{"id":1539,"date":"2012-02-10T12:34:01","date_gmt":"2012-02-10T15:34:01","guid":{"rendered":"http:\/\/www.radians.com.ar\/blog\/?p=1539"},"modified":"2012-02-10T12:35:40","modified_gmt":"2012-02-10T15:35:40","slug":"dcdiag-la-herramienta-de-diagnstico-para-nuestros-controladores-de-dominio-de-nuestra-arquitectura-de-active-directory","status":"publish","type":"post","link":"https:\/\/www.radians.com.ar\/blog\/?p=1539","title":{"rendered":"DcDiag &ldquo;LA&rdquo; herramienta de diagn&oacute;stico para nuestros controladores de dominio de nuestra arquitectura de Active Directory"},"content":{"rendered":"<p align=\"justify\"><a href=\"http:\/\/www.radians.com.ar\/Articulos\/Images\/f159eb42e9c9_8DEE\/diagnostic_icon.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-right-width: 0px; margin: 5px; padding-left: 0px; padding-right: 0px; display: inline; float: left; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px\" title=\"diagnostic_icon\" border=\"0\" alt=\"diagnostic_icon\" align=\"left\" src=\"http:\/\/www.radians.com.ar\/Articulos\/Images\/f159eb42e9c9_8DEE\/diagnostic_icon_thumb.png\" width=\"200\" height=\"205\" \/><\/a>Hoy vamos a hablar de una herramienta fundamental para nuestra Arquitectura de Directory Services (Active Directory). <font size=\"2\">Esta herramienta de l\u00ednea de comandos se incluye al instalar el Support Tools de Windows Server 2003 y en Windows Server 2008 viene instalado.<\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Que hacemos con DCDiag, con esta herramienta de l\u00ednea de comandos podemos analizar el estado de nuestros controladores de dominio en un bosque o empresa y el informe que genera nos ayudara a solucionar los problemas. <\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Dcdiag ejecuta una serie de pruebas para verificar distintas \u00e1reas funcionales de nuestros DCs, en un marco, en el cual&#160; selecciona qu\u00e9 controladores de dominio son probados de acuerdo con las directivas de alcance que definimos. Esta herramienta no tienen ninguna interfaz de usuario (IU).<\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Debemos tener en cuenta que todos los controladores de dominio de un mismo dominio son iguales entre s\u00ed y cualquier controlador de dominio puede realizar las actualizaciones de directorio. <\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Sin embargo, dada la forma en que las actualizaciones del directorio se replican desde un controlador de dominio a otro, es posible que pueden surgir dificultades. Por ejemplo, si los controladores de dominio necesarios no est\u00e1n conectados por una topolog\u00eda de replicaci\u00f3n, los controladores de dominio adecuados no recibir\u00e1n las actualizaciones del directorio cuando se produce la replicaci\u00f3n. <\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Tambi\u00e9n, para que (Domain Controller) Locator encuentre un controlador de dominio, debe tener informaci\u00f3n precisa para que poder localizar correctamente el recurso. Si un controlador de dominio se anuncia incorrectamente, el localizador no lo encontrara. <\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Incluso podemos chequear nuestros DNS (esto desde Windows Server 2003 SP1), hay siete pruebas nuevas relacionadas con DNS que se pueden ejecutar de forma individual o simult\u00e1nea. Estas pruebas se pueden realizar en uno o en todos los controladores de dominio de un bosque de Active Directory. Una vez completadas las pruebas, DCDiag.exe presenta un resumen de los resultados con informaci\u00f3n detallada sobre cada controlador de dominio probado. Por ejemplo:<\/font><\/p>\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\"><font color=\"#ff0000\" face=\"OCR A Extended\">DCDIAG \/TEST:DNS<\/font> para validar el estado de DNS. <\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\"><font color=\"#ff0000\" face=\"OCR A Extended\">DCDIAG \/CheckSecurityError<\/font> para detectar configuraciones de seguridad que pueden ocasionar que la r\u00e9plica de Active Directory tenga errores.<\/font><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\"><font size=\"2\">Por ejemplo, si queremos chequear con \u00e9sta herramienta es que el DC haya registrado correctamente en los DNS los registros necesarios para que sea reconocido y anunciado en el Active Directory como un DC v\u00e1lido, debemos ejecutar lo siguiente: <\/font><\/p>\n<ul>\n<li>\n<div align=\"justify\"><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">dcdiag \/test:registerindns \/dnsdomain:FQDN \/v<\/font><\/div>\n<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.radians.com.ar\/Articulos\/Images\/f159eb42e9c9_8DEE\/DCDiag_DNS.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-bottom: 0px; border-left: 0px; margin: 5px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px\" title=\"www.radians.com.ar \u00a9 2012\" border=\"0\" alt=\"www.radians.com.ar \u00a9 2012\" src=\"http:\/\/www.radians.com.ar\/Articulos\/Images\/f159eb42e9c9_8DEE\/DCDiag_DNS_thumb.png\" width=\"544\" height=\"204\" \/><\/a><\/p>\n<p><font size=\"2\">La sintaxis de este comando es la siguiente:<\/font><\/p>\n<blockquote>\n<p><font face=\"OCR A Extended\"><font size=\"2\"><font color=\"#ff0000\"><strong>dcdiag<\/strong><strong>\/s:<\/strong><em>DomainController<\/em> [<strong>\/n:<\/strong><em>NamingContext<\/em>] [<strong>\/u:<\/strong><em>Domain<\/em>\\<em>UserName <\/em><strong>\/p:<\/strong>{<strong>*<\/strong> | <em>Password<\/em> | <strong>&quot;&quot;<\/strong>}] [{<strong>\/a<\/strong> | <strong>\/e<\/strong>}] [{<strong>\/q<\/strong> | <strong>\/v<\/strong>}] [<strong>\/i<\/strong>] [<strong>\/f:<\/strong><em>LogFile<\/em>] [<strong>\/ferr:<\/strong><em>ErrLog<\/em>] [<strong>\/c<\/strong> [<strong>\/skip:<\/strong><em>Test<\/em>]] [<strong>\/test:<\/strong><em>Test<\/em>] [<strong>\/fix<\/strong>] [{<strong>\/h<\/strong> | <strong>\/?<\/strong>}] [<strong>\/ReplSource:<\/strong><em>SourceDomainController<\/em>]<\/font><\/font><\/font><\/p>\n<h4>Parameters<\/h4>\n<ul>\n<li><strong><strong>\/s:<\/strong><em>DomainController : <\/em><\/strong>Uses <em>DomainController<\/em> as the home server. This parameter is required. It is ignored for DcPromo and RegisterInDns tests which can only be run locally.<\/li>\n<li><strong><strong>\/n:<\/strong><em>NamingContext : <\/em><\/strong>Uses <em>NamingContext<\/em> as the naming context to test. Domains may be specified in NetBIOS, DNS or distinguished name format. <\/li>\n<li><strong><strong>\/u:<\/strong><em>Domain<\/em>\\<em>UserName <\/em><strong>\/p:<\/strong>{<strong>* <\/strong>| <em>Password <\/em>| <strong>&quot;&quot;<\/strong>} : U<\/strong>ses <em>Domain<\/em>\\<em>UserName<\/em>DCDiag uses the process&#8217;s or users default credentials. If alternate credentials are needed, use the following options to provide those credentials for binding with <em>Password<\/em> as the password. Use <strong>&quot;&quot;<\/strong> for an empty or null password, or the wildcard character (<strong>*<\/strong>) to prompt for the password. <\/li>\n<li><strong><strong>\/a : <\/strong><\/strong>Tests all the servers on this site. <\/li>\n<li><strong><strong>\/e : <\/strong><\/strong>Tests all the servers in the entire enterprise. Overrides <strong>\/a<\/strong>. <\/li>\n<li><strong><strong>\/q : <\/strong><\/strong>Quiet. Prints only error messages. <\/li>\n<li><strong><strong>\/v : <\/strong><\/strong>Verbose. Prints extended information. <\/li>\n<li><strong><strong>\/i : <\/strong><\/strong>Ignores superfluous error messages. <\/li>\n<li><strong><strong>\/fix : <\/strong><\/strong>Only affects the <em>MachineAccount<\/em> test. It causes the test to fix the SPNs (Service Principal Names) on the domain controller&#8217;s Machine Account Object. <\/li>\n<li><strong><strong>\/f:<\/strong><em>LogFile : <\/em><\/strong>Redirects all output to <em>LogFile<\/em>. The <strong>\/f<\/strong> parameter operates independently of <strong>\/ferr<\/strong>. <\/li>\n<li><strong><strong>\/ferr:<\/strong><em>ErrLog : <\/em><\/strong>Redirects fatal error output to a separate file <em>ErrLog<\/em>. The <strong>\/ferr<\/strong> parameter operates independently of <strong>\/f<\/strong>. <\/li>\n<li><strong><strong>\/c : <\/strong><\/strong>Comprehensive. Runs all tests except <strong>DCPromo<\/strong> and <strong>RegisterInDNS<\/strong>, including non-default tests. Optionally, can be used with <strong>\/skip<\/strong> to skip specified tests. The following tests are not run by default: <strong>Topology<\/strong><strong>CutoffServers<\/strong><strong>OutboundSecureChannels<\/strong><\/li>\n<li><strong>{ <strong>\/h <\/strong>| <strong>\/?<\/strong>}&#160; :<\/strong>Displays a syntax screen at the command prompt.<\/li>\n<li><strong><strong>\/test:<\/strong><em>Test : <\/em><\/strong>Runs only this test. The nonskippable test <strong>Connectivity<\/strong> is also run. Should not be run in the same command with <strong>\/skip<\/strong>.<strong>         <br \/><\/strong>* All tests except <strong>DcPromo<\/strong> and <strong>RegisterInDNS<\/strong> must be run on computers that have been promoted to domain controller.        <br \/>* The test <strong>CheckSecurityError<\/strong> is available only in the version of Dcdiag that is included with Windows Support Tools in Windows Server 2003 Service Pack 1 (SP1) and must be run on a domain controller that is running Windows Server 2003 with SP1.<\/li>\n<li><strong><strong>\/ReplSource:<\/strong><em>SourceDomainController : <\/em><\/strong>Option for <strong>\/test:CheckSecurityError<\/strong>. Tests the connection between the domain controller on which you run the command and the source domain controller. <em>SourceDomainController<\/em> is the DNS name, NetBIOS name, or distinguished name of a real or potential &quot;from&quot; server that is represented by a real or potential connection object.<\/li>\n<\/ul>\n<\/blockquote>\n<p align=\"justify\"><font size=\"2\">El par\u00e1metro <font color=\"#ff0000\" face=\"OCR A Extended\">CheckSecurityError<\/font> se puede realizar en uno o en todos los controladores de dominio de un bosque de Active Directory, y realiza las siguientes operaciones:<\/font><\/p>\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">Comprueba la disponibilidad de un Centro de distribuci\u00f3n de claves (KDC) en los dominios de los controladores de dominio de origen y destino.<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Comprueba que el controlador de dominio de destino puede transmitir y recibir paquetes con formato UDP suficientemente grandes (que utiliza Kerberos).<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Comprueba que el reloj del sistema del controlador de dominio de destino no tiene una diferencia de m\u00e1s de 5 minutos respecto de la hora del sistema del KDC en el dominio de destino y origen, y el controlador de dominio de origen.<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Confirma que la ra\u00edz de cada contexto de asignaci\u00f3n de nombres del controlador de dominio de origen est\u00e1 configurada con el permiso necesario.<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Confirma que las cuentas de equipo de los controladores de dominio de origen y destino no est\u00e1n deshabilitadas, son de confianza para la delegaci\u00f3n y contienen todos los nombres principales de servicio requeridos.<\/font><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\"><font size=\"2\">Una vez terminada la prueba, DCDiag.exe presenta el resumen de los resultados de cada controlador de dominio probado y el diagn\u00f3stico de los errores de seguridad encontrados. La l\u00ednea de comando seria: <font color=\"#ff0000\" face=\"OCR A Extended\">Dcdiag \/test:CheckSecurityError <\/font><\/font><\/p>\n<p align=\"justify\"><font size=\"2\">La lista de test que podemos hacer es bastante extensa, el \u00fanico test que no puede ser evitado es el de conectividad, el resto si. La lista seria la siguiente:<\/font><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"2\" width=\"450\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font style=\"font-weight: normal\" size=\"2\">Connectivity<\/font><\/div>\n<\/li>\n<p> <!--EndFragment--><\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li><font size=\"2\">ObjectsReplicated<\/font><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">Replications<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li><font size=\"2\">frssysvol<\/font><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">NCSecDesc<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li><font size=\"2\">frsevent<\/font><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">NetLogons<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li><font size=\"2\">kccevent<\/font><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">Advertising<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">systemlog<\/font><\/div>\n<\/li>\n<p> <!--EndFragment--><\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">KnowsOfRoleHolders<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">CheckSDRefDom<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">Intersite<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">VerifyReplicas<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">FSMOCheck<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">CrossRefValidation<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">RidManager<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">VerifyReferences<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">MachineAccount<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">VerifyEnterpriseReferences<\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li><font size=\"2\">Services<\/font><\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">\/skip:<em>Test<\/em><\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<ul>\n<li><font size=\"2\">OutboundSecureChannels<\/font><\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p align=\"justify\">Los test que no se ejecutan por defecto son:<\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"2\" width=\"450\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"225\"><strong><strong><font size=\"2\">Topology<\/font><\/strong><\/strong><\/td>\n<td valign=\"top\" width=\"225\">\n<dt>\n<div align=\"justify\"><strong><strong><font size=\"2\">OutboundSecureChannels<\/font><\/strong><\/strong><\/div>\n<\/dt>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\"><strong><strong><font size=\"2\">CheckSecurityError<\/font><\/strong><\/strong><\/td>\n<td valign=\"top\" width=\"225\">\n<dt>\n<div align=\"justify\"><strong><strong><font size=\"2\">VerifyReplicas<\/font><\/strong><\/strong><\/div>\n<\/dt>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\"><strong><strong><font size=\"2\">CutoffServers<\/font><\/strong><\/strong><\/td>\n<td valign=\"top\" width=\"225\">\n<dt>\n<div align=\"justify\"><strong><strong><font size=\"2\">VerifyEnterpriseReferences<\/font><\/strong><\/strong><\/div>\n<\/dt>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"225\">\n<dt>\n<div align=\"justify\"><strong><strong><font size=\"2\">DNS <\/font><\/strong><\/strong><\/div>\n<\/dt>\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\"><strong>\/DnsBasic<\/strong><\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\"><strong>\/DnsForwarders<\/strong> <\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\"><strong>\/DnsDelegation<\/strong> <\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\"><strong>\/DnsDymanicUpdate<\/strong><\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\"><strong>\/DnsRecordRegistration<\/strong><\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\"><strong>\/DnsResolveExtName<\/strong><\/font><\/div>\n<\/li>\n<\/ul>\n<\/td>\n<td valign=\"top\" width=\"225\">\n<dt>\n<div align=\"justify\">&#160;<\/div>\n<\/dt>\n<dt>\n<div align=\"justify\">&#160;<\/div>\n<\/dt>\n<dt>\n<div align=\"justify\"><\/div>\n<\/dt>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p align=\"justify\"><font size=\"2\">Y los Non-Domain Controller tests:<\/font><\/p>\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">DcPromo<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">RegisterInDNS<\/font><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\"><font size=\"2\">Algunos ejemplos para verificar nuestros DNS podr\u00edan ser:<\/font><\/p>\n<ul>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar todas las pruebas de DNS en un \u00fanico controlador de dominio en modo no detallado: <\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/s:nombreDeControladorDeDominioDeDestino          <br \/>\/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar todas las pruebas de DNS en un \u00fanico controlador de dominio en modo detallado: <\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/s:nombreDeControladorDeDominioDeDestino&#160; <br \/>\/v \/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar todas las pruebas de DNS en todo el bosque en modo no detallado:         <br \/><font color=\"#ff0000\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/e \/f:nombreDeArchivoDeRegistro<\/font><\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar todas las pruebas de DNS en todo el bosque en modo detallado:         <br \/><font color=\"#ff0000\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/v \/e \/f:nombreDeArchivoDeRegistro<\/font><\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar la prueba b\u00e1sica de DNS en un \u00fanico controlador de dominio:         <br \/><\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/DnsBasic \/s:nombreDeControladorDeDominioDeDestino         <br \/>\/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar la prueba de reenviadores de DNS en un \u00fanico controlador de dominio:         <br \/><\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/DnsForwarders \/s:nombreDeControladorDeDominioDeDestino         <br \/> \/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar la prueba de delegaci\u00f3n de DNS en un \u00fanico controlador de dominio:         <br \/><\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/DnsDelegation \/s:nombreDeControladorDeDominioDeDestino         <br \/> \/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar la prueba de actualizaci\u00f3n din\u00e1mica de DNS en un \u00fanico controlador de dominio:         <br \/><\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/DnsDynamicUpdate \/s:nombreDeControladorDeDominioDeDestino         <br \/>\/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para ejecutar la prueba de inscripci\u00f3n de registros de DNS en un \u00fanico controlador de dominio: <\/font><font color=\"#ff0000\" size=\"2\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/DnsRecordRegistration \/s:nombreDeControladorDeDominioDeDestino         <br \/> \/f:nombreDeArchivoDeRegistro<\/font><\/div>\n<\/li>\n<li>\n<div align=\"justify\"><font size=\"2\">Para resolver un nombre de Internet o intranet de ejemplo:         <br \/><font color=\"#ff0000\" face=\"OCR A Extended\">Dcdiag \/test:DNS \/DnsResolveExtName \/DnsInternetName:nombreDeInternet \/f: nombreDeArchivoDeRegistro<\/font><\/font><\/div>\n<\/li>\n<\/ul>\n<p align=\"justify\"><font size=\"2\">Si ejecutamos esta herramienta en un DC normal, deber\u00edamos tener la siguiente salida: <font color=\"#ff0000\" face=\"OCR A Extended\">dcdiag \/s:SRVDC1 \\administrator password<\/font><\/font><\/p>\n<blockquote>\n<p><font face=\"OCR A Extended\">Domain Controller Diagnosis       <br \/><\/font><font face=\"OCR A Extended\">Performing initial setup:       <br \/>&#160;&#160; Done gathering initial info.        <br \/><\/font><font face=\"OCR A Extended\">Doing initial required tests       <br \/><\/font><font face=\"OCR A Extended\">&#160;&#160; Testing server: Default-First-Site-Name\\SRVDC1       <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: Connectivity        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test Connectivity        <br \/><\/font><font face=\"OCR A Extended\">Doing primary tests       <br \/><\/font><font face=\"OCR A Extended\">&#160;&#160; Testing server: Default-First-Site-Name\\SRVDC1       <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: Replications        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test Replications        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: NCSecDesc        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test NCSecDesc        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: NetLogons        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test NetLogons        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: Advertising        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test Advertising        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: KnowsOfRoleHolders        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test KnowsOfRoleHolders        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: RidManager        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test RidManager        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: MachineAccount        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test MachineAccount        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: Services        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test Services        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: ObjectsReplicated        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test ObjectsReplicated        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: frssysvol        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test frssysvol        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: kccevent        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 passed test kccevent        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: systemlog        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 01:28:25        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 01:40:30        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 01:43:30        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 01:58:46        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 02:02:11        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 02:05:11        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; An Error Event occured.&#160; EventID: 0xC25A001D        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Time Generated: 2\/10\/2012&#160;&#160; 02:10:51        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Event String: The time provider NtpClient is configured to        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. SRVDC1 failed test systemlog        <br \/>&#160;&#160; Running partition tests on : Schema        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: DeadCRTest        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. Schema passed test DeadCRTest        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: CheckSDRefDom        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. Schema passed test CheckSDRefDom        <br \/>&#160;&#160; Running partition tests on : Configuration        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: DeadCRTest        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. Configuration passed test DeadCRTest        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: CheckSDRefDom        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. Configuration passed test CheckSDRefDom        <br \/>&#160;&#160; Running partition tests on : RADIANS-DOM        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: DeadCRTest        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. RADIANS-DOM passed test DeadCRTest        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: CheckSDRefDom        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. RADIANS-DOM passed test CheckSDRefDom        <br \/>&#160;&#160; Running enterprise tests on : RADIANS-DOM.radians.com.ar        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: Intersite        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. RADIANS-DOM.radians.com.ar passed test Intersite        <br \/>&#160;&#160;&#160;&#160;&#160; Starting test: FsmoCheck        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. RADIANS-DOM.radians.com.ar passed test FsmoCheck<\/font><\/p>\n<\/blockquote>\n<p align=\"justify\"><font size=\"2\">Alg\u00fan error de los roles FSMO podr\u00eda ser:<\/font><\/p>\n<blockquote>\n<p><font face=\"OCR A Extended\">&#160;&#160;&#160;&#160;&#160; Starting test: FsmoCheck       <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1717        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A Global Catalog Server could not be located &#8211; All GC&#8217;s are down.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1717        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A Primary Domain Controller could not be located.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; The server holding the PDC role is down.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Warning: DcGetDcName(TIME_SERVER) call failed, error 1717        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A Time Server could not be located.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; The server holding the PDC role is down.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1717        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A Good Time Server could not be located.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1717        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A KDC could not be located &#8211; All the KDCs are down.        <br \/>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; &#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;. RADIANS-DOM.radians.com.ar failed test FsmoCheck<\/font><\/p>\n<\/blockquote>\n<p align=\"justify\"><font size=\"2\">Tambi\u00e9n tenemos disponibles algunos fixes, como ser (si es que no tenemos el SP1 en Windows Server 2008):<\/font><\/p>\n<ul>\n<li><a href=\"http:\/\/support.microsoft.com\/default.aspx?scid=kb;en-US;2401600\"><font size=\"2\">KB2401600 The Dcdiag.exe VerifyReferences test fails on an RODC that is running Windows Server 2008 R2<\/font><\/a><font size=\"2\"> <\/font><\/li>\n<li><a href=\"http:\/\/support.microsoft.com\/default.aspx?scid=kb;EN-US;979294\"><font size=\"2\">KB979294 The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7<\/font><\/a><font size=\"2\"> <\/font><\/li>\n<li><a href=\"http:\/\/support.microsoft.com\/default.aspx?scid=kb;EN-US;978387\"><font size=\"2\">KB978387 FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621<\/font><\/a><font size=\"2\"> <\/font><\/li>\n<\/ul>\n<p align=\"justify\"><font size=\"2\">En definitiva, esta herramienta es sumamente importante para los diagn\u00f3sticos, y fundamentalmente para los administradores de DNS y para los administradores de controladores de dominio. Incluye funciones de r\u00e9plica para identificar configuraciones de seguridad que pueden hacer que la r\u00e9plica de Active Directory tenga errores.&#160; Y no debemos dejarla de lado, ya que cuando realmente tengamos un problema grave, esta herramienta ser\u00e1 nuestro principal aliado para arreglarlo.<\/font><\/p>\n<p align=\"justify\"><font size=\"2\">Espero que les sea de inter\u00e9s y utilidad. Saludos, Roberto Di Lello.<\/font><\/p>\n<h2 align=\"justify\">Mas Informaci\u00f3n:<\/h2>\n<ul>\n<li>\n<div align=\"justify\"><a title=\"http:\/\/technet.microsoft.com\/es-es\/library\/cc758753(WS.10).aspx\" href=\"http:\/\/technet.microsoft.com\/es-es\/library\/cc758753(WS.10).aspx\">Mas ejemplos del DCDiag<\/a><\/div>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hoy vamos a hablar de una herramienta fundamental para nuestra Arquitectura de Directory Services (Active&#8230;<\/p>\n","protected":false},"author":1,"featured_media":4291,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[12,11],"tags":[],"class_list":["post-1539","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-2003-r2","category-2008-r2"],"_links":{"self":[{"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1539"}],"version-history":[{"count":2,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1539\/revisions"}],"predecessor-version":[{"id":1541,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1539\/revisions\/1541"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=\/wp\/v2\/media\/4291"}],"wp:attachment":[{"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.radians.com.ar\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}