AD health check list for troubleshooting

Kerberos, Active Directory (AD) authentication

Troubleshooting plan

  1. DNS check
  2. PDC check
  3. AD database
  4. GPO
  5. Client
  6. Network
  7. Tools

DNS check

    • dcdiag /test:dns /e /v
    • Forwarder up?
    • nslookup
    • Check the DNS zone
    • Check SRV records: nslookup -q=srv _ldap._tcp.dc._msdcs.
    • Can the client get a DC? (nltest /dsgetdc:<domain>)

If not: reset the secure channel (nltest /sc_reset:<domain>)
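The DNS checks above, scripted as one pass. This is an added example and not part of the original checklist; it assumes RSAT-style tooling (Resolve-DnsName, Test-NetConnection, nltest.exe) is present on the client, and $DomainName defaults to the client's own domain.

```powershell
# Added example, not from the original checklist: automate the DNS / DC locator checks for one domain.
# $DomainName defaults to the client's own domain; pass another name to test a trusted domain.
param([string]$DomainName = $env:USERDNSDOMAIN)

$results = @()

# 1. SRV records the DC locator needs (the checklist queries the first one with nslookup -q=srv)
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$DomainName",
    "_kerberos._tcp.dc._msdcs.$DomainName",
    "_ldap._tcp.pdc._msdcs.$DomainName"
)
foreach ($srv in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $records) {
            $results += [pscustomobject]@{ Check = $srv; Target = $r.NameTarget; Port = $r.Port; Status = 'OK' }
        }
    } catch {
        # A missing record here means the DC locator cannot work: check the zone and the forwarder first
        $results += [pscustomobject]@{ Check = $srv; Target = '-'; Port = '-'; Status = "MISSING: $($_.Exception.Message)" }
    }
}

# 2. Every DC advertised in DNS must answer on LDAP (389) and Kerberos (88)
$dcHosts = $results | Where-Object { $_.Status -eq 'OK' } | Select-Object -ExpandProperty Target -Unique
foreach ($dc in $dcHosts) {
    foreach ($port in 389, 88) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $status = if ($ok) { 'OK' } else { 'UNREACHABLE' }
        $results += [pscustomobject]@{ Check = "TCP $port"; Target = $dc; Port = $port; Status = $status }
    }
}

# 3. Can this client locate a DC through the locator itself? (nltest /dsgetdc:<domain>, forcing rediscovery)
$null = & nltest.exe "/dsgetdc:$DomainName" /force 2>&1
$status = if ($LASTEXITCODE -eq 0) { 'OK' } else { "FAILED (nltest exit code $LASTEXITCODE)" }
$results += [pscustomobject]@{ Check = 'nltest /dsgetdc'; Target = $DomainName; Port = '-'; Status = $status }

$results | Format-Table -AutoSize
```

A DC that resolves but is UNREACHABLE on 389 or 88 points at the network section of this checklist rather than at DNS.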

 

PDC check

    • All FSMO roles up?
      • netdom query fsmo

Replication test


  1. Repadmin /showrepl
  2. dcdiag /a /v /c
  3. DNS check : dcdiag /test:dns /v
  4. Trigger replication
    1. repadmin /replicate
    2. repadmin /syncall

(Assumes physical, network, local-only errors have been checked)

  • Quick OS Check (e.g. System Log)
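The PDC and replication checks above, combined into one console pass. This is an added example and not part of the original checklist; it assumes the RSAT ActiveDirectory module and repadmin.exe are installed on the machine running it.

```powershell
# Added example, not from the original checklist: FSMO holders and replication health in one pass.
# Assumes the RSAT ActiveDirectory module is installed; repadmin.exe ships with the AD DS tools.
Import-Module ActiveDirectory

function Get-FsmoStatus {
    # Same answer as "netdom query fsmo", plus an LDAP reachability test for each role owner
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $ldapOk = (Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $ldapOk }
    }
}

function Get-ReplicationFailures {
    # "repadmin /showrepl * /csv" lists every inbound partner of every DC; keep only links with failures
    $rows = repadmin.exe /showrepl '*' /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time', 'Last Failure Status'
}

Get-FsmoStatus | Format-Table -AutoSize
$failures = Get-ReplicationFailures
if ($failures) {
    $failures | Format-Table -AutoSize -Wrap
    # Checklist step "Trigger replication": sync all partitions across all sites, then re-run the check
    repadmin.exe /syncall /AdeP | Out-Null
} else {
    'No inbound replication failures reported by repadmin.'
}
```

The 'Last Failure Status' column is the Win32 error to look up (for example on EventID.Net, as the next section suggests) before forcing another sync.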

Event log AD DS

    1. Check the event log
    2. EventID.Net
    3. NTDS KCC
       1. Replication: dcdiag /test:topology
       2. NTDS database
    4. Kerberos
    5. SCE client events? Go to the client GPO section
    6. SYSVOL

Active Directory database

  1. DSRM logon (Directory Services Restore Mode) before working on the database
  2. Database integrity:
    1. NTDSUTIL / FILES / INTEGRITY; if not OK:
      • NTDSUTIL / FILES / RECOVER
    2. Else:
      • NTDSUTIL / SEMANTIC DATABASE ANALYSIS / VERBOSE ON / GO
    3. If OK: restart in normal mode
    4. Else:
      • NTDSUTIL / SEMANTIC DATABASE ANALYSIS / VERBOSE ON / GO FIXUP
    5. If OK: restart in normal mode
    6. Else: NTDSUTIL / FILES / RECOVER

Group Policy Management Console and HTML reports

gpresult /r or gpresult /h:report.html / RSOP / GPMC
  1. GPO applied?
    1. If not, and the GPO is in the denied list, check:
       – Security Filtering
       – Disabled GPO
       – Inaccessible Data
       – Empty GPO
       – WMI Filter
    2. If not, and the GPO is not in the denied list, check:
       – Scope of Management
       – Replication
       – Group Policy Refresh
       – Network Connectivity
    3. If yes: GPMC / report
  2. Settings review, check:
       – GPO Inheritance
       – Replication
       – Group Policy Refresh
       – Asynchronous Processing
       – Client Side Extensions
       – Loopback Processing
     • If the settings are not listed, check:
       – Replication
       – Group Policy Refresh
       – Operating System Support
       – Slow Link
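The "denied list" causes above (security filtering, disabled GPO, empty GPO, WMI filter) plus the DS/SYSVOL replication check, inspected from the GPO side rather than from one client's gpresult. This is an added example and not part of the original checklist; it assumes the RSAT GroupPolicy module and an account that can read every GPO's security.

```powershell
# Added example, not from the original checklist: list possible "denied list" causes for every GPO.
# Assumes the RSAT GroupPolicy module is available and the account can read each GPO's permissions.
Import-Module GroupPolicy

function Get-GpoApplyProblems {
    foreach ($gpo in Get-GPO -All) {
        $problems = @()

        # Disabled GPO: one or both halves of the GPO are switched off
        if ($gpo.GpoStatus -ne 'AllSettingsEnabled') { $problems += "Disabled: $($gpo.GpoStatus)" }

        # Empty GPO: never edited on either side (DS version still 0)
        if ($gpo.Computer.DSVersion -eq 0 -and $gpo.User.DSVersion -eq 0) { $problems += 'Empty GPO' }

        # Replication: AD (DS) and SYSVOL versions disagree, so clients may read stale or missing files
        if ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion -or
            $gpo.User.DSVersion -ne $gpo.User.SysvolVersion) { $problems += 'DS/SYSVOL version mismatch' }

        # WMI filter: the GPO only applies where the filter evaluates true; worth knowing when it is "denied"
        if ($gpo.WmiFilter) { $problems += "WMI filter: $($gpo.WmiFilter.Name)" }

        # Security filtering: who actually holds "Apply Group Policy"?
        $apply = Get-GPPermission -Guid $gpo.Id -All |
                 Where-Object { $_.Permission -eq 'GpoApply' } |
                 ForEach-Object { $_.Trustee.Name }
        if (-not $apply) { $problems += 'No trustee has GpoApply' }
        elseif ($apply -notcontains 'Authenticated Users') { $problems += "Filtered to: $($apply -join ', ')" }

        if ($problems) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Problems = ($problems -join '; ') }
        }
    }
}

Get-GpoApplyProblems | Format-Table -AutoSize -Wrap
```

A GPO that shows no problem here but is still denied on the client is usually a scope-of-management, network or refresh issue, which is the other branch of the checklist.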

Network

    1. ipconfig / ping the local host / gateway / sites / domain / other servers
    2. Confirm the IP configuration (subnet, DNS…)
    3. vNIC (VMware)
    4. Router / switch / firewall
    5. Reboot, DHCP
    6. tracert / NetMon / Wireshark

Client

    • Domain join
    • Authentication error
      1. System log
      2. Kerberos
      3. nltest /sc_query:<domain>
        1. Reset the computer account
        2. nltest /sc_reset:<domain>
        3. Rejoin the domain
    • Slow logon
      1. nltest /dsgetsite
      2. DCs in all sites
      3. Network trace (Network Monitor)
    • GPO not applied
    • Authorization error
    • Boot
    • Local NTDS error?
    • AD changes?
    • DS replication? SYSVOL replication? DFSR

Kerberos

    • Install kerbtray.exe or use klist.exe
    • If there is no ticket:
      • Event log
      • Clock error?
      • UDP?
      • Token size?
      • SPN
      • Authentication
        • NTLM, password, Unix
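Client-side triage for the Kerberos "no ticket" branch above and the secure-channel steps of the Client section, in one script. This is an added example and not part of the original checklist; it runs on the domain-joined client, uses the DC recorded in $env:LOGONSERVER as the time reference, and swaps in Test-ComputerSecureChannel for the nltest /sc_query and /sc_reset steps.

```powershell
# Added example, not from the original checklist: client-side Kerberos triage for the "no ticket" branch.
# Runs on the domain-joined client; $env:LOGONSERVER is the DC that authenticated the current session.
$dc = $env:LOGONSERVER.TrimStart('\')

# 1. Secure channel: same question as "nltest /sc_query:<domain>"; -Repair replaces the sc_reset/rejoin steps
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel broken: run Test-ComputerSecureChannel -Repair -Credential (Get-Credential) as admin'
}

# 2. Clock error: Kerberos rejects tickets when the skew exceeds 5 minutes (default policy)
$chart = w32tm.exe /stripchart "/computer:$dc" /samples:3 /dataonly 2>&1
# /dataonly lines look like "12:00:01, +00.0123456s"; keep the last offset
$match = $chart | Select-String -Pattern ',\s*([+-]?[\d.]+)s' | Select-Object -Last 1
if ($match) {
    $offset = [double]$match.Matches[0].Groups[1].Value
    if ([math]::Abs($offset) -gt 300) { Write-Warning "Clock skew of $offset s against $dc exceeds the 5 minute tolerance" }
} else {
    Write-Warning "w32tm could not query $dc; check name resolution and the network section"
}

# 3. Tickets: does the session hold a TGT at all? (klist.exe is the tool the checklist names)
$tickets = klist.exe tickets 2>&1
if (-not ($tickets -match 'krbtgt/')) { Write-Warning 'No TGT in the cache; logon probably fell back to NTLM' }

# 4. Kerberos client errors and warnings from the System log (checklist item "Event log")
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Level = 2, 3 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. SPN problems: duplicate SPNs in the forest prevent the KDC from issuing a ticket for that service
$spnReport = setspn.exe -X 2>&1
if ($spnReport -match 'found [1-9]\d* group') { Write-Warning ($spnReport -join "`n") }
```

If the TGT is missing but the clock and secure channel are fine, the remaining items of the list (UDP fragmentation, token size, NTLM fallback) are the next things to check.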

Tools

    • DSRM
    • Ntdsutil
    • Nltest
    • Dcdiag
    • Gpresult
    • Gpupdate
    • rsop
    • Netdom
    • Klist
    • setspn
    • W32time
    • Adsiedit
    • Acldiag
    • SDCheck  – Security Descriptor Checker is used to query security descriptor information on Active Directory objects
    • Adfind.exe
    • LGPO
    • LockoutStatus.exe
    • Psexec.exe
    • Psshutdown.exe
    • GPMC scripting samples
    • ADInfoFreeInstaller
    • LDAP Admin
    • ASA (Attack Surface Analyzer)
    • ADRAP
    • AD Snapshot
    • WhoLockMe
