Active Directory Troubleshooting
Version 1.0
Author: © 2009 Sean Deuby
URL: http://adtroubleshooting.deuby.com

Troubleshooting From The Wire Up
[Flowchart; node labels only]
Chart layers: Wire, Network, Name Resolution
Decision points:
- Cable plugged into the network?
- Is the cable good?
- Router / switch working?
- Ping test to destination?
- Is this a Client?
- Are the errors related only to the local DC?
- Client communicating with the DC?
- Trust Errors?
- Did that solve the problem? (appears twice)
Actions and linked charts:
- PICNIC Error
- Replace Cable
- Escalate to Network Engineering
- Network Issues
- Client DC Name Resolution Issues
- Client-DC Troubleshooting
- AD Service Troubleshooting
- Replication Issues
- Trust troubleshooting
- Troubleshoot potential server OS Issues
- End
Connector: A

Network Troubleshooting
[Flowchart; node labels only]
Entry point: Network Issues
Decision points:
- DHCP client & 169.254.x.x IP address?
- Windows XP?
- Vista + / WS08+?
- Windows 2003?
- Ping a computer on this computer’s subnet?
- Ping a computer on another subnet?
- Success? (appears several times)
Actions and outcomes:
- Not receiving IP address from DHCP
- Run IPCONFIG /ALL
- Confirm Host IP, Subnet / DG, DNS config
- NETSH DIAG GUI
- Run “Diagnose & Repair”
- Run NETDIAG
- Check subnet mask and default gateway
- Tracert / NetMon / Wireshark
- End

Client-DC Name Resolution (Assumes network testing passed)
[Flowchart; node labels only]
Entry point: Client DC Name Resolution Issues
Decision points:
- Is the primary DNS server correct?
- Are all name servers listed available?
- Does the client’s DNS server respond to pings?
- Can the client resolve their domain? (NSLOOKUP <FQDN>)
- Success? (List of DC SRV records)
- Can client get a DC? (NLTEST /DSGETDC:<domain>)
Actions and outcomes:
- Configure correct DNS server
- Correct DC errors or DNS configuration
- DNS Server Problem (already passed network tests)
- DNS Server Configuration Problem
- Check SRV records for the domain (nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>)
- Reset secure channel (NLTEST /SC_RESET:<domain>)
- Return

AD Service Troubleshooting
[Flowchart; node labels only]
Entry point: AD Service Troubleshooting, starting from an Event Viewer Error or Warning
Decision points:
- NTDS or ActiveDirectory_DomainService (W2K8) event?
- NTDS Replication?
- NTDS KCC?
- Site-related errors?
- NTDS Database / ISAM?
- NTDS General?
- Global Catalog?
- Kerberos Errors?
- Netlogon event?
- SceCli Event?
- Sysvol?
- FRS Event?
- Did that fix the problem?
Actions and linked charts:
- Replication Issues
- Dcdiag /test:topology & correct errors
- AD Database Troubleshooting
- Global Catalog Troubleshooting
- Kerberos Troubleshooting
- Group Policy Troubleshooting
- Troubleshoot FRS http://bit.ly/XD3jK
- Many potential causes
- Check EventID.Net / Search
- On Your Own! (appears several times)
- End

Client-DC Name Resolution (Assumes client can communicate with a DC)
[Flowchart; node labels only]
Entry point: Client-DC Troubleshooting
Decision points:
- Access denied to DC?
- Slow logon?
- GPO settings not seen?
- Is client in the expected site? (NLTEST /DSGETSITE)
- Is DC in the right site?
- Any “trust” messages in system log?
- Does client have a session w/ DC? (NLTEST /SC_QUERY:<domain>)
- Success? (appears twice)
Actions and linked charts:
- Authentication Problems
- Gpresult /r or Rsop.msc
- Confirm site subnet mapping against network charts
- Fix it!
- Group Policy Troubleshooting
- Kerberos Issues
- Attempt reset: NLTEST /SC_RESET:<domain>
- Perform client network monitor trace
- Reset computer account
- Rejoin to domain
- On Your Own!
- End

AD Replication Troubleshooting (Assumes physical, network, local-only errors have been checked)
[Flowchart; node labels only]
Entry point: Replication Issues
Decision points:
- Serious errors?
- Fail any primary tests?
- Is the source DC in a different site?
- Elapsed time < (Site link interval)?
- “Access Denied” Errors?
- Any other DCs not getting updates from the source DC?
- Did that fix the problem? (appears several times)
Actions and linked charts:
- Quick OS Check (e.g. System Log)
- Directory svc log errors
- Server OS Issues
- Run DCDIAG (DCDIAG test descriptions at http://bit.ly/4ueDz9)
- Run verbose failed test (DCDIAG /TEST:<test> /V) & correct problem(s) (SystemLog test errors will mirror earlier check)
- Verify site topology (all sites connected by site links, site bridging disabled or accounted for, etc.)
- Trigger replication with failed partner (repadmin /replicate for single partner, or repadmin /syncall for all partners)
- Kerberos Issues
- Check this (target) DC’s DNS configuration (dcdiag /test:dns /v) & correct errors
- Check source DC’s DNS configuration (dcdiag /test:dns /v) & correct errors
- Check the source DC’s OS and DS
- Advanced replication troubleshooting (e.g. lingering objects)
- End

AD Database Troubleshooting
[Flowchart; node labels only]
Entry point: AD Database Troubleshooting
Decision points:
- Windows 2008?
- Success? (appears several times)
- Recoverable Errors?
Actions and outcomes:
- “Net Stop NTDS”
- Reboot Into DSRM
- Check DB Integrity: NTDSUTIL, FILES, INTEGRITY
- Perform database recovery: NTDSUTIL, FILES, RECOVER
- Run semantic database analysis: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO
- Run semantic database analysis with fixup: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO FIXUP
- Rebuild
- Reboot into normal mode
- End

Group Policy Troubleshooting (http://bit.ly/9H6y2)
[Flowchart; node labels only]
Entry point: Customer reports GPO is not being applied to client
Decision points:
- Has policy been applied?
- Is the GPO listed in the Denied List?
- Is the setting listed?
Actions:
- Run GPMC, review Results report
- Run RSOP.MSC on client, examine results
Items from the chart's four “Check:” boxes:
- Group Policy Refresh (in three boxes)
- Replication (in three boxes)
- Security Filtering
- WMI Filter
- Scope of Management
- GPO Inheritance
- Disabled GPO
- Empty GPO
- Inaccessible Data
- Loopback Processing
- Asynchronous Processing
- Slow Link
- Client Side Extensions
- Operating System Support
- Network Connectivity
- End

Kerberos Troubleshooting
http://go.microsoft.com/fwlink/?LinkId=23043
[Flowchart; node labels only]
Entry point: Kerberos Issues
Decision points:
- Clock skew errors?
- UDP fragmentation Problem?
- Group Membership Overloads?
- PRINCIPAL_UNKNOWN Errors?
- Logons failing in mixed NT4 & Unix env?
- NTLM Fallback Issues?
- Have a TGT?
- Have a session ticket?
- SPN Issue?
Actions and outcomes:
- Install kerbtray.exe or klist.exe
- Time Service Troubleshooting
- Force Kerberos to use TCP instead of UDP
- Kerberos token size issue
- Need an SPN set with setspn
- Match passwords between NT & Unix
- See “NTLM Fallback” in “Troubleshooting Kerberos Errors” document
- Examine system log to determine why you can’t get a session ticket
- Setspn.exe
- Authorization (not authentication) issue
- End