Active Directory: Troubleshooting

This is intended to be a “running post” with bits and pieces I find on AD troubleshooting. If I bookmark these I’ll forget them. But if I put them here I can search easily and also put some notes alongside. 

DCDiag switches and other commands

From Paul Bergson:

  • dcdiag /v /c /d /e /s:dcname > c:\dcdiag.log
    • /v tells it to be verbose
    • /d tells it to also show debug output – i.e. even more verbosity
    • /c tells it to be comprehensive – do all the non-default tests too (except DCPromo and RegisterInDNS)
    • /e tells it to test all servers in the enterprise – i.e. across site links

This prompted me to make a table with the list of DcDiag tests that are run by default and in comprehensive mode. 

Test Name                     By default?   Comprehensive?
Advertising                   Y             Y
CheckSDRefDom                 Y             Y
CheckSecurityError            N             Y
Connectivity                  Y             Y
CrossRefValidation            Y             Y
CutOffServers                 N             Y
DcPromo                       N/A           N/A
DNS                           N             Y
FrsEvent                      Y             Y
DFSREvent                     Y             Y
SysVolCheck                   Y             Y
LocatorCheck                  Y             Y
Intersite                     Y             Y
KccEvent                      Y             Y
KnowsOfRoleHolders            Y             Y
MachineAccount                Y             Y
NCSecDesc                     Y             Y
NetLogons                     Y             Y
ObjectsReplicated             Y             Y
OutboundSecureChannels        Y             Y
RegisterInDNS                 N/A           N/A
Replications                  Y             Y
RidManager                    Y             Y
Services                      Y             Y
SystemLog                     Y             Y
Topology                      N             Y
VerifyEnterpriseReferences    N             Y
VerifyReferences              Y             Y
VerifyReplicas                N             Y

Replication error 1722 The RPC server is unavailable

Came across this after I set up a new child domain. Other DCs in the forest were unable to replicate to this for about 2 hours. The error was due to DNS – the CNAME records for the new DC hadn’t replicated yet.

This TechNet post was a good read. Gives a few commands worth keeping in mind, and shows a logical way of troubleshooting.

Replication error 8524 The DSA operation is unable to proceed because of a DNS lookup failure

Another TechNet post I came across in relation to the above DNS issue.

This command is worth remembering:

Shows all the replication partners and a summary of last replication. Seems to be similar to:

Especially useful is the fact that both commands give the DSA GUIDs of the target DC and its partners:

It is possible to specify a DC by giving its name. Having the GUIDs is useful when you suspect DNS issues. Check that the CNAMEs can be resolved from both source and destination DCs.
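
One way to script that CNAME check (an added example, not from the original post or the TechNet articles): each DC registers the alias <DSA GUID>._msdcs.<forest root DNS name>, so the function below queries it against the DNS service on each DC and then confirms the target host resolves to an address. The forest name, server addresses and GUIDs are constructed placeholders, and it assumes both DCs run DNS and have IPv4 (A) records.

```powershell
# Constructed placeholder values; replace with your own environment's details.
$ForestRoot = 'corp.example'                  # forest root DNS name (assumed)
$DnsServers = '192.0.2.10', '192.0.2.20'      # source and destination DCs (assumed to run DNS)
$DsaGuids   = @(
    '11111111-2222-3333-4444-555555555555'    # DSA object GUIDs taken from the replication output
    'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
)

function Test-DsaCname {
    param(
        [Parameter(Mandatory)][guid[]]   $DsaGuid,
        [Parameter(Mandatory)][string]   $ForestRoot,
        [Parameter(Mandatory)][string[]] $DnsServer
    )
    foreach ($guid in $DsaGuid) {
        # Alias every DC registers for replication: <DSA GUID>._msdcs.<forest root>
        $alias = '{0}._msdcs.{1}' -f $guid, $ForestRoot
        foreach ($server in $DnsServer) {
            $result = [ordered]@{
                Alias = $alias; DnsServer = $server
                Target = $null; Address = $null; Status = 'OK'
            }
            try {
                # -DnsOnly skips LLMNR/NetBIOS so only the named DNS server answers
                $cname = Resolve-DnsName -Name $alias -Type CNAME -Server $server -DnsOnly -ErrorAction Stop |
                         Where-Object Type -eq 'CNAME' | Select-Object -First 1
                if (-not $cname) { throw 'no CNAME record in answer' }
                $result.Target = $cname.NameHost

                # The alias only helps replication if its target resolves too
                $a = Resolve-DnsName -Name $cname.NameHost -Type A -Server $server -DnsOnly -ErrorAction Stop |
                     Where-Object Type -eq 'A'
                if (-not $a) { throw 'CNAME target has no A record' }
                $result.Address = $a.IPAddress -join ','
            }
            catch {
                # NXDOMAIN, timeouts and missing records all end up here
                $result.Status = "FAIL: $($_.Exception.Message)"
            }
            [pscustomobject]$result
        }
    }
}

Test-DsaCname -DsaGuid $DsaGuids -ForestRoot $ForestRoot -DnsServer $DnsServers |
    Format-Table -AutoSize
```

A row that is OK against one server and FAIL against the other points at DNS replication lag between the two, which is the situation described under error 1722 above.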