In this article, you will learn how to use command-line utilities such as Dcdiag and Nslookup to perform a domain controller health check.
Many posts ask how to check that DNS is working properly, how to test internal DNS details or DNS performance, and so on.
Quick way to check DNS Health
Firstly, verify that forward/reverse lookups work as expected.
Then examine the output of dcdiag /v /c
Lastly, monitor the DNS logs.
How to test DNS with DCDiag Command
You have various command line switches that can be used with Dcdiag.
Get an overview of the switches:
/s: this can be used to run Dcdiag against a remote server
/v: to get more detailed information about each test
/c: this will run all tests
/q: this switch will only print errors
/f: this switch can be used to redirect the results to a file
Some Dcdiag switches for testing DNS:
/DnsBasic (for basic tests)
/DnsForwarders
/DnsDelegation
/DnsDynamicUpdate
/DnsRecordRegistration
/DnsResolveExtName (for external name resolution test)
/DnsAll (for all the tests mentioned above)
/DnsInternetName:<internet name>
Examples of Dcdiag command lines
dcdiag /s:DC1 (This command will run all the DC tests against the remote server DC1)
For local server – /s:servername
dcdiag /s:DC1 /v (as above, but the verbose switch displays more details about each test)
dcdiag /s:DC1 /f:c:\it\dcdiag_test.txt (This can be used to save the results to a text file, useful for logging results)
dcdiag /s:DC1 /a (useful for testing multiple domain controllers at once)
dcdiag /s:DC1 /q (displays the errors)
dcdiag /s:DC1 /c /v /f:c:\it\dcdiag_test.txt (a very useful command line that runs all tests, displays all the details, and saves the results to a text file)
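The report saved with /f: can be checked automatically instead of being read by eye. The PowerShell below is an added example, not part of the original article: it assumes English-language dcdiag output, where each test ends in a dotted "passed test" or "failed test" line, and the function name Get-DcdiagResult and the sample report are constructed for illustration.

```powershell
# Added example: summarise a dcdiag report (English-language output assumed).
function Get-DcdiagResult {
    param([string[]]$Line)

    # Result lines look like: "......... DC1 passed test Connectivity"
    $pattern = '^\s*\.{5,}\s+(?<Target>\S+)\s+(?<Outcome>passed|failed)\s+test\s+(?<Test>\S+)\s*$'

    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Target = $Matches['Target']   # server, partition or domain tested
                Test   = $Matches['Test']
                Passed = ($Matches['Outcome'] -eq 'passed')
            }
        }
    }
}

# Constructed sample report, shaped like the file written by /f:
$sample = @'
Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: DNS
         ......................... DC1 failed test DNS
'@ -split '\r?\n'

# For a real report: Get-DcdiagResult -Line (Get-Content 'c:\it\dcdiag_test.txt')
$results = @(Get-DcdiagResult -Line $sample)
$failed  = @($results | Where-Object { -not $_.Passed })

'{0} tests parsed, {1} failed' -f $results.Count, $failed.Count
$failed | Format-Table Target, Test -AutoSize
```

Run on a schedule against the saved report, a non-zero failed count is the condition to alert on.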
NSLookup Syntax to test
Just open a command prompt, type nslookup, and press Enter.
IP to Domain Name (PTR Record Lookup)
To find the domain name for an IP address, use this command; you must know the IP address.
nslookup 8.8.8.8
Domain to IP Address (A Record Lookup)
Use the command below to find the IP address of a domain name.
nslookup domainname
MX Lookup
An MX record lookup finds the mail server that is responsible for accepting email for the domain.
type nslookup, hit enter
type set q=mx, hit enter
type the domain, hit enter
SOA Record Lookup
SOA stands for Start of Authority. The SOA record indicates which DNS server is the best source of information for the domain.
An SOA record lookup returns the primary name server, the responsible mail address, the default TTL, and much more.
type nslookup, hit enter
type set q=SOA, hit enter
type the domain name, hit enter
CNAME
set q=cname
Name Server
To get the name servers of a domain, use the commands below.
type nslookup, hit enter
type set q=ns, hit enter
type the domain to query, hit enter
Using an alternative DNS Server
A crucial command for troubleshooting. Use your ISP's DNS server or Google's to see whether your internal DNS is returning different results from an external DNS server.
type nslookup, hit enter
type server DNS-Server-IP, hit enter
type the domain name, hit enter
Using Verbose
Use the commands below to turn on debug, which gives you detailed information about the resource record, such as the primary name server, mail address, default TTL, and much more.
nslookup
set debug
Monitoring DNS
Areas to focus on while monitoring DNS:
- DCdiag Command results
- NS records
- IP addresses
- MX and SRV records
Tips for troubleshooting DNS Issues
1. Make sure that you have connectivity to the DNS server.
2. Check whether it is just one, two, or many devices that have name resolution issues.
3. Use NSLookup to test and verify DNS records on the local server.
4. Use DCDiag to check the AD Health.
5. Scan for viruses/malware.
6. Check the client's hosts file.
7. Flush DNS Cache – ipconfig /flushdns
Conclusion
I hope this article helped you understand the DCdiag and NSLookup commands and how they can be used to verify and troubleshoot DNS problems. Please share your thoughts in the comments.