Tag Archives: troubleshooting

Review Active Directory Domain Service Events with PowerShell

There are different ways to review Active Directory Domain Services related logs on a domain controller. The most common way is to review events in the Event Viewer MMC.

We can also review events through Server Manager.

We can also use PowerShell to review or filter event logs on local and remote computers without installing or configuring any additional service. Get-EventLog is the cmdlet used below. Two caveats: it only reads the classic event logs (Application, System, Security and service logs such as Directory Service, not the Applications and Services Logs channels), and it exists only in Windows PowerShell 5.1 and earlier. On PowerShell 7 use Get-WinEvent with -FilterHashtable instead; every command below has an equivalent there.

Get-EventLog -List

The above command lists the event logs on the local system, including each log's name, maximum size, overflow action and number of entries.

Get-EventLog -LogName 'Directory Service' | fl

The above command lists all events in the Directory Service log in list format (fl is the alias of Format-List). On a busy DC this is a lot of output, so the filters below are what you will normally use.

We can also limit the number of events returned. For example, to list only the latest five events from the Directory Service log:

Get-EventLog -Newest 5 -LogName 'Directory Service'

We can filter further by entry type.

Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error

The above command lists the latest five events of type Error in the Directory Service log. Get-EventLog returns newest entries first, so -Newest 5 gives the five most recent matches, not the five oldest.

We can also add a time limit to narrow the result further.

Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error -After (Get-Date).AddDays(-1)

The above command lists up to five Error events written to the Directory Service log in the last 24 hours.

We can also get events from remote computers.

Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName 'REBEL-SRV01' | fl -Property *

The above command lists the latest five entries in the Directory Service log of the remote computer REBEL-SRV01, with all properties shown. The remote read goes over RPC to the Event Log service on the target, not over WinRM, so the target needs the Remote Event Log Management firewall rule enabled and the calling account needs read access to that log.

We can also pull events from several computers at once.

Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName 'localhost', 'REBEL-SRV01'

The above command lists the log entries from the local computer and from REBEL-SRV01. Use the MachineName property of each entry to tell the two sources apart.

We can also filter by event source.

Get-EventLog -LogName 'Directory Service' -Source 'NTDS KCC'

The above command lists the events whose source is NTDS KCC (the Knowledge Consistency Checker, which builds the replication topology).

We can also search for specific event IDs.

Get-EventLog -LogName 'Directory Service' | Where-Object { $_.EventID -eq 1000 }

The above command lists the events with event ID 1000. Note that this filters on the client after the whole log has been read: Get-EventLog has no -EventID parameter, and its -InstanceId parameter matches the full instance ID, which can differ from the displayed EventID for events that carry qualifier bits. Combine the Where-Object filter with -After or -Newest when the log is large.

Note: Microsoft publishes a recommended list of events to audit periodically to identify potential issues in an Active Directory environment. The complete list is available at https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/appendix-l–events-to-monitor
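Putting the filters above together, here is an added example (not code from the original post) that collects Directory Service errors and warnings from one or more domain controllers, summarises them by computer, source and event ID, and flags IDs on a watch list. It assumes Windows PowerShell 5.1 (Get-EventLog is not in PowerShell 7), read access to the remote logs and the Remote Event Log Management firewall rule on the targets; REBEL-SRV01 is the placeholder name from the post, and the watch list is an illustrative set of replication-health events, not Microsoft's Appendix L list.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1,
# read access to the remote Directory Service logs and the Remote Event Log
# Management firewall rule enabled on each target DC.

# Illustrative watch list (not the Appendix L list): 1311 KCC could not build a
# replication topology, 1388/1988 lingering objects, 1864 partner not replicated
# recently, 2042 replication lapse exceeded the tombstone lifetime, 2087 DNS lookup
# of a replication partner failed.
$DefaultWatchList = 1311, 1388, 1864, 1988, 2042, 2087

function ConvertTo-DsEventSummary {
    param(
        [Parameter(Mandatory)][object[]]$Event,
        [int[]]$WatchList = $DefaultWatchList
    )
    # One row per (computer, source, event ID), watched IDs and busiest rows first
    $Event | Group-Object MachineName, Source, EventID | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Computer = $first.MachineName
            Source   = $first.Source
            EventID  = $first.EventID
            Count    = $_.Count
            Last     = ($_.Group | Sort-Object TimeGenerated -Descending)[0].TimeGenerated
            Watched  = $WatchList -contains $first.EventID
        }
    } | Sort-Object @{Expression = 'Watched'; Descending = $true},
                    @{Expression = 'Count';   Descending = $true}
}

function Get-DsEventSummary {
    param(
        [string[]]$ComputerName = @('localhost'),
        [int]$Days = 1,
        [int[]]$WatchList = $DefaultWatchList
    )
    $since  = (Get-Date).AddDays(-$Days)
    $events = foreach ($dc in $ComputerName) {
        try {
            # -EntryType and -After narrow the result before it reaches the pipeline;
            # the event ID check happens afterwards because Get-EventLog has no -EventID.
            Get-EventLog -LogName 'Directory Service' -ComputerName $dc `
                         -EntryType Error, Warning -After $since -ErrorAction Stop
        } catch {
            # A DC that is offline or blocks RPC should not abort the whole sweep
            Write-Warning "Could not read the Directory Service log on ${dc}: $($_.Exception.Message)"
        }
    }
    if ($events) { ConvertTo-DsEventSummary -Event $events -WatchList $WatchList }
}

# Constructed sample entries (same property names as EventLogEntry) so the summary
# can be tried on a workstation that has no Directory Service log.
$sample = @(
    [pscustomobject]@{ MachineName = 'REBEL-SRV01'; TimeGenerated = (Get-Date).AddHours(-2); EntryType = 'Warning'; Source = 'NTDS KCC';         EventID = 1311 }
    [pscustomobject]@{ MachineName = 'REBEL-SRV01'; TimeGenerated = (Get-Date).AddHours(-1); EntryType = 'Warning'; Source = 'NTDS KCC';         EventID = 1311 }
    [pscustomobject]@{ MachineName = 'REBEL-SRV01'; TimeGenerated = (Get-Date).AddHours(-5); EntryType = 'Error';   Source = 'NTDS Replication'; EventID = 2042 }
    [pscustomobject]@{ MachineName = 'localhost';   TimeGenerated = (Get-Date).AddHours(-3); EntryType = 'Error';   Source = 'NTDS ISAM';        EventID = 623  }
)
ConvertTo-DsEventSummary -Event $sample | Format-Table -AutoSize

# Live sweep of the local DC and REBEL-SRV01 for the last day:
# Get-DsEventSummary -ComputerName 'localhost', 'REBEL-SRV01' -Days 1 | Format-Table -AutoSize
```

With the constructed sample the table comes out as the two watched rows first (1311 with a count of 2, then 2042) and the unwatched NTDS ISAM 623 last. The summary function is kept separate from the collection so the same grouping can be fed from Get-WinEvent on PowerShell 7 by mapping its MachineName, ProviderName, Id and TimeCreated properties onto the names used here.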

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.  

Group policy Troubleshooting – Part 01

When it comes to Group Policy troubleshooting in a domain environment, the problem is usually one of the following:

1)    Group Policies are not applied as expected, whether to an OU or to the entire domain
2)    Group Policies are applied but do not do what was expected

So where do we start? How do we find the exact issue and fix it?

Most of the time admins jump straight into the Group Policy Management console, but that is not the place to start.

1)    Check Event Viewer. It is a good place to start: look for errors and warnings related to Group Policy in the System log and, on Windows Vista/Server 2008 and later, in Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational.
2)    Check that a DC is reachable. If testing from a user PC or server, confirm that it can locate and reach a domain controller.
3)    Check network connectivity and DNS. Confirm the network connection is working and the DNS settings are correct; a client that cannot resolve the domain's SRV records cannot find a DC. If the client and DC are on different subnets, make sure the DC can reach the target users' computers as well.

After that we can use the tools provided by Windows Server 2012 to analyse the problem. Windows Server 2012 provides three tools that help with Group Policy troubleshooting.

1)    The Group Policy Results Wizard
2)    GPResult.exe command
3)    Group Policy Modeling Wizard

Group Policy Results Wizard

Using the wizard we can identify GPO-related issues for a user on a given computer or server. To run this tool the following requirements must be met.

1)    The target must run Windows XP or newer
2)    The target must be online and reachable from the source without issue
3)    You need administrative rights on the target computer
4)    WMI must be running on the target, and TCP ports 135 (RPC endpoint mapper, used by WMI/DCOM) and 445 (SMB) must be open to it
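The three manual checks above (event log, DC reachability, network and DNS) and the four wizard prerequisites can be run as one pre-flight script before opening the wizard. The following is an added example, not code from the original post; it assumes Windows PowerShell on a domain-joined machine, an account that is a local administrator on the target, and a placeholder target name (REBEL-PC01).

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 on a
# domain-joined machine and an account with local admin rights on the target.
function Test-GpResultPrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $r = [ordered]@{ Target = $Target }

    # Check 1: recent Group Policy errors on the target (Level 2 = Error). Get-WinEvent
    # reads the remote log over the Event Log RPC interface; no WinRM is needed.
    $gpErrors = @(Get-WinEvent -ComputerName $Target -FilterHashtable @{
            LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
            Level     = 2
            StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue)
    $r.GpErrorsLast24h = $gpErrors.Count

    # Check 2: can this machine locate a DC for the domain (DC locator uses DNS SRV records)?
    $null = nltest /dsgetdc:$Domain 2>&1
    $r.DcLocatable = ($LASTEXITCODE -eq 0)

    # Check 3: does the target name resolve in DNS, and does it answer on the network?
    $r.DnsResolves = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)
    $r.Online      = Test-Connection -ComputerName $Target -Count 1 -Quiet

    # Wizard prerequisite: TCP 135 (RPC endpoint mapper for WMI/DCOM) and 445 (SMB) open
    foreach ($port in 135, 445) {
        $r["Tcp$port"] = (Test-NetConnection -ComputerName $Target -Port $port `
                              -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Wizard prerequisite: administrative rights. admin$ is readable only by local admins.
    $r.AdminRights = Test-Path -Path "\\$Target\admin$"

    # Wizard prerequisite: WMI reachable over DCOM (the wizard collects RSoP data through
    # WMI) and an OS of Windows XP / Server 2003 or newer (NT version 5.1 and above).
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
        $r.Wmi         = $true
        $r.OsVersion   = $os.Version
        $r.OsNewEnough = [version]$os.Version -ge [version]'5.1'
    } catch {
        $r.Wmi = $false; $r.OsVersion = $null; $r.OsNewEnough = $false
    }

    $r.ReadyForWizard = $r.Online -and $r.Tcp135 -and $r.Tcp445 -and
                        $r.AdminRights -and $r.Wmi -and $r.OsNewEnough
    [pscustomobject]$r
}

# Run the pre-flight against the placeholder target before starting the wizard
Test-GpResultPrereq -Target 'REBEL-PC01' | Format-List
```

A failed Tcp135 or Wmi result with Online true almost always means a firewall between the DC and the target; a false AdminRights with everything else true means the account, not the network, is the problem. GpErrorsLast24h greater than zero is the cue to read the GroupPolicy Operational log on the target before running the wizard at all.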

Let's see how to run this tool.

1)    Log in to the DC as a Domain Admin or Enterprise Admin
2)    Open Server Manager
3)    Go to Tools > Group Policy Management

4)    Expand the tree and go to Group Policy Results

5)    Right-click it and click Group Policy Results Wizard

6)    The wizard opens. Click Next to continue

7)    On the next page select the Another computer option and click Browse to select the target computer

8)    The next window asks which user to check. Select the user and click Next

9)    The wizard shows a summary of the selection. Click Next to proceed

10)    Click Finish to exit the wizard

11)    The resulting report is then shown in the console, with the applied GPOs, the denied GPOs and the reason each was denied, and the computer and user settings that resulted

This is the end of part 01. In the next post we will look at the other two tools.

If you have any questions about the post feel free to contact me on rebeladm@live.com