DCDIAG.EXE, from the Windows Server 2003 SP1 Support Tools, has two major improvements:

The /TEST:DNS switch to validate DNS health of domain controllers.

The /TEST:CheckSecurityError switch to detect security configurations that can cause Active Directory replication to fail.

When you type DCDiag /?, the relevant section of the displayed help is:

       CheckSecurityError  - Locates security errors (or those possibly security related)
                and performs the initial diagnosis of the problem.
                Optional Arguments:
                /ReplSource:<source dc> to target a specific source,
                regardless of it's error status.  Need not be a current partner.

       DNS  - This test checks the health of DNS settings
                for the whole enterprise. Sub tests can be run individually
                using the switches below. By default, all tests except
                external name resolution are run)
                /DnsBasic (basic tests, can't be skipped)
                /DnsForwarders (forwarders and root hints tests)
                /DnsDelegation (delegations tests)
                /DnsDynamicUpdate (dynamic update tests)
                /DnsRecordRegistration (records registration tests)
                /DnsResolveExtName (external name resolution test)
                /DnsAll (includes all tests above)
                /DnsInternetName: <internet name> (for test /DnsResolveExtName)
                         (default is www.microsoft.com)

NOTE: If you run DCDiag.exe from your workstation, you need the /s: or /n: switch:
   /s: Use <domain controller> as Home Server.
   /n: Use <naming context> as the Naming Context to test

Sample Usage:

DCDiag /s:JSI001 /test:dns

DCDiag /n:JSIINC.COM /test:dns