  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 473

How to verify active directory is functioning correctly

Hello,

One of my customers, who has a small network of 80 users at one site, lost power for almost 12 hours (this happened overnight).

The customer has two Domain Controllers, each with a copy of the Global Catalogue and a distribution of the FSMO roles amongst themselves. These are Windows 2003 Standard Server Edition with SP2.

Since the two Domain Controllers were off for quite a while, I would like to verify, after bringing them up, that AD is functioning correctly.

Initially I brought them on-line and there were some errors, but a reboot of both servers seemed to fix most of the problem.

The only error I seem to be encountering is that some of the computer accounts need to be reset (net logon errors in the event viewer).

Can someone suggest some steps to perform to ensure that AD is indeed running correctly?

Thanks in advance!

Mark
0
2 Solutions
 
Nagendra Pratap Singh Commented:
You should check the replication first.

This is an old site but will tell you the details well.


http://www.mcmcse.com/microsoft/guides/replmon.shtml

Of course there may be other issues, and you need to check the system logs and install a UPS with a graceful shutdown feature.
0
 
Xaelian Commented:
Hi, you should check the replication between the two domain controllers. Can you do the following?

To verify replication is functioning

1. Open a Command Prompt.

2. Type the following command, and then press Enter:
    dcdiag /test:replications
    Note: For this set of tests, the /v option is available. However, it does not display any significant additional information. Messages indicate that the connectivity and replications tests passed.

To verify that the proper permissions are set for replication, type the following command and then press Enter:

1. dcdiag /test:netlogons

2. Messages indicate that the connectivity and netlogons tests passed.

You can also do a health check of the Active Directory if you don't trust the Event Viewer.

You can read all the appropriate commands in this link:

http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
0
 
Krzysztof Pytko, Active Directory Engineer, Commented:
If you wish, you may go through an article on my blog for that at
http://kpytko.wordpress.com/2012/08/15/active-directory-troubleshooting-tools/

There are a lot of steps, but they will give you a full overview for that.

Regards,
Krzysztof
0
 
usslindstrom Commented:
Agreed with npsingh123.  Replication will be the most important...  But it wouldn't be the first thing I'd check.

Run a "dcdiag" against the domain controllers and check to see that all the tests pass.  If anything pops up, it's usually safe to run "dcdiag /fix" to get rid of the most obvious errors (if any).

Once that's complete, then I'd move into the replication checks, and make sure there aren't any errors there.  From a command line, "repadmin" will be your friend here; in your context, it would be "repadmin /showrepl".  Note any errors (again, if any).

DCs being offline usually isn't cause for any alarm - unless that "offline" time turns into "months" - where the DC objects would be "tombstoned".  A few hours of down-time shouldn't do anything detrimental to your environment.
0
 
Darkworld1000 Commented:
Login to your Windows server using a remote desktop application or by directly logging in via console.

Open a command prompt.

Run the following command: repadmin /replsummary
0
 
mbudman (Author) Commented:
I ran the netdiag command and I got the following error repeatedly.

Can someone provide an explanation as I am not certain how to proceed.

Thanks,

Mark

===================================================
An Error Event occured.  EventID: 0x0000168E
            Time Generated: 08/17/2012   04:45:12
            Event String: The dynamic registration of the DNS record
            '_ldap._tcp.<<domain_name>>.com. 600 IN SRV 0 100 389 <<companydomaincontroller>>.com.'
            failed on the following DNS server:
            DNS server IP address: <UNAVAILABLE>
            Returned Response Code (RCODE): 0
            Returned Status Code: 0
            For computers and users to locate this domain
            controller, this record must be registered in
            DNS.
            USER ACTION
            Determine what might have caused this failure,
            resolve the problem, and initiate registration of
            the DNS records by the domain controller. To
            determine what might have caused this failure,
            run DCDiag.exe. You can find this program on the
            Windows Server 2003 installation CD in
            Support\Tools\support.cab. To learn more about
            DCDiag.exe, see Help and Support Center. To
            initiate registration of the DNS records by this
            domain controller, run 'nltest.exe /dsregdns'
            from the command prompt on the domain controller
            or restart Net Logon service. Nltest.exe is
            available in the Microsoft Windows Server
            Resource Kit CD.
            Or, you can manually add this record to DNS,
            but it is not recommended.
            ADDITIONAL DATA
            Error Value: %%10065
========================================================
0
 
Xaelian Commented:
It seems you are likely having DNS issues. Your Primary DC is failing Domain membership.
Try doing a dcdiag /test:dns on both servers and run netdiag /fix to see if the issue is resolved.
0
 
Krzysztof Pytko, Active Directory Engineer, Commented:
Looks like there is an issue with the DNS server; maybe it is unreachable/broken or was removed.

Please run on a DC in command-line

dcdiag /e /c /v /f:c:\dcdiag.log

and attach this file here for analysis, please

Krzysztof
0
 
mbudman (Author) Commented:
Hi,

Here is one of the main errors:

Thanks,

Mark

-------------------

DC1
========
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Error Event occured.  EventID: 0xC0003500
            Time Generated: 08/17/2012   06:54:27
            (Event String could not be retrieved)
         ......................... DC1 failed test frsevent
0
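
An added example (not from any poster in this thread): a small Python triage script for the log that `dcdiag /e /c /v /f:c:\dcdiag.log` writes, listing which tests failed on which DC and the event IDs reported under each. The sample log is constructed from the excerpt above, and the function names `summarize` and `failures` are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample in the layout dcdiag prints (modelled on the excerpt
# above); the site name, DC2 and the passing tests are illustrative.
SAMPLE_LOG = """\
Testing server: Default-First-Site-Name\\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: frsevent
         An Error Event occured.  EventID: 0xC0003500
            Time Generated: 08/17/2012   06:54:27
            (Event String could not be retrieved)
         ......................... DC1 failed test frsevent
Testing server: Default-First-Site-Name\\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
"""

RESULT = re.compile(r"^\s*\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)", re.I)
EVENT = re.compile(r"An (Error|Warning) Event occur+ed\.\s+EventID:\s+(0x[0-9A-Fa-f]+)")
START = re.compile(r"^\s*Starting test:\s+(\S+)")

def summarize(log_text):
    """Return {target: {"passed": [tests], "failed": {test: [event ids]}}}."""
    summary = defaultdict(lambda: {"passed": [], "failed": {}})
    events = []  # event IDs seen since the last "Starting test:" line
    for line in log_text.splitlines():
        if START.match(line):
            events = []
        elif (m := EVENT.search(line)):
            events.append(m.group(2))
        elif (m := RESULT.match(line)):
            target, verdict, test = m.group(1), m.group(2).lower(), m.group(3)
            if verdict == "passed":
                summary[target]["passed"].append(test)
            else:
                summary[target]["failed"][test] = events
            events = []
    return dict(summary)

def failures(log_text):
    """Flat, sorted list of (target, test, event_ids) for failed tests only."""
    return sorted((t, name, tuple(ev))
                  for t, r in summarize(log_text).items()
                  for name, ev in r["failed"].items())

if __name__ == "__main__":
    for target, test, ev in failures(SAMPLE_LOG):
        print(f"{target}: FAILED {test} events={list(ev) or 'none logged'}")
```
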
 
Xaelian Commented:
Well, this is not good. Because both DCs were out, you can't migrate the SYSVOL to the other server.

I would suggest taking a look at this KB on how you can rebuild the SYSVOL tree and its content in a domain:

http://support.microsoft.com/?id=315457
0
 
Krzysztof Pytko, Active Directory Engineer, Commented:
OK, it looks like there might be a DNS issue in your environment, and that's why SYSVOL is not replicating. However, please try to do a non-authoritative SYSVOL restoration on DC1 using the D2 burflag according to the MS article at
http://support.microsoft.com/kb/840674

and check if SYSVOL started its replication

Krzysztof
0
 
mbudman (Author) Commented:
Thank you for your assistance.

Everything seems to check out.

Cheers,

Mark
0
