Common Misconfigurations of Active Directory

So as my first blog post, I thought I would create a running list of misconfigurations that we see on a daily basis. While these are not the only causes, they are the most common. Fixing these misconfigurations is simple and can really keep an admin from pulling out all of his/her hair. Check back for updates as misconfiguration issues arise.


Misconfiguration 1.

Issue: Administrator cannot join a workstation to the domain.
Common Cause: DHCP is provided by the gateway router, which receives the ISP's DNS servers and hands them on to clients. Clients are therefore unable to query DNS for the AD SRV records.
Fix1: Log into the router's interface and, under the DHCP settings, change the DNS servers handed out so they point to the Active Directory server(s). Note: if you only have one AD server, hand out only that IP for DNS; do not use an ISP DNS server as a secondary.
Fix2: If the router cannot be changed, move the DHCP function to a Windows server and configure the appropriate options in the scope.
Fix3: Statically set each client's DNS settings to the server. This is really the option of last resort; I never recommend manually touching each PC (commonly called sneakerware).
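As an added example (not part of the original post), the following PowerShell covers both sides of this problem: `Test-ClientAdDns` runs on an affected workstation and reports which DNS servers DHCP handed it and whether the DC locator SRV record (`_ldap._tcp.dc._msdcs.<domain>`) resolves, which is exactly the lookup that fails when clients are sent to the ISP's resolvers; `Set-AdDnsForScope` is the Fix2 variant on a Windows DHCP server, setting scope option 006 to the AD DNS server(s) only. The domain name, DC address and scope ID are placeholder assumptions; the DHCP cmdlets need the DhcpServer RSAT module.

```powershell
# Added example, not from the original post. Domain, DC address and scope ID
# below are assumed placeholders; replace them with your own values.
$Domain  = 'corp.example.local'   # assumed: your AD DNS domain name
$DcDns   = '192.0.2.10'           # assumed: IP of the AD-integrated DNS server
$ScopeId = '192.0.2.0'            # assumed: DHCP scope that serves the clients

function Test-ClientAdDns {
    param([string]$DomainName)

    $result = [ordered]@{}

    # Which DNS servers did this client actually receive (from DHCP or statically)?
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object -ExpandProperty ServerAddresses -Unique
    $result.DnsServers = $servers

    # The DC locator record that every domain join and logon depends on.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    try {
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        $result.SrvRecords  = $srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }
        $result.CanLocateDc = ($srv.Count -gt 0)
    }
    catch {
        # Typical symptom of Misconfiguration 1: an ISP resolver knows nothing
        # about _msdcs, so the lookup fails and the join wizard cannot find a DC.
        $result.SrvRecords  = @()
        $result.CanLocateDc = $false
        $result.Error       = $_.Exception.Message
    }
    [pscustomobject]$result
}

function Set-AdDnsForScope {
    # Fix2: when DHCP lives on a Windows server, hand out only the AD DNS
    # server(s) as option 006. Per the post, no ISP resolver as a secondary.
    param([string]$ScopeId, [string[]]$AdDnsServers)

    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $AdDnsServers -Force
    Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6
}

# Usage: run the check on a client, the fix on the Windows DHCP server.
Test-ClientAdDns -DomainName $Domain | Format-List
# Set-AdDnsForScope -ScopeId $ScopeId -AdDnsServers @($DcDns)
```

If `CanLocateDc` is false while `DnsServers` shows public addresses, the client is talking to the ISP's resolvers and Fix1 or Fix2 applies; once the scope is corrected, `ipconfig /renew` on the client picks up the new option without touching each PC by hand.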


Misconfiguration 2.

Issue: SRV records for the DC are missing in DNS.
Common Cause: The DC points to an invalid DNS server, or the NIC does not have the Register in DNS checkbox selected.
Fix1: Change the DNS servers to a valid DC. If there is only one DC, point to its own IP address as primary DNS and its loopback (127.0.0.1) as secondary DNS.
Fix2: Check the box under TCP/IPv4 to register in DNS.
Note: After either of these fixes is applied, run the following highlighted commands from an administrative command prompt.


Misconfiguration 3.

Issue: Multiple IPs are registered for the same domain controller; replication and authentication issues ensue.
Common Cause: Multiple NICs in the server, whether or not they are used.
Fix1: Under Network and Sharing Center, disable all unused NICs, then delete all invalid DNS records for this server in DNS.
Fix2: If this is a multi-homed server (more than one NIC enabled and assigned an IP), select one NIC to register in DNS and disable DNS registration on the other NIC(s), then delete all invalid DNS records for this server in DNS.
Fix3: If this is a multi-homed server (more than one NIC enabled and assigned an IP) and the goal is load balancing or redundancy, look at the NIC teaming options, which provide redundancy and load balancing under a single IP (Windows Server 2012 and later do this natively).
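Misconfigurations 2 and 3 are two faces of the same DC-side DNS hygiene, so one added example (not the author's script) serves both. Run on the domain controller, `Get-DcDnsHealth` lists each NIC's DNS servers and its register-in-DNS flag, checks that this DC's `_ldap._tcp.dc._msdcs` SRV record exists, and enumerates every A record in the zone carrying this DC's name, so a second NIC or a stale address shows up as `MultipleARecords`. `Repair-DcDnsRegistration` leaves only the chosen NIC registering, re-registers, and restarts Netlogon so the SRV records are rewritten; stale A records are reported rather than deleted, because which address is the wrong one is a judgment call. The zone name, the NIC to keep and the stale address in the usage line are assumed placeholders; the zone query needs the DnsServer module, which is present on a DC running the DNS role.

```powershell
# Added example, not from the original post. Zone, NIC name and stale address
# are assumed placeholders.
$ZoneName   = 'corp.example.local'   # assumed: the AD DNS zone
$PrimaryNic = 'Ethernet'             # assumed: the single NIC that should register in DNS

function Get-DcDnsHealth {
    param([string]$Zone)

    $hostName = $env:COMPUTERNAME.ToLower()

    # Per-NIC client settings: DNS servers (Fix1 of #2) and the registration
    # flag (Fix2 of #2, Fix2 of #3). A DC should point at itself or another DC,
    # and only the intended NIC should register its address.
    $nics = Get-NetAdapter | ForEach-Object {
        $dns    = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
        $client = Get-DnsClient -InterfaceIndex $_.ifIndex
        [pscustomobject]@{
            Nic          = $_.Name
            Status       = $_.Status
            DnsServers   = ($dns -join ', ')
            RegistersDns = $client.RegisterThisConnectionsAddress
        }
    }

    # Fix1 of #3: NICs that are not Up should be disabled, not just unplugged.
    $unused = $nics | Where-Object { $_.Status -ne 'Up' }

    # Does the locator record clients need actually point at this DC?
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$hostName.*" }

    # Every A record for this host in the zone; more than one usually means a
    # second NIC or an old address is still registered (Misconfiguration 3).
    $aRecords = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name $hostName -ErrorAction SilentlyContinue |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

    [pscustomobject]@{
        Nics             = $nics
        UnusedNics       = $unused.Nic
        SrvRegistered    = [bool]$srv
        ARecords         = $aRecords
        MultipleARecords = ($aRecords.Count -gt 1)
    }
}

function Repair-DcDnsRegistration {
    # Only $KeepNic registers; everything else has the checkbox cleared.
    param([string]$KeepNic)

    Get-NetAdapter | ForEach-Object {
        Set-DnsClient -InterfaceIndex $_.ifIndex -RegisterThisConnectionsAddress ($_.Name -eq $KeepNic)
    }
    Register-DnsClient          # same effect as "ipconfig /registerdns"
    Restart-Service Netlogon    # makes the DC re-register its SRV records
}

# Usage, on the DC itself:
Get-DcDnsHealth -Zone $ZoneName | Format-List
# Repair-DcDnsRegistration -KeepNic $PrimaryNic
# Then delete the stale record(s) deliberately (198.51.100.7 is an assumed example):
# Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $env:COMPUTERNAME -RecordData '198.51.100.7' -Force
```

After the repair, rerun `Get-DcDnsHealth` and confirm `SrvRegistered` is true and `ARecords` contains exactly the address of the NIC you kept; for Fix3 of #3, a NIC team presents a single adapter to `Get-NetAdapter`, so the same check passes without any per-NIC exceptions.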


Misconfiguration 4.

Issue: Adding a new domain controller to replace an old domain controller; when the old domain controller is shut down, nobody can log in.
Common Cause: Sysvol and Netlogon not shared due
Fix1: The old DC is in journal wrap for the Sysvol folder. See http://blogs.msmvps.com/acefekay/2013/08/28/how-to-recover-a-journal-wrap-error-jrnl_wrap_error-and-a-corrupted-sysvol-from-a-good-dc-what-option-do-i-use-d4-or-d2-whats-the-difference-between-d4-and-d2/
Fix2: If replicating via DFS-R, the source server may be in a dirty shutdown state; check for 2213 events in the event log. See http://support.microsoft.com/kb/2846759/en-us
Fix3:
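Before powering off the old DC, it is worth confirming on the new one that SYSVOL and NETLOGON are really shared and that neither replication engine is stuck. The following is an added example, not the post's own procedure: `Test-SysvolShare` checks the two shares and Netlogon's `SysvolReady` registry flag (Netlogon withholds the shares until it is set, which is what makes logons fail once the old DC is gone), and `Get-SysvolReplicationErrors` searches the event logs for DFS-R event 2213, the dirty-shutdown event from Fix2, and for FRS event 13568, the JRNL_WRAP_ERROR event behind Fix1 (the 13568 ID comes from general FRS knowledge, not from the post). It only reports; choosing D2/D4 or resuming DFS-R is a decision to make after reading the linked articles.

```powershell
# Added example, not from the original post. Run on each DC, old and new.

function Test-SysvolShare {
    $shares = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name

    # Netlogon sets SysvolReady to 1 once it considers SYSVOL replicated; while it
    # is 0 the SYSVOL and NETLOGON shares are deliberately not published.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SysvolShared   = ($shares -contains 'SYSVOL')
        NetlogonShared = ($shares -contains 'NETLOGON')
        SysvolReady    = $params.SysvolReady
    }
}

function Get-SysvolReplicationErrors {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # DFS-R dirty shutdown on the source server (Fix2 in the post).
    $dfsr = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213; StartTime = $since } -ErrorAction SilentlyContinue

    # FRS journal wrap on the old DC (Fix1 in the post); this log only exists
    # on domains still replicating SYSVOL with FRS.
    $frs = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13568; StartTime = $since } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DfsrDirtyShutdown = [bool]$dfsr
        DfsrLastEvent     = ($dfsr | Select-Object -First 1).TimeCreated
        FrsJournalWrap    = [bool]$frs
        FrsLastEvent      = ($frs | Select-Object -First 1).TimeCreated
    }
}

# Usage: both results should be clean on the new DC before the old one is shut down.
Test-SysvolShare
Get-SysvolReplicationErrors -Days 30
```

A new DC that reports `SysvolShared` false with `SysvolReady` 0 has never completed initial SYSVOL sync from its source, so the source's journal wrap or dirty shutdown is the thing to resolve first; shutting down the old DC at that point is what produces the "nobody can log in" symptom above.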


Misconfiguration 5.

Issue: Multiple issues joining domain controllers; AD stops replicating.
Common Cause: IPv6 has been disabled or uninstalled.
Fix1: Re-enable or reinstall IPv6. Go here for more information.
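IPv6 is usually "disabled" on a DC in one of two ways, the `ms_tcpip6` binding unticked on the adapter or the `DisabledComponents` value set under the Tcpip6 parameters key, and the second one survives re-ticking the box. As an added example (not the post's own instructions), `Test-Ipv6Enabled` reports both per adapter, and `Enable-Ipv6` applies Fix1 by re-enabling the binding on every adapter and removing `DisabledComponents`; the registry path is the standard Tcpip6 key and a reboot is required for that part to take effect.

```powershell
# Added example, not from the original post.
$Tcpip6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Test-Ipv6Enabled {
    # DisabledComponents absent or 0 means nothing is switched off via the registry;
    # 0xFF disables every IPv6 component regardless of the adapter binding.
    $disabled = (Get-ItemProperty -Path $Tcpip6Key -ErrorAction SilentlyContinue).DisabledComponents
    $dc = if ($null -eq $disabled) { 0 } else { [int]$disabled }

    Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
        [pscustomobject]@{
            Nic                = $_.Name
            Ipv6Binding        = $_.Enabled
            DisabledComponents = ('0x{0:X}' -f $dc)
            # The replication and join problems in the post follow when either is off.
            Healthy            = ($_.Enabled -and $dc -eq 0)
        }
    }
}

function Enable-Ipv6 {
    # Fix1: turn the binding back on for all adapters and clear the registry override.
    Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    if (Test-Path $Tcpip6Key) {
        Remove-ItemProperty -Path $Tcpip6Key -Name DisabledComponents -ErrorAction SilentlyContinue
    }
    Test-Ipv6Enabled
}

Test-Ipv6Enabled | Format-Table -AutoSize
# Enable-Ipv6   # then reboot the DC for the registry change to apply
```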


Posted in Active Directory, Design, Troubleshooting