DC Troubleshooting

Last updated: January 30, 2023
Audience: IT Staff / Technical

There are a wide diversity of problems you might encounter that involve your domain controllers. This document seeks to give you a general set of tools and ideas to help diagnose those problems.

  • Research error messages. Google some distinctive portion of the error message. As you read threads, think about how the symptoms that other people with the same error message might relate to your environment. Also think broadly in terms of how the cause of their problem might relate to your environment.
  • Investigate the eventlog. Pay particular attention to the NTDS, System, and Application eventlogs (in that order). You should have *no* recurring NTDS Error events. Use google, and http://eventid.net to research events that aren’t self-explanatory. Use the Exchange Error Code Look-up Tool (not specific to Exchange) to research error codes–pretty much every hex and decimal error code that you’ll see Windows produce is covered (e.g. 0xc000020c OR -1073741300). See the Microsoft Exchange Server Error Code Look-up
  • Run self-diagnostic checks to verify that your DCs are configured to the minimum acceptable level:
    • netdiag /v /l should produce netdiag.log file
    • dcdiag /v /c /f:c:\dcdiag.log should produce dcdiag.log file

Investigate and resolve any errors in these log files.

  • Manually verify that *all* DNS records are in the authoritative DNS servers for the relevant DNS zones. There are many ways to do this. They include:
    • Run the DNS Tool
    • Grab %systemroot%\system32\config\netlogon.dns, and use nslookup or ISC’s Windows based dig tool to look up each record.
  • Use Microsoft’s portqry.exe tool to verify connectivity, and rule out that firewalls might be causing the problem. Verify that ports 135, 139, 389, and 445 are listening on your DCs from the computer that has issues with your DC.
  • If your problem is access related (“access denied” error messages), consider:
    • Group policy settings
    • Demotion and re-promotion
    • Applying the default security template for domain controllers to remove any restrictive ACLs (or user rights) you may have set. See Predefined security templates