This is intended to be a “running post” with bits and pieces I find on AD troubleshooting. If I bookmark these I’ll forget them. But if I put them here I can search easily and also put some notes alongside.
DCDiag switches and other commands
From Paul Bergson:
dcdiag /v /c /d /e /s:dcname > c:\dcdiag.log
/v
tells it to be verbose/d
tells it to also show debug out – i.e. even more verbosity/c
tells it to be comprehensive – do all the non-default tests too (except DCPromo and RegisterInDNS)/e
tells it to test all servers in the enterprise – i.e. across site links
This prompted me to make a table with the list of DcDiag
tests that are run by default and in comprehensive mode.
Test Name | By default? | Comprehensive? |
Advertising | Y | Y |
CheckSDRefDom | Y | Y |
CheckSecurityError | N | Y |
Connectivity | Y | Y |
CrossRefValidation | Y | Y |
CutOffServers | N | Y |
DcPromo | N/A | N/A |
DNS | N | Y |
FrsEvent | Y | Y |
DFSREvent | Y | Y |
SysVolCheck | Y | Y |
LocatorCheck | Y | Y |
Intersite | Y | Y |
KccEvent | Y | Y |
KnowsOfRoleHolders | Y | Y |
MachineAccount | Y | Y |
NCSecDesc | Y | Y |
NetLogos | Y | Y |
ObjectsReplicated | Y | Y |
OutboundSecureChannels | Y | Y |
RegisterInDNS | N/A | N/A |
Replications | Y | Y |
RidManager | Y | Y |
Services | Y | Y |
SystemLog | Y | Y |
Topology | N | Y |
VerifyEnterpriseReferences | N | Y |
VerifyReferences | Y | Y |
VerifyReplicas | N | Y |
Replication error 1722 The RPC server is unavailable
Came across this after I setup a new child domain. Other DCs in the forest were unable to replicate to this for about 2 hours. The error was due to DNS – the CNAME
records for the new DC hadn’t replicated yet.
This TechNet post was a good read. Gives a few commands worth keeping in mind, and shows a logical way of troubleshooting.
Replication error 8524 The DSA operation is unable to proceed because of a DNS lookup failure
Another TechNet post came across in relation to the above DNS issue.
This command is worth remembering:
1 |
repadmin /showreps |
Shows all the replication partners and a summary of last replication. Seems to be similar to:
1 |
repadmin /showrepl |
Especially useful is the fact that both commands give the DSA GUIDs of the target DC and its partners:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
C:\Windows\system32>repadmin /showreps | more KOTTAYAM\WIN-DC02 DSA Options: IS_GC Site Options: (none) DSA object GUID: 6fdae042-053c-47e2-be5f-67db18dfc088 DSA invocationID: 2ba93522-4caf-4130-b946-b4069081c137 ==== INBOUND NEIGHBORS ====================================== DC=rakhesh,DC=local COCHIN\WIN-DC03 via RPC DSA object GUID: 33398129-7632-4014-a3b4-eabb2b74de8b Last attempt @ 2015-01-02 12:26:07 was successful. CN=Configuration,DC=rakhesh,DC=local KOTTAYAM\WIN-DC04 via RPC DSA object GUID: 1e8f2e00-76c6-4e7c-86da-63a398ee2095 Last attempt @ 2015-01-02 11:56:07 was successful. KOTTAYAM\WIN-DC05 via RPC DSA object GUID: 3e82a06d-ec61-48a9-ac83-f68623fdfe85 Last attempt @ 2015-01-02 11:56:07 was successful. COCHIN\WIN-DC03 via RPC DSA object GUID: 33398129-7632-4014-a3b4-eabb2b74de8b Last attempt @ 2015-01-02 12:26:07 was successful. |
It is possible to specify a DC by giving its name. Have the GUIDs is useful when you suspect DNS issues. Check that the CNAME
s can be resolved from both source and destination DCs.