Author: © 2011 Sean Deuby
URL: http://tinyurl.com/adtroubleshooting
Active Directory Troubleshooting
Version 1.1
8-Step Network Application Troubleshooting

Begin
1: Define The Problem. Precisely state what the problem is, and what it isn't.
2: Gather Detailed Information. What doesn't work? What does work? What changed? Do others have this problem?
3: Consider Probable Cause For The Failure.
4: Devise A Plan To Test The Hypothesis.
5: Observe The Test Results.
6: Success? Y: go to step 8. N: go to step 7.
7: Choose Next Most Likely Hypothesis, then test it (return to step 4). Have you exhausted the most likely (i.e. Occam's) causes? N: keep working the likely causes. Y: Troubleshoot From The Wire Up (physical, network, name resolution, OS, authentication/authorization, application).
8: Document Changes. Hold post mortem, update production docs.
End

Occam's Razor: The simplest answer is usually the correct one.
Troubleshooting From The Wire Up

Wire
- Cable plugged into the network? N: PICNIC error.
- Is the cable good? N: Replace cable.
- Router / switch working? N: Escalate to Network Engineering.

Network
- Ping test to destination? N: Network Issues (see Network Troubleshooting).

Name Resolution and Client-DC
- Is this a Client?
  Y: Client communicating with the DC? N: Client-DC Name Resolution Issues. Y: Client-DC Troubleshooting.
  N (it is a DC): Are the errors related only to the local DC? Y: AD Service Troubleshooting, and troubleshoot potential server OS issues. N: Replication Issues.
- Trust errors? Y: Trust troubleshooting.
- Did that solve the problem? Y: End. N: continue at connector A with the next branch.
Client experiencing error?
- Error joining domain?
- Error finding / contacting DC?
- Error authentication (e.g. password) related?
- Slow logon?
- Group Policy not applied?
- Error authorization related?

DC experiencing error?
- DC won't boot normally?
- Boots, but local NTDS error?
- AD changes not showing up everywhere? DS replication? SYSVOL replication (FRS? DFS-R?)
- What else?
Network Troubleshooting

- Run IPCONFIG /ALL.
- DHCP client & 169.254.x.x IP address? Y: Not receiving IP address from DHCP. N: Confirm host IP, subnet / DG, DNS config.
- Windows 2003? Y: Run NETDIAG. Windows XP? Y: NETSH DIAG GUI. Vista+ / WS08+? Y: Run "Diagnose & Repair".
- Ping a computer on this computer's subnet? Success? N: Check subnet mask and default gateway.
- Ping a computer on another subnet? Success? N: Tracert / NetMon / Wireshark. Y: End.
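The Network Troubleshooting branch above as a script, added here as an example and not part of the original poster: it reads the IPCONFIG /ALL data through WMI, applies the 169.254.x.x (APIPA) check, then pings the default gateway (a computer on this subnet) and a host on another subnet. The host name is a placeholder you replace; it assumes Windows PowerShell 2.0 or later.

```powershell
# Walk the Network Troubleshooting branch: IPCONFIG /ALL data, the APIPA check,
# then a same-subnet ping (gateway) and an other-subnet ping.
function Test-NetworkPath {
    param([string]$OtherSubnetHost = 'host.other-subnet.example')  # placeholder, replace
    # IPCONFIG /ALL equivalent: every IP-enabled adapter configuration (WMI, works on XP+)
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $gw   = @($nic.DefaultIPGateway)
        Write-Host ("{0}: IP={1} Mask={2} GW={3} DNS={4} DHCP={5}" -f $nic.Description,
            ($ipv4 -join ','), ($nic.IPSubnet -join ','), ($gw -join ','),
            ($nic.DNSServerSearchOrder -join ','), $nic.DHCPEnabled)
        # A DHCP client sitting on a 169.254.x.x address never received a lease
        if ($nic.DHCPEnabled -and ($ipv4 -match '^169\.254\.')) {
            Write-Warning 'Not receiving IP address from DHCP: check the DHCP server / relay'
            continue
        }
        if ($gw.Count -eq 0) { Write-Warning 'No default gateway configured'; continue }
        # "Ping a computer on this computer's subnet": the gateway is always on-subnet
        if (-not (Test-Connection -ComputerName $gw[0] -Count 2 -Quiet)) {
            Write-Warning "Gateway $($gw[0]) unreachable: check subnet mask and default gateway"
            continue
        }
        # "Ping a computer on another subnet": failing here points at routing, so tracert next
        if (-not (Test-Connection -ComputerName $OtherSubnetHost -Count 2 -Quiet)) {
            Write-Warning "$OtherSubnetHost unreachable: run tracert $OtherSubnetHost, then NetMon / Wireshark"
            continue
        }
        Write-Host 'Local and remote subnets reachable: network layer passes, move up the stack'
    }
}
Test-NetworkPath -OtherSubnetHost 'dc01.corp.example'   # placeholder host on another subnet
```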
Client-DC Name Resolution Issues
(Assumes network testing passed)

- Does the client's DNS server respond to pings? N: DNS server problem (already passed network tests). Is the primary DNS server correct? N: Configure correct DNS server.
- Can the client resolve their domain? (NSLOOKUP <FQDN.>) Success? N: DNS server configuration problem; correct DC errors or DNS configuration.
- Check SRV records for the domain (nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>). Success? (List of DC SRV records.) Are all name servers listed available? N: Correct DC errors or DNS configuration.
- Can client get a DC? (NLTEST /DSGETDC:<domain>) N: Reset secure channel (NLTEST /SC_RESET:<domain>). Y: Return.
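The same Client-DC Name Resolution checks scripted end to end, as an added example that is not from the poster: it pings the client's primary DNS server, resolves the domain name and the _ldap._tcp.dc._msdcs SRV records, tests that every listed DC answers on its LDAP port, and finally asks the DC locator via nltest /dsgetdc. It assumes Resolve-DnsName (Windows 8 / Server 2012 or later); the domain name you pass is your own.

```powershell
function Test-ClientDcNameResolution {
    param([Parameter(Mandatory=$true)][string]$DomainFqdn)   # e.g. corp.example (placeholder)
    # Step 1: does the client's primary DNS server answer at all?
    $dns = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
            Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1).DNSServerSearchOrder[0]
    if (-not (Test-Connection -ComputerName $dns -Count 2 -Quiet)) {
        Write-Warning "Primary DNS server $dns does not answer pings: DNS server problem"; return $false
    }
    # Step 2: NSLOOKUP <FQDN.>  (the domain name itself resolves to DC addresses)
    $a = Resolve-DnsName -Name "$DomainFqdn." -Type A -Server $dns -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "Cannot resolve $DomainFqdn : DNS server configuration problem"; return $false }
    # Step 3: nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>  (the DC locator records)
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -Server $dns -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { Write-Warning 'No DC SRV records: correct DC errors or DNS configuration'; return $false }
    # Step 4: "Are all name servers listed available?" - try the LDAP port each SRV record advertises
    $available = 0
    foreach ($rec in $srv) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $client.BeginConnect($rec.NameTarget, $rec.Port, $null, $null).AsyncWaitHandle.WaitOne(2000)
        $client.Close()
        Write-Host ("{0}:{1} -> {2}" -f $rec.NameTarget, $rec.Port, $(if ($ok) { 'reachable' } else { 'NO ANSWER' }))
        if ($ok) { $available++ }
    }
    # Step 5: "Can client get a DC?" - NLTEST /DSGETDC:<domain> exercises the DC locator itself
    $nltest = nltest "/dsgetdc:$DomainFqdn" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "DsGetDcName failed: $($nltest -join ' ') - next step is nltest /sc_reset:$DomainFqdn"
        return $false
    }
    Write-Host ($nltest | Select-String 'DC:')
    return ($available -gt 0)
}
Test-ClientDcNameResolution -DomainFqdn 'corp.example'   # placeholder domain
```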
AD Service Troubleshooting

Start from the Event Viewer error or warning:
- FRS event? Y: Troubleshoot FRS (http://bit.ly/XD3jK).
- Netlogon event? Y: Many potential causes; on your own!
- SceCli event? Y: Group Policy Troubleshooting.
- Kerberos errors? Y: Kerberos Troubleshooting.
- NTDS or ActiveDirectory_DomainService (W2K8) event? Y, by category:
  - NTDS Database / ISAM? Y: AD Database Troubleshooting.
  - NTDS Replication? Y: Replication Issues.
  - Sysvol? Y: Troubleshoot FRS.
  - NTDS KCC? Y: Dcdiag /test:topology & correct errors.
  - NTDS General? Y: On your own!
  - Global Catalog? Y: Global Catalog Troubleshooting (on your own!).
  - Site-related errors? Y: On your own!
- None of the above: Check EventID.Net / search.
- Did that fix the problem? Y: End.
Client-DC Troubleshooting
(Assumes client can communicate with a DC)

Authentication Problems
- Does client have a session w/ DC? (NLTEST /SC_QUERY:<domain>)
- Any "trust" messages in system log? Y: Attempt reset (NLTEST /SC_RESET:<domain>). Success? N: Reset computer account; rejoin to domain. No trust messages: On your own!
- Access denied to DC? Y: Kerberos Issues.

Slow logon?
- Is client in the expected site? (NLTEST /DSGETSITE) N: Confirm site subnet mapping against network charts; fix it!
- Is DC in the right site? N: Confirm site subnet mapping against network charts; fix it!
- Both in the right site: Perform client network monitor trace.

Authorization Problems
- GPO settings not seen? Y: Gpresult /r or Rsop.msc; Group Policy Troubleshooting.
- Did that fix the problem? Y: End.
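The Authentication Problems branch above as a script, added as an example and not part of the poster: it runs NLTEST /SC_QUERY and /DSGETSITE, pulls recent NETLOGON errors from the System log, and only with -Repair attempts NLTEST /SC_RESET followed by Test-ComputerSecureChannel -Repair (which re-creates the secure channel and needs an elevated prompt). It assumes Windows 7 / Server 2008 R2 or later.

```powershell
function Test-ClientDcSession {
    param([Parameter(Mandatory=$true)][string]$Domain,   # NetBIOS or DNS domain name
          [switch]$Repair)                                # opt in to the reset / repair steps
    # "Does client have a session w/ DC?" - NLTEST /SC_QUERY:<domain>
    $out  = nltest "/sc_query:$Domain" 2>&1
    $line = $out | Select-String 'Trusted DC Name'
    $dc   = if ($line) { $line.Line -replace '.*\\\\', '' } else { '(none)' }
    $ok   = [bool]($out | Select-String 'NERR_Success')
    Write-Host "Secure channel to $dc : $(if ($ok) { 'OK' } else { 'BROKEN' })"
    # "Is client in the expected site?" - NLTEST /DSGETSITE prints the site name first
    $site = nltest /dsgetsite 2>&1 | Select-Object -First 1
    Write-Host "Client site: $site"
    if ($ok) { return $true }
    # "Any 'trust' messages in system log?" - recent NETLOGON errors and warnings
    Get-EventLog -LogName System -Source NETLOGON -EntryType Error, Warning -Newest 5 -ErrorAction SilentlyContinue |
        Format-Table TimeGenerated, EventID, Message -AutoSize -Wrap
    if (-not $Repair) { return $false }
    # "Attempt reset" - NLTEST /SC_RESET:<domain>, then verify the channel
    nltest "/sc_reset:$Domain" | Out-Null
    if (Test-ComputerSecureChannel) { Write-Host 'Secure channel reset succeeded'; return $true }
    # "Reset computer account" - Test-ComputerSecureChannel -Repair re-creates the channel
    if (Test-ComputerSecureChannel -Repair) { Write-Host 'Secure channel repaired'; return $true }
    Write-Warning 'Reset and repair failed: rejoin the computer to the domain'
    return $false
}
Test-ClientDcSession -Domain 'CORP'   # placeholder domain; add -Repair to attempt the reset
```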
AD Replication Troubleshooting
(Assumes physical, network, local-only errors have been checked)

- Quick OS check (e.g. System Log). Serious errors? Y: Server OS Issues.
- Run DCDIAG. Fail any primary tests? Y: Run verbose failed test (DCDIAG /TEST:<test> /V) & correct problem(s). (SystemLog test errors will mirror the earlier check; also review directory svc log errors.) DCDIAG test descriptions at http://bit.ly/4ueDz9. Did that fix the problem? Y: End.
- Check this (target) DC's DNS configuration (dcdiag /test:dns /v) & correct errors. Did that fix the problem? Y: End.
- Any other DCs not getting updates from the source DC? Y: Check source DC's DNS configuration (dcdiag /test:dns /v) & correct errors; check the source DC's OS and DS. Did that fix the problem? Y: End.
- Is the source DC in a different site? Y: Verify site topology (all sites connected by site links, site bridging disabled or accounted for, etc.). Elapsed time < (site link interval)? Y: replication is not due yet.
- "Access Denied" errors? Y: Kerberos Issues.
- Trigger replication with failed partner (repadmin /replicate for single partner, or repadmin /syncall for all partners). Did that fix the problem? Y: End.
- N: Advanced replication troubleshooting (e.g. lingering objects).
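One way to find the failed partners this flowchart asks about, added as an example rather than taken from the poster: it parses repadmin /showrepl /csv (Server 2003 SP1 repadmin or later; the column names are the ones that output produces), classifies the last failure status against the "Access Denied" branch, and emits the exact repadmin /replicate command for the "trigger replication with failed partner" step. The error-code hints are this example's, not the poster's.

```powershell
function Get-FailedReplicationPartners {
    param([string]$Dc = '*')   # '*' = every DC in the forest, or one DC name
    # repadmin /showrepl /csv: one row per (destination DC, naming context, source DC) link
    $rows   = repadmin /showrepl $Dc /csv | ConvertFrom-Csv
    $failed = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
    foreach ($r in $failed) {
        # Map the Win32 status of the last failure onto the flowchart branches
        $hint = switch -Regex ($r.'Last Failure Status') {
            '^8453' { '"Access Denied": Kerberos Issues - check time, SPNs and secure channel on both DCs' }
            '^1722' { 'RPC server unavailable: check DNS (dcdiag /test:dns /v) and firewall to the source DC' }
            '^1256' { 'Remote system not available: network / DNS check on the source DC' }
            default { 'Run dcdiag /test:dns /v on target and source DC, correct errors, then retry' }
        }
        New-Object PSObject -Property @{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            NamingCtx   = $r.'Naming Context'
            Failures    = $r.'Number of Failures'
            LastSuccess = $r.'Last Success Time'
            Status      = $r.'Last Failure Status'
            Hint        = $hint
            # "Trigger replication with failed partner" for this single partner, ready to paste;
            # repadmin /syncall <dc> covers all partners at once
            Retry       = "repadmin /replicate $($r.'Destination DSA') $($r.'Source DSA') `"$($r.'Naming Context')`""
        }
    }
}
Get-FailedReplicationPartners | Format-List Destination, Source, NamingCtx, Failures, Status, Hint, Retry
```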
AD Database Troubleshooting

- Windows 2008? Y: "Net Stop NTDS". N: Reboot into DSRM.
- Check DB integrity: NTDSUTIL, FILE, INTEGRITY. Success? N: Perform database recovery: NTDSUTIL, FILES, RECOVER. Success? N: Rebuild.
- Run semantic database analysis: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO. Success? Y: Reboot into normal mode. End.
- Recoverable errors? Y: Run semantic database analysis with fixup: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO FIXUP. Success? Y: Reboot into normal mode. End. N: Rebuild.
Group Policy Troubleshooting
(http://bit.ly/9H6y2)

- Customer reports GPO is not being applied to client.
- Run GPMC, review Results report.
- Has policy been applied? N: Check: Scope of Management, Replication, Group Policy Refresh, Network Connectivity.
- Y: Is the GPO listed in the Denied List? Y: Check: Security Filtering, Disabled GPO, Inaccessible Data, Empty GPO, WMI Filter.
- N: Is the setting listed? N: Check: Replication, Group Policy Refresh, Operating System Support, Slow Link.
- Y: Run RSOP.MSC on client, examine results. Check: GPO Inheritance, Replication, Group Policy Refresh, Asynchronous Processing, Client Side Extensions, Loopback Processing.
- End
Kerberos Troubleshooting
(http://go.microsoft.com/fwlink/?LinkId=23043)

- Install kerbtray.exe or klist.exe.
- Have a TGT? Y: Have a session ticket? Y: SPN issue? Y: Setspn.exe. N: Authorization (not authentication) issue. End.
- No TGT, or no session ticket: Examine system log to determine why you can't get a session ticket:
  - Clock skew errors? Y: Time Service Troubleshooting.
  - UDP fragmentation problem? Y: Force Kerberos to use TCP instead of UDP.
  - Group membership overloads? Y: Kerberos token size issue.
  - PRINCIPAL_UNKNOWN errors? Y: Need an SPN set with setspn.
  - Logons failing in mixed NT4 & Unix env? Y: Match passwords between NT & Unix.
  - NTLM fallback issues? Y: See "NTLM Fallback" in "Troubleshooting Kerberos Errors" document.
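The first three Kerberos checks scripted, added here as an example and not part of the poster: klist tgt for the "Have a TGT?" question, the clock skew against a DC (Kerberos rejects tickets beyond the 5-minute default tolerance), the MaxPacketSize setting behind "force Kerberos to use TCP instead of UDP", and a setspn -Q lookup for the PRINCIPAL_UNKNOWN / SPN branch. It assumes Windows 7 / Server 2008 R2 or later and WMI access to the DC; the DC and SPN names are placeholders.

```powershell
function Test-KerberosPrereqs {
    param([Parameter(Mandatory=$true)][string]$Dc,   # a DC in the user's domain (e.g. from nltest /dsgetdc)
          [string]$Spn)                               # optional: SPN of the failing service, e.g. HTTP/app.corp.example
    # "Have a TGT?" - klist tgt prints the cached krbtgt ticket, or nothing if there is none
    $haveTgt = [bool](klist tgt 2>&1 | Select-String 'krbtgt')
    Write-Host "TGT present: $haveTgt"
    # "Clock skew errors?" - compare local time with the DC's clock over WMI
    $os     = Get-WmiObject Win32_OperatingSystem -ComputerName $Dc
    $dcTime = $os.ConvertToDateTime($os.LocalDateTime)
    $skew   = [math]::Abs(((Get-Date) - $dcTime).TotalSeconds)
    Write-Host ("Clock skew vs {0}: {1:N1} s" -f $Dc, $skew)
    if ($skew -gt 300) { Write-Warning 'Skew above 5 minutes: Time Service Troubleshooting (w32tm /resync)' }
    # "UDP fragmentation problem?" - MaxPacketSize = 1 forces Kerberos over TCP on XP / 2003
    $kp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue
    Write-Host "MaxPacketSize (1 = always TCP; Vista+ default to TCP): $($kp.MaxPacketSize)"
    # "SPN issue? / PRINCIPAL_UNKNOWN" - is the SPN registered at all?
    $haveSvc = $null
    if ($Spn) {
        $q = setspn -Q $Spn 2>&1
        if ($q -match 'No such SPN found') {
            Write-Warning "$Spn is not registered: setspn -S $Spn <service account>; setspn -X lists duplicates"
        }
        # "Have a session ticket?" for that service - klist lists every cached ticket
        $haveSvc = [bool](klist 2>&1 | Select-String ([regex]::Escape($Spn)))
        Write-Host "Session ticket for $Spn : $haveSvc"
    }
    New-Object PSObject -Property @{ HaveTgt = $haveTgt; SkewSeconds = [int]$skew; HaveServiceTicket = $haveSvc }
}
Test-KerberosPrereqs -Dc 'dc01.corp.example' -Spn 'HTTP/app.corp.example'   # placeholders
```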
Time Service Troubleshooting