Troubleshooting Active Directory

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What problem are you having?

  • Cannot add or remove a domain.

  • Cannot create security principals in Active Directory.

  • Changes to group memberships are not taking effect.

  • Clients without Active Directory client software installed fail to authenticate.

  • Receiving "Domain not found," "Server not available," or "RPC server is unavailable" error messages.

  • User is unable to log on locally to a domain controller.

  • Cannot enable auditing.

  • Cannot remove Active Directory from a domain controller.

  • Cannot connect to a domain controller running Windows 2000.

Cannot add or remove a domain.

Cause:  Adding or removing a domain is performed directly against the domain naming master, so it fails whenever that role holder cannot be reached. This may be caused by a network connectivity problem, by an Active Directory Installation Wizard failure, or by a failure of the computer holding the domain naming master role. Or, the user who is attempting to add or remove the domain does not have the necessary administrative credentials (membership in Enterprise Admins is required to add or remove a domain).

Solution:  Identify the computer holding the domain naming master role by using the command netdom query fsmo and repair or replace the domain naming master computer. It may be necessary to seize the domain naming master role. Seize the role only when the original holder is permanently offline: a computer from which an operations master role has been seized must be reinstalled before it is ever reconnected to the network, otherwise two computers will act as the role holder. Or, resolve the network connectivity problem. If this does not help solve the issue, see article Q223787, "Flexible Single Master Operation Transfer and Seizure Process," in the Microsoft Knowledge Base.

See also:  Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the domain naming master role; Seize the domain naming master role

Cannot create security principals in Active Directory.

Cause:  Every domain controller creates security principals (users, groups, and computers) from a pool of relative identifiers (RIDs) that it obtains from the RID master. When a domain controller has used up its pool and cannot obtain a new one, because the RID master is not available or the new allocation has not replicated, creation of security principals on that domain controller fails. This may be caused by a network connectivity problem or by a failure of the computer holding the RID master role. This behavior can also occur when the Access this computer from the network user right is not assigned to the appropriate groups on the RID master, because the requesting domain controller is then refused when it asks for a pool. Or, the user who is attempting to create the security principal does not have the necessary administrative credentials.

Solution:  Identify the computer holding the RID master role by using the command netdom query fsmo, and run dcdiag /test:ridmanager on the failing domain controller to confirm whether it can reach the RID master and whether it holds a valid RID pool. Repair or replace the computer holding the RID master role. It may be necessary to seize the RID master role. Treat this seizure with particular care: the former RID master must never be returned to the network, because two RID masters can hand out overlapping pools and produce duplicate security identifiers. Or, resolve the network connectivity problem. If this does not help solve the issue, see articles Q223787, "Flexible Single Master Operation Transfer and Seizure Process," and Q248410 "Err Msg: The Account-Identifier Allocator Failed To..." in the Microsoft Knowledge Base.

See also:  Access this computer from the network; Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the RID master role; Seize the RID master role

Changes to group memberships are not taking effect.

Cause:  The infrastructure master updates references to objects in other domains, for example the names of members of a group who belong to another domain in the forest. When it is not available, those references are not updated and group membership changes made in the other domain appear not to take effect. This may be caused by a network connectivity problem or by a failure of the computer holding the infrastructure master role. The same symptom occurs when the infrastructure master is a global catalog server and not every domain controller in the domain is one: a global catalog already holds the current data, so the infrastructure master never notices the stale references and never updates them. Or, the user who is attempting to change group membership does not have the necessary administrative credentials.

Solution:  Identify the computer holding the infrastructure master role by using the command netdom query fsmo and repair or replace the computer holding the infrastructure master role. It may be necessary to seize the infrastructure master role. Or, resolve the network connectivity problem. Also confirm that the infrastructure master is not a global catalog server unless every domain controller in the domain is one; if it is, transfer the role to a domain controller that is not a global catalog, or make all domain controllers in the domain global catalogs. If this does not help solve the issue, see article Q223787, "Flexible Single Master Operation Transfer and Seizure Process," in the Microsoft Knowledge Base.

See also:  Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the infrastructure master role; Seize the infrastructure master role

Clients without Active Directory client software installed fail to authenticate.

Cause:  Clients that do not run the Active Directory client software (Windows 95, Windows 98, and Windows NT 4.0 without the Directory Service Client) authenticate as they would against a Windows NT primary domain controller, and their password changes are processed by the primary domain controller (PDC) emulator master. When such a user's password has expired and the PDC emulator master is not available, the forced password change cannot complete and the logon fails. This may be caused by a network connectivity problem. It may also be due to a failure of the computer holding the PDC emulator master role.

Solution:  Identify the computer holding the PDC emulator master role by using the command netdom query fsmo and repair or replace the computer holding the PDC emulator master role. It may be necessary to seize the PDC emulator master role; of the five roles this is the one that can be seized with the least risk, and it can be transferred back when the original holder returns. Or, resolve the network connectivity problem. If this does not help solve the issue, see articles Q223787, "Flexible Single Master Operation Transfer and Seizure Process," and Q239869, "How to Enable NTLM 2 Authentication for Windows 95, Windows 98, Windows NT Server 4.0, and Windows 2000 Advanced Server," in the Microsoft Knowledge Base.

See also:  Diagnose Connections; Operations master roles; Responding to operations master failures; Transfer the PDC emulator role; Seize the PDC emulator role
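The four operations-master problems above all start with the same two questions: which computer holds the role, and can it actually be reached. The following PowerShell script is an added example, not part of the original article or of any Microsoft tool. It reads the role holders through the System.DirectoryServices.ActiveDirectory classes (the same information netdom query fsmo prints), tests ICMP and an LDAP bind against each holder, and flags the infrastructure-master-on-a-global-catalog placement problem behind the group-membership symptom. It assumes Windows PowerShell 2.0 or later on a domain-joined machine with .NET 2.0 or later; the function names Test-RoleHolder and Get-FsmoReport are the example's own. It only reports: transferring or seizing a role is still done with Ntdsutil or the MMC snap-ins.

```powershell
# Added example (not from the original article): report the five FSMO role
# holders and check that each one answers ping and an LDAP bind.
# Assumes Windows PowerShell 2.0+ and .NET 2.0+ on a domain-joined machine.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

function Test-RoleHolder {
    param([string]$Role, [System.DirectoryServices.ActiveDirectory.DomainController]$Dc)
    $r = "" | Select-Object Role, Holder, Ping, Ldap, Error
    $r.Role = $Role; $r.Holder = $Dc.Name; $r.Ping = $false; $r.Ldap = $false; $r.Error = ""
    try {
        # ICMP first: a dead or partitioned role holder usually fails already here.
        $reply = (New-Object System.Net.NetworkInformation.Ping).Send($Dc.Name, 2000)
        $r.Ping = ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch { $r.Error = $_.Exception.Message }
    try {
        # Reading RootDSE forces a bind, so this fails when LDAP or authentication
        # is broken even though ping succeeded.
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($Dc.Name)/RootDSE")
        $r.Ldap = ($rootDse.Properties["currentTime"].Value -ne $null)
    } catch { $r.Error = $_.Exception.Message }
    return $r
}

function Get-FsmoReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $roles = @(
        @("Schema master",         $forest.SchemaRoleOwner),
        @("Domain naming master",  $forest.NamingRoleOwner),
        @("RID master",            $domain.RidRoleOwner),
        @("PDC emulator",          $domain.PdcRoleOwner),
        @("Infrastructure master", $domain.InfrastructureRoleOwner)
    )
    foreach ($pair in $roles) { Test-RoleHolder $pair[0] $pair[1] }

    # Placement check for the group-membership symptom: the infrastructure master
    # must not be a global catalog unless every DC in the domain is one.
    $im = $domain.InfrastructureRoleOwner
    $nonGc = @()
    foreach ($dc in $domain.FindAllDomainControllers()) {
        try { if (-not $dc.IsGlobalCatalog()) { $nonGc += $dc.Name } } catch { }
    }
    if ($im.IsGlobalCatalog() -and $nonGc.Count -gt 0) {
        $msg = "Infrastructure master $($im.Name) is a global catalog while these DCs are not: " +
               ($nonGc -join ", ") + ". Move the role to a non-GC domain controller."
        Write-Warning $msg
    }
}

Get-FsmoReport | Format-Table Role, Holder, Ping, Ldap, Error -AutoSize
```

A holder that pings but fails the LDAP bind points at the service or at authentication on that computer rather than at the network, which is the distinction the Cause paragraphs above ask you to make before deciding between repairing the holder and seizing the role.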

Receiving "Domain not found," "Server not available," or "RPC server is unavailable" error messages.

Cause:  Name registration or name resolution problem. Clients and other domain controllers locate a domain controller through the SRV records (for example _ldap._tcp.dc._msdcs.<domain>) that the domain controller's Netlogon service registers in DNS. "Domain not found" and "Server not available" usually mean those records were never registered, or the client is querying a DNS server that does not host them. "RPC server is unavailable" can also occur when the name resolves correctly but TCP port 135 (the RPC endpoint mapper) or the dynamic RPC ports it hands out are blocked between the two computers.

Solution:  Verify that Domain Name System (DNS) is available and functioning correctly, and that the computer in question points at a DNS server that hosts the domain's zone. Run the Netdiag /debug command on the server in question. This will evaluate the registration of NetBIOS, DNS, and services; Netdiag /fix re-registers the domain controller's DNS records when they are missing. If this does not help solve the issue, see article Q265706, "DCDiag/NetDiag Facilitate Join and DC Creation," in the Microsoft Knowledge Base.

See also: Active Directory support tools; Install Windows Support Tools
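The following PowerShell script is an added example, not part of the original article, that performs the two checks the Solution above describes from the client's side: it resolves the _ldap._tcp.dc._msdcs SRV record the way a client does, then tests the TCP ports that logon, directory access and RPC depend on against every domain controller the record names. It assumes Windows PowerShell 2.0 or later and nslookup.exe on the path; the function names Get-DcFromSrv, Test-DcPorts and Test-DcConnectivity are the example's own.

```powershell
# Added example (not from the original article): locate the domain's DCs through
# the SRV record clients use, then test the ports the logon and RPC paths need.
# Assumes Windows PowerShell 2.0+ and nslookup.exe on the path.
function Get-DcFromSrv {
    param([string]$DomainDnsName)
    # Netlogon on each DC registers this record; if it is missing, clients report
    # "Domain not found" even when the DC itself is healthy.
    $srv = "_ldap._tcp.dc._msdcs.$DomainDnsName"
    $out = & nslookup -type=SRV $srv 2>&1 | Out-String
    $hosts = @()
    foreach ($m in [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)')) {
        $hosts += $m.Groups[1].Value.TrimEnd('.')
    }
    if ($hosts.Count -eq 0) {
        Write-Warning "No SRV record for $srv from this client's DNS server. Check which DNS server the client uses, then re-register the DC's records (netdiag /fix or restart Netlogon on the DC)."
    }
    return $hosts
}

function Test-DcPorts {
    param([string]$Dc)
    # 135 is the RPC endpoint mapper: if it is closed, every RPC-based operation
    # reports "RPC server is unavailable" no matter what DNS says.
    $ports = @{ 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP"; 445 = "SMB (SYSVOL, Netlogon)" }
    $results = @()
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($Dc, [int]$p, $null, $null)
            $open = ($ar.AsyncWaitHandle.WaitOne(3000, $false) -and $client.Connected)
        } catch { $open = $false }
        $client.Close()
        $r = "" | Select-Object Dc, Port, Service, Open
        $r.Dc = $Dc; $r.Port = $p; $r.Service = $ports[$p]; $r.Open = [bool]$open
        $results += $r
    }
    return $results
}

function Test-DcConnectivity {
    param([string]$DomainDnsName = $env:USERDNSDOMAIN)
    foreach ($dc in (Get-DcFromSrv $DomainDnsName)) { Test-DcPorts $dc }
}

Test-DcConnectivity | Format-Table Dc, Port, Service, Open -AutoSize
```

If port 135 is open but "RPC server is unavailable" persists, the endpoint mapper answered and the failure is on the dynamic high-numbered port it referred the client to; check the firewall between the two computers for that range rather than for port 135 alone.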

User is unable to log on locally to a domain controller.

Cause:  The user or group has not been granted the Allow log on locally user right on the domain controller. On domain controllers this right is defined in the Default Domain Controllers Policy Group Policy object, and by default it is granted only to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators; a setting made in the computer's local security policy is overridden by that Group Policy object.

Solution:  In the Default Domain Controllers Policy Group Policy object (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment), assign the particular user or group the Allow log on locally user right, then run gpupdate /force on the domain controller or wait for the next policy refresh. Grant the right to a specific group rather than to Users or Authenticated Users: anyone who can log on locally to a domain controller has interactive access to the computer that holds the domain's credentials. If this does not help solve the issue, see article Q234237, "Assign "Log On locally" Rights to Windows Domain Controller," in the Microsoft Knowledge Base.

See also:  Allow log on locally; Logon rights; Permit users to log on locally to a domain controller

Cannot enable auditing.

Cause:  For servers running Windows Server 2003, audit policy is applied through Group Policy. On a domain controller the Default Domain Controllers Policy Group Policy object overrides the local audit policy, so a setting made with GPEdit.msc in the local policy has no effect there. Or, the user who is attempting to enable auditing does not have the necessary administrative credentials.

Solution:  On a stand-alone or member server, run GPEdit.msc and enable the required categories under Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. On a domain controller, make the same change in the Default Domain Controllers Policy (for example with the Domain Controller Security Policy snap-in) and then run gpupdate /force. Note that enabling Audit object access or Audit directory service access alone records nothing; events are generated only for objects that also carry a system access control list (SACL) naming the access to audit.

See also:  Define or modify auditing policy settings for an event category

Cannot remove Active Directory from a domain controller.

Cause:  The NTDS Settings object could not be properly removed. This typically happens after a failed or forced demotion (dcpromo /forceremoval), or when the domain controller was lost before it could be demoted; the remaining domain controllers still see it as a replication partner. Or, the user who is attempting to remove the domain controller does not have the necessary administrative credentials.

Solution:  Use the Ntdsutil command-line tool (the metadata cleanup menu) to manually remove the NTDS Settings object. Before doing so, confirm that the domain controller is really gone and will not be brought back with its old directory database, and transfer or seize any operations master roles it held. After the metadata cleanup, also delete the domain controller's computer account from the Domain Controllers organizational unit and its records from DNS. If this does not help solve the issue, see article Q216498, "Remove Data in Active Directory After an Unsuccessful Demotion," in the Microsoft Knowledge Base.

See also:  Delete extinct server metadata
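The following PowerShell script is an added example, not part of the original article or of Ntdsutil itself. It confirms that a leftover NTDS Settings object really exists under the server object in the configuration partition before anything is removed, and only performs the Ntdsutil cleanup when asked to. It assumes Windows PowerShell 2.0 or later, the Ntdsutil from Windows Server 2003 SP1 or later (which accepts the server's distinguished name directly on the command line), and Enterprise Admins credentials; the server name DC2 and the function names Get-StaleServerObject and Remove-StaleDcMetadata are the example's own.

```powershell
# Added example (not from the original article): confirm that a failed demotion
# left an NTDS Settings object behind, and remove it with ntdsutil on request.
# Assumes Windows PowerShell 2.0+, Windows Server 2003 SP1+ ntdsutil and
# Enterprise Admins credentials. "DC2" is a hypothetical server name.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

function Get-StaleServerObject {
    param([string]$ServerName)
    # Server objects live under CN=Sites in the configuration partition; a DC that
    # was demoted cleanly keeps its server object but loses the NTDS Settings child.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,$configNc")
    $searcher.Filter = "(&(objectClass=server)(cn=$ServerName))"   # plain name only, no LDAP metacharacters
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return $null }
    $server = $hit.GetDirectoryEntry()
    $hasNtds = $false
    foreach ($child in $server.Children) {
        if ($child.SchemaClassName -eq "nTDSDSA") { $hasNtds = $true }
    }
    $r = "" | Select-Object ServerDn, HasNtdsSettings
    $r.ServerDn = $server.Properties["distinguishedName"].Value
    $r.HasNtdsSettings = $hasNtds
    return $r
}

function Remove-StaleDcMetadata {
    param([string]$ServerName, [switch]$Remove)
    $obj = Get-StaleServerObject $ServerName
    if ($obj -eq $null) { Write-Host "No server object named $ServerName under CN=Sites"; return }
    if (-not $obj.HasNtdsSettings) { Write-Host "$($obj.ServerDn) has no NTDS Settings object; nothing to clean up"; return }
    Write-Host "Stale NTDS Settings object found under $($obj.ServerDn)"
    if (-not $Remove) {
        Write-Host "Re-run with -Remove once the DC is confirmed gone and any operations master roles it held have been seized."
        return
    }
    # ntdsutil asks for confirmation; on SP1+ it also removes the FRS member and
    # connection objects. The computer account and DNS records still need deleting.
    & ntdsutil "metadata cleanup" "remove selected server $($obj.ServerDn)" quit quit
}

Remove-StaleDcMetadata -ServerName "DC2"           # report only
# Remove-StaleDcMetadata -ServerName "DC2" -Remove # perform the cleanup
```

Keeping the check separate from the removal matters here because metadata cleanup against a domain controller that is merely offline, rather than gone, leaves that computer with a directory the rest of the domain no longer recognizes; the report-only run is the place to notice that mistake.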

Cannot connect to a domain controller running Windows 2000.

Cause:  You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed. The Windows Server 2003 administrative tools sign their LDAP traffic by default, and Windows 2000 domain controllers before Service Pack 3 do not support LDAP signing, so the connection is refused.

Solution:  Upgrade domain controllers running Windows 2000 to Service Pack 3 or later. Do not work around the problem by turning off LDAP signing on the administrative workstation; unsigned LDAP sessions can be tampered with on the network, and the service pack is the supported fix.

See also: Connecting to domain controllers running Windows 2000