These are notes from the AD Troubleshooting WorkshopPLUS session I attended. The notes are on troubleshooting Domain Controller critical services. I am mostly following what was discussed in class here rather than adding anything new (except in the SC section, where I add a bit of my own).
Before moving on let’s recap the DC critical services from my previous post:
- DHCP client / DNS client – registers the DC's A and PTR records
  - DHCP client does this on Server 2003 and earlier
  - DNS client does this on Server 2008 and later
- FRS / DFSR – responsible for SYSVOL replication between DCs
  - FRS is deprecated and may or may not still be in use in the domain; DFSR is its replacement.
  - If the domain was created at the Windows Server 2008 domain functional level (i.e. all DCs are Server 2008 or later), SYSVOL uses DFSR.
  - Otherwise FRS is still in use unless SYSVOL was migrated to DFSR.
- DNS server – used by DCs to locate each other, clients to locate DCs
- KDC – used for Kerberos authentication in the domain
- Netlogon – maintains the secure channel between domain members (including other DCs) and the DC; also registers the DC's SRV records in DNS
  - The secure channel is what authentication and AD replication between DCs depend on
  - The DNS records Netlogon registers are also written to %systemroot%\system32\config\netlogon.dns, in case the DNS server has to be updated manually
- Windows Time – maintains correct time in the domain, required for Kerberos authentication and AD replication
- AD DS – the directory service itself (the NTDS service)
- AD WS – Active Directory Web Services; the web service interface that the AD PowerShell module and the Administrative Center talk to (not a web GUI)
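As an added example (not part of the workshop notes or the original post), the following PowerShell function checks the services in the list above on one or more DCs and flags any that are set to start automatically but are not running. It assumes PowerShell 3 or later and that the DCs accept WinRM, which is the default transport of Get-CimInstance -ComputerName; the DC names are placeholders.

```powershell
# Added example, not from the workshop or the original post.
# Short names of the DC critical services as the Service Control Manager knows them.
$DcCriticalServices = @(
    'Dnscache',  # DNS Client   (registers A/PTR records on 2008 and later)
    'Dhcp',      # DHCP Client  (did that job on 2003 and earlier)
    'NtFrs',     # File Replication Service (legacy SYSVOL replication)
    'DFSR',      # DFS Replication          (SYSVOL on DFSR domains)
    'DNS',       # DNS Server
    'Kdc',       # Kerberos Key Distribution Center
    'Netlogon',  # Net Logon
    'W32Time',   # Windows Time
    'NTDS',      # Active Directory Domain Services
    'ADWS'       # Active Directory Web Services
)

function Test-DcCriticalServices {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$ServiceName = $DcCriticalServices
    )
    foreach ($dc in $ComputerName) {
        try {
            # One round trip per DC: fetch every service, filter locally
            $all = Get-CimInstance -ClassName Win32_Service -ComputerName $dc -ErrorAction Stop
        } catch {
            Write-Warning "$dc : cannot query services ($($_.Exception.Message))"
            continue
        }
        foreach ($name in $ServiceName) {
            $svc = $all | Where-Object { $_.Name -eq $name }
            if (-not $svc) {
                # Expected for NtFrs on a DFSR domain (and vice versa);
                # anything else missing on a DC is a real problem.
                [pscustomobject]@{
                    DC = $dc; Service = $name; State = 'not installed'; StartMode = '-'
                    Problem = ($name -notin 'NtFrs', 'DFSR')
                }
                continue
            }
            [pscustomobject]@{
                DC        = $dc
                Service   = $name
                State     = $svc.State        # Running / Stopped / Start Pending ...
                StartMode = $svc.StartMode    # Auto / Manual / Disabled
                # An automatic service that is not running is the first thing to chase
                Problem   = ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running')
            }
        }
    }
}

# Placeholder DC names; replace with your own
Test-DcCriticalServices -ComputerName 'win-dc01', 'win-dc03' |
    Sort-Object DC, Service |
    Format-Table -AutoSize
```

Pipe the output through Where-Object Problem to see only the rows that need attention. Win32_Service is used rather than Get-Service because its StartMode property is available on every PowerShell version, whereas Get-Service only exposes StartType from PowerShell 5 onwards.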
Event Viewer
In case of issues the Event Viewer is the best place to start troubleshooting from. Bear in mind that merely looking at the System and Application logs, as most admins do, is not enough. Netlogon, the KDC and Windows Time do log to System, but the role-specific logs (Directory Service, DNS Server, DFS Replication, File Replication Service) live under Applications and Services Logs, and the Custom Views > Server Roles section gathers the AD-relevant events from all of these in one view.
Event IDs for some of the common problems can be found at this link. Some more event IDs and their resolution can be found at this link. The previous two links are worth a read in that they also give a high level overview of AD and troubleshooting.
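As an added example (not from the workshop or the original post), the following PowerShell pulls the recent Critical, Error and Warning events from the logs named above on a DC and summarises them by source and event ID, so the repeat offenders stand out before you start reading individual messages. It assumes you can read the event logs on the target (remote Event Log access uses RPC) and that the logs carry their standard names; the DC name is a placeholder.

```powershell
# Added example, not from the workshop or the original post.
function Get-DcRoleEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$MaxPerLog = 200
    )
    # Netlogon, KDC, W32Time and the Service Control Manager write to System;
    # the role-specific logs live under Applications and Services Logs.
    $logs = 'System', 'Directory Service', 'DNS Server',
            'DFS Replication', 'File Replication Service'

    foreach ($log in $logs) {
        $filter = @{
            LogName   = $log
            Level     = 1, 2, 3                      # Critical, Error, Warning
            StartTime = (Get-Date).AddHours(-$Hours)
        }
        # A log that does not exist on this DC (e.g. File Replication Service on a
        # DFSR-only domain) or one with no matching events makes Get-WinEvent
        # report an error; skip it quietly and move on to the next log.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                     -MaxEvents $MaxPerLog -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Log'; e = { $log } },
                          TimeCreated, ProviderName, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Most frequent (source, event ID) pairs on a placeholder DC over the last 24 hours
Get-DcRoleEvents -ComputerName 'win-dc03' |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Drop the Group-Object stage to see the individual events with their timestamps and the first line of each message; raise -Hours when the problem started earlier than yesterday.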
DcDiag
This has a separate post of its own now.
Service Controller (SC)
This is a command I haven't used much except in the context of checking for drivers. Try the following if you want to get a list of all active drivers on your system:

```
sc query type= driver | findstr DISPLAY_NAME
```
Omit the pipe and findstr after that if you want more details. SC is cool in that it can do remote computers too:

```
sc \\win-dc03 query type= driver | findstr DISPLAY_NAME
```

But drivers are just one type of object SC can query. If you omit type= driver SC returns services (and if you set type= all SC returns both drivers and services). For example, to get a list of all services on the machine:

```
sc query
```
An example entry in the output looks like this:

```
SERVICE_NAME: ADWS
DISPLAY_NAME: Active Directory Web Services
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
```
Too much info, so to output just the Service Name, Display Name, and State use findstr (a quoted, space-separated list matches any of the words):

```
sc query | findstr "SERVICE_NAME DISPLAY_NAME STATE"
```
Services can be stopped and started using the following commands:

```
sc stop <service name>
sc start <service name>
```
SC has its limitations though. You can't stop a service while other services that depend on it are running (sc stop fails with error 1051), and sc stop only sends the stop control and returns immediately, so query the state again afterwards rather than assuming the service is down. SC can show both directions of the dependency graph, but one level at a time: sc qc lists the services a given service depends upon, and sc enumdepend <service name> lists the services that depend on it. For example:

```
C:\Users\Administrator>sc qc DNS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DNS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\dns.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DNS Server
        DEPENDENCIES       : Tcpip
                           : Afd
                           : RpcSs
                           : NTDS
        SERVICE_START_NAME : LocalSystem
```
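Walking the whole dependency chain, rather than one level at a time, is easier from PowerShell. The following is an added example (not from the workshop or the original post) that uses the ServiceController objects Get-Service returns, which expose both directions: ServicesDependedOn (what sc qc shows as DEPENDENCIES) and DependentServices (what sc enumdepend shows). It lists every service that transitively depends on a given one, in the order they would have to be stopped before that service itself can be stopped. It assumes Windows PowerShell (5.1 or earlier) for the -ComputerName parameter; on PowerShell 7 drop that parameter and run it locally.

```powershell
# Added example, not from the workshop or the original post.
function Get-ServiceDependents {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $visited = @{}
    $order   = New-Object System.Collections.Generic.List[object]

    # Depth-first, post-order walk: a service is added to $order only after all
    # of its own dependents have been added, which is exactly the stop order.
    function Visit($svc) {
        foreach ($dep in $svc.DependentServices) {
            if ($visited.ContainsKey($dep.Name)) { continue }   # diamond dependencies
            $visited[$dep.Name] = $true
            Visit $dep
            $order.Add($dep)
        }
    }

    $root = Get-Service -Name $Name -ComputerName $ComputerName -ErrorAction Stop
    Visit $root

    foreach ($svc in $order) {
        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            Status      = $svc.Status
            # Only a running dependent makes sc stop / Stop-Service refuse (error 1051);
            # stopped dependents do not block the stop.
            BlocksStop  = ($svc.Status -eq 'Running')
        }
    }
}

# On the DC from the sc qc output above, DNS shows up here because it lists NTDS
# as a dependency; everything that in turn depends on DNS appears before it.
Get-ServiceDependents -Name NTDS | Format-Table -AutoSize
```

If you do want everything stopped in one go, Stop-Service -Force stops the dependents for you; the list above tells you in advance what that will take down, which on a DC is worth knowing before you press Enter.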
Given a service you can also get its description. For example:

```
C:\Users\Administrator>sc qdescription DNS
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: DNS
DESCRIPTION:  Enables DNS clients to resolve DNS names by answering DNS queries and dynamic DNS update requests. If this service is stopped, DNS updates will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
```
Like I said, I don't use SC much except to query drivers. What I typically use for querying services is PowerShell. One gotcha when running SC from a PowerShell prompt: there, sc is an alias for Set-Content, so type sc.exe to get the Service Controller.
PowerShell
- Start-Service
- Stop-Service
- Restart-Service
- Get-Service
I have noticed that sometimes the results from Get-Service and sc query vary. A recent example was when I did Get-Service NTDS on a Server 2008 R2 machine and it returned nothing, while sc query NTDS returned results as expected.

```
PS> Get-Service NTDS
Get-Service : Cannot find any service with service name 'NTDS'.
At line:1 char:12
+ Get-Service <<<< NTDS
    + CategoryInfo          : ObjectNotFound: (NTDS:String) [Get-Service], ServiceCommandException
    + FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.Commands.GetServiceCommand

C:\> sc query NTDS

SERVICE_NAME: NTDS
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\> wmic service list status | findstr "NTDS"
0  NTDS  OK
```

Even WMIC is able to find NTDS above, but Get-Service doesn't. Go figure!
Be mindful of the symptoms
One thing that was emphasized in class a lot is that while troubleshooting you start with the symptoms (doh!). As in, think of the symptoms you are experiencing and work backwards from them to the critical services that could be down or broken and would produce those symptoms: a failure to locate a DC points at DNS or Netlogon, Kerberos errors at the KDC or Windows Time, stale Group Policy at SYSVOL replication, and so on. That gives you a good starting point, and you can then use the tools above to dig deeper and identify the problem. AD is a complex system made up of many moving parts, so a good understanding of the underlying structure and how the parts tie in together is important.