Author: © 2011 Sean Deuby
URL: http://tinyurl.com/adtroubleshooting
Active Directory Troubleshooting
Version 1.1
8-Step Network Application Troubleshooting

Begin
1: Define the problem. Precisely state what the problem is, and what it isn't.
2: Gather detailed information. What doesn't work? What does work? What changed? Do others have this problem?
3: Consider probable cause for the failure. Occam's Razor: the simplest answer is usually the correct one.
4: Devise a plan to test the hypothesis.
5: Observe the test results.
6: Success?
- Yes: go to step 8.
- No: go to step 7.
7: Choose next most likely hypothesis. Have you exhausted the most likely (i.e. Occam's) causes?
- No: return to step 4 with the new hypothesis.
- Yes: troubleshoot from the wire up: physical, network, name resolution, OS, authentication/authorization, application.
8: Document changes. Hold post mortem, update production docs.
End
Troubleshooting From The Wire Up

Wire
- Cable plugged into the network? N: PICNIC error (problem in chair, not in computer).
- Is the cable good? N: replace cable.
- Router / switch working? N: escalate to Network Engineering.

Network
- Ping test to destination? N: Network Issues (see Network Troubleshooting). Did that solve the problem? Y: End.

Name Resolution
- Client communicating with the DC? N: Client-DC Name Resolution Issues (see Client-DC Name Resolution). Did that solve the problem? Y: End.

Client-DC Troubleshooting
- Is this a client?
- Y: Client-DC Troubleshooting. Trust errors? Y: trust troubleshooting.
- N (it is a DC): Are the errors related only to the local DC? Y: AD Service Troubleshooting. N: Replication Issues.
- Did that solve the problem? Y: End. N: troubleshoot potential server OS issues.
Client experiencing error?
- Error joining domain?
- Error finding / contacting DC?
- Error authentication (e.g. password) related?
- Slow logon?
- Group Policy not applied?
- Error authorization related?

DC experiencing error?
- DC won't boot normally?
- Boots, but local NTDS error?
- AD changes not showing up everywhere? DS replication? SYSVOL replication (FRS? DFS-R?)
- What else?
Network Troubleshooting (Network Issues)
- Run IPCONFIG /ALL.
- DHCP client & 169.254.x.x IP address? Y: not receiving IP address from DHCP.
- N: confirm host IP, subnet / DG, DNS config.
- Run the OS diagnostic tool: Windows 2003? Run NETDIAG. Windows XP? NETSH DIAG GUI. Vista+ / WS08+? Run "Diagnose & Repair".
- Ping a computer on this computer's subnet. Success?
- Y: ping a computer on another subnet. Success? Y: End.
- If either ping fails: check subnet mask and default gateway; Tracert / NetMon / Wireshark.
Client-DC Name Resolution (assumes network testing passed)
- Does the client's DNS server respond to pings?
- N: Is the primary DNS server correct? N: configure correct DNS server. Y: DNS server problem (already passed network tests).
- Y: Can the client resolve their domain? (NSLOOKUP <FQDN.>)
- N: Are all name servers listed available? N: DNS server problem. Y: DNS server configuration problem: correct DC errors or DNS configuration.
- Y: Check SRV records for the domain (nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>). Success? (List of DC SRV records)
- N: DNS server configuration problem: correct DC errors or DNS configuration.
- Y: Can client get a DC? (NLTEST /DSGETDC:<domain>)
- N: reset secure channel (NLTEST /SC_RESET:<domain>).
- Y: Return.
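The name-resolution checks above, run in order from the client as one script. This is an added example, not part of Sean Deuby's chart; it assumes Windows 8 / Server 2012 or later (DnsClient module) plus nltest.exe, and $Domain is a placeholder for the AD DNS domain name.

```powershell
# Added example (not from the original chart): the Client-DC Name Resolution
# checks above, run in order from the client. Assumes Windows 8 / Server 2012
# or later (DnsClient module) and nltest.exe; $Domain is a placeholder.
param([Parameter(Mandatory = $true)][string]$Domain)   # e.g. corp.example.com

$results = [ordered]@{}

# 1. Does the client's DNS server respond to pings?
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($srv in $dnsServers) {
    $results["DNS server $srv answers ping"] = Test-Connection -ComputerName $srv -Count 1 -Quiet
}

# 2. Can the client resolve its domain? (chart: NSLOOKUP <FQDN.>)
try {
    $a = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop
    $results['Domain A records'] = ($a | Where-Object IPAddress).IPAddress -join ', '
} catch { $results['Domain A records'] = "FAILED: $($_.Exception.Message)" }

# 3. Check SRV records for the domain (chart: nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>)
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -DnsOnly -ErrorAction Stop |
        Where-Object Type -eq 'SRV'
    $results['DC SRV records'] = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
} catch { $results['DC SRV records'] = "FAILED: $($_.Exception.Message)" }

# 4. Can the client get a DC? (chart: NLTEST /DSGETDC:<domain>)
$out = & nltest.exe "/dsgetdc:$Domain" 2>&1
$results['nltest /dsgetdc'] = if ($LASTEXITCODE -eq 0) {
    ($out | Select-String -Pattern '^\s*DC:' | Select-Object -First 1).Line.Trim()
} else { "FAILED (exit code $LASTEXITCODE); chart says: reset secure channel with NLTEST /SC_RESET:$Domain" }

$results.GetEnumerator() | Format-Table -AutoSize
```

Read the table top to bottom: the first failing row is where the chart says to stop and fix before continuing.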
AD Service Troubleshooting
Start from the Event Viewer error or warning and classify it:
- FRS event? Y: Troubleshoot FRS (http://bit.ly/XD3jK).
- Netlogon event? Y: Site-related errors? Y: Dcdiag /test:topology & correct errors.
- Kerberos errors? Y: Kerberos Troubleshooting.
- SceCli event? Y: Group Policy Troubleshooting.
- NTDS or ActiveDirectory_DomainService (W2K8) event?
- NTDS Database / ISAM? Y: AD Database Troubleshooting.
- NTDS Replication? Y: Replication Issues.
- Global Catalog? Y: Global Catalog Troubleshooting.
- Sysvol? NTDS KCC? NTDS General? Many potential causes: On Your Own!
- None of the above: check EventID.Net / search.
- Did that fix the problem? Y: End. N: On Your Own!
Client-DC Troubleshooting (assumes client can communicate with a DC)
- Does client have a session w/ DC? (NLTEST /SC_QUERY:<domain>)
- N: Attempt reset: NLTEST /SC_RESET:<domain>. Success? N: reset computer account. Success? N: rejoin to domain. Success? Y: End.
- Any "trust" messages in system log? Y: reset the secure channel as above. N: On Your Own!
- Slow logon? Is client in the expected site? (NLTEST /DSGETSITE) N: confirm site subnet mapping against network charts. Y: Is DC in the right site? N: confirm site subnet mapping against network charts. Y: perform client network monitor trace. Fix it!
- Authentication problems: Kerberos Issues.
- Authorization problems: GPO settings not seen? Y: Gpresult /r or Rsop.msc; Group Policy Troubleshooting. Access denied to DC? Y: Kerberos Issues. N: On Your Own!
AD Replication Troubleshooting (assumes physical, network, local-only errors have been checked)
- Run DCDIAG. (DCDIAG test descriptions at http://bit.ly/4ueDz9)
- Quick OS check (e.g. System Log). Serious errors? Y: Server OS Issues.
- Fail any primary tests? Y: run verbose failed test (DCDIAG /TEST:<test> /V) & correct problem(s). (SystemLog test errors will mirror the earlier check.) Did that fix the problem? Y: End.
- Directory svc log errors: "Access Denied" errors? Y: Kerberos Issues.
- Check this (target) DC's DNS configuration (dcdiag /test:dns /v) & correct errors. Did that fix the problem? Y: End.
- Is the source DC in a different site? Y: Elapsed time < (site link interval)? If not, verify site topology (all sites connected by site links, site bridging disabled or accounted for, etc.).
- Any other DCs not getting updates from the source DC? Y: check source DC's DNS configuration (dcdiag /test:dns /v) & correct errors; check the source DC's OS and DS. Did that fix the problem? Y: End.
- N: trigger replication with failed partner (repadmin /replicate for single partner, or repadmin /syncall for all partners). Did that fix the problem? Y: End.
- N: advanced replication troubleshooting (e.g. lingering objects).
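A triage script that walks repadmin's failure list along the branches of the chart above. This is an added example, not part of the original chart; it assumes repadmin.exe (RSAT or a DC), rights to read replication status, the column names repadmin emits with /showrepl /csv, and it changes nothing unless -Trigger is given.

```powershell
# Added example (not from the original chart): triages inbound replication
# failures along the chart's branches. Assumes repadmin.exe (RSAT or a DC) and
# rights to read replication status; nothing is changed unless -Trigger is given.
param([switch]$Trigger)

# repadmin /showrepl <DSA_LIST> /csv: one row per inbound partner per naming context.
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failed.Count -eq 0) { Write-Host 'No inbound replication failures reported.'; return }

foreach ($r in $failed) {
    $dest = $r.'Destination DSA'; $src = $r.'Source DSA'; $nc = $r.'Naming Context'
    $status = [int]$r.'Last Failure Status'
    Write-Host "$dest <- $src [$nc]: $($r.'Number of Failures') failure(s), last status $status, last success $($r.'Last Success Time')"

    # Chart: "Access Denied" errors -> Kerberos Issues, not a topology problem
    # (5 = ERROR_ACCESS_DENIED, 8453 = replication access was denied)
    if ($status -in 5, 8453) {
        Write-Host '  -> access denied: go to Kerberos Issues (time skew, secure channel, SPNs)'
        continue
    }
    # Chart: is the source DC in a different site? Then elapsed time vs site link interval matters
    if ($r.'Destination DSA Site' -ne $r.'Source DSA Site') {
        Write-Host "  -> cross-site partner ($($r.'Source DSA Site')): check elapsed time against the site link interval and verify site topology"
    }
    # Chart: any other DCs not getting updates from the source DC? -> suspect the source DC itself
    $others = @($failed | Where-Object { $_.'Source DSA' -eq $src -and $_.'Destination DSA' -ne $dest })
    if ($others.Count -gt 0) {
        Write-Host "  -> $($others.Count) other DC(s) also fail from ${src}: run dcdiag /test:dns /v on $src and check its OS and DS"
    }
    # Chart: trigger replication with the failed partner (repadmin /replicate for a single partner)
    if ($Trigger) { & repadmin /replicate $dest $src $nc }
    else          { Write-Host "  -> would run: repadmin /replicate $dest $src `"$nc`"" }
}
```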
AD Database Troubleshooting
- Windows 2008? Y: "Net Stop NTDS". N: reboot into DSRM.
- Check DB integrity: NTDSUTIL, FILE, INTEGRITY. Success? Y: reboot into normal mode.
- N: Run semantic database analysis: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO. Success? Y: reboot into normal mode.
- N: Recoverable errors? Y: Run semantic database analysis with fixup: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO FIXUP. Success? Y: reboot into normal mode.
- N: Perform database recovery: NTDSUTIL, FILES, RECOVER. Success? Y: reboot into normal mode. N: Rebuild.
- Reboot into normal mode. End.
Group Policy Troubleshooting (http://bit.ly/9H6y2)
- Customer reports GPO is not being applied to client.
- Run GPMC, review Results report. Run RSOP.MSC on client, examine results.
- Has policy been applied?
- N: Is the GPO listed in the Denied List?
  N: Check:
  - Scope of Management
  - Replication
  - Group Policy Refresh
  - Network Connectivity
  Y: Check:
  - Security Filtering
  - Disabled GPO
  - Inaccessible Data
  - Empty GPO
  - WMI Filter
- Y: Is the setting listed?
  N: Check:
  - Replication
  - Group Policy Refresh
  - Operating System Support
  - Slow Link
  Y: Check:
  - GPO Inheritance
  - Replication
  - Group Policy Refresh
  - Asynchronous Processing
  - Client Side Extensions
  - Loopback Processing
- End
Kerberos Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=23043)
- Install kerbtray.exe or klist.exe.
- Have a TGT?
- N: work through the following:
  - Clock skew errors? Y: Time Service Troubleshooting.
  - UDP fragmentation problem? Y: force Kerberos to use TCP instead of UDP.
  - Group membership overloads? Y: Kerberos token size issue.
  - PRINCIPAL_UNKNOWN errors? Y: need an SPN set with setspn.
  - Logons failing in mixed NT4 & Unix env? Y: match passwords between NT & Unix.
  - NTLM fallback issues? Y: see "NTLM Fallback" in "Troubleshooting Kerberos Errors" document.
- Y: Have a session ticket?
  - Y: Authorization (not authentication) issue. End.
  - N: SPN issue? Y: Setspn.exe. N: examine system log to determine why you can't get a session ticket.
Time Service Troubleshooting
Global Catalog Troubleshooting