
Module 10: Troubleshooting AD DS, DNS, and Replication Issues

Module Overview
• Troubleshooting Active Directory Domain Services

• Troubleshooting DNS Integration with AD DS

• Troubleshooting AD DS Replication

Lesson 1: Troubleshooting Active Directory Domain Services
• Introduction to AD DS Troubleshooting

• Discussion: How to Troubleshoot AD DS Issues

• Troubleshooting User Access Errors

• Demonstration: Tools for Troubleshooting User Access Errors

• Troubleshooting Domain Controller Performance Issues
Introduction to AD DS Troubleshooting

AD DS troubleshooting begins when:

• Users report authentication or authorization errors

• AD DS related events appear in the Event Viewer

• Domain controller performance is degraded

• An alert is generated by a monitoring system

• Data is not being replicated between domain controllers


Discussion: How to Troubleshoot AD DS Issues
• What tools would you use?

• How would you verify that your solution worked?


Troubleshooting User Access Errors

User access errors may be the result of:

• Network access errors


• Authentication errors
• Authorization errors

To address user access errors, verify:

• Network connectivity
• Time synchronization
• Domain controller availability
• User account and user lockout settings
• Group memberships

Demonstration: Tools for Troubleshooting User Access Errors

In this demonstration, you will see how to troubleshoot user access errors using Windows tools.

Troubleshooting Domain Controller Performance Issues

Most common performance issues include:

• High CPU utilization

• High network utilization

To resolve performance issues:


• Identify the processes with high CPU utilization
• Monitor application-specific network traffic
• Move applications or services to another server
• Distribute AD DS and DNS roles across multiple servers
• Review and modify the replication topology
• Deploy domain controllers with 64-bit hardware

Lesson 2: Troubleshooting DNS Integration with AD DS
• Overview of DNS and AD DS Troubleshooting

• Troubleshooting DNS Name Resolution

• Troubleshooting DNS Name Registration

• Troubleshooting DNS Zone Replication


Overview of DNS and AD DS Troubleshooting

Troubleshoot DNS and AD DS integration when:

• Users cannot log on to AD DS

• AD DS replication is failing

• AD DS installation fails

To troubleshoot DNS and AD DS integration, verify:

• DNS client and server configurations

• DNS name registration

• DNS zone replication


Troubleshooting DNS Name Resolution

DNS name resolution may fail due to:

• Network connectivity issues


• Client configuration errors
• DNS server availability
• Name registration or DNS replication issues

To troubleshoot DNS name resolution:

• Test network connectivity by pinging the DNS server by IP address
• Use IPconfig to examine the client configuration
• Use NSlookup to verify server availability
• Flush the DNS cache
• Use NSlookup to verify SRV records
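
The five checks above can be run in order as a script. This is an added example, not part of the course material; the DNS server address and domain name are placeholder assumptions, and the text matching assumes English-language tool output.

```powershell
# Placeholder values (assumptions): replace with your DNS server and AD DS domain.
$DnsServer = '192.0.2.10'        # assumed IP address of the DNS server under test
$Domain    = 'corp.example.com'  # assumed AD DS DNS domain name

function Invoke-NsLookup {
    param([string[]]$Arguments)
    # Nslookup reports failures in its text output, so capture stdout and stderr together.
    & nslookup @Arguments 2>&1 | Out-String
}

$report = [ordered]@{}

# 1. Ping the DNS server by IP address, so the test does not depend on name resolution.
$report['1 Ping DNS server by IP'] = Test-Connection -ComputerName $DnsServer -Count 2 -Quiet

# 2. Show which DNS servers the client is configured to use, for manual comparison.
$dnsLines = & ipconfig /all | Select-String -Pattern 'DNS Servers' -Context 0,2
$report['2 Client has DNS servers configured'] = [bool]$dnsLines
$dnsLines | ForEach-Object { $_.ToString() }

# 3. Query the DNS server directly for the domain name to confirm that it answers.
$answer = Invoke-NsLookup @($Domain, $DnsServer)
$report['3 DNS server answers'] = ($answer -notmatch "timed out|timed-out|can't find")

# 4. Flush the client resolver cache so stale entries do not mask the real state.
& ipconfig /flushdns | Out-Null
$report['4 DNS cache flushed'] = ($LASTEXITCODE -eq 0)

# 5. Verify the SRV records that clients use to locate domain controllers.
$srv = Invoke-NsLookup @('-type=SRV', "_ldap._tcp.dc._msdcs.$Domain", $DnsServer)
$report['5 DC locator SRV records found'] = ($srv -match 'svr hostname')

# Print one OK/FAILED line per step.
$report.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}
```

The first step that reports FAILED is the place to start: a failure at step 1 points to the network, at step 3 to the DNS server, and at step 5 to name registration or zone replication.
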
Troubleshooting DNS Name Registration

DNS name registration may fail due to:

• Client configuration errors


• DNS server availability
• DNS zone configuration

To troubleshoot DNS name registration:

• Verify that the client is configured to register in DNS


• Test DNS server availability
• Verify that the DNS zone is configured for dynamic updates
• Test DNS by using the DCDiag /Test:DNS command
• Register the SRV records by restarting the Netlogon service

Troubleshooting DNS Zone Replication

Investigate DNS zone replication issues when:

• DNS-related issues are specific to certain DNS server clients
• Zone information is not consistent on different DNS servers
• DNS server availability is not consistent
• There are DNS replication or name registration issues

Troubleshoot AD DS replication for AD DS integrated zones

To troubleshoot standard zone transfer issues:

• Verify network connectivity


• Verify primary server and secondary server configuration
• Verify Start of Authority record
• Verify zone transfer configuration
Lesson 3: Troubleshooting AD DS Replication
• AD DS Replication Requirements

• Common Replication Issues

• What Is the Repadmin Tool?

• What Is the DCDiag Tool?

• Identifying the Cause of Replication Errors

• Discussion: Troubleshooting Inter-Site AD DS Replication Issues

• Troubleshooting Distributed File Replication Issues
AD DS Replication Requirements

AD DS replication requires:
• Routable IP infrastructure
• DNS name resolution
• RPC or Simple Mail Transfer Protocol (SMTP) connectivity between domain controllers
• Kerberos v5 authentication
• Lightweight Directory Access Protocol (LDAP) connectivity to install new domain controllers
• File Replication Service or Distributed File System Replication

Common Replication Issues

Symptom: Replication does not finish or occur
Possible causes:
• Sites not connected by site links
• No bridgehead server in the site group

Symptom: Replication is slow
Possible causes:
• Inefficient site topology and schedule

Symptom: Client computers receive a slow response
Possible causes:
• No domain controller online in client site
• Not enough domain controllers

Symptom: Replication greatly increases network traffic
Possible causes:
• Insufficient bandwidth
• Incorrect site topology

What Is the Repadmin Tool?

Use the Repadmin command-line tool to:

• View and manually create the replication topology


• Force replication events between domain controllers
• View the replication metadata

Syntax:
repadmin command arguments [/u:[domain\]user /pw:{password|*}]

What Is the DCDiag Tool?

Use the Dcdiag command-line tool to:

• Analyze the state of a domain controller, and report any problems
• Perform a series of tests to verify different system areas

Syntax:
dcdiag command arguments [/v /f:LogFile /ferr:ErrLog]

Identifying the Cause of Replication Errors

Possible cause: Sites are not connected by site links
Testing method:
• Dcdiag /test:Topology

Possible cause: No bridgehead server in the site
Testing method:
• Repadmin /bridgeheads

Possible cause: Inefficient site topology and schedule
Testing method:
• Repadmin /latency

Possible cause: No domain controller online in the site
Testing method:
• Dcdiag /test:Replications
• Dcdiag /test:Connectivity

Possible cause: Not enough domain controllers
Testing method:
• System monitor NTDS counters
• AD DS Sites and Services

Possible cause: Incorrect site topology
Testing method:
• Repadmin /latency
• Dcdiag /test:Intersite

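
The Dcdiag tests from the table can be run as a batch and summarized by possible cause. This is an added example, not part of the course material; it targets the lab domain controller NYC-DC1, saves output to an assumed folder under the user's temp directory, and assumes English-language Dcdiag output.

```powershell
$Server = 'NYC-DC1'                            # lab domain controller named on the page
$LogDir = Join-Path $env:TEMP 'dcdiag-output'  # assumed location for saved output
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Possible cause -> Dcdiag tests, as listed in the table above.
$causeToTests = [ordered]@{
    'Sites are not connected by site links'   = @('Topology')
    'No domain controller online in the site' = @('Replications', 'Connectivity')
    'Incorrect site topology'                 = @('Intersite')
}

$summary = foreach ($cause in $causeToTests.Keys) {
    foreach ($test in $causeToTests[$cause]) {
        $output = & dcdiag "/s:$Server" "/test:$test" /v 2>&1 | Out-String
        Set-Content -Path (Join-Path $LogDir "$test.txt") -Value $output

        # Dcdiag prints "<server> passed test <name>" or "<server> failed test <name>".
        # Connectivity always runs first, so match only the line for the requested test.
        $result = if ($output -match "failed test $test\b") { 'FAILED' }
                  elseif ($output -match "passed test $test\b") { 'passed' }
                  else { 'no result (see saved output)' }

        [pscustomobject]@{ PossibleCause = $cause; Test = $test; Result = $result }
    }
}
$summary | Format-Table -AutoSize

# The Repadmin checks from the table produce reports that are read manually.
& repadmin /bridgeheads
& repadmin /latency
```
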
Discussion: Troubleshooting Inter-Site AD DS Replication Issues
• What steps would you take to troubleshoot an AD DS replication issue?
• How would you verify that your solution worked?

Troubleshooting Distributed File Replication Issues

• Windows Server 2008 uses FRS or DFSR to replicate the SYSVOL directory between domain controllers

• Both FRS and DFSR require LDAP and RPC connectivity between domain controllers

• Use Ntfrsutl and FRSDiag to troubleshoot FRS replication

• Use DFSRAdmin to troubleshoot DFSR replication


Lab: Troubleshooting AD DS, DNS, and Replication Issues
• Exercise 1: Troubleshooting Authentication and Authorization Errors
• Exercise 2: Troubleshooting the Integration of DNS and AD DS
• Exercise 3: Troubleshooting AD DS Replication

Logon information
Virtual machine: NYC-DC1, NYC-CL1
User name: Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes


Lab Review
• If the Los Angeles office was configured as a separate site, what additional steps would you need to take to troubleshoot Trouble Ticket #5?
• What AD DS troubleshooting issues do you think you will need to deal with most often in your organization?

Module Review and Takeaways
• Considerations

• Tools

• Review questions