
Begin

1: Define The Problem. Precisely state what the problem is and what it isn't

4: Devise A Plan To Test The Hypothesis

No Troubleshoot From The Wire Up. Physical, network, name resolution, OS, authentication/authorization, application

2: Gather Detailed Information. What doesn't work? What does work? What changed? Do others have this problem?

Have you exhausted the most likely (i.e. Occam's) causes? 5: Observe The Test Results

Yes 7: Choose Next Most Likely Hypothesis

6: Success? 3: Consider Probable Cause For The Failure Yes 8: Document Changes Hold post mortem, update production docs

No

Occam's Razor: The simplest answer is usually the correct one.

End

Author: 2011 Sean Deuby URL: http://tinyurl.com/adtroubleshooting

Active Directory Troubleshooting


Version 1.1

8-Step Network Application Troubleshooting

A Cable plugged into the network? N PICNIC Error

Are the errors related only to the local DC?

Y N Client communicating with the DC?

Wire

Is the cable good?

Replace Cable Trust troubleshooting

N Troubleshoot potential server OS Issues

Trust Errors?

Router / switch working?

Escalate to Network Engineering Y N

N Did that solve the problem?

Replication Issues Network Issues

N AD Service Troubleshooting Client-DC Troubleshooting

Network

Ping test to destination?

Y Y Client DC Name Resolution Issues

Did that solve the problem?

Name Resolution

Is this a Client?

End A


Troubleshooting From The Wire Up

Client experiencing error?

DC experiencing Error

Error Joining Domain?

DC won't boot normally?

N Error Finding / Contacting DC?

Boots, but local NTDS error?

Error Authentication (e.g. password) Related? N

AD changes not showing up everywhere?

DS Replication?

Slow Logon? What else? N SYSVOL Replication

Group Policy Not applied? FRS? N

Error Authorization Related? DFS-R


Network Issues
Windows XP? Y

Ping a computer on this computer's subnet?

NETSH DIAG GUI Vista + / WS08+ ?

Success?

N Run IPCONFIG /ALL

Run Diagnose & Repair

Ping a computer on another subnet?

Check subnet mask and default gateway DHCP client & 169.254.x.x IP address? N Y

Success?

Y N Confirm Host IP, Subnet / DG, DNS config Not receiving IP address from DHCP

Y Tracert / NetMon / Wireshark

N Windows 2003? Y Run NETDIAG Success? End


Network Troubleshooting

Client DC Name Resolution Issues


Y

Are all name servers listed available?

Correct DC errors or DNS configuration

Y Does the client's DNS server respond to pings? DNS Server Problem (already passed network tests) Check SRV records for the domain (nslookup -q=srv _ldap._tcp.dc._msdcs.<FQDN>)

Y Success? (List of DC SRV records)

Is the primary DNS server correct?

Configure correct DNS server

N N Y

Can the client resolve their domain? NSLOOKUP <FQDN.>

DNS Server Configuration Problem

Can client get a DC? (NLTEST /DSGETDC:<domain>)

Reset secure channel (NLTEST /SC_RESET:<domain>)

Return


Client-DC Name Resolution


(Assumes network testing passed)

AD Service Troubleshooting

NTDS or ActiveDirectory_DomainService (W2K8) event?

Kerberos Errors?

Netlogon event?

SceCli Event?

Sysvol?

N Y Kerberos Troubleshooting Y Y Group Policy Troubleshooting

Event Viewer Error or Warning

Many potential causes On Your Own!

FRS Event? Check EventID.Net / Search NTDS KCC? Site-related errors?

On Your Own!

Y Dcdiag /test:topology & correct errors Troubleshoot FRS http://bit.ly/XD3jK

NTDS Replication?

N N Y AD Database Troubleshooting Replication Issues Did that fix the problem? N On Your Own!

NTDS Database / ISAM?

NTDS General?

Y Global Catalog Troubleshooting

N On Your Own! N

Global Catalog?

Y End


AD Service Troubleshooting

Client-DC Troubleshooting

Access denied to DC?

Slow logon?

GPO settings not seen?

Y Authentication Problems Gpresult /r Or Rsop.msc

Is client in the expected site? NLTEST /DSGETSITE

Any trust messages in system log?

Y Confirm site subnet mapping against network charts

Group Policy Troubleshooting N

Is DC in the right site?

Kerberos Issues

Does client have a session w/ DC? NLTEST /SC_QUERY:<domain>

Y N Fix it!

On Your Own!

Attempt reset: NLTEST /SC_RESET:<domain> Y

Perform client network monitor trace

Reset computer account

Success?

Success?

End

Rejoin to domain


Client-DC Name Resolution


(Assumes client can communicate with a DC)

Replication Issues
Y Fail any primary tests?

Y Verify site topology (all sites connected by site links, site bridging disabled or accounted for, etc.) Trigger replication with failed partner (repadmin /replicate for single partner, or repadmin /syncall for all partners)

(Assumes physical, network, local-only errors have been checked)

Run verbose failed test (DCDIAG /TEST:<test> /V) & correct problem(s)

N (SystemLog test errors will mirror earlier check)

Elapsed time < (Site link interval)? N

Did that fix the problem?

Quick OS Check (e.g. System Log)

Did that fix the problem?

Check this (target) DC's DNS configuration (dcdiag /test:dns /v) & correct errors

N Access Denied Errors? N

Y Kerberos Issues Y

Serious errors?

N Directory svc log errors

Server OS Issues

Did that fix the problem? Y N Check the source DC's OS and DS

Any other DCs not getting updates from the source DC?

Run DCDIAG

Is the source DC in a different site?

Did that fix the problem?

N Y

Y DCDIAG test descriptions at http://bit.ly/4ueDz9 Y End

N Check source DC's DNS configuration (dcdiag /test:dns /v) & correct errors

Advanced replication troubleshooting (e.g. lingering objects)


AD Replication Troubleshooting

AD Database Troubleshooting

Success? Y Windows 2008? Y Net Stop NTDS Perform database recovery: NTDSUTIL, FILES, RECOVER Rebuild

N Reboot Into DSRM

N Check DB Integrity: NTDSUTIL, FILE, INTEGRITY N Success? Y

Reboot into normal mode

End

Success? Run semantic database analysis with fixup: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO FIXUP N Y

Y Run semantic database analysis: NTDSUTIL, SEMANTIC DATABASE ANALYSIS, VERBOSE ON, GO

Success?

Recoverable Errors?


AD Database Troubleshooting

Group Policy Troubleshooting


Has policy been applied? Is the GPO listed in the Denied List?

Customer reports GPO is not being applied to client

Y Y

Run GPMC, review Results report

Run RSOP.MSC on client, examine results Is the setting listed? N

Check: - Security Filtering - Disabled GPO - Inaccessible Data - Empty GPO - WMI Filter

Check: - Scope of Management - Replication - Group Policy Refresh - Network Connectivity

Check: - GPO Inheritance - Replication - Group Policy Refresh - Asynchronous Processing - Client Side Extensions - Loopback Processing

Check: - Replication - Group Policy Refresh - Operating System Support - Slow Link

End


Group Policy Troubleshooting


(http://bit.ly/9H6y2)

Kerberos Issues

Install kerbtray.exe or klist.exe

Clock skew errors?

UDP fragmentation Problem?

Group Membership Overloads?

PRINCIPAL_UNKNOWN Errors?

Logons failing in mixed NT4 & Unix env?

NTLM Fallback Issues?

Y Time Service Troubleshooting

Y Kerberos token size issue

Y Need an SPN set with setspn

Y Match passwords between NT & Unix See NTLM Fallback in Troubleshooting Kerberos Errors document

Have a session ticket?

Have a TGT?

Force Kerberos to use TCP instead of UDP

Y Y

SPN Issue?

Authorization (not authentication) issue

Examine system log to determine why you can't get a session ticket

Setspn.exe

End


Kerberos Troubleshooting
http://go.microsoft.com/fwlink/?LinkId=23043

Time Service Troubleshooting


Global Catalog Troubleshooting
