Tools to Troubleshoot DC issues
DCDIAG analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
- Preparing to install or migrate to a new Exchange version.
- Checking FSMO roles.
- Troubleshooting Group Policy.
- Investigating Active Directory not replicating frssysvol error.
- Running down Kerberos authentication problems.
- Resetting the Directory Service Administrator’s password.
- Fixing a server's Service Principal Name (SPN) error.
- Other DC issues.
Example: dcdiag.exe /V /D /C /E > c:\dcdiag.log
DCDIAG tool article http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx
Repadmin.exe is a Microsoft Windows 2000 Resource Kit tool that is available in the Support Tools folder on the Windows 2000 CD-ROM. It is a command-line interface to Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication, and is useful for troubleshooting Active Directory replication problems.
Example: repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
RepAdmin tool article http://technet.microsoft.com/en-us/library/cc770963(v=ws.10).aspx
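The /showrepl run above writes a long text report that has to be read by eye. As an added example (not from the original article), the script below uses repadmin's /csv switch so the same report can be turned into objects and filtered down to the replication links that have actually recorded failures. It assumes repadmin.exe is available on the machine (it ships with the AD DS tools) and that the account can query every DC named by the filter.

```powershell
# Added example: parse "repadmin /showrepl <dc> /csv" output and list every inbound
# replication link with recorded failures. Not part of the original article.
# Assumes repadmin.exe is installed and the caller can query each DC.

function Get-ReplicationFailure {
    param(
        # Same DC filter repadmin accepts: '*' for every DC, or a prefix such as 'dc*'.
        [string]$DcFilter = '*'
    )

    # /csv makes repadmin emit a header row plus one row per naming-context/partner pair,
    # so ConvertFrom-Csv can build objects from it instead of free text.
    $rows = repadmin /showrepl $DcFilter /csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        # Every CSV field is a string; cast before comparing.
        if ([int]$row.'Number of Failures' -gt 0) {
            [pscustomobject]@{
                Destination     = $row.'Destination DSA'
                Source          = $row.'Source DSA'
                NamingContext   = $row.'Naming Context'
                Failures        = [int]$row.'Number of Failures'
                LastFailureTime = $row.'Last Failure Time'
                LastSuccessTime = $row.'Last Success Time'
                # Win32 status of the last failed attempt, e.g. 1722 (RPC server unavailable)
                # or 8453 (replication access was denied).
                LastStatus      = $row.'Last Failure Status'
            }
        }
    }
}

# Usage: failures across all DCs, worst links first.
Get-ReplicationFailure -DcFilter '*' |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

A link whose Last Success Time is older than the tombstone lifetime is the one to chase first; the status code tells you whether the problem is connectivity (RPC/DNS) or authorisation before you open the verbose log.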
NetDiag is a command-line diagnostic tool that helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client. These tests, and the key network status information they expose, give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because the tool does not require parameters or switches, support personnel and network administrators can focus on analyzing the output rather than on training users how to run it.
- Installing Exchange, when you wish to check that you can connect to other servers.
- Checking VPN network tunnels on the WAN.
- DNS problems. Computers cannot ‘see’ their domain controller on the LAN.
- A quick check on hotfixes.
- Check the Network Card Bindings from the command prompt.
- You are having problems with IPSEC.
- Winsock corruption or version incompatibilities.
- NetDiag checks that Domain Controllers are all able to ‘speak’ LDAP.
Example: netdiag.exe /v > c:\netdiag.log
Note: This command needs to be run on each DC of the domain.
NetDiag tool article http://technet.microsoft.com/en-us/library/cc731434(v=ws.10).aspx
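Both the dcdiag and the netdiag commands shown above redirect verbose output to a log file that can run to hundreds of lines. As an added example (not from the original article), the two functions below pull only the failure lines out of those logs: dcdiag's per-test summary lines ("... DC01 failed test Advertising") and the [FATAL]/[WARNING] tags netdiag prints. The log paths default to the ones used in the example commands; the tools must already have been run to produce them.

```powershell
# Added example: triage the dcdiag and netdiag logs produced by the commands above.
# Not part of the original article. Assumes the logs exist at the paths given
# (C:\dcdiag.log and C:\netdiag.log, as in the examples).

function Get-DcdiagFailure {
    param([string]$LogPath = 'C:\dcdiag.log')
    # dcdiag prints one summary line per test and server, for example
    #   "......................... DC01 failed test Advertising"
    # Capture the server name and the test name from those lines only.
    Get-Content -Path $LogPath | ForEach-Object {
        if ($_ -match '(\S+)\s+failed test\s+(\S+)') {
            [pscustomobject]@{ Server = $Matches[1]; Test = $Matches[2] }
        }
    }
}

function Get-NetdiagFailure {
    param([string]$LogPath = 'C:\netdiag.log')
    # netdiag marks problems with a leading [FATAL] or [WARNING] tag; keep those
    # lines together with their severity so fatal items sort to the top.
    Get-Content -Path $LogPath | ForEach-Object {
        if ($_ -match '^\s*\[(FATAL|WARNING)\]\s*(.*)$') {
            [pscustomobject]@{ Severity = $Matches[1]; Message = $Matches[2].Trim() }
        }
    }
}

# Usage: failed dcdiag tests grouped by server, then netdiag problems, fatal first.
Get-DcdiagFailure  | Sort-Object Server, Test | Format-Table -AutoSize
Get-NetdiagFailure | Sort-Object Severity     | Format-Table -AutoSize
```

Because netdiag has to be run on every DC, collect one log per DC (for example into C:\netdiag-<dcname>.log) and pass each path to Get-NetdiagFailure; a [FATAL] DNS or LDAP line on a single DC usually explains the dcdiag replication or advertising failures seen elsewhere.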
When you delete an object from AD, it is tombstoned, i.e. not deleted but kept as a tombstone for a period of time (180 days by default in Windows Server 2008) in case you want to restore it. Once the 180 days have elapsed, the object is considered to be of no further use and can be cleaned from the database to free up space. This cleanup is done by garbage collection. Garbage collection in Active Directory Domain Services (AD DS) is the process of removing deleted objects (tombstones) from the directory database. This process results in free disk space in the directory database.
By default, this free space is not reported in Event Viewer. To see the amount of free disk space that can be made available to the file system by offline defragmentation, you can change the garbage collection logging level so that the disk space is reported in the Directory Service event log. After you change the logging level, check the Directory Service event log for Event ID 1646, which reports the amount of disk space that you can recover by performing offline defragmentation.
The garbage collection logging level is an NTDS diagnostics setting in the registry. You can use this procedure to change the garbage collection logging level to 1 so that you can view Event ID 1646 in Event Viewer.
How to change the garbage collection logging level
- Click Start, click Run, type regedit, and then press ENTER.
- In Registry Editor, navigate to the Garbage Collection entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
- Double-click Garbage Collection. In the Value data box, type 1, and then click OK.
- Now you must wait for the online defrag to occur on the NTDS.dit database. Then Event 1646 shows up in the Directory Service log.
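The same change can be made and checked from PowerShell, which is easier to repeat across several DCs than the regedit steps above. The script below is an added example, not part of the original article. Under the NTDS\Diagnostics key the value is actually named "6 Garbage Collection" (the leading number is part of the value name); the script must be run elevated on the DC itself.

```powershell
# Added example: raise the NTDS garbage-collection logging level and read back Event ID 1646.
# Not part of the original article. Run elevated on the DC whose database you are checking.

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '6 Garbage Collection'   # the number is part of the value name

function Set-GarbageCollectionLogging {
    # NTDS diagnostic levels run from 0 (minimal) to 5 (verbose); 1 is enough for Event 1646.
    param([ValidateRange(0, 5)][int]$Level = 1)
    $before = (Get-ItemProperty -Path $diagKey -Name $valueName).$valueName
    Set-ItemProperty -Path $diagKey -Name $valueName -Value $Level -Type DWord
    "Changed '$valueName' from $before to $Level"
}

function Get-RecoverableSpaceEvent {
    param([int]$Newest = 5)
    # Event 1646 is written by the next garbage-collection pass (every 12 hours by default),
    # so an empty result right after raising the level means the pass has not run yet.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage
Set-GarbageCollectionLogging -Level 1
Get-RecoverableSpaceEvent
```

Once you have the figure from Event 1646 and have decided whether an offline defrag is worth the downtime, set the level back to 0 with Set-GarbageCollectionLogging -Level 0 so the Directory Service log is not filled with garbage-collection entries on every pass.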
Active Directory Partitions
The AD database is stored in one file, ntds.dit. However, the AD database is divided into partitions for better replication and administration.
Different categories of data are stored in replicas of different directory partitions, as follows:
1. Domain data: It is stored in domain directory partitions.
Domain Directory Partition: Every domain controller stores one writable domain directory partition. It replicates data with DCs in the same domain. Active Directory Users and Computers obtains its data from this partition. All domain controllers in that domain replicate changes to each other regardless of whether the domain controller is a global catalog server.
Global Catalog Directory Partition: A domain controller that is a global catalog server stores one writable domain directory partition and a partial, read-only replica of every other domain in the forest. Global catalog read-only replicas contain a partial set of attributes for every object in the domain. It replicates GC data with all GCs in the forest. The Global Catalog partition is created automatically by software on the domain controller. This software copies some of the attributes of each object into the Global Catalog partition. This information is replicated to other domain controllers inside and outside the domain. This is how, given enough time, all global catalog servers end up with a partial replica of all objects in the domain.
Note: Partial Attribute Set data needs to be added in the schema edit window (don't use ADSIedit; use the Active Directory Schema snap-in in MMC after running regsvr32 schmmgmt.dll from Run).
2. Configuration data: Every domain controller stores one writable Configuration Directory Partition that stores forest-wide data controlling site and replication operations. It replicates with all DCs in the forest. This partition contains configuration information for the whole forest. For example, it contains information about sites in the forest and the partitions defined in the Active Directory database.
3. Schema data: Every domain controller stores one writable Schema Partition that stores schema definitions for the forest. The schema partitions define what can be stored in the Active Directory database. It essentially defines the layout of the database.
Although the schema directory partition is writable, schema updates are allowed on only the domain controller that holds the role of schema operations master.
4. Application data: Domain controllers that are running Windows Server 2003 or above can store data inside the AD database in application directory partitions. Application directory partition replicas can be replicated to any set of domain controllers in a forest, irrespective of domain. An application partition is created by an application to store its data. It differs from every other partition in that the application can choose which domain controller or controllers store the data. The advantage for the application of storing data this way is that it gets the same replication and fault tolerance used by the domain controllers. An example of such an application is Active Directory integrated DNS zones. When this zone type is used, the data is stored in an application partition. It replicates with whichever DCs the application specified when it created the separate partition. E.g. AD integrated DNS will have an application directory partition in AD. Similarly, Exchange 2010
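The four partition types above are all described by crossRef objects under CN=Partitions in the configuration partition, and only application partitions carry an explicit replica list. As an added example (not from the original article), the script below enumerates those crossRef objects and classifies each one as schema, configuration, domain or application, then lists the forest's global catalog servers. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account can read the configuration partition.

```powershell
# Added example: enumerate and classify the partitions (naming contexts) of the forest.
# Not part of the original article. Requires the ActiveDirectory module.

Import-Module ActiveDirectory

function Get-ForestPartition {
    $rootDse = Get-ADRootDSE
    $partitionsContainer = "CN=Partitions,$($rootDse.configurationNamingContext)"

    Get-ADObject -SearchBase $partitionsContainer -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=crossRef)' `
                 -Properties nCName, systemFlags, 'msDS-NC-Replica-Locations', dnsRoot |
    ForEach-Object {
        $cr = $_
        # Schema and configuration are identified by name from RootDSE; domain partitions
        # carry FLAG_CR_NTDS_DOMAIN (0x2); application partitions carry FLAG_CR_NTDS_NC (0x1)
        # without the domain flag; anything else is a referral to a foreign namespace.
        if     ($cr.nCName -eq $rootDse.schemaNamingContext)        { $type = 'Schema' }
        elseif ($cr.nCName -eq $rootDse.configurationNamingContext) { $type = 'Configuration' }
        elseif ($cr.systemFlags -band 2)                            { $type = 'Domain' }
        elseif ($cr.systemFlags -band 1)                            { $type = 'Application' }
        else                                                        { $type = 'External reference' }

        [pscustomobject]@{
            Type      = $type
            Partition = $cr.nCName
            DnsRoot   = $cr.dnsRoot
            # Only application partitions list their replicas (as NTDS Settings DNs);
            # schema/configuration live on every DC, a domain partition on every DC of that domain.
            Replicas  = ($cr.'msDS-NC-Replica-Locations' -join '; ')
        }
    }
}

# Usage: all partitions grouped by type, then the DCs that hold the partial read-only
# replicas of every domain (the global catalogs).
Get-ForestPartition | Sort-Object Type, Partition | Format-Table -AutoSize
(Get-ADForest).GlobalCatalogs
```

Comparing the Replicas column of the DNS application partitions (DomainDnsZones/ForestDnsZones) with the DC list is a quick way to confirm that every DC that should be serving AD-integrated DNS actually hosts the partition, before reaching for dcdiag /test:dns.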