DNS Server Health Test

If the DNS component of the AD server is unable to provide domain name resolution services, then users may be denied access to their mission-critical servers managed by the AD server. Under such circumstances, you may want to quickly check what is stalling the operations of DNS, so that the source of the issue can be isolated and eliminated.

DCDIAG is a command-line tool that encapsulates detailed knowledge of how to identify abnormal behavior in the system. The tool analyzes the state of one or all domain controllers in a forest and reports any problems to assist in troubleshooting. It consists of a framework for executing tests and a series of tests to verify different functional areas of the system.

DCDIAG also performs seven DNS-centric health checks to report on the overall DNS health of the domain controllers. To know the current status of each of these seven health checks, use the DNS Server Health test. The periodic health reports provided by the DNS Server Health test will enable administrators to proactively isolate potential DNS-related issues with their domain controllers, determine the reason for these issues, and work towards preventing them.

Target of the test : An Active Directory or Domain Controller on Windows

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every Active Directory being monitored

Configurable parameters for the test
Parameters Description

Test period

Indicates how often the test should be executed.

Host

The IP address of the machine where the Active Directory is installed.

Port

The port number through which the Active Directory communicates. The default port number is 389.

Use DNSBasic

In some environments, when the DCDIAG command is executed on the domain controllers, this test may not report metrics if the Forwarder test fails because a forwarder is not configured in the target environment or is not working properly. In such cases, set the Use DNSBasic flag to Yes. By default, this flag is set to No.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability.
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Authentication

This test is run by default and checks the following:

  • Are domain controllers registered in DNS?
  • Can they be pinged?
  • Do they have Lightweight Directory Access Protocol/Remote Procedure Call (LDAP/RPC) connectivity?

This measure reports the current status of the Authentication or Connectivity test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.

Basic

The basic DNS test confirms the following:

  1. Whether the DNS client, Netlogon, KDC, and DNS Server services are running and available on the domain controllers tested by DCDIAG.
  2. Whether the DNS servers on all adapters are reachable.
  3. Whether the A record of each domain controller is registered on at least one of the DNS servers configured on the client.
  4. If a domain controller is running the DNS Server service, whether the Active Directory domain zone and SOA record for the Active Directory domain zone are present.
  5. Whether the root (.) zone is present.

 

This measure reports the current status of the Basic test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.

Forwarders

 

The forwarder test determines whether recursion is enabled. If forwarders or root hints are configured, the forwarder test confirms that all forwarders or root hints on the DNS server are functioning, and also confirms that the _ldap._tcp.<Forest root domain> DC Locator record is resolved.

This measure reports the current status of the Forwarder test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.

Delegations

The delegation test confirms that the delegated name server is a functioning DNS Server. The delegation test checks for broken delegations by ensuring that all NS records in the Active Directory domain zone in which the target domain controller resides have corresponding glue A records.

This measure reports the current status of the Delegation test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.

Dynamic update

The dynamic update test confirms that the Active Directory domain zone is configured for secure dynamic update and performs registration of a test record (_dcdiag_test_record).

This measure reports the current status of the Dynamic Update test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.

Record registration

The record registration test verifies the registration of all essential DC Locator records on all DNS Servers configured on each adapter of the domain controllers.

This measure reports the current status of the Record Registration test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.

Resolve external name

The external name resolution test verifies basic resolution of external DNS from a given client, using a sample Internet name (www.microsoft.com) or a user-provided Internet name.

This measure reports the current status of the External name resolution test.

 

The values that this measure reports and their corresponding numeric values have been discussed in the table below:

Measure Value    Numeric Value
Pass             1
Fail             0
Warning          2

Note:

By default, the measure reports the Measure Values listed in the table above to indicate the status of a DCDIAG health check. However, in the graph of this measure, the same will be represented using the numeric equivalents only. 

If the measure reports the value Fail or Warning, you can use the detailed diagnosis of this measure to know the reason for the failure/warning. This eases the pain involved in troubleshooting problem conditions.
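
The seven measures above correspond to the per-domain-controller summary that DCDIAG prints at the end of its DNS test. The following is an added example, not eG Enterprise code: it parses such a summary and applies the Pass/Fail/Warning numeric mapping from this page. The summary layout, the column abbreviations, the PASS/FAIL/WARN/n/a tokens and the names corp.example, dc01 and dc02 are assumptions of the constructed sample.

```python
# Numeric values from the page's table: Pass 1, Fail 0, Warning 2.
NUMERIC = {"PASS": 1, "FAIL": 0, "WARN": 2}
STATUSES = set(NUMERIC) | {"n/a"}

# Assumed column abbreviations of the DCDIAG summary, paired with the
# measure names used on this page (same order).
COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
NAMES = ["Authentication", "Basic", "Forwarders", "Delegations",
         "Dynamic update", "Record registration", "Resolve external name"]
MEASURES = dict(zip(COLUMNS, NAMES))

# Constructed sample modelled on the summary section of DCDIAG DNS output.
SAMPLE = """\
   Summary of DNS test results:

                                      Auth Basc Forw Del  Dyn  RReg Ext
      _________________________________________________________________
      Domain: corp.example
         dc01                         PASS PASS FAIL PASS WARN PASS n/a
         dc02                         PASS PASS n/a  n/a  n/a  n/a  n/a
"""

def parse_dns_summary(text):
    """Return {dc_name: {measure: 1 | 0 | 2 | None}} from a DNS summary."""
    header, results = None, {}
    for line in text.splitlines():
        tokens = line.split()
        if header is None:
            # The header row is the line listing every column abbreviation.
            if tokens == COLUMNS:
                header = tokens
            continue
        # A result row is a DC name followed by one status per column.
        if len(tokens) == len(header) + 1 and set(tokens[1:]) <= STATUSES:
            results[tokens[0]] = {
                MEASURES[col]: NUMERIC.get(status)  # n/a (not run) -> None
                for col, status in zip(header, tokens[1:])
            }
    return results

def failing_measures(results):
    """List (dc, measure, value) for every Fail (0) or Warning (2)."""
    return [(dc, measure, value)
            for dc, row in results.items()
            for measure, value in row.items() if value in (0, 2)]
```

A column reported as n/a is returned as None rather than 0, so a health check that was not run is not mistaken for a failed one.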