Monitoring DNS Health Check & Best Practice Analyzer

In this article, you will learn how to use command line utilities like; Dcdiag, Nslookup, etc to perform a domain controller health check.

Several post seen where people looking solution for – how to check DNS working perfectly, how to test the internal DNS details or performance of DNS, etc..

Quick way to check DNS Health

Firstly, verify that forward/reverse lookups work as expected.
Then examine the output of dcidag /v /c
Lastly, Monitor DNS logs.

You may also like it - Most Important Group Policy Settings for Preventing Security Breaches

How to test DNS with DCDiag Command

You have various command line switches that can be used with Dcdiag.

Get an overview of the switches:

/s: this can be used to run Dcdiag against a remote server

/v: to get more detailed information about each test

/c: this will run all tests

/q: this switch will only print errors

/f: this switch can be used to redirect the results to a file

List of some DCdiag command line to test DNS:

/DnsBasic (for basic tests)





/DnsResolveExtName (for external name resolution test)

/DnsAll (for all the test mention above)

/DnsInternetName:<internet name>

Example of DCdiag command line

dcdiag /s:DC1 (This command will run all the DC tests against the remote server DC1)

For local server – /s:servername

dcdiag /s:DC1  /v (as like above this verbose switch will displays more details about each test)

dcdiag /s:DC1 /f:c:\it\dcdiag_test.txt (This can be used to save the results to a text file, useful for logging results)

dcdiag /s:DC1 /a (useful for multiple domain controllers test at once)

dcdiag /s:DC1 /q (display the errors)

dcdiag /s:DC1 /c /v /f:c:\it\dcdiag_test.txt (very useful command line to run all tests, displays all the details, and save results in txt file)

NSLookup Syntax to test

Just open cmd prompt and type nslookup and press enter

IP to Domain Name  (PTR Record Lookup)

Want to find the domain name, use this command but you must know the IP address.


Domain to IP Address  (A Record Lookup)

Use the below cammand to find the IP address of a domain name.

nslookup domainname

MX Lookup

By using MX record lookup you will find the mail server that is responsible for accepting email for the domain.

nslookup hit enter

set q=mx hit enter

type domain, hit enter

SOA Record Lookup

SOA stands for – Start of Authority, SOA record indicates which DNS server is the best source of information for the domain.

SOA Record Lookup will return the primary name server, responsible mail addresses, default ttl and much more.

type nslookup hit enter

type set q=SOA hit enter

type domain name, hit enter


set q=cname

Name Server

To get the name server a domain using use below command.

type nslookup hit enter

type set q=ns hit enter

type in domain to query hit enter

Using an alternative DNS Server

Crucial command for troubleshooting. Use your ISP DNS or Google to see if your internal DNS is returning different results for external DNS server.

nslookup hit enter

 server=DNS-Server-IP hit enter

type in domain name hit enter

Using Verbose

Use the below command to trun on debug, which will lets you detailed information about the resource record such as primary name server, mail address, default TTL, and much more.


set debug

Monitoring DNS

Areas to focus while monitoring DNS:

  • DCdiag Command results
  • NS records
  • IP addresses
  • MX and SRV records

Tips for troubleshooting DNS Issues

  1. Make sure that you have connectivity to the DNS server.

2. Check weather it just one, two, or many devices that have name resolution issues.

3. Use NSLookup to test and verify DNS records on local server.

4. Use DCDiag to check the AD Health.

5. Scan for viruses/malware.

6. Check the client’s host file.

7. Flush DNS Cache – ipconfig /flushdns


I hope this article helped you understand the DCdiag command and NSLookup and how it can be used to verify and troubleshoot DNS Problems. Please share your thoughts on comments.

Leave a Comment

one × four =