Tools to Troubleshoot DC issues
DCDIAG analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
- Preparing to install or migrate to a new version of Exchange.
- Checking FSMO roles.
- Troubleshooting Group Policy.
- Investigating an Active Directory "not replicating" FrsSysVol error (the FrsSysVol test checks SYSVOL replication).
- Running down Kerberos authentication problems.
- Resetting the Directory Service Administrator's password.
- Fixing a server's Service Principal Name (SPN) errors.
- Other DC issues.
Example: dcdiag.exe /V /D /C /E > c:\dcdiag.log
DCDIAG tool article http://technet.microsoft.com/en-us/library/cc731968(v=ws.10).aspx
Repadmin.exe originally shipped with the Windows 2000 Support Tools (the Support Tools folder on the Windows 2000 CD-ROM) and is built into Windows Server 2008 and later once the AD DS role is installed. It is a command-line interface to Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication and is the first stop for troubleshooting Active Directory replication problems.
Example: repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
RepAdmin tool article http://technet.microsoft.com/en-us/library/cc770963(v=ws.10).aspx
NetDiag.exe is a command-line diagnostic tool that helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client. These tests and the key network status information they expose give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because the tool does not require parameters or switches to be specified, support personnel and network administrators can focus on analyzing the output rather than on training users how to use the tool. NetDiag ships with the Windows 2000 and Windows Server 2003 Support Tools; it is not included in Windows Server 2008 or later, where dcdiag and nltest cover most of the same ground. Typical uses:
- Installing Exchange and checking that you can connect to other servers.
- Checking VPN tunnels across the WAN.
- DNS problems: computers cannot 'see' their domain controller on the LAN.
- A quick check of installed hotfixes.
- Checking the network card bindings from the command prompt.
- Problems with IPsec.
- Winsock corruption or version incompatibilities.
- Checking that all domain controllers are able to 'speak' LDAP.
Example: netdiag.exe /v > c:\netdiag.log
Note: This command needs to be run on each DC in the domain, because NetDiag tests the network stack of the machine it runs on.
NetDiag tool article http://technet.microsoft.com/en-us/library/cc731434(v=ws.10).aspx
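Putting the dcdiag and repadmin commands above to work, here is an added example (written for this page, not taken from it or from Microsoft): it runs dcdiag against every domain controller in the enterprise, saves the log, pulls out only the "failed test" lines, and then asks repadmin for the replication status of every link in CSV form so failing partners can be filtered rather than read by eye. It assumes the ActiveDirectory RSAT module is installed, that you run it as a domain administrator, and that C:\DCHealth is an acceptable output folder (an assumption; change it to taste).

```powershell
# Added example: collect dcdiag and repadmin results and summarize the failures.
# Assumes RSAT (ActiveDirectory module), a domain-admin session and C:\DCHealth (assumed path).
Import-Module ActiveDirectory

$logDir = 'C:\DCHealth'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. dcdiag: /e tests every DC in the enterprise, /c runs the comprehensive test set,
#    /v is verbose and /f: writes the log to a file. One run covers the whole forest.
$dcdiagLog = Join-Path $logDir "dcdiag-$stamp.log"
dcdiag.exe /v /c /e "/f:$dcdiagLog"

# Each result line looks like "......................... DC01 failed test Replications".
$results = Select-String -Path $dcdiagLog -Pattern '^\s*\.+\s+(\S+)\s+(passed|failed) test (\S+)' |
    ForEach-Object {
        [pscustomobject]@{
            Target = $_.Matches[0].Groups[1].Value
            Result = $_.Matches[0].Groups[2].Value
            Test   = $_.Matches[0].Groups[3].Value
        }
    }
"dcdiag: $(@($results).Count) test results, $(@($results | Where-Object Result -eq 'failed').Count) failed"
$results | Where-Object Result -eq 'failed' | Format-Table -AutoSize

# 2. repadmin: /showrepl * /csv lists every inbound replication link for every DC,
#    one row per (destination, source, naming context), with failure counters.
$repl = repadmin.exe /showrepl * /csv | ConvertFrom-Csv
$broken = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
"repadmin: $(@($repl).Count) links, $(@($broken).Count) with failures"
$broken |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

# 3. Keep the forest-wide summary next to the detailed log for later comparison.
repadmin.exe /replsummary | Out-File (Join-Path $logDir "replsummary-$stamp.log")
```

The dcdiag summary only recognises the English "passed test"/"failed test" wording; on a localised server adjust the pattern. The "Last Failure Status" column is a Win32 error code (for example 1722 is RPC server unavailable, 8453 is replication access denied), which tells you whether to look at connectivity or at permissions first.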
Active Directory Features
So why the hell do we need Active Directory? Can't we just live a happy life without AD concepts and avoid the stress of reading all these blogs, books, videos, certifications and so on? To be honest, AD is a really interesting topic: it has changed administration style a great deal, improved security and centralised authentication. It lets you take control over an entire forest or domain with a single click. You can immediately force a new security policy forest-wide, change the functional level of your infrastructure, join and remove domains, and much more.
As you work with Active Directory, you should understand the following concepts:
The Global Catalog (GC) is a database that holds a full replica of every object in its own domain plus a partial, read-only replica (the most commonly searched attributes) of every object in every other domain of the forest. A domain controller that holds a copy of the Global Catalog is a global catalog server; it answers forest-wide LDAP queries on TCP port 3268 (3269 for LDAP over SSL). The Global Catalog speeds up searches because a client does not have to be referred to a domain controller in each domain, and it is also consulted at logon to expand universal group membership.
Operations master roles, also referred to as Flexible Single-Master Operation (FSMO) roles, are specialized domain controller tasks assigned to one domain controller in the domain or forest. They exist because certain domain-wide and enterprise-wide operations (changing the schema or handing out unique RID pools, for example) are not well suited to the multi-master replication Active Directory uses to replicate objects and attributes. A domain controller that performs an operations master role is known as an operations master or operations master role owner.
The following roles are forest roles, meaning that one domain controller within the entire forest holds the role:
The schema master maintains the Active Directory schema for the forest.
The domain naming master adds new domains to and removes existing domains from the forest.
The following roles are domain roles, meaning that one domain controller in each domain holds the role:
The RID master allocates pools or blocks of numbers (called relative IDs or RIDs) that each domain controller uses when creating new security principals (such as user, group, or computer accounts); the RID plus the domain SID forms the SID of the new object.
The PDC emulator acts like a Windows NT 4.0 Primary Domain Controller (PDC) for down-level clients and, in addition, is the authoritative time source for the domain, receives urgent replication of password changes, processes account lockouts, and is the default domain controller that the Group Policy editor writes to.
The Infrastructure master keeps cross-domain object references up to date (for example, a group whose members live in another domain) when those referenced objects are renamed or moved. It should not be a global catalog server unless every domain controller in the domain is one, because a GC already holds the referenced objects and never notices stale references.
As you install or remove domain controllers, you will need to be aware of which domain controllers hold these roles.
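To make the Global Catalog and FSMO descriptions above concrete, here is an added example (not from the original page or from Microsoft) that lists the forest and domain role holders, lists the global catalog servers and confirms one answers on TCP 3268, and then applies the placement rule for the infrastructure master (it may be a GC only if every DC in the domain is a GC). It assumes the ActiveDirectory RSAT module, a domain-joined session with read access to the directory, and that netdom.exe is present (it is on any domain controller or RSAT install).

```powershell
# Added example: where do the FSMO roles and global catalogs live, and is the
# infrastructure master placed correctly? Assumes RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest roles have one holder per forest; domain roles have one holder per domain.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Global catalog servers answer forest-wide LDAP queries on TCP 3268 (3269 for LDAPS).
$gcs = @($forest.GlobalCatalogs)
"Global catalogs ($($gcs.Count)): $($gcs -join ', ')"
$probe = Test-NetConnection -ComputerName $gcs[0] -Port 3268 -WarningAction SilentlyContinue
"GC port 3268 on $($gcs[0]) reachable: $($probe.TcpTestSucceeded)"

# Placement rule: the infrastructure master must not be a GC unless every DC in the
# domain is a GC, otherwise stale cross-domain references are never corrected.
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$nonGC = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster
if ($im.IsGlobalCatalog -and $nonGC.Count -gt 0) {
    Write-Warning ("Infrastructure master {0} is a GC while {1} DC(s) are not ({2}); " +
                   "move the role (Move-ADDirectoryServerOperationMasterRole) or make every DC a GC." -f
                   $im.HostName, $nonGC.Count, ($nonGC.HostName -join ', '))
} else {
    "Infrastructure master placement OK ($($im.HostName))."
}

# Cross-check with the classic tool, which asks the directory the same question.
netdom.exe query fsmo
```

Run this before demoting a domain controller: if its name appears in the first table, transfer the roles first (Move-ADDirectoryServerOperationMasterRole), and if it is the only global catalog in a site, promote another one so logons in that site keep working.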
The Windows Time service (W32Time, administered with the w32tm.exe command-line tool) provides network date and time synchronization for computers in an Active Directory domain. Domain members synchronize with a domain controller, domain controllers with the PDC emulator of their domain, and the forest-root PDC emulator with an external source. The Windows Time service:
Is an essential component of Kerberos authentication (tickets are rejected when clocks differ by more than the configured tolerance, 5 minutes by default), file timestamps, and data replication.
Is installed by default in the %Systemroot%\System32 folder during operating system setup and installation.
Uses the Network Time Protocol (NTP) to synchronize computer clocks on the network so that an accurate clock value, or time stamp, can be assigned to network validation and resource access requests.
Integrates NTP and time providers, making it reliable and scalable in an enterprise environment.
Is backwards compatible with Simple Network Time Protocol (SNTP), which is an older protocol used in some versions of Windows.
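The following added example (written for this page; not Microsoft's code) turns the time-service description above into a check. It asks w32tm.exe where this machine gets its time, samples the offset between this computer and the PDC emulator (the domain's authoritative source), compares the worst sample against the 5-minute Kerberos default tolerance, and surveys every domain controller's offset in one call. It assumes the ActiveDirectory RSAT module and UDP 123 reachability to the PDC emulator; the 300-second threshold is the Kerberos policy default and is an assumption if your domain policy changed it.

```powershell
# Added example: time-sync health against the PDC emulator. Assumes RSAT and NTP reachability.
Import-Module ActiveDirectory

$pdc            = (Get-ADDomain).PDCEmulator
$maxSkewSeconds = 300   # Kerberos policy default "Maximum tolerance for computer clock synchronization"

# Where does this computer get its time, and what is its current state?
w32tm.exe /query /source
w32tm.exe /query /status

# Sample the offset to the PDC emulator. With /dataonly each sample line ends with the
# offset, e.g. "12:00:01, +00.0012345s"; error lines ("..., error: 0x800705B4") are skipped.
$samples = w32tm.exe /stripchart /computer:$pdc /samples:5 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if (-not $offsets) { throw "No time samples from $pdc; is UDP 123 reachable and W32Time running there?" }

$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
if ($worst -gt $maxSkewSeconds) {
    Write-Warning ("This computer is {0:N3}s off from {1}; Kerberos rejects tickets beyond {2}s." -f
                   $worst, $pdc, $maxSkewSeconds)
} else {
    "Worst offset from {0}: {1:N3}s (within the {2}s Kerberos tolerance)" -f $pdc, $worst, $maxSkewSeconds
}

# Survey every DC in the domain: /monitor prints each DC's offset relative to the PDC emulator.
w32tm.exe /monitor /domain:$env:USERDNSDOMAIN

# On the forest-root PDC emulator only, point it at external NTP servers and mark it reliable:
#   w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
#   w32tm.exe /resync
```

A machine that fails the offset check usually also logs Kerberos errors such as KRB_AP_ERR_SKEW; fixing the time source, not the Kerberos settings, is the correct repair.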
A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest. A functional level defines:
Which Active Directory Domain Services (AD DS) features are available to the domain or forest.
Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating systems you can run on workstations and servers that are joined to the domain or forest.
Windows Server 2008 or Windows Server 2008 R2 supports the following domain functional levels:
Windows 2000 Native
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2 (requires that every domain controller in the domain runs Windows Server 2008 R2)
Windows Server 2008 or Windows Server 2008 R2 supports the following forest functional levels:
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2 (requires that every domain controller in the forest runs Windows Server 2008 R2)
Note: You cannot have Windows NT domain controllers and Windows Server 2008 or Windows Server 2008 R2 domain controllers in the same forest. In general a functional level can only be raised once every domain controller in the domain (or forest) runs that Windows Server version or later, and raising a level cannot be undone.
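Because raising a functional level is one-way and requires every domain controller to be at or above the target version, the check belongs in a script. The following is an added example (not from the original page or from Microsoft): it reports the current forest and domain levels, lists every domain controller with its operating system, and refuses to suggest the Set-ADDomainMode command until no DC is older than the target. It assumes the ActiveDirectory RSAT module; the target level (Windows Server 2008 R2, NT version 6.1) is an assumption chosen to match the text above.

```powershell
# Added example: verify DC operating systems before raising a functional level.
# Assumes RSAT (ActiveDirectory module); the target level is an assumption.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"

# Every DC in the domain with its OS. Only DCs matter; member servers and
# workstations may run any supported OS regardless of functional level.
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
    Select-Object HostName, Site, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog
$dcs | Format-Table -AutoSize

# NT version that the target level needs: 2008 R2 = 6.1, 2008 = 6.0, 2003 = 5.2.
# The attribute looks like "6.1 (7601)", so keep only the major.minor part.
$targetDomainLevel = 'Windows2008R2Domain'
$targetForestLevel = 'Windows2008R2Forest'
$minVersion        = [version]'6.1'

$tooOld = @($dcs | Where-Object {
    [version]($_.OperatingSystemVersion -replace '^(\d+\.\d+).*$', '$1') -lt $minVersion
})

if ($tooOld.Count -gt 0) {
    Write-Warning "Cannot raise to $targetDomainLevel; these DCs are too old (demote or upgrade first):"
    $tooOld | Format-Table HostName, OperatingSystem -AutoSize
} else {
    "All $(@($dcs).Count) DCs run $minVersion or later. Raise the level (irreversible) with:"
    "  Set-ADDomainMode -Identity $($domain.DNSRoot) -DomainMode $targetDomainLevel"
    "  Set-ADForestMode -Identity $($forest.Name) -ForestMode $targetForestLevel   # after every domain is raised"
}
```

The forest level can only be raised after every domain in the forest is at the matching domain level, so when the forest has several domains, run the check against each one (pass -Identity to Get-ADDomain) before touching Set-ADForestMode.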
A policy is a set of configuration settings that must be applied to users or computers. Collections of policy settings are stored in a Group Policy object (GPO). A GPO is stored in two places that replicate separately: a container object in Active Directory and a folder of files in SYSVOL that includes registry settings (registry.pol), scripts, administrative templates, and software-specific configuration values.
Group Policy is an important component of Active Directory because through Group Policy you can centrally manage and enforce desktop and other settings for users and computers within your organization. For example, with Group Policy you can:
Enforce a common desktop for users
Remove desktop components, such as preventing access to the Control Panel
Restrict what actions users can perform, such as preventing users from shutting down the system
Automatically install software
Dynamically set registry settings required by applications
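Two of the restrictions listed above (blocking the Control Panel and removing the shutdown commands) are ordinary registry policies, so this added example (written for this page, not Microsoft's code) builds a GPO that carries them, links it to an OU, and then reads back what the GPO actually contains. It assumes the GroupPolicy RSAT module and a domain-admin session; the GPO name and the OU distinguished name are assumptions to replace with your own.

```powershell
# Added example: a GPO that prohibits the Control Panel and removes the Shut Down commands.
# Assumes RSAT (GroupPolicy module); the GPO name and target OU are assumptions.
Import-Module GroupPolicy

$gpoName  = 'Locked-Down Desktop'
$targetOU = 'OU=Kiosks,DC=corp,DC=example,DC=com'
# Per-user Explorer policies land under HKCU; Set-GPRegistryValue puts an HKCU key
# into the GPO's User Configuration, so the setting follows the user, not the machine.
$explorerPolicies = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Idempotent: reuse the GPO if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Kiosk desktop restrictions' }

# "Prohibit access to Control Panel and PC settings"
Set-GPRegistryValue -Name $gpoName -Key $explorerPolicies -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
# "Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands"
Set-GPRegistryValue -Name $gpoName -Key $explorerPolicies -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null

# Link it to the OU, enforced so that a child OU cannot block the inheritance.
$existingLink = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Read back the settings the GPO carries, straight from its registry.pol.
Get-GPRegistryValue -Name $gpoName -Key $explorerPolicies |
    Select-Object ValueName, Type, Value | Format-Table -AutoSize

# Where the link ended up and in what order it applies.
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced
```

Clients pick the new settings up at the next refresh cycle or after gpupdate /force; on a test client, gpresult /r (or Get-GPResultantSetOfPolicy) shows whether the GPO was applied and, if not, whether a security filter or a WMI filter excluded it.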