If you missed the other parts in this article series please read:
- TCP/IP Troubleshooting: A Structured Approach – Part 1: An Introduction
- TCP/IP Troubleshooting: A Structured Approach – Part 2: Troubleshooting Routing Tables
- TCP/IP Troubleshooting: A Structured Approach – Part 3: Repairing Network Connections
In the last article of this series we examined how to repair network connections using the Repair feature of Windows network connections. The Repair feature works by performing a series of tests to try and restore network connectivity caused by network misconfiguration on either the client (issues with DHCP settings or resolver cache) or server (name registration with WINS or DNS server). The Repair feature has several limitations however, namely:
-
- The results of the Repair process can’t be saved for later review or reporting purposes.
- On multihomed machines, the Repair process must be performed separately on each network connection.
- The number of tests performed by the Repair process is limited.
Get your copy of Windows Server Hacks!
These limitations can be overcome by using Netdiag.exe, a network connectivity troubleshooting tool that is part of the Windows Support Tools. Netdiag runs a more extensive series of tests than the Repair process does, and it performs many more tests than the Repair process does. You can also redirect output for Netdiag.exe to a text file so you can have a record of the tests performed and their results.
Installing Netdiag
You can install Netdiag by installing the Windows Support Tools, which can be installed by double-clicking on \Support\Tools\SUPTOOLS.MSI. By default the Support Tools install to %SystermDrive%\Program Files\Support Tools but I find it easier to install them to %SystemDrive%\Tools since the tools need to be run from the command-line and this makes typing the path to these tools simpler to run them. Alternatively, if you only want to install Netdiag and not the other Support Tools, you can double-click on the \Support\Tools\Support.cab cabinet file and then double-click on Netdiag.exe to install this tool alone.
Understanding Netdiag
Netdiag performs a series of tests on each network adapter on the local system. Once these tests are performed, Netdiag performs a series of global connectivity tests to identify and resolve connectivity problems that may be caused by issues beyond the local system.
Netdiag first performs the following tests on the local system’s network adapters:
- Ndis
- Ipconfig
- Autonet
- DefGw
- NbtNm
- WINS
Once these tests are performed, Netdiag then performs the following series of global connectivity tests:
- Member
- NetBTTransports
- Autonet
- IpLoopBk
- DefGw
- NbtNm
- Winsock
- DNS
- Browser
- DsGetDc
- DcKust
- Trust
- Kerberos
- Ldap
- Bindings
- WAN
- Modem
- IPSec
Details concerning each of these tests are provided by the following table:
Test name |
Description |
Autonet |
Checks if APIPA is being used by network adapters. |
Bindings |
Lists network bindings including interface name, lower and upper module names, indicates whether the binding is currently enabled, and reports the owner of the binding. |
Browser |
Lists all network protocols bound to the Browser service and to the Redirector. |
DcList |
Obtains a list of domain controllers for the domain. |
DefGw |
Verifies connectivity with each configured default gateway. |
DNS |
Verifies availability of configured DNS servers and verifies the client’s DNS registrations. |
DsGetDc |
Obtains the name of any domain controller from directory service and then obtains the name of the PDC Emulator. Verifies if the domain GUID stored in the Local Security Authority (LSA) is the same as the domain GUID stored in the DC. |
IpConfig |
Enumerates TCP/IP settings for each network adapter. |
IpLoopBk |
Pings the loopback address 127.0.0.1 for each adapter. |
IPSec |
Checks whether IPsec is enabled and if so then lists all active IPsec policies for the computer. |
IPX |
Lists statistics for IPX (if installed). |
Kerberos |
Verifies whether the Kerberos authentication package is up-to-date. |
Ldap |
Contacts all available domain controllers and determines which LDAP authentication protocol is currently being used. |
Member |
Checks to confirm details of the primary domain, including computer role, domain name, and domain GUID. Checks to see if NetLogon service is started, adds the primary domain to the domain list, and queries the primary domain security identifier (SID). |
Modem |
Provides configuration information for each modem on the system. |
NbtNm |
Performs actions similar to the nbtstat -n command i.e. verifies that the Workstation Service name <00> is the same as the computer name and verifies that the Messenger =Service name <03> and Server Service name <20> are present on all interfaces and that none of these names are in conflict. |
Ndis |
Lists details concerning the configuration of each network adapter including adapter name, configuration, media, GUID and statistics. |
NetBTTransports |
Lists all transport protocols bound to NetBIOS over TCP/IP (NetBT). |
Netstat |
Lists current TCP/IP connections and protocol statistics. |
Netware |
Queries the nearest Netware server (if used) for current login information. |
Route |
Lists all static routes in the routing table and indicates whether they are persistent. |
Trust |
Tests domain trust relationships and verifies the primary domain SID is correct. |
WAN |
Summarizes the settings and status for each COM port currently in use. |
WINS |
Verifies the availability of the configured WINS server and verifies WINS client registrations. |
Winsock |
Displays protocols and ports available to WinSock service. |
In addition to performing these tests, Netdiag.exe also reports the following information concerning the system:
- NetBIOS name of system
- DNS name of system
- General system info
- Installed hotfixes
Running Netdiag
The simplest way to run Netdiag is without any parameters, which tests each local network adapter on the system and then performs a series of global connectivity tests. Sample output from running this command on a Windows Server 2003 member server is as follows (hotfix list has been truncated):
C:\tools\netdiag
……………………………..
Computer Name: SRV
DNS Host Name: SRV.contoso.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB890046
KB893756
KB896358
…
KB925486
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : SRV
IP Address . . . . . . . . : 172.16.11.31
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.16.11.1
Dns Servers. . . . . . . . : 172.16.11.32
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names is missing.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{64B5D4FF-0014-4CC2-BB8D-9FB0C67CB75E}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don’t have a single interface with the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{64B5D4FF-0014-4CC2-BB8D-9FB0C67CB75E}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{64B5D4FF-0014-4CC2-BB8D-9FB0C67CB75E}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain ‘CONTOSO’ is to ‘\\DC-1A.contoso.com’.
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run “netsh ipsec dynamic show /?” for more detailed information
The command completed successfully
Note that running the NbtNm test gave the following results:
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names is missing.
This warning is not really a problem since by default the Messenger service is not running on Windows Server 2003 so no <20> name will be registered for it.
There are other ways you can run Netdiag, specifically:
- Netdiag /q runs tests in quiet mode and reports only errors.
- Netdiag /v runs tests in verbose mode and provides additional detail.
- Netdiag /test:test_name(s) runs the standard tests and then they perform the specified test(s) only.
- Netdiag /skip:test_name(s) runs the standard tests followed by global tests except for the one(s) specified. (Certain tests can’t be skipped however, including Member, Ndis and NetBTTransports.)
- Netdiag /fix performs all standard and global tests and attempts to fix any problems that it finds.
For example, running the Netdiag /q test on the above system produces these results:
C:\tools\netdiag /q
……………………………..
Computer Name: SRV
DNS Host Name: SRV.contoso.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB890046
KB893756
KB896358
…
KB925486
Q147222
Per interface results:
Adapter : Local Area Connection
Host Name. . . . . . . . . : SRV
IP Address . . . . . . . . : 172.16.11.31
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.16.11.1
Dns Servers. . . . . . . . : 172.16.11.32
WINS service test. . . . . : Skipped
Global results:
[WARNING] You don’t have a single interface with the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names defined.
IP Security test . . . . . . . . . : Skipped
The command completed successfully
More Netdiag Examples
The best way of learning how to interpret Netdiag output is to try running it under various test scenarios. The following are a few examples of different scenarios and the kind of output you may get from this tool. These scenarios are performed by running Netdiag on a member server in a Windows Server 2003 domain, and the output has been truncated to highlight only the error messages reported by the tool.
1. Output from running netdiag /q when the domain controller is offline:
Global results:
[WARNING] You don’t have a single interface with the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names defined.
Redir and Browser test . . . . . . : Failed
[FATAL] Cannot send mailslot message to ‘\\CONTOSO*\MAILSLOT\NET\NETLOGON’ via redir. [ERROR_BAD_NETPATH]
DC discovery test. . . . . . . . . : Failed
[FATAL] Cannot find DC in domain ‘CONTOSO’. [ERROR_NO_SUCH_DOMAIN]
DC list test . . . . . . . . . . . : Failed
‘CONTOSO’: Cannot find DC to get DC list from [test skipped].
Trust relationship test. . . . . . : Failed
[FATAL] Secure channel to domain ‘CONTOSO’ is broken. [RPC_S_SERVER_UNAVAILABLE]
Kerberos test. . . . . . . . . . . : Skipped
‘CONTOSO’: Cannot find DC to get DC list from [test skipped].
LDAP test. . . . . . . . . . . . . : Failed
Cannot find DC to run LDAP tests on. The error occurred was: The specified domain either does not exist or could not be contacted.
[WARNING] Cannot find DC in domain ‘CONTOSO’. [ERROR_NO_SUCH_DOMAIN]
2. Output from running netdiag /q when the wrong default gateway is configured on the system:
Default gateway test . . . . . . . : Failed
[FATAL] NO GATEWAYS ARE REACHABLE.
You have no connectivity to other network segments.
If you configured the IP protocol manually then
you need to add at least one valid gateway.
[WARNING] You don’t have a single interface with the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names defined.
DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser. [ERROR_REQ_NOT_ACCEP]
3. Output from running netdiag /q when the Computer Browser service is not running on the system:
Global results:
[WARNING] You don’t have a single interface with the <00> ‘WorkStation Service’, <03> ‘Messenger Service’, <20> ‘WINS’ names defined.
DC list test . . . . . . . . . . . : Failed
Failed to enumerate DCs by using the browser. [NERR_ServiceNotInstalled]
4. Output from running netdiag /q when the computer account for the system is disabled in Active Directory when the system starts up:
Global results:
[WARNING] You don’t have a single interface with the <00> ‘WorkStation Servi
ce’, <03> ‘Messenger Service’, <20> ‘WINS’ names defined.
Trust relationship test. . . . . . : Failed
Cannot test secure channel for domain ‘CONTOSO’ to DC ‘DC-1A’. [ERROR_NO_LOG
ON_SERVERS]
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Cannot get ticket cache from Kerberos.
The error occurred was: (null)
Conclusion
Netdiag.exe is a powerful tool for troubleshooting network connectivity issues on Windows networks. Readers of this article are encouraged to try and think up additional scenarios similar to the examples above to help them gain more experience in understanding the capabilities of this tool and how to use it.
If you missed the other parts in this article series please read: