Active Directory Domain Services (AD DS) Troubleshooting Survival Guide and Content Map

This page categorizes the Active Directory troubleshooting information that is spread all over the Internet, so you can get to the resource you need to solve your specific issue.

Troubleshooting Overviews

You might want to check out these overviews, flow charts, and general Active Directory troubleshooting strategy resources if you are not quite sure where to start:

Collecting Information

The following topics contain information that can help you gather more information about the problems that you are experiencing:

Useful Utilities

  • DCdiag - general domain controller diagnostics; dcdiag /fix run on a domain controller is especially useful
  • Netdiag - general network diagnostics; netdiag /fix is especially useful for Windows Server 2003 R2 and earlier implementations
  • Netdom - used for resetting domain member computer secure channels and setting up trust relationships
  • ADSIEdit - used for browsing Active Directory structure from an LDAP perspective
  • LDP - LDAP browser that can be used for browsing, finding, and modifying the security settings of Active Directory objects
  • Insight for Active Directory - Intercepts and displays LDAP and ADSI calls to show you what is happening when Active Directory is accessed from the system on which it is installed.
  • ACLDiag - shows permissions set on Active Directory objects
  • SDCheck - Security Descriptor Checker is used to query security descriptor information on Active Directory objects
  • DSAStat - used to compare Active Directory replica sets
  • NTFRSUtil - used to monitor and diagnose issues with the NT File Replication System used for Active Directory replication by default in Windows Server 2003 R2 and earlier. Starting in Windows Server 2008, Directory File Service Replication (DFSR) was enabled by default on new forests.
  • Repadmin - used for monitoring and troubleshooting Active Directory replication
  • Replmon - a graphical replication troubleshooting tool for Windows Server 2003 R2 and earlier; deprecated starting in Windows Server 2008
  • Codeplex Active Directory Utilities - Multiple tools available for Active Directory from this site
  • Useful Microsoft Active Directory Tools - another site, ad-active-directory-tools.com, dedicated to discussing Active Directory tools
  • Active Directory Replication Status Tool - GUI tool released 7/2012 to analyze and check replication status

Active Directory Events

Starting with Windows Server 2008, the most frequently encountered event viewer messages have been targeted for more information. There are two big collections in the TechNet Library that we are planning to move onto the TechNet Wiki, so that a larger group of people can help provide assistance in getting them documented.

There are also people working on a similar endeavor at EventID.Net, where you can search for more information by providing the Event Source and ID. A similar mechanism exists on the TechNet Errors and Events Message Center. This TechNet Wiki may one day be the best place to find more information on Events and Errors, as there are several people working on fleshing these out on this platform. More about that in the following section.

Event Sources

The vision for this section is to link from each of the event sources below to pages that discuss the event source and link out to specific Event IDs. The Event ID pages will then provide troubleshooting information specific to the event. We are already working on this, as you can see in Event ID 1311. Our goal is for each page to provide the information that people will need to solve the issues they encounter. There are many people already committed to this effort and working on it. Still, we can use all the help we can get; if you are inclined to help, we encourage you to do so.

Active Directory Limitations

There are many different factors that can limit the scale and performance of Active Directory. Here are articles that discuss them:

Active Directory Replication Issues

Resources that will help you troubleshoot Active Directory replication issues include:

Services or Access Denied

If the user account you are using truly does not have permissions to perform an action in Active Directory, you will likely receive an Access Denied message. To see if you are using an account with the appropriate privileges, see Privileges. To learn more about permissions and the specific permissions required to perform specific tasks, see Best Practices for Delegating Active Directory Permissions: Appendices.
 
You might also need a service principal name (SPN) for your service in Active Directory. To learn more about troubleshooting SPNs, take a look at Service Principal Names (SPNs).

Sometimes the reason for an access denied message is not immediately obvious. For example, the computer may have been set to Shutdown the system immediately if unable to log security events, or the CrashOnAuditFail registry value may have been set. You may have to log on interactively or directly to the console (Session 0). For more information, see Services Denied and Computer Unresponsive When Security Event Log is Full. For more information about Session 0, see Scheduled Tasks Run in the Context of Session 0 with Terminal Services, How to Connect to and Shadow the Console Session with Windows Server 2003 Terminal Services, and Application Compatibility Session 0 Isolation.

Performance Issues

Blogs with Troubleshooting Information

See Also