Microsoft Azure AZ-801 — Section 20: Troubleshoot Active Directory Part 2
123. Troubleshoot hybrid authentication issues
Let’s talk now about issues that we could have involving hybrid authentication.
So, we’ve connected our on-premises domain with Azure AD. Right? So, we’ve got a synchronization service running between our machine on-premises and the cloud, and of course our users are supposed to synchronize. Maybe we have a situation where a user is not synchronizing, and it could be because the user has an invalid character. For example, if the user has a space in its name, then at that point it’s not going to synchronize.
Now, there is a tool that I’ll just point out to you, because you should already be a little bit aware of this, but I’m refreshing your memory. It’s called the IdFix tool, so you can download the IdFix tool. This little tool will allow you to run a scan against Active Directory, and it will let you know if there are any accounts that are invalid, like if there are invalid characters. It’ll also help you fix those accounts. You can’t run this on a server. You can run it on a client operating system though, so you’d have to bring up a client operating system to run it.
So, that’s the first thing to think about here.
The next would be to look at Azure itself and see if we’ve got an Azure AD Connect problem. And I know we do, because I’ve removed Azure AD Connect from my server and it’s generated some errors. So, I want to look at that with you.
So, I’m going to go to the Azure portal (portal.azure.com), click the menu button, go to Azure Active Directory, and from there take a look at the Azure AD Connect blade that we have. We’ll scroll down, and once this is done loading we’ll click on Azure AD Connect, and it’s going to tell you that synchronization hasn’t happened for a while.
It says more than a day. Right? And you should already be aware that one of the troubleshooting techniques here would be to go look at Azure AD Connect Health. This is something that has been discussed before. I should be able to go here to sync errors, and I can see that there are synchronization errors here.
One of the reasons why authentication may not work for users with on-premises accounts into Azure AD is because synchronization hasn’t been occurring. So, if I go here, I can see that it says duplicate attribute for one of our users. Jane Doe would definitely have a problem, because there’s a duplicate attribute there. But also, if we go to sync services, we can see that it’s unhealthy; it’s not syncing. So, synchronization has not been occurring between the NYC-SVR1 server and Azure AD.
Another thing you can do is check Event Viewer: go into Event Viewer on the server, look at the System log, and look for errors. And the next step, and this is what’s great about it, is that you can simply remove the Azure AD Connect software from your server and reinstall it. You can just start over. You can do a repair as well, but if you ever want to change anything, you’re going to have to remove and reinstall it anyway.
That’s actually what I’ve done here. I’ve removed Azure AD Connect. You can go into Programs and Features in Control Panel and remove it, then re-download the tool and run it again. You go through the exact same scenario that you’ve seen me go through already as far as installing this goes: you install it, you go through the wizard, and at that point it should start syncing again. You’ve seen me do this before.
So, it’s the same exact steps that you’ve seen me do previously, but that is going to be one of your major ways to troubleshoot an issue like that: go out there and just re-establish the synchronization connection. From there, you should be able to refresh all this. After you do the synchronization, it may take 15 to 20 minutes, but you should be able to refresh and it should show that you have an active connection going, that it’s all working. At that point I should also be able to go back into Azure Active Directory and see my users and all of that popping up there from on-premises.
Big thing: check your logs. If you’re dealing with specific users that are not getting synced, run the IdFix tool. And one of the most important ways of fixing problems with Azure AD Connect is just to remove it and put it back on there. If you run Azure AD Connect again while it’s still on the machine, there is a repair option that you can try, but if you’re wanting to change anything or add anything, it’s better just to remove it and reinstall it.
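The two sync blockers this section shows, an invalid character in a user's name and a duplicate attribute across users, can be found from PowerShell before you even open IdFix or Connect Health. The script below is an added example, not code from the course or from Microsoft's IdFix tool; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the allowed-character pattern for the UPN is my approximation of the published UPN rules, not something taken from the page.

```powershell
# Added example (not from the course): pre-sync check for the two IdFix-style
# findings discussed above. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Characters accepted in the part of a UPN before the @ (assumption based on the
# published UPN rules: letters, digits, and ' . - _ ! # ^ ~). A space fails this,
# which is exactly the example from the lecture.
$UpnLocalPattern = "^[A-Za-z0-9'._!#^~\-]+$"

function Get-SyncBlockingUsers {
    $findings = New-Object System.Collections.Generic.List[object]
    $users = Get-ADUser -Filter * -Properties UserPrincipalName, mail, proxyAddresses

    # 1. Invalid characters (or no UPN at all) on the user's logon name.
    foreach ($u in $users) {
        if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
            $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Value = ''; Problem = 'missing' })
            continue
        }
        $local = $u.UserPrincipalName.Split('@')[0]
        if ($local -notmatch $UpnLocalPattern) {
            $findings.Add([pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Value = $u.UserPrincipalName; Problem = 'invalid character' })
        }
    }

    # 2. Duplicate attributes: the same UPN, mail, or SMTP proxy address on more
    #    than one object, which is what Connect Health reports as "duplicate attribute".
    $values = foreach ($u in $users) {
        if ($u.UserPrincipalName) { [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'userPrincipalName'; Value = $u.UserPrincipalName.ToLower() } }
        if ($u.mail)              { [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'mail';              Value = $u.mail.ToLower() } }
        foreach ($p in $u.proxyAddresses) {
            # -like is case-insensitive, so both "SMTP:" (primary) and "smtp:" match
            if ($p -like 'smtp:*') { [pscustomobject]@{ User = $u.SamAccountName; Attribute = 'proxyAddresses'; Value = $p.Substring(5).ToLower() } }
        }
    }
    $values | Group-Object -Property Value | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        foreach ($v in $_.Group) {
            $findings.Add([pscustomobject]@{ User = $v.User; Attribute = $v.Attribute; Value = $v.Value; Problem = "duplicate (shared by $($_.Count) objects)" })
        }
    }
    return $findings
}

# Usage: list every user that would be skipped or errored by the sync, grouped by account
Get-SyncBlockingUsers | Sort-Object User | Format-Table -AutoSize
```

Run it on a domain-joined workstation with RSAT, the same place the lecture says to run IdFix. Every row is one attribute on one account, so a duplicate shows up once per object that shares the value; fix the attribute on the account that should not own it, then re-run until the list is empty before forcing another sync cycle.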
124. Troubleshoot on-premises Active Directory
Let’s talk about troubleshooting on-premises Active Directory.
Now, I’m going to start with probably the most common problem that people have in Active Directory. There’s no telling how many phone calls Microsoft has had over the years, thousands and thousands, dealing with this one problem, and that is DNS. Active Directory absolutely requires you to have a DNS server set up to host these special records called service records, or service location (SRV) records. Without those records, Active Directory absolutely will not function correctly.
In our case, when we installed Active Directory, we told it to go ahead and set up DNS. So, if I go right here to Tools, I should be able to see DNS right there. Go to Forward Lookup Zones, and there is our database right there: examlabpractice.com. And it has to be named after your domain.
The mistake that a lot of people make when they set up their domain controller for the first time is they don’t point to their DNS server for DNS; they’re pointing to their ISP. So, when you come over here and look at your TCP/IP configuration, what you’ll find nine times out of ten is that somebody’s pointing to their ISP for DNS, and this causes a big, big problem. The reason they’re pointing to their ISP, their router or whatever, for DNS is because they’re using that to get out to the Internet. Right. Oops, wrong NIC. It is this one.
So, if I go right here to Properties now, let me make sure I chose the right one here. Yeah, okay. You’ve got to make sure, because I’m using DHCP in this case to get an address, but what you’ve got to do is make sure that you are pointing to the correct DNS. If I run ipconfig, you can see right now this adapter is not pointing to the correct server for DNS; it’s pointing to my router, and that’s not going to work. That’s the mistake a lot of people make.
How can I fix that? Well, first off, in the real world, normally you’re going to give static addresses to your servers. Now, in the lab, I didn’t do that, because I didn’t want to be putting IP addresses in here and have you copy me and end up with the wrong information. That’s the reason I did it this way. But for my DNS, I’m just going to put my loopback address, 127.0.0.1, which means I’m pointing to myself for DNS, and so now I’ve got the correct DNS in there.
The other thing that happens is people will install Active Directory while they’re pointing to the wrong DNS. And what happens? This is the killer right here in DNS: this zone right here does not get created. It does not get created, and that’s a problem. That’s a huge problem. It’s the most common problem. Probably for 15 years I could have made a living as a consultant just fixing this one problem for people in Active Directory.
What happens if you don’t have that? What do you do? For example, if I just delete this database, I tell it to delete the database. Oh no, it just warned me. Active Directory is not happy that I just deleted that database. It’s going to cause all kinds of problems. If I have any clients joined to the domain, they’re no longer going to authenticate. But here’s what you do. You can create another database. You come in here, New Zone, Primary zone, store the zone in Active Directory (leave this as the default), and then give it the same name as your domain: examlabpractice.com. Next. You can allow dynamic updates; that means computers can register their names. Click Finish. Look how easy that was.
But I’m still missing a bunch of stuff. So what you can do is go into Services and find the service called the Netlogon service. There it is right there. We’re just going to stop that service, give it a second, and then start it back up. So, the Netlogon service is now started back up. We’ll close out of that, close DNS, and reopen it: Tools, DNS. Go back into it, and look what shows up. All the stuff that was missing was recreated. So, Active Directory has the ability to fix itself; you just have to point it at the right DNS.
Of course, in the real world, a lot of times people couldn’t remember what service to restart. You could just reboot the server; that would have fixed the problem as well. And the same thing would happen if you had another domain controller, or another server that was supposed to be pointing to this one and wasn’t registering. You could stop and restart the Netlogon service, and any records that are missing, these service location records, will get recreated.
That’s the thing to consider. You’ve got to make sure all machines are pointing to a server that’s got a copy of this DNS database.
Now, can multiple servers have copies of the DNS database? Sure, absolutely. In fact, you should have that knowledge coming into this already: you can set up replicas of the database. That’s not covered in this course, but it has been covered in the prerequisite knowledge. Hopefully, coming into this, you know you can set up multiple copies of that database. But that’s how you fix that problem, and again, one of the most common problems is DNS. That’s always where you need to start. And of course, the next problem with on-premises Active Directory is replication. You should already be aware of this as well, but there is the dcdiag command; run that and it’ll tell you if there are any replication problems. And because I wasn’t pointing to DNS and all that, you can see it’s generating some errors here, some problems, because I was messing with my DNS.
Now, eventually that’ll fix itself, because I’ve now fixed the DNS problem, but the dcdiag command is going to let you know if there are any kind of issues with Active Directory replication. And then of course the old favorite: always go into Event Viewer and check your System log. Look at your System log, look at your Directory Service log. This is going to help you with troubleshooting Active Directory.
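Everything this section does by clicking through the DNS console, the NIC properties and Services can be checked from one PowerShell session on the domain controller: which DNS servers each adapter points at, whether the zone named after the domain holds the SRV records, the Netlogon restart that re-registers them, and the dcdiag and repadmin replication checks. The script below is an added example, not code from the course; it assumes the RSAT ActiveDirectory and DnsClient modules plus the built-in dcdiag and repadmin tools, and the list of SRV names it probes is my choice of the core records, not something the lecture enumerates.

```powershell
# Added example (not from the course): DNS prerequisite and replication checks
# for a domain controller, done from PowerShell instead of the GUI.
# Assumes: ActiveDirectory and DnsClient modules, dcdiag.exe and repadmin.exe.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot   # e.g. examlabpractice.com in the lab

# 1. Where is each adapter sending DNS queries? Anything that is not this DC,
#    another DC, or loopback (the ISP/router mistake from the lecture) is flagged.
$dcAddresses = @('127.0.0.1') + (Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $bad = $_.ServerAddresses | Where-Object { $_ -notin $dcAddresses }
        [pscustomobject]@{
            Adapter              = $_.InterfaceAlias
            DnsServers           = ($_.ServerAddresses -join ', ')
            NotADomainController = ($bad -join ', ')
        }
    } | Format-Table -AutoSize

# 2. Do the service location (SRV) records that clients use to find a DC resolve?
#    (My selection of the core names; the real set is larger.)
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",      # LDAP on a domain controller
    "_kerberos._tcp.dc._msdcs.$domain",  # Kerberos KDC on a domain controller
    "_ldap._tcp.$domain",
    "_kerberos._tcp.$domain"
)
$missing = foreach ($name in $srvNames) {
    try {
        $answer = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
        if (-not ($answer | Where-Object { $_.Type -eq 'SRV' })) { $name }
    } catch {
        $name   # NXDOMAIN or server unreachable: treat as missing
    }
}

if ($missing) {
    Write-Host "Missing SRV records:`n  $($missing -join "`n  ")"
    # 3. The fix from the lecture: restart Netlogon so this DC re-registers its
    #    records. The zone must already exist and the adapter must point at it.
    Restart-Service Netlogon
    Start-Sleep -Seconds 10
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port
} else {
    Write-Host "All probed SRV records for $domain resolve."
}

# 4. Replication health, the second problem covered in this section.
dcdiag /test:DNS /test:Replications
repadmin /replsummary
```

Run it in an elevated PowerShell on the DC. If step 1 flags the router address, fix the adapter (the lecture uses the loopback address on a single-DC lab) before anything else, because step 2 will keep failing while the DC asks the wrong server; the Netlogon restart in step 3 only helps once the query is landing on a server that hosts the zone.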
So, those are the techniques to keep in mind when it comes to troubleshooting on-premises Active Directory issues.