Active Directory Troubleshooting
Author: © 2009 Sean Deuby
URL: http://adtroubleshooting.deuby.com
Version 1.0

[Flowchart: Troubleshooting From The Wire Up (start connector A)]
Section labels: Wire; Network.
Decision boxes: Cable plugged into the network? Is the cable good? Router / switch working? Ping test to destination? Are the errors related only to the local DC? Client communicating with the DC? Trust Errors? Is this a Client? Did that solve the problem? (appears twice)
Action boxes: PICNIC Error; Replace Cable; Escalate to Network Engineering; Troubleshoot potential server OS Issues; Trust troubleshooting.
Links to other charts: Network Issues; Client / DC Name Resolution Issues; AD Service Troubleshooting; Client-DC Troubleshooting; Replication Issues.
Terminator: End.

[Flowchart: Network Troubleshooting (entry: Network Issues)]
Built-in diagnostics by OS:
- Windows XP? NETSH DIAG GUI
- Vista + / WS08+ ? Run "Diagnose & Repair"
- Windows 2003? Run NETDIAG
Decision boxes: Ping a computer on this computer's subnet? Ping a computer on another subnet? DHCP client & 169.254.x.x IP address? Success? (appears several times)
Action boxes: Run IPCONFIG /ALL; Check subnet mask and default gateway; Not receiving IP address from DHCP; Confirm Host IP, Subnet / DG, DNS config; Tracert / NetMon / Wireshark.
Terminator: End.

[Flowchart: Client-DC Name Resolution (Assumes network testing passed) (entry: Client - DC Name Resolution Issues)]
Decision boxes:
- Are all name servers listed available?
- Does the client's DNS server respond to pings?
- Is the primary DNS server correct?
- Can the client resolve their domain? (NSLOOKUP <FQDN.>)
- Check SRV records for the domain (nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>). Success? (List of DC SRV records)
- Can client get a DC? (NLTEST /DSGETDC:<domain>)
Action boxes:
- Correct DC errors or DNS configuration
- DNS Server Problem (already passed network tests)
- Configure correct DNS server
- DNS Server Configuration Problem
- Reset secure channel (NLTEST /SC_RESET:<domain>)
Terminator: Return.

[Flowchart: AD Service Troubleshooting (entry: AD Service Troubleshooting)]
Starting boxes: Event Viewer Error or Warning; Check EventID.Net / Search.
Decision boxes by event source: NTDS or ActiveDirectory_DomainService (W2K8) event? Kerberos Errors? Netlogon event? SceCli Event? Sysvol? FRS Event?
Decision boxes for NTDS events: NTDS KCC? Site-related errors? NTDS Replication? NTDS Database / ISAM? NTDS General? Global Catalog?
Other decision box: Did that fix the problem?
Action boxes: Dcdiag /test:topology & correct errors; Troubleshoot FRS (http://bit.ly/XD3jK); Many potential causes - On Your Own!; On Your Own! (appears several times).
Links to other charts: Kerberos Troubleshooting; Group Policy Troubleshooting; Replication Issues; AD Database Troubleshooting; Global Catalog Troubleshooting.
Terminator: End.

[Flowchart: Client-DC Name Resolution (Assumes client can communicate with a DC) (entry: Client-DC Troubleshooting)]
Decision boxes:
- Slow logon?
- Access denied to DC?
- GPO settings not seen?
- Is client in the expected site? (NLTEST /DSGETSITE)
- Is DC in the right site?
- Any "trust" messages in system log?
- Does client have a session w/ DC? (NLTEST /SC_QUERY:<domain>)
- Success? (appears twice)
Action boxes:
- Gpresult /r Or Rsop.msc
- Authentication Problems
- Confirm site subnet mapping against network charts
- Attempt reset: NLTEST /SC_RESET:<domain>
- Reset computer account
- Rejoin to domain
- Perform client network monitor trace
- Fix it!
- On Your Own!
Links to other charts: Group Policy Troubleshooting; Kerberos Issues.
Terminator: End.

[Flowchart: AD Replication Troubleshooting (entry: Replication Issues; assumes physical, network, local-only errors have been checked)]
Decision boxes:
- Quick OS Check (e.g. System Log): Serious errors?
- Directory svc log errors
- Fail any primary tests?
- Elapsed time < (Site link interval)?
- "Access Denied" Errors?
- Any other DCs not getting updates from the source DC?
- Is the source DC in a different site?
- Did that fix the problem? (appears several times)
Action boxes:
- Run DCDIAG (DCDIAG test descriptions at http://bit.ly/4ueDz9)
- Run verbose failed test (DCDIAG /TEST:<test> /V) & correct problem(s) (SystemLog test errors will mirror earlier check)
- Verify site topology (all sites connected by site links, site bridging disabled or accounted for, etc.)
- Trigger replication with failed site partner (repadmin /replicate for single partner, or repadmin /syncall for all partners)
- Check this (target) DC's DNS configuration (dcdiag /test:dns /v) & correct errors
- Check the source DC's OS and DS
- Check source DC's DNS configuration (dcdiag /test:dns /v) & correct errors
- Advanced replication troubleshooting (e.g. lingering objects)
Links to other charts: Server OS Issues; Kerberos Issues.
Terminator: End.

[Flowchart: AD Database Troubleshooting (entry: AD Database Troubleshooting)]
Decision boxes: Windows 2008? Success? (appears several times) Recoverable Errors?
Action boxes:
- "Net Stop NTDS"
- Reboot Into DSRM
- Check DB Integrity: NTDSUTIL, FILE, INTEGRITY
- Perform database recovery: NTDSUTIL, FILES, RECOVER
- Run semantic database analysis: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO
- Run semantic database analysis with fixup: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO FIXUP
- Rebuild
- Reboot into normal mode
Terminator: End.

[Flowchart: Group Policy Troubleshooting (http://bit.ly/9H6y2) (entry: Group Policy Troubleshooting)]
Starting box: Customer reports GPO is not being applied to client.
Decision boxes: Is the setting listed? Has policy been applied? Is the GPO listed in the Denied List?
Action boxes: Run RSOP.MSC on client, examine results; Run GPMC, review Results report.
Check lists (four boxes):
- Check: Security Filtering; Disabled GPO; Inaccessible Data; Empty GPO; WMI Filter
- Check: Scope of Management; Replication; Group Policy Refresh; Network Connectivity
- Check: GPO Inheritance; Replication; Group Policy Refresh; Asynchronous Processing; Client Side Extensions; Loopback Processing
- Check: Replication; Group Policy Refresh; Operating System Support; Slow Link
Terminator: End.

[Flowchart: Kerberos Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=23043) (entry: Kerberos Issues)]
Starting box: Install kerbtray.exe or klist.exe.
Decision boxes, in chart order:
- Have a TGT?
- Have a session ticket?
- Clock skew errors?
- UDP fragmentation Problem?
- Group Membership Overloads?
- PRINCIPAL_UNKNOWN Errors?
- Logons failing in mixed NT4 & Unix env?
- NTLM Fallback Issues?
- SPN Issue?
Action boxes, in chart order:
- Time Service Troubleshooting
- Force Kerberos to use TCP instead of UDP
- Kerberos token size issue
- Need an SPN set with setspn
- Match passwords between NT & Unix Kerberos
- See "NTLM Fallback" in "Troubleshooting Kerberos Errors" document
- Examine system log to determine why you can't get a session ticket
- Setspn.exe
- Authorization (not authentication) issue
Terminator: End.
