AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Related Posts
  • Blog Post: I'm your Clone Baby DC

    While doing some research on whether servers with identical SIDs (i.e. that have been cloned without Sysprep) pose either a security risk or an operational risk I came across the following blog entry by Mark Russinovich (Dark Lord of the Sid). The essence of it is as follows (I love summarizing...
  • Blog Post: Credential Roaming and NTDS.dit bloat

    Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx With a recent DCR to Windows 7 & W2k8 R2 (http://support.microsoft.com/kb/2520487) it is now possible to filter out...
  • Blog Post: Exchange Powershell get-user cmdlet only recognizes certificates using the X500 format

    The Windows OS supports 7 different types of entries in the Subject Alternate Names extension of certificates (and in the altSecurityIdentities attribute in AD). The Exchange Powershell cmdlets on the other hand only support the X500 format (X500DistinguishedName). The net result of this is...
  • Blog Post: The Smartcard Removal Policy Service and VPN

    The ScPolicySvc service works by monitoring a specific registry key (See Deconstructing the Smartcard Removal Policy Service). The VPN client (Connection Manager aka CM) on the other hand doesn't use the Credential Provider architecture, it uses its own code for picking which certificate from...
  • Blog Post: Dude, where's my Forest Root?

    Let's look at a hypothetical worst-case scenario: - Your AD infrastructure contains one root domain and one or more child domains. - You've lost all the DC's in the Root domain due to hardware failure (Example: putting all DC's in the root domain on the same SAN) - There are no usable System...
  • Blog Post: Assigning a static RPC port to ADLDS or ADAM for replication

    Just wanted to put this here as it's not been easy to find this information anywhere: ADLDS registers a custom RPC port which is by default taken from the dynamic port range 49152-65535, this is NOT the same as the LDAP port specified for the instance. On ADAM the same thing applies but the dynamic...
  • Blog Post: Primers for building a highly available Active Directory environment

    Notes from the field on things to consider with regards to maintaining Active Directory: Hardware Diversity - this includes virtualization and SAN's. Read the official Microsoft notes on virtualization recommendations in the Technet article and KB below. DC's are designed to be redundant and distributed...
  • Blog Post: Can't find script engine "VBScript" for script after installing MS10-020

    Summer is here and support volumes trickle down to a minimum as people jump into their SUV's and drive off into the wild blue yonder. Having said that I encountered the following interesting issue: We installed the fix from KB 981332 on a Windows 2008 R2 server and after that we're not able to...
  • Blog Post: The problem with problems...

    Let's say you're looking at a glaring Red event in your event log that has an ominous ring to it, or some monitoring program that screams loudly because some parameter it has defined isn't being met by the tests it is doing. That's bad, right? The answer is of course, it depends on the context...
  • Blog Post: Using Wevtutil to capture and view the CAPI2 Operational log

    CAPI2 events are logged to Application Logs\Microsoft\Windows\CAPI2\Operational. However, CAPI2 logging is off by default due to performance reasons. To enable CAPI2 Operational logging, wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true To clear the log so we only get the...
  • Blog Post: What is logged to the Userenv.log file?

    Winlogon is the main component that logs data to the Userenv.log file (through userenv.dll). If Userenv debug logging is enabled as per KB 221833, the userenv.log file will include the following: - Slow link detection - Machine Group Policy Application - Processes and applications which start...
  • Blog Post: PreferLogonDC issues on W2k8 R2 DC's

    A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client "forgets" its dynamic site name during the startup sequence. The net effect of this being that the client always makes additional generic DNS queries which return non-site specific DC names back to...
  • Blog Post: The case of the mysterious account lockout coming from Exchange

    I worked the following case recently: We have a single user that keeps getting his account locked out every 60 seconds. We've managed to isolate this down to coming from the Exchange server but there isn't anything pointing in the right direction as to what is causing it. The really strange bit is...
  • Blog Post: ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published

    Consider the following disaster recovery scenario: The CA has become temporarily unavailable, the current CRL and Delta CRL have expired and revocation checking is failing which is preventing smartcard logons. You have the private/public key pair of the CA certificate available and...
  • Blog Post: Fun with LDIFDE and MS09-056

    The LDIFDE export tool that has shipped with all flavors of Windows since Windows 2000 is one of the more useful tools that can be used for troubleshooting. A fraction of the things you can do with it include: conditional exporting of data from Active Directory bulk modifying specific attributes testing...
  • Blog Post: DCDIAG and the Not-N'sync Home Server

    A customer called in with questions about the following error she received in Dcdiag: I ran DCDIAG /V /E /C and found these errors at the end of it: Starting test: Intersite Doing intersite inbound replication test on site Contoso-HQ-CHI: Locating & Contacting Intersite Topology Generator (ISTG...
  • Blog Post: What happens in a Journal Wrap?

    FRS is a multi-master replication system that takes care of replicating the contents of Sysvol between all DC’s in the domain (it can also replicate normal data but we're primarily interested in Sysvol replication in the blog entry). With proper care and maintenance, Post-SP2 FRS on W2k3 is pretty...
  • Blog Post: Deconstructing the KDC certificate processing functionality

    For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate present in the personal store of the computer account. This is typically autoenrolled for whenever a Windows CA server has been installed into the AD environment. The KDC service on W2k8 R2 monitors the...
  • Blog Post: Converting AD attributes using FILETIME to a meaningful value

    If you've ever looked at the raw attributes of an Active Directory object, you've no doubt noticed that some of the attributes use the format of "nanoseconds since 01-01-1601" (otherwise known as FILETIME). To a computer this makes perfect sense but to an administrator it's just gibberish until it...
  • Blog Post: Trusts and isolated names and logon performance

    While bouncing around ideas with colleagues more intelligent than me I was reminded of a case I had with a customer 5 years ago. The exact specifics of the problem aren’t important but the reason it became a problem are as follows: If a DC receives a Name2Sid query about an account that isn’t...
  • Blog Post: Configuring a Windows Server 2008 front-end web enrollment server for delegation

    After you install the web enrollment pages on an external IIS7 web server, 2 additional steps are required: On the service account running the website in IIS 7 (commonly the computer account/Network Service account): - Trust the security principal for delegation against the back-end server ...
  • Blog Post: Why should I restore System State rather than troubleshoot?

    Some thoughts concerning why the quickest way to troubleshoot AD can be to simply restore the last good backup that you have: Troubleshooting any issue is always an unknown time factor. You simply don't know how long it will take; you could find the problem immediately or it could take several days...
  • Blog Post: Changing the Primary Domain DNS name of this computer to "" failed.

    This is a bogus error message that can be safely ignored - it's caused by the domain join code ending up in a function which it doesn't need to run anyway during a domain join operation using the GUI. What's failing is the attempt to change the Primary DNS suffix of the machine after the domain join...
  • Blog Post: Installing DPM Agent on target server fails:

    When the DPM agent is installed on a machine that is to be protected by DPM, the admin doing the install specifies credentials that will be used for the initial installation. After the installation phase has completed however, the DPM Agent services on the target machine to be protected will start...
  • Blog Post: ADFS case sensitivity

    ADFS is case-sensitive for the most part - but there are some sections of ADFS 2.0 where you might not need an exact match. In general you should however still try to make sure you both comply with the standard format for public attributes and settings and maintain consistency when referring to internal...