DCDIAG IMPORTED FUNCTIONS – SERVER 2012

Prepared By

Sainath K.E.V

Microsoft MVP – Directory Services

Dated: 13/04/2014



TABLE OF CONTENTS

1 Introduction

2 Technical Details

2.1 Scenario 1

2.2 Scenario 2

2.3 Scenario 3

2.4 Win32 Time Modules

2.4.1 Function Details

1 INTRODUCTION:

DcDiag is one of the most powerful tools available to Active Directory administrators, and it saves a great deal of trouble with the most painful issues in an Active Directory infrastructure. In any troubleshooting case, the first thing Microsoft support or the forums ask for is DcDiag output with the relevant switches (e.g. DcDiag /V or /e), which helps validate the Active Directory infrastructure data.

Microsoft TechNet and the forums already provide extensive information on DcDiag usage and scenarios; this article addresses the underlying building blocks that make DcDiag work. It lists the Dynamic Link Libraries that DcDiag loads and all the function calls it imports from them.

2 TECHNICAL DETAILS

The DcDiag utility analyzes the state of the domain controllers in an Active Directory forest and reports back configuration information and errors. DcDiag runs a number of tests to provide detailed information to administrators; the tests are listed below.

Advertising: Checks whether the DSA is advertising itself.

CheckSDRefDom: Checks that all application directory partitions have appropriate security descriptor reference domains.

CheckSecurityError: Checks for security errors and performs an initial diagnosis of the problem.

Connectivity: Tests whether the DSAs are registered in DNS and responding to LDAP and RPC connectivity.

CrossRefValidation: Checks for invalid cross-references.

CutoffServers: Checks for servers that will not receive replication because their partners are down.

DcPromo: Tests the existing DNS infrastructure for promotion of a domain controller. If the infrastructure is sufficient, the computer can be promoted to a DC in an Active Directory domain.

DNS: Checks the health of DNS settings for the whole enterprise. This test has further subtests that check forwarders, dynamic updates, delegation, etc.

FrsEvent: Checks whether there are any operation errors in FRS.

DFSREvent: Checks whether there are any operation errors in DFS Replication (DFSR).

SysVolCheck: Checks that SYSVOL is ready.

LocatorCheck: Checks the status of the global role holders and whether they can be located.

Intersite: Checks for failures that would prevent or temporarily hold up intersite replication.

KccEvent: Checks that the KCC is completing without errors.

KnowsOfRoleHolders: Checks whether the DSA knows its role holders.

MachineAccount: Checks whether the machine account has the proper information.

NCSecDesc: Checks that the security descriptors on the naming contexts have appropriate permissions for replication.

NetLogons: Checks that the appropriate logon privileges allow replication to proceed.

ObjectsReplicated: Checks that the machine account and DSA objects have replicated.

OutboundSecureChannels: Checks the secure channels from all of the DCs in the domain.

RegisterDNS: Tests whether the directory server can register the directory server locator DNS records.

Replications: Checks for timely replication between directory servers.

RidManager: Checks whether the RID master is accessible.

Services: Checks whether all the required AD services are running.

SystemLog: Checks that the system is running without errors.

Topology: Checks that the generated topology is fully connected for all DSAs.

VerifyEnterpriseReferences: Verifies that certain system references are intact for the FRS and replication infrastructure.

VerifyReferences: Verifies that certain system references are intact for the FRS and replication infrastructure.

VerifyReplicas: Verifies that all application directory partitions are fully instantiated on all replica servers.

Administrators can use a number of switches with DcDiag; they are documented at the link below.

http://technet.microsoft.com/en-us/library/cc731968.aspx

3 DCDIAG MODULES

This section describes the major modules imported by the DcDiag executable, which are needed to understand how DcDiag works.

Components: DcDiag.exe (executable)

When DcDiag runs, it imports a series of modules that are responsible for the information DcDiag displays:

ADVAPI32, IPHLPAPI, Kernel32, NetAPI32, NTDSAPI.dll, Shell32.dll, User32.dll, WS2_32, Msvcrt.dll, DNSAPI, MPR, OLEAUT32, RPCRT4, WLDAP32, Ntdll.dll, Ole32.dll, wevtapi

3.1.1 DCDIAG IMPORT FUNCTION DETAILS

Below is the list of functions used from each imported module. The list is extremely useful for understanding DcDiag functionality and for advanced troubleshooting: when these modules are paired and graphed together, they show how DcDiag's architecture is implemented. The functions below are not documented in TechNet; they were learnt by debugging DcDiag and validating different dumps to analyse the stack and the functions imported by the DcDiag executable.

The following table gives the rich list of functions imported by DcDiag. There are 343+ functions used by DcDiag.
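The inventory below was recovered by debugging; the same list can be cross-checked statically by reading the executable's import directory. The following reader is an added example, not part of the original paper or of DcDiag itself: parse_imports walks the PE import table of any PE32/PE32+ image (run it on a copy of dcdiag.exe), and build_sample_pe constructs a small stand-in image carrying a few of the functions listed below so that the example runs offline.

```python
import struct
from collections import defaultdict

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [function, ...]} read from a PE32/PE32+ image's import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew -> "PE\0\0" signature
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt, (nsec, optsize) = pe + 24, struct.unpack_from("<H12xH", data, pe + 6)
    width, fmt, ddir = (8, "<Q", 112) if struct.unpack_from("<H", data, opt)[0] == 0x20B else (4, "<I", 96)
    imp_rva = struct.unpack_from("<I", data, opt + ddir + 8)[0]       # data directory[1] = import table
    secs = [struct.unpack_from("<IIII", data, opt + optsize + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                      # RVA -> file offset via sections
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} lies outside every section")
    imports, desc = defaultdict(list), off(imp_rva)
    while (name_rva := struct.unpack_from("<I", data, desc + 12)[0]):   # zero Name ends the table
        ilt, iat = struct.unpack_from("<I12xI", data, desc)              # ILT still names bound imports
        dll, thunk = _cstr(data, off(name_rva)), off(ilt or iat)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]):
            imports[dll].append(f"ordinal#{entry & 0xFFFF}" if entry >> (width * 8 - 1)  # by ordinal
                                else _cstr(data, off((entry & 0x7FFFFFFF) + 2)))         # skip 2-byte hint
            thunk += width
        desc += 20
    return dict(imports)

def build_sample_pe(imports):
    """Constructed PE32+ stand-in (not a real binary): one section holding only an import table."""
    va, raw = 0x1000, 0x200
    descs, thunks, names = bytearray(), bytearray(), bytearray()
    tbase = 20 * (len(imports) + 1)                                     # thunk arrays follow descriptors
    nbase = tbase + 8 * sum(len(f) + 1 for f in imports.values())       # hint/name strings follow thunks
    for dll, funcs in imports.items():
        ilt = va + tbase + len(thunks)
        for fn in funcs:
            thunks += struct.pack("<Q", va + nbase + len(names))
            names += b"\0\0" + fn.encode() + b"\0"                      # 2-byte hint, then the name
        thunks += bytes(8)
        descs += struct.pack("<IIIII", ilt, 0, 0, va + nbase + len(names), ilt)
        names += dll.encode() + b"\0"
    body = bytes(descs + bytes(20) + thunks + names)
    opt = struct.pack("<H", 0x20B) + bytes(118) + struct.pack("<II", va, tbase) + bytes(112)  # dir[1]
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    hdr += opt + b".idata\0\0" + struct.pack("<IIII", len(body), va, len(body), raw) + bytes(16)
    return hdr.ljust(raw, b"\0") + body
```

Modules that DcDiag resolves at run time through LoadLibraryExW and GetProcAddress (both in the table below) do not appear in the static import directory, so a static count may come in below the 343+ figure quoted above.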

Function Name Module

OpenServiceW ADVAPI32

ImpersonateLoggedOnUser ADVAPI32

LsaQueryTrustedDomainInfoByName ADVAPI32

QueryServiceConfigW ADVAPI32

QueryServiceStatus ADVAPI32

LsaSetSecret ADVAPI32

FreeSid ADVAPI32

ReadEventLogW ADVAPI32

OpenEventLogW ADVAPI32

RegConnectRegistryW ADVAPI32

LsaOpenSecret ADVAPI32

GetNumberOfEventLogRecords ADVAPI32

RevertToSelf ADVAPI32

EnumDependentServicesW ADVAPI32

AllocateAndInitializeSid ADVAPI32

CloseEventLog ADVAPI32

EqualSid ADVAPI32

CloseServiceHandle ADVAPI32

GetAce ADVAPI32

OpenSCManagerW ADVAPI32

ControlService ADVAPI32

ConvertSecurityDescriptorToStringSecurityDescriptorW ADVAPI32

ConvertSidToStringSidW ADVAPI32

StartServiceW ADVAPI32

IsValidSid ADVAPI32

GetLengthSid ADVAPI32

LsaQueryInformationPolicy ADVAPI32

LsaOpenPolicy ADVAPI32

LsaFreeMemory ADVAPI32

LsaEnumerateAccountsWithUserRight ADVAPI32

LsaClose ADVAPI32

LookupAccountSidW ADVAPI32

LogonUserW ADVAPI32

DnsModifyRecordsInSet_W DNSAPI

DnsQueryConfig DNSAPI

DnsQuery_W DNSAPI

DnsNameCompare_W DNSAPI

DnsUpdateTest_W DNSAPI

DnsValidateName_W DNSAPI

DnsFlushResolverCacheEntry_W DNSAPI

DnsFree DNSAPI

IcmpCreateFile IPHLPAPI

IcmpCloseHandle IPHLPAPI

Icmp6CreateFile IPHLPAPI

GetUnicastIpAddressTable IPHLPAPI

Icmp6SendEcho2 IPHLPAPI

GetAdaptersAddresses IPHLPAPI

GetIfEntry2 IPHLPAPI

FreeMibTable IPHLPAPI

IcmpSendEcho2 IPHLPAPI

RegOpenKeyExW KERNEL32

RegQueryValueExW KERNEL32

ReleaseMutex KERNEL32

CloseHandle KERNEL32

CompareFileTime KERNEL32

CreateEventW KERNEL32

CreateFileW KERNEL32

CreateThread KERNEL32

DeleteCriticalSection KERNEL32

lstrlenW KERNEL32

EnterCriticalSection KERNEL32

ExpandEnvironmentStringsW KERNEL32

FileTimeToLocalFileTime KERNEL32

FileTimeToSystemTime KERNEL32

FreeLibrary KERNEL32

GetComputerNameExA KERNEL32

GetComputerNameExW KERNEL32

GetComputerNameW KERNEL32

GetConsoleMode KERNEL32

GetConsoleOutputCP KERNEL32

GetConsoleScreenBufferInfo KERNEL32

GetCurrentProcess KERNEL32

GetCurrentProcessId KERNEL32

GetCurrentThreadId KERNEL32

GetDateFormatW KERNEL32

GetLastError KERNEL32

CompareStringW KERNEL32

GetModuleHandleExW KERNEL32

GetModuleHandleW KERNEL32

GetProcAddress KERNEL32

GetProcessHeap KERNEL32

GetStdHandle KERNEL32

GetSystemTime KERNEL32

GetSystemTimeAsFileTime KERNEL32

GetTickCount KERNEL32

GetTimeFormatW KERNEL32

GetTimeZoneInformation KERNEL32

HeapFree KERNEL32

GetModuleHandleA KERNEL32

InitializeCriticalSection KERNEL32

InterlockedCompareExchange KERNEL32

InterlockedDecrement KERNEL32

InterlockedExchange KERNEL32

InterlockedIncrement KERNEL32

LeaveCriticalSection KERNEL32

LoadLibraryExW KERNEL32

LocalAlloc KERNEL32

LocalFree KERNEL32

LocalReAlloc KERNEL32

LocalSize KERNEL32

OutputDebugStringA KERNEL32

WriteFile KERNEL32

WideCharToMultiByte KERNEL32

WaitForSingleObject KERNEL32

WaitForMultipleObjects KERNEL32

QueryPerformanceCounter KERNEL32

MultiByteToWideChar KERNEL32

RaiseException KERNEL32

ReadConsoleW KERNEL32

FormatMessageW KERNEL32

ResetEvent KERNEL32

RegCloseKey KERNEL32

UnhandledExceptionFilter KERNEL32

TerminateProcess KERNEL32

SystemTimeToTzSpecificLocalTime KERNEL32

SystemTimeToFileTime KERNEL32

RegEnumKeyExW KERNEL32

Sleep KERNEL32

SetUnhandledExceptionFilter KERNEL32

SetThreadUILanguage KERNEL32

SetLastError KERNEL32

SetEvent KERNEL32

SetConsoleMode KERNEL32

WNetGetResourceInformationW MPR

WNetCancelConnection2W MPR

WNetAddConnection2W MPR

NetApiBufferFree NETAPI32

NetRemoteTOD NETAPI32

NetUserGetInfo NETAPI32

NetUserSetInfo NETAPI32

I_NetLogonControl2 NETAPI32

DsRoleFreeMemory NETAPI32

DsGetDcNameW NETAPI32

DsRoleGetPrimaryDomainInformation NETAPI32

DsReplicaAddW NTDSAPI

DsMakeSpnW NTDSAPI

DsListRolesW NTDSAPI

DsIsMangledDnW NTDSAPI

DsFreeNameResultW NTDSAPI

DsCrackNamesW NTDSAPI

DsReplicaSyncW NTDSAPI

DsReplicaSyncAllW NTDSAPI

DsReplicaGetInfo2W NTDSAPI

DsReplicaGetInfoW NTDSAPI

DsReplicaFreeInfo NTDSAPI

DsWriteAccountSpnW NTDSAPI

VariantInit OLEAUT32

VariantChangeType OLEAUT32

SysFreeString OLEAUT32

SysAllocString OLEAUT32

SafeArrayUnaccessData OLEAUT32

SafeArrayAccessData OLEAUT32

VariantClear OLEAUT32

RpcErrorStartEnumeration RPCRT4

RpcErrorGetNextRecord RPCRT4

RpcErrorEndEnumeration RPCRT4

RpcEpResolveBinding RPCRT4

RpcBindingToStringBindingW RPCRT4

RpcBindingSetOption RPCRT4

RpcBindingSetAuthInfoExW RPCRT4

RpcBindingSetAuthInfoExA RPCRT4

RpcBindingSetAuthInfoA RPCRT4

RpcBindingFromStringBindingW RPCRT4

RpcBindingFree RPCRT4

NdrClientCall2 RPCRT4

I_RpcGetExtendedError RPCRT4

I_RpcExceptionFilter RPCRT4

UuidToStringW RPCRT4

UuidFromStringW RPCRT4

RpcStringFreeW RPCRT4

RpcStringBindingParseW RPCRT4

RpcStringBindingComposeW RPCRT4

RpcMgmtEpEltInqNextW RPCRT4

RpcMgmtEpEltInqDone RPCRT4

RpcMgmtEpEltInqBegin RPCRT4

RpcIfInqId RPCRT4

LoadStringW USER32

ldap_result2error WLDAP32

ldap_modify_sW WLDAP32

ldap_msgfree WLDAP32

ldap_next_attributeW WLDAP32

ldap_next_entry WLDAP32

LdapMapErrorToWin32 WLDAP32

LdapGetLastError WLDAP32

ldap_search_abandon_page WLDAP32

ldap_explode_dnW WLDAP32

ldap_search_ext_sW WLDAP32

ldap_search_init_pageW WLDAP32

ldap_search_sW WLDAP32

ldap_set_optionW WLDAP32

ldap_get_dnW WLDAP32

ldap_first_entry WLDAP32

ldap_first_attributeW WLDAP32

ldap_unbind WLDAP32

ldap_err2stringW WLDAP32

ldap_count_values_len WLDAP32

ldap_count_valuesW WLDAP32

ldap_value_freeW WLDAP32

ldap_count_entries WLDAP32

ldap_bind_sW WLDAP32

ldap_value_free_len WLDAP32

ldap_add_sW WLDAP32

ldap_get_next_page_s WLDAP32

ldap_get_optionW WLDAP32

ldap_get_valuesW WLDAP32

ldap_get_values_lenW WLDAP32

ldap_initW WLDAP32

ldap_memfreeW WLDAP32

WSALookupServiceNextW WS2_32

getprotobyname WS2_32

WSASetLastError WS2_32

WSAStartup WS2_32

WSACleanup WS2_32

getaddrinfo WS2_32

getnameinfo WS2_32

freeaddrinfo WS2_32

GetNameInfoW WS2_32

FreeAddrInfoW WS2_32

closesocket WS2_32

GetAddrInfoW WS2_32

inet_ntoa WS2_32

inet_addr WS2_32

WSAGetLastError WS2_32

WSAIoctl WS2_32

WSALookupServiceBeginW WS2_32

WSALookupServiceEnd WS2_32

ntohs WS2_32

socket WS2_32

__wgetmainargs msvcrt

_amsg_exit msvcrt

_atoi64 msvcrt

_callnewh msvcrt

_cexit msvcrt

_controlfp msvcrt

_except_handler4_common msvcrt

_exit msvcrt

_fcloseall msvcrt

_ftol2_sse msvcrt

_initterm msvcrt

_iob msvcrt

_local_unwind4 msvcrt

_lock msvcrt

_onexit msvcrt

_purecall msvcrt

_snwprintf_s msvcrt

_stricmp msvcrt

_strupr msvcrt

_ultoa msvcrt

_unlock msvcrt

_vsnprintf msvcrt

_vsnwprintf msvcrt

_wcsdup msvcrt

_wcsicmp msvcrt

_wcsnicmp msvcrt

_wfopen msvcrt

_wtoi msvcrt

_wtoi64 msvcrt

_wtol msvcrt

atoi msvcrt

__p__fmode msvcrt

exit msvcrt

fflush msvcrt

free msvcrt

fwprintf msvcrt

iswdigit msvcrt

iswxdigit msvcrt

_ltow msvcrt

wcstoul msvcrt

wcstombs msvcrt

wcstol msvcrt

wcsstr msvcrt

wcsncpy_s msvcrt

wcsncmp msvcrt

wcscspn msvcrt

wcscpy_s msvcrt

wcschr msvcrt

wprintf msvcrt

wcscat_s msvcrt

vswprintf_s msvcrt

towupper msvcrt

towlower msvcrt

_CxxThrowException msvcrt

_XcptFilter msvcrt

__CxxFrameHandler3 msvcrt

__dllonexit msvcrt

__p__commode msvcrt

malloc msvcrt

mbstowcs msvcrt

memchr msvcrt

memcpy msvcrt

memcpy_s msvcrt

memmove msvcrt

memmove_s msvcrt

memset msvcrt

__set_app_type msvcrt

printf msvcrt

putchar msvcrt

qsort msvcrt

realloc msvcrt

setlocale msvcrt

__setusermatherr msvcrt

sprintf_s msvcrt

strncmp msvcrt

strtoul msvcrt

swprintf_s msvcrt

time msvcrt

?what@exception@@UBEPBDXZ msvcrt

?terminate@@YAXXZ msvcrt

??1type_info@@UAE@XZ msvcrt

??1exception@@UAE@XZ msvcrt

??0exception@@QAE@XZ msvcrt

??0exception@@QAE@ABV0@@Z msvcrt

??0exception@@QAE@ABQBD@Z msvcrt

RtlAllocateHeap ntdll

RtlSubAuthoritySid ntdll

RtlSubAuthorityCountSid ntdll

RtlGetDaclSecurityDescriptor ntdll

RtlFreeHeap ntdll

RtlNtStatusToDosError ntdll

RtlLengthSid ntdll

RtlIpv6StringToAddressW ntdll

RtlIpv6StringToAddressExW ntdll

RtlIpv6AddressToStringExW ntdll

RtlIpv6AddressToStringA ntdll

RtlIpv4StringToAddressW ntdll

RtlIpv4StringToAddressExW ntdll

RtlIpv6StringToAddressA ntdll

RtlIpv4StringToAddressA ntdll

RtlIpv4AddressToStringExW ntdll

RtlInitUnicodeString ntdll

CoUninitialize ole32

CoSetProxyBlanket ole32

CoQueryProxyBlanket ole32

CoInitializeSecurity ole32

CoInitializeEx ole32

CoInitialize ole32

CoCreateInstance ole32

EvtFormatMessage wevtapi

EvtCreateRenderContext wevtapi

EvtRender wevtapi

EvtQuery wevtapi

EvtOpenSession wevtapi

EvtOpenPublisherMetadata wevtapi

EvtNext wevtapi