What does DFSDiag do?

What does DFSDiag do?

  • Comments 11
  • Likes

So you have heard about a tool DFSDiag which is meant to be used to help you diagnose your DFS Namespace. You just type DFSDiag.exe and...

clip_image001

voilà you got the list of the commands you can use. Oh yes you also have the “DFSDIAG_ERROR” message, but that’s because DFSDiag expect one of the commands that it has implemented. Ok let me try to explain the options you have:

/testdcs:
With this you can check the configuration of the domain controllers. It performs the following tests:

  • Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
  • Check for the support of site-costed referrals for NETLOGON and SYSVOL.
  • Verify the consistency of site association by hostname and IP address on each DC.

To run this command against your domain Contoso.com just type:

DFSDiag /testdcs /domain:Contoso.com

If you omit the parameter /Domain, the tests are run against the Domain the machine is joined to.

/testsites:
Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

So for a machine you will be running something like:

DFSDiag /testsites /machine:MyServer

For a folder (link):

DFSDiag /testsites /dfspath:\\Contoso.com\MyNamespace\MyLink /full

For a root:

DFSDiag /testsites /dfspath:\\Contoso.com\MyNamespace /recurse /full

But hey what’s the meaning of “recurse” and “full”? Don’t panic these are a couple of parameters that run a more comprehensive test. /recurse applies only to a namespace root path, where it enumerates and verifies the site associations for all folder targets. /full verifies that AD DS and the registry of the server contain the same site association information

/testdfsconfig:
With this you can check the DFS namespace configuration. The tests that perform are:

  • Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
  • Verifies that the DFS registry configuration is consistent among namespace servers.
  • Validates the following dependencies on clustered namespace servers that are running Windows 2008 (non supported for W2K3 clusters L):
    • Namespace root resource dependency on network name resource.
    • Network name resource dependency on IP address resource.
    • Namespace root resource dependency on physical disk resource.

To run this you just need to type:

DFSDiag /testdfsconfig /dfsroot:\\Contoso.com\MyNamespace

/testdfsintegrity:
Used to check the namespace integrity. The tests performed are:

  • Checks for DFS metadata corruption or inconsistencies between domain controllers
  • In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
  • Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).

To check the integrity of my namespace at contoso.com:

DFSDiag /testdfsintegrity /dfsroot:\\Contoso.com\MyNamespace

Additionally you can specify /full, /recurse, which in this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.

/testreferral:
Perform specific tests, depending on the type of referral being used.

  • For Trusted Domain referrals, validates that the referral list includes all trusted domains.
  • For Domain referrals, perform a DC health check as in /testdcs
  • For Sysvol and Netlogon referrals perform the validation for Domain referrals and that it’s TTL has the default value (900s).
  • For namespace root referrals, perform the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a Namespace integrity check (as in /testdfsintegrity).
  • For DFS folder referrals, in addition to performing the same health checks as when you specify a namesapace root, this command validates the site configuration for folder target (DFSDiag /testsites) and validates the site association of the local host

Again for your namespace at contoso.com:

DFSDiag /testreferral /dfspath:\\Contoso.com\MyNamespace



There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.

A brief example of how DFSDiag can help you is to detect duplicate folders (links) in your deployment. For this you can use the command /testdfsintegrity with the /full flag and…

clip_image002

It will show you the “troublemaker” folders as in this case, where Link1 and Link2 are duplicated.

Ok these are the tests that DFSDiag performs; I hope this gives you a better understanding of what’s going on once you run the tool against your deployment!

See you,

John Angel Diaz

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Our developer team colleagues at the File Cabinet have posted an interesting article on the DFSDIAG tool.

  • dfsdiag /testdcs gives an error on the last test of "Validating Site Association of <DC> in every DC."  It provides the error "DFSDIAG_WARNING - APPL - SiteName form IP - ::1 of <DC> in DC - <remote DC) is nULL while in ADSite it is <SiteName>.  This error repeats for every non-W2K8 DC in the domain.  I have unbound IPV6 and unchecked the IPv6 protocol, but the problem still is reported.  Why?

  • Hi Brian,

    Could you check if the site association of DC by hostname and IP address is the same across all other DCs?

  • does DFSdiag only work on 2008 Server, or can you use it on 2003 server?  It seems to be an improvement of the dfsrdiag.exe tool.

    TIA,

  • I checked the Sites/subnets.  All the DCs in the domain are in the same site.  The only difference is that the two DCs that have the warning are W2K3 and the one that is consistent is W2K8.

  • Hi

    Great reading your info on DFS and DFS Replication.

    With the replication are files verified as they are copied or is it dependant on later checks.

    Tom Cross

  • Heya

    Since blogs on the site thumbs up :)

    I have the exact same issue with the "is nULL while in ADSite it is <SiteName>. "

    Not on the Domain controllers but on one of our Mgmnt machins, and it can not access the DFSroot. Also unbound the IP6 interface, and tone tons of dfsutil/dfsdiag. All rendering in RPC server in unavailable.

    Before i unbounded the ip6 interface i did not have ::1 as ipaddress but instead the "deafult" ip6 IP net

    Best regards

  • Hello all, David here again. If you are reading this post, you likely have Distributed File System Namespaces

  • Hello all, David here again. If you are reading this post, you likely have Distributed File System Namespaces

  • Hello all, David here again. If you are reading this post, you likely have Distributed File System Namespaces

  • Hello all, David here again. If you are reading this post, you likely have Distributed File System Namespaces