The /TEST:DNS switch to validate DNS health of domain controllers.
The /TEST:CheckSecurityError to detect security configurations that can cause Active Directory replication to fail.
When you type DCDiag /?, the relevant section of the displayed help is:
and performs the initial diagnosis of the problem.
/ReplSource:<source dc> to target a specific source,
regardless of it's error status. Need not be a current partner.
<b>DNS</b> - This test checks the health of DNS settings
for the whole enterprise. Sub tests can be run individually
using the switches below. By default, all tests except
external name resolution are run)
/DnsBasic (basic tests, can't be skipped)
/DnsForwarders (forwarders and root hints tests)
/DnsDelegation (delegations tests)
/DnsDynamicUpdate (dynamic update tests)
/DnsRecordRegistration (records registration tests)
/DnsResolveExtName (external name resolution test)
/DnsAll (includes all tests above)
/DnsInternetName: <internet name> (for test /DnsResolveExtName)
(default is www.microsoft.com)</internet></source>
<b>/n:</b> Use <naming context> as the Naming Context to test</naming></domain>
Sample Usage:DCDiag /s:JSI001 /test:dns
DCDiag /n:JSIINC.COM /test:dns