It is not possible to cover every question related to troubleshooting Active Directory. (That is the task of the Microsoft Knowledge Base, and it usually succeeds!) Instead, I would like to present a few relatively simple tips here, which can nevertheless be very useful in various real-life situations. (Do not let the brevity of the tips fool you; the information behind them is quite deep. Try it for yourself.)
On Active Directory domain controllers, the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics registry key contains diagnostic entries (19 in total on Windows 2000 and 24 on Windows .NET) that represent the categories of events Active Directory can record in the Directory Service log. Each entry has a REG_DWORD value from 0 to 5, which sets the level of detail of the logged events.
When the default level 0 is set, only critical events are logged; this is the normal value for most entries. The "super-verbose" level 5 should be used with care, since it causes all events to be logged and is intended only for debugging specific problems. If you encounter an Active Directory-related problem, try slightly increasing the value of the appropriate entry and reproducing the problem. Do not forget to restore the default value after the problem has been solved.
There are no strict rules for selecting an entry's value; you can find a suitable level experimentally. Use of the Replication Events entry has been discussed above. If, for example, the Garbage Collection entry is set to 3, you can see when garbage collection starts and completes, as well as the amount of free space in the directory database file. When the value is set to 5, every object deletion is also logged.
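The raise-reproduce-restore cycle described above, as an added PowerShell example that is not part of the book. It assumes a current Windows Server DC with PowerShell 5 or later and an elevated prompt; the registry path is the one given in the text, and the value names are read from the key itself rather than typed in.

```powershell
# Added example: raise one NTDS Diagnostics entry and keep a snapshot of all
# entries so the defaults can be restored afterwards.
$NtdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Save-NtdsDiagnostics {
    param([string]$Path = "$env:TEMP\ntds-diag-backup.json")
    # (Get-Item).Property lists only the REG_DWORD value names, not PS* metadata
    $snapshot = @{}
    foreach ($name in (Get-Item $NtdsDiag).Property) {
        $snapshot[$name] = (Get-ItemProperty -Path $NtdsDiag -Name $name).$name
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Set-NtdsDiagnosticLevel {
    param(
        # Exact value name as listed by (Get-Item $NtdsDiag).Property;
        # in the registry the names carry a numeric prefix, e.g. '6 Garbage Collection'
        [Parameter(Mandatory)][string]$Entry,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    # Only touch entries that already exist; a typo must not create a new value
    if (-not ((Get-Item $NtdsDiag).Property -contains $Entry)) {
        throw "No diagnostics entry named '$Entry' under $NtdsDiag"
    }
    Set-ItemProperty -Path $NtdsDiag -Name $Entry -Value $Level -Type DWord
}

function Restore-NtdsDiagnostics {
    param([Parameter(Mandatory)][string]$Path)
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) {
        Set-ItemProperty -Path $NtdsDiag -Name $p.Name -Value ([int]$p.Value) -Type DWord
    }
}

# Typical use: snapshot, raise Garbage Collection to 3 while reproducing, then restore.
$backup = Save-NtdsDiagnostics
Set-NtdsDiagnosticLevel -Entry '6 Garbage Collection' -Level 3
# ... reproduce the problem and read the Directory Service log ...
Restore-NtdsDiagnostics -Path $backup
```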
There is a kind of replication error that occurs when a specific object "prevents" a replication request from completing. (Remember that you cannot simply delete this object, since deleted objects are replicated as well.) The Q265090 article from the Microsoft Knowledge Base describes troubleshooting similar errors that may appear during the replication phase of the server promotion process. A similar approach can also be used for other internal errors related to replication. (You can also treat this article as a worked example of troubleshooting replication issues.) To solve the problem, you delete the interfering object, decrease the tombstone lifetime to the lowest possible value (2 days), and wait until garbage collection removes the object entirely. In Windows 2000, this trick has saved my network a few times, when all other means did not help at all. Windows .NET systems seem to be more resistant to problems of this kind.
As you know, a server running Windows 2000 or Windows .NET can advertise itself as a domain controller (if it has been promoted to that role), and an Active Directory domain controller can in turn advertise itself as a Global Catalog (GC) server. There are quite a few situations in which you may wish to make sure that this process has completed successfully.
For example, if the File Replication Service (FRS) runs into trouble, it does not initialize the system volume, and the Netlogon service therefore cannot share the SYSVOL volume. (The NETLOGON share cannot be created in that case either.) This results in problems applying group policies, as well as many other replication and authentication problems.
Here is another situation: the promotion of a DC to a GC server is normally delayed by 5 minutes. However, due to replication problems, this process can take longer.
In both cases, before you start looking for connectivity, authentication, or other potential problems, you need to be sure that your server really acts as a domain controller or a GC server.
Here are the methods that will allow you to identify whether a Windows 2000- or Windows .NET-based server is a domain controller after its promotion or normal reboot:
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key must contain the NTDS subkey.
Enter net accounts at the command prompt. The "Computer role" of a domain controller is "PRIMARY", while standalone servers identify themselves as "SERVERS".
Enter net start at the command prompt. The list of running services must contain the Kerberos Key Distribution Center (KDC) service.
Enter nbtstat -n at the command prompt. The domain name with the <1C> type must be registered.
Enter net share at the command prompt. The SYSVOL (%SystemRoot%\SYSVOL\sysvol) and NETLOGON (%SystemRoot%\SYSVOL\sysvol\<DomainDNSName>\scripts) shares must exist.
Use Ldp.exe to view the isSynchronized attribute of the RootDSE object. (For additional information, see Chapter 1, "LDAP Basics" and Chapter 12, "Manipulating Active Directory Objects".) After a server promotion, the system must perform a full synchronization of all directory partitions. When this process is completed, the isSynchronized attribute is set to TRUE.
Use NLtest.exe. (More details are in Chapter 11, "Verifying Network and Distributed Services".)
Use NTDSutil.exe to connect to the domain controller and verify that it responds to LDAP queries. (For more information, see Chapter 10, "Diagnosing and Maintaining Domain Controllers".) You can also use this tool to verify whether the DC knows about the FSMO roles in its domain.
Assigning the Global Catalog server role to a domain controller (for example, in the Active Directory Sites and Services snap-in) and that DC advertising itself as a GC server are not the same thing. A domain controller can advertise itself as a Global Catalog server only after it has replicated all domain partitions that exist in the forest at that moment.
You can use the following methods to verify advertising of a DC in the role of Global Catalog server:
After a DC has been promoted to a GC server, the event with ID 1110 (Event Source: NTDS General; Event Category: Replication) appears in the Directory Service log. The advertising process completes with the ID 1119 event: "This domain controller is now a global catalog."
The Global Catalog Promotion Complete registry value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key must be equal to 1.
Use Ldp.exe to view the isGlobalCatalogReady attribute of the RootDSE object. (For more information, see Chapter 1 and Chapter 12.)
Use NLtest.exe. (More details are in Chapter 11.)
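The two check lists above (domain controller advertising and Global Catalog advertising) gathered into one PowerShell function, as an added example that is not part of the book. It assumes a current Windows Server DC with PowerShell 5 or later (Get-CimInstance and Get-WinEvent); the registry paths, service, share names, RootDSE attributes, net/nbtstat output and the 1119 event ID are the ones named in the text.

```powershell
# Added example: run the DC and GC advertising checks on the local server.
function Test-DcAdvertising {
    $ntds    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
    $shares  = (Get-CimInstance -ClassName Win32_Share).Name
    $rootDse = [ADSI]'LDAP://RootDSE'          # serverless bind goes to the local DC
    $gcDone  = (Get-ItemProperty -Path "$ntds\Parameters" -ErrorAction SilentlyContinue).'Global Catalog Promotion Complete'
    $evt1119 = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 } `
                   -MaxEvents 1 -ErrorAction SilentlyContinue
    $role    = (net accounts | Select-String -Pattern 'Computer role').Line

    [ordered]@{
        # --- domain controller checks ---
        'NTDS registry key present'    = Test-Path -Path $ntds
        'net accounts role PRIMARY'    = $role -match 'PRIMARY'
        'KDC service running'          = (Get-Service -Name Kdc -ErrorAction SilentlyContinue).Status -eq 'Running'
        'NetBIOS <1C> name registered' = [bool]((nbtstat -n) -match '<1C>')
        'SYSVOL share exists'          = $shares -contains 'SYSVOL'
        'NETLOGON share exists'        = $shares -contains 'NETLOGON'
        'RootDSE isSynchronized'       = "$($rootDse.isSynchronized)" -eq 'TRUE'
        # --- global catalog checks ---
        'GC Promotion Complete = 1'    = $gcDone -eq 1
        'RootDSE isGlobalCatalogReady' = "$($rootDse.isGlobalCatalogReady)" -eq 'TRUE'
        'Event 1119 in DS log'         = $null -ne $evt1119
    }
}

# Print one line per check; any FAIL in the first group means the server is not
# yet a working DC, any FAIL in the second means it is not yet advertising as a GC.
$results = Test-DcAdvertising
foreach ($r in $results.GetEnumerator()) {
    '{0,-30} {1}' -f $r.Key, $(if ($r.Value) { 'OK' } else { 'FAIL' })
}
```

A freshly promoted GC will typically show the first group OK and the second group FAIL until the replication described above has finished.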