delegations.

  • /DnsDynamicUpdate

    Checks that the Active Directory domain zone is configured to do secure dynamic updates and register a test record.

  • /DnsRecordRegistration

    Tests the registration of all essential DC Locator records.

  • /DnsResolveExtName

    Checks the basic resolution of either an intranet or Internet name.

OutboundSecureChannels
Checks that secure channels exist from all of the domain controllers in the domain to the domains that are specified by the /testdomain parameter. The /nositerestriction parameter prevents dcdiag from limiting the test to the domain controllers in the site.
VerifyReplicas
Checks that all application directory partitions are fully instantiated on all replica servers.
VerifyEnterpriseReferences
Checks that specified system references are intact for the FRS and replication infrastructure across all objects in the enterprise on each domain controller.
Note

AD DS displays text, such as naming context names and server names, which contains international or Unicode characters correctly only if you have installed appropriate fonts and language support on the test computer.

Non-domain controller tests

DcPromo
Tests the existing DNS infrastructure for any computer that you want to promote to be a domain controller. If the infrastructure is sufficient, you can promote the computer to a domain controller in the domain specified in the parameter /DnsDomain:Active_Directory_Domain_DNS_Name. This parameter reports whether any modifications to the existing DNS infrastructure are required. The required argument is /DnsDomain:Active_Directory_Domain_DNS_Name. One of the following arguments is required: /NewForest, /NewTree, /ChildDomain, or /ReplicaDC. If you specify the /NewTree argument, you must also specify the /ForestRoot:Forest_Root_Domain_DNS_Name argument.
RegisterInDNS
Tests whether this domain controller can register the Domain Controller Locator DNS records. These records must be present in DNS for other computers to locate this domain controller for the Active_Directory_Domain_DNS_Name domain. This parameter reports whether any modifications to the existing DNS infrastructure are required. The required argument is /DnsDomain:Active_Directory_Domain_DNS_Name.
Note

With the exception of the DcPromo and RegisterInDNS tests, you must promote computers to be domain controllers before you run tests on them.

Examples

Example 1: A normal domain controller

In this example, you want to examine the domain controller so you can verify that it is healthy and functioning properly. Type the following command at the elevated command prompt:

C:\Windows\system32>dcdiag /s:reskit-DC1 /u:<Domain>\administrator /p:password

Output similar to the following appears:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Connectivity
		 ......................... RESKIT-DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Replications
		 ......................... RESKIT-DC1 passed test Replications
	Starting test: NCSecDesc
		 ......................... RESKIT-DC1 passed test NCSecDesc
	Starting test: NetLogons
		 ......................... RESKIT-DC1 passed test NetLogons
	Starting test: Advertising
		 ......................... RESKIT-DC1 passed test Advertising
	Starting test: KnowsOfRoleHolders
		 ......................... RESKIT-DC1 passed test KnowsOfRoleHolders
	Starting test: RidManager
		 ......................... RESKIT-DC1 passed test RidManager
	Starting test: MachineAccount
		 ......................... RESKIT-DC1 passed test MachineAccount
	Starting test: Services
		 ......................... RESKIT-DC1 passed test Services
	Starting test: ObjectsReplicated
		 ......................... RESKIT-DC1 passed test ObjectsReplicated
	Starting test: frssysvol
		 ......................... RESKIT-DC1 passed test frssysvol
	Starting test: kccevent
		 ......................... RESKIT-DC1 passed test kccevent
	Starting test: systemlog
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:28:25
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:40:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:43:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:58:46
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:02:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:05:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:10:51
			Event String: The time provider NtpClient is configured to
		 ......................... RESKIT-DC1 failed test systemlog

   Running partition tests on : Schema
	Starting test: DeadCRTest
		 ......................... Schema passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
	Starting test: DeadCRTest
		 ......................... Configuration passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RESKIT-DOM
	Starting test: DeadCRTest
		 ......................... RESKIT-DOM passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... RESKIT-DOM passed test CheckSDRefDom

   Running enterprise tests on : RESKIT-DOM.reskit.com
	Starting test: Intersite
		 ......................... RESKIT-DOM.reskit.com passed test Intersite
	Starting test: FsmoCheck
		 ......................... RESKIT-DOM.reskit.com passed test FsmoCheck

Example 2: Failed DNS registration

In this example, you have noticed that one of the domain controllers is not replicating properly. After you verify that the domain controller is operational and can be pinged by IP address, use dcdiag to do an enterprise check. Type the following command at an elevated command prompt:

C:\Windows\system32>dcdiag /s:reskit-DC1 /u:<Domain>\administrator /p:password /e

Output similar to the following appears:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Connectivity
		 ......................... RESKIT-DC1 passed test Connectivity

   Testing server: Default-First-Site-Name\RESKIT-DC2
	Starting test: Connectivity
		 The host 7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.com could not be resolved to an
		 IP address.  Check the DNS server, DHCP, server name, etc
		 Although the Guid DNS name
		 (7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.com)
		couldn't be resolved, the server name
		 (reskit-DC2.reskit-sib.RESKIT-DOM.reskit.com) resolved
		 to the IP address (172.26.220.34) and was pingable.  Check that the IP
		 address is registered correctly with the DNS server.
		 ......................... RESKIT-DC2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Replications
		 [Replications Check,RESKIT-DC1] A recent replication attempt failed:
			From RESKIT-DC2 to RESKIT-DC1
			Naming Context: CN=Configuration,DC=RESKIT-DOM,DC=reskit,DC=com
			The replication generated an error (1722):
			The RPC server is unavailable.
			The failure occurred at 2007-12-21 02:19:04.
			The last success occurred at 2007-12-21 01:57:43.
			1 failures have occurred since the last success.
			The source remains down. Please check the machine.
		 ......................... RESKIT-DC1 passed test Replications
	Starting test: NCSecDesc
		 ......................... RESKIT-DC1 passed test NCSecDesc
	Starting test: NetLogons
		 ......................... RESKIT-DC1 passed test NetLogons
	Starting test: Advertising
		 ......................... RESKIT-DC1 passed test Advertising
	Starting test: KnowsOfRoleHolders
		 ......................... RESKIT-DC1 passed test KnowsOfRoleHolders
	Starting test: RidManager
		 ......................... RESKIT-DC1 passed test RidManager
	Starting test: MachineAccount
		 ......................... RESKIT-DC1 passed test MachineAccount
	Starting test: Services
		 ......................... RESKIT-DC1 passed test Services
	Starting test: ObjectsReplicated
		 ......................... RESKIT-DC1 passed test ObjectsReplicated
	Starting test: frssysvol
		 ......................... RESKIT-DC1 passed test frssysvol
	Starting test: kccevent
		 ......................... RESKIT-DC1 passed test kccevent
	Starting test: systemlog
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:28:25
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:40:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:43:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:58:46
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:02:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:05:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:10:51
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:13:51
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:18:58
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:21:58
			Event String: The time provider NtpClient is configured to
		 ......................... RESKIT-DC1 failed test systemlog

   Testing server: Default-First-Site-Name\RESKIT-DC2
	Skipping all tests, because server RESKIT-DC2 is
	not responding to directory service requests

   Running partition tests on : Schema
	Starting test: DeadCRTest
		 ......................... Schema passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
	Starting test: DeadCRTest
		 ......................... Configuration passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RESKIT-DOM
	Starting test: DeadCRTest
		 ......................... RESKIT-DOM passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... RESKIT-DOM passed test CheckSDRefDom

   Running partition tests on : reskit-sib
	Starting test: DeadCRTest
		 ......................... reskit-sib passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... reskit-sib passed test CheckSDRefDom

   Running enterprise tests on : RESKIT-DOM.reskit.com
	Starting test: Intersite
		 ......................... RESKIT-DOM.reskit.com passed test Intersite
	Starting test: FsmoCheck
		 ......................... RESKIT-DOM.reskit.com passed test FsmoCheck
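
As an added example (not part of the original page and not Microsoft's code), the PowerShell function below parses dcdiag text output such as the Example 2 listing into one record per test. It then lists failed or skipped tests, and any test that reported "passed" while still printing diagnostic text, as the Replications test does above. The function name ConvertFrom-DcdiagOutput and the abridged sample are constructed for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original page. Requires PowerShell 3.0 or later.
# Constructed sample: abridged from the Example 2 output on this page.
$sample = @'
Doing initial required tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
      Starting test: Connectivity
         ......................... RESKIT-DC1 passed test Connectivity

   Testing server: Default-First-Site-Name\RESKIT-DC2
      Starting test: Connectivity
         The host 7594898c-8ba4-4496-a01a-b0f2cadd28a6._msdcs.RESKIT-DOM.reskit.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         ......................... RESKIT-DC2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
      Starting test: Replications
         [Replications Check,RESKIT-DC1] A recent replication attempt failed:
            From RESKIT-DC2 to RESKIT-DC1
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... RESKIT-DC1 passed test Replications
      Starting test: NCSecDesc
         ......................... RESKIT-DC1 passed test NCSecDesc

   Testing server: Default-First-Site-Name\RESKIT-DC2
      Skipping all tests, because server RESKIT-DC2 is
      not responding to directory service requests
'@

# Hypothetical helper: turns dcdiag text output into one object per test verdict.
function ConvertFrom-DcdiagOutput {
    param(
        # Blank lines are expected in the output, so empty strings must be allowed.
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line
    )

    $test    = $null   # test named by the most recent "Starting test:" line
    $details = New-Object 'System.Collections.Generic.List[string]'

    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if (-not $text) { continue }

        if ($text -match '^Starting test:\s*(?<test>\S+)$') {
            # A new test begins: remember its name and start collecting its messages.
            $test = $Matches['test']
            $details.Clear()
        }
        elseif ($text -match '^\.{5,}\s*(?<target>\S+) (?<result>passed|failed) test (?<test>\S+)$') {
            # Verdict line: emit the record together with everything printed before it.
            [pscustomobject]@{
                Target  = $Matches['target']
                Test    = $Matches['test']
                Result  = $Matches['result']
                Details = $details.ToArray() -join ' | '
            }
            $test = $null
            $details.Clear()
        }
        elseif ($text -match '^Skipping all tests, because server (?<target>\S+) is') {
            # dcdiag gives no per-test verdicts for a server it cannot bind to.
            [pscustomobject]@{
                Target  = $Matches['target']
                Test    = '(all)'
                Result  = 'skipped'
                Details = $text
            }
        }
        elseif ($test) {
            # Any other line inside a running test is diagnostic text for that test.
            $details.Add($text)
        }
    }
}

# For a real run, pass the lines of the file written by /f:<LogFile> instead of $sample.
$results = ConvertFrom-DcdiagOutput -Line ($sample -split '\r?\n')

# Tests that failed, or servers whose tests were skipped entirely.
$results | Where-Object { $_.Result -ne 'passed' } |
    Format-Table Target, Test, Result -AutoSize

# Tests that passed but still printed messages; the verdict alone hides these.
$results | Where-Object { $_.Result -eq 'passed' -and $_.Details } |
    Format-List Target, Test, Details
```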

Example 3: Failed Netlogon Service

In this example, the Netlogon Service has failed on one of the domain controllers. To troubleshoot, type the following command at an elevated command prompt:

C:\Windows\system32>dcdiag /s:reskit-DC1 /u:<Domain>\administrator /p:password

Output similar to the following appears:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Connectivity
		 ......................... RESKIT-DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Replications
		 ......................... RESKIT-DC1 passed test Replications
	Starting test: NCSecDesc
		 ......................... RESKIT-DC1 passed test NCSecDesc
	Starting test: NetLogons
		 ......................... RESKIT-DC1 passed test NetLogons
	Starting test: Advertising
		 Fatal Error:DsGetDcName (RESKIT-DC1) call failed, error 1722
		 The Locator could not find the server.
		 ......................... RESKIT-DC1 failed test Advertising
	Starting test: KnowsOfRoleHolders
		 ......................... RESKIT-DC1 passed test KnowsOfRoleHolders
	Starting test: RidManager
		 ......................... RESKIT-DC1 passed test RidManager
	Starting test: MachineAccount
		 ......................... RESKIT-DC1 passed test MachineAccount
	Starting test: Services
			NETLOGON Service is stopped on [RESKIT-DC1]
		 ......................... RESKIT-DC1 failed test Services
	Starting test: ObjectsReplicated
		 ......................... RESKIT-DC1 passed test ObjectsReplicated
	Starting test: frssysvol
		 ......................... RESKIT-DC1 passed test frssysvol
	Starting test: kccevent
		 ......................... RESKIT-DC1 passed test kccevent
	Starting test: systemlog
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:28:25
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:40:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:43:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:58:46
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:02:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:05:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:10:51
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:13:51
			Event String: The time provider NtpClient is configured to
		 ......................... RESKIT-DC1 failed test systemlog

   Running partition tests on : Schema
	Starting test: DeadCRTest
		 ......................... Schema passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
	Starting test: DeadCRTest
		 ......................... Configuration passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RESKIT-DOM
	Starting test: DeadCRTest
		 ......................... RESKIT-DOM passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... RESKIT-DOM passed test CheckSDRefDom

   Running enterprise tests on : RESKIT-DOM.reskit.com
	Starting test: Intersite
		 ......................... RESKIT-DOM.reskit.com passed test Intersite
	Starting test: FsmoCheck
		 Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717
		 A Global Catalog Server could not be located - All GC's are down.
		 Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717
		 A Primary Domain Controller could not be located.
		 The server holding the PDC role is down.
		 Warning: DcGetDcName(TIME_SERVER) call failed, error 1717
		 A Time Server could not be located.
		 The server holding the PDC role is down.
		 Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717
		 A Good Time Server could not be located.
		 Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717
		 A KDC could not be located - All the KDCs are down.
		 ......................... RESKIT-DOM.reskit.com failed test FsmoCheck

Example 4: Unresponsive or inaccessible server

In this example, you have noticed replication problems. To resolve the issue, type the following command at an elevated command prompt:

C:\Windows\system32>dcdiag /s:reskit-DC1 /u:<Domain>\administrator /p:password /e

Output similar to the following appears:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Connectivity
		 ......................... RESKIT-DC1 passed test Connectivity

   Testing server: Default-First-Site-Name\RESKIT-DC2
	Starting test: Connectivity
		 Server RESKIT-DC2 resolved to this IP address 172.26.220.34,
		 but the address couldn't be reached(pinged), so check the network.
		 The error returned was: Error due to lack of resources.
		 This error more often means that the targeted server is
		 shutdown or disconnected from the network
		 ......................... RESKIT-DC2 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RESKIT-DC1
	Starting test: Replications
		 [Replications Check,RESKIT-DC1] A recent replication attempt failed:
			From RESKIT-DC2 to RESKIT-DC1
			Naming Context: CN=Configuration,DC=RESKIT-DOM,DC=reskit,DC=com
			The replication generated an error (1722):
			The RPC server is unavailable.
			The failure occurred at 2007-12-21 02:19:04.
			The last success occurred at 2007-12-21 01:57:43.
			1 failures have occurred since the last success.
			The source remains down. Please check the machine.
		 ......................... RESKIT-DC1 passed test Replications
	Starting test: NCSecDesc
		 ......................... RESKIT-DC1 passed test NCSecDesc
	Starting test: NetLogons
		 ......................... RESKIT-DC1 passed test NetLogons
	Starting test: Advertising
		 ......................... RESKIT-DC1 passed test Advertising
	Starting test: KnowsOfRoleHolders
		 ......................... RESKIT-DC1 passed test KnowsOfRoleHolders
	Starting test: RidManager
		 ......................... RESKIT-DC1 passed test RidManager
	Starting test: MachineAccount
		 ......................... RESKIT-DC1 passed test MachineAccount
	Starting test: Services
		 ......................... RESKIT-DC1 passed test Services
	Starting test: ObjectsReplicated
		 ......................... RESKIT-DC1 passed test ObjectsReplicated
	Starting test: frssysvol
		 ......................... RESKIT-DC1 passed test frssysvol
	Starting test: kccevent
		 ......................... RESKIT-DC1 passed test kccevent
	Starting test: systemlog
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:28:25
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:40:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:43:30
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   01:58:46
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:02:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:05:11
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:10:51
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:13:51
			Event String: The time provider NtpClient is configured to
		 An Error Event occured.  EventID: 0xC25A001D
			Time Generated: 12/21/2007   02:18:58
			Event String: The time provider NtpClient is configured to
		 ......................... RESKIT-DC1 failed test systemlog

   Testing server: Default-First-Site-Name\RESKIT-DC2
	Skipping all tests, because server RESKIT-DC2 is
	not responding to directory service requests

   Running partition tests on : Schema
	Starting test: DeadCRTest
		 ......................... Schema passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
	Starting test: DeadCRTest
		 ......................... Configuration passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : RESKIT-DOM
	Starting test: DeadCRTest
		 ......................... RESKIT-DOM passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... RESKIT-DOM passed test CheckSDRefDom

   Running partition tests on : reskit-sib
	Starting test: DeadCRTest
		 ......................... reskit-sib passed test DeadCRTest
	Starting test: CheckSDRefDom
		 ......................... reskit-sib passed test CheckSDRefDom

   Running enterprise tests on : RESKIT-DOM.reskit.com
	Starting test: Intersite
		 ......................... RESKIT-DOM.reskit.com passed test Intersite
	Starting test: FsmoCheck
		 ......................... RESKIT-DOM.reskit.com passed test FsmoCheck
