
Active Directory - Domain Controller - Part 4

Experience-Based Questions & Answers

How do you join a computer to a domain that is on a different VLAN (Virtual LAN)?
1. Make sure both VLANs can communicate with each other.
2. Add exceptions to Windows Firewall on the DC. Open the required ports in both directions,
between source and destination, for:
- DNS
- NetBIOS (Network Basic Input/Output System)
- RPC (Remote Procedure Call)
- LDAP
- ICMP (Internet Control Message Protocol)

What is the difference between the csvde and ldifde commands?

- The csvde command is similar to the ldifde command, but it has a significant limitation: it can
only import and export AD data, whereas ldifde can also be used to edit and delete existing AD objects.
- csvde uses the CSV format, and ldifde uses the LDIF (LDAP Data Interchange Format) file type.

What is the recommendation for using ADMT?

AD migration is a complex process that, if done wrong, can cause disruptions in an organization. As
a best practice, administrators should perform extensive pre-migration testing.
For example, creating, migrating, and verifying access for one or more test users can help reveal
issues before administrators make changes in production.

A user is unable to log in to his desktop, which is joined to a domain. What troubleshooting
steps should be taken?
1. Log in locally and check whether you can ping the DC, or ping the desktop remotely. If you can
ping, then go to the next step.
2. Check the date and time on the desktop. If they are correct, then go to the next step.
3. Check that the user account is not disabled or locked. If it is not, then go to the next step.
4. Check whether the user can log in to another workstation. If that is successful, then go to the
next step.
5. Check whether the account of the computer where the user is trying to log in exists in AD. If it
exists, then go to the next step.
6. Remove the computer from the domain and rejoin it.
Note: during troubleshooting, you can also restart the computer, which can resolve the issue.

One of the computers cannot join a Windows domain. What are the troubleshooting steps?

1. Check whether the computer is pointing to the internal DNS server.
a. If the setting is not correct, then change it on the network interface.
b. If it still fails to join, then go to the next step.
2. Check the date and time.
a. If the date is not current, then correct it.
b. If it still fails to join, then go to the next step.
3. Check whether you can ping the DC by IP (Internet Protocol) address.
a. If you cannot ping it, then there is an issue on the network. You need to resolve it.
b. If it still fails to join, then go to the next step.
4. Check whether the client can resolve the server name by pinging it.
a. If you cannot ping it, then there is an issue with the DNS service. You need to resolve it.
b. If it still fails to join, then go to the next step.
5. Check whether other computers on the same VLAN can be joined to the domain.
a. If you cannot join them, then there is an issue on the network. You need to resolve it.
b. If it still fails to join, then go to the next step.
6. Check whether a computer with the same name already exists in AD.
a. If yes, then rename the computer to a name that does not exist in AD.
b. If it still fails to join, then go to the next step.
7. Check whether the PDC (Primary Domain Controller) Emulator Master is functioning. If yes, then
resolve the issue with the PDC Emulator Master.
Notes:
- During troubleshooting, you can also restart the computer, which can resolve the issue.
- Be sure that security or firewall software on the PC (Personal Computer) does not cause the issue.

You are trying to add a Windows 10 computer to the AD domain, but it shows the error
“Unable to find Domain Controller.” What troubleshooting steps should be taken?
1. Check the network adapter settings to verify the DNS IP address.
- If it is not configured correctly, then configure the DNS IP address.
- If you still experience the issue, then go to the next step.
2. Check whether you can ping the DC(s) by IP address.
- If the ping is not successful, then verify (and change if necessary) the IP settings on the network adapter.
- Check whether the DC and the workstation are located on the same VLAN. If not, then the network
must be configured so that the VLAN where the workstation is situated can communicate with the
DC, which is on another VLAN.
- If you still experience the issue, then go to the next step.
3. Check whether you can join another workstation, located on the same VLAN, to the domain. If
that is successful, then there is an issue with the workstation. Try reinstalling the network
adapters with the latest driver version.
Notes:
- During troubleshooting, you can also restart the computer, which can resolve the issue.
- Be sure that security and firewall software on the PC does not cause a problem.
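
The client-side checks from the VLAN question and the two join-failure questions above can be run in one pass. This is an added example, not part of the original Q&A; the domain name and DNS server address are constructed placeholders, and the TCP port numbers are the standard ones for the services the checklist names.

```powershell
# Added example: pre-flight checks to run on the client before a domain join.
# Assumptions: corp.example.com and 10.0.10.5 are constructed placeholder values.
param(
    [string]$Domain        = 'corp.example.com',   # AD DNS domain (placeholder)
    [string[]]$InternalDns = @('10.0.10.5')        # internal DNS server(s) (placeholder)
)

# 1. Is the client pointing at the internal DNS server?
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
"DNS servers in use: $($dns -join ', ')"
$dns | Where-Object { $_ -notin $InternalDns } |
    ForEach-Object { "  WARNING: $_ is not a listed internal DNS server" }

# 2. Can the client locate a DC? The join finds one through this SRV record,
#    so a failure here matches the "Unable to find Domain Controller" error.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { "FAIL: no DC SRV records found for $Domain (DNS issue)"; return }

# Services named in the firewall checklist, as TCP ports. NetBIOS name and
# datagram traffic (UDP 137/138) and the RPC dynamic ports are not covered here.
$ports = [ordered]@{ 'DNS' = 53; 'RPC endpoint mapper' = 135; 'NetBIOS session' = 139; 'LDAP' = 389 }

foreach ($dc in ($srv.NameTarget | Select-Object -Unique)) {
    "--- $dc ---"
    # 3. Name resolution, then reachability by IP (ICMP)
    $ip = (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue).IPAddress |
        Select-Object -First 1
    if (-not $ip) { "  FAIL: cannot resolve $dc"; continue }
    "  Ping {0}: {1}" -f $ip, (Test-Connection -ComputerName $ip -Count 2 -Quiet)

    # 4. Are the required ports open between the VLANs?
    foreach ($p in $ports.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $ip -Port $p.Value -WarningAction SilentlyContinue
        "  TCP {0,-4} {1,-20} open: {2}" -f $p.Value, $p.Key, $t.TcpTestSucceeded
    }

    # 5. Date and time: offset between this client and the DC.
    #    Kerberos tolerates 5 minutes of skew by default.
    w32tm /stripchart /computer:$ip /samples:1 /dataonly | Select-Object -Last 1
}
```

A DC that answers ping but shows closed ports points to the firewall exceptions rather than to routing between the VLANs.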

Many users of a network experience latency while logging in to their workstations. How do you
investigate this problem?
1. Verify that the DC in the site where the user desktops are located is up and running without
high resource usage.
2. If the workstations are not located in the default AD site, make sure that a GC (Global Catalog)
is configured on the local DC. You need to do this in the following cases:
- If there are on-site application servers which require a GC.
- If there are 100 or more users.
3. If there is low bandwidth between sites, you can enable universal group membership caching.
4. If there is a high-bandwidth connection and users still experience latency, then some settings
need to be changed on the network.
Note: during troubleshooting, you can also restart the computer, which can resolve the issue.

A user account is frequently being locked out. How do you investigate this issue? What can the
user do to resolve the issue on his side?
- Check for any automatic programs or devices which use Exchange ActiveSync, which will keep using
the old password even after the user has changed it.
- Advise the user to reconfigure all the programs and devices which use AD credentials.
- Check and verify any scheduled tasks using old passwords.
- Verify persistent drive mappings that use the old password.
- Disconnect terminal service sessions.
- Reconfigure the account lockout threshold if required, i.e. if it is set too narrowly.
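
To find which machine to apply the checklist above to, the lockout events on the PDC Emulator name the computer that sent the bad passwords. This is an added example, not part of the original Q&A; it assumes the ActiveDirectory (RSAT) module and read access to the DC Security log, and `jdoe` is a placeholder account name.

```powershell
# Added example: trace where repeated lockouts for one account come from.
# Assumptions: RSAT ActiveDirectory module is installed; 'jdoe' is a placeholder.
param([string]$User = 'jdoe', [int]$Days = 3)

Import-Module ActiveDirectory
# Lockouts are also processed by the PDC Emulator, so its Security log is the usual place to look.
$pdc = (Get-ADDomain).PDCEmulator

# Current state of the account; compare PasswordLastSet with the first lockout time
Get-ADUser -Identity $User -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, PasswordLastSet |
    Select-Object SamAccountName, LockedOut, BadLogonCount, LastBadPasswordAttempt, PasswordLastSet

# Event ID 4740 = "A user account was locked out"
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
}

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on property positions
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.TargetUserName -eq $User) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            User           = $data.TargetUserName
            CallerComputer = $data.TargetDomainName   # 4740 stores the caller computer name here
        }
    }
}

$lockouts | Sort-Object Time | Format-Table -AutoSize
# Which machine generates most of the lockouts?
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending | Select-Object Count, Name

# Lockout policy in force, for the threshold item in the checklist
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# On the caller computer, the places the checklist names:
#   Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$User" }   # scheduled tasks
#   net use                                                                   # persistent drive mappings
#   quser                                                                     # terminal service sessions
```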
