Friday, March 28, 2008

DCDiag

DCDiag Syntax

DCDiag uses the following syntax:

dcdiag /s:DomainController [/n:NamingContext] [/u:Domain\UserName /p:{* | Password | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:LogFile] [/ferr:ErrLog] [/c [/skip:Test]] [/test:Test] [/fix] [{/h | /?}] [/ReplSource:SourceDomainController]

Parameters

/s:DomainController
Uses DomainController as the home server. This parameter is required. It is ignored for the DcPromo and RegisterInDns tests, which can only be run locally.
/n:NamingContext
Uses NamingContext as the naming context to test. Domains may be specified in NetBIOS, DNS or distinguished name format.
/u:Domain\UserName /p:{* | Password | ""}
By default, DCDiag uses the credentials of the current process or user. If alternate credentials are needed, this option binds as Domain\UserName with Password as the password. Use "" for an empty or null password, or the wildcard character (*) to prompt for the password.
/a
Tests all the servers on this site.
/e
Tests all the servers in the entire enterprise. Overrides /a.
/q
Quiet. Prints only error messages.
/v
Verbose. Prints extended information.
/i
Ignores superfluous error messages.
/fix
Only affects the MachineAccount test. It causes the test to fix the SPNs (Service Principal Names) on the domain controller's Machine Account Object.
/f:LogFile
Redirects all output to LogFile. The /f parameter operates independently of /ferr.
/ferr:ErrLog
Redirects fatal error output to a separate file ErrLog. The /ferr parameter operates independently of /f.
/c
Comprehensive. Runs all tests except DcPromo and RegisterInDNS, including non-default tests. Can optionally be used with /skip to skip specified tests. The following tests are not run by default: Topology, CutoffServers, OutboundSecureChannels.
{/h | /?}
Displays a syntax screen at the command prompt.
/test:Test
Runs only this test. The non-skippable test Connectivity is also run. Should not be run in the same command as /skip. Note: all tests except DcPromo and RegisterInDNS must be run on computers that have been promoted to domain controller. The test CheckSecurityError is available only in the version of DCDiag included with the Windows Support Tools in Windows Server 2003 Service Pack 1 (SP1), and must be run on a domain controller that is running Windows Server 2003 with SP1.
/ReplSource:SourceDomainController
Option for /test:CheckSecurityError. Tests the connection between the domain controller on which you run the command and the source domain controller. SourceDomainController is the DNS name, NetBIOS name, or distinguished name of a real or potential "from" server that is represented by a real or potential connection object.
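
As an added example, not code from the original post, here is a PowerShell script that runs DCDiag against a single domain controller with the /v, /f and /ferr parameters described above and then turns the per-test "passed test"/"failed test" summary lines into objects, so that a failing test (such as MachineAccount, the one /fix can repair) stands out. It assumes dcdiag.exe is on the path and that the caller has rights on the target DC; the function names and the sample log text are constructed for this example, not captured from a real server.

```powershell
# Added example, not code from the original post. Assumes dcdiag.exe is on PATH.

function ConvertFrom-DcDiagLog {
    # Turn DCDiag's per-test summary lines into objects.
    # Each test ends with a line such as:
    #   "......................... DC01 passed test Connectivity"
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        if ($line -match '^\s*\.+\s+(?<server>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            [pscustomobject]@{
                Server = $Matches.server
                Test   = $Matches.test
                Passed = ($Matches.result -eq 'passed')
            }
        }
    }
}

function Invoke-DcDiagCheck {
    # Run DCDiag against one DC. /f captures the full verbose log and /ferr
    # captures only fatal errors; the two files are written independently.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$LogFile = "dcdiag-$DomainController.log",
        [string]$ErrLog  = "dcdiag-$DomainController.err"
    )

    & dcdiag.exe "/s:$DomainController" /v "/f:$LogFile" "/ferr:$ErrLog" | Out-Null
    $results = ConvertFrom-DcDiagLog -Lines (Get-Content -Path $LogFile)

    # A non-empty /ferr file means at least one fatal error was logged.
    $fatal = (Test-Path $ErrLog) -and ((Get-Item $ErrLog).Length -gt 0)
    [pscustomobject]@{
        DomainController = $DomainController
        Failed           = @($results | Where-Object { -not $_.Passed })
        FatalErrors      = $fatal
        LogFile          = $LogFile
    }
}

# Offline demonstration on constructed log text (not real DCDiag output):
$sampleLog = @'
Testing server: Default-First-Site-Name\DC01
   Starting test: Connectivity
      ......................... DC01 passed test Connectivity
   Starting test: Advertising
      ......................... DC01 passed test Advertising
   Starting test: MachineAccount
      ......................... DC01 failed test MachineAccount
'@ -split "`r?`n"

ConvertFrom-DcDiagLog -Lines $sampleLog | Where-Object { -not $_.Passed }

# Against a live domain controller you would run instead:
#   Invoke-DcDiagCheck -DomainController DC01
```

On the constructed log the filter leaves only the MachineAccount row. Keeping /f and /ferr separate is deliberate: the full log is what you read when a test fails, while an empty /ferr file is a quick "no fatal errors" signal you can check from a scheduled task.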

DNS Syntax

The new DNS tests in Windows Server 2003 SP1 use the following syntax:

dcdiag /test:DNS [/DnsBasic | /DnsForwarders | /DnsDelegation | /DnsDynamicUpdate | /DnsRecordRegistration | /DnsResolveExtName [/DnsInternetName:InternetName] | /DnsAll] [/f:LogFile] [/ferr:ErrLog] /s:DomainController [/e] [/v]

Parameters

/test:DNS [DNS test]
Performs the specified DNS test. If no test is specified, defaults to /DnsAll.
/DnsBasic
Performs basic DNS tests, including network connectivity, DNS client configuration, service availability, and zone existence.
/DnsForwarders
Performs the /DnsBasic tests, and also checks the configuration of forwarders.
/DnsDelegation
Performs the /DnsBasic tests, and also checks for proper delegations.
/DnsDynamicUpdate
Performs /DnsBasic tests, and also determines if dynamic update is enabled in the Active Directory zone.
/DnsRecordRegistration
Performs the /DnsBasic tests, and also checks if the address (A), canonical name (CNAME) and well-known service (SRV) resource records are registered. In addition, creates an inventory report based on the test results.
/DnsResolveExtName [/DnsInternetName:InternetName]
Performs the /DnsBasic tests, and also attempts to resolve InternetName. If /DnsInternetName is not specified, attempts to resolve the name www.microsoft.com. If /DnsInternetName is specified, attempts to resolve the Internet name supplied by the user.
/DnsAll
Performs all tests, except for the DnsResolveExtName test, and generates a report.
/f:LogFile
Redirects all output to LogFile. The /f parameter operates independently of /ferr.
/ferr:ErrLog
Redirects fatal error output to a separate file ErrLog. The /ferr parameter operates independently of /f.
/s:DomainController
Runs the tests against DomainController.
/e
Runs all tests specified by /test:DNS against all domain controllers in the Active Directory forest.
/v
Verbose. Presents extended information about successful test results, in addition to information about errors and warnings. When the /v parameter is not used, provides only error and warning information. Use the /v switch when errors or warnings are reported in the summary table.
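
The summary table that /test:DNS prints is the part worth automating. As an added example (not from the original post), the PowerShell below runs the /DnsAll tests against every DC in the forest with /e and /v, then parses the summary into one object per domain controller with a property per column (Auth, Basc, Forw, Del, Dyn, RReg, Ext), so that any FAIL or WARN can be picked out and the matching sub-test re-run with /v for detail. dcdiag.exe from the Windows Server 2003 SP1 Support Tools or later is assumed to be on the path; the function names and the sample summary text are constructed for this example.

```powershell
# Added example, not code from the original post. Assumes dcdiag.exe (Windows
# Server 2003 SP1 Support Tools or later) is on PATH.

function ConvertFrom-DcDiagDnsSummary {
    # Parse the "Summary of DNS test results" table that /test:DNS prints.
    # Column names are taken from the table header itself, e.g.
    #   Auth Basc Forw Del  Dyn  RReg Ext
    # and each DC row carries PASS / FAIL / WARN / n/a per column.
    param([Parameter(Mandatory)][string[]]$Lines)

    $columns = $null
    $domain  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Auth\s+Basc\s+') { $columns = -split $line.Trim(); continue }
        if ($line -match '^\s*Domain:\s*(\S+)') { $domain = $Matches[1]; continue }
        if ($columns -and $line -match '^\s*(?<dc>\S+)\s+(?<cells>(?:(?:PASS|FAIL|WARN|n/a)\s*)+)$') {
            $cells = -split $Matches.cells.Trim()
            $row = [ordered]@{ Domain = $domain; DC = $Matches.dc }
            for ($i = 0; $i -lt $columns.Count -and $i -lt $cells.Count; $i++) {
                $row[$columns[$i]] = $cells[$i]
            }
            [pscustomobject]$row
        }
    }
}

function Test-DnsRowClean {
    # Every test column must read PASS or n/a; anything else needs attention.
    param([Parameter(Mandatory)]$Row)
    foreach ($p in $Row.PSObject.Properties) {
        if ($p.Name -in 'Domain', 'DC') { continue }
        if ($p.Value -notin 'PASS', 'n/a') { return $false }
    }
    return $true
}

function Invoke-DcDiagDnsCheck {
    # Run every DNS sub-test (/DnsAll) against all DCs in the forest (/e),
    # log verbosely with /f, and return only rows that are not a clean PASS.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$LogFile = "dcdiag-dns.log"
    )
    & dcdiag.exe /test:DNS /DnsAll "/s:$DomainController" /e /v "/f:$LogFile" | Out-Null
    ConvertFrom-DcDiagDnsSummary -Lines (Get-Content -Path $LogFile) |
        Where-Object { -not (Test-DnsRowClean $_) }
}

# Offline demonstration on constructed summary text (not real DCDiag output):
$sampleSummary = @'
Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
      Domain: corp.example.com
         DC01                        PASS PASS FAIL PASS WARN PASS n/a
         DC02                        PASS PASS PASS PASS PASS PASS n/a
'@ -split "`r?`n"

ConvertFrom-DcDiagDnsSummary -Lines $sampleSummary | Where-Object { -not (Test-DnsRowClean $_) }

# Against a live forest you would run instead:
#   Invoke-DcDiagDnsCheck -DomainController DC01
```

On the constructed table only DC01 is returned, with Forw=FAIL and Dyn=WARN; the natural follow-up is dcdiag /test:DNS /DnsForwarders /v and /DnsDynamicUpdate /v against that DC, since the page notes that /v is what exposes the detail behind a summary error or warning. The Ext column stays n/a because /DnsAll excludes the DnsResolveExtName test.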

Wednesday, March 26, 2008

How to configure a Windows cluster in VMware

Microsoft Windows CLUSTER and Virtual Machines

The goal is to build two virtual machines that become cluster nodes, so that we can test and build applications that use the cluster resource. Virtual machines always have the same hardware; they do not depend on the host hardware type, and for the same reason you can save, move and load a virtual machine anywhere VMware is installed.

VMware uses two main file types to run virtual machines: the .vmw file (config file) and the .vmdk file (virtual hard disk). To create a shared SCSI disk there are two things we need to change manually in the config file after you use the virtual disk configuration wizard: the following line needs to be changed to "FALSE":

disk.locking = "FALSE"

This allows any virtual machine to load a SCSI disk device even if it is in use by another virtual machine (cluster disk emulation). Create as many disks as you need, keeping in mind that at least one will be used internally by the cluster service, so if you need 4 clustered data drives, create 5. VMware gets installed in the default directory C:\Program Files\VMWare and 4 CD images (ISO) come with it (VMware Tools and drivers for guest OSes: Windows, Linux, NetWare and FreeBSD). After I installed the first Windows 2000 and 2003 server OS with all the updates, I backed the images up so they can be loaded as many times as we need; the computer name is generic (it needs to be renamed) and the administrator password is blank (it needs to be changed too).

Configuring Windows 2003 Cluster

I followed these instructions on how to build a cluster: [DEAD LINK] http://www.microsoft.com/windows2000/techinfo/planning/server/clustersteps.asp

I created 2 virtual network connections for each VM that was going to become a cluster node: the LAN connection (bridged in the VMware network configuration) and the "Heartbeat" crossover connection. The host OS is Windows 2000 Server with a basic configuration, McAfee and WinZip on it. The guest OS is Windows 2003 Enterprise Server (for cluster support), with McAfee, WinZip and "VMware Tools for Windows guest OS". I configured the host to log on automatically with a username/password on the local machine; 3 batch files in the "vmuser" profile startup folder automatically start the new nodes and lock the host machine. The Windows 2003 cluster has been configured with the following IP addresses:

IP Address      Description
10.10.30.110    Cluster NetBIOS name
10.10.30.111    Node 1 server
10.10.30.112    Node 2 server
10.10.30.113    Virtual SQL Server name
10.10.30.114    Virtual MQ Series name

Cluster Setup

First we need to set up the crossover connection, which is needed for the cluster to work: on Node1 I use 192.168.0.1/30 and on Node2 192.168.0.2/30. Create a user on the domain that will be a member of the local Administrators group on both nodes (e.g. "_Cluster"), and find a good IP address and NetBIOS name to give to the cluster. On Windows 2003 there is no need to reboot the machine to create the cluster: just open Cluster Administrator from Administrative Tools and, on the first node that is going to be a member of the cluster, choose "Create a new cluster". A wizard will ask for the SCSI disks and the virtual IP and NetBIOS name that the cluster will have; you will also need the system account created to run the cluster. After the process completes successfully, open Cluster Administrator on Node2 and select "Add nodes to cluster"; the wizard will guide you until the process completes. Test the cluster by moving the resources back and forth between the nodes.

DTC Resource Setup

Click Start, point to All Programs, point to Administrative Tools, and then click Cluster Administrator. In Open Connection to Cluster, select the applicable cluster or server in the Cluster or server name list. If you select a server, the name of the cluster to which it belongs will appear in the console tree. In the console tree, click the cluster group to which you want the DTC resource to belong. After the group is selected, on the File menu, point to New, and then click Resource. In the New Resource Wizard, in Name and Description, type a name and description for the DTC resource, and select Distributed Transaction Coordinator (DTC) in the Resource type list box. Then click Next. In Group, select the group that you want the DTC to belong to. By default, the DTC resource will install into the first group it locates that has an IP, Name, and Physical Disk resource, unless you identify a specific group. On the Possible Owners page, add the nodes that will own the DTC resource. If you want to add nodes to the automatically chosen list under Possible owners, select them from the list under Available nodes and click Add. If you want to remove nodes from the automatically chosen list under Possible owners, select them in this list and click Remove. Then click Next. On the Dependencies page, under Available resources, select the name of the Physical Disk resource in the group and click Add. Then click Finish.

To bring the DTC resource online: click Start, point to All Programs, point to Administrative Tools, and then click Cluster Administrator. In the console tree, click the Resources folder. In the details pane, click the resource you want to bring online. On the File menu, click Bring Online. This also brings online the Physical Disk resource that the DTC resource depends on.

MSMQ 3.0 Cluster Resource Setup

To install MSMQ 3.0 on a cluster node: click Start, point to Control Panel, and then select Add or Remove Programs. Click Add/Remove Windows Components. In the Windows Components Wizard, select the Application Server check box, click Details, select the Message Queuing check box, and then click Details. On the Message Queuing page, you can select the following subcomponents that you want to install: to provide message routing services, select the Routing Support check box. To install the MSMQ directory service, which provides access to MSMQ objects in Active Directory for MSMQ 1.0 clients on computers running Windows 98, Windows 95, Windows Millennium Edition (Me), and Windows NT 4.0, and for MSMQ 2.0 clients on computers running Windows 2000, select the Downlevel Client Support check box. If the computer belongs to a domain and you want it to operate in workgroup mode, clear the Active Directory Integration check box; in this case, you cannot install Routing Support. If you want to install MSMQ Triggers, select the Triggers check box. If you intend to send messages by HTTP transport, select the MSMQ HTTP Support check box. Click OK, and then click Next. Follow the remaining instructions in the wizard.

SQL Server on Cluster

SQL Server doesn't work on Windows 2003 without a service pack; SQL is compatible with at least SP2 installed. In a cluster environment it cannot be installed and left OFFLINE: after the installation is complete, Setup will try to start the SQL cluster resource and, failing, will then uninstall it and clean both nodes. To work around this problem Microsoft wrote an article, Knowledge Base #815431: http://support.microsoft.com/default.aspx?scid=kb;en-us;815431

To get to the supported configuration of SQL Server 2000 SP3 on a Windows Server 2003-based computer, use the following method. Use Client Network Utility to create a Named Pipes alias: before you install a named instance of SQL Server 2000 virtual server, use Client Network Utility (CNU) to create a server alias to make a connection over named pipes (during Setup) while creating and bringing the SQL Server resources online. Repeat this process for each named instance installation.

1. From the node where you intend to run Setup, create a server alias for the client connection:
   a. Run Cliconfg.exe on the cluster node where you will run Setup. Note: if Cliconfg.exe is not installed on your computer, install it by running Sqlredis.exe from the SQL Server 2000 installation files; to do so, type the following at a command prompt:

\x86\Other\sqlredis.exe /q:a /C:"setupre.exe WARN=1 -s -SMS"

      You may have to restart your computer if Cliconfg.exe is not immediately available. For additional information about SQL Server 2000 Setup, see the following article in the Microsoft Knowledge Base: 257716 INF: Frequently Asked Questions - SQL Server 2000 - Setup.
   b. In the SQL Server Client Network Utility dialog box, click the Alias tab.
   c. Click Add to open the Add Network Library Configuration dialog box.
   d. Click to select the Named Pipes check box.
   e. Type the alias name in the Server alias box. For example: VIRTUALSERVERNAME\INSTANCENAME.
   f. Type the virtual server instance name in the Server name box. For example: VIRTUALSERVERNAME\INSTANCENAME.
   g. Verify the name in the Pipe name box. By default, the value in the Pipe name box is: \\VIRTUALSERVERNAME\pipe\MSSQL$instancename\sql\query
2. Run SQL Server 2000 Setup. For the virtual server name, use the same virtual server name and instance name that you used in steps e and f.
3. Run SQL Server 2000 SP3 Setup.
4. After Setup completes successfully, run the Server Network Utility. Select the instance, select TCP/IP, and then click Properties. Type 0 in the Default port box.
5. Restart the SQL Server resource from Cluster Administrator.
6. Remove the named pipes alias that you created in step 1.

With this procedure SQL should work on the cluster resource; try to fail over to test it.

NLTest Tool

NLTest Syntax

NLTest uses the following syntax:

nltest [/server:ServerName] [operation [parameter]] ...

/server:ServerName
Runs NLTest at the specified remote domain controller. If this parameter is not specified, the command is executed on the local computer (domain controller).

Operations

/query
Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon service.
/repl
Forces a synchronization with the PDC. Only changes not yet replicated to the BDC are synchronized. This command is for NT 4.0 BDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
/sync
Forces an immediate synchronization with the PDC of the entire SAM database. This command is for NT 4.0 BDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
/pdc_repl
Forces the PDC to send a synchronize notification to all BDCs. This command is for NT 4.0 PDCs only and is not for Active Directory replication. Administrative rights are required to perform this command.
/sc_query:DomainName
Reports on the state of the secure channel the last time it was used. This is the secure channel established by the NetLogon service. Also, lists the name of the domain controller that was queried on the secure channel.
/sc_reset:[DomainName]
Removes and then rebuilds the secure channel established by the NetLogon service. Administrative rights are required to perform this command.
/sc_verify:[DomainName]
Checks the status of the secure channel established by the NetLogon service. If the secure channel is not working, this operation removes the existing channel and builds a new one. Administrative rights are required to perform this command. This operation is only valid on Windows 2000 with Service Pack 2 and Windows Server 2003 domain controllers.
/sc_change_pwd:[DomainName]
Changes the password for the trust account of the specified domain. If this command is run on a domain controller, and an explicit trust relationship exists, then the password for the interdomain trust account is reset. Otherwise, the computer account password for the specified domain is changed. This command is only for computers that are Windows 2000, Windows XP, and Windows Server 2003.
/dclist:[DomainName]
Lists all domain controllers in the domain. In an NT 4.0 domain environment, this command uses the Browser service to retrieve the list of domains. In an Active Directory environment, this command first queries Active Directory for a list of domain controllers. If this is unsuccessful, the Browser service is used.
/dcname:[DomainName]
Lists the primary domain controller or the primary domain controller emulator for DomainName.
/dsgetdc:[DomainName]
Queries the DNS server for a list of domain controllers and their corresponding IP addresses. Contacts each domain controller to check for connectivity. Use the following flags to filter the list of domain controllers or to specify alternate name types in the syntax:
  /PDC Returns only the PDC (NT 4.0) or the domain controller designated as the PDC emulator (Windows 2000 or Windows Server 2003).
  /DS Returns only those domain controllers that are Windows 2000 or Windows Server 2003 servers.
  /DSP Requests that Windows 2000 or Windows Server 2003 domain controllers be returned. If no Windows 2000 or Windows Server 2003 server is found, this operation returns NT domain controllers.
  /GC Returns only those domain controllers designated as Global Catalog servers.
  /KDC Returns only those domain controllers designated as Kerberos key distribution centers.
  /TIMESERV Returns only those domain controllers designated as time servers.
  /GTTIMESERV Returns only those domain controllers designated as master time servers.
  /NetBIOS Use this flag when specifying computer names in the syntax as NetBIOS names.
  /DNS Use this flag when specifying computer names in the syntax as FQDNs.
  /IP Returns only domain controllers that have IP addresses. Domain controllers not using TCP/IP as their protocol stack are not returned.
  /FORCE Forces the computer to run the command against the DNS server instead of looking in the cache for the information.
/dnsgetdc:DomainName
Queries the DNS server for a list of domain controllers and their corresponding IP addresses. Use the following flags to filter the list of domain controllers:
  /PDC Returns only those domain controllers that are PDCs (NT 4.0) or designated as PDC emulators.
  /GC Returns only those domain controllers designated as Global Catalogs.
  /KDC Returns only those domain controllers designated as Kerberos key distribution centers.
  /WRITABLE Returns only those domain controllers that can accept changes to the directory database. All Active Directory domain controllers will be returned; only NT 4.0 BDCs will not be returned with this flag.
  /LDAPONLY Returns servers that are running an LDAP application. With this flag, LDAP servers are returned that are not necessarily DCs.
  /FORCE Forces the computer to run the command against the DNS server instead of looking in the cache for the information.
  /SITE:SiteName Sorts the returned records so that the ones pertaining to the site are listed first.
  /SITESPEC Filters the returned records so only those pertaining to the site are displayed. This flag can only be used with /SITE.
/dsgetfti:DomainName [/UpdateTDO]
Returns information about interforest trust(s). This operation is only for a Windows Server 2003 domain controller that is in the root of the forest. If no interforest trusts exist, this operation returns an error.
  /UpdateTDO Updates the locally stored information on the interforest trust.
/dsgetsite
Returns the name of the site in which the domain controller resides.
/dsgetsitecov
Returns the name of the site that the domain controller covers. A domain controller can cover a site that has no local domain controller of its own.
/parentdomain
Returns the name of the parent domain of the server.
/dsregdns
Refreshes the registration of all domain controller-specific DNS records.
/dsderegdns:DnsHostName
Deregisters DNS host records from DNS for the host specified with the DnsHostName parameter. Use the following flags to specify which records will be deregistered:
  /DOM: Specifies a DNS domain name for the host to use when searching for records in the DNS server. If not specified, the suffix of DnsHostName is assumed to be the DNS domain name.
  /DOMGUID: Deletes DNS records that are GUID based.
  /DSAGUID: Deletes DSA records that are GUID based.
/whowill:Domain/ User
Finds the domain controller that has the specified user account. Use this command to determine whether the account information has been replicated to other domain controllers.
/finduser:User
Finds the directly trusted domain to which the specified user account belongs. Use this operation to troubleshoot logon issues of older client operating systems.
/transport_notify
Flushes the negative cache to force the discovery of a domain controller. Use this operation on NT 4.0 domain controllers only. This operation is done automatically when clients log on to Windows 2000 and Windows Server 2003 domain controllers.
/dbflag:HexadecimalFlags
Sets a new debug flag. For most purposes, use 0x2000FFFF as the value for HexadecimalFlags. The entry in the Windows Server 2003 registry for debug flags is HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.
/user:UserName
Displays many of the attributes for the specified user account that are maintained in the SAM account database. This operation will not work for user accounts stored in Active Directory.
/time:HexadecimalLSL HexadecimalMSL
Converts Windows NT GMT time to ASCII. HexadecimalLSL is a hexadecimal value for least significant longword. HexadecimalMSL is a hexadecimal value for most significant longword.
/logon_query
Queries the cumulative number of NTLM logon attempts at the console or over the network.
/domain_trusts
Returns a list of trusted domains. Use the following flags to filter the list of domains:
  /Primary Returns only the domain to which the computer account belongs.
  /Forest Returns only those domains that are in the same forest as the primary domain.
  /Direct_Out Returns only the domains that are explicitly trusted with the primary domain.
  /Direct_In Returns only the domains that explicitly trust the primary domain.
  /All_Trusts Returns all trusted domains.
  /v Displays verbose output, including domain SIDs and GUIDs if available.
/dsquerydns
Queries for the status of the last update for all DC-specific DNS records.
/bdc_query:DomainName
Queries for a list of backup domain controllers in DomainName and displays their state of synchronization and replication status. This operation is only for NT 4.0 domain controllers.
/sim_sync:DomainName ServerName
Simulates full synchronization replication. This operation is useful in test environments.
/list_deltas:FileName
Displays the contents of the change log file FileName, which lists changes to the user account database. Netlogon.chg is the default name. This log file resides only on NT 4.0 BDCs.
/cdigest:Message /domain:DomainName
Displays the current digest (calculation derived from the password) used by the client for the secure channel. Also, displays the digest based on the previous password. The secure channel is used for logons between client computers and a domain controller, or DC to DC for directory service replication. Use this operation in conjunction with the /sdigest operation to check trust account password synchronization.
/sdigest:Message /rid:RID_In_Hexadecimal
Displays the current digest (calculation derived from the password) that the server is using for the secure channel. Also, displays the digest for the previous password. If the digest from the server matches the digest from the client (retrieved using the /cdigest operation), then the passwords used for the secure channel are synchronized. If the digests do not match, then a password change may not have replicated yet.
/shutdown:Reason[ Seconds]
Performs a remote shutdown of ServerName for Reason, a string, after Seconds, an integer. For a complete description, see the Platform SDK documentation for InitiateSystemShutdown.
/shutdown_abort
Terminates a system shutdown.
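
As an added example that is not part of the original post, the PowerShell below wraps the /sc_verify operation for a list of servers, parsing the trusted DC name and the "Status = ..." result line out of NLTest's output so that a broken secure channel is reported as a non-zero status rather than read by eye; /sc_verify is used rather than /sc_reset because it only rebuilds the channel when the check fails. It assumes nltest.exe is on the path and that the caller has administrative rights on each server, as the operations above require; the function names and both sample outputs are constructed for this example.

```powershell
# Added example, not code from the original post. Assumes nltest.exe is on PATH
# and that the caller has administrative rights on each server checked.

function ConvertFrom-NlTestStatus {
    # Pull the trusted DC and the final "Status = <dec> <hex> <name>" line out
    # of nltest /sc_query or /sc_verify output.
    param([Parameter(Mandatory)][string[]]$Lines)

    $info = [ordered]@{ TrustedDc = $null; StatusCode = $null; StatusName = $null; Healthy = $false }
    foreach ($line in $Lines) {
        if ($line -match '^\s*Trusted DC Name\s+(\S+)') { $info.TrustedDc = $Matches[1] }
        if ($line -match 'Status = (\d+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)') {
            $info.StatusCode = [int]$Matches[1]
            $info.StatusName = $Matches[3]
            $info.Healthy    = ($info.StatusCode -eq 0)
        }
    }
    [pscustomobject]$info
}

function Test-SecureChannel {
    # /sc_verify checks the channel and rebuilds it only when it is broken,
    # so it is safe to run on a schedule; /sc_reset would always tear it down.
    param(
        [Parameter(Mandatory)][string[]]$Server,
        [Parameter(Mandatory)][string]$Domain
    )
    foreach ($s in $Server) {
        # Merge stderr so a failed I_NetLogonControl call is parsed too.
        $output = & nltest.exe "/server:$s" "/sc_verify:$Domain" 2>&1 | ForEach-Object { "$_" }
        $parsed = ConvertFrom-NlTestStatus -Lines $output
        $parsed | Add-Member -NotePropertyName Server -NotePropertyValue $s -PassThru
    }
}

# Offline demonstration on constructed text (not captured from a real server):
$healthySample = @'
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\dc01.corp.example.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
'@ -split "`r?`n"

$brokenSample = @'
I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
'@ -split "`r?`n"

ConvertFrom-NlTestStatus -Lines $healthySample
ConvertFrom-NlTestStatus -Lines $brokenSample

# Against live machines you would run instead:
#   Test-SecureChannel -Server 'SRV01', 'SRV02' -Domain CORP
```

On the two constructed samples the first call reports Healthy True with the trusted DC filled in, and the second Healthy False with ERROR_NO_LOGON_SERVERS. When a channel is reported broken, the /dclist and /dsgetdc operations above are the next step, to confirm that the server can still locate a writable DC for the domain before the channel is rebuilt.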