U-Tools: Unique Tools for Windows System Administrators
U-Move Help

Troubleshooting AD Errors

If Dcdiag reports a failed test you will need to troubleshoot the problem.

When cloning Active Directory, almost all failed tests are due to network or DNS configuration errors on the new computer, or to configuration errors that were already present on the source computer. This is because U-Move clones an exact byte-for-byte copy of the AD database: any internal AD database errors were simply copied to the new DC.

U-Move does not correct or repair internal AD database errors.

Common Problem: No Loopback Connectivity

A common problem is no loopback connectivity. The domain controller acts as its own client. The NETLOGON service on the DC opens a network connection to the LDAP service (on the same DC) to query AD in order to validate logon passwords from client computers. This is called a loopback connection.

The local DC queries DNS to look up its own name on the network in order to connect back to itself. If DNS is misconfigured then the domain controller cannot “see” itself on the network, and users will not be able to log on.

The problem is usually due to a DNS configuration error that prevents loopback connectivity.

Another common cause is a configuration error in the settings of the DC's network interface controller (NIC). For example the NIC might have been assigned the wrong static IP address or the wrong netmask, or it might still point at a DNS server that no longer exists in the cloned environment. To troubleshoot see Troubleshooting a Remote Connection.

Another common cause is disabling the network interface controller (NIC) in Device Manager. Doing so will prevent loopback connectivity within the domain controller itself and AD will appear to be non-functional. (Instead of disabling the NIC, either disconnect the network cable or block the guest VM's network connectivity at the host level.)
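The following PowerShell script is an added example (not part of U-Move or its documentation) that checks, from the cloned DC itself, the conditions described above: that a NIC is actually up, that the DC resolves its own fully qualified name to one of its own addresses, that the `_ldap._tcp.dc._msdcs` SRV record points back at this DC, and that LDAP (389) and Kerberos (88) answer when reached through the DC's own name rather than 127.0.0.1. It assumes it is run in an elevated PowerShell on the cloned DC and uses only cmdlets built into Windows Server (NetAdapter, NetTCPIP and DnsClient modules); the domain name is taken from Win32_ComputerSystem so that nothing has to be typed in.

```powershell
# Added example, not U-Move code. Run elevated on the cloned DC.
# Reports the usual causes of a DC that cannot "see" itself on the network.

$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$fqdn   = "$env:COMPUTERNAME.$domain".ToLower()
$problems = @()

# 1. A NIC disabled in Device Manager kills loopback even though 127.0.0.1 still answers.
$nics = Get-NetAdapter | Where-Object { $_.InterfaceDescription -notmatch 'Loopback' }
if (-not ($nics | Where-Object { $_.Status -eq 'Up' })) {
    $problems += "No NIC is Up: " + (($nics | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ')
}

# 2. Addresses this DC actually holds (loopback and APIPA excluded).
$localIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress

# 3. The DC must resolve its own name, via DNS only (no hosts file, no LLMNR), to one of those addresses.
try {
    $resolved = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $wrong = $resolved | Where-Object { $_ -notin $localIPs }
    if ($wrong) {
        $problems += "$fqdn resolves to $($wrong -join ', '), which is not a local address (local: $($localIPs -join ', '))"
    }
} catch {
    $problems += "Cannot resolve own name ${fqdn}: $($_.Exception.Message)"
}

# 4. NETLOGON and clients locate a DC through this SRV record; it must name this DC.
$srvName = "_ldap._tcp.dc._msdcs.$domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq 'SRV' }
    $targets = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() })
    if ($fqdn -notin $targets) {
        $problems += "No $srvName record names $fqdn (found: $($targets -join ', '))"
    }
} catch {
    $problems += "Cannot resolve ${srvName}: $($_.Exception.Message)"
}

# 5. LDAP and Kerberos must be reachable through the DC's own name, not just through 127.0.0.1.
foreach ($port in 389, 88) {
    $t = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) {
        $problems += "TCP $port to $fqdn failed (resolved to $($t.RemoteAddress))"
    }
}

# Show which DNS servers each interface uses; a clone often still points at the source network's DNS server.
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    ForEach-Object { "DNS servers on $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Loopback connectivity looks OK.' }
```

Each warning maps to one of the causes above: a NIC that is not Up points at Device Manager or the host's network settings, a name that resolves to a foreign address or an SRV record that names another DC points at the DNS zone, and a failed TCP test with a correct address points at the NIC's IP or netmask settings.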

Common Problem: Old Backup

If you are restoring AD from an old backup snapshot (more than 60 days old), and there are other domain controllers in the domain that you did not also restore, the DC shared secret (the restored DC's computer-account password, which Windows renews automatically, every 30 days by default) will likely no longer match what the other DCs hold. The other (non-restored) DCs then refuse to authenticate the restored DC, which prevents it from replicating with them.

The symptoms are error messages in the Directory Service event log that report Access denied or Failed to authenticate during replication.

To fix the problem, you need to resynchronize the DC shared secret with the other domain controllers. See Resetting the DC Shared Secret.
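The following PowerShell script is an added example (not part of U-Move or its documentation) that confirms the diagnosis before you reset anything. It compares the restored DC's own computer-account password timestamp (`pwdLastSet`) as stored in the restored database with the value held by a DC you did not restore, then lists the matching Directory Service errors and the per-partner replication status from `repadmin /showrepl /csv`. It assumes the ActiveDirectory module (installed on every DC), that it runs elevated on the restored DC, and that `$Partner` names a non-restored DC; the example name `dc02.corp.example` is a placeholder. The reset itself is described under Resetting the DC Shared Secret.

```powershell
# Added example, not U-Move code. Run elevated on the restored DC.
# Usage: .\Check-DcSecret.ps1 -Partner dc02.corp.example   (partner name is a placeholder)
param(
    [Parameter(Mandatory)] [string] $Partner   # a DC that was NOT restored from the old backup
)
Import-Module ActiveDirectory

$me = $env:COMPUTERNAME

# pwdLastSet is stored as a Windows FILETIME (Int64). Read our own object twice:
# once from the restored local database and once from the partner DC.
$local = Get-ADComputer -Identity $me -Properties pwdLastSet -Server $me
try {
    $remote = Get-ADComputer -Identity $me -Properties pwdLastSet -Server $Partner -ErrorAction Stop
} catch {
    # With a diverged secret even this query can fail; that failure is itself the symptom.
    Write-Warning "Query to $Partner failed: $($_.Exception.Message). Retry with -Credential if needed."
    $remote = $null
}

$localSet = [DateTime]::FromFileTimeUtc($local.pwdLastSet)
"$me pwdLastSet in the restored database : $localSet"
if ($remote) {
    $remoteSet = [DateTime]::FromFileTimeUtc($remote.pwdLastSet)
    "$me pwdLastSet as held by $Partner : $remoteSet"
    if ($remoteSet -gt $localSet) {
        $days = [int]($remoteSet - $localSet).TotalDays
        Write-Warning "Shared secret diverged: the domain renewed the password of $me $days day(s) after this backup was taken. Reset the DC shared secret before replication can resume."
    } elseif ($remoteSet -eq $localSet) {
        "pwdLastSet matches; the shared secret is not the cause of the replication failure."
    }
}

# Replication failures caused by a bad secret surface in the Directory Service log (Level 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'access (is )?denied|failed to authenticate|logon failure' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# repadmin's CSV form gives the per-partner status code. Status 5 (ERROR_ACCESS_DENIED) and
# 8453 (replication access was denied) are the codes that accompany this problem.
repadmin /showrepl /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Naming Context', 'Last Failure Status', 'Last Failure Time', 'Last Success Time' |
    Format-Table -AutoSize
```

If the partner shows a newer `pwdLastSet` than the restored database, the shared secret has been renewed since the backup and must be resynchronized as described in Resetting the DC Shared Secret; if the timestamps match, look for a different cause (most often the DNS and loopback problems described above).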

More Information

For more information on how to troubleshoot Active Directory errors see the following topics: