Active Directory Troubleshooting Version 1.0: Troubleshooting From The Wire Up

[Flowchart: overview. Stage labels: Wire; Network; Name Resolution.
Decision nodes: Cable plugged into the network? Is the cable good? Router / switch working? Ping test to destination? Is this a client? Client communicating with the DC? Are the errors related only to the local DC? Trust errors? Did that solve the problem?
Actions and outcomes: PICNIC Error; Replace cable; Escalate to Network Engineering; Network Issues; Client DC Name Resolution Issues; Client-DC Troubleshooting; AD Service Troubleshooting; Replication Issues; Trust troubleshooting; Troubleshoot potential server OS issues; End.]

Active Directory Troubleshooting Version 1.0: Network Troubleshooting

[Flowchart: Network Issues.
Decision nodes: Windows XP? Vista+ / WS08+? Windows 2003? DHCP client & 169.254.x.x IP address? Ping a computer on this computer's subnet? Ping a computer on another subnet? Success?
Actions and outcomes: NETSH DIAG GUI; Run "Diagnose & Repair"; Run NETDIAG; Run IPCONFIG /ALL; Not receiving IP address from DHCP; Confirm Host IP, Subnet / DG, DNS config; Check subnet mask and default gateway; Tracert / NetMon / Wireshark; End.]

Active Directory Troubleshooting Version 1.0: Client-DC Name Resolution (Assumes network testing passed)

[Flowchart: Client DC Name Resolution Issues.
Decision nodes: Is the primary DNS server correct? Does the client's DNS server respond to pings? Are all name servers listed available? Can the client resolve their domain? (NSLOOKUP <FQDN>) Check SRV records for the domain (nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>): Success? (List of DC SRV records) Can client get a DC? (NLTEST /DSGETDC:<domain>)
Actions and outcomes: Configure correct DNS server; DNS Server Problem (already passed network tests); Correct DC errors or DNS configuration; DNS Server Configuration Problem; Reset secure channel (NLTEST /SC_RESET:<domain>); Return.]

Active Directory Troubleshooting Version 1.0: AD Service Troubleshooting

[Flowchart: AD Service Troubleshooting. Starting point: Event Viewer Error or Warning.
Decision nodes: NTDS or ActiveDirectory_DomainService (W2K8) event? Kerberos Errors? Netlogon event? SceCli Event? Sysvol? FRS Event? NTDS KCC? Site-related errors? NTDS Replication? NTDS Database / ISAM? NTDS General? Global Catalog? Did that fix the problem?
Actions and outcomes: Kerberos Troubleshooting; Group Policy Troubleshooting; Troubleshoot FRS (http://bit.ly/XD3jK); Check EventID.Net / Search; Dcdiag /test:topology & correct errors; Replication Issues; AD Database Troubleshooting; Global Catalog Troubleshooting; Many potential causes; On Your Own!; End.]

Active Directory Troubleshooting Version 1.0: Client-DC Name Resolution (Assumes client can communicate with a DC)

[Flowchart: Client-DC Troubleshooting.
Decision nodes: Access denied to DC? Slow logon? GPO settings not seen? Is client in the expected site? (NLTEST /DSGETSITE) Is DC in the right site? Any "trust" messages in system log? Does client have a session w/ DC? (NLTEST /SC_QUERY:<domain>) Success?
Actions and outcomes: Authentication Problems; Gpresult /r or Rsop.msc; Group Policy Troubleshooting; Confirm site subnet mapping against network charts; Fix it!; Kerberos Issues; Attempt reset: NLTEST /SC_RESET:<domain>; Reset computer account; Rejoin to domain; Perform client network monitor trace; On Your Own!; End.]

Active Directory Troubleshooting Version 1.0: AD Replication Troubleshooting

[Flowchart: Replication Issues (Assumes physical, network, local-only errors have been checked).
Decision nodes: Serious errors? Is the source DC in a different site? Elapsed time < (Site link interval)? Any other DCs not getting updates from the source DC? Directory svc log errors? "Access Denied" Errors? Did that fix the problem?
Actions and outcomes: Run DCDIAG (DCDIAG test descriptions at http://bit.ly/4ueDz9); Run verbose failed test (DCDIAG /TEST:<test> /V) & correct problem(s) (SystemLog test errors will mirror earlier check); Quick OS Check (e.g. System Log); Server OS Issues; Check the source DC's OS and DS; Kerberos Issues; Check this (target) DC's DNS configuration (dcdiag /test:dns /v) & correct errors; Check source DC's DNS configuration (dcdiag /test:dns /v) & correct errors; Trigger replication with failed partner (repadmin /replicate for single partner, or repadmin /syncall for all partners); Advanced replication troubleshooting (e.g. lingering objects); End.
Other label: site bridging disabled or accounted for.]

Active Directory Troubleshooting Version 1.0: AD Database Troubleshooting

[Flowchart: AD Database Troubleshooting.
Decision nodes: Windows 2008? Success? Recoverable Errors?
Actions and outcomes: "Net Stop NTDS"; Reboot Into DSRM; Check DB Integrity: NTDSUTIL, FILES, INTEGRITY; Perform database recovery: NTDSUTIL, FILES, RECOVER; Run semantic database analysis: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO; Run semantic database analysis with fixup: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO FIXUP; Rebuild; Reboot into normal mode; End.]

Active Directory Troubleshooting Version 1.0: Group Policy Troubleshooting (http://bit.ly/9H6y2)

[Flowchart: Group Policy Troubleshooting. Starting point: Customer reports GPO is not being applied to client.
Decision nodes: Has policy been applied? Is the GPO listed in the Denied List? Is the setting listed?
Actions: Run GPMC, review Results report; Run RSOP.MSC on client, examine results.
Items appearing in the chart's "Check:" boxes: Replication; Group Policy Refresh; Operating System Support; GPO Inheritance; Scope of Management; Inaccessible Data; Asynchronous Processing; Disabled GPO; Network Connectivity; Security Filtering; Empty GPO; Client Side Extensions; WMI Filter; Loopback Processing; Slow Link.
Outcome: End.]

[Flowchart: Kerberos Issues. Starting point: Install kerbtray.exe or klist.exe.
Decision nodes: Have a TGT? Have a session ticket? SPN Issue? Clock skew errors? UDP fragmentation Problem? Group Membership Overloads? PRINCIPAL_UNKNOWN Errors? Logons failing in mixed NT4 & Unix env? NTLM Fallback Issues?
Actions and outcomes: Examine system log to determine why you can't get a session ticket; Setspn.exe; Authorization (not authentication) issue; Time Service Troubleshooting; Force Kerberos to use TCP instead of UDP; Kerberos token size issue; Need an SPN set with setspn; Match passwords between NT & Unix; See "NTLM Fallback" in "Troubleshooting Kerberos Errors" document; End.]

Active Directory Troubleshooting Version 1.0 Kerberos Troubleshooting http://go.microsoft.com/fwlink/?LinkId=23043

