Troubleshooting Active Directory


8/8/2019 Troubleshooting Active Directory

http://slidepdf.com/reader/full/troubleshooting-active-directory 1/3


Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


What problem are you having?

- Cannot add or remove a domain.
- Cannot create security principals in Active Directory.
- Changes to group memberships are not taking effect.
- Clients without Active Directory client software installed fail to authenticate.
- Receiving "Domain not found," "Server not available," or "RPC server is unavailable" error messages.
- User is unable to log on locally to a domain controller.
- Cannot enable auditing.
- Cannot remove Active Directory from a domain controller.
- Cannot connect to a domain controller running Windows 2000.

Cannot add or remove a domain.

Cause: The domain naming master is not available. This may be caused by a network connectivity problem or an Active Directory Installation Wizard failure. It may also be due to a failure of the computer holding the domain naming master role. Or, the user who is attempting to add or remove the domain does not have the necessary administrative credentials.

Solution: Identify the computer holding the domain naming master role by using the command netdom query fsmo and repair or replace the domain naming master computer. It may be necessary to seize the domain naming master role. Or, resolve the network connectivity problem. If this does not help solve the issue, see article Q223787, "Flexible Single Master Operation Transfer and Seizure Process," in the Microsoft Knowledge Base.

See also: Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the domain naming master role; Seize the domain naming master role

Cannot create security principals in Active Directory.

Cause: The RID master is not available or failed to replicate. This may be caused by a network connectivity problem or may be due to a failure of the computer holding the RID master role. This behavior can also occur when the Access this computer from the network user right is not assigned to the appropriate groups on the RID master. Or, the user who is attempting to create the security principal does not have the necessary administrative credentials.

Solution: Identify the computer holding the RID master role by using the command netdom query fsmo and repair or replace the computer holding the RID master role. It may be necessary to seize the RID master role. Or, resolve the network connectivity problem. If this does not help solve the issue, see articles Q223787, "Flexible Single Master Operation Transfer and Seizure Process," and Q248410, "Err Msg: The Account-Identifier Allocator Failed To..." in the Microsoft Knowledge Base.


See also: Access this computer from the network; Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the RID master role; Seize the RID master role

Changes to group memberships are not taking effect.

Cause: The infrastructure master is not available. This may be caused by a network connectivity problem. It may also be due to a failure of the computer holding the infrastructure master role. Or, the user who is attempting to change group membership does not have the necessary administrative credentials.

Solution: Identify the computer holding the infrastructure master role by using the command netdom query fsmo and repair or replace the computer holding the infrastructure master role. It may be necessary to seize the infrastructure master role. Or, resolve the network connectivity problem. If this does not help solve the issue, see article Q223787, "Flexible Single Master Operation Transfer and Seizure Process," in the Microsoft Knowledge Base.

See also: Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the infrastructure master role; Seize the infrastructure master role

Clients without Active Directory client software installed fail to authenticate.

Cause: The end user's password has expired and the primary domain controller (PDC) emulator master is not available. This may be caused by a network connectivity problem. It may also be due to a failure of the computer holding the PDC emulator master role.

Solution: Identify the computer holding the PDC emulator master role by using the command netdom query fsmo and repair or replace the computer holding the PDC emulator master role. It may be necessary to seize the PDC emulator master role. Or, resolve the network connectivity problem. If this does not help solve the issue, see articles Q223787, "Flexible Single Master Operation Transfer and Seizure Process," and Q239869, "How to Enable NTLM 2 Authentication for Windows 95, Windows 98, Windows NT Server 4.0, and Windows 2000 Advanced Server," in the Microsoft Knowledge Base.

See also: Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the PDC emulator role; Seize the PDC emulator role
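The four operations master problems above (domain naming master, RID master, infrastructure master, PDC emulator) share the same first step: find the role holder with netdom query fsmo, then decide whether the cause is connectivity, a failed computer, or credentials. The following PowerShell script is an added example, not part of the original article, that automates that triage. It parses the netdom output and tests each role holder twice, by ICMP and by a TCP connection to the LDAP port, so that "host down" and "host up but the directory service is not answering" can be told apart before anyone reaches for a role seizure. It assumes Windows PowerShell 3 or later on a domain-joined machine with netdom.exe available (Windows Support Tools on Windows Server 2003, built in on later versions); the host names and roles in its output are whatever your domain returns.

```powershell
# Added example (not from the original article): parse "netdom query fsmo" and
# check that each operations master is reachable before deciding between
# "resolve connectivity" and "repair, transfer or seize the role".
# Assumes: netdom.exe on the PATH (Support Tools on Server 2003), PowerShell 3+,
# and an account that is allowed to query the domain.

function Get-FsmoRoleHolder {
    # Returns one object per role: Role, Holder
    $lines = & netdom query fsmo 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netdom query fsmo failed: $($lines -join ' ')"
    }
    foreach ($line in $lines) {
        # Rows look like "Domain naming master        DC01.contoso.com";
        # the trailing "The command completed successfully." has no double space.
        if ($line -match '^(?<role>.+?)\s{2,}(?<holder>\S+)\s*$') {
            [pscustomobject]@{
                Role   = $Matches.role.Trim()
                Holder = $Matches.holder
            }
        }
    }
}

function Test-FsmoRoleHolder {
    param(
        [Parameter(Mandatory)] [string] $Holder,
        [int] $LdapPort  = 389,
        [int] $TimeoutMs = 3000
    )
    # ICMP says whether the host is up; a TCP connect to LDAP says whether the
    # directory service on it accepts connections. Both false: host down or
    # unreachable. Ping true, LDAP false: host up but NTDS is not serving.
    $ping = Test-Connection -ComputerName $Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
    $ldap = $false
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Holder, $LdapPort, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($async)
            $ldap = $true
        }
    } catch { $ldap = $false }
    finally { $client.Close() }
    [pscustomobject]@{ Holder = $Holder; Ping = [bool]$ping; Ldap = $ldap }
}

# Usage: one row per role, with the next step the article suggests for that state.
Get-FsmoRoleHolder | ForEach-Object {
    $t = Test-FsmoRoleHolder -Holder $_.Holder
    $next = if ($t.Ldap)     { 'role holder reachable; check credentials and replication' }
            elseif ($t.Ping) { 'host up but LDAP not answering; repair the role holder' }
            else             { 'unreachable; fix connectivity, or transfer/seize the role' }
    [pscustomobject]@{
        Role = $_.Role; Holder = $_.Holder; Ping = $t.Ping; Ldap = $t.Ldap; NextStep = $next
    }
} | Format-Table -AutoSize
```

The LDAP probe is a plain TCP connect, not a bind, so it needs no credentials and works from any domain member; a role holder that answers on 389 but still fails the operation points at the credential or replication causes listed above rather than at the network. Seizing a role is the last resort the article describes, so the script reports it as an option and never performs it.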

Receiving "Domain not found," "Server not available," or "RPC server is unavailable" error messages.

Cause: Name registration or name resolution problem.

Solution: Verify that Domain Name System (DNS) is available and functioning correctly. Run the Netdiag /debug command on the server in question. This will evaluate the registration of NetBIOS, DNS, and services. If this does not help solve the issue, see article Q265706, "DCDiag/NetDiag Facilitate Join and DC Creation," in the Microsoft Knowledge Base.

See also: Active Directory support tools; Install Windows Support Tools 
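As an added example that is not from the article, the following PowerShell function checks the DNS locator records a client needs in order to find a domain controller, which is what the "Domain not found" and "RPC server is unavailable" messages usually come down to when registration or resolution is broken. It assumes Resolve-DnsName, available on Windows 8 / Windows Server 2012 and later; on a Windows Server 2003 host the same lookups can be made with nslookup -type=SRV. The record names are the standard _msdcs names that the Netlogon service registers; the domain defaults to the logged-on user's DNS domain, and the DNS server to query is optional.

```powershell
# Added example (not from the article): verify the SRV records clients use to
# locate domain controllers, and that each SRV target itself resolves.
# Assumes PowerShell 3+ with Resolve-DnsName (Windows 8 / Server 2012 or later).

function Test-DcLocatorRecords {
    param(
        [string] $Domain = $env:USERDNSDOMAIN,   # e.g. contoso.com (from the logon session)
        [string] $Server                         # optional DNS server to query
    )
    # SRV records registered by Netlogon on every domain controller.
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",      # generic DC locator
        "_kerberos._tcp.dc._msdcs.$Domain",  # KDC locator
        "_ldap._tcp.pdc._msdcs.$Domain",     # PDC emulator
        "_gc._tcp.$Domain"                   # global catalog
    )
    foreach ($name in $names) {
        $params = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $params.Server = $Server }
        # A SRV query may return A records in the additional section; keep SRV only.
        $srv = Resolve-DnsName @params | Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            # Record missing: registration problem on the DC, or wrong DNS server/zone.
            [pscustomobject]@{ Record = $name; Target = '<none>'; Port = $null; HostResolves = $false }
            continue
        }
        foreach ($r in $srv) {
            # Each SRV target must resolve to an address, or the client finds the
            # record but still cannot reach the DC (resolution problem).
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            [pscustomobject]@{
                Record       = $name
                Target       = $r.NameTarget
                Port         = $r.Port
                HostResolves = [bool]$a
            }
        }
    }
}

# Usage: a row with Target '<none>' is a registration problem, a row with
# HostResolves False is a resolution problem; compare with "netdiag /debug".
Test-DcLocatorRecords | Format-Table -AutoSize
```

Running the function once against the DNS server the failing client actually uses (the -Server parameter) and once against a domain controller's own DNS usually isolates whether the records were never registered or simply never replicated to the server the client asks.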

User is unable to log on locally to a domain controller.

Cause: The ability to log on locally to a domain controller is controlled by security policies, which are established in Group Policy settings.

Solution: In the default Domain Controller Policy object, assign the particular user or group the Allow log on locally user right. If this does not help solve the issue, see article Q234237, "Assign 'Log On locally' Rights to Windows Domain Controller," in the Microsoft Knowledge Base.

See also:  Allow log on locally; Logon rights; Permit users to log on locally to a domain controller 

Cannot enable auditing.

Cause: For servers running Windows Server 2003, auditing must be enabled in the Group Policy object. Or, the user who is attempting to enable auditing does not have the necessary administrative credentials.

Solution: Run GPEdit.msc to enable auditing or monitoring of system events.

See also:  Define or modify auditing policy settings for an event category 
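Both of the last two problems (the Allow log on locally right and the audit policy) are settings that Group Policy delivers to the domain controller, so the useful check is what the domain controller has actually applied, not what the GPO says. The following PowerShell script is an added example, not part of the article, that exports the effective local security policy with secedit and reports the two settings: who holds SeInteractiveLogonRight (the internal name of Allow log on locally) and which event categories are audited. It assumes PowerShell 3 or later, an elevated session on the domain controller, and secedit's documented INI section and value names; the export path is a temporary file chosen here.

```powershell
# Added example (not part of the article): export the effective local security
# policy of a domain controller with secedit and show (1) who may log on
# locally and (2) which audit categories are enabled. Run elevated on the DC.
# Assumes PowerShell 3+; section/key names are secedit's own INI names.

function Get-SecurityPolicyFile {
    param([string] $Path = (Join-Path $env:TEMP 'secpol.inf'))
    # USER_RIGHTS covers [Privilege Rights]; SECURITYPOLICY covers [Event Audit].
    & secedit /export /cfg $Path /areas USER_RIGHTS SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $Path)) { throw 'secedit export failed (is the session elevated?)' }
    # secedit writes UTF-16LE; parse it into a section -> key -> value hashtable
    $ini = @{}; $section = ''
    foreach ($line in Get-Content $Path -Encoding Unicode) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $ini[$section][$Matches[1]] = $Matches[2] }
    }
    $ini
}

function Get-LogOnLocallyGrantees {
    param([hashtable] $Policy)
    # Value looks like "*S-1-5-32-544,*S-1-5-32-548,CONTOSO\Helpdesk":
    # SIDs carry a leading "*", account names are given as-is.
    $raw = $Policy['Privilege Rights']['SeInteractiveLogonRight']
    if (-not $raw) { return @() }
    foreach ($entry in $raw -split ',') {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sidText = $entry.Substring(1)
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
            [pscustomobject]@{ Sid = $sidText; Name = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

function Get-AuditCategories {
    param([hashtable] $Policy)
    # secedit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both
    $map = @{ '0' = 'None'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }
    if (-not $Policy.ContainsKey('Event Audit')) { return }
    foreach ($kv in $Policy['Event Audit'].GetEnumerator() | Sort-Object Key) {
        [pscustomobject]@{ Category = $kv.Key; Setting = $map[$kv.Value] }
    }
}

$pol = Get-SecurityPolicyFile
"Accounts allowed to log on locally to this domain controller:"
Get-LogOnLocallyGrantees -Policy $pol | Format-Table -AutoSize
"Audit policy (every category 'None' means auditing is not enabled on this DC):"
Get-AuditCategories -Policy $pol | Format-Table -AutoSize
```

If the user or group you added to the Default Domain Controllers Policy does not appear in the first table, the GPO has not applied on this domain controller yet (gpupdate /force, then re-run the export) or a policy with higher precedence is overriding it. The list should stay short: a local logon right on a domain controller is an administrative-level grant, which is why the article directs it to the domain controller policy object rather than to individual machines.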


Cannot remove Active Directory from a domain controller.

Cause: The NTDS Settings object could not be properly removed. Or, the user who is attempting to remove the domain controller does not have the necessary administrative credentials.

Solution: Use the Ntdsutil command-line tool to manually remove the NTDS Settings object. If this does not help solve the issue, see article Q216498, "Remove Data in Active Directory After an Unsuccessful Demotion," in the Microsoft Knowledge Base.

See also:  Delete extinct server metadata 

Cannot connect to a domain controller running Windows 2000.

Cause: You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.

Solution: Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

See also: Connecting to domain controllers running Windows 2000
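The last two problems are both visible in the directory's own metadata: a domain controller whose demotion failed keeps its server object and NTDS Settings object under CN=Sites in the configuration partition, and a Windows 2000 domain controller's service pack level is recorded on its computer object. The following PowerShell function is an added example, not from the article, that reads that metadata with plain [ADSI] (System.DirectoryServices, so no ActiveDirectory module is needed). It is read-only: it lists every server object per site, whether an NTDS Settings child still exists, and the operating system and service pack of the computer object the server references, so that both the leftover-after-demotion case and the pre-SP3 Windows 2000 case stand out. It assumes PowerShell 3 or later on a domain-joined host with read access to the configuration partition.

```powershell
# Added example (not from the article): list server objects under CN=Sites
# with their NTDS Settings state and the OS/service pack of the referenced
# computer account. Read-only. Assumes PowerShell 3+ on a domain member.

function Get-DcServerMetadata {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $sites    = [ADSI]"LDAP://CN=Sites,$configNc"
    foreach ($site in $sites.Children) {
        # CN=Sites also holds Inter-Site Transports and Subnets; keep site objects only
        if ($site.SchemaClassName -ne 'site') { continue }
        $servers = [ADSI]"LDAP://CN=Servers,$($site.distinguishedName)"
        foreach ($srv in $servers.Children) {
            if ($srv.SchemaClassName -ne 'server') { continue }
            # An NTDS Settings child means the directory still treats this server as a DC.
            $ntdsPath = "LDAP://CN=NTDS Settings,$($srv.distinguishedName)"
            $hasNtds  = [System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)
            # serverReference points at the computer account in the domain partition,
            # which carries operatingSystem and operatingSystemServicePack.
            $os = $sp = '<no serverReference>'
            $ref = $srv.serverReference.Value
            if ($ref) {
                $comp = [ADSI]"LDAP://$ref"
                $os = [string]$comp.operatingSystem.Value
                $sp = [string]$comp.operatingSystemServicePack.Value
            }
            [pscustomobject]@{
                Site            = [string]$site.name.Value
                Server          = [string]$srv.name.Value
                HasNtdsSettings = $hasNtds
                OperatingSystem = $os
                ServicePack     = $sp
            }
        }
    }
}

# Usage: a server that no longer exists on the network but shows
# HasNtdsSettings = True is the leftover the article says to remove with
# Ntdsutil; a "Windows 2000 Server" row with a service pack below 3 is the
# second case, and the fix is the service pack upgrade, not metadata cleanup.
Get-DcServerMetadata | Format-Table -AutoSize
```

Removing the stale NTDS Settings object itself is left to Ntdsutil as the article directs (article Q216498 walks through the steps); this function only confirms which object is stale before that is done, and makes it easy to verify afterwards that the entry is gone from every site.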