Troubleshooting Windows Domains
See also
WindowsDomainsTroubleshootingExamples
Things to make sure are OK
- If any DC has more than one ethernet card, either disable the unused ones or un-check "Register this connection's addresses in DNS" on every interface that does not carry domain traffic (e.g. an interface used for iSCSI). Otherwise the DC registers that address too and clients may try to reach the DC on a network they cannot route to.
- Only on the DC holding the PDC Emulator role: configure an external NTP time source. Other DCs, member servers and clients must not have a manual NTP server configured; they follow the domain time hierarchy automatically (sync type NT5DS).
If something is wrong, then for troubleshooting purposes point all DCs to one and the same DNS server, run ipconfig /registerdns, then restart the netlogon service so the DC re-registers its SRV records.
Check if both of your DCs are Global Catalog servers [I am 99% sure this is good -- among other references a few good sysadmins at spiceworks are saying it's good for some use cases with huge domains and none of them says it's bad in any case]
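The time hierarchy from the list above, applied and verified in one script. This is an added example, not code from the original page; time.example.com is a placeholder for your external NTP host, and the script is meant to be run elevated on the machine being configured (the PDC, another DC, a member server or a client).

```powershell
# Added example: apply and verify the domain time hierarchy.
# Assumes: "time.example.com" is a placeholder for the real external NTP host,
# and the script runs elevated on the machine being configured.
$externalNtp = 'time.example.com,0x8'   # placeholder host; 0x8 = client-mode requests

# Locate the PDC Emulator without needing the RSAT ActiveDirectory module
$pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdc = ($env:COMPUTERNAME -ieq ($pdc -split '\.')[0])

if ($isPdc) {
    # Only the PDC Emulator syncs from an external source and advertises itself as reliable
    w32tm /config /manualpeerlist:"$externalNtp" /syncfromflags:manual /reliable:yes /update
} else {
    # Wrong on any other machine: /manualpeerlist:<external host> /syncfromflags:manual
    # (breaks the hierarchy and lets the clock drift away from the DCs).
    # Correct: follow the domain hierarchy (NT5DS)
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /nowait

# Verify: the source is the external host on the PDC and a DC everywhere else
w32tm /query /source
w32tm /query /status
# Offset of this machine against the PDC; Kerberos rejects requests with more than 5 minutes of skew
w32tm /stripchart /computer:$pdc /samples:3 /dataonly
```

On a machine that was wrongly given a manual peer list, the /query /source line is the quickest way to see it: it shows the external host instead of a DC.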
Tests to run on Domain Controllers
Basic tests #1 (get information about the domain)
These commands list the domain's DC(s), the PDC and the FSMO role holders. Run them on any domain-joined server that has netdom.exe (a DC, or a server with the AD DS RSAT tools). The text after # is a comment, not part of the command.
netdom query dc # display the domain's DC(s)
netdom query pdc # display the domain's PDC
netdom query fsmo # display the domain's FSMO role holders
Alternatives for some of the above
Alternative for netdom query dc (needs dsquery, which is present on a Domain Controller or with the AD DS RSAT tools):
dsquery server -o rdn
Alternative for netdom query fsmo (needs the ActiveDirectory PowerShell module):
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Basic tests #2
- on all DCs: Make sure that these services are running: Server, Workstation, NETLOGON
(Get-Service "server").status
(Get-Service "workstation").status
(Get-Service "netlogon").status
- Check that time is synced between DCs and domain members. Kerberos tolerates a clock skew of 5 minutes by default; a member whose clock is further off than that fails authentication and effectively loses domain access.
- This should return no output (see WindowsDomainTestIfDcIsOk)
dcdiag | sls -pattern "failed|error" -Context 2
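The three checks of Basic tests #2 run against every DC from one console. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, WinRM enabled on the DCs (the Windows Server default) and a domain admin account.

```powershell
# Added example: run the "Basic tests #2" checks on every DC from one place.
# Assumes: RSAT ActiveDirectory module, WinRM reachable on the DCs, domain admin rights.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$maxSkewSeconds = 300   # Kerberos default clock-skew tolerance (5 minutes)

foreach ($dc in $dcs) {
    "== $dc =="

    # 1. Server, Workstation and Netlogon must be running (service names, not display names)
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Get-Service -Name LanmanServer, LanmanWorkstation, Netlogon
    } | ForEach-Object {
        $mark = if ($_.Status -eq 'Running') { 'OK  ' } else { 'FAIL' }
        "$mark service $($_.Name) is $($_.Status)"
    }

    # 2. Clock offset of the DC relative to this machine. The last stripchart line looks
    #    like "14:54:29, +00.0012345s"; the number after the comma is the offset in seconds.
    $line = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null | Select-Object -Last 1
    if ($line -match ',\s*([+-]\d+\.\d+)s') {
        $offset = [math]::Abs([double]$matches[1])
        $mark = if ($offset -lt $maxSkewSeconds) { 'OK  ' } else { 'FAIL' }
        "$mark clock offset {0:N3}s" -f $offset
    } else {
        "FAIL could not read clock offset from w32tm: $line"
    }

    # 3. dcdiag /q prints only errors, so empty output means every test passed
    $errors = Invoke-Command -ComputerName $dc -ScriptBlock { dcdiag /q }
    if (-not $errors) { "OK   dcdiag reported no errors" } else { "FAIL dcdiag:"; $errors }
}
```

The offset is measured from the machine running the script, so run it on a DC (or on a host whose own clock you have already verified against the PDC) for the numbers to mean anything.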
If you have (as you should) more than 1 DC check the following to make sure DFS replication is working:
Tests regarding DFS replication
DFSDIAG /TestDCs | sls -NotMatch '^$|^Information|^[A-Za-z]+ing|^Success'
The filter hides the informational lines; only the closing line should remain:
Finished TestDcs.
Run the following and make sure the fails column is 0 for every DSA:
repadmin /replsum | sls -NotMatch '^ *$'
Replication Summary Start Time: 2019-03-21 14:54:29
Beginning data collection for replication summary, this may take awhile:
Source DSA        largest delta   fails/total   %%   error
DC2               01m:05s         0 / 5         0
PDCSRV            07m:37s         0 / 5         0
Destination DSA   largest delta   fails/total   %%   error
DC2               07m:37s         0 / 5         0
PDCSRV            01m:05s         0 / 5         0
Run the following and make sure all lists report 'successful'
repadmin /showreps | sls 'attempt'
Last attempt @ 2019-03-21 14:53:24 was successful.
Last attempt @ 2019-03-21 14:53:24 was successful.
Last attempt @ 2019-03-21 14:53:24 was successful.
Last attempt @ 2019-03-21 14:53:24 was successful.
Last attempt @ 2019-03-21 14:53:24 was successful.
Run the following from cmd on a DC and make sure the state reported for every DC is 4 (0 Uninitialized, 1 Initialized, 2 Initial_Sync, 3 Auto_Recovery, 4 Normal, 5 Error). Note that wmic is deprecated and missing from recent Windows builds; use the PowerShell alternative in that case.
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
- Alternative from PowerShell, but you need to run it once per DC (replace DC2 with each DC's name):
Get-WmiObject -ComputerName DC2 -Namespace "root\MicrosoftDFS" -Class DfsrReplicatedFolderInfo | Select-Object ReplicatedFolderName,ReplicationGroupName,State | ft -AutoSize
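One script covering the whole replication section above: the AD replication status that repadmin /replsum and /showreps report, plus the DFSR state of SYSVOL on every DC, without running anything once per DC. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, CIM (WinRM) access to the DCs, a domain admin account, and that SYSVOL is replicated by DFSR (with FRS the root\MicrosoftDFS namespace does not exist).

```powershell
# Added example: replication health of all DCs at once (AD replication + DFSR SYSVOL state).
# Assumes: RSAT ActiveDirectory module, CIM/WinRM reachable on the DCs, domain admin rights,
# DFSR-replicated SYSVOL.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# AD replication: every partner link with its last result (0 = success), the object form of /showreps.
# Partner is the DN of the partner's NTDS Settings object; the second RDN is the DC name.
Get-ADReplicationPartnerMetadata -Target $dcs -PartnerType Both |
    Select-Object Server, @{n='Partner'; e={ ($_.Partner -split ',')[1] }}, Partition,
                  LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Anything listed here is a failing link, the equivalent of a non-zero fails column in /replsum
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if (-not $failures) { "OK   no AD replication failures" }
else { "FAIL AD replication failures:"; $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize }

# DFSR state of the SYSVOL replicated folder on each DC; anything other than 4 (Normal) needs attention
$stateName = @{ 0='Uninitialized'; 1='Initialized'; 2='Initial_Sync'; 3='Auto_Recovery'; 4='Normal'; 5='Error' }
foreach ($dc in $dcs) {
    $info = Get-CimInstance -ComputerName $dc -Namespace 'root\MicrosoftDFS' `
        -ClassName DfsrReplicatedFolderInfo -Filter "ReplicatedFolderName='SYSVOL Share'"
    if (-not $info) {
        "FAIL $dc : no DFSR info for 'SYSVOL Share' (FRS-based SYSVOL, or CIM not reachable)"
        continue
    }
    $mark = if ($info.State -eq 4) { 'OK  ' } else { 'FAIL' }
    "$mark $dc : $($info.ReplicationGroupName) / $($info.ReplicatedFolderName) state $($info.State) ($($stateName[[int]$info.State]))"
}
```

A DC stuck in state 2 (Initial_Sync) or 3 (Auto_Recovery) is the usual cause of group policy differing between DCs, so this is the check to run before chasing GPO problems on clients.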
If you have any DFSR issues check the log; this shows the latest critical/error/warning events (Level 1-3) with their IDs:
Get-WinEvent -FilterHashtable @{LogName='DFS Replication'; Level=1,2,3} -MaxEvents 10 | fl TimeCreated,Id,Message
Tests to run on Clients
Set the variables at the top to match your domain and run these tests to pinpoint any domain connectivity issues your client may have.
You can also run these tests on a DC; there you only need to ignore the error "no network has proper DNS config" (a DC that lists 127.0.0.1 as its DNS server does not match the list of DC IPs).
TODO:
- this script should not run the DNS config test if it is run on one of the DCs
- I could provide just a list of DC computer names (or maybe find them automatically). The IP address can be found from the names
#---------------------------------
$DC="pdcsrv"
$list_of_DC_IPs = @("192.168.254.104","192.168.254.100")
#---------------------------------
# get domain name
$DOMAIN_FULL= (Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem | Select Domain).domain
echo "This PC reports it is part of $DOMAIN_FULL"
function alert($msg){Write-Host -ForegroundColor red "ERROR: $msg"}
function display_test_result($test_result, $test_descr) {
if ($test_result) {"OK: Test passed: $test_descr"} else {alert "Test failed: $test_descr"}
}
function test_DNS_config() {
display_test_result (ping $DOMAIN_FULL -n 1 | sls '^Pinging ') "Detected domain (resolved domain name to IP)"
# get list of all networks
$Networks = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
-Filter IPEnabled=TRUE `
-ErrorAction Stop
# check each network
$found_proper_net=$false
foreach ($Network in $Networks) {
$DNS_servers = $Network.DNSServerSearchOrder
$at_least_one_ip = $false
If(!$DNS_servers) {
$good_dns = $false
} else {
# good_dns: every DNS server of this interface is a DC; at_least_one_ip: at least one of them is
$good_dns = $true
$DNS_servers | %{
$good_dns = ($good_dns -and ($list_of_DC_IPs -contains $_))
$at_least_one_ip = ($at_least_one_ip -or ($list_of_DC_IPs -contains $_))
}
}
if ($good_dns) {$found_proper_net=$true; " Good: Proper DNS servers on Interface $($Network.Description)"}
elseif ($at_least_one_ip) {"WARNING: Unsupported configuration. Network has extra non-domain DNS servers,$($Network.Description)"}
else {" Info: '$($Network.Description)' is not configured for the domain"}
}
if ($found_proper_net) {"OK: at least one net has proper DNS configuration"} else {alert "no network has proper DNS config"}
}
function test_if_tcp_port_open($port) {
# Test-NetConnection returns an object (always truthy), so check TcpTestSucceeded explicitly
$ok = (Test-NetConnection -Port $port -ComputerName "$DC.$DOMAIN_FULL" -WarningAction SilentlyContinue).TcpTestSucceeded
if (!$ok) {alert "port $port is not open on $DC"}
}
function do_and_expect_success($cmd) {
" Trying '$cmd'"
$out = (cmd /c $cmd)
if ( $out -match "completed successfully") {echo "OK: command succeeded: $cmd"} else {alert "Failure on command '$cmd'. The output follows:"; $out}
}
function do_and_expect_DC_IP($cmd) {
" Trying '$cmd'"
$out = (cmd /c $cmd)
$found=$false
# escape the IP so its dots match literally; expect it at the end of an output line
$list_of_DC_IPs | %{
$found = ($found -or ($out -match (" " + [regex]::Escape($_) + "$")))
}
if ($found) {"OK: got DC IP"} else {alert "Was expecting the IP of one DC in the output of '$cmd' but did not find it. Output is:"; $out}
}
function domain_tests() {
# check the date & time
#----------------------------------------------------------------------------
" Checking if my clock is synced to $DC"
$ret=(w32tm /stripchart /computer:$DC /dataonly /samples:1 | select -Last 1)
# the last line looks like "14:54:29, +00.0012345s"; the pattern accepts offsets below 10 seconds
if ($ret -match ", [+-]0[0-9][.]") { "OK: clocks are in sync"} else {
write-host -foreground Magenta "WARNING: 10 seconds or more out of sync. This is unusual (but not fatal)"
"You may run this to examine the situation. If you are more than 5 minutes out of sync, Kerberos authentication fails"
" w32tm /stripchart /computer:$DC "
$ret=(Read-Host -Prompt ("Is this the current date and time? (yes/no) -> "+(Get-Date)))
if ($ret -notmatch '^y') {alert "Date or time is not current"; return}
}
# check DNS Suffix
#----------------------------------------------------------------------------
" Checking DNS Suffix"
if (ipconfig /all|sls ("DNS Suffix.* " + [regex]::Escape($DOMAIN_FULL) + "$")) {"OK: domain name appears in DNS suffix"} else {alert "domain name does not appear in DNS suffix"}
# check each network and report those that have proper DNS configuration
# (proper = all DNS servers are in the list of IPs of the Domain Controllers)
# At least one net should have "proper" config.
#----------------------------------------------------------------------------
" Testing if there's at least one interface where all DNS servers point to domain DCs"
test_DNS_config
# TCP ports that must be reachable on the DC: 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB (SYSVOL/NETLOGON),
# 464 Kerberos password change, 3268/3269 Global Catalog. You should get no errors from this test.
#----------------------------------------------------------------------------
" testing if TCP ports are open on $DC"
@(88,389,445,464,3268,3269,53) | %{ test_if_tcp_port_open $_ }
""
# Tests with NLTEST, NSLOOKUP
#----------------------------------------------------------------------------
do_and_expect_success "NLTEST /Server:`"$DC.$DOMAIN_FULL`""
do_and_expect_success "NLTEST /dsgetsite"
do_and_expect_success "NLTEST /dsgetdc:`"$DOMAIN_FULL`""
do_and_expect_success "NLTEST /DCLIST:`"$DOMAIN_FULL`""
do_and_expect_DC_IP "nslookup `"$DC.$DOMAIN_FULL`""
do_and_expect_DC_IP "nslookup -type=SRV _kerberos._tcp.dc._msdcs.`"$DOMAIN_FULL`""
do_and_expect_DC_IP "nslookup `"$DOMAIN_FULL`""
do_and_expect_DC_IP "nslookup _ldap._tcp.dc._msdcs.`"$DOMAIN_FULL`""
" Pinging DCs"
$list_of_DC_IPs | %{
display_test_result (ping $_ -n 1 | sls 'Lost = 0') "DC with IP $_ replies to ping"
}
# check if gpupdate completes
#-----------------------------------
" Running gpudate"
$ret=(gpupdate)
display_test_result ($ret -like "*Computer Policy update has completed successfully*") "Computer policy update"
display_test_result ($ret -like "*User Policy update has completed successfully*") "User policy update"
}
domain_tests
Finally, in most cases, ping <PC-NAME> (at least from the DC, i.e. the DNS server) should resolve to the IP of the client.
keywords: Domain Test, Domains Tests, troubleshooting.