Common Active Directory Troubleshooting Commands


DCDiag /c /v /e /fix /f:c:\DCDIAG.Log
Run a comprehensive test against all DCs in the forest with verbose logging

  • /c: Performs a comprehensive suite of tests.
  • /v: Provides verbose logging displaying additional information on what is being tested and the result.
  • /fix: fixes any unregistered DC SPNs
  • /a: Test all DCs in the site.
  • /e: Tests ALL the DCs in the enterprise. Use with caution.
  • /ReplSource:<SourceDomainController>: test connection between this DC and another.

http://technet.microsoft.com/en-us/library/cc731968%28v=ws.10%29.aspx

DCDiag Replication Related tests:

  • CutOffServers
  • Intersite
  • MachineAccount
  • NCSecDesc
  • Netlogon
  • ObjectsReplicated
  • VerifyEnterpriseReferences
  • VerifyRreplicas

NLTest /sc_query:DNSDomainName

Check Secure Channel

NLTest /sc_verify:DNSDomainName

Verifies Secure Channel

NLTest /dsgetsite

Check computer site (also checks secure channel)

Kllist -li 0x3e7

List Kerberos tickets for machine account

RPCDump

Shows replication rpc ports

Portqry

Run against port 135 to see mapped RPC ports.

Repadmin /SyncAll /A /e /P
Force a full forest replication synchronization of all partitions “pushing” changes out from the DC the command is run on.
http://technet.microsoft.com/en-us/library/cc770963%28v=ws.10%29.aspx

Repadmin /options *

Check to see if any DC is misconfigured (Options)
http://technet.microsoft.com/en-us/library/cc736571%28v=ws.10%29.aspx#BKMK_38

Repadmin /replsummary

Forest wide replication health check

Repadmin /kcc *

Forces KCC to run on all DCs

Repadmin /kcc /site:SITENAME

Forces KCC to run on all DCs in specified site

repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition /advisory_mode

http://technet.microsoft.com/en-us/library/cc785298(v=ws.10).aspx

Repadmin /bind

Check RPC connectivity

NOTE: If LinkValueReplication=NO, then it’s Windows 2000 Forest Functional Mode.
Repadmin /queue <DCNAME>

See replication queue
Or Perf counter: NTDS_DRA Pending Replication Synchronizations

Repadmin /showreps

Repadmin /showrepl /v

Information about replication partners – shows NEVER replicated DCs

Repadmin /showutdvec

Information about NC Up-to-dateness Vector

Repadmin /showconn

Information about connection objects

Repadmin /showsig

Shows InvocationID & Retired InvIDs

 

Repadmin /siteoptions SERVERNAME /site:SITENAME +Win2k3_Bridges_Required

When BASL is disabled, this site option configures Intersite Mesaging to develop the intersite cost matrix useful for DFS.
Repadmin /showobjmeta

See AD object history

  • Legacy shows groups existing before Win2k3 Forest Funtional Level
  • Present shows groups created/modified (group members removed/added) after Win2k3 Forest Funtional Level
  • Recycle Bin deleted objects show here as Present but with DEL:GUID

Ipconfig /all

Ping ##.##.##.##

Nslookup ######.###

DNSCMD

DNSLint (KB 321045)

Active Directory Common Ports Used:

53 DNS
88 Kerberos
123 SNTP
135 RPC Endpoint Mapper
137 NetBIOS
138 NetBIOS
139 NetBIOS
389 LDAP
445 SMB
464 Kerberos Change Password
636 LDAP (SSL)
3268 Global Catalog
3269 Global Catalog (SSL)
5722 DFS-R (SYSVOL)
5985 WinRM
9389 ADWS (AD Powershell)

Windows Server 2008 (and newer) DCs use IANA RPC port range: 49152 – 65535

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: