Troubleshooting group policy

Posted on By Mark Wilson

I picked up the following advice for troubleshooting application of group policy objects (GPOs) from John Howard at a recent Microsoft TechNet UK event and thought it might be useful if I posted it here:

  1. Is the client operating system Windows 2000 or later? Group policy is not available with legacy clients.
  2. Are computer and user accounts valid in the Active Directory (AD) domain? Group policy is not available with NT domains.
  3. Are the accounts in the correct organizational unit (OU)?
  4. Can clients access the sysvol share on the domain controller? GPOs are partly stored in AD, but also within sysvol.
  5. Is AD replicating correctly? AD information and sysvol information are replicated via the file replication service (FRS).
  6. What is the connectivity like between the client and the nearest domain controller (it may be useful to know that slow link detection relies on ICMP – if ICMP is disabled then this may cause some issues and further information is contained in Microsoft knowledge base article 816045).
  7. Have changes been made to the default policies that may be causing issues? Microsoft recommend that the default policies are not changed, but instead to new policies created to override the defaults (policy precedence is discussed in the priority order for the application of GPOs post from September 2004.
  8. Check DNS – Microsoft UK claim that 50% of the GPO calls received by their product support services (PSS) division are actually DNS issues.

If none of the above resolve the issue, then the issue is likely to be with a GPO itself and there are several tools available to assist with diagnosing this. The group policy modelling wizard and group policy results wizard (which includes WMI filtering) are both included within the group policy management console (GPMC), a free download from Microsoft which also provides reports on policy settings (discussed in the new features of Windows Server 2003 Active Directory post from February 2005). GPMC makes use of the resultant set of policy (RSoP) service to ascertain the policies that would have been applied. Although it is an older utility, the gpresult.exe command line tool (along with gpupdate.exe) is extremely useful for diagnosing the application of GPOs.

Troubleshooting DNS on a Windows server

Posted on By Mark Wilson

Earlier today, I blogged about some of the tools that are available for monitoring Active Directory (AD) enterprise replication and troubleshooting Windows authentication. Given that AD is so heavily reliant on the domain name system (DNS), it seems logical that I also list some of the tools available for monitoring and troubleshooting DNS issues.

The first port of call is the Windows version of the original Unix DNS lookup tool (nslookup.exe). Typing nslookup at a command prompt enters the nslookup shell, from where issuing the help command will list all of the available options.

The DNS server troubleshooting tool (dnscmd.exe) is a support tool for Windows 2000 Server and Windows Server 2003 (available on the Windows installation media) which allows administration of DNS from a command prompt. It extends and replaces the earlier dnsstat.exe tool provided as part of the Windows NT resource kit. The DNS server troubleshooting tool displays and changes the properties of DNS servers, zones, and resource records, manually modifying properties, creating and deleting zones and resource records, and forcing replication events between DNS server physical memory and DNS databases and data files. Some operations of the tool work at the DNS server level while others work at the zone level. Simply type dnscmd for usage information.

DNS has its own set of performance counters available under the performance monitor DNS object.

The domain controller diagnostic tool (dcdiag.exe) checks DNS functionality as part of its diagnostic tests but the command to specifically test DNS registration (which does not need to be run from a domain controller) is dcdiag /test:registerindns /dnsdomain:domainname.

The network connectivity tester (netdiag.exe) helps to isolate networking and connectivity problems by performing a series of tests to determine the state of a network client to identify and isolate network problems. Parsing the output for “DNS test” will give DNS-specific results. Type netdiag /? for usage information.

DNS debug logging may be set in the DNS server properties and creates a log file at %systemroot%\system32\dns\dns.log for further diagnosis of DNS activity.

Finally, the dnslint.exe support tool allows verification of DNS records for a specified domain name to help diagnose potential causes of incorrect delegation and other common DNS problems, producing an HTML report. Usage information can be obtained by issuing the dnslint /? command.

Monitoring Active Directory enterprise replication

Posted on By Mark Wilson

Unlike Windows NT domains, Active Directory (AD) domains have multiple masters and so all domain controller servers must be kept up-to-date with directory modifications made at other domain controllers. AD uses two forms of replication between domain controllers – directory replication is used for directory objects (users, computers, groups, etc.) and the file replication service (FRS) replicates sysvol items (login scripts, policies, etc.).

Microsoft provides a number of free tools for monitoring and troubleshooting the FRS and at a recent Microsoft TechNet UK event, John Howard demonstrated the sonar and ultrasound tools so I decided to dig a bit deeper into their potential use.

As described in Microsoft knowledge base article 815473, the FRS cannot propagate files that are open while the propagation code is running. So, if files in the sysvol director or files hosted with the distributed file system (DFS – which also uses the FRS) aren’t being replicated, it may be because a user or an application has the files open (e.g. a virus scanner, a disk optimisation tool, or a user profile). When the system encounters sharing violations in either of these situations, it doesn’t post an error message in the FRS event log stating that the file or files to be replicated were open and couldn’t be propagated, so there is a lack of diagnostic information about what went wrong.

The sonar utility (sonar.exe – taken from the Windows 2000 Server resource kit) can help troubleshoot file-sharing violations and other replication problems. Sonar monitors key replication statistics, including traffic levels, backlogs, and free space, providing feedback about any issues and optionally logging to a comma-separated value (.CSV) file.

Sonar is effectively a cut down version of the ultrasound utility, which installs WMI providers on replica members in an organisation and effectively acts as a domain controller replica with the WMI providers gathering FRS status information, which is polled and gathered by the ultrasound controller (the service component of the tool) and pushed into its own database for analysis. By using the user interface portion of ultrasound, known as the console, administrators can configure ultrasound to alert them via email of serious problems and use an incident log to keep track of changes or tasks they performed in response to alerts. Ultrasound can also be used to propagate test files.

Other tools include:

  • The file replication service diagnostics tool (frsdiag.exe), which provides a graphical interface to help troubleshoot and diagnose problems with the FRS, gathering snap-shot information about the service, performing automated tests against that data, and compiling an overview of possible problems that may exist in the environment.
  • ntfrsutl.exe, shipped with Windows Server 2003 and part of the Windows 2000 Server resource kit, which provides a snapshot view of the FRS internal state dumping the internal tables, thread and memory information for the FRS. It runs against local as well as remote servers but to access the internal information, the logged in user should have the required access on the following registry keys on the target server:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Access Checks\Get Internal Information (Full control).
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Access Checks\Get Ds Polling Interval (Read).
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Access Checks\Set Ds Polling Interval (Full Control).

The FRS monitoring and troubleshooting tools also include a MOM management pack for the FRS, an FRS monitoring help file and both reporting and scripting packs for Ultrasound.

For directory replication there are two tools of particular use, both of which are available as support tools for installation from the Windows Server 2003 media:

  • replmon.exe is the AD replication monitor, which allows an administrator to view the status of AD replication, to view the replication topology in a graphical format and to force replication between domain controller servers. Specifically, the AD replication monitor can be used to:
    • See when a replication partner fails.
    • View the history of successful and failed replication changes for troubleshooting purposes.
    • View the properties of directory replication partners.
    • Create applications or scripts to extract specific data from AD.
    • View a snapshot of the performance counters on the computer, and the registry configuration of the server.
    • Generate status reports that include direct and transitive replication partners, and detail a record of changes.
    • Find all direct and transitive replication partners on the network.
    • Display replication topology.
    • Poll replication partners and generate individual histories of successful and failed replication events.
    • Force replication.
    • Trigger the knowledge consistency checker (KCC) to recalculate the replication topology.
    • Display changes that have not yet replicated from a given replication partner.
    • Display a list of the trust relationships maintained by the domain controller being monitored.
    • Display the metadata of an AD object’s attributes.
    • Monitor replication status of domain controllers from multiple forests.
  • repadmin.exe is the replication diagnostics tool, whch assists administrators in diagnosing replication problems between domain controllers by allowing administrators to:
    • View the replication topology as seen from the perspective of each domain controller.
    • Manually create the replication topology (although in normal practice this should not be necessary as usually, the KCC manages the replication topology for each naming context).
    • Force replication events between domain controllers
    • View both the replication metadata and up-to-datedness vectors
    • Monitor the relative health of an AD forest using the replsummary, showreps, showreps /csv, and showvector /latency operations to check for replication problems.

In the case of directory failure, some of the troubleshooting tools available include:

  • dcdiag.exe – a support tool used to analyse domain controllers across the forest.
  • netdom.exe – a support tool which can help in verifying domain trust relationships and replication credentials.
  • ntdsutil.exe – provided with Windows 2000 and Windows Server 2003 for AD database maintenance, management of FSMO roles and clearing out unnecessary metadata (beware that this is an extremely powerful tool and should be used with care).

Troubleshooting Windows authentication with the Microsoft account lockout and management tools

Posted on By Mark Wilson

A few weeks back I was at a Microsoft TechNet UK event where John Howard demonstrated the free tools provided by Microsoft to troubleshoot and diagnose account lockout and management issues for Windows NT, 2000 and 2003:

  • acctinfo.dll (also included with the Windows Server 2003 resource kit tools) is installed using the regsvr32 acctinfo.dll command and extends the functionality of the Active Directory users and computers MMC snap-in, with an Additional Account Info page on the user object properties to assist in isolating and troubleshooting account lockouts and to change a user’s password on a domain controller in that user’s site. This extra page contains a variety of information, including:
    • The last time the password was set.
    • Domain password policies.
    • Password expiration date.
    • Lockout status.
    • Last good and bad logons.
  • alockout.dll can be used to create a log file to assist in diagnosing the cause of account lockout problems. It should be copied to the %systemroot%\system32 folder on the computer experiencing the lockout problems (usually a user’s workstation) and the appinit.reg script run to add alockout.dll to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs key. Once the computer is restarted and an account locked out, a log file called alockout.log will be created in the %systemroot%\debug folder. This tool should not be used on servers that host network applications or services (in particular it should not be used on Exchange servers, because it may prevent the Exchange store from starting).
  • aloinfo.exe displays the password age for user accounts to allow determination of accounts which are about to expire in order to anticipate problems before they occur. It is a command prompt tool, with two options:
    • aloinfo /expires /server:servername returns a list of user names followed by the age of their password.
    • aloinfo /stored returns a list of services and the accounts used as well as mapped drives for the currently logged on user.
  • enablekerblog.vbs can be used as a startup script to enable Kerberos logging (as described in Microsoft knowledge base article 262177) on all clients running Windows 2000 or later (it actually sets HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\LogLevel to 1, which once removed will disable Kerberos logging). When looking at Kerberos authentication issues, it is worth checking to see that the Kerberos key distribution center service is started on all domain controllers, that time synchronisation is working correctly from the PDC emulator at the root of the forest down to all client machines (Kerberos authentication will fail if the time is skewed by more than 5 minutes by default), and that both Kerberos and LDAP have service location records defined in DNS (check with nslookup _kerberos._udp.domainname and nslookup _ldap._tcp.domainname).
  • eventcombmt.exe (also included with the Windows Server 2003 resource kit tools) searches event logs on multiple computers and collects event records matching specified criteria (useful for gathering specific events from event logs on several different computers to one central location).
  • lockoutstatus.exe (also included with the Windows Server 2003 resource kit tools) determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. It can be useful in identifying if lockout problems are arising from Active Directory replication issues, as typically this means there will be two or more entries for different domain controllers.
  • nlparse.exe can be used to extract and display desired entries from the netlogon log files generated by lockoutstatus.exe or alockout.dll, parsing the logs for specific return status codes and directing the output to a comma-separated value (.CSV) file. It is also possible to enable netlogon debug logging with the nltest.exe Windows support tool, or via the registry, as described in Microsoft knowledge base article 109626.

Links

Implementing and troubleshooting account lockout (WindowSecurity.com).
Microsoft account lockout and management tools.