What does DFSDiag do?

So you have heard about a tool DFSDiag which is meant to be used to help you diagnose your DFS Namespace. You just type DFSDiag.exe and...

voilà you got the list of the commands you can use. Oh yes you also have the “DFSDIAG_ERROR” message, but that’s because DFSDiag expect one of the commands that it has implemented. Ok let me try to explain the options you have:

/testdcs:
With this you can check the configuration of the domain controllers. It performs the following tests:

• Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
• Check for the support of site-costed referrals for NETLOGON and SYSVOL.
• Verify the consistency of site association by hostname and IP address on each DC.

To run this command against your domain Contoso.com just type:

DFSDiag /testdcs /domain:Contoso.com

If you omit the parameter /Domain, the tests are run against the Domain the machine is joined to.

/testsites:
Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

So for a machine you will be running something like:

DFSDiag /testsites /machine:MyServer

For a folder (link):

DFSDiag /testsites /dfspath:\\Contoso.com\MyNamespace\MyLink /full

For a root:

DFSDiag /testsites /dfspath:\\Contoso.com\MyNamespace /recurse /full

But hey what’s the meaning of “recurse” and “full”? Don’t panic these are a couple of parameters that run a more comprehensive test. /recurse applies only to a namespace root path, where it enumerates and verifies the site associations for all folder targets. /full verifies that AD DS and the registry of the server contain the same site association information

/testdfsconfig:
With this you can check the DFS namespace configuration. The tests that perform are:

• Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
• Verifies that the DFS registry configuration is consistent among namespace servers.
• Validates the following dependencies on clustered namespace servers that are running Windows 2008 (non supported for W2K3 clusters L):
• Namespace root resource dependency on network name resource.
• Network name resource dependency on IP address resource.
• Namespace root resource dependency on physical disk resource.

To run this you just need to type:

DFSDiag /testdfsconfig /dfsroot:\\Contoso.com\MyNamespace

/testdfsintegrity:
Used to check the namespace integrity. The tests performed are:

• Checks for DFS metadata corruption or inconsistencies between domain controllers
• In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
• Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).

To check the integrity of my namespace at contoso.com:

DFSDiag /testdfsintegrity /dfsroot:\\Contoso.com\MyNamespace

Additionally you can specify /full, /recurse, which in this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.

/testreferral:
Perform specific tests, depending on the type of referral being used.

• For Trusted Domain referrals, validates that the referral list includes all trusted domains.
• For Domain referrals, perform a DC health check as in /testdcs
• For Sysvol and Netlogon referrals perform the validation for Domain referrals and that it’s TTL has the default value (900s).
• For namespace root referrals, perform the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a Namespace integrity check (as in /testdfsintegrity).
• For DFS folder referrals, in addition to performing the same health checks as when you specify a namesapace root, this command validates the site configuration for folder target (DFSDiag /testsites) and validates the site association of the local host

Again for your namespace at contoso.com:

DFSDiag /testreferral /dfspath:\\Contoso.com\MyNamespace

There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.

A brief example of how DFSDiag can help you is to detect duplicate folders (links) in your deployment. For this you can use the command /testdfsintegrity with the /full flag and…

It will show you the “troublemaker” folders as in this case, where Link1 and Link2 are duplicated.

Ok these are the tests that DFSDiag performs; I hope this gives you a better understanding of what’s going on once you run the tool against your deployment!

See you,

John Angel Diaz