TCP/IP Troubleshooting

Netdiag

Netdiag is a utility that helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network client and whether it is functional. These tests and the key network status information they expose give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because this tool does not require parameters or switches to be specified, support personnel and network administrators can focus on analyzing the output, rather than training users about tool usage.

Netdiag diagnoses network problems by checking all aspects of a host computer's network configuration and connections. Beyond troubleshooting TCP/IP issues, it also examines a host computer's Internetwork Packet Exchange (IPX) and NetWare configurations.

Run Netdiag whenever a computer is having network problems. The utility tries to diagnose the problem and can even flag problem areas for closer inspection. It can fix simple DNS problems with the optional /fix switch.

For more information about Netdiag, see Windows 2000 Support Tools Help. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the \Support\Tools folder of the Windows 2000 operating system CD.

Netdiag performs its tests by examining .dll files, output from other tools, and the system registry to find potential problem spots. It checks to see which network services or functions are enabled and then runs the network configuration tests listed in Table 3.5, in the order presented. If a computer is not running one of the services listed, the test is skipped.

Table 3.5 Netdiag Tests

Test Name | Function | Details
NDIS | Network Adapter Status | Lists the network adapter configuration details, including the adapter name, configuration, media, globally unique identifier (GUID), and statistics. If this test shows an unresponsive network adapter, the remaining tests are aborted.
IPConfig | IP Configuration | This test provides most of the TCP/IP information normally obtained from ipconfig /all, pings the DHCP and WINS servers, and checks that the default gateway is on the same subnet as the IP address.
Member | Domain Membership | Checks to confirm details of the primary domain, including computer role, domain name, and domain GUID. Checks to see if NetLogon service is started, adds the primary domain to the domain list, and queries the primary domain security identifier (SID).
NetBTTransports | Transports Test | Lists NetBT transports managed by the redirector. Prints error information if no NetBT transports are found.
Automatic Private IP Addressing (APIPA) | APIPA Address | Checks if any interface is using Automatic Private IP Addressing (APIPA).
IPLoopBk | IP Loopback Ping | Pings the IP loopback address of 127.0.0.1.
DefGw | Default Gateway | Pings all the default gateways for each interface.
NbtNm | NetBT Name Test | Similar to the nbtstat -n command. It checks that the workstation service name <00> is equal to the computer name. It also checks that the messenger service name <03> and server service name <20> are present on all interfaces and that none of these names are in conflict.
WINS | WINS Service Test | Sends NetBT name queries to all the configured WINS servers.
Winsock | Winsock Test | Uses the Windows Sockets WSAEnumProtocols() function to retrieve available transport protocols.
DNS | DNS Test | Checks whether DNS cache service is running, and whether this computer is correctly registered on the configured DNS servers. If the computer is a domain controller, DNS Test checks to see whether all the DNS entries in Netlogon.dns are registered on the DNS server. If the entries are incorrect and the /fix option is on, tries to re-register the domain controller record on a DNS server.
Browser | Redirector and Browser Test | Checks whether the workstation service is running. Retrieves the transport lists from the redirector and from the browser. Checks whether the NetBT transports are in the list of NetBT transports test. Checks whether the browser is bound to all the NetBT transports. Checks whether the computer can send mailslot messages. Tests both via browser and redirector.
DsGetDc | DC Discovery Test | First finds a generic domain controller from directory service, then finds the primary domain controller. Then, finds a Windows 2000 domain controller (DC). If the tested domain is the primary domain, checks whether the domain GUID stored in Local Security Authority (LSA) is the same as the domain GUID stored in the DC. If not, the test returns a fatal error; if the /fix option is on, DsGetDC tries to fix the GUID in LSA.
DcList | DC List Test | Gets a list of domain controllers in the domain from the directory services on an active domain controller (DC). If there is no DC info for this domain, tries to get a DC from DS (similar to the DsGetDc test). Tries to get an active DC as the target DC. Gets the DC list from the target DC. Checks the status of each DC. Adds all the DCs into the DC list of the tested domain. If the above sequence fails, uses the browser to obtain the DCs. Checks the status of all DCs and adds them to the DC list. If the DcAccountEnum registry entry option is enabled, Netdiag tries to get a DC list from the Security Accounts Manager (SAM) on the discovered DC.
Trust | Trust Relationship Test | Tests trust relationships to the primary domain only if the computer is a member workstation, member server, or a Backup Domain Controller (BDC) that is not a PDC emulator. Checks that the primary domain security identifier (SID) is correct. Contacts an active DC. Connects to the SAM server on the DC. Uses the domain SID to open the domain to verify whether the domain SID is correct. Queries info of the secure channel for the primary domain. If the computer is a BDC, reconnects to the PDC emulator. If the computer is a member workstation or server, sets secure channel to each DC on the DC list for this domain.
Kerberos | Kerberos Test | Tests Kerberos protocols only if the computer is a member computer or DC and the user is not logged onto a local account. Tests Kerberos protocols only when the user is logged onto a Windows 2000 domain account. Connects to LSA and looks up the Kerberos package. Gets the ticket cache of the Kerberos package. Checks if Kerberos package has a ticket for the primary domain and the local computer.
LDAP | Lightweight Directory Access Protocol (LDAP) Test | This per-domain test is run only if the DC is running DS. The computer must be a member computer or DC. NetDiag tests LDAP on all the active DCs found in the domain. It creates an LDAP connection block to the DC, then does a trivial search in the LDAP directory with three types of authentication: "unauthenticated", NTLM, and "Negotiate." If the /v (verbose) option is on, the LDAP test prints out the details of each entry retrieved.
Route | Route test | Displays the static and persistent entries in the routing table, including a destination address, subnet mask, gateway address, interface, and metric.
NetStat | NetStat test | Similar to Netstat tool. Displays statistics of protocols and current TCP/IP network connections.
Bindings | Bindings test | Lists all bindings, including interface name, lower module name, upper module name, whether the binding is currently enabled, and the owner of the binding.
WAN | WAN test | Displays the settings and status of current active remote access connections.
Modem | Modem test | Retrieves all the line devices that are available. Displays the configuration of each line device.
NetWare | NetWare test | Determines whether NetWare is using the directory tree or bindery logon process, determines the default context if NetWare is using the directory tree logon process, and finds the server to which the host attaches itself at startup.
IPX | IPX test | Examines the network's IPX configuration, including Frame Type, Network ID, RouterMTU and whether packet burst or source routing are enabled.
IPSec | IP Security test | Tests whether IP security is enabled and displays a list of active IPSec policies.
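
Two of the checks in Table 3.5 (IPConfig: the default gateway is on the same subnet as the IP address; APIPA: an interface is using an automatically assigned private address) can be reproduced offline against inventoried interface settings. The Python below is an added example, not Netdiag's own code; the interface names, addresses and finding codes are constructed for illustration.

```python
import ipaddress

# APIPA range that Windows self-assigns when no DHCP server responds.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample data; in practice these values come from ipconfig /all.
SAMPLE_INTERFACES = [
    {"name": "Local Area Connection", "ip": "192.168.10.25",
     "mask": "255.255.255.0", "gateways": ["192.168.10.1"]},
    {"name": "Local Area Connection 2", "ip": "10.1.4.20",
     "mask": "255.255.252.0", "gateways": ["10.1.8.1"]},
    {"name": "Local Area Connection 3", "ip": "169.254.17.88",
     "mask": "255.255.0.0", "gateways": []},
]


def check_interface(ip, mask, gateways):
    """Return hypothetical finding codes for one interface ([] means clean)."""
    try:
        # ip_interface accepts dotted-quad masks and rejects non-contiguous ones.
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        gw_addrs = [ipaddress.ip_address(g) for g in gateways]
    except ValueError:
        return ["invalid-config"]

    findings = []
    if iface.ip in APIPA_NET:
        findings.append("apipa")
    for gw in gw_addrs:
        if gw not in iface.network:
            # The host cannot reach this gateway directly at layer 2.
            findings.append(f"gateway-off-subnet:{gw}")
        elif gw == iface.ip:
            findings.append(f"gateway-is-self:{gw}")
    return findings


def audit(interfaces):
    """Map each interface name to its list of findings."""
    return {i["name"]: check_interface(i["ip"], i["mask"], i["gateways"])
            for i in interfaces}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INTERFACES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The second sample interface shows why the mask matters: 10.1.8.1 looks close to 10.1.4.20 but falls outside the 10.1.4.0/22 network.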

Netdiag Syntax

The required syntax for Netdiag is simple. The tool can be configured to perform any subset of its exhaustive list of tests by careful use of the /test or /skip options.

Although no parameters or syntax need be specified, several options are available for Netdiag, primarily to increase or decrease the level of detail in its reports. These switches are shown in Table 3.6. Complete details on the /test and /skip options can be found by typing netdiag /? at a command prompt; this returns a complete list of more than 20 tests that can be singled out or skipped.

Table 3.6 Netdiag Switches

Switch | Name | Function
/q | Quiet output | Lists only tests that return errors.
/v | Verbose output | More extensive listing of test data as tests are performed.
/l | Log output | Stores output in NetDiag.log, in the default directory.
/debug | Most verbose output | Complete list of test data with reasons for success or failure.
/d:<DomainName> | Find DC | Finds a domain controller in the specified domain.
/fix | Fix DNS problems | Compares DNS value to host file.
/DcAccountEnum | Enumerate DC | Enumerates Domain Controller computer accounts.
/test:<test name> | Single test | Runs only the test specified by <test name>. For a complete list, type netdiag /?.
/skip:<test name> | Skip test | Skips the named test.

In general, Netdiag calls Ipconfig and returns a structure that contains most of the general information that ipconfig /all prints. It takes that information from the registry and by calling the various drivers.

Netdiag prints the string [FATAL] when it detects a condition that needs to be fixed immediately. By contrast, the string [WARNING] signals a failure condition that can be put off for a while.

© 1985-2000 Microsoft Corporation. All rights reserved.