AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Browse by Tags

Related Posts
  • Blog Post: Cheat sheet for Smartcard Redirection on W2k8 R2 RDP servers

    Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008 R2 http://support.microsoft.com/kb/2601888 Latest BaseCSP.DLL (as of April 2012): You may wait for up to 30 seconds when you use a smart card to unlock a computer that is running Windows 7 or Windows Server...
  • Blog Post: Debunking Slow Logon Myths

    Over the years, the following three causes for slow logons have been mistakenly identified as being relevant for improving logon speed on Windows clients. Deleting your cached roaming profile. This will most likely do nothing or even make your logon slower if the profile is excessively big and...
  • Blog Post: Can't find script engine "VBScript" for script after installing MS10-020

    Summer is here and support volumes trickle down to a minimum as people jump into their SUV's and drive off into the wild blue yonder. Having said that I encountered the following interesting issue: We installed the fix from KB 981332 on a Windows 2008 R2 server and after that we're not able to...
  • Blog Post: What is logged to the Userenv.log file?

    Winlogon is the main component that logs data to the Userenv.log file (through userenv.dll). If Userenv debug logging is enabled as per KB 221833, the userenv.log file will include the following: - Slow link detection - Machine Group Policy Application - Processes and applications which start...
  • Blog Post: PreferLogonDC issues on W2k8 R2 DC's

    A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client "forgets" its dynamic site name during the startup sequence. The net effect of this being that the client always makes additional generic DNS queries which return non-site specific DC names back to...
  • Blog Post: Trusts and isolated names and logon performance

    While bouncing around ideas with colleagues more intelligent than me I was reminded of a case I had with a customer 5 years ago. The exact specifics of the problem aren’t important but the reason it became a problem are as follows: If a DC receives a Name2Sid query about an account that isn’t...
  • Blog Post: RODC’s and Port Exhaustion

    The problem of port exhaustion usually doesn’t affect DC’s to the same extent as it affects clients and application servers. The reason is that a Domain Controller is the lord of its own small kingdom, it will usually have a local copy (RW or RO) of the partitions it needs to consult for servicing...
  • Blog Post: Massaging the XP registry for logon performance

    There are two registry settings on Windows XP clients that have been observed to be key catalysts for slow boot/slow logon scenarios (also referred to as SBSL). On the Windows XP side (SP3 must be present on all clients): Turn on opportunistic locking on the XP clients: - Review http:...
  • Blog Post: Considerations for implementing Credential Roaming

    Credential Roaming is the replacement or alternative to using Roaming Profiles (or RUP - Roaming User Profiles). The biggest drawback to using RUP has always been that the profile tends to grow bigger as time goes by ( raise your hand if you've ever saved a file on your desktop ). One of the primary...
  • Blog Post: Time travel and factors that increase client startup or login time

    This entry is written concerning the following issue; How applications and services can add to the startup or login time of clients. The basics first; On any operating system, performing any operation takes time. This is just a fact of life and is more related to the nature of time than a question...
  • Blog Post: What are Userenv 1030 and 1058 events?

    These are very generic client events and are logged whenever the system fails to apply Group Policy settings for either the user or the computer. One thing to note concerning a Userenv 1030/1058 event is that it doesn’t have to be indicative of a problem , it can be caused by environmental issues...
  • Blog Post: Why am I seeing LsaSrv 45058 events on my client?

    From Julio: I recently installed a new server running Windows 2008 R2 (as a DC) and the related computers running Windows 7 Pro. The computers are joined to the domain. In a computer, which is shared by two users (userA and UserB), I see the following event on the Event Viewer while userA was logged...
  • Blog Post: Troubleshooting account lockout the PSS way

    I‘ve been thinking for some time about pulling together the typical approaches we use when troubleshooting account lockout issues. So... here is the CSS/PSS approach to troubleshooting Account Lockouts. #1 - Look at the Account Lockout Threshold policy that is defined for the Domain. Applications...
  • Blog Post: The golden rules of user resource management

    If you make unlimited storage space available to users, your users will use unlimited storage space...and then come back and ask for more storage space to be made available. - Avoid giving out unlimited disk space or mailbox space to your users, computer systems in general are a limited resource. It...
  • Blog Post: The return of PAC-mania [AKA some reasons why PAC verification can fail]

    There's tons of good stuff out there on Kerberos PAC verification - but with current trends showing an increase in incoming cases related to this type of issue I though it would do me good to brush up on this and link the most relevant articles together. In short; PAC verification is the process where...
  • Blog Post: The magical 2 minute logon delay mystery

    Some time ago I had an interesting escalation where the problem description was as following: I'm running a Citrix Metraframe Presentation Server farm with around 20 servers in it, after about 2 days my users start getting a logon delay of *exactly* 2 minutes. If I reboot the server everything...
  • Blog Post: Cached logons and CachedLogonsCount

    A co-worker of mine had a case with the following description: We've set the CachedLogonsCount registry value to 1 on our workstations because we want to limit the number of cached user logons in the LSA cache on the system. However, this seems to have the side-effect of sometimes making it impossible...
  • Blog Post: The caveats of using Group Policy Preferences on Terminal Servers

    Note: this entry is about the Group Policy Preferences component and one aspect of it (which is resolved in later hotfixes or service packs) - for a more generic entry that describes troubleshooting slow logons in general see http://blogs.technet.com/b/instan/archive/2008/04/17/troubleshooting-the-intermittent...
  • Blog Post: Netlogon 5719 and the Disappearing Domain [Controller]

    Netlogon is a client and a server component; when it logs 5719 it is acting as a client and trying to make a network connection that fails for some reason. A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation...
  • Blog Post: Troubleshooting the intermittent slow logon or slow startup

    Update: See also the following articles for up-to-date information on how to fix slow logon issues in Windows systems: http://social.technet.microsoft.com/wiki/contents/articles/10130.root-causes-for-slow-boots-and-logons.aspx http://social.technet.microsoft.com/wiki/contents/articles/10128.tools...
  • Blog Post: Credential Providers simplified pt1

    GINA is dead.... the main reason is the fact that having more than one GINA on a system was difficult. Yes, chaining multiple GINA DLL's was a possibility but it really required at least one of the GINA providers to be aware of the other and trying to chain 3 different GINAs was still cumbersome. ...