Overview of Active Directory Troubleshooting
The Active Directory directory service is a distributed system that comprises many different services and depends on all of them to function properly. The methodology presented in this chapter makes it easier to identify the computers and services involved in a problem and helps you isolate the problem to the core component.
In most cases, troubleshooting begins when you detect one of the following:
An event reported in an event log.
An alert generated by a monitoring system, such as Microsoft Operations Manager (MOM).
A symptom reported by a user or noticed by IT personnel.
This chapter includes troubleshooting procedures for the events, monitoring alerts, and symptoms that either have the highest frequency of occurrence or that can cause the greatest problem in your organization. Specific sections for each Active Directory service also include troubleshooting procedures for error messages generated by some tools that you might use in the troubleshooting process.
When responding to events in the event logs, first determine the source that is listed in the event log, such as the Net Logon service or the File Replication service (FRS). Table 2.1 shows the event source and IDs, and references the troubleshooting sections for events that occur most frequently or that cause problems with the highest severity. If Table 2.1 does not include the event ID that you are looking for, search for it in the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
Table 2.1 Active Directory Events Reference
Event Source | Event ID | Reference |
---|---|---|
FRS | 13508, 13509, 13512, 13522, 13567, 13568 | See "Troubleshooting FRS." |
Netlogon | 5774, 5775, 5781, 5783, 5805 | See "Troubleshooting Active Directory-Related DNS Problems." |
NTDS | 1083, 1265, 1388, 1645 | See "Troubleshooting Active Directory Replication Problems." |
UserEnv | 1085 | See "Troubleshooting Active Directory Replication Problems." |
W32Time | 13, 14, 52-56, 60-64 | See "Troubleshooting Windows Time Service Problems." |
As a best practice, use a comprehensive monitoring system for your environment. The alerts that monitoring systems generate vary. Table 2.2 shows some common alerts generated by Microsoft Operations Manager (MOM) with the Active Directory Management Pack (ADMP) installed and points you to the appropriate references for troubleshooting information.
If you are using a different monitoring system, look for the alert that most closely matches the alert generated by your system. If you do not find a monitoring alert in this table that you need information about, view the event logs and troubleshoot related error events that you find, or refer to further troubleshooting instructions in the section in this guide that most closely matches the problem reported.
Table 2.2 Active Directory Monitoring Alerts Reference
Monitoring Alert | Description | Reference |
---|---|---|
A domain controller has received a significant number of new replication partners. | This is normal when a computer is in the process of becoming a global catalog server or bridgehead server, or when new domains or domain controllers are added to the environment. Abnormal causes of this alert include replication or site link problems. | See "Troubleshooting Active Directory Replication Problems" for replication troubleshooting procedures. See "Managing Sites" for recommendations and procedures for establishing and verifying sites and site links. |
Active Directory Essential Services has detected | This is a high priority alert, because it indicates that the domain controller is unusable for the reason specified in the error. | If the alert indicates that a service is not running, restart the service. If the alert indicates a SYSVOL problem, see "Troubleshooting FRS" or "Managing SYSVOL" for further troubleshooting procedures or recommendations. If the alert indicates that the domain controller is not advertising, see "Troubleshooting Active Directory-Related DNS Problems." |
Active Directory global catalog search failed. | This is a high priority alert, because if a global catalog server cannot be reached, users will not be able to log on, and Exchange's address book will not function. | Verify that this is a global catalog server. See "Verifying Server Health" to ensure the server is functioning properly. |
Active Directory - lost objects warning. | A large number of objects are in the LostAndFound container. | See "Troubleshooting Directory Data Problems." |
Active Directory replication is occurring slowly. | The monitoring system has determined that replication times are exceeding set thresholds. | If necessary, see "Managing Sites" for recommendations on setting replication schedules or site topology configuration. You can also change the threshold if you are satisfied with the current schedule. |
Failed to ping or bind to the <operations master> role holder. | The destination server might not be functioning, or there might not be network connectivity. | See "Verifying Server Health" and "Verifying Network Path." If necessary, see "Managing Operations Masters" to determine if it is appropriate to seize the role. If the outage is expected, see "Managing Operations Masters" to transfer the role before the outage to avoid this error. |
High CPU alert. | An application or service is consuming an inordinate amount of CPU. | See "Troubleshooting High CPU Usage on a Domain Controller." |
Replication is not occurring - all AD replication partners failed to synchronize. | Short term connectivity problems can be expected, but extended failures indicate a problem. Investigate any problem that persists for more than a few hours. | See "Troubleshooting Active Directory Replication Problems." |
Time skew detected. | The system time on the servers indicated in the alert is not synchronized. | See "Troubleshooting Windows Time Service Problems." |
If you are troubleshooting Active Directory based on symptoms reported by users or noticed by IT personnel, you need to perform some preliminary troubleshooting steps to isolate the cause of the problem. See "High-Level Methodology for Troubleshooting Active Directory Problems" in this guide for information about how to iterate the troubleshooting process until you have found the root cause and resolved the problem.
If you have already determined the most likely source or cause of the problem, you can refer to the appropriate section in this guide, such as "Troubleshooting High CPU Usage on a Domain Controller" or "Troubleshooting Active Directory Replication Problems." Each section contains additional troubleshooting steps that allow you to further isolate the problem.
Before you begin troubleshooting Active Directory, ensure that you establish problem tracking prerequisites, review information about your IT environment, and become familiar with Active Directory concepts and services.
Have the following mechanisms in place to ensure timely problem detection, handling, and resolution:
Service desk (or help desk)
Incident and problem management processes
Continuous monitoring software
For more information about implementing a service desk and incident and problem management processes within your organization, see the Microsoft Operations Framework (MOF) link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources. For more information about monitoring Active Directory, see "Monitoring Active Directory" in this guide.
Ensure that the personnel performing Active Directory troubleshooting can easily access the following types of documentation:
Active Directory configuration, including replication-related configuration documentation.
Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP configurations.
Application and service documentation (such as Exchange).
Administrative model.
Server placement and configurations.
Change management logs.
Ensure that the personnel performing the troubleshooting have at least a basic understanding of Active Directory concepts and services.
Active Directory Concepts
Active Directory concepts include the following areas:
Name resolution, including both DNS and NetBIOS name resolution with broadcasts, LMHOSTS files, and Windows Internet Name Service (WINS).
Replication (including Microsoft Windows 2000 Server native mode and Microsoft Windows NT 4.0 emulation).
Time synchronization.
Group Policy and File Replication service (FRS).
Core Active Directory, including an understanding of the global catalog, domains, and forests.
Authentication (both Kerberos authentication and LAN Manager).
Active Directory Microsoft Management Console (MMC) snap-ins and Active Directory-related tools (including operating system, Support, and Resource Kit tools).
Active Directory Services
To discover the root cause of problems with Active Directory, ensure that the personnel performing troubleshooting understand common Active Directory operations like replication and password change and how the following processes and role holders are involved in these operations:
Operations master roles (including PDC emulator, relative identifier (RID) master, domain naming master, schema master, and infrastructure master).
Key Distribution Center (KDC).
Knowledge Consistency Checker (KCC).
Intersite Topology Generator (ISTG).
Time Reference Server (TRS).
Because Active Directory interacts with external services and protocols, such as TCP/IP for the transport protocol, DNS for name resolution, and FRS for file replication of Group Policy objects and logon scripts, accurately determining the cause of a problem and applying a solution becomes more complex. Effective troubleshooting requires a thorough knowledge of these and other protocols, as well as the diagnostic tools associated with each protocol.
For more information about Active Directory®, networking protocols, and tools, see the Microsoft® Windows 2000 Server Resource Kit. You can obtain additional information by searching Microsoft.com and TechNet, or by taking advantage of MCSE training classes and books.
Table 2.3 lists the tools that you can use to troubleshoot Active Directory, where the tools are found, and a brief description of the purpose of the tool.
For information about installing the Windows 2000 Support Tools and the Windows 2000 Administrative Tools Pack, see Windows 2000 Server Help.
Table 2.3 Tools Used to Troubleshoot Active Directory
Tool | Location | Function |
---|---|---|
Active Directory Domains and Trusts snap-in | Windows 2000 Administrative Tools Pack | Administer domain trusts, add user principal name suffixes, and change the domain mode. |
Active Directory Sites and Services snap-in | Windows 2000 Administrative Tools Pack | Administer the replication of directory data. |
Active Directory Users and Computers snap-in | Windows 2000 Administrative Tools Pack | Administer and publish information in the directory. |
ADSI Edit, MMC snap-in | Windows 2000 Support Tools | View, modify, and set access control lists (ACLs) on objects in the directory. |
Backup Wizard | Windows 2000 operating system tool | Back up and restore data. |
Control Panel | Windows 2000 | View and modify computer, application, and network settings. |
Dcdiag.exe | Windows 2000 Support Tools and Windows 2000 Server Resource Kit | Analyze the state of domain controllers in a forest or enterprise; assist in troubleshooting by reporting any problems. |
DNS snap-in | Windows 2000 Administrative Tools Pack | Manage DNS. |
Dsastat.exe | Windows 2000 Support Tools | Compare directory information on domain controllers and detect differences. |
Event viewer | Windows 2000 Administrative Tools Pack | Monitor events recorded in event logs. |
Ipconfig.exe | Windows 2000 operating system tool | View and manage network configuration. |
Ldp.exe | Windows 2000 Support Tools | Perform Lightweight Directory Access Protocol (LDAP) operations against Active Directory. |
Linkd.exe | Windows 2000 Server Resource Kit | Create, delete, update, and view the links that are stored in junction points. |
MMC | Windows 2000 | Create, save, and open administrative tools (called MMC snap-ins) that manage hardware, software, and network components. |
Netdiag.exe | Windows 2000 Server Resource Kit and Windows 2000 Support Tools | Check end-to-end network connectivity and distributed services functions. |
Netdom.exe | Windows 2000 Support Tools | Allow batch management of trusts, joining computers to domains, and verifying trusts and secure channels. |
Net use, start, stop, del, copy, time | Windows 2000 operating system tool | Perform common tasks on network services, including stopping, starting, and connecting to network resources. |
Nltest.exe | Windows 2000 Support Tools | Verify that the locator and secure channel are functioning. |
Ntdsutil.exe | Windows 2000 operating system tool | Manage Active Directory, manage single master operations, remove metadata. |
Ntfrsutl.exe | Windows 2000 Server Resource Kit | View and manage FRS configuration. |
Performance Monitor | Windows 2000 operating system tool | View system performance data, performance logs and alerts, and trace log files. |
Pathping.exe | Windows 2000 operating system tool | Trace a route from a source to a destination on a network, show the number of hops, and show packet loss. |
Ping.exe | Windows 2000 operating system tool | Verify network connectivity. |
Regedit.exe | Windows 2000 operating system tool | View and modify registry settings. |
Repadmin.exe | Windows 2000 Support Tools | Verify replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and topology recalculation. |
Replmon.exe | Windows 2000 Support Tools | Display replication topology, monitor replication status, and force replication events and topology recalculation. |
Secedit.exe | Windows 2000 operating system tool | Manage Group Policy settings. |
Services snap-in | Windows 2000 Administrative Tools Pack | Start, stop, pause, or resume system services on remote and local computers, and configure startup and recovery options for each service. |
Setspn.exe | Windows 2000 Support Tools | Manage security principal names (SPNs). |
Task Manager | Windows 2000 | View processes and performance data. |
Terminal Services | Windows 2000 | Access and manage computers remotely. |
W32tm | Windows 2000 operating system tool | Manage Windows Time Service. |
Windows Explorer | Windows 2000 | Access files, Web pages, and network locations. |