Tip

TCP/IP troubleshooting: A structured approach -- Using Netdiag.exe

Learn how to use the Netdiag.exe support tool to diagnose TCP/IP connectivity issues in this tip from WindowsNetworking.com.

    Requires Free Membership to View

This article originally appeared on WindowsNetworking.com.

In the last article of this series we examined how to repair network connections using the "Repair" feature of Windows network connections. The Repair feature works by performing a series of tests to try and restore network connectivity caused by network misconfiguration on either the client (issues with DHCP settings or resolver cache) or server (name registration with WINS or DNS server). The Repair feature has several limitations however, namely:

Read more tips in the 'TCP/IP troubleshooting: A structured approach' series
Part 1: Introduction

Part 2: Troubleshoot routing tables

Part 3: Repairing network connections

Part 4: Using Netdiag.exe
  • The results of the Repair process can't be saved for later review or reporting purposes.
  • On multihomed machines, the Repair process must be performed separately on each network connection.
  • The number of tests performed by the Repair process is limited.

These limitations can be overcome by using Netdiag.exe, a network connectivity troubleshooting tool that is part of the Windows Support Tools. Netdiag runs a more extensive series of tests than the Repair process does, and it performs many more tests than the Repair process does. You can also redirect output for Netdiag.exe to a text file so you can have a record of the tests performed and their results.

Installing Netdiag

You can install Netdiag by installing the Windows Support Tools, which can be installed by double-clicking on \Support\Tools\SUPTOOLS.MSI. By default the Support Tools install to %SystermDrive%\Program Files\Support Tools but I find it easier to install them to %SystemDrive%\Tools since the tools need to be run from the command-line and this makes typing the path to these tools simpler to run them. Alternatively, if you only want to install Netdiag and not the other Support Tools, you can double-click on the \Support\Tools\Support.cab cabinet file and then double-click on Netdiag.exe to install this tool alone.

Understanding Netdiag

Netdiag performs a series of tests on each network adapter on the local system. Once these tests are performed, Netdiag performs a series of global connectivity tests to identify and resolve connectivity problems that may be caused by issues beyond the local system.

Netdiag first performs the following tests on the local system's network adapters:

  • Ndis
  • Ipconfig
  • Autonet
  • DefGw
  • NbtNm
  • WINS

Once these tests are performed, Netdiag then performs the following series of global connectivity tests:

  • Member
  • NetBTTransports
  • Autonet
  • IpLoopBk
  • DefGw
  • NbtNm
  • Winsock
  • DNS
  • Browser
  • DsGetDc
  • DcKust
  • Trust
  • Kerberos
  • Ldap
  • Bindings
  • WAN
  • Modem
  • IPSec

Details concerning each of these tests are provided by the following table:

Test name Description
Autonet Checks if APIPA is being used by network adapters.
Bindings Lists network bindings including interface name, lower and upper module names, indicates whether the binding is currently enabled, and reports the owner of the binding.
Browser Lists all network protocols bound to the Browser service and to the Redirector.
DcList Obtains a list of domain controllers for the domain.
DefGw Verifies connectivity with each configured default gateway.
DNS Verifies availability of configured DNS servers and verifies the client's DNS registrations.
DsGetDc Obtains the name of any domain controller from directory service and then obtains the name of the PDC Emulator. Verifies if the domain GUID stored in the Local Security Authority (LSA) is the same as the domain GUID stored in the DC.
IpConfig Enumerates TCP/IP settings for each network adapter.
IpLoopBk Pings the loopback address 127.0.0.1 for each adapter.
IPSec Checks whether IPsec is enabled and if so then lists all active IPsec policies for the computer.
IPX Lists statistics for IPX (if installed).
Kerberos Verifies whether the Kerberos authentication package is up-to-date.
Ldap Contacts all available domain controllers and determines which LDAP authentication protocol is currently being used.
Member Checks to confirm details of the primary domain, including computer role, domain name, and domain GUID. Checks to see if NetLogon service is started, adds the primary domain to the domain list, and queries the primary domain security identifier (SID).
Modem Provides configuration information for each modem on the system.
NbtNm Performs actions similar to the nbtstat -n command i.e. verifies that the Workstation Service name <00> is the same as the computer name and verifies that the Messenger =Service name <03> and Server Service name <20> are present on all interfaces and that none of these names are in conflict.
Ndis Lists details concerning the configuration of each network adapter including adapter name, configuration, media, GUID and statistics.
NetBTTransports Lists all transport protocols bound to NetBIOS over TCP/IP (NetBT).
Netstat Lists current TCP/IP connections and protocol statistics.
Netware Queries the nearest Netware server (if used) for current login information.
Route Lists all static routes in the routing table and indicates whether they are persistent.
Trust Tests domain trust relationships and verifies the primary domain SID is correct.
WAN Summarizes the settings and status for each COM port currently in use.
WINS Verifies the availability of the configured WINS server and verifies WINS client registrations.
Winsock Displays protocols and ports available to WinSock service.

In addition to performing these tests, Netdiag.exe also reports the following information concerning the system:

  • NetBIOS name of system
  • DNS name of system
  • General system info
  • Installed hotfixes

Running Netdiag

The simplest way to run Netdiag is without any parameters, which tests each local network adapter on the system and then performs a series of global connectivity tests. Sample output from running this command on a Windows Server 2003 member server is as follows (hotfix list has been truncated):

C:\tools\netdiag

...................................

Computer Name: SRV
DNS Host Name: SRV.contoso.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB890046
KB893756
KB896358

KB925486
Q147222


Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : SRV
IP Address . . . . . . . . : 172.16.11.31
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.16.11.1
Dns Servers. . . . . . . . : 172.16.11.32

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Skipped
   There are no WINS servers configured for this interface.


Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{64B5D4FF-0014-4CC2-BB8D-9FB0C67CB75E}
    1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
  [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{64B5D4FF-0014-4CC2-BB8D-9FB0C67CB75E}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{64B5D4FF-0014-4CC2-BB8D-9FB0C67CB75E}
    The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
   Secure channel for domain 'CONTOSO' is to '\\DC-1A.contoso.com'.

Kerberos test. . . . . . . . . . . : Passed

LDAP test. . . . . . . . . . . . . : Passed

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
   No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

   Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

Note that running the NbtNm test gave the following results:

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

This warning is not really a problem since by default the Messenger service is not running on Windows Server 2003 so no <20> name will be registered for it.

There are other ways you can run Netdiag, specifically:

  • Netdiag /q runs tests in quiet mode and reports only errors.
  • Netdiag /v runs tests in verbose mode and provides additional detail.
  • Netdiag /test:test_name(s) runs the standard tests and then they perform the specified test(s) only.
  • Netdiag /skip:test_name(s) runs the standard tests followed by global tests except for the one(s) specified. (Certain tests can't be skipped however, including Member, Ndis and NetBTTransports.)
  • Netdiag /fix performs all standard and global tests and attempts to fix any problems that it finds.

For example, running the Netdiag /q test on the above system produces these results:

C:\tools\netdiag /q
...................................

Computer Name: SRV
DNS Host Name: SRV.contoso.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 1, GenuineIntel
List of installed hotfixes :
KB890046
KB893756
KB896358

KB925486
Q147222


Per interface results:

Adapter : Local Area Connection

Host Name. . . . . . . . . : SRV
IP Address . . . . . . . . : 172.16.11.31
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 172.16.11.1
Dns Servers. . . . . . . . : 172.16.11.32

WINS service test. . . . . : Skipped


Global results:
   [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

IP Security test . . . . . . . . . : Skipped
The command completed successfully

More Netdiag examples

The best way of learning how to interpret Netdiag output is to try running it under various test scenarios. The following are a few examples of different scenarios and the kind of output you may get from this tool. These scenarios are performed by running Netdiag on a member server in a Windows Server 2003 domain, and the output has been truncated to highlight only the error messages reported by the tool.

  1. Output from running netdiag /q when the domain controller is offline:

    Global results:
       [WARNING] You don't have a single interface with the <00>
    'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    Redir and Browser test . . . . . . : Failed
       [FATAL] Cannot send mailslot message to '\\CONTOSO*\MAILSLOT\NET\NETLOGON' via redir. [ERROR_BAD_NETPATH]

    DC discovery test. . . . . . . . . : Failed
       [FATAL] Cannot find DC in domain 'CONTOSO'. [ERROR_NO_SUCH_DOMAIN]

    DC list test . . . . . . . . . . . : Failed
       'CONTOSO': Cannot find DC to get DC list from [test skipped].

    Trust relationship test. . . . . . : Failed
       [FATAL] Secure channel to domain 'CONTOSO' is broken.
    [RPC_S_SERVER_UNAVAILABLE]

    Kerberos test. . . . . . . . . . . : Skipped
       'CONTOSO': Cannot find DC to get DC list from [test skipped].

    LDAP test. . . . . . . . . . . . . : Failed
       Cannot find DC to run LDAP tests on. The error occurred was: The
    specified domain either does not exist or could not be contacted.

       [WARNING] Cannot find DC in domain 'CONTOSO'.
    [ERROR_NO_SUCH_DOMAIN]

  2. Output from running netdiag /q when the wrong default gateway is configured on the system:

    Default gateway test . . . . . . . : Failed

    [FATAL] NO GATEWAYS ARE REACHABLE.
    You have no connectivity to other network segments.
    If you configured the IP protocol manually then
    you need to add at least one valid gateway.
       [WARNING] You don't have a single interface with the <00>
    'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    DC list test . . . . . . . . . . . : Failed
       Failed to enumerate DCs by using the browser. [ERROR_REQ_NOT_ACCEP]
  3. Output from running netdiag /q when the Computer Browser service is not running on the system:

    Global results:
       [WARNING] You don't have a single interface with the <00>
    'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    DC list test . . . . . . . . . . . : Failed
       Failed to enumerate DCs by using the browser. [NERR_ServiceNotInstalled]

  4. Output from running netdiag /q when the computer account for the system is disabled in Active Directory when the system starts up:

    Global results:
       [WARNING] You don't have a single interface with the <00>
    'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

    Trust relationship test. . . . . . : Failed
       Cannot test secure channel for domain 'CONTOSO' to DC 'DC-1A'. [ERROR_NO_LOG ON_SERVERS]

    Kerberos test. . . . . . . . . . . : Failed       [FATAL] Cannot get ticket cache from Kerberos.
       The error occurred was: (null)

Conclusion

Netdiag.exe is a powerful tool for troubleshooting network connectivity issues on Windows networks. Readers of this article are encouraged to try and think up additional scenarios similar to the examples above to help them gain more experience in understanding the capabilities of this tool and how to use it.

About the author:
Mitch Tulloch is a writer, trainer and consultant specializing in Windows server operating systems, IIS administration, network troubleshooting, and security. He is the author of 15 books including the Microsoft Encyclopedia of Networking (Microsoft Press), the Microsoft Encyclopedia of Security (Microsoft Press), Windows Server Hacks (O'Reilly), Windows Server 2003 in a Nutshell (O'Reilly), Windows 2000 Administration in a Nutshell (O'Reilly), and IIS 6 Administration (Osborne/McGraw-Hill). Mitch is based in Winnipeg, Canada, and you can find more information about his books at his Web site: www.mtit.com.

WindowsNetworking.com contains a wealth of networking information for administrators: Featuring information on how to setup and troubleshoot various networks of any size. Also includes a comprehensive archive of hundreds of reviewed networking software and hardware solutions. Frequently updated with articles and tips by a team of leading authors, it remains a favorite within the networking community.

This was first published in July 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.