Quick reference for diagnosing and resolving Active Directory issues in enterprise environments.

Domain Controller Health

Check DC Status

Quick Health Check

Lang: powershell
# Check DC services
Get-Service -Name ADWS,KDC,NTDS,DNS

# Check replication status
repadmin /replsummary

# Show all DCs in domain
Get-ADDomainController -Filter *

DCDiag - Comprehensive Tests

Lang: cmd
:: Run all diagnostic tests
dcdiag /v

:: Test specific DC
dcdiag /s:DC01 /v

:: Test DNS
dcdiag /test:DNS

:: Test replication
dcdiag /test:Replications

Check FSMO Roles

View FSMO Role Holders

Lang: powershell
# Show all FSMO roles
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

# Alternative using netdom
netdom query fsmo

Transfer FSMO Roles

Lang: powershell
# Transfer PDC Emulator role
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator

# Transfer all roles
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,DomainNamingMaster,SchemaMaster

Seize FSMO Roles (Use only if original DC is permanently offline)

Lang: cmd
ntdsutil
roles
connections
connect to server DC02
quit
seize rid master
quit
quit

Replication Issues

Check Replication Status

View Replication Partners

Lang: cmd
repadmin /showrepl

Check Replication Errors

Lang: cmd
:: Show replication failures
repadmin /showrepl /errorsonly

:: Show replication summary
repadmin /replsummary

:: Queue status
repadmin /queue
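
Added example (not part of the original cheat sheet): the same repadmin data as objects. It parses `repadmin /showrepl * /csv`, which queries every DC in the forest, and lists only the inbound partnerships that have failures or have not succeeded within a given window, so a large forest can be triaged without reading the full text output.

```powershell
# Added example: turn "repadmin /showrepl * /csv" into objects and flag
# partnerships with failures or no recent success. Requires RSAT and rights
# to query every DC ("*" asks each DC for its inbound replication links).
function Get-ReplicationFailures {
    param([int]$MaxHoursSinceSuccess = 24)

    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'

        # "Last Success Time" is a timestamp, or empty/"0" if it never succeeded
        $lastOk  = [datetime]::MinValue
        $hasLast = [datetime]::TryParse($r.'Last Success Time',
                       [cultureinfo]::InvariantCulture,
                       [System.Globalization.DateTimeStyles]::None, [ref]$lastOk)
        $stale = (-not $hasLast) -or
                 ($lastOk -lt (Get-Date).AddHours(-$MaxHoursSinceSuccess))

        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = if ($hasLast) { $lastOk } else { $null }
                LastStatus    = $r.'Last Failure Status'   # e.g. 8524, 1722, 8453
            }
        }
    }
}

Get-ReplicationFailures | Sort-Object Failures -Descending | Format-Table -AutoSize
```

The LastStatus column holds the numeric error from the table of common replication errors, so the output maps directly onto the fixes listed there.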

Force Replication

Replicate from Specific DC

Lang: cmd
:: Replicate all partitions on all DCs (/A all partitions, /d show DNs, /e cross-site, /P push)
repadmin /syncall /AdeP

:: Pull DC=domain,DC=com to DC02 from DC01 (arguments: destination DC, source DC, naming context)
repadmin /replicate DC02 DC01 DC=domain,DC=com

Trigger KCC to Generate Topology

Lang: cmd
repadmin /kcc

Common Replication Errors

Error Code | Issue                          | Solution
-----------|--------------------------------|----------------------------------
8524       | DNS lookup failure             | Check DNS configuration
8453       | Replication access denied      | Check service account permissions
1722       | RPC server unavailable         | Check firewall, RPC service
8606       | Insufficient attributes        | Check object permissions
8614       | Replication blocked by policy  | Check site link schedule

Fix Replication

Reset Replication

Lang: cmd
:: Check DC01 for lingering objects in DC=domain,DC=com against a reference DC identified by its DSA GUID (from repadmin /showrepl)
:: /advisory_mode only reports what would be removed; rerun without it to actually delete the objects
repadmin /removelingeringobjects DC01.domain.com <GUID> DC=domain,DC=com /advisory_mode

User Account Issues

Account Lockouts

Check Lockout Status

Lang: powershell
# Check if user is locked out
Get-ADUser -Identity username -Properties LockedOut,LastBadPasswordAttempt

# Unlock account
Unlock-ADAccount -Identity username

# Find lockout source (event 4740; every lockout is forwarded to the PDC emulator, so query it there)
Get-EventLog -LogName Security -InstanceId 4740 -Newest 10

Find Lockout Source

Lang: powershell
# Check all DCs for lockout events
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{
        LogName='Security'
        ID=4740
    } -MaxEvents 5 -ErrorAction SilentlyContinue
}
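
Building on the loop above, this added example (not code from the original page) collects the 4740 events from every DC, pulls the locked-out user and the calling computer out of each event's XML, and groups the results so the host sending the bad passwords stands out. It assumes RSAT and read access to each DC's Security log.

```powershell
# Added example: correlate 4740 lockout events across all DCs and group
# them by user and calling computer. Needs RSAT and rights to read each
# DC's Security log.
Import-Module ActiveDirectory

function Get-LockoutSources {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxPerDC = 200
    )
    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Security'
            ID        = 4740
            StartTime = $Since
        } -MaxEvents $MaxPerDC -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Read fields by name from the event XML rather than by index.
            # In event 4740 the TargetDomainName field carries the caller
            # computer name, i.e. the host the failed logons came from.
            $field = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $field[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time       = $e.TimeCreated
                User       = $field['TargetUserName']
                CallerHost = $field['TargetDomainName']
                LoggingDC  = $dc.HostName
            }
        }
    }
    # One row per user/caller pair with a hit count, newest first
    $results | Group-Object User, CallerHost | ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            User       = $latest.User
            CallerHost = $latest.CallerHost
            Lockouts   = $_.Count
            LastSeen   = $latest.Time
            DCs        = ($_.Group.LoggingDC | Sort-Object -Unique) -join ','
        }
    } | Sort-Object LastSeen -Descending
}

Get-LockoutSources -Since (Get-Date).Date | Format-Table -AutoSize
```

A caller host that appears for many different users at once usually points to a shared service or a scheduled task with a stale credential rather than to the users themselves.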

Password Issues

Reset Password

Lang: powershell
# Reset user password
Set-ADAccountPassword -Identity username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewP@ssw0rd!" -Force)

# Force password change at next logon
Set-ADUser -Identity username -ChangePasswordAtLogon $true

Check Password Policy

Lang: powershell
# View default password policy
Get-ADDefaultDomainPasswordPolicy

# View fine-grained password policies
Get-ADFineGrainedPasswordPolicy -Filter *

# Check which policy applies to user
Get-ADUserResultantPasswordPolicy -Identity username

Account Expiration

Check Account Expiration

Lang: powershell
# Check if account is expired
Get-ADUser -Identity username -Properties AccountExpirationDate

# Set expiration date
Set-ADAccountExpiration -Identity username -DateTime "12/31/2025"

# Remove expiration
Clear-ADAccountExpiration -Identity username

Group Policy Issues

GPUpdate and Refresh

Force Group Policy Update

Lang: cmd
:: Update all policies
gpupdate /force

:: Update computer policies only
gpupdate /target:computer /force

:: Update user policies only
gpupdate /target:user /force

View Applied Policies

Lang: cmd
:: Show resultant set of policies (RSoP)
gpresult /r

:: Generate HTML report
gpresult /h c:\temp\gpresult.html

:: Detailed verbose output
gpresult /v

Group Policy Troubleshooting

Check GP Processing

Lang: powershell
# View GP event logs
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 20

# Check specific error events
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Where-Object {$_.LevelDisplayName -eq "Error"}

Reset Group Policy

Lang: cmd
:: Remove local GP cache (the folders are recreated on the next policy refresh)
rd /s /q "%WinDir%\System32\GroupPolicy"
rd /s /q "%WinDir%\System32\GroupPolicyUsers"

:: Re-apply all policies from scratch
gpupdate /force

Check SYSVOL Replication

Lang: cmd
:: Check SYSVOL replication status
dfsrdiag replicationstate /all

:: Check SYSVOL backlog between two DCs
dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:DC01 /rmem:DC02

DNS Issues in AD

Check AD-Integrated DNS

Verify DNS Zones

Lang: powershell
# List all DNS zones
Get-DnsServerZone

# Check AD-integrated zone
Get-DnsServerZone -Name "domain.com"

Test DNS SRV Records

Lang: cmd
:: Check domain SRV records
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com

:: Check site-specific SRV records
nslookup -type=SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.com

:: Check Kerberos SRV records
nslookup -type=SRV _kerberos._tcp.dc._msdcs.domain.com
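
The nslookup checks above show whether a record exists; this added example (not from the original page) goes one step further and verifies that every DC in the domain is present in the LDAP and Kerberos SRV records, which is what actually breaks clients when a DC's registration is missing. It assumes RSAT and that the workstation resolves the domain's DNS.

```powershell
# Added example: verify that every DC has registered its LDAP and Kerberos
# SRV records. Needs RSAT and DNS resolution for the domain.
Import-Module ActiveDirectory

function Test-DcSrvRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $checks = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain"
    )
    foreach ($name in $checks) {
        $targets = @()
        try {
            # Resolve-DnsName also returns the glue A records; keep only SRV
            $targets = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' } |
                ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
        } catch {
            Write-Warning "Lookup failed for ${name}: $($_.Exception.Message)"
        }
        foreach ($dc in $dcs) {
            [pscustomobject]@{
                Record     = $name
                DC         = $dc
                Registered = ($targets -contains $dc.ToLower())
            }
        }
    }
}

# Show only the gaps; a missing entry is fixed by restarting Netlogon on that DC
Test-DcSrvRecords | Where-Object { -not $_.Registered } | Format-Table -AutoSize
```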

Re-register DNS Records

Lang: cmd
:: Register DC DNS records
ipconfig /registerdns

:: Force netlogon to re-register
net stop netlogon
net start netlogon

Fix Missing DNS Records

Recreate SRV Records

Lang: cmd
:: Stop netlogon service
net stop netlogon

:: Delete netlogon.dns file (will be recreated)
del c:\windows\system32\config\netlogon.dns

:: Start netlogon (recreates records)
net start netlogon

Authentication Issues

Kerberos Problems

Check Kerberos Tickets

Lang: cmd
:: List current tickets
klist

:: Purge all tickets
klist purge

:: Request a new TGT (klist is the built-in Windows tool; kinit is not shipped with Windows)
klist get krbtgt/DOMAIN.COM

Test Kerberos Authentication

Lang: cmd
:: Query which account holds SPNs for a host
setspn -Q */computername

:: List SPNs for service account
setspn -L serviceaccount

Fix Time Sync Issues (Kerberos requires time sync within 5 min)

Lang: cmd
:: Check time on DC
w32tm /query /status

:: Force time sync
w32tm /resync /rediscover

:: Configure time source (on PDC)
w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
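
Added example (not from the original page): measure every DC's clock against the PDC emulator and flag anything near the 5-minute Kerberos limit before it shows up as authentication failures. It reads each DC's local time over CIM (WinRM, admin rights on the DCs assumed); the reading includes some RPC latency, which does not matter at a minute-scale threshold.

```powershell
# Added example: clock offset of every DC relative to the PDC emulator.
# Uses CIM over WinRM; needs admin rights on each DC.
Import-Module ActiveDirectory

function Get-DcClockSkew {
    param([int]$WarnSeconds = 60)

    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    function Get-RemoteTime([string]$Computer) {
        # The CIM cmdlets return LocalDateTime already converted to [datetime]
        (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer `
            -ErrorAction Stop).LocalDateTime
    }

    $pdcTime = Get-RemoteTime $pdc
    $pdcRead = Get-Date
    foreach ($dc in $dcs) {
        try {
            $t = Get-RemoteTime $dc
            # Compensate for the seconds that passed since the PDC was sampled
            $elapsed = (Get-Date) - $pdcRead
            $offset  = ($t - ($pdcTime + $elapsed)).TotalSeconds
            $abs = [math]::Abs($offset)
            $status = if ($abs -ge 300) { 'KERBEROS_BROKEN' }
                      elseif ($abs -ge $WarnSeconds) { 'WARN' }
                      else { 'OK' }
            [pscustomobject]@{ DC = $dc; OffsetSec = [math]::Round($offset, 1); Status = $status }
        } catch {
            [pscustomobject]@{ DC = $dc; OffsetSec = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
        }
    }
}

Get-DcClockSkew | Format-Table -AutoSize
```

A DC reported as KERBEROS_BROKEN needs the `w32tm /resync /rediscover` step above; a WARN usually means it is syncing from the wrong source.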

Trust Relationship Failures

Test Trust

Lang: powershell
# Test trust to domain
Test-ComputerSecureChannel -Verbose

# Repair trust relationship
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

Reset Computer Account

Lang: cmd
:: Reset secure channel to the domain
nltest /sc_reset:domain.com

:: Reset the computer account password (run on the affected machine; /pd:* prompts for the password)
netdom resetpwd /s:DC01 /ud:DOMAIN\Administrator /pd:*

Computer Account Issues

Check Computer Account Status

View Computer Account

Lang: powershell
# Get computer object
Get-ADComputer -Identity COMPUTERNAME -Properties *

# Check if account is enabled
Get-ADComputer -Identity COMPUTERNAME -Properties Enabled

# Check password last set
Get-ADComputer -Identity COMPUTERNAME -Properties PasswordLastSet

Find Inactive Computers

Lang: powershell
# Find computers not logged in for 90 days
$Date = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {LastLogonDate -lt $Date} -Properties LastLogonDate | Select-Object Name,LastLogonDate

Move Computer to Different OU

Lang: powershell
Move-ADObject -Identity "CN=COMPUTER01,OU=OldOU,DC=domain,DC=com" -TargetPath "OU=NewOU,DC=domain,DC=com"

Site and Subnets

Check Site Configuration

View Sites

Lang: powershell
# List all sites
Get-ADReplicationSite -Filter *

# List subnets
Get-ADReplicationSubnet -Filter *

# Show which site a subnet belongs to
Get-ADReplicationSubnet -Filter {Name -eq "192.168.1.0/24"}

Create Subnet

Lang: powershell
New-ADReplicationSubnet -Name "10.0.1.0/24" -Site "Branch-Office" -Location "Branch Office"

View Site Links

Lang: powershell
Get-ADReplicationSiteLink -Filter *

# View specific site link
Get-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK"

Active Directory Database Maintenance

NTDS Database

Check NTDS Database Size

Lang: cmd
dir c:\windows\ntds\ntds.dit

Compact NTDS Database (Requires AD to be offline)

Lang: cmd
:: Reboot into Directory Services Restore Mode (DSRM)
bcdedit /set safeboot dsrepair
shutdown -r -t 0

:: After reboot, compact database
ntdsutil
activate instance ntds
files
compact to c:\temp
quit
quit

:: If successful, replace old database, then delete the old transaction logs (*.log) in c:\windows\ntds as ntdsutil instructs
copy c:\temp\ntds.dit c:\windows\ntds\ntds.dit

:: Reboot normally
bcdedit /deletevalue safeboot
shutdown -r -t 0

Tombstone Lifetime

Check Tombstone Lifetime

Lang: powershell
# View tombstone lifetime (default 180 days)
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com" -Properties tombstoneLifetime

Backup and Recovery

System State Backup

Backup System State

Lang: cmd
wbadmin start systemstatebackup -backuptarget:E:

Restore System State

Lang: cmd
:: Restore to original location
wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM

:: Restore to alternate location
wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM -recoverytarget:D:\Restore

Active Directory Recycle Bin

Enable AD Recycle Bin (Cannot be reversed)

Lang: powershell
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "domain.com"

Restore Deleted Object

Lang: powershell
# Find deleted objects
Get-ADObject -Filter {isDeleted -eq $true} -IncludeDeletedObjects

# Restore specific user
Get-ADObject -Filter {DisplayName -eq "John Doe"} -IncludeDeletedObjects | Restore-ADObject

Performance Issues

Check AD Performance Counters

Monitor Key Metrics

Lang: powershell
# LDAP searches per second
Get-Counter "\NTDS\LDAP Searches/sec"

# LDAP binds per second
Get-Counter "\NTDS\LDAP Successful Binds/sec"

# DRA pending replication operations
Get-Counter "\NTDS\DRA Pending Replication Operations"

Check Domain Controller Disk Space

Critical Paths to Monitor

  • C:\Windows\NTDS\ - AD database
  • C:\Windows\SYSVOL\ - SYSVOL share
  • Event logs

Lang: powershell
Get-PSDrive C | Select-Object Used,Free
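
Checking C: alone misses DCs whose database, logs or SYSVOL live on another volume. This added example (not from the original page) reads the real locations from the NTDS and Netlogon service parameters in the registry and reports free space on each hosting volume; it runs locally on a DC with admin rights.

```powershell
# Added example: find where NTDS, its logs and SYSVOL really live and check
# free space on each hosting volume. Run locally on a DC with admin rights.
function Get-DcStoragePaths {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    @(
        [pscustomobject]@{ Role = 'NTDS database'; Path = $ntds.'DSA Database file' }
        [pscustomobject]@{ Role = 'NTDS logs';     Path = $ntds.'Database log files path' }
        [pscustomobject]@{ Role = 'SYSVOL';        Path = $nl.SysVol }
        [pscustomobject]@{ Role = 'Event logs';    Path = "$env:SystemRoot\System32\winevt\Logs" }
    )
}

function Test-DcDiskSpace {
    param([int]$MinFreeGB = 5, [int]$MinFreePercent = 10)
    foreach ($p in Get-DcStoragePaths) {
        # "C:\Windows\NTDS\ntds.dit" -> "C:\" -> PSDrive "C"
        $letter = [System.IO.Path]::GetPathRoot($p.Path).TrimEnd(':\')
        $drive  = Get-PSDrive -Name $letter
        $freeGB = [math]::Round($drive.Free / 1GB, 1)
        $pct    = [math]::Round(100 * $drive.Free / ($drive.Used + $drive.Free), 1)
        [pscustomobject]@{
            Role        = $p.Role
            Path        = $p.Path
            Volume      = "${letter}:"
            FreeGB      = $freeGB
            FreePercent = $pct
            Alert       = ($freeGB -lt $MinFreeGB -or $pct -lt $MinFreePercent)
        }
    }
}

Test-DcDiskSpace | Format-Table -AutoSize
```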

Quick Diagnostic Scripts

One-Liner Health Check

Lang: powershell
# Quick DC health overview
dcdiag /test:DNS /test:Replications /test:Services /test:Connectivity

Find PDC Emulator

Lang: powershell
(Get-ADDomain).PDCEmulator

Get All User Lockouts Today

Lang: powershell
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=(Get-Date).Date} | Select-Object TimeCreated,@{Name='User';Expression={$_.Properties[0].Value}}

Common AD Error Codes

Error | Description                                        | Common Cause
------|----------------------------------------------------|-----------------------
1326  | Logon failure: unknown username or bad password    | Wrong credentials
1722  | RPC server is unavailable                          | Firewall, network issue
5     | Access is denied                                   | Permissions issue
8524  | DSA operation unable to proceed                    | Replication DNS issue
1311  | No logon servers available                         | DC unreachable
2453  | No authority could be contacted for authentication | Trust failure

Essential AD PowerShell Commands

Lang: powershell
# Import AD module
Import-Module ActiveDirectory

# Get AD info
Get-ADDomain
Get-ADForest
Get-ADDomainController -Filter *

# User operations
Get-ADUser -Identity username -Properties *
Set-ADUser -Identity username -Description "New description"
New-ADUser -Name "John Doe" -SamAccountName jdoe

# Group operations
Get-ADGroup -Identity "Domain Admins" -Properties *
Add-ADGroupMember -Identity "GroupName" -Members username
Get-ADGroupMember -Identity "GroupName"

# Computer operations
Get-ADComputer -Identity COMPUTERNAME
Enable-ADAccount -Identity COMPUTERNAME
Disable-ADAccount -Identity COMPUTERNAME

Additional Resources