DCDIAG.EXE, from the Windows Server 2003 SP1 Support Tools, has two major improvements:
The /TEST:DNS switch to validate DNS health of domain controllers.
The /TEST:CheckSecurityError to detect security configurations that can cause Active Directory replication to fail.
When you type DCDiag /?, the relevant section of the displayed help is:
CheckSecurityError - Locates security errors (or those possibly security related) and performs the initial diagnosis of the problem. Optional Arguments: /ReplSource:NOTE: If you run DCDiag.exe from your workstation, you need the /s: or /n: switch:
as Home Server. /n: Use as the Naming Context to test
Sample Usage:DCDiag /s:JSI001 /test:dns
DCDiag /n:JSIINC.COM /test:dns