• "Book - Tips and Tricks Guide to Active Directory Troubleshouting - Pages 8-10"
  Published by Don Jones (relatimepulishers.com)
  http://de.scribd.com/doc/46636938/Active-Dir-Troubleshooting

Operating System

Windows Server 2008

Problem

Various troubleshooting methods and analysis for PDC Emulator issues in Windows Server 2008

Solution

The PDC emulator plays a vital role in the operation of any Active Directory domain. It is responsible for time synchronization, processing account lockouts, and more. If the PDC Emulator fails, several key domain functions, including security functions, can stop functioning properly.

If our domain exhibits any of the following symptoms, you need to verify the status of the PDC emulator role:

• Users are unable to log on—this symptom can occur if the domain’s time Synchronization becomes more than about 5 minutes out of sync. The reason is that the PDC emulator is the central source for time sync; a general lack of domain time synchronization can often be traced to the PDC emulator.

• User accounts that should be locked out aren’t locked out—The PDC emulator processes

            account lockouts for the entire domain.

• Pre-Windows 2000 (Win2K) clients are unable to change their passwords—The PDC emulator provides password-change processing for non-Active Directory client computers.

• Windows NT Backup Domain Controllers (BDCs) are not receiving updates to the domain user lists—The PDC emulator is responsible for replicating these updates to down-level domain controllers.

Some of the symptoms of a PDC emulator failure can be traced to a replication failure, network failure, or other condition unrelated to the PDC emulator. To verify proper operation of the PDC emulator, follow these steps:

• Identify the domain controller that has the PDC emulator role. From the command line of any domain controller, run

dsquery server –hasfsmo pdc

The output shows as like in the below picture

The command-line utility will report the fully qualified name of the domain controller believed to hold the role. Note that server is an actual dsquery parameter and not the name of a particular server on your network.

Here, from the above output we come to know that the computer name is MASTERSERVER and domain controller which holds the PDC emulator is itoc.com.

• Verify network connectivity to the domain controller by using the ping command. Then attempt to connect to the domain controller by using the Active Directory Users and Computer console from another domain controller or client computer. If either of these steps fail, troubleshoot the domain controller for basic network connectivity. Also ensure that all domain controllers in the domain are running the same Windows service pack

level.

• Verify that Active Directory replication is working properly. On the domain controller holding the PDC emulator role, run 

                                     Repadmin /showreps servername

Supplying the server name of the domain controller that holds the PDC emulator role. Any errors indicate a problem with Active Directory replication, which you should resolve.

Here we put our server name as MASTERSERVER.

The output looks like as shown in below figure

The Repadmin tool is provided as part of the Support Tools, which are available on the Windows

Server product CD/DVD-ROM.

• Verify that the PDC emulator role is functioning. On the domain controller holding the PDC emulator role, force a user account to lock out (by logging on with a bad password multiple times, for example).

• Verify that the account appears locked out in Active Directory Users and Computers on the domain controller. If not, the PDC emulator has failed. If the account locks out, verify that the locked out status replicates to other domain controllers in the domain. If it does not replicate to some domain controllers, troubleshoot for Active Directory replication failure.
• If it does not replicate to any domain controllers, the PDC emulator role might have failed.
• We will need to be familiar with your domain’s account lockout policy in order to effect an account lockout. Note that disabling an account is not the same as the account being locked out, and will not be handled the same by the PDC emulator.

If we determine that the PDC emulator has failed, try these corrective actions:

• If the domain controller believed by Active Directory to hold the PDC emulator role no longer exists, seize the role on another domain controller in the domain.

• If the domain controller containing the PDC emulator role is still functioning, restart it. Re-verify the proper function of the PDC emulator. If it is still not working properly, attempt to transfer the PDC emulator role to another domain controller. If you cannot, remove the domain controller from the network and seize the PDC emulator role on another domain controller.

• If the domain controller that holds the PDC emulator role has failed, seize the PDC emulator role on another domain controller. Remove the original domain controller from the network and do not reconnect it until it has been repaired and demoted to member server status in the domain.