How to Check Windows Active Directory for Problems


Having helped many small organizations troubleshoot problems with Microsoft Active Directory, I thought I would put a few of my favorite troubleshooting tips and tricks in a blog post, both for general reference and for my own later reference.

Active Directory

First: how do you determine that something may be wrong with the current Active Directory configuration?

Here are a few good examples from real-world experience. I am referencing a multi-server, single-domain Active Directory structure running on Windows 2012 or newer. Most of the items I will discuss are also relevant and work on older versions of Active Directory.

  1. User passwords do not work consistently after a password change
  2. A user's password works fine at site one, but not at site two
  3. DNS lookups sometimes give errors for internal resources

Most of the problems that I have fixed have been misconfigurations of the network settings, of DNS, or of a combination of the two.

  1. Make certain that each Active Directory server has integrated DNS installed and that the server's network settings are configured properly:
    1. DNS entry 1 should be the local IP address of the Active Directory server, so the server can find itself when the network is active.
    2. DNS entry 2 should be set to 127.0.0.1, so the server can find itself when the network is not active.
    3. Nothing else is in the DNS server list (no external DNS servers, no other internal DNS servers).
  2. Make certain that DNS is configured properly and that proper forwarders are in place. Follow the directions in the following Microsoft TechNet article; the link is for Windows 2012 R2. Also pay special attention to scavenging of records: if it is not correctly configured, it can either leave multiple records with the same IP address or remove critical DNS records. I usually set scavenging on the forward and reverse lookup zones covering the subnets where DHCP is employed, and set the interval to 7 days.
  3. On Windows 2012 and 2012 R2 servers, the Best Practices Analyzer is your friend: update its definitions and run it against your server. It will give you many things to consider; evaluate the recommendations for your environment. If you still have Windows XP running (first, please upgrade), you may not be able to disable NT LAN Manager v1 (NTLMv1) in your environment.
  4. DCDiag: command-line utility for verifying proper configuration of Active Directory. This is a great tool for verifying that functionality. TechNet article here.
  5. DNSCMD: command-line utility for testing DNS; its commands are also useful for scripting automated tasks. TechNet article here.
  6. IPCONFIG: basic tool for looking up IP address information on a Windows system. Useful switches include /flushdns, /release and /renew. More information here.
  7. NSLOOKUP: tool used for testing DNS lookups on client machines. Useful for identifying and troubleshooting problems with domains. More information here.

One of the most common issues that I identify and resolve is Active Directory servers being removed from the domain improperly, or simply physically decommissioned without being demoted.

To read about the proper method of removing an Active Directory server, this TechNet article is the guide to follow. In Windows 2012 and later, the DCPromo method is no longer used; it has been replaced by a PowerShell or GUI method that is much easier to follow.

The next most common issue is basic DNS misconfiguration on the Active Directory servers. DNS should always point first to the local IP address and then to 127.0.0.1. All other configurations cause strange side effects, such as clients registering with the secondary domain controller first and then replicating to the primary.
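The DNS client rule from item 1 above and from this paragraph is easy to audit across every domain controller in one pass. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed, WinRM is enabled on the DCs, and it is run as a domain admin. The function name Test-DcDnsClientConfig is my own.

```powershell
# Added example: audit each DC's DNS client list against the baseline
# (entry 1 = the DC's own IPv4 address, entry 2 = 127.0.0.1, nothing else)
# and run DCDiag's DNS test on any DC that deviates.
# Assumes: ActiveDirectory RSAT module, WinRM reachable on each DC, domain admin rights.
Import-Module ActiveDirectory

function Test-DcDnsClientConfig {
    param([Parameter(Mandatory)][string]$DcName)

    $dc      = Get-ADDomainController -Identity $DcName
    $localIp = $dc.IPv4Address

    # Read the DNS client server list from the DC itself (IPv4 interfaces only)
    $servers = @(Invoke-Command -ComputerName $DcName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -ExpandProperty ServerAddresses
    })

    # Baseline: exactly two entries, in this order
    $matches = ($servers.Count -eq 2) -and
               ($servers[0] -eq $localIp) -and
               ($servers[1] -eq '127.0.0.1')

    [pscustomobject]@{
        DomainController = $DcName
        LocalIp          = $localIp
        DnsServers       = ($servers -join ', ')
        MatchesBaseline  = $matches
    }
}

# Check every DC in the domain and show the result as a table
$results = Get-ADDomainController -Filter * |
    ForEach-Object { Test-DcDnsClientConfig -DcName $_.HostName }
$results | Format-Table -AutoSize

# For DCs that deviate, run the DCDiag DNS test against that server
$results | Where-Object { -not $_.MatchesBaseline } | ForEach-Object {
    dcdiag /test:DNS /s:$($_.DomainController)
}
```

A DC with two NICs can legitimately report more than one IPv4 interface, so review the DnsServers column before treating a MatchesBaseline of False as a fault.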