Active Directory Troubleshooting and Maintenance Windows 2008


July 24, 2011 by Rakesh Boraiah

Things will inevitably break in your network—this is a given. Additionally, you’ll need to perform a few tasks on a regular basis to keep your AD DS installation running at maximum performance and efficiency.

Auditing Activities in Active Directory Domain Services

Windows Server 2008 and AD DS include an improved auditing infrastructure that lets you more easily see the activities within your domain. By enabling auditing through Group Policy for your domain controllers, you can see success and failure attempts for specific objects within your directory tree when those objects try to access or change settings on your domain.

Auditing in Windows Server 2008’s implementation of Active Directory has four subcategories:

Directory Service Access

The information in this audit event is essentially the same as what you received in Windows Server 2003, but the event ID changes to 4662.

Directory Service Changes

This event is new and records both the previous and the new, current value of whatever in the directory changed to the Security event log. Objects with properties that changed will have the old and new values logged (event 5136). New objects will have all of their initial settings logged (event 5137), and objects that are moved will have their old and current locations written to the event log (event 5139). Finally, undeleted objects will have their new destination logged as event 5138.

Directory Service Replication

This audits events regarding successes and failures with replication.

Detailed Directory Service Replication

This digs deeper into replication to provide other information (this is still up in the air and will flesh out during the beta period).
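The change events listed under Directory Service Changes can be pulled straight out of the Security log. The following is an added example, not from the original post, that uses Get-WinEvent (Windows PowerShell 3.0 or later, assumed) to list recent 5136 through 5139 events and, for 5136, which attribute received which value:

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0 or later
# (Get-WinEvent) and that "Directory Service Changes" auditing is already on.
# 5136 = attribute modified, 5137 = object created, 5138 = object undeleted,
# 5139 = object moved. A modify shows up as two 5136 events that share an
# OpCorrelationID: one "value deleted" (old value) and one "value added" (new).
function Get-DirectoryChangeEvent {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 5137, 5138, 5139; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Field names are only reliable in the XML view, not in the message text
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $detail = switch ($e.Id) {
            5136 {
                # OperationType %%14674 = value added, %%14675 = value deleted
                $op = if ($data.OperationType -eq '%%14674') { 'added' } else { 'deleted' }
                "$($data.AttributeLDAPDisplayName) value $op : $($data.AttributeValue)"
            }
            5137 { "created $($data.ObjectClass)" }
            5138 { "undeleted from $($data.OldObjectDN)" }
            5139 { "moved from $($data.OldObjectDN)" }
        }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Correlation = $data.OpCorrelationID
            Who         = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            # 5138 and 5139 carry OldObjectDN/NewObjectDN instead of ObjectDN
            Object      = if ($data.ObjectDN) { $data.ObjectDN } else { $data.NewObjectDN }
            Detail      = $detail
        }
    }
}

# Everything changed in the last day, newest first
Get-DirectoryChangeEvent | Sort-Object Time -Descending | Format-Table -AutoSize
```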

To enable auditing, first open Server Manager, and under Features, expand Group Policy Management, your forest, and the active domain. Click on Domain Controllers, and in the right pane, right-click on Default Domain Controller Policy and click Edit. Within the Group Policy Management Editor window that appears, drill down through Computer Configuration, Windows Settings, Security Settings, and Local Policy, and select Audit Policy. In the right pane, double-click on “Audit directory service access” to configure the policy. Check the “Define these policy settings” box, select whether to audit successes, failures, or both, and then click OK.

At this point, you have enabled the auditing policy. Now, you can specify what should be written on the ACLs of each object you want to audit. From Server Manager, drill down to Active Directory Users and Computers, and select Advanced Features from the View menu. Now, right-click on the organizational unit for which you want auditing to be configured, and select Properties. Navigate to the Security tab and click the Advanced button. On the Advanced Security Settings screen, navigate to the Audit tab, and click Add. Add your users as necessary, and then on the resulting Auditing Entry dialog box, select Descendant User Objects from the “Apply onto” drop-down list box; choose the fourth entry on the list, “Write all properties”; and select whether to audit upon success or failure in the respective columns. Click OK, and OK again, and go back to the Server Manager.

Auditing is now enabled on your domain controllers, and any change to the OU you selected will be logged to the Security event log.
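The same two settings can be applied from a script instead of the two GUI walks above. This is an added example, not from the original post; it assumes the ActiveDirectory module (RSAT) for the AD: drive, a constructed OU path, and uses Everyone as the audited principal where the post says "add your users as necessary":

```powershell
# Added example, not from the original post. Enables the audit subcategories
# and adds a SACL entry on an OU for "Write all properties" on descendant user
# objects, mirroring the GUI steps. Assumes the ActiveDirectory module and a
# constructed OU. Run as a domain admin on a DC.
Import-Module ActiveDirectory

# 1. Audit policy. The GUI's "Audit directory service access" category covers all
#    four subcategories; auditpol lets you turn on only the ones you need.
foreach ($sub in 'Directory Service Access', 'Directory Service Changes') {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. SACL on the OU. Everyone (S-1-1-0) records every writer; narrow if required.
$ouDn      = 'OU=Staff,DC=corp,DC=hasselltech,DC=local'    # constructed example OU
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,      # "Write all properties"
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)                                                            # "Descendant User Objects"

$acl = Get-Acl -Path "AD:\$ouDn" -Audit     # -Audit fetches the SACL (needs SeSecurityPrivilege)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Verify what is now audited on the OU
(Get-Acl -Path "AD:\$ouDn" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType
```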

Restarting AD Domain Services

Windows Server 2008 now allows you to restart AD DS without necessarily having to reboot your entire domain controller into Directory Services Restore Mode. This is possible because of a re-architecting of AD services that allows the Domain Services component to have three possible states:

Active Directory Domain Services Started

The nominal state.

Active Directory Domain Services Stopped

A newly supported state that in effect turns a domain controller machine into a member server connected to a domain, but with the repair functionality of Directory Services Restore Mode, covered next.

Directory Services Restore Mode

This mode is available after a reboot (strike the F8 key on your keyboard during boot and select this mode from the text-based startup menu) and allows you to perform offline maintenance on many aspects of the AD database, NTDS.DIT, itself. More on this mode later in this chapter.

You can simply stop the Active Directory Domain Services service (service name NTDS) through the Services console. Alternatively, try the following from the command line.

To stop AD DS, issue this command:

net stop ntds

To start AD DS, issue this command:

net start ntds

Troubleshooting AD with DNSLint

Well, since AD is based on DNS, there are some specific scenarios in which DNSLint can be a lifesaver in terms of identifying and solving a quirky problem with your AD infrastructure. In fact, DNS problems are the most common pitfalls that keep AD from working correctly.

DNSLint can help you figure out when the following issues are occurring:

  • A network adapter whose TCP/IP configuration doesn’t refer to an authoritative DNS server for the zone that works with the AD domain.
  • A DNS zone file without a CNAME record with the globally unique identifier (GUID) of each domain controller along with the A records that act as glue records.
  • Lame delegations to child zones where the NS records specified for the delegation either do not have corresponding glue records or point to servers that are offline or not responding.
  • The DNS zone corresponding to an AD domain does not contain the necessary SRV records, including the _ldap service on TCP port 389 and the _kerberos service on TCP and UDP port 88. GC servers need a SRV record for the _gc service on TCP port 3268.
  • The PDC Emulator FSMO role master does not have a required SRV record for the _ldap service.
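The records in that list can also be checked directly, which is useful when DNSLint is not at hand. The following is an added example, not from the original post or from DNSLint; it assumes the ActiveDirectory module and Resolve-DnsName (DnsClient module, Windows Server 2012 or later) and checks the SRV records, the PDC emulator record and each DC's GUID CNAME:

```powershell
# Added example, not from the original post. Verifies the DNS records the list
# above describes. Assumes the ActiveDirectory module and Resolve-DnsName.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot          # e.g. corp.hasselltech.local
$forest = (Get-ADForest).RootDomain       # _msdcs and _gc live under the forest root
$pdc    = (Get-ADDomain).PDCEmulator

$checks = @(
    @{ Name = "_ldap._tcp.$domain";            Type = 'SRV'; Note = 'LDAP, TCP 389' }
    @{ Name = "_kerberos._tcp.$domain";        Type = 'SRV'; Note = 'Kerberos, TCP 88' }
    @{ Name = "_kerberos._udp.$domain";        Type = 'SRV'; Note = 'Kerberos, UDP 88' }
    @{ Name = "_gc._tcp.$forest";              Type = 'SRV'; Note = 'Global catalog, TCP 3268' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$domain"; Type = 'SRV'; Note = 'PDC emulator' }
)
# One CNAME per DC: <NTDS Settings objectGUID>._msdcs.<forest root> -> DC host name
foreach ($dc in Get-ADDomainController -Filter *) {
    $guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $checks += @{ Name = "$guid._msdcs.$forest"; Type = 'CNAME'; Note = "GUID record for $($dc.HostName)" }
}

$results = foreach ($c in $checks) {
    # -DnsOnly skips the local cache/hosts file so the answer reflects the zone
    $answer  = Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq $c.Type }
    $targets = if ($c.Type -eq 'SRV') { $answer.NameTarget } else { $answer.NameHost }
    [pscustomobject]@{
        Record  = $c.Name
        Purpose = $c.Note
        Found   = [bool]$answer
        Targets = ($targets -join ', ')
    }
}
$results | Format-Table -AutoSize

# The PDC record must name the current PDC emulator, not a former one
$pdcRec = $results | Where-Object Record -like '_ldap._tcp.pdc._msdcs.*'
if ($pdcRec.Targets -notlike "$pdc*") { Write-Warning "PDC SRV record does not point at $pdc" }
```

Any row with Found set to False corresponds to one of the failure conditions in the list above.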

Even better, you can use DNSLint with Dcdiag, another program that can be found in the Support Tools on the Windows Server 2008 CD, to perform many tests and checks prior to promoting a machine to a DC role. You can also probe a current DC just to make sure it’s configured correctly. Specifically, the /dcpromo switch for Dcdiag tests to verify that you have the correct DNS settings for promoting a machine to a DC, and it will list the problems and solutions if there are any.

To check the machine JH-W2K3-DC2 to ensure that it’s ready to be promoted to a DC in the corp.hasselltech.local domain, use the following command:

dcdiag /s:jh-w2k3-dc2 /dcpromo /dnsdomain:corp.hasselltech.local /replicadc

Offline Defragmenting of NTDS Database

Like a hard disk, the database containing all the objects and information within AD DS can become fragmented at times on domain controllers because different parts of the directory are being written to often, and other parts are being rearranged to be read less often. Although you might think that defragging your hard drive will defragment the NTDS.DIT file on your domain controller’s hard disk automatically, this just isn’t the case.

AD DS handles online defragmenting itself, and it does an adequate job. To really clean out the database, however, and defrag it for the maximum possible gain in efficiency, you need to take the domain controller offline so that the defragmenting process can have exclusive use of the database file. This requires four steps: first, reboot the domain controller in question and get it into directory services restore mode; second, perform the actual defragmentation; third, copy the defragmented database back into the production directory; and fourth, reboot the machine. (Replication to other domain controllers in AD DS won’t be affected, as AD DS is smart enough to work around the downed domain controller. It will receive changes when it is brought back online.)

Let’s go through these steps now:

  1. Reboot your domain controller.

  2. As the domain controller begins to boot, press F8 to make the Startup menu appear.

  3. Select Directory Services Restore Mode.

  4. When the system prompts you to log in, use the domain administrator account, but use the restore mode password you created when you first promoted this domain controller to a domain controller role.

  5. Open a command prompt.

  6. Enter ntdsutil at the command prompt to start the offline NTDSUtil tool.

  7. Enter file to enter the file maintenance context.

  8. Type compact to <location>, where <location> signifies the path to the place you want the defragmented copy of the directory stored. When defragmented, AD DS makes a copy of the database so that if something goes wrong, you haven’t messed up the production copy of the directory.

  9. Look for the line “Operation completed successfully in x seconds.” If you see this, type quit to exit NTDSUtil.

  10. At the regular command prompt, copy the file NTDS.DIT from the location you selected in step 8 to \Windows\NTDS. Feel free to overwrite the current file at that location—it is the fragmented version.

  11. Delete any files with the extension .LOG in that same directory.

  12. Restart your domain controller normally, and boot Windows Server 2003 as normal.

Your database is now defragmented.
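On Windows Server 2008 the same compaction can be done with the stoppable AD DS service described under "Restarting AD Domain Services" instead of a reboot into DSRM. The following is an added example, not from the original post; it assumes a constructed scratch path, that it runs as a domain administrator on the DC, and that ntdsutil on Windows Server 2008 needs "activate instance ntds" before entering the files context:

```powershell
# Added example, not from the original post. Steps 8, 10 and 11 above, with the
# reboot replaced by stopping and starting the NTDS service. Keeps the original
# database and logs so the change can be undone, and runs an integrity check
# before AD DS comes back. $work is a constructed scratch location.
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$work    = 'C:\NTDSCompact'
$backup  = Join-Path $work 'original'
New-Item -ItemType Directory -Path $backup -Force | Out-Null

Stop-Service ntds -Force                      # "net stop ntds"; dependent services stop too
try {
    # step 8: offline compaction writes $work\ntds.dit, the production copy is untouched
    $out = & ntdsutil.exe 'activate instance ntds' files "compact to $work" quit quit 2>&1
    if (-not ($out | Select-String 'Operation completed successfully')) {
        throw "compact failed:`n$($out -join "`n")"
    }
    # keep the fragmented copy and its transaction logs
    Copy-Item (Join-Path $ntdsDir 'ntds.dit') $backup -Force
    Get-ChildItem $ntdsDir -Filter *.log | Move-Item -Destination $backup -Force   # step 11
    Copy-Item (Join-Path $work 'ntds.dit') $ntdsDir -Force                         # step 10

    # verify the new file before trusting it
    $chk = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
    if (-not ($chk | Select-String 'Integrity check successful')) {
        Copy-Item (Join-Path $backup 'ntds.dit') $ntdsDir -Force
        Get-ChildItem $backup -Filter *.log | Copy-Item -Destination $ntdsDir -Force
        throw "integrity check failed, original database restored:`n$($chk -join "`n")"
    }
}
finally {
    Start-Service ntds                        # "net start ntds"
}
```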

Cleaning Directory Metadata

As your AD DS implementation ages, you’ll probably be left with some junk: old computer accounts that refer to PCs you dumped a long time ago, domain controllers you removed from service without first decommissioning them within AD DS, and other detritus. Every so often, it’s a good idea to clean out this old data so bugs that are hard to track (and therefore are hard to troubleshoot) don’t pop up, and so future major AD DS actions, such as renaming or removing a domain, aren’t held up because of a junked-up directory.

Let’s say we have a child domain, called cluster.hasselltech.local, which we want removed. To do this, we again will use the NTDSUtil tool and its metadata cleanup feature. To begin, go to a domain controller and log in as an enterprise administrator. Then follow these steps:

  1. Open a command prompt.

  2. Type ntdsutil to open the program.

  3. Type metadata cleanup to enter that part of the program.

  4. Type connections to receive the Server Connections prompt.

  5. Enter connect to server localhost to initiate a connection with the current domain controller.

  6. Type quit to exit that module.

  7. Now, type select operation target and press Enter.

  8. Type list domains to get a list of domains.

  9. NTDSUtil will bring up a list of domains in your system. In our example, cluster.hasselltech.local comes up as domain 2. So, to set the domain in our sights to destroy, type select domain 2 and press Enter.

  10. Next, you’ll need to determine the site in which cluster.hasselltech.local resides. Type list sites to bring up a list like you saw in steps 8 and 9.

  11. In our case, cluster.hasselltech.local resides in site CHARLOTTE, which comes up as site 3 in our list. So, type select site 3 and press Enter.

  12. Now you need to get rid of the domain controllers in that domain. Find out what those machines are by typing list servers for domain in site and pressing Enter.

  13. There are two domain controllers, numbered 0 and 1. You need to get rid of both, so type select server 0 and press Enter.

  14. Type quit, and then type remove selected server. Confirm your choice.

  15. Type select server 1 and press Enter.

  16. Type remove selected server, and again confirm your choice.

  17. Finally, type remove selected domain and press Enter.

  18. Type quit to exit out of NTDSUtil.
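Picking servers by list number is error-prone, and since Windows Server 2003 SP1 ntdsutil accepts the server's distinguished name on "remove selected server". The following is an added example, not from the original post; it assumes the ActiveDirectory module, enterprise admin rights on a DC of the forest root, and the post's cluster.hasselltech.local domain, and it finds the domain controllers that still have metadata for that domain before removing them one at a time:

```powershell
# Added example, not from the original post. Lists the NTDS Settings objects
# that still claim to host the child domain, then removes each server's
# metadata with ntdsutil's one-shot form (connections + remove selected server,
# as in steps 4 to 14). Assumes the ActiveDirectory module and enterprise admin.
Import-Module ActiveDirectory
$domainDn = 'DC=cluster,DC=hasselltech,DC=local'      # domain being removed (from the post)
$config   = (Get-ADRootDSE).configurationNamingContext

# Every DC has an nTDSDSA object at CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...;
# msDS-HasDomainNCs names the domain partition(s) that DC hosts.
$dsas = Get-ADObject -SearchBase "CN=Sites,$config" `
        -LDAPFilter "(&(objectClass=nTDSDSA)(msDS-HasDomainNCs=$domainDn))"

foreach ($dsa in $dsas) {
    # the server object is the parent of the NTDS Settings object
    $serverDn = $dsa.DistinguishedName -replace '^CN=NTDS Settings,', ''
    Write-Host "Stale DC metadata for $domainDn : $serverDn"
    if ((Read-Host 'Remove this server (y/n)') -ne 'y') { continue }
    & ntdsutil.exe 'metadata cleanup' connections 'connect to server localhost' quit `
        "remove selected server $serverDn" quit quit
}
```

Removing the domain itself (step 17) still needs the interactive select operation target sequence from the steps above, since ntdsutil selects domains by list number.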

