Configuring a Computer for Troubleshooting Active Directory

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you can use advanced troubleshooting techniques to identify and fix Active Directory problems, you must configure your computer for troubleshooting and have a basic understanding of Windows Server 2003 troubleshooting concepts, procedures, and tools. For information about monitoring tools for Windows Server 2003, see Monitoring and Status Tools on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=59526).

Configuration Tasks for Troubleshooting

To configure your computer for troubleshooting, perform the following tasks:

Install Windows Server 2003 SP1

Install Windows Support Tools

Install Network Monitor

Set logging levels

Install Windows Server 2003 SP1

If possible, upgrade domain controllers to Windows Server 2003 Service Pack 1 (SP1). To install this service pack, go to the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=9999) and follow instructions for downloading the service pack.

The advantages of running Windows Server 2003 with SP1 with regard to troubleshooting include enhancements to the Ntdsutil command-line tool. Ntdsutil.exe has new functionality that makes it easier to remove domain controller metadata and to authoritatively restore directory objects.

Install Windows Support Tools

For improved diagnostic support, install Windows Support Tools that ship with Windows Server 2003 SP1. The SP1 version of Windows Support Tools includes enhanced versions of the Dcdiag.exe and Repadmin.exe tools. The Dcdiag.exe command-line tool now provides new reporting on the overall health of replication with respect to Active Directory security, as well as new Domain Name System (DNS) diagnostic tests. You can use Repadmin.exe to manage replication consistency settings on multiple domain controllers instead of editing the registry on individual computers.

Make sure that the SP1 version of Windows Support Tools is installed on all domain controllers that are running Windows Server 2003 with SP1.

Options for Running SP1 Windows Support Tools

You can run Windows Support Tools that ship with Windows Server 2003 SP1 on computers running the following operating systems:

  • Windows Server 2003 with SP1

  • Windows Server 2003 without SP1

You can also run some tools, such as Repadmin.exe and Dcdiag.exe, on computers running Windows XP Professional, Windows XP Professional with SP1, or Windows XP Professional with Service Pack 2 (SP2). Options for other tools vary by tool. In this guide, the operating system that is required for running a tool is specified as a prerequisite for each procedure.

Options for Installing SP1 Windows Support Tools

The SP1 version of Windows Support Tools can be installed as an .msi package only on computers running Windows Server 2003 with SP1. To run Repadmin and Dcdiag from computers running Windows Server 2003 without SP1 or from computers running Windows XP Professional, you must copy the respective executable files to those computers.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Builtin Administrators group.

  • Operating system: Windows Server 2003 with SP1. You cannot use suptools.msi to install the SP1 version of Windows Support Tools on a computer that is not running Windows Server 2003 with SP1.

To install Windows Support Tools

  1. Insert the Windows CD into your CD-ROM drive.

  2. If you are prompted to reinstall Windows, click No.

  3. When the Welcome screen appears, click Perform additional tasks, and then click Browse this CD.

  4. Go to the \Support\Tools folder. For complete setup information, see the Readme.htm file in this folder.

  5. Double-click suptools.msi.

  6. Follow the instructions that appear on your screen.

Install Network Monitor

Use Network Monitor to troubleshoot connectivity issues by tracing network traffic between computers. For information about installing and using Network Monitor, see Network Monitor on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=42987).

Set Logging Levels

If the information that you receive in the Directory Service log in Event Viewer is not sufficient for troubleshooting, raise the logging levels by using the appropriate registry entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

By default, the logging levels for all entries are set to 0, which provides the minimum amount of information. The highest logging level is 5. Increasing the level for an entry causes additional events to be logged in the Directory Service event log. The following diagram shows the diagnostic entries that are available.

NTDS Diagnostics options for logging levels

Use the following procedure to change the logging level for a diagnostic entry.

Warning

It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in the domain of the domain controller on which you are setting the logging level.

  • Tools: Regedit.exe

To change the logging level for a diagnostic entry

  1. Click Start, click Run, type regedit, and then click OK.

  2. Navigate to the entry for which you want to set logging in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.

  3. Double-click the entry, and for the Base click Decimal.

  4. In the Value data box, type an integer from 0 through 5, and then click OK.