
Quest® DirectoryTroubleshooter

Test Reference and Port Assignments

4.10


© 2009 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: [email protected]

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, DirectoryAnalyzer, NetPro and Spotlight are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

DirectoryTroubleshooter Test Reference and Port Assignments
Updated – November 2009
Software Version – 4.10


Table of Contents

Overview

DirectoryTroubleshooter Report Descriptions

Active Connections
Active Directory Diagnostic Event Logging Levels
Active Directory Disk Space
Active Directory White Space
Adapter Information
Adapter List
Advertising
Application Event Log
Authentication Methods
Automatic Private IP Addressing
Bind with RID Master
Cached Tickets
Client Domain Controller
Conflicting Objects
Connection Object Duplicates
Cross-Domain Linked Group Policy Objects
Directory Service Parameters
Disk Drives
Distributed File System Shares
DNS Configuration
DNS Event Log
DNS Zone Information
DNS Zones
Domain Configuration
Domain Controller Adapter Information
Domain Controller Advertising
Domain Controller Connection Objects
Domain Controller Consistency
Domain Controller Information
Domain Controller Owner Information
Domain Controller Processes List
Domain Controller Processors List
Domain Controller Replica State
Domain Controller Roles
Domain Controller RootDSE
Domain Controller Services


Domain Controller Site Coverage
Domain Controller Sites
Domain Controller SPNs
Domain Controllers
Domain Role Holders
Domain Security
Domain Trusts
Drivers List
Duplicate SIDS
Enterprise Configuration
Environment Variables
Event Log
FRS Event Log
FRS Log
FRS Parameters
Group Membership Consistency
Group Policy Object Consistency
Ineffective Group Policy Objects
Installed Hotfixes
IP Deny List
Last Boot Up Time
Lightweight Directory Access Protocol (LDAP) Policies
Local Loopback
Lost and Found Items
Naming Context Metadata
Naming Context Topology
Naming Context Topology Aliveness
Naming Context Uptodateness
NetLogon
NTDS Event Log
Operating System Information
Ping Domain Controller
Ping Gateway
Ping Global Catalog
Remote Access Information
Replication Failures
Replication Logon Privileges
Replication Partner DNS Resolution
Replication Partners
Replication Queue Length
RID Information


RIDs
Routing Table
Security Configuration
Security Event Log
Site Configuration
Site Information
Site Link Information
Site Messaging
System Event Log
SYSVOL Attach
SYSVOL Consistency
Time Synchronization
Tombstoned Items
Unlinked Group Policy Objects
User Consistency

DirectoryTroubleshooter Job Descriptions

Directory Service Replication Troubleshooter
Enable or Disable Domain Controller Replication
Enhance AdminSDHolder Security
FRS Troubleshooter
Manage User Account
Metadata Cleanup (Q216498)
Service Management
Set Domain Controller Site Coverage
Set Domain Controller Visibility
Set DS Log Levels (Q314980)
Set NetLogon Parameters
Set NTDS Parameters
Set NTFRS Parameters
Set Startup and Recovery Options
Start Online Defragmentation


Overview

DirectoryTroubleshooter consists of more than 100 tests that deliver the functionality of more than 15 Active Directory troubleshooting utilities. The test library is divided into two groups: Reports and Jobs. Jobs are dynamic components that allow users to modify and repair Active Directory automatically. DirectoryTroubleshooter’s Reports provide static test results in a user-friendly interface. This document briefly describes each Report and Job available in DirectoryTroubleshooter.

NOTE: “Configuration Required” means the test requires additional information before it can be executed. These are marked as: Configuration Required: Yes

NOTE: Some tests (reports and jobs) contain default settings which may optionally be configured / changed. These are marked with: Configuration Options.

NOTE: When ports 1025 and/or 1026 are already in use, a higher port may be reassigned.

NOTE: DirectoryTroubleshooter opens one UDP port (randomly assigned) for listening on startup. All other ports are TCP.
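
The port conventions in the notes above ("or above" for reassigned ports, TCP for everything except the one listening UDP port) decide what a firewall between the workstation and the domain controllers has to allow. The following is an added example, not part of the Quest guide or the product: it parses the Ports field of five entries copied from this reference and builds the smallest TCP allow-list for a chosen set of tests. The reduced entry layout, the function names and the service labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: five entries from this reference, reduced to the fields used here.
SAMPLE = """\
Active Connections
Object Type: Workstation
Ports: 389, 135, 1025 or above

Active Directory Diagnostic Event Logging Levels
Object Type: Domain Controller
Ports: 389, 3268, 1025/1026 or above

Adapter Information
Object Type: Workstation
Ports: N/A

Advertising
Object Type: Domain
Ports: 389, 135, 445, 1025 or above

Disk Drives
Object Type: Domain Controller
Ports: 135, 1025/1026 or above
"""

# Well-known service names for the fixed ports (labels added for this example).
SERVICE = {135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB", 3268: "Global Catalog LDAP"}
DYNAMIC = "dynamically assigned (or above)"


@dataclass
class Entry:
    name: str
    object_type: str = ""
    fixed: set = field(default_factory=set)
    dynamic_floor: Optional[int] = None  # lowest port of an "or above" range


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_ports(value):
    """Split one Ports value into (fixed ports, floor of the dynamic range or None)."""
    value = value.strip()
    if value.upper() == "N/A":
        return set(), None
    fixed, floor = set(), None
    for token in (t.strip() for t in value.split(",")):
        dynamic = re.fullmatch(r"(\d+(?:/\d+)*)\s+or above", token)
        if dynamic:
            low = min(_port(p) for p in dynamic.group(1).split("/"))
            floor = low if floor is None else min(floor, low)
        elif token.isdigit():
            fixed.add(_port(token))
        else:
            # Refuse to guess: an unparsed token must not turn into a missing rule.
            raise ValueError(f"unrecognised port token: {token!r}")
    return fixed, floor


def parse_entries(text):
    """Parse blank-line separated entries: a name line, then 'Key: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines() if line.strip()]
        entry = Entry(name=lines[0])
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key == "Object Type":
                entry.object_type = value.strip()
            elif key == "Ports":
                entry.fixed, entry.dynamic_floor = parse_ports(value)
        entries.append(entry)
    return entries


def allow_list(entries, wanted):
    """Return (low, high, label) TCP rules covering only the tests named in `wanted`."""
    by_name = {e.name: e for e in entries}
    missing = [name for name in wanted if name not in by_name]
    if missing:
        raise KeyError(f"no such test in the parsed reference: {missing}")
    fixed, floor = set(), None
    for name in wanted:
        entry = by_name[name]
        fixed |= entry.fixed
        if entry.dynamic_floor is not None:
            floor = entry.dynamic_floor if floor is None else min(floor, entry.dynamic_floor)
    rules = [(p, p, SERVICE.get(p, "unlabelled")) for p in sorted(fixed)]
    if floor is not None:
        # "or above" is open-ended, so the rule has to run to the top of the port space.
        rules.append((floor, 65535, DYNAMIC))
    return rules


if __name__ == "__main__":
    for low, high, label in allow_list(parse_entries(SAMPLE), ["Advertising", "Disk Drives"]):
        print(f"tcp {low}" + (f"-{high}" if high != low else "") + f"  # {label}")
```

Selecting only the tests that are actually run keeps ports such as 445 and 3268 closed when no chosen test lists them.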

DirectoryTroubleshooter Report Descriptions

Active Connections

Description: The Active Connections test gathers and displays the list of active connections for the local workstation. The results show connections, grouped by type (TCP and UDP), and include the following data:

• For TCP Connections: Local Address, Local Name, Remote Address, Remote Name, Local Port, Remote Port and Connection State

• For UDP Connections: Local Address, Local Name and Local Port

Object Type: Workstation

Command Line Equivalent: netstat -a -n

Ports: 389, 135, 1025 or above

Active Directory Diagnostic Event Logging Levels

Description: The Active Directory Diagnostic Event Logging Levels test gathers the current logging levels for the Directory Service. Logging levels can be set to: 0 (none), 1 (minimal), 3 (medium) or 5 (maximum). The current logging levels, which are unique on each domain controller, are provided for the following settings: Knowledge Consistency Checker (KCC), Security Events, ExDS Interface Events, MAPI Interface Events, Replication Events, Garbage Collection, Internal Configuration, Directory Access, Internal Processing, Performance Counters, Initialization/Termination, Service Control, Name Resolution, Backup, Field Engineering, LDAP Interface Events, Setup, Global Catalog, and Inter-site Messaging.

Object Type: Domain Controller

Command Line Equivalent: None, but REGEDIT or REGEDT32 can be used to inspect the registry of the domain controller. The key that holds these values is:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics

Ports: 389, 3268, 1025/1026 or above


Active Directory Disk Space

Description: The Active Directory Disk Space test displays file and folder locations for Active Directory components. It also provides the current storage requirements and available storage. This test checks to ensure that the configuration follows Microsoft’s Best Practices. This report is divided into the following sections:

• File Locations (location on disk, where the following items are listed)

• Page File Information

• Active Directory File Location Checks

• File Information

• Disk Usage

• SYSVOL Information

Object Type: Domain Controller

Configuration Option: By default, the maximum used space threshold is set to 90%. To modify this percentage, launch the Maximum Used Space Threshold dialog.

Command Line Equivalent: None.

Ports: 389, 135, 445, 1025/1026 or above

Active Directory White Space

Description: The Active Directory White Space test gives you an idea of recoverable space, by returning any white space events from the NTDS event log (i.e., event ID 1646 – the amount of disk space that can be recovered by performing offline defragmentation). The results include the following details:

• White Space Logging (enabled/disabled)

• White Space in Database

• Active Directory Database (DIT) Size

• Event Generated (where information was collected from)

• Number of events

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 389, 135, 1025/1026 or above

Adapter Information

Description: The Adapter Information test gathers and displays information for each network adapter in the local workstation. The results show the following information: Name, Description, MAC Address, Uses WINS, WINS Primary Server, WINS Secondary Server, DHCP Enabled, DHCP Server, DHCP Lease Obtained, DHCP Lease Expires, Type, Index, IP Enabled, IP Address, Gateway, IPX Enabled, IPX Address, Full DNS Registration Enabled, DNS Server Search Order, Domain Suffix Search Order, and Service Name.

Object Type: Workstation

Command Line Equivalent: netdiag /test:ipconfig

Ports: N/A


Adapter List

Description: The Adapter List test gathers and displays the list of network adapters for the local workstation. The results show the adapter name and description.

Object Type: Workstation

Command Line Equivalent: None. There is no equivalent command line utility that simply lists network adapters.

Ports: N/A

Advertising

Description: The Advertising test gathers and displays the roles being advertised by each domain controller in the domain specified, and verifies that all domain controllers in the domain are properly registered.

Object Type: Domain

Command Line Equivalent: dcdiag /test:advertising /s:<dcname> /v

Ports: 389, 135, 445, 1025 or above

Application Event Log

Description: Each domain controller in Active Directory stores events into six log files, which are stored locally on the server. These log files are used for auditing, reporting and troubleshooting. The Application Event Log test retrieves events from the Application Event Log for the specified domain controller.

The Application Event Log contains events generated by an application. Application vendors use the Application Event Log to store success of operations, warnings, and errors. This provides administrators with a uniform method of examining information from a variety of applications. The Application Event Log is a good place to start troubleshooting on domain controllers when an application is performing poorly or not working. Applications such as Active Directory Connector and Exchange are examples of such applications. For detailed information about what events to examine and possible remedies to specific events, please refer to the vendor or application documentation.

Since each log file is stored on each domain controller, many administrators must individually connect to each server hosting the application to examine the logs for possible errors. The process of connecting to each domain controller and searching for specific events is very time consuming. To reduce the manual effort associated with this level of troubleshooting, DirectoryTroubleshooter allows you to consolidate multiple event logs for multiple servers into a single view. The advanced sorting and filtering options also give you the power to organize the event log and locate information more quickly.

Object Type: Domain Controller

Configuration Option: By default, this test retrieves the last 1 Mb of the Application Event Log for the specified domain controller. The size is restricted for performance issues, but can be set between 1 and 1024 Mb using the Configure Maximum Event Log Read dialog.

Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs.

Ports: 389, 135, 445, 1025/1026 or above


Authentication Methods

Description: The Authentication Methods test authenticates to the specified domain controller using three methods: negotiate authenticated LDAP, NTLM authenticated LDAP and un-authenticated LDAP. The results include a list of RootDSE and Registered Service Principal Name attributes and values.

Object Type: Domain Controller

Command Line Equivalent: netdiag /test:ldap /v

Ports: 389, 135, 1025 or above

Automatic Private IP Addressing

Description: The Automatic Private IP Addressing test determines if the local workstation is configured for AutoNet. It checks if the interface is using Automatic Private IP Addressing (APIPA). When the TCP/IP protocol is configured for Dynamic IP addressing and DHCP is unavailable, Windows 2000 automatically configures a unique IP address from the private IP range 169.254.0.0-169.254.255.254 with the subnet mask 255.255.0.0. Results include the following:

• Adapter Name

• Device ID

• DHCP Enabled (True/False) - indicates if this particular adapter is using DHCP, which is required to take advantage of APIPA. If it is disabled, then the IP address is a static IP address and that IP address will always be used.

• Autoconfiguration Enabled (True/False) - indicates the value of the registry key that enables APIPA.

• IP Address (current IP address)

• APIPA (True/False) - is true if the IP address is in the range of 169.254.0.1 - 169.254.255.254; otherwise, this value is false.

Object Type: Workstation

Command Line Equivalent: netdiag /test:autonet /v

Ports: 389, 135, 1025 or above

Bind with RID Master

Description: The Bind with RID Master report tests binding (DSBind) with the RID Master for the specified domain. The results indicate success or failure, as well as the RID Master for the domain.

Object Type: Domain

Command Line Equivalent: dcdiag /s:<servername> /test:ridmanager /v

Ports: 389, 135, 1025 or above


Cached Tickets

Description: The Cached Tickets test gathers and displays the local workstation’s cached Kerberos tickets. The results show the name of the server the ticket applies to, the End Time and Renew Time for each ticket in the cache.

Object Type: Workstation

Command Line Equivalent: netdiag /test:kerberos /v

Ports: 389, 135, 1025 or above

Client Domain Controller

Description: The Client Domain Controller test shows what domain controller the client workstation is talking to and displays the roles of that domain controller. If the client workstation (local host) is not in an Active Directory domain, this test will fail with the following error: "The specified domain either does not exist or could not be contacted. (0x80004005)". The most common cause for this error is when the client workstation belongs to an NT4 domain.

Object Type: Workstation

Command Line Equivalent: repadmin /showctx /v

Ports: 389, 135, 1025 or above

Conflicting Objects

Description: The Conflicting Objects report enumerates the conflicting objects for the target naming context. This report displays the following information for both the original object and conflicting object:

• the name of the object that is conflicting

• the class of the object (e.g., user)

• the date the object was last modified

• the date the object was created and the path for the object

In addition, the report contains sections for both the original object and the conflicting object to show the recently changed attributes.

Object Type: Naming Context

Command Line Equivalent: None

Ports: 389, 135, 1025 or above

Connection Object Duplicates

Description: The Connection Object Duplicates test checks for objects with a class of “nTDSConnection” in the NTDS Settings container on the specified domain controller and reports back any duplicate objects found.

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above


Cross-Domain Linked Group Policy Objects

Description: The Cross-Domain Linked Group Policy Objects test lists the GPOs that are linked to a different domain, which Microsoft does not recommend for performance reasons. The results display the following information for each GPO that has been linked to another domain: subject domain, number of cross-domain linked GPOs, number of cross-domain links, and list of domains searched.

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above

Directory Service Parameters

Description: The Directory Service Parameters test gathers the current Directory Service configuration parameters from the specified domain controller's registry (HKLM\System\CurrentControlSet\Services\NTDS\Parameters). The results display the following parameters: Root Domain, Configuration NC, Remote Machine DN Name, Install Site Name, Machine DN Name, Remote Connection DN Name, Local Connection DN Name, Source Root Domain Server, Source Config NC Server, Source Server DNS Domain Name, Root Domain DNS Name, DSA Working Directory, DSA Database File, Database Backup Path, Database Log Files Path, Max Threads (ExDS+NSP+DRA), Replicator notify pause after modify (seconds), Replicator notify pause between DSAs (seconds), Hierarchy Table Recalculation Interval (minutes), Database Logging/Recovery, DS Drive Mappings, Performance Counter Version, Schema Version, Source Server Object GUID, Global Catalog Promotion Complete, Schema Update Allowed, and Schema DN Name.

Object Type: Domain Controller

Command Line Equivalent: None, but REGEDIT or REGEDT32 can be used to inspect the registry of the domain controller. The key that holds these values is:

HKLM\System\CurrentControlSet\Services\NTDS\Parameters

Ports: 389, 135, 1025/1026 or above

Disk Drives

Description: The Disk Drives test displays detailed information about all of the fixed drives in the selected domain controller(s): Name, Type (e.g., NTFS, FAT), Capacity, Free Space (amount and percentage), System Volume (yes/no), and whether the drive contains the AD Database, SYSVOL and/or Active Directory Log Files. Object Type: Domain Controller Command Line Equivalent: None. Ports: 135, 1025/1026 or above

Distributed File System Shares

Description: The Distributed File System Shares test displays all of the DFS shares available on a domain controller, including the following information for each DFS share: Entry Path, Volume state and timeout, Comments associated with the DFS share, and the DFS storage entry(s) associated with the name including server name, share name and storage state.

Object Type: Domain Controller Command Line Equivalent: None. Ports: 135, 445, 1025 or above

DNS Configuration

Description: The DNS Configuration test gathers and displays DNS configuration information from the specified domain controller. The results include: Registry keys and values from HKLM\System\CurrentControlSet\Services\DNS\Parameters, zones hosted on this server, DNS Service Information, and Active Directory DNS Information. Object Type: Domain Controller Command Line Equivalent:

• dnscmd <servername> /info

• A manual inspection of registry values and Active Directory DNS information.

Ports: 389, 135, 1025 or above

DNS Event Log

Description: Each domain controller in Active Directory stores events into six log files, which are stored locally on the server. These log files are used for auditing, reporting and troubleshooting. The DNS Event Log retrieves events from the DNS Server Event Log for the specified domain controller. Since each log file is stored on each domain controller, many administrators must individually connect to each server hosting the application to examine the logs for possible errors. The process of connecting to each domain controller and searching for specific events is very time consuming. To reduce the manual effort associated with this level of troubleshooting, DirectoryTroubleshooter allows you to consolidate multiple event logs for multiple servers into a single view. The advanced sorting and filtering options also give you the power to organize the event log and locate information more quickly. Object Type: Domain Controller Configuration Option: By default, this test retrieves the last 1 Mb of the DNS Server Event Log for the specified domain controller. The size is restricted for performance issues, but can be set between 1 and 1024 Mb using the Configure Maximum Event Log Read dialog. Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs. Ports: 389, 135, 1025/1026 or above

DNS Zone Information

Description: The DNS Zone Information test gathers and displays zone information for the specified domain controller. The results include DNS server and forward zone parameters and values. Object Type: Domain Controller Command Line Equivalent: dnscmd <servername> /zoneinfo <zonename> Inspect the registry for Zone records. Ports: 389, 135, 1025/1026 or above

DNS Zones

Description: The DNS Zones test looks up and lists the zones for the specified domain controller. Object Type: Domain Controller Command Line Equivalent: dnscmd <servername> /enumzones Inspect the registry for Zone records. Ports: 389, 135, 1025/1026 or above

Domain Configuration

Description: The Domain Configuration test shows domain summary information. The results include: Domain Functional Level, Tombstoned Lifetime, Domain Role Holders, Enterprise Role Holders, Object counts, Security Group counts, List of Administrative accounts in the selected domain, and Trust relationship details. Object Type: Domain Command Line Equivalent: None Ports: 389, 135, 1025 or above

Domain Controller Adapter Information

Description: The Domain Controller Adapter Information test displays information from WMI regarding the network adapters present on a domain controller. The results include the following information for each adapter: Name, Description, MAC Address, Uses WINS (true/false), WINS Primary Server, WINS Secondary Server, DHCP Enabled (true/false), DHCP Server, DHCP Lease Obtained, DHCP Lease Expires, Type, Index, IP Enabled (true/false), IP Address, Gateway, IPX Enabled (true/false), IPX Address, Full DNS Registration Enabled (true/false), DNS Server Search Order, Domain Suffix Search Order, and Service Name Object Type: Domain Controller Command Line Equivalent: ipconfig /all Ports: 135, 1025/1026 or above

Domain Controller Advertising

Description: The Domain Controller Advertising test shows the services that are being advertised by the domain controller to the Directory Service. The services that a domain controller might advertise can include:

• Directory service server for the domain

• Global catalog server

• Kerberos Key Distribution Center for the domain

• PDC of the domain

• Runs Windows Time Service for the domain

• Hosts a writeable directory service (or SAM)

Object Type: Domain Controller Command Line Equivalent: dcdiag /s:<servername> /test:advertising /v Ports: 135, 1025 or above

NOTE: The dcdiag advertising test does not show the PDC as an advertised service even though it is being advertised.

Domain Controller Connection Objects

Description: The Domain Controller Connection Objects test gathers and displays connection objects and their attributes for the specified domain controller. For each connection object, the following details are included: From Server, Site, Fully distinguished name (of connection object), Enabled Connection (True/False), When Created, When Changed, Reason Created, Original USN, Current USN, Options, Transport Type, Replication Domain(s) and Partially Replicated Domain(s). Object Type: Domain Controller Command Line Equivalent: repadmin /showconn <servername> Ports: 389, 135, 1025 or above

Domain Controller Consistency

Description: The Domain Controller Consistency test compares domain controller level configurations between two or more domain controllers in a domain. This report checks and reports on configuration items such as:

• Domain controller's LDAP query policies

• Domain controller's knowledge of role holders

• Anonymous LDAP bind information (Windows Server 2003)

• Miscellaneous policies, such as 8.3 file names enabled, LM Hash enabled, Workstation requires unlock and Pre-2000 compatibility

Object Type: Domain Configuration Options: Domain controllers to be included (Default: All domain controllers in selected domain.) Command Line Equivalent: None Ports: 389, 135, 1025/1026 or above

Domain Controller Information

Description: Domain Controller Information test displays the following information for the specified domain controller as held by the Directory Service: Domain Controller Name, NetBIOS Name, DC Address, DC Address Type, GUID, Domain Name, DNS Forest Name, Site Name, Client Site Name, Domain SID, and Domain Controller Roles. Object Type: Domain Controller Command Line Equivalent:

• nltest /server:<servername> /dsgetdc:<domainname>

• netdiag /test:member /v

Ports: 389, 135, 445, 1025 or above

Domain Controller Owner Information

Description: The Domain Controller Owner Information report tests and displays if the global advertised services are known by the specified domain controller, can be located, and are responding by pinging each. The advertised services are Global Catalog, Time Server, Preferred Time Server, Primary Domain Controller (PDC) emulator, and Key Distribution Center (KDC). The results include the server holding the service, the ping times, and other advertised services held by that server. Object Type: Domain Controller Command Line Equivalent: dcdiag /s:<servername> /test:fsmocheck /v Ports: 389, 135, 445, 1025 or above

Domain Controller Processes List

Description: The Domain Controller Processes List test displays the list of processes on a domain controller. The results include the following properties for each process: Process Name, Process ID, Handle Count, Page File Bytes, Page File Bytes Peak, Pool Paged Bytes, Pool Nonpaged Bytes and Thread Count. Object Type: Domain Controller Command Line Equivalent: None. Ports: 389, 135, 1025/1026 or above

Domain Controller Processors List

Description: The Domain Controller Processors List test displays all of the processors on a domain controller. The results include the following information for each processor: Address Width, Architecture Availability, Config Manager Error Code, Config Manager User Config (true/false), CPU Status, Current Clock Speed, Data Width, Description, Device ID, Error Cleared (true/false), Error Description, Ext Clock, Family, L2 Cache Size, L2 Cache Speed, Level, Load Percentage, Manufacturer, Max Clock Speed, Other Family Description, PNP Device ID, Power Management Supported (true/false), Processor ID, Revision, Role, Socket Designation, Status, Status Info, Unique ID, Version and Voltage Caps. Object Type: Domain Controller Command Line Equivalent: None. Ports: 389, 135, 1025/1026 or above

Domain Controller Replica State

Description: The Domain Controller Replica State test gets the state of the replicas of a domain in relation to a subject domain controller. Using the Domain Controller Replica State dialog you can specify the domain controllers to be included in the report as well as the naming context to be included (Configuration, Schema or Domain). For replication partners of the selected domain controller, this test displays the following information:

• Originating USN and domain controller of the attribute

• Highest committed USN on the partner

• Subject’s idea of the highest USN on the partner

• Objects that need to be replicated in relation to a subject domain controller

For other domain controllers in the domain, this test displays the following information:

• Originating writes that have not been replicated to the subject

• Originating USNs of the attributes

• Subject’s last known originating write from any of these non-replication DCs

NOTE: If replication occurs during the execution of this test, the information gathered prior to the replication may be out of date when the utility completes. When this happens, the replication is detected and noted in the summary section of the results.

Object Type: Domain Controller Command Line Equivalent: None. Ports: 389, 135, 1025 or above

Domain Controller Roles

Description: The Domain Controller Roles test shows the operations master roles being performed by the specified domain controller: PDC Operations Master, Schema Operations Master, Domain Naming Operations Master, RID Operations Master and Infrastructure Operations Master. Object Type: Domain Controller Command Line Equivalent: dcdiag /s:<servername> /test:rolesheld /v

In addition, the following utilities can be used to retrieve similar information:

• dcdiag /s:<servername> /test:advertising /v

• dcdiag /s:<servername> /test:fsmocheck /v

• nltest /server:<servername> /dclist:<domainname>

Ports: 389, 135, 1025 or above

Domain Controller RootDSE

Description: The Domain Controller RootDSE test displays the contents of the RootDSE object. It queries the directory for and returns the list of all RootDSE entries. Object Type: Domain Controller Command Line Equivalent: Based off of Netdiag ldap test Ports: 135, 1025

Domain Controller Services

Description: The Domain Controller Services test shows the service name, display name, startup type and status of all services on the specified domain controller as held by the Service Control Manager. Object Type: Domain Controller Command Line Equivalent: None. However, the Services snap-in can be used to retrieve similar information. Ports: 135, 1025/1026 or above

Domain Controller Site Coverage

Description: The Domain Controller Site Coverage test displays a list of the sites covered by the specified domain controller. The information is derived from the site coverage key. Object Type: Domain Controller Command Line Equivalent: nltest /dsgetsitecov Ports: 389, 135, 445, 1025/1026 or above

Domain Controller Sites

Description: The Domain Controller Sites test displays a list of all the domain controllers and the site each belongs to for the specified domain. Object Type: Domain Command Line Equivalent: nltest /server:<servername> /dclist:<domainname> Ports: 389, 135, 1025 or above

Domain Controller SPNs

Description: The Domain Controller SPNs test lists the Service Principal Name (SPN) for all services on the specified domain controller. An SPN is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout the forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. Object Type: Domain Controller Command Line Equivalent: dcdiag /s:<servername> /test:machineaccount /v Ports: 389, 135, 1025 or above

Domain Controllers

Description: The Domain Controllers test enumerates all domain controllers for the specified domain. This report uses LDAP to query Active Directory for domain controller objects, and provides the DNS host name, IP address and the distinguished name for each domain controller in the domain. Object Type: Domain Command Line Equivalent:

• nltest /server:<servername> /dclist:<domainname>

• netdiag /test:dclist /v

Ports: 389, 135, 1025 or above

Domain Role Holders

Description: The Domain Role Holders test lists all servers that hold the following operation masters:

Domain Role Holders:

• PDC Operations Master

• RID Operations Master

• Infrastructure Operations Master

Enterprise Role Holders:

• Schema Operations Master

• Domain Naming Operation Master

Object Type: Domain Command Line Equivalent: netdom query fsmo Ports: 389, 135, 1025 or above

Domain Security

Description: The Domain Security report features security information at a domain level. This report contains the following information: whether the Authenticated Users group has Read access to the AdminSDHolder object, users from other domains/forests that are members of the Administrators group, and a list of external trusts and if these trusts are quarantined. In addition, this report checks if the Guest account is disabled and if the Administrators and Guest accounts have been removed. Object Type: Domain Configuration Options: You can optionally search for users and groups with a SID History attribute that has been moved from one domain to another, using the Domain Security SID History dialog. Command Line Equivalent: None Ports: 389, 135, 445, 1025 or above

Domain Trusts

Description: The Domain Trusts test gathers and displays the domain trusts for the domain where the specified domain controller resides. The results include the following details for each domain trust: name of the trusted domain, relationship (e.g., Parent, External, etc.), transitive (yes/no), and direction (e.g., Bi-directional, Outgoing, etc.). Object Type: Domain Controller Command Line Equivalent: nltest /domain_trusts In addition, the Active Directory Domains and Trusts snap-in can be used to retrieve similar information. Ports: 389, 135, 1025 or above

Drivers List

Description: The Drivers List test displays a list of all the drivers on the specified domain controller. The results include the following properties for each driver: Display Name, Driver Name, State and Status. Object Type: Domain Controller Command Line Equivalent: None. Ports: 135, 1025/1026 or above

Duplicate SIDS

Description: The Duplicate SIDs test searches for and displays any user, group, or computer accounts with duplicate SIDs in the specified domain. Object Type: Domain Controller Command Line Equivalent:

Ntdsutil | security account management | check duplicate SID Ports: 135, 445, 1025 or above

Enterprise Configuration

Description: The Enterprise Configuration test displays forest configuration details such as:

• Forest information (forest functional level, forest root, tombstoned lifetime, and alternate UPN suffixes)

• Enterprise role holders

• Domain Partition information (partitions in forest and the number of domain controllers in each)

• Application Partitions

• Group Policy Object information (number of GPOs in each domain and total for the forest)

• Connection Object counts (number of connections objects manually created and automatically created, and the total number of connection objects)

• Connection Object details

Object Type: Forest Command Line Equivalent: None. Ports: 389, 135, 1025 or above

Environment Variables

Description: The Environment Variables test displays all of the environment settings, including both system and individual user settings, on a domain controller. The results include the following details: Variable Name, User Name, System Variable (true/false), and Variable Value. Object Type: Domain Controller Command Line Equivalent: None. Ports: 135, 1025/1026 or above

Event Log

Description: The Event Log report retrieves the events from selected event logs on the specified domain controller. This report allows you to filter events based on text, event ID, date or event status. Object Type: Domain Controller Configuration Options:

• Event logs to be included

• Maximum amount to be retrieved

• How to apply filters (match ANY or ALL)

• Text filter and fields to be searched

• Date or event ID filters

• Event status filters

Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs. Ports: 389, 135, 445, 1025/1026 or above

FRS Event Log

Description: Each domain controller in Active Directory stores events into six log files, which are stored locally on the server. These log files are used for auditing, reporting and troubleshooting. The FRS Event Log report retrieves events from the File Replication Service Event Log for the specified domain controller.

Since each log file is stored on each domain controller, many administrators must individually connect to each server hosting the application to examine the logs for possible errors. The process of connecting to each domain controller and searching for specific events is very time consuming. To reduce the manual effort associated with this level of troubleshooting, DirectoryTroubleshooter allows you to consolidate multiple event logs for multiple servers into a single view. The advanced sorting and filtering options also give you the power to organize the event log and locate information more quickly.

Object Type: Domain Controller

Configuration Option: By default, this test retrieves the last 1 Mb of the File Replication Service Event Log for the specified domain controller. The size is restricted for performance issues, but can be set between 1 and 1024 Mb using the Configure Maximum Event Log Read dialog. Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs. Ports: 389, 135, 445, 1025/1026 or above

FRS Log

Description: The FRS Log test reads and displays the FRS log files from the specified server. The FRS log files are not the same as the FRS Event Log: the FRS Log is a detailed, text-based log for troubleshooting NTFRS replication problems. The log stores transaction and event details in the Ntfrs_0001.log through Ntfrs_0005.log files. The most recent NTFRS transactions and events are written to the log with the highest version number in existence at that time. This test reads and displays only the last (most recent) megabyte (1 meg.) of text. Object Type: Domain Controller Command Line Equivalent: Manual inspection of the %SystemRoot%\Debug\ntfrs*.log files. Ports: 389, 135, 445, 1025/1026 or above

FRS Parameters

Description: The FRS Parameters test gathers and displays FRS parameters from the registry for the specified domain controller. The results include the following information stored in the registry (HKLM\System\CurrentControlSet\Services\NTFRS\Parameters). If one or more of these values does not show up in the results, it means that a corresponding value was not found in the registry.

...\Parameters

• Working Directory

• File Inclusion Filter List

• Mutual authentication [enabled or disabled]

• Staging Space Limit (in KBs)

...\Parameters\Access Checks\Dcpromo

...\Parameters\Access Checks\Get Ds

...\Parameters\Access Checks\Get Internal

...\Parameters\Access Checks\Get Perfmon

...\Parameters\Access Checks\Set Ds

...\Parameters\Access Checks\Start Ds

...\Parameters\Backup/Restore\Process at Startup

...\Parameters\Cumulative Replica Sets

• Number of Partners

• BurFlags

...\Parameters\Replica Sets

• Replica Set Name

• Replica Set Root

• Replica Set Stage

• Replica Set Type

• Replica Set Tombstoned

• Database Directory

*Access checks information includes whether access checks are enabled or disabled, and if they require full control or read only.

Object Type: Domain Controller Command Line Equivalent: None. Manually inspect the registry values in: HKLM\System\CurrentControlSet\Services\NTFRS\Parameters

Ports: 389, 135, 1025/1026 or above

Group Membership Consistency

Description: The Group Membership Consistency test checks the group membership consistency between two or more domain controllers in a domain. Once the selected groups and domain controllers are checked, this report returns whether group membership is consistent. If it is not consistent, the results include the following details for each group listed:

• Domain Controller Name

• Group exists in domain controller

• Users Consistent

• Users in Subject Group not DC Group

• Users in DC Group not Subject Group

Object Type: Domain Controller Configuration Options:

• Groups to be included (Default: All groups)

• Domain controllers to be included (Default: All domain controllers)

Command Line Equivalent: None. Ports: 389, 135, 445, 1025/1026 or above

Group Policy Object Consistency

Description: The Group Policy Object Consistency test performs a Cyclic Redundancy Check (CRC) of the Group Policy Object (GPO) files on two or more domain controllers. The results display a list of inconsistent policies found between the specified domain controllers. Object Type: Domain Configuration Options:

• Group Policy Objects to be included (Default: All GPOs)

• Domain controllers to be included (Default: All domain controllers)

Command Line Equivalent: None. Ports: 389, 135, 1025 or above
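The comparison this test describes can be reproduced by hand where no command line equivalent exists. The following is an added example, not Quest's code and not part of the original guide: it computes one CRC-32 per GPO folder in each domain controller's copy of the Policies folder and lists the GPOs whose values differ or that are missing on one side. The function names, the placeholder GUIDs and the two directory trees are constructed for illustration; the guide does not state how DirectoryTroubleshooter computes its own CRC.

```python
import tempfile
import zlib
from pathlib import Path

# Constructed GPO folder names (placeholder GUIDs, not real policies).
GPO_A = "{11111111-1111-1111-1111-111111111111}"
GPO_B = "{22222222-2222-2222-2222-222222222222}"
GPO_C = "{33333333-3333-3333-3333-333333333333}"


def gpo_crc(gpo_dir):
    """Return one CRC-32 covering every file (relative path + bytes) in a GPO folder."""
    gpo_dir = Path(gpo_dir)
    # Lower-cased relative paths give a stable order and ignore case-only differences.
    files = sorted(
        (p.relative_to(gpo_dir).as_posix().lower(), p)
        for p in gpo_dir.rglob("*") if p.is_file()
    )
    crc = 0
    for rel, path in files:
        crc = zlib.crc32(rel.encode("utf-8"), crc)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def policy_crcs(policies_root):
    """Map GPO folder name -> CRC for one domain controller's Policies folder."""
    return {
        d.name.upper(): gpo_crc(d)
        for d in Path(policies_root).iterdir() if d.is_dir()
    }


def find_inconsistent_gpos(roots):
    """roots: {dc_name: Policies path}. Return {gpo: {dc: crc or None}} for mismatches."""
    per_dc = {dc: policy_crcs(root) for dc, root in roots.items()}
    all_gpos = set().union(*per_dc.values())
    report = {}
    for gpo in sorted(all_gpos):
        # None marks a GPO folder that does not exist on that domain controller.
        seen = {dc: crcs.get(gpo) for dc, crcs in per_dc.items()}
        if len(set(seen.values())) > 1:
            report[gpo] = seen
    return report


def _write(root, gpo, rel, data):
    path = Path(root) / gpo / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def run_demo():
    """Build two constructed Policies trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        dc1, dc2 = Path(tmp) / "DC1", Path(tmp) / "DC2"
        # GPO_A: identical on both copies, so it must not be reported.
        for root in (dc1, dc2):
            _write(root, GPO_A, "GPT.INI", b"[General]\r\nVersion=3\r\n")
        # GPO_B: same file, older version number on DC2.
        _write(dc1, GPO_B, "GPT.INI", b"[General]\r\nVersion=7\r\n")
        _write(dc2, GPO_B, "GPT.INI", b"[General]\r\nVersion=6\r\n")
        # GPO_C: present on DC1 only.
        _write(dc1, GPO_C, "GPT.INI", b"[General]\r\nVersion=1\r\n")
        return find_inconsistent_gpos({"DC1": dc1, "DC2": dc2})


if __name__ == "__main__":
    for gpo, seen in run_demo().items():
        print(gpo, {dc: "missing" if c is None else f"{c:08x}" for dc, c in seen.items()})
```

CRC-32 is enough to spot replication drift between copies, but it is not collision resistant; where deliberate modification of policy files is the concern, swap in a cryptographic hash such as SHA-256.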

Ineffective Group Policy Objects

Description: The Ineffective Group Policy Objects test searches all sites, domains and organizational units and reports information regarding any policy that is not linked in the enterprise (like the Unlinked GPO Report) as well as all policies that are linked but currently in a disabled state, which renders them ineffective. The results returned are the display name of the group policy, its unique ID and a brief description of why it is considered an ineffective link (e.g., This GPO is not linked). Object Type: Domain Command Line Equivalent: None. Ports: 389, 135, 1025 or above

Installed Hotfixes

Description: The Installed Hotfixes test displays the current service pack information for a DC, including when the service pack was installed and who installed it. Object Type: Domain Controller Command Line Equivalent: None. Ports: 135, 1025/1026 or above

IP Deny List

Description: The IP Deny List test shows the list of IP addresses in the IP Deny List (Configuration/services/windows nt/Directory Service/Query-Policies/Default Query Policy/ldapdenylist/IDAPIPDenyList) for the specified server. The IP Deny List is used to provide higher levels of security for the domain controller. You can apply an IP Deny List that prevents the domain controller from accepting LDAP queries from clients that have specific IP addresses. The IP Deny List is similar to LDAP administration limits; it only alters the Default LDAP Policy object. The default LDAP policy is applied to any domain controller that has not had a specific LDAP policy applied to it or to the site in which it belongs. Object Type: Domain Controller Command Line Equivalent: Ntdsutil | ipdeny list | show Ports: 389, 135, 1025 or above

Last Boot Up Time

Description: The Last Boot Up Time test displays the last time a domain controller was booted and how long the domain controller has been running. Object Type: Domain Controller Command Line Equivalent: None. Ports: 135, 1025/1026 or above

Lightweight Directory Access Protocol (LDAP) Policies

Description: The Lightweight Directory Access Protocol (LDAP) Policies test shows the LDAP protocol policies of the specified domain controller. The results display the attributes and values for LDAP Administration limits. It also lists LDAP Admin limits that could not be found. Object Type: Domain Controller Command Line Equivalent: ntdsutil | ldap policies | show values Found in the query policy object applied to the selected domain controller Ports: 389, 135, 1025 or above

Local Loopback

Description: The Local Loopback report tests the local workstation’s network adapter by pinging the IP loopback address of 127.0.0.1. The purpose of this test is to determine if the adapter is functioning. The results display the ping time. Object Type: Workstation Command Line Equivalent: netdiag /test:iploopbk /v Ports: 389, 135, 1025 or above

Lost and Found Items

Description: The Lost and Found Items test shows the lost and found items for the specified naming context (either a domain or the Configuration container). For example, if an object is being created in container ‘ABC’ on domain controller ‘A’ while container ‘ABC’ is being deleted on domain controller ‘B’, the item being created will be placed in the lost and found container after replication occurs. The results show the last known parent of the item and its location in the lost and found hierarchy. Items are grouped by object class in this report.

NOTE: This report is NOT available for the Schema Naming Context. The Schema Naming Context does not need tombstoned items or a lost and found container because items cannot be deleted from the Schema.

Object Type: Domain or Configuration Naming Context Command Line Equivalent: None. Ports: 389, 135, 1025 or above

Naming Context Metadata

Description: The Naming Context Metadata test gathers and displays the following information for each domain controller in the specified naming context: Local USN, Originating DSA, Originating USN, Originating Time/Date, Version and Attribute. Object Type: Naming Context Command Line Equivalent: repadmin /showmeta "dc=<domain>,dc=<name>" Ports: 389, 135, 1025 or above

Naming Context Topology

Description: The Naming Context Topology test checks that the generated topology is fully connected for all domain controllers, checks the connection objects and the NC header where it saves the RepsFrom and RepsTo. The results include the sites in the domains, DC Replication Topology and Intersite Replication Information.

Object Type: Naming Context Command Line Equivalent: dcdiag /test:topology /n:dc=<domain>,dc=<name> /v Ports: 389, 135, 445, 1025 or above

Naming Context Topology Aliveness

Description: The Naming Context Topology Aliveness test initiates a replication of the selected domain and reports the results of the replication. The results include the following synchronization information: source server, destination server, event, event description, and replication flags. Object Type: Domain Command Line Equivalent: dcdiag /test:cutoffservers /n:dc=<domain>,dc=<name> /v Ports: 389, 135, 445, 1025 or above

Naming Context Uptodateness

Description: The Naming Context Uptodateness test gathers and displays the Up-to-Dateness vector for the specified domain from the directory service’s state information. Object Type: Domain Command Line Equivalent: repadmin /showvector "dc=<domain>,dc=<name>" Ports: 389, 135, 1025 or above

NetLogon

Description: The NetLogon test verifies that NetLogon is running on the specified domain controller and retrieves information about the NetLogon service on the specified domain controller using WMI. The following information is returned: Logon Service Name, Logon Service Display Name, Service Status, Service Type, Service Process ID, Service Controls Accepted, Disable Password Change, Require sign or seal, Require strong key, Seal secure channel, DBFlag, Update, Sysvol Ready, Dynamic Site Name, and SysVol. The NetLogon service maintains workstations’ secure channel to a domain controller. It passes the user's credentials through a secure channel to the domain controller and returns the domain security identifiers and user rights for the user. The NetLogon service uses DNS to resolve names to IP addresses of domain controllers. Object Type: Domain Controller Command Line Equivalent: nltest /server:<servername> /query In addition, the Services snap-in for the NetLogon Services can be used to retrieve similar information. Ports: 135, 1025/1026 or above

NTDS Event Log

Description: Each domain controller in Active Directory stores events into six log files, which are stored locally on the server. These log files are used for auditing, reporting and troubleshooting. The NTDS Event Log report retrieves and displays events from the Directory Service Event Log for the specified domain controller.

Since each log file is stored on each domain controller, many administrators must individually connect to each server hosting the application to examine the logs for possible errors. The process of connecting to each domain controller and searching for specific events is very time consuming. To reduce the manual effort associated with this level of troubleshooting, DirectoryTroubleshooter allows you to consolidate multiple event logs for multiple servers into a single view. The advanced sorting and filtering options also give you the power to organize the event log and locate information more quickly.

Object Type: Domain Controller

Configuration Option: By default, this test retrieves the last 1 Mb of the Directory Service Event Log for the specified domain controller. The size is restricted for performance issues, but can be set between 1 and 1024 Mb using the Configure Maximum Event Log Read dialog.

Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs.

Ports: 135, 445, 1025/1026 or above

Operating System Information

Description: The Operating System Information test provides information about the operating systems that are installed on the selected server. It displays the name of the operating system(s), the location of the Windows and System directories, as well as version information and the service packs installed.

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 135, 1025/1026 or above

Ping Domain Controller

Description: The Ping Domain Controller test pings the specified domain controller and displays the ping times. Times that are less than 10 milliseconds are shown as "< 10 milliseconds".

Object Type: Domain Controller

Configuration Options: Number of ping attempts (Default: 4)

Command Line Equivalent: Ping <servername>

Ports: 135, 1025 or above

Ping Gateway

Description: The Ping Gateway report tests the local workstation’s gateway connectivity by pinging the gateway address. Times that are less than 10 milliseconds are shown as “< 10 milliseconds”. The purpose of this test is to verify that the gateway is reachable.

Object Type: Workstation

Configuration Options: Number of ping attempts (Default: 4)

Command Line Equivalent: Ping <GWname>

In addition, the following utility can be used to retrieve this information:

netdiag /test:defgw /v

Ports: 389, 135, 1025 or above

Ping Global Catalog

Description: The Ping Global Catalog test pings all Global Catalog servers in the specified domain. The results include the total number of GCs in the domain and the ping times for each GC.

Object Type: Domain

Configuration Options: Number of ping attempts (Default: 4)

Command Line Equivalent: Ping <GCname>

Ports: 389, 135, 1025 or above

Remote Access Information

Description: The Remote Access Information test gathers and displays the settings and status of the current active remote access connections for the specified domain controller. The results include: Entry Name, Device Type, LCP Extensions (enabled/disabled), Software Compression (enabled/disabled), Network protocols, IP Address (specified/unspecified), Name Server (s/u), IP Header Compression (enabled/disabled) and Use default gateway on remote network (enabled/disabled).

The results also include the following Connection Statistics: Bytes Transmitted/Bytes Received, Frames Transmitted/Frames Received, CRC Errors, Timeout Errors, Alignment Errors, H/W Overrun Errors, Framing Errors, Buffer Overrun Errors, Compression ratio In, Compression Ratio Out, Baud Rate (BPs) and Connection Duration.

Object Type: Domain Controller

Command Line Equivalent: netdiag /test:wan /v

In addition, the following utilities can be used to retrieve Remote Access (RAS) information:

• RASSVRMON.EXE
• RASUSERS.EXE
• RASLIST.EXE

Ports: 135, 445, 1025/1026 or above

Replication Failures

Description: The Replication Failures test gathers and displays connection and link failure information for the specified domain controller. The results include the following details for each replication partner found:

• Distinguished Name - with whom the failure occurred
• Via – transport method being used
• Last Attempt – when the replication was last attempted
• Last Result - the result of the last attempt

Object Type: Domain Controller

Command Line Equivalent: repadmin /failcache <servername>

Ports: 389, 135, 1025 or above

Replication Logon Privileges

Description: The Replication Logon Privileges test gathers and displays the replication logon privileges for the specified domain controller. The results include the following details for Domain ACLs, Schema ACLs and Configuration ACLs: Group, Owner, DACL Present (True/False), DACL Defaulted (True/False), Auto Inherit (True/False), DACL Protected (True/False), and Security Principals and Corresponding Rights.

Object Type: Domain Controller

Command Line Equivalent: dcdiag /s:<servername> /test:netlogons /v

Ports: 389, 135, 1025 or above

Replication Partner DNS Resolution

Description: The Replication Partner DNS Resolution test validates that DNS resolution is functioning properly. This report uses the same method a DC would use to resolve its replication partners and the DC’s configured DNS Server. This test displays each domain controller’s IP address and lists the DNS server IP address that they are configured to use. It also shows the records queried, the records returned by DNS including the IP address and ping response times.

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 389, 135, 1025/1026 or above

Replication Partners

Description: The Replication Partners test gathers and displays information about the specified server’s replication partners. The results are organized by inbound and outbound partners, then by context, and include, for each partner, the following information: Replication Method, Object GUID, Address, Invocation ID, Replication Flags, USNs, Last Attempt and Last Result.

Object Type: Domain Controller

Command Line Equivalent: repadmin /showreps <servername> /v

Ports: 389, 135, 1025 or above

Replication Queue Length

Description: The Replication Queue Length report displays the replication queue length for the specified domain controller. The queue contains outgoing change notifications, so if the queue length is large, it means the service is backed up or unable to process all the messages. If messages are not being processed or the queue is backed up, then replication is either not occurring or is occurring after some delay.

Object Type: Domain Controller

Command Line Equivalent: repadmin /queue <servername>

Ports: 135, 1025 or above

RID Information

Description: The RID Information test gathers the following RID information from the registry and Active Directory containers for the selected domain controller: Minimum RID, Maximum RID, RID Threshold, RID Block Size, RID Cache Size, Cached Next RID, Role Owner (RID Master Name), Available RID pool for domain, Allocation Pool, Next RID, Previous Allocation Pool and Used Pool.

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 389, 135, 1025/1026 or above

RIDs

Description: The RIDs test verifies the low and high values of RID sets for each domain controller in the specified domain. The results include values and pass/fail.

Object Type: Domain Controller

Command Line Equivalent: None. Based on a Dcdiag test.

Ports: 389, 135, 1025 or above

Routing Table

Description: The Routing Table test retrieves and displays the local workstation’s IP routing table. The results show the total number of entries found and the destination address, forward mask, and next hop address for each entry.

Object Type: Workstation

Command Line Equivalent: netdiag /test:route /v

Ports: 389, 135, 1025 or above

Security Configuration

Description: The Security Configuration test checks core security configurations on one or more domain controllers and compares them against Microsoft’s Best Practices guidelines. This report highlights any configuration parameters that exceed the recommended guidelines and provides recommendations to correct the issue(s) reported.

Object Type: Domain Controller

Command Line Equivalent: None.

Ports: 389, 135, 445, 1025/1026 or above

Security Event Log

Description: Each domain controller in Active Directory stores events into six log files, which are stored locally on the server. These log files are used for auditing, reporting and troubleshooting. The Security Event Log report retrieves and displays events from the Security Event Log for the specified domain controller.

Since each log file is stored on each domain controller, many administrators must individually connect to each server hosting the application to examine the logs for possible errors. The process of connecting to each domain controller and searching for specific events is very time consuming. To reduce the manual effort associated with this level of troubleshooting, DirectoryTroubleshooter allows you to consolidate multiple event logs for multiple servers into a single view. The advanced sorting and filtering options also give you the power to organize the event log and locate information more quickly.

Object Type: Domain Controller

Configuration Option: By default, this test retrieves the last 1 Mb of the Security Event Log for the specified domain controller. The size is restricted for performance issues, but can be set between 1 and 1024 Mb using the Configure Maximum Event Log Read dialog.

Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs.

Ports: 135, 445, 1025/1026 or above

Site Configuration

Description: The Site Configuration test checks and displays site level configurations for one or more sites, including a list of the domain controllers located in the site and the domains within the site, and details on topology generation, universal group caching, and site links.

Object Type: Site

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above

Site Information

Description: The Site Information test gathers and displays information about associated subnets, schedules, site links, and site link bridges for the specified site. Results include the following for Site Links: Name, Cost, Replication Interval and Transport.

Object Type: Site

Command Line Equivalent: None. However, the Active Directory Sites and Services snap-in can be used to retrieve similar information.

Ports: 389, 135, 1025 or above

Site Link Information

Description: The Site Link Information test gathers and displays information about associated sites, replication schedules, costs, intervals, and transports for the specified site. Results include the following details for site links: Name, Transport, Cost, Interval, Associated Sites and Schedule.

Object Type: Site

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above

Site Messaging

Description: The Site Messaging test gathers and displays inter-site messaging configuration for the specified site. Results include the following information for each transport and for each site found: Bridgehead server(s) (for specified Site), Cost, Interval and Schedule.

Object Type: Site

Command Line Equivalent: repadmin /showism

Ports: 389, 135, 1025 or above

System Event Log

Description: Each domain controller in Active Directory stores events into six log files, which are stored locally on the server. These log files are used for auditing, reporting and troubleshooting. The System Event Log report retrieves and displays events from the System Event Log for the specified domain controller.

Since each log file is stored on each domain controller, many administrators must individually connect to each server hosting the application to examine the logs for possible errors. The process of connecting to each domain controller and searching for specific events is very time consuming. To reduce the manual effort associated with this level of troubleshooting, DirectoryTroubleshooter allows you to consolidate multiple event logs for multiple servers into a single view. The advanced sorting and filtering options also give you the power to organize the event log and locate information more quickly.

Object Type: Domain Controller

Configuration Option: By default, this test retrieves the last 1 Mb of the System Event Log for the specified domain controller. The size is restricted for performance issues, but can be set between 1 and 1024 Mb using the Configure Maximum Event Log Read dialog.

Command Line Equivalent: None. The Event Viewer can be used to connect to the domain controller to read its event logs.

Ports: 135, 1025/1026 or above

SYSVOL Attach

Description: The SYSVOL Attach report tests attaching to the SYSVOL of the specified domain controller. Results show the path for which the attempt was made, as well as the actual path after connecting.

Object Type: Domain Controller

Command Line Equivalent: dcdiag /s:<servername> /test:frssysvol /v

Ports: 135, 445, 1025/1026 or above

SYSVOL Consistency

Description: The SYSVOL Consistency test performs a Cyclic Redundancy Check (CRC) of the SYSVOL content on two or more domain controllers. The report groups data based on the Policies (Group Policy Objects) and Scripts directories stored on the SYSVOL.

Object Type: Domain Controller

Configuration Options:

• File types (Scripts and/or GPOs) to be included (Default: Both file types)
• Domain controllers to be included (Default: All domain controllers)

Command Line Equivalent: None.

Ports: 389, 135, 445, 1025 or above

Time Synchronization

Description: The Time Synchronization test verifies time synchronization for the specified domain controller. The results include:

• For the specified DC: SNTP Server (yes/no), UTC Time, Local Time, Forest Root Domain (yes/no), PDC (yes/no) and Time Servers.

• For the specified DC’s Time Server: Name, SNTP Server (yes/no), UTC Time, Local Time and Difference (in seconds between Time Server and specified DC).

• If the Time Server is not a DC in the forest, the information for the Time Server will be limited to Name and SNTP Server (yes).

Command Line Equivalent: None. However, the following utilities can be used to retrieve similar information:

To get time:

• repadmin /showtime
• net time /querySNTP

To check time sync:

• netdom time <servername> /verify

Ports: 389, 135, 1025/1026 or above

Tombstoned Items

Description: The Tombstoned Items test enumerates tombstoned items. A tombstoned item is an object that has been marked for deletion by Active Directory, but whose tombstone lifetime has not expired. Tombstone lifetime is the number of days before a deleted item is removed from Active Directory (default is 60 days). The results reported are grouped by Object Class and include the following information:

• Object Name
• Relative Distinguished Name (RDN)
• Last Known Parent (only populated if the item was deleted from a Windows 2003 server)
• Expiration Date and Time

NOTE: This report is NOT available for the Schema Naming Context. The Schema Naming Context does not need tombstoned items or a lost and found container because items cannot be deleted from the Schema.

Object Type: Domain or Configuration Naming Context

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above
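An added example, not part of the Quest guide or product: a PowerShell function that lists the tombstones in a naming context and computes each expiration date from the tombstone lifetime described above. It assumes the ActiveDirectory module is available and that the AD Recycle Bin is not enabled; the function name Get-TombstoneExpiry and its parameters are hypothetical, and the deletion time is approximated by whenChanged.

```powershell
# Added example (not from the Quest guide): list tombstoned objects and when they expire.
# Assumes the ActiveDirectory module (RSAT) and rights to read deleted objects.
Import-Module ActiveDirectory

function Get-TombstoneExpiry {
    [CmdletBinding()]
    param(
        # Domain or Configuration naming context to search (hypothetical parameter).
        [string]$NamingContext = (Get-ADRootDSE).defaultNamingContext,
        # Fallback when tombstoneLifetime is not set; 60 days is the default the guide states.
        [int]$DefaultLifetimeDays = 60
    )

    # The forest-wide tombstone lifetime is stored on the Directory Service object
    # in the Configuration naming context.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $dsService = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                              -Properties tombstoneLifetime
    $lifetimeDays = $DefaultLifetimeDays
    if ($null -ne $dsService.tombstoneLifetime) {
        $lifetimeDays = [int]$dsService.tombstoneLifetime
    }

    # -IncludeDeletedObjects makes the search return deleted objects as well.
    # The Deleted Objects container itself carries isDeleted=TRUE, so it is filtered out.
    $tombstones = Get-ADObject -SearchBase $NamingContext -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -Properties whenChanged, lastKnownParent

    $now = Get-Date
    foreach ($item in $tombstones) {
        # A tombstone's name is "<original name><newline>DEL:<guid>"; keep the original part.
        $originalName = ($item.Name -split "`n")[0]

        # whenChanged is used as the deletion time (an approximation).
        $expires = $item.whenChanged.AddDays($lifetimeDays)

        [pscustomobject]@{
            ObjectClass     = $item.ObjectClass
            ObjectName      = $originalName
            LastKnownParent = $item.lastKnownParent   # empty on tombstones without this attribute
            Deleted         = $item.whenChanged
            Expires         = $expires
            DaysLeft        = [math]::Floor(($expires - $now).TotalDays)
        }
    }
}

# Group the output by object class, soonest expiry first, as the report above does.
Get-TombstoneExpiry | Sort-Object ObjectClass, Expires | Format-Table -AutoSize
```

Pass the Configuration naming context as -NamingContext to cover the second object type the test supports.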

Unlinked Group Policy Objects

Description: The Unlinked Group Policy Objects report looks at all the GPOs for a given domain and searches the forest to determine which GPOs are not linked at the site, domain or organizational unit level. Being a forest-wide search, it will detect cross-domain linking of GPOs. The results returned are the display name of the group policy and its unique ID (CN).

Object Type: Domain

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above

User Consistency

Description: The User Consistency test checks the consistency of user objects between two or more domain controllers in a domain. This report verifies that each user object exists and that its group member list and other attributes are the same on each domain controller.

Object Type: Domain Controller

Configuration Options:

• Users to be included (Default: All users)
• Domain controllers to be included (Default: All domain controllers)

Command Line Equivalent: None.

Ports: 389, 135, 1025 or above

DirectoryTroubleshooter Job Descriptions

Directory Service Replication Troubleshooter

Description: The Directory Service Replication Troubleshooter performs a series of actions to assist in troubleshooting replication problems. These actions include:

• show the subject domain controller’s replication partners and the data and results of the last replication, consecutive failures, last errors, etc.

• show the connection objects for the subject domain controller and highlight any missing connection objects

• query the DNS servers for the subject domain controller for the object and each replication partner

• ping the subject domain controller and its replication partners using the IP addresses gleaned from DNS

• compare each domain controller’s adapter’s IP address with the entries in the subject’s DNS server

• compare each subject’s IP address with the entries in its replication partner’s DNS servers

• determine whether the IP address for the replication partners in the subject’s DNS server matches the replication partner’s adapter information

• optionally, run a replica consistency check against the subject to automatically regenerate missing connection objects

• optionally, try to force any failed replication to retry

Configuration Option: By default, the replication troubleshooter will run a replica consistency check against the selected domain controller and attempt to force a replication with any partners that failed. To disable either of these options, use the Configure button at the top of the Test Progress dialog. This will display the Replication Troubleshooter dialog where you can enable/disable either of these options.

Object Type: Domain Controller

Command Line Equivalent: repadmin or replmon

Ports: 389, 135, 1025/1026 or above

Enable or Disable Domain Controller Replication

Description: The Enable or Disable Domain Controller Replication job allows you to enable or disable inbound and/or outbound replication on a domain controller. This job will launch the Enable or Disable Domain Controller Replication dialog allowing you to specify the appropriate inbound and outbound replication options for your environment.

Object Type: Domain Controller

Command Line Equivalent:

repadmin /options (+/-)DISABLE_INBOUND_REPL
repadmin /options (+/-)DISABLE_OUTBOUND_REPL

Configuration Required: Yes

Ports: 389, 135, 1025 or above

Enhance AdminSDHolder Security

Description: The Enhance AdminSDHolder Security job allows you to remove read access for Authenticated Users from the security descriptor on the AdminSDHolder object to tighten security. In addition, to mitigate the risk of removing the read access for Authenticated Users, the Enhance AdminSDHolder Security dialog, which is used to configure this test, allows you to create a new group or select a pre-configured group with the required access.

Object Type: Domain

Command Line Equivalent: None

Configuration Required: Yes

Ports: 389, 135, 445, 1025 or above

FRS Troubleshooter

Description: The FRS Troubleshooter complements the Directory Service Replication Troubleshooter, checking to see if FRS is functioning and replicating properly. This job gets FRS replication partners, testing them for connectivity and for system volume information.

Configuration Option: By default, this job will not restart the FRS service on any domain controller if the service is not running. To change this default setting, launch the FRS Troubleshooter dialog. In addition, from this dialog, you can specify to check the SYSVOL files for filtering and size if some files are not replicating as expected.

Object Type: Domain Controller

Command Line Equivalent: None

Ports: 389, 135, 445, 1025/1026 or above

Manage User Account

Description: The Manage User Account job allows you to perform the following actions on a user account against the specified domain:

• Unlock account
• Enable/disable account
• Set “User must change password at next logon”
• Set account expiration information
• Reset the password

Object Type: Domain

Command Line Equivalent: None.

Configuration Required: Yes

Ports: 389, 135, 445, 1025/1026 or above

Metadata Cleanup (Q216498)

Description: The Metadata Cleanup job removes data in Active Directory after an unsuccessful domain controller demotion. The DCPROMO (Dcpromo.exe) utility is used to promote a server to a domain controller and to demote a domain controller to a member server (or a stand-alone server in a workgroup when the domain controller is the last one in the domain). When a server is promoted to a domain controller, configuration data is added to Active Directory. This information indicates how the domain controller is recognized by its replication partners, what Active Directory naming contexts are stored on that domain controller, whether it’s a global catalog, and its default query policy, etc. As part of the demotion process, the DCPROMO utility removes the configuration data for the domain controller from Active Directory. Sometimes when a domain controller is no longer needed or exhibits a failure, this configuration information is not removed. This typically happens when:

• Something fails in the process during the demotion of a domain controller.
• A hardware or software failure prevents an administrator from using the DCPROMO utility.
• Test machines or other domain controllers are taken offline without being properly demoted.

Object Type: Domain Controller

Command Line Equivalent: NTDSUTIL

Configuration Required: Yes

Ports: 389, 135, 445, 1025/1026 or above

Service Management

Description: The Service Management job allows you to manage Windows services across multiple domain controllers, which includes performing the following tasks:

• starting/stopping/pausing/resuming a service on a DC
• adding a service
• setting/modifying the startup type of a service

Object Type: Domain Controller

Command Line Equivalent: None. However, the Services MMC snap-in displays all the services installed on a domain controller and allows a user to start, stop, pause and resume these services.

Configuration Required: Yes

Ports: 389, 135, 445, 1025/1026 or above

Set Domain Controller Site Coverage

Description: The Set Domain Controller Site Coverage job allows you to set the sites that a domain controller will cover and enable/disable automatic site coverage for the domain controller.

Object Type: Domain Controller

Command Line Equivalent: None. However, regedit.exe can be used to modify the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Configuration Required: Yes

Ports: 389, 135, 1025/1026 or above

Set Domain Controller Visibility

Description: The Set Domain Controller Visibility job allows you to set the SRV weight of DNS records, change the record priorities to control how clients within a site use domain controllers, and/or control the visibility of domain controllers in a site.

Object Type: Domain Controller

Command Line Equivalent: None. However, regedit.exe can be used to modify the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Configuration Required: Yes

Ports: 389, 135, 1025/1026 or above

Set DS Log Levels (Q314980)

Description: The Set DS Log Levels job displays the current DS log levels and allows you to modify these log levels. By default, Active Directory records only critical events and error events in the Directory Service log. To configure Active Directory to record other events, you must increase the log level. The following list includes the type of events that can be written to the Directory Service event log.

• Knowledge Consistency Checker (KCC)
• Security Events
• ExDS Interface Events
• MAPI Interface Events
• Replication Events
• Garbage Collection
• Internal Configuration
• Directory Access
• Global Catalog
• Inter-site Messaging
• Internal Processing
• Setup
• Initialization/Termination
• Service Control
• Name Resolution
• Backup
• Field Engineering
• LDAP Interface Events
• Performance Counters 1
• Performance Counters 2

Each of these entries can be assigned a value of 0 - 5. These log levels are described below:

• 0 (none) – Only critical events and error events are logged. This is the default setting for all entries, and should not be modified unless a problem occurs that you want to investigate.

• 1 (minimal) – Logs very high-level events. Events may include one message for each major task that is performed by the service. Use this setting to start an investigation when you do not know the location of the problem.

• 2 (basic) - Logs some detailed information for each task performed by the service.

• 3 (medium) – Logs more detailed information than the lower levels, such as steps that are performed to complete a task. Use this setting when you have narrowed the problem to a service or group of categories.

• 4 (verbose) - Logs even more details for each step performed to complete a task.

• 5 (maximum) – The most verbose debugging level.

Object Type: Domain Controller

Command Line Equivalent: None. However, regedit.exe can be used to modify the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Configuration Required: Yes

Ports: 135, 1025/1026 or above
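An added example, not part of the Quest guide or product: a PowerShell function that reads the Diagnostics registry key named above on one or more domain controllers and lists every entry left above the default level 0, using the level names from the list above. The function name Get-DsLogLevel is hypothetical, and remote queries assume the Remote Registry service is reachable on the target.

```powershell
# Added example (not from the Quest guide): find Directory Service diagnostic
# logging entries that have been left above the default level 0.
$DiagnosticsSubKey = 'SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Level names as listed in the guide.
$LevelNames = @{ 0 = 'none'; 1 = 'minimal'; 2 = 'basic'; 3 = 'medium'; 4 = 'verbose'; 5 = 'maximum' }

function Get-DsLogLevel {
    [CmdletBinding()]
    param(
        # Domain controllers to query; an empty string means the local machine.
        [string[]]$ComputerName = @('')
    )

    foreach ($computer in $ComputerName) {
        $label = $env:COMPUTERNAME
        if ($computer) { $label = $computer }

        $base = $null
        $key  = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $base.OpenSubKey($DiagnosticsSubKey)
            if ($null -eq $key) {
                Write-Warning "${label}: Diagnostics key not found (not a domain controller?)"
                continue
            }

            foreach ($name in $key.GetValueNames()) {
                if (-not $name) { continue }          # skip the unnamed default value

                # Entries are numeric; anything else is reported as unexpected.
                $level = $key.GetValue($name) -as [int]
                $levelName = 'unexpected value'
                if ($null -ne $level -and $LevelNames.ContainsKey($level)) {
                    $levelName = $LevelNames[$level]
                }

                [pscustomobject]@{
                    Computer  = $label
                    Entry     = $name
                    Level     = $level
                    LevelName = $levelName
                }
            }
        }
        catch {
            Write-Warning "${label}: $($_.Exception.Message)"
        }
        finally {
            if ($key)  { $key.Close() }
            if ($base) { $base.Close() }
        }
    }
}

# Entries still above level 0 after an investigation has finished are the ones to review.
Get-DsLogLevel |
    Where-Object { $_.Level -ne 0 } |
    Sort-Object Computer, Entry |
    Format-Table -AutoSize
```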

Set NetLogon Parameters

Description: The Set NetLogon Parameters job allows you to set values under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The following parameters can be altered:

• AllowRepInNonMixed
• AutoSiteCoverage
• AvoidPdcOnWan
• BackgroundRetryInitialPeriod
• BackgroundRetryMaximumPeriod
• BackgroundRetryQuitTime
• BackgroundSuccessfulRefreshPeriod
• ChangeLogSize
• CloseSiteTimeout
• DisablePasswordChange
• DNSRefreshInterval
• DNSTtl
• DnsUpdateOnAllAdapters
• DuplicateEventLogTimeout
• ExpectedDialupDelay
• MailslotDuplicateTimeout
• MailslotMessageTimeout
• MaxConcurrentApi
• MaximumLogFileSize
• MaximumMailslotMessages
• MaximumPasswordAge
• NegativeCachePeriod
• NonBackgroundSuccessfulRefreshPeriod
• RefusePasswordChange
• RegisterDnsARecords
• RequireSignorSeal
• RequireStrongKey
• ScavengeInterval
• SealSecureChannel
• SignSecureChannel
• SiteNameTimeout
• UseDynamicDns

Object Type: Domain Controller

Command Line Equivalent: None. However, you could use the regedit.exe utility.

Configuration Required: Yes

Ports: 135, 1025/1026 or above

Set NTDS Parameters

Description: The Set NTDS Parameters job allows you to set values under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. The following parameters can be altered:

• CriticalLinkFailuresAllowed
• Expensive Search Results Threshold
• GlobalCatalogDelayAdvertisement (sec)
• Hierarchy Table Recalculation interval (minutes)
• Inefficient Search Results Threshold
• IntersiteFailuresAllowed
• KCC site generator renewal interval (minutes)
• KCC site generator fail-over (minutes)
• Max Threads (ExDS+NSP+DRA)
• MaxFailureTimeForCriticalLink
• MaxFailureTimeForIntersiteLink (secs)
• MaxFailureTimeForNonCriticalLink
• NonCriticalLinkFailuresAllowed
• Repl topology update delay (secs)
• Repl topology update period (secs)
• Replicator notify pause after modify (secs)
• Replicator notify pause between DSAs (secs)
• Replicator async inter site packet size (bytes)
• Replicator async inter site packet size (objects)
• Replicator intra site packet size (bytes)
• Replicator intra site packet size (objects)
• Replicator inter site packet size (bytes)
• Replicator inter site packet size (objects)
• Schema Update Allowed
• TCP/IP Port

Object Type: Domain Controller
Command Line Equivalent: None. However, you could use the regedit.exe utility.
Configuration Required: Yes
Ports: 389, 135, 1025/1026 or above

Set NTFRS Parameters

Description: The Set NTFRS Parameters job creates log files for troubleshooting NTFRS replication problems. The Set NTFRS Parameters job allows you to enable or disable logging and set logging options under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters

Object Type: Domain Controller
Command Line Equivalent: None. However, you could use the regedit.exe utility.
Configuration Required: Yes
Ports: 389, 135, 445, 1025/1026 or above

Set Startup and Recovery Options

Description: The Set Startup and Recovery Options job allows you to view or modify the system startup, system failure and debugging information for the selected domain controller. This job must be configured individually for each domain controller; that is, you cannot select multiple domain controllers to execute this job against.

When this job is selected, the Set Startup and Recovery Options Editor will be launched, which is a wizard that presents you with a variety of options that can be added to your boot.ini file. Upon completing the wizard, you will be presented with both your current boot.ini file and the new proposed one. Select the Finish button when you are satisfied with the proposed changes. DirectoryTroubleshooter will back up your current boot.ini file on the subject domain controller and replace it with the newly configured file.

Object Type: Domain Controller
Command Line Equivalent: None.
Configuration Required: Yes
Ports: 389, 135, 445, 1025/1026 or above


Start Online Defragmentation

Description: The Start Online Defragmentation job allows you to initiate a garbage collection and/or online defragmentation for the Active Directory database on the selected domain controller(s). When this job is selected, the Online Defragmentation dialog will be displayed allowing you to select whether to initiate the garbage collection process prior to running the online defragmentation or just perform an online defragmentation.

Object Type: Domain Controller
Command Line Equivalent: None.
Ports: 389, 135, 1025/1026 or above

