Username   Password       Register

Troubleshooting Active Directory Availability

The Importance of Ensuring Availability of Active Directory Dependencies, Components and Objects

As an Administrator, ensuring the availability and reliability of the Windows Server 2000 or Windows Server 2003 Active Directory directory service is extremely important if you are running Active Directory within your environment. Performance problems and poor availability leads to users being unable to perform their tasks or duties within the organization.

For instance, when a DNS server fails, it is transparent that Active Directory would be negatively affected. In order for a domain controller to replicate with other domain controllers within a domain, the domain controller has to be able to resolve host names and service locator (SRV) records. Therefore, if the DNS server used by the domain controller fails, the domain controller itself would not be able to remain operational for long. Active Directory clients would initially be able to use cached DNS records, but after these records become invalid, clients will not be able to find or connect to any domain controllers. This in turn leads to clients being unable to renew their Kerberos session tickets, which in turn makes it impossible for them to connect to any member servers. From this short discussion, you can easily conclude that ensuring the availability of the DNS server is vitally important. It is recommended to have backup DNS servers within your environment. You should also avoid the situation that Microsoft refers to as the island effect. The island effect occurs when the domain controller which is the DNS server with Active Directory integrated zones, is pointed at its own self for name resolution. In Active Directory, replication partners are located by the domain controller by performing a DNS lookup. When IP addresses are changed, the domain controller would be unable to update DNS as it would not be able to locate its replication partners, simply because it would not be able to replicate. The domain controller should typically only point to its own self as a secondary DNS server, and only if the secondary entry is to be used for a short time span. You should configure each domain controller's primary DNS server as another domain controller. This configuration is performed through the TCP/IP properties of a domain controller.

Authentication is also impacted when domain controllers fail. This is because the Kerberos tickets times out when the domain controller fails, and the client basically has to query DNS for another domain controller to authenticate again. In a site that only has one domain controller, the client is forced to perform authentication over the WAN. Based on the speed of the site link, the performance of authentication could be negatively affected.

In Active Directory, the Global Catalog contains a copy of each object in Active Directory. While Domain Local group membership and Global group membership is not stored in the Global Catalog, Universal group membership is stored in the Global Catalog. If the particular domain controller on which the Global Catalog fails, users will not be able to log on to the domain if this domain controller cannot be accessed. In Windows Server 2003, you can however enable Universal group membership caching. This is a new Windows Server 2003 Active Directory feature that enables domain controllers to cache Universal group membership information, and in turn authenticate users when the domain controller hosting the Global Catalog is unavailable. It is good practice to enable Universal group membership caching for every site that does not contain a Global Catalog server.

As an Administrator, you should monitor information on Active Directory by checking the Event Viewer logs and by monitoring performance counters. These are also typically the initial steps associated with troubleshooting the performance and availability of Active Directory. The Event Viewer i the tool used to monitor and check the directory service log. It is the directory service log that can be used to examine and analyze a vast quantity of information, including errors, alerts and warnings which can be used to determine whether the directory service is operating as should be. This makes Event Viewer an attractive tool to troubleshoot issues which relate to the functioning of Active Directory.

You can also collect and analyze Active Directory performance statistics to pinpoint any likely bottlenecks in your Active Directory configuration. You can use the System Monitor Tool included in the Performance console to set up counters to monitor Active Directory performance statistics.

The remainder of this Article focuses on the methods and utilities which can be used to troubleshoot Active Directory availability.

Troubleshooting the Directory Service Log and System Monitor

Because the Directory Service log contains information, warnings and errors generated by Active Directory, and it is typically used to troubleshoot Active Directory problems, you would need to sort out any issues relating to the Directory Service log as a matter of urgency. The same can be said of System Monitor issues, because it used to monitor the activities of NT Directory Services (NTDS) performance object. This is the performance object used to monitor Active Directory.

A few techniques for troubleshooting the issues associated with System Monitor and the directory service log are listed below.

  • If System Monitor displays gaps within graph lines, you should decrease the performance overhead of system monitoring. The problem experienced, is typically caused when a system has heavy load characteristics, and another processing activity enjoys greater priority than collecting performance data.

  • If the performance counters cease to function after a new application is installed or deployed within your environment, you probably need to restore the performance counter registry to its previous state (before the new application was installed). This usually occurs when a new application that installs its own performance counters, is installed. Performance counters typically cease to operate because the performance counter registry entries are replaced by the new application's counters.

  • If you have a situation where the value of counters are constantly reflecting zero, you should check whether the process being monitored is still running. You can restart the particular process again to view it in System Monitor. Another cause for this type of problem could be that the counter dynamic link library (DLL) was disabled once the counters have been specified. To fix this, enable the associated counter DLL.

  • If you have missing or invalid performance counters or objects, the following strategies can be used:

    • Firstly, verify that the performance counters are indeed enabled. If the counter was provided through a service, ensure that the service itself is installed, configured, and running.

    • You can use the Task Manager tool to determine whether the process being monitored is running. The problem can also be caused by the process which initiates the counters, not starting. You should also check that the counter DLL is enabled.

    • Use Event Viewer to determine whether the counter DLL or the Performance Data Helper logged errors. At times, the counter DLL which installed the counters could be causing the problem. If necessary, disable the problematic counter DLLs.

How to set logging levels for additional information

With Active Directory, the default logging level value is zero (0), which is basically the lowest logging level that can be set. Information is typically logged in Event Viewer's application log. Other values that can be specified or the logging level are 1, 2, 3, 4, and 5. A logging level of 0 just about ensures that critical errors are logged. Information that could prove essential for troubleshooting Active Directory problems is not logged.

You can however set individual logging levels for numerous components and elements of Active Directory, to assist in troubleshooting. Because a logging level of 4 or 5 for an Active Directory element typically fills the application log swiftly, you should consider raising the logging level to this level only when you need to examine additional information when troubleshooting Active Directory. System performance is also negatively impacted when the logging levels of Active Directory elements are set high. You can set individual logging levels by editing settings in the Registry, in the Diagnostics Registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics Registry subkey.

The settings included in the Diagnostics Registry subkey are listed below:

  • Knowledge Consistency Checker

  • Performance Counters

  • Initialization/Termination

  • Service Control

  • Name Resolution

  • Backup

  • Field Engineering

  • LDAP Interface Events

  • Setup

  • Global Catalog

  • Inter-site Messaging

  • Security Events

  • Group Caching

  • Linked-Value Replication

  • DS RPC Client

  • DS RPC Server

  • DS Schema

  • ExDS Interface Events

  • MAPI Interface Events

  • Replication Events

  • Garbage Collection

  • Internal Configuration

  • Directory Access

  • Internal Processing

How to use the Ntdsutil command-line utility to ensure, and troubleshoot Active Directory availability

You can use the repair options in the Ntdsutil command-line utility to ensure Active Directory availability, and when you need to troubleshoot Active Directory availability. The various repair options of the Ntdsutil utility are detailed below:

  • The Ntdsutil integrity command: The integrity command can be used to isolate corruption of the Active Directory database, and to verify the integrity of the directory service files. The integrity command has to be executed when the Active Directory database is offline, which essentially means that it has to be run from Directory Services Restore Mode. The Ntdsutilintegrity command operates at the binary level, and can therefore utilize quite some time when it runs. A semantic database analysis should be performed after the Ntdsutil integrity command has completed running.

  • The Ntdsutil semantic database analysis command: This is the main command used to verify and ensure the Active Directory database's integrity. While the Ntdsutil integrity command can be used to check the integrity of the database, it cannot check all areas of the database. The Ntdsutil semantic database analysis command on the other hand can check all areas of the Active Directory. The semantic database analysiscommand has to be executed from Directory Services Restore Mode. The elements which are checked when the semantic database analysis command runs is listed below:

  • The Semantic Checker checks that all objects have a full distinguished name, GUID and a non-zero reference count.

  • Deleted objects are checked to ensure that they do not have a distinguished name or GUID. The Semantic Checker also verifies that deleted objects have a special relative distinguished name. All deleted objects are checked to ensure that they have associated deleted date and deleted time information.

  • For data records, the references from the data table and link table are checked to ensure that they correspond to the counts for a record.

  • The Semantic Checker also verifies that each object has a property metadata vector as part of its verification of Active Directory replication.

  • It performs security descriptor checks as well. This includes the verification of valid descriptors, and verification that the discretionary access control list contains data.

  • The Ntdsutil recover command: The recover command can be used to write transactions from the database log files to the Active Directory database. This is usually necessary when some sort of system problem occurred and certain transactions are not written to the Active Directory database because of some discrepancy. The recover command also has to be executed when the Active Directory database is offline.

How to use the integrity command

  1. Reboot the computer.

  2. During startup, press F8 when prompted to do so.

  3. Choose Directory Services Restore Mode (Windows DCs only) from the Windows Advanced Options menu. Press Enter.

  4. Choose the operating system to start. Press Enter.

  5. Enter the appropriate local administrator account password when prompted to log on to the system. Click OK.

  6. When a message dialog box appears, stating that Windows is running in Safe Mode, click OK.

  7. Proceed to open a command prompt.

  8. Enter ntdsutil to access the Ntdsutil command-line utility.

  9. Enter files

  10. Enter integrity

  11. As the command runs, you can view and assess all information displayed.

  12. Enter quit

  13. Enter quit to close the Ntdsutil command-line utility.

  14. Reboot the server.

  15. It is recommended to perform a semantic database analysis after running the Ntdsutil integrity command.

How to use the semantic database analysis command

Before running the semantic database analysis command option of the Ntdsutil command-line utility, it is recommended to perform a full backup of system state data.

To run the semantic database analysis command,

  1. Reboot the computer.

  2. During startup, press F8 when prompted to do so.

  3. Choose Directory Services Restore Mode (Windows DCs only) from the Windows Advanced Options menu. Press Enter.

  4. Choose the operating system to start. Press Enter.

  5. Enter the appropriate local administrator account password when prompted to log on to the system. Click OK.

  6. When a message dialog box appears, stating that Windows is running in Safe Mode, click OK.

  7. Proceed to open a command prompt.

  8. Enter ntdsutil to access the Ntdsutil command-line utility.

  9. Enter files

  10. Enter Semantic database analysis, and press Enter.

  11. Enter Verbose on at the semantic checker prompt, and press Enter.

  12. You can now perform one of the following actions:

    • If you want to run the Semantic Checker, and not have any detected errors repaired, enter Go, and press Enter.

    • If you want to run the Semantic Checker, and have detected errors repaired, enter Go Fixup, and press Enter.

  13. As the command runs, you can view and assess all information displayed.

  14. Enter quit

  15. Enter quit to close the Ntdsutil command-line utility.

  16. Reboot the server.

How to use the recover command

  1. Reboot the computer.

  2. During startup, press F8 when prompted to do so.

  3. Choose Directory Services Restore Mode (Windows DCs only) from the Windows Advanced Options menu. Press Enter.

  4. Choose the operating system to start. Press Enter.

  5. Enter the appropriate local administrator account password when prompted to log on to the system. Click OK.

  6. When a message dialog box appears, stating that Windows is running in Safe Mode, click OK.

  7. Proceed to open a command prompt.

  8. Enter ntdsutil to access the Ntdsutil command-line utility.

  9. Enter files

  10. Enter recover

  11. As the command runs, view and analyze all information displayed.

  12. Enter quit

  13. Enter quit to close the Ntdsutil command-line utility

  14. Reboot the server.

  15. It is recommended to perform a semantic database analysis after running the Ntdsutil recover command.

 

blog comments powered by Disqus

Discuss Troubleshooting Active Directory Availability in the forums.

 
(0 - user rating)