Active Directory Best Practices Analyzer
The Active Directory Best Practices Analyzer (ADBPA) tool provided by Microsoft in Windows Server 2008 R2 is not perfect but, at least for troubleshooting, it does offer some good value. ADBPA appears under the Active Directory Domain Services role in Server Manager. You can click on each entry and get a description below the listing. It will show errors and warnings as well.
It checks:
- that all primary DCs are configured with a valid time source
- that all domains have two functioning DCs
- that all organizational units (OUs) are protected from accidental deletion
- when the last backups were executed
- that DNS is configured correctly
- whether file replication service (FRS) replication and Group Policy replication are working
ADBPA is a good place to start as an overview, but details are obviously lacking. For instance, it doesn’t display information about Active Directory replication or if any DCs haven’t replicated over a period of time (like tombstone lifetime). While it indicates if DNS is working to allow clients to connect, there’s nothing to indicate which DNS server might be incorrectly configured.
Repadmin and Replsum
Repadmin, as a rule, is the most powerful command-line tool for Active Directory troubleshooting. The Replication Summary option, or Replsum command, displays an overview of the replication status of all DCs in all domains in the forest. In terms of an Active Directory health check, it’s imperative to know if all DCs are replicating — and for those that aren’t, you’ll want to know the last time they did replicate and why they stopped.
The Repadmin command can quickly and clearly answer these questions. This is a valuable time saver compared with the commonly used Repadmin /showrepl, which details each DC in a long listing. The Replsum option looks at all DCs in all domains in the forest and puts them in an easy-to-read table. Use the command:
Repadmin /replsum /bysrc /bydest /sort:delta >repadmin.txt
Tip: If replication hasn’t occurred for tombstone lifetime days, the “largest delta” entry will show “> 60 days.” This indicates that the DC should not be brought back online because it could introduce lingering objects. Manually demote and re-promote the DC.
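To act on the Replsum table and the tombstone-lifetime tip above, here is an added example (not part of the original article) that parses a saved repadmin.txt and classifies each DC. The sample output is constructed, and the 60-day tombstone lifetime is assumed to be the forest's value; adjust it for forests with a longer lifetime.

```python
import re
from datetime import timedelta

# Tombstone lifetime the article's "> 60 days" tip refers to (assumption: older-forest default)
TOMBSTONE_LIFETIME = timedelta(days=60)

# Constructed sample of the Source DSA table from "repadmin /replsum /sort:delta" (not real data)
SAMPLE_REPLSUM = """\
Source DSA          largest delta    fails/total %%   error
 DC01                   11m:32s    0 /   5    0
 DC02          01d.02h:15m:40s    1 /   5   20  (1722) The RPC server is unavailable.
 DC03                  >60 days    5 /   5  100  (8524) The DSA operation is unable to proceed because of a DNS lookup failure.
"""

# One table row: DSA name, largest delta, fails/total, percentage, optional error text
ROW = re.compile(
    r"^\s*(?P<dsa>\S+)\s+(?P<delta>>60 days|(?:\d+d\.)?(?:\d+h:)?(?:\d+m:)?\d+s)"
    r"\s+(?P<fails>\d+)\s*/\s*(?P<total>\d+)\s+\d+\s*(?P<error>.*)$"
)

def parse_delta(text):
    """Convert repadmin's delta (e.g. 01d.02h:15m:40s) to a timedelta; '>60 days' is capped at the tombstone lifetime."""
    if text.startswith(">"):
        return TOMBSTONE_LIFETIME
    parts = {unit: int(value) for value, unit in re.findall(r"(\d+)([dhms])", text)}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))

def parse_replsum(output):
    """Return {dsa: (largest_delta, fails, total, error)} for every row in the summary tables."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows[m["dsa"]] = (parse_delta(m["delta"]), int(m["fails"]), int(m["total"]), m["error"].strip())
    return rows

def triage(output, tombstone=TOMBSTONE_LIFETIME):
    """'lingering-risk' if a DC has not replicated for the tombstone lifetime (demote and re-promote per the article),
    'failing' if any of its links fail, otherwise 'ok'."""
    verdicts = {}
    for dsa, (delta, fails, _total, _error) in parse_replsum(output).items():
        if delta >= tombstone:
            verdicts[dsa] = "lingering-risk"
        elif fails:
            verdicts[dsa] = "failing"
        else:
            verdicts[dsa] = "ok"
    return verdicts
```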
Besides replication, the other most common cause of Active Directory failure is DNS, and DNS problems are often the cause of replication failure. The difficulty is that many environments install DNS servers on all Active Directory DCs, and there are many ways DNS can fail; examining each one by hand is time-consuming. In the Windows Server 2003 time frame, Microsoft added the /Test:DNS option to the DCDiag command. Execute it as follows:
DCDiag /Test:DNS /e /v >DcdiagDNS.txt
This command will analyze every DNS server it finds on the network and test DNS server authentication, basic connectivity, configuration of forwarders, delegation, dynamic registration and resource record registration. For the latter, DCDiag creates a test resource record and tries to register it. If this fails, new records cannot be registered (which will cause other failures).
It will record three potential results: Pass, Fail or Warn. Warn means it isn’t a failure but should be investigated. For instance, Warn under the dynamic registration (DYN) column means the secure dynamic updates are not enabled. This isn’t a failure, but you should be sure this is what you want.
Tip: The listing of domains and DCs in the table is a handy display of all domains in the forest and all DCs (that are DNS servers) in each domain. This is a quick map of the domain structure and the DCs. Most environments make all DCs DNS servers, so this is a nice way to see the domain and DC structure.
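As an added example (not from the original article), the following parses the DNS summary table that the DCDiag /Test:DNS /e run above writes to DcdiagDNS.txt, rebuilds the domain/DC map the tip describes, and lists every Fail or Warn with the article's reading of a Warn in the Dyn column. The sample table is constructed and its column layout (Auth, Basc, Forw, Del, Dyn, RReg, Ext) is assumed.

```python
import re

# Constructed sample of the "Summary of DNS test results" table written by dcdiag /test:dns /e
# (column layout assumed; this is not real output)
SAMPLE_DCDIAG_DNS = """\
Summary of DNS test results:

                                    Auth Basc Forw Del  Dyn  RReg Ext
         _________________________________________________________________
         Domain: corp.example.test
            DC01                     PASS PASS PASS PASS WARN PASS n/a
            DC02                     PASS FAIL FAIL PASS PASS FAIL n/a
         Domain: child.corp.example.test
            DC03                     PASS PASS PASS PASS PASS PASS n/a
"""

COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
# A result row is a DC name followed by exactly seven PASS/FAIL/WARN/n/a cells
RESULT_ROW = re.compile(r"^\s*(?P<dc>\S+)\s+(?P<results>(?:(?:PASS|FAIL|WARN|n/a)\s*){7})$")

def parse_dns_summary(output):
    """Return {domain: {dc: {column: result}}}: the forest's DNS-serving DCs and their per-test results."""
    domains, current = {}, None
    for line in output.splitlines():
        if line.strip().startswith("Domain:"):
            current = line.split(":", 1)[1].strip()
            domains[current] = {}
            continue
        m = RESULT_ROW.match(line)
        if m and current:
            domains[current][m["dc"]] = dict(zip(COLUMNS, m["results"].split()))
    return domains

def findings(output):
    """List (domain, dc, test, verdict, note) for every non-PASS cell, in table order."""
    out = []
    for domain, dcs in parse_dns_summary(output).items():
        for dc, results in dcs.items():
            for test, verdict in results.items():
                if verdict in ("FAIL", "WARN"):
                    note = ""
                    if test == "Dyn" and verdict == "WARN":
                        note = "secure dynamic updates not enabled; confirm this is intended"
                    elif test == "RReg" and verdict == "FAIL":
                        note = "test resource record could not be registered; new records will not register"
                    out.append((domain, dc, test, verdict, note))
    return out
```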
DNSCMD Command-Line Tool
If you’re working on a remote system for an environment you’re not familiar with (or if you just want details about the DNS environment you work in), the DNSCMD command-line tool will provide a wealth of information.
| Command | What it does |
| --- | --- |
| DNScmd /Info | Shows server properties |
| DNScmd /enumzones | Lists all DNS zones on the network |
| DNScmd /zoneinfo <zone name> | Displays zone properties for <zone name> |
| DNScmd <serverName> /zoneExport <zone name> <output filename> | Requires an admin-privileged cmd window; dumps all DNS records in the zone, so the file may be large |
| DNScmd <serverName> /zoneExport /cache <output filename> | Same as the previous zoneExport, but dumps the cache |
ntdsutil
Use for command-line maintenance of your Active Directory database. Installed by default on domain controllers and menu driven. Although many of its functions are also available via the GUI, it’s worth becoming familiar with this tool as sometimes nothing else will do. For example, it’s needed for cleaning up if a domain controller isn’t demoted cleanly.
dcdiag
Command-line tool to perform various domain controller tests to help confirm health and diagnose problems. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
netdiag
For network-related tests and troubleshooting. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
repadmin
Command-line tool to monitor and troubleshoot replication issues.
ntfrsutl
Accesses information on the ntfrs service, including subscription information. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
A graphical tool to monitor the status of the File Replication Service. Download here: Microsoft Download Center.
dsadd, dsget, dsmod, dsmove, dsquery and dsrm
Built-in command-line tools included with 2003 and 2008.
csvde and ldifde
Built-in command-line tools included with 2000 and above. csvde is particularly useful for dumping the contents of Active Directory into a csv file, or for creating new objects from a similar file.
redirusr.exe and redircmp.exe
Built-in command-line tools included with Windows 2003 and above. Change the default containers for new user and computer objects respectively.
Account Lockout and Management Tools
Tools you can use to troubleshoot account lockouts, as well as add functionality to Active Directory. Download here: Microsoft Download Center.
- AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).
- ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials. Caution! Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.
- ALoInfo.exe. Displays all user account names and the age of their passwords.
- EnableKerbLog.vbs. Used as a startup script, enables Kerberos logging on all your clients that run Windows 2000 and later.
- EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.
- LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.
- NLParse.exe. Used to extract and display desired entries from the Netlogon log files.