Some tools for troubleshooting Active Directory setups

Posted: (EET/GMT+2)

 

I was recently asked to help investigate an issue with an Active Directory (AD) setup, and wanted to share some good-to-know utilities that can help solve problems in AD setups.

In simple setups with just a single domain and a single domain controller, everything usually "just works". However, in more complex setups where there are multiple domain controllers, multiple domains and segmented networks, sometimes there are issues that need adjustment.

In many cases, I've found that issues are either related to DNS configuration errors or to a certain mandatory domain role ("Operations Master") not being available. With this in mind, I'm listing a couple of useful utilities (tools) and commands that can be used to get more information about the issue at hand.

The tools I can recommend are (in no special order):

  • DNSLint: a command-line utility for checking that the DNS setup is correct.
  • Netdom, especially with the "query" option: allows you to gather information about the domain. Try for instance "netdom query fsmo" for a list of the servers holding the Operations Master roles.
  • DSGet, similar to Netdom: allows you to query information about objects in the directory. For example, to detect if your Global Catalog (GC) works okay, try querying properties of objects with "dsget user".
  • NTDSUtil: a utility to view and manage domain setups, such as Operations Masters (old name FSMO).
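
As an added example (not part of the original post), the PowerShell sketch below combines the two usual suspects mentioned above: it parses the output of "netdom query fsmo", warns about any Operations Master role with no reported holder, and checks that each holder resolves in DNS and answers on LDAP. The host names in the sample are constructed, and the use of Resolve-DnsName, Test-NetConnection and TCP port 389 as the probe are assumptions of this example rather than tools from the list.

```powershell
# Added example: map each Operations Master role to its holder, then check
# DNS resolution and basic reachability of every holder.
$expectedRoles = 'Schema master', 'Domain naming master', 'PDC',
                 'RID pool manager', 'Infrastructure master'

function ConvertFrom-NetdomFsmo {
    param([string[]]$Lines)
    # netdom prints "<role name><two or more spaces><holder FQDN>" per role;
    # the trailing status line has no double space and is skipped.
    foreach ($line in $Lines) {
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<holder>\S+)\s*$') {
            [pscustomobject]@{ Role = $Matches.role; Holder = $Matches.holder }
        }
    }
}

# Constructed sample output (hypothetical host names), used when netdom is
# not installed. The Infrastructure master line is left out on purpose.
$sample = @(
    'Schema master               dc1.corp.example'
    'Domain naming master        dc1.corp.example'
    'PDC                         dc2.corp.example'
    'RID pool manager            dc2.corp.example'
    'The command completed successfully.'
)

$raw = if (Get-Command netdom.exe -ErrorAction SilentlyContinue) {
    netdom query fsmo
} else { $sample }

$holders = @(ConvertFrom-NetdomFsmo -Lines $raw)

# A role missing from the output is itself a finding.
foreach ($role in $expectedRoles) {
    if ($holders.Role -notcontains $role) {
        Write-Warning "No holder reported for role: $role"
    }
}

foreach ($h in $holders) {
    $dns = [bool](Resolve-DnsName -Name $h.Holder -ErrorAction SilentlyContinue)
    $ldap = $false
    if ($dns) {
        # TCP 389 (LDAP) as a basic "is the domain controller answering" probe.
        $ldap = Test-NetConnection -ComputerName $h.Holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    [pscustomobject]@{ Role = $h.Role; Holder = $h.Holder
                       DnsResolves = $dns; LdapReachable = $ldap }
}
```

A row with DnsResolves set to False points at the DNS side (where DNSLint helps), while a resolving but unreachable holder points at the role holder itself.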

All these tools are either part of the operating system or free. Good luck!