Microsoft Windows Server

Active Directory

A complete reference for AD architecture, objects, authentication, Group Policy, replication, security hardening, and PowerShell administration.

~90% of Fortune 500 use AD
LDAP / Kerberos core protocols
NTDS.dit central database
DC — Domain Controller
Active Directory Domain Services

01. Architecture — Forest, Tree, Domain & OU

AD Logical Hierarchy (diagram)
FOREST: corp.lfg.com — Forest Root Domain · Schema Master
  us.ad.lfg.com — Root Domain · Primary DC
    OU=Servers, OU=Users, OU=Workstations, OU=Service Accounts
  eu.ad.lfg.com — Child Domain · Regional DC
    OU=Servers, OU=Users
  partner.ext — External Forest ◄─ one-way trust
🏛️ Logical Structure Components
Forest — top boundary of AD. Shares a single schema, global catalog, and configuration partition. Multiple trees can exist in one forest. Example: corp.lfg.com, the security and replication boundary.
Tree — one or more domains sharing a contiguous DNS namespace. Child domains inherit the parent DNS suffix. Example: us.ad.lfg.com is a child of corp.lfg.com.
Domain — administrative and replication unit. Contains OUs, users, computers, and GPOs. Kerberos authentication boundary. Example: us.ad.lfg.com, with its own DCs and policies.
Organizational Unit (OU) — container for organizing objects. GPOs link here. Delegates admin rights. Not a security boundary. Example: OU=Servers,DC=us,DC=ad,DC=lfg,DC=com
Container — built-in (CN=Users, CN=Computers). Cannot have GPOs linked directly; migrate objects to OUs. CN=Computers is the default location for newly domain-joined computers.
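The distinguished names above follow a fixed grammar, and the OU-versus-container distinction decides where a GPO can reach an object. The following is an added example (not code from the original page) that parses a DN, derives the owning domain's DNS name, lists the containers above an object that can carry a GPO link, and flags objects still sitting in the built-in CN=Users / CN=Computers containers. The sample DNs are constructed within the us.ad.lfg.com hierarchy shown above.

```python
"""Added example: parse AD distinguished names and reason about GPO link targets.
Sample DNs are constructed to match the us.ad.lfg.com hierarchy on the page."""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attributeType, value) pairs, honouring backslash-escaped
    separators such as 'CN=Doe\\, John'."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        typ, sep, val = part.strip().partition("=")
        if not sep or not typ:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((typ.upper(), val))
    return pairs


def domain_dns_name(dn: str) -> str:
    """The DC= components, read left to right, give the owning domain's DNS name."""
    return ".".join(val for typ, val in parse_dn(dn) if typ == "DC")


def gpo_link_chain(object_dn: str) -> list[str]:
    """Containers above the object that can carry a GPO link, nearest first:
    each OU up the tree, then the domain root. Built-in CN= containers
    (CN=Users, CN=Computers) are skipped because GPOs cannot be linked there."""
    pairs = parse_dn(object_dn)
    chain = []
    for i in range(1, len(pairs)):
        typ = pairs[i][0]
        if typ == "OU":
            chain.append(",".join(f"{t}={v}" for t, v in pairs[i:]))
        elif typ == "DC":
            chain.append(",".join(f"{t}={v}" for t, v in pairs[i:]))
            break
    return chain


def needs_ou_migration(object_dn: str) -> bool:
    """True when the object still sits in a built-in container directly under
    the domain root, where no OU-level GPO or delegation can reach it."""
    pairs = parse_dn(object_dn)
    if len(pairs) < 2:
        return False
    parent_typ, parent_val = pairs[1]
    above_parent = {typ for typ, _ in pairs[2:]}
    return parent_typ == "CN" and parent_val in {"Users", "Computers"} and above_parent == {"DC"}


if __name__ == "__main__":
    # Constructed sample objects: one in the default container, one in a nested OU.
    for dn in ("CN=SERVER01,CN=Computers,DC=us,DC=ad,DC=lfg,DC=com",
               "CN=WEB01,OU=Web,OU=Servers,DC=us,DC=ad,DC=lfg,DC=com"):
        print(dn, "->", domain_dns_name(dn), gpo_link_chain(dn), needs_ou_migration(dn))
```

Running it shows that a computer left in CN=Computers is reached only by domain-linked GPOs, while one moved into OU=Web,OU=Servers picks up both OU levels before the domain root.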
🗄️ Physical Structure & Components
Domain Controller (DC) — holds a full writable copy of the domain's AD partition. Authenticates users, applies GPO, handles replication. Minimum 2 DCs per domain for redundancy.
Global Catalog (GC) — DC that holds a partial read-only copy of all objects in the forest. Required for logon and universal group resolution. Port 3268 (LDAP) / 3269 (LDAPS) for GC queries.
Read-Only DC (RODC) — holds a read-only copy of AD. For branch offices / DMZ. No passwords cached by default (except explicitly allowed accounts). Prevents credential theft if the physical DC is compromised.
NTDS.dit — the AD database file, located at %SystemRoot%\NTDS\ntds.dit. Backed up via Windows Server Backup / VSS. Never copy it directly — use ntdsutil or IFM.
Sites & Subnets — physical topology. Controls DC selection, replication scheduling, and DFS referrals. One DC per site recommended. Site link cost + replication interval control traffic.
02. AD Objects — Users, Groups, Computers & Schema

👤 User Object
sAMAccountName (String) — pre-Win2K logon name (max 20 chars)
userPrincipalName (String) — UPN: jdoe@corp.lfg.com (used for logon)
distinguishedName (DN) — full LDAP path to the object
objectSID (SID) — unique security identifier — immutable
memberOf (DN[]) — groups the user belongs to
pwdLastSet (Int64) — password last changed timestamp
userAccountControl (Int32) — bitmask: enabled/disabled/locked/etc.
lastLogonTimestamp (Int64) — replicated — accurate to ~14 days
👥 Group Types & Scopes
Group Types
Security — used for permissions and GPO filtering
Distribution — email lists only, no permissions
Group Scopes
Domain Local — assign permissions to resources in the same domain. Can contain users from any domain.
Global — organize users in the same domain. Use for role-based grouping.
Universal — spans the forest. Stored in the GC. Use sparingly — membership changes trigger GC replication.
Best practice: AGDLP
Accounts → Global → Domain Local → Permissions
🖥️ Computer Object
cn (String) — computer name (NetBIOS, max 15 chars)
dNSHostName (String) — FQDN: server01.us.ad.lfg.com
operatingSystem (String) — e.g., Windows Server 2022 Standard
lastLogonTimestamp (Int64) — last domain logon (~14-day accuracy)
servicePrincipalName (String[]) — SPNs registered for Kerberos
userAccountControl (Int32) — 0x1000 = WORKSTATION_TRUST_ACCOUNT
Computer accounts have a machine password that auto-rotates every 30 days. Secure channel maintained by Netlogon service.
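Both attribute tables above carry a userAccountControl bitmask and Int64 timestamps that are not human-readable as stored. The following is an added example (not code from the original page) that decodes userAccountControl into flag names (values are the ADS_UF_* constants from the Windows SDK), converts pwdLastSet / lastLogonTimestamp from FILETIME to a datetime, and applies a few of the risk checks that appear later on this page (pre-auth disabled, non-expiring passwords, stale logons). The sample attribute values are constructed.

```python
"""Added example: decode userAccountControl and FILETIME attributes and flag risk conditions.
Sample attribute values are constructed; flag values are the ADS_UF_* constants."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def filetime_to_datetime(filetime: int):
    """Int64 attributes such as pwdLastSet and lastLogonTimestamp count 100-ns intervals
    since 1601-01-01 UTC. 0 means never set (for pwdLastSet: must change at next logon)."""
    if filetime <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def risk_findings(attrs: dict, now: datetime, stale_days: int = 90, pwd_age_days: int = 365) -> list[str]:
    """Apply common hygiene checks to one object's attributes."""
    flags = set(decode_uac(attrs["userAccountControl"]))
    findings = []
    if "DONT_REQUIRE_PREAUTH" in flags:
        findings.append("AS_REP_ROASTABLE")          # Kerberos pre-authentication disabled
    if "PASSWD_NOTREQD" in flags:
        findings.append("BLANK_PASSWORD_ALLOWED")
    if "DONT_EXPIRE_PASSWORD" in flags and "NORMAL_ACCOUNT" in flags:
        findings.append("PASSWORD_NEVER_EXPIRES")
    if "TRUSTED_FOR_DELEGATION" in flags:
        findings.append("UNCONSTRAINED_DELEGATION")
    pwd_set = filetime_to_datetime(attrs.get("pwdLastSet", 0))
    if pwd_set and now - pwd_set > timedelta(days=pwd_age_days):
        findings.append("OLD_PASSWORD")
    # lastLogonTimestamp is only replicated when it is more than ~14 days stale,
    # so allow that slack before calling an account inactive.
    last = filetime_to_datetime(attrs.get("lastLogonTimestamp", 0))
    if last is None or now - last > timedelta(days=stale_days + 14):
        findings.append("STALE_LOGON")
    if "ACCOUNTDISABLE" in flags:
        findings.append("DISABLED")
    return findings


# Constructed sample: an enabled account with pre-auth disabled, a non-expiring
# password last set on 2024-01-01 UTC, and no replicated logon timestamp.
SAMPLE = {"sAMAccountName": "svc-legacy", "userAccountControl": 0x410200,
          "pwdLastSet": 133485408000000000, "lastLogonTimestamp": 0}


def sample_findings() -> list[str]:
    return risk_findings(SAMPLE, now=datetime(2025, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(decode_uac(SAMPLE["userAccountControl"]))
    print(filetime_to_datetime(SAMPLE["pwdLastSet"]))
    print(sample_findings())
```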
📐 Schema — The Blueprint of AD

The AD Schema defines every object class and attribute in the forest. It is forest-wide and stored in the Schema naming context. Once an attribute is added it cannot be deleted — only deactivated.

Schema partition: CN=Schema,CN=Configuration,DC=corp,DC=lfg,DC=com
Schema Master: one per forest (FSMO role)
Schema extension: Exchange, Lync, SCCM all extend the schema
Schema Admins: high-privilege group — keep empty when not in use
View schema: ADSI Edit → Schema NC
Common Schema Attributes (LDAP display names)
# User class attributes
sAMAccountName — pre-Win2K logon
userPrincipalName — UPN logon
mail — email address
telephoneNumber — phone
department — org unit
manager — DN of manager
# Group class attributes
groupType — security/distribution + scope
member — list of member DNs
managedBy — group owner DN
# Computer class attributes
dNSHostName — FQDN
operatingSystem — OS string
servicePrincipalName — registered SPNs
03. Authentication — Kerberos & NTLM

🎟️ Kerberos Authentication Flow
1. AS-REQ — Authentication Service Request
Client sends username + timestamp encrypted with the password hash to the Key Distribution Center (KDC), which runs on every DC.
2. AS-REP — Ticket Granting Ticket (TGT) issued
KDC verifies credentials and returns a TGT encrypted with the krbtgt account hash. Valid for 10 hours by default.
3. TGS-REQ — Service Ticket Request
Client presents the TGT to the KDC and requests a Service Ticket (ST) for a specific resource (e.g., \\fileserver\share).
4. TGS-REP — Service Ticket issued
KDC issues an ST encrypted with the service account's hash (identified by SPN). No password is sent over the network.
5. AP-REQ — Application Request to resource
Client presents the ST to the target service. The service decrypts it with its own hash and validates it. Access is granted based on the PAC (Privilege Attribute Certificate).
🔑 Kerberos Key Facts
Default ticket lifetime: 10 hours (TGT) · 10 hours (ST)
Max ticket renewal: 7 days
Clock skew tolerance: ±5 minutes — sync NTP or auth fails
KDC location: all DCs — found via DNS SRV records
krbtgt account: encrypts all TGTs — reset after a security breach
SPN format: serviceClass/host:port/serviceName
Kerberos port: TCP/UDP 88
PAC: Privilege Attribute Certificate — carries SIDs for authorization
⚠ Golden Ticket Attack
Attacker with krbtgt hash can forge TGTs for any user, including Domain Admin. Mitigation: reset krbtgt password twice (required due to password history). Enable Protected Users group. Deploy Microsoft Defender for Identity.
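The five-step flow, the ±5 minute skew rule and the "reset krbtgt twice" advice all come down to which key seals which message. The following is an added example (not code from the original page) that models the exchange with both client and KDC sides: the authenticator is sealed under the user's key, the TGT under the krbtgt key, the ST under the service key, and the PAC SIDs travel inside the tickets. The KDC keeps the previous krbtgt key as well as the current one, which is why a single reset still accepts old TGTs and a second reset is needed. seal()/unseal() are a labelled stand-in for Kerberos encryption (keystream XOR plus HMAC), not a real cipher; all passwords, SPNs and SIDs are constructed.

```python
"""Added example: toy model of the AS/TGS/AP exchange and of the krbtgt double reset.
seal()/unseal() stand in for Kerberos encryption; names, passwords and SIDs are constructed."""
import hashlib
import hmac
import json

TGT_LIFETIME = 10 * 3600   # seconds; page: 10 hours default
MAX_CLOCK_SKEW = 300       # seconds; page: ±5 minutes


def derive_key(password: str) -> bytes:
    """Stand-in for an account's long-term key (NT hash / AES key)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption: keystream XOR plus an HMAC tag."""
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise PermissionError("does not verify under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))


class KDC:
    def __init__(self, users: dict, services: dict, krbtgt_password: str):
        self.user_keys = {u: derive_key(pw) for u, (pw, _) in users.items()}
        self.user_sids = {u: sids for u, (_, sids) in users.items()}
        self.service_keys = {spn: derive_key(pw) for spn, pw in services.items()}
        #  krbtgt_keys[0] is current; the previous key is retained (password history),
        # so TGTs sealed with it still verify until a second reset pushes it out.
        self.krbtgt_keys = [derive_key(krbtgt_password)]

    def reset_krbtgt(self, new_password: str) -> None:
        self.krbtgt_keys = [derive_key(new_password)] + self.krbtgt_keys[:1]

    def as_exchange(self, user: str, authenticator: bytes, now: int) -> bytes:
        """Steps 1-2: check the timestamp sealed with the user's key, return a TGT."""
        if abs(unseal(self.user_keys[user], authenticator)["timestamp"] - now) > MAX_CLOCK_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        tgt = {"user": user, "pac_sids": self.user_sids[user], "expires": now + TGT_LIFETIME}
        return seal(self.krbtgt_keys[0], tgt)

    def tgs_exchange(self, tgt_blob: bytes, spn: str, now: int) -> bytes:
        """Steps 3-4: accept a TGT under any retained krbtgt key, return a service ticket."""
        for key in self.krbtgt_keys:
            try:
                tgt = unseal(key, tgt_blob)
                break
            except PermissionError:
                continue
        else:
            raise PermissionError("TGT not verifiable: krbtgt key rotated out")
        if tgt["expires"] < now:
            raise PermissionError("TGT expired")
        st = {"user": tgt["user"], "pac_sids": tgt["pac_sids"], "spn": spn, "expires": now + TGT_LIFETIME}
        return seal(self.service_keys[spn], st)


def client_authenticator(password: str, now: int) -> bytes:
    return seal(derive_key(password), {"timestamp": now})


def service_accept(service_password: str, st_blob: bytes, now: int) -> list:
    """Step 5: the service decrypts the ST with its own key and authorises on the PAC SIDs."""
    st = unseal(derive_key(service_password), st_blob)
    if st["expires"] < now:
        raise PermissionError("ST expired")
    return st["pac_sids"]


def demo() -> dict:
    now = 1_700_000_000
    spn = "cifs/fileserver.us.ad.lfg.com"
    kdc = KDC(users={"jdoe": ("jdoe-password", ["S-1-5-21-1-1-1-1105", "S-1-5-21-1-1-1-513"])},
              services={spn: "svc-file-password"}, krbtgt_password="krbtgt-1")
    results = {}
    tgt = kdc.as_exchange("jdoe", client_authenticator("jdoe-password", now), now)
    st = kdc.tgs_exchange(tgt, spn, now + 60)
    results["sids_seen_by_service"] = service_accept("svc-file-password", st, now + 61)

    def attempt(label, fn):
        try:
            fn()
            results[label] = "accepted"
        except PermissionError as exc:
            results[label] = f"rejected: {exc}"

    attempt("clock_skewed_10_min", lambda: kdc.as_exchange("jdoe", client_authenticator("jdoe-password", now - 600), now))
    kdc.reset_krbtgt("krbtgt-2")
    attempt("old_tgt_after_one_reset", lambda: kdc.tgs_exchange(tgt, spn, now + 120))
    kdc.reset_krbtgt("krbtgt-3")
    attempt("old_tgt_after_two_resets", lambda: kdc.tgs_exchange(tgt, spn, now + 180))
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns the service's view of the PAC SIDs, a rejection for a client whose clock is ten minutes off, acceptance of the original TGT after one krbtgt reset, and rejection after the second.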
🔓 NTLM — Legacy Authentication (Avoid Where Possible)
1. Client sends username to server
No hash sent yet — just the account name.
2. Server sends 8-byte Challenge (nonce)
Random value unique to this session.
3. Client responds with NT hash of (Challenge + password hash)
The NT hash is derived from the user's password. NTLMv2 also includes a client nonce and timestamp.
4. Server verifies via DC (pass-through auth)
Server passes credentials to the DC via the Netlogon Secure Channel. The DC validates and returns success/failure.
When NTLM is used: IP address auth · local accounts · Kerberos unavailable
Versions: NTLMv1 (insecure) · NTLMv2 (required minimum)
Attack vectors: Pass-the-hash · NTLM relay · Responder
Disable NTLMv1: GPO: LAN Manager Auth Level = NTLMv2 only
Monitor NTLM: Event ID 4776 (credential validation)
Restrict NTLM via GPO: Network security: Restrict NTLM → Deny all in Kerberos-capable environments. Test first with audit mode.
04. Group Policy — GPO Structure & Application Order

GPO Processing Order — Last Write Wins
1. Local Group Policy
Stored on the local machine. Applied first — lowest precedence. Managed via gpedit.msc.
2. Site GPOs
Linked to an AD site. Applied after local. Rarely used — typically for bandwidth-dependent settings.
3. Domain GPOs
Linked at the domain root. The Default Domain Policy (password policy, account lockout) must live here to take effect for domain accounts.
4. OU GPOs (parent → child)
Applied from parent OU to child OU. Child OU settings win. Multiple GPOs at the same level: the GPO highest in the link order (link order 1) wins.
↑ Applied last = Highest precedence (OU wins)
⚙️ GPO Modifiers
Enforced (No Override) — parent GPO wins and cannot be blocked by child OUs
Block Inheritance — prevents GPOs from parent OUs from applying. Enforced GPOs still apply.
Security Filtering — GPO only applies to users/computers in the DACL with Read + Apply Group Policy
WMI Filtering — applies GPO only to machines matching a WMI query (e.g., OS version, RAM)
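The processing order and the four modifiers above interact, and the outcome is easiest to see by resolving a concrete set of links. The following is an added example (not code from the original page) that implements the resolver: levels run Local → Site → Domain → OUs, the lowest link order wins within a level, Block Inheritance drops non-enforced GPOs linked above it, Enforced GPOs are applied last with root-nearest winning, and security filtering skips GPOs the principal cannot apply. GPO names, settings and group names are constructed; the demo shows the case the Default Domain Policy row relies on (an Enforced domain GPO surviving Block Inheritance on an OU).

```python
"""Added example: resolve effective Group Policy settings for one client from
Local/Site/Domain/OU links with link order, Enforced, Block Inheritance and
security filtering. GPO names, settings and group names are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False        # Enforced / No Override
    apply_to: set | None = None   # security filtering: groups with Read + Apply; None = Authenticated Users


@dataclass
class Level:
    name: str
    links: list = field(default_factory=list)   # link order: index 0 = link order 1 (highest precedence here)
    block_inheritance: bool = False


def resolve(levels: list, principal_groups: set) -> tuple[dict, list]:
    """levels run from Local through Site and Domain to the deepest OU (processing order).
    Returns the effective settings and the GPO names in the order applied (last wins)."""
    # Block Inheritance on a level discards non-enforced GPOs linked above it.
    # Local policy is not an AD link and is never blocked.
    block_at = max((i for i, lvl in enumerate(levels) if lvl.block_inheritance), default=0)
    normal, enforced = [], []
    for i, lvl in enumerate(levels):
        # Lowest link order wins within a level, so walk the links in reverse.
        for gpo in reversed(lvl.links):
            if gpo.apply_to is not None and not (gpo.apply_to & principal_groups):
                continue                                   # filtered out: no Apply Group Policy
            if gpo.enforced and i > 0:
                enforced.append((i, gpo))
            elif i == 0 or i >= block_at:
                normal.append(gpo)
    # Enforced GPOs apply after everything else; one linked nearer the root beats a
    # deeper one, so deeper levels go first (stable sort keeps link order within a level).
    enforced.sort(key=lambda pair: -pair[0])
    order = normal + [gpo for _, gpo in enforced]
    effective: dict = {}
    for gpo in order:
        effective.update(gpo.settings)
    return effective, [gpo.name for gpo in order]


def demo(domain_enforced: bool = True) -> tuple[dict, list]:
    """Constructed scenario: OU=Servers blocks inheritance; the domain GPO is Enforced or not."""
    local = Level("Local", [GPO("Local Policy", {"MinPasswordLength": 7, "Wallpaper": "local.jpg"})])
    domain = Level("Domain", [GPO("Default Domain Policy",
                                  {"MinPasswordLength": 14, "LockoutThreshold": 5}, enforced=domain_enforced)])
    servers = Level("OU=Servers", [
        GPO("Servers - Baseline", {"Wallpaper": "corp.jpg", "RDP": "NLA required"}),   # link order 1
        GPO("Servers - Legacy", {"Wallpaper": "legacy.jpg", "SMB1": "enabled"}),       # link order 2
    ], block_inheritance=True)
    web = Level("OU=Web", [GPO("Web - IIS", {"IIS": "hardened"}, apply_to={"GRP-WebServers"})])
    return resolve([local, domain, servers, web], principal_groups={"Domain Computers", "GRP-WebServers"})


if __name__ == "__main__":
    for enforced in (True, False):
        settings, order = demo(enforced)
        print("domain GPO enforced" if enforced else "domain GPO not enforced", order, settings)
```

With the domain GPO Enforced it is applied last and its 14-character minimum wins despite the block on OU=Servers; without Enforced the block removes it entirely and the local 7-character value survives.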
📋 GPO Key Settings Reference
Password min length: Computer Cfg → Windows Settings → Security → Account Policies
Account lockout: same path — threshold, duration, observation window
Audit policies: Security Settings → Advanced Audit Policy Configuration
Startup scripts: Computer Cfg → Windows Settings → Scripts
Software install: Computer/User Cfg → Software Settings → Software Installation
Folder Redirection: User Cfg → Windows Settings → Folder Redirection
Drive maps: User Cfg → Preferences → Windows Settings → Drive Maps
Firewall rules: Computer Cfg → Policies → Windows Firewall with Advanced Security
💻 GPO Troubleshooting Commands
Diagnose GPO application
# Force immediate GPO refresh
gpupdate /force
# Show applied GPOs and settings (detailed)
gpresult /h C:\gpreport.html /f
gpresult /r                                # summary to console
gpresult /scope computer /v
# Check GPO on remote machine
gpresult /s SERVER01 /h C:\report.html
# List every GPO in the domain and export a report of all of them
Get-GPO -All -Domain us.ad.lfg.com
Get-GPOReport -All -ReportType HTML -Path C:\all-gpos.html
05. AD Replication

🔄 Replication Fundamentals
Multi-master replication — all DCs (except RODCs) are writable and replicate changes to each other. No single point of failure. Changes originate on any DC and propagate via the replication topology.
Update Sequence Numbers (USN) — each change is stamped with a USN. DCs track the highest USN received from each partner to detect new changes. Per-DC counter, not global. Stored in NTDS.dit.
Originating Timestamps — used to resolve conflicts. When two DCs modify the same attribute, the later originating timestamp wins. Tie-breaker: the highest DC GUID wins.
Knowledge Consistency Checker (KCC) — automatically builds the replication topology (connection objects). Runs every 15 minutes on each DC. Creates a spanning tree with max 3 hops between any two DCs.
Site Links — control inter-site replication schedule and cost. Default schedule: every 180 minutes. Can be set to a 15-minute minimum. DEFAULTIPSITELINK is the default site link used if none is configured.
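The USN, high-watermark and conflict-resolution mechanics above are easiest to follow on two DCs that each take a write before replicating. The following is an added example (not code from the original page) that models two DCs with per-DC USN counters, a high-watermark per partner, propagation dampening (a DC does not re-apply its own originating write when it comes back), and the conflict rule as the page states it: later originating timestamp wins, ties broken by the higher originating DC GUID. Real AD also compares the attribute version number before the timestamp; that step is omitted here. DC names, GUIDs and attribute values are constructed.

```python
"""Added example: two-DC model of multi-master replication with USNs, high-watermarks
and timestamp/GUID conflict resolution. DC names, GUIDs and values are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Stamp:
    """Replication metadata carried with every attribute value."""
    orig_guid: str     # DC where the write originated
    orig_usn: int      # that DC's USN for the write
    orig_time: int     # originating timestamp
    local_usn: int     # this DC's own USN when it stored the value (per-DC counter)


class DomainController:
    def __init__(self, name: str, guid: str):
        self.name, self.guid = name, guid
        self.usn = 0                 # highest USN committed locally; never global
        self.values: dict = {}       # (object, attribute) -> value
        self.stamps: dict = {}       # (object, attribute) -> Stamp
        self.watermark: dict = {}    # partner name -> highest partner USN already pulled

    def write(self, obj: str, attr: str, value, time: int) -> None:
        """Originating write: stamped with this DC's next USN and the wall-clock time."""
        self.usn += 1
        self.values[(obj, attr)] = value
        self.stamps[(obj, attr)] = Stamp(self.guid, self.usn, time, self.usn)

    def changes_since(self, usn: int) -> list:
        """What a partner asks for: everything stored locally above its watermark."""
        return sorted(((k, self.values[k], s) for k, s in self.stamps.items() if s.local_usn > usn),
                      key=lambda item: item[2].local_usn)

    def pull_from(self, partner: DomainController) -> list:
        applied = []
        hw = self.watermark.get(partner.name, 0)
        for key, value, inc in partner.changes_since(hw):
            hw = max(hw, inc.local_usn)
            cur = self.stamps.get(key)
            if cur and (cur.orig_guid, cur.orig_usn) == (inc.orig_guid, inc.orig_usn):
                continue   # same originating write already present: propagation dampening
            # Conflict rule from the page: later originating timestamp wins, then higher GUID.
            if cur is None or (inc.orig_time, inc.orig_guid) > (cur.orig_time, cur.orig_guid):
                self.usn += 1
                self.values[key] = value
                self.stamps[key] = Stamp(inc.orig_guid, inc.orig_usn, inc.orig_time, self.usn)
                applied.append((key, value))
        self.watermark[partner.name] = hw
        return applied


def demo() -> dict:
    dc01, dc02 = DomainController("DC01", "guid-a"), DomainController("DC02", "guid-b")
    dc01.write("jdoe", "department", "IT", time=100)
    first = dc02.pull_from(dc01)
    # The same attribute is changed on both DCs before they replicate, with equal
    # timestamps, so the higher originating GUID (DC02) wins on both sides.
    dc02.write("jdoe", "department", "Finance", time=200)
    dc01.write("jdoe", "department", "HR", time=200)
    second = dc01.pull_from(dc02)
    third = dc02.pull_from(dc01)     # DC02 sees its own write coming back: dampened
    return {"first_pull": first, "second_pull": second, "third_pull": third,
            "dc01": dc01.values[("jdoe", "department")], "dc02": dc02.values[("jdoe", "department")],
            "usn": (dc01.usn, dc02.usn), "watermarks": (dc01.watermark, dc02.watermark)}


if __name__ == "__main__":
    print(demo())
```

Note how DC01's USN ends at 3 while DC02's ends at 2: storing a replicated value consumes a local USN, which is exactly why USNs are per-DC and why partners track a separate watermark for each source.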
📂 Naming Contexts (Partitions)
Domain NC: DC=us,DC=ad,DC=lfg,DC=com — domain objects. Replicates to all DCs in the same domain.
Schema NC: CN=Schema,CN=Configuration — schema definitions. Replicates to all DCs in the forest.
Configuration NC: CN=Configuration — sites, services, partitions. Replicates to all DCs in the forest.
Application Directory NC: custom partitions (DNS zones are stored here). Replicates to selected DCs only.
🔧 Replication Troubleshooting
Diagnose replication issues
# Check replication status across all DCs
repadmin /replsummary
# Show replication failures
repadmin /showrepl                     # current DC
repadmin /showrepl DC02
# Force replication now
repadmin /syncall /AdeP
# Replicate one naming context from DC01 (source) to DC02 (destination)
repadmin /replicate DC02 DC01 "DC=us,DC=ad,DC=lfg,DC=com"
# DCDiag — full DC health check
dcdiag /test:replications
dcdiag /test:netlogons
dcdiag /test:services
dcdiag /v                              # verbose — all tests
06. Trust Relationships

🤝 Trust Types
Parent-Child Trust — automatically created when a child domain is added. Two-way, transitive. us.ad.lfg.com ↔ corp.lfg.com (auto-created)
Tree-Root Trust — between the forest root and a new tree root. Two-way, transitive. Auto-created. Allows access to resources across trees in the same forest.
Forest Trust — between two forest roots. Can be one-way or two-way, transitive within each forest. Must be created manually. Requires both forests at functional level ≥ Win2003.
External Trust — to a domain in a different forest (non-transitive). One-way or two-way. Use a forest trust when possible. SID filtering enabled by default — prevents SID injection.
Shortcut Trust — manually created between domains in the same forest to speed up cross-domain auth. Transitive. Useful in large forests with many levels.
Realm Trust — between an AD domain and a non-Windows Kerberos realm (e.g., MIT Kerberos on Linux/Unix). Can be transitive or non-transitive.
↔️ Trust Direction vs. Access Direction
Domain A (Trusting) ◄────── TWO-WAY ──────► Domain B (Trusted)
Key rule: Trust direction is opposite to access direction. If Domain A trusts Domain B, then users in Domain B can access resources in Domain A — not the other way around.

Transitivity: If A trusts B and B trusts C, and the trusts are transitive, A also trusts C. Forest trusts are transitive within each forest.
🔒 SID Filtering & Security
SID Filtering is enabled on external trusts by default — strips SIDs from the trusting forest's domain SID space to prevent privilege escalation via SID history injection.
SID History — migrated accounts carry SIDs from the old domain. Attackers abuse this to smuggle admin SIDs across trusts. Verify with Get-ADUser -Filter * -Properties SIDHistory
Selective Authentication — limits which resources a trusted domain's users can access. More secure than forest-wide auth on external trusts.
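The direction rule, transitivity rule and SID filtering described above can all be checked mechanically on a trust map. The following is an added example (not code from the original page) that encodes trusts as directed trusting → trusted edges, answers "can users of domain X reach resources in domain Y" by walking from the resource side back to the account side (a chain longer than one hop requires every hop to be transitive), and applies SID filtering to a PAC so that a SIDHistory entry from the trusting forest is dropped. The domain names follow the page's diagram; the SIDs are constructed. The "transitive only within each forest" limit of forest trusts is not modelled here.

```python
"""Added example: trust direction vs. access direction, transitivity and SID filtering
on a constructed trust map. Domain names follow the page; SIDs are constructed."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str                # resource domain: it accepts the other side's authentication
    trusted: str                 # account domain: its users may access the trusting side
    transitive: bool = True
    sid_filtering: bool = True   # default on external and forest trusts


def two_way(a: str, b: str, transitive: bool = True) -> list:
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def access_path(trusts: list, user_domain: str, resource_domain: str):
    """Chain of domains from the resource domain back to the user's domain, or None.
    Access runs opposite to trust direction, so we walk trusting -> trusted edges
    starting at the resource side. A chain longer than one hop needs every hop transitive."""
    if user_domain == resource_domain:
        return [resource_domain]
    queue = deque([([resource_domain], True)])
    seen = {resource_domain}
    while queue:
        path, all_transitive = queue.popleft()
        for t in trusts:
            if t.trusting != path[-1] or t.trusted in seen:
                continue
            if len(path) > 1 and not (all_transitive and t.transitive):
                continue
            new_path = path + [t.trusted]
            if t.trusted == user_domain:
                return new_path
            seen.add(t.trusted)
            queue.append((new_path, all_transitive and t.transitive))
    return None


def filter_pac_sids(trust: Trust, pac_sids: list, trusted_side_domain_sids: set) -> list:
    """SID filtering on the trusting side: keep only SIDs whose domain prefix belongs
    to the trusted side; a SIDHistory entry from the trusting forest is dropped."""
    if not trust.sid_filtering:
        return list(pac_sids)
    return [sid for sid in pac_sids if sid.rsplit("-", 1)[0] in trusted_side_domain_sids]


CORP, US, EU, PARTNER = "corp.lfg.com", "us.ad.lfg.com", "eu.ad.lfg.com", "partner.ext"
# Parent-child trusts (two-way, transitive) plus a one-way, non-transitive external trust
# in which corp.lfg.com trusts partner.ext.
TRUSTS = two_way(CORP, US) + two_way(CORP, EU) + [Trust(CORP, PARTNER, transitive=False)]


def demo() -> dict:
    corp_sid, partner_sid = "S-1-5-21-100-100-100", "S-1-5-21-900-900-900"
    pac = [f"{partner_sid}-1105", f"{partner_sid}-513", f"{corp_sid}-512"]  # last: injected Domain Admins SID
    return {
        "eu_user_to_us_resource": access_path(TRUSTS, EU, US),
        "partner_user_to_corp": access_path(TRUSTS, PARTNER, CORP),
        "corp_user_to_partner": access_path(TRUSTS, CORP, PARTNER),
        "partner_user_to_us": access_path(TRUSTS, PARTNER, US),
        "filtered_pac": filter_pac_sids(TRUSTS[-1], pac, {partner_sid}),
        "unfiltered_pac": filter_pac_sids(Trust(CORP, PARTNER, False, sid_filtering=False), pac, {partner_sid}),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The output shows partner.ext users reaching corp.lfg.com but not us.ad.lfg.com (the external trust is not transitive), corp users unable to reach partner.ext (one-way), and the injected corp Domain Admins SID stripped from the PAC while filtering is on.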
07. FSMO Roles — Flexible Single Master Operations

🌲 Schema Master (forest-wide role)

Only DC allowed to write changes to the AD schema. Required online only during schema extensions (Exchange, SCCM installs).

Quantity: 1 per forest
Impact if offline: Low — schema rarely changes
Find holder: netdom query fsmo

⚙️ Domain Naming Master (forest-wide role)

Controls adding/removing domains and application partitions in the forest. Must be a GC server.

Quantity: 1 per forest
Impact if offline: Low
Transfer: Active Directory Domains and Trusts MMC

🔢 RID Master (domain-wide role)

Allocates pools of Relative IDs (RIDs) to DCs. Every object SID = domain SID + RID. DCs request new RID pools when running low (default pool = 500 RIDs).

Quantity: 1 per domain
Impact if offline: Medium — object creation may fail when RID pools exhaust

🔐 PDC Emulator (domain-wide role)

Most critical FSMO role for day-to-day operations.

Authoritative time source for the domain — sync NTP here
Account lockout — lockouts reported here first
Password changes — urgent replication to PDC Emulator
GPO editing — GPMC targets PDC Emulator by default
Impact if offline: HIGH — auth delays, lockout issues, time skew

🔗 Infrastructure Master (domain-wide role)

Maintains cross-domain object references (phantom records) — updates references when objects in other domains are renamed or moved.

Quantity: 1 per domain
Rule: Should NOT be on a GC server (unless all DCs are GCs)
Impact if offline: Low in a single-domain forest
⚡ FSMO Transfer vs. Seize
Transfer FSMO roles (graceful — old DC online)
# Transfer all roles to target DC
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole 0,1,2,3,4
# 0=PDCEmulator 1=RIDMaster 2=InfrastructureMaster
# 3=SchemaMaster 4=DomainNamingMaster
# Check current role holders
netdom query fsmo
Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select SchemaMaster, DomainNamingMaster
Seize FSMO roles (forceful — old DC permanently offline)
# Use ntdsutil to seize (emergency only)
ntdsutil
roles
connections
connect to server DC02
quit
seize PDC
seize RID master
seize infrastructure master
quit
# Never bring the old DC back online after a seize
08. DNS & Sites / Services

🌐 AD-Integrated DNS

AD depends entirely on DNS. Every AD function — DC location, Kerberos, replication, logon — is resolved via DNS SRV records. Use AD-integrated zones for secure dynamic updates and replication via AD instead of zone transfers.

Critical SRV records: _kerberos._tcp, _ldap._tcp, _gc._tcp
DC locator SRV: _ldap._tcp.dc._msdcs.domain.com
PDC SRV: _ldap._tcp.pdc._msdcs.domain.com
GC SRV: _gc._tcp.domain.com (port 3268)
Zone type: AD-Integrated (preferred) — zone stored in AD
Dynamic update: Secure only — prevents unauthorized DNS registration
Scavenging: enable to remove stale DNS records (7-day aging)

nslookup -type=SRV _ldap._tcp.dc._msdcs.us.ad.lfg.com
dcdiag /test:DNS /v
ipconfig /registerdns          # re-register DNS records
🗺️ Sites & Services
Sites — represent physical locations with well-connected subnets. Used for DC selection, replication scheduling, and DFS referrals. AD Sites and Services MMC / Set-ADReplicationSite
Subnets — IP subnets mapped to sites. When a client contacts a DC, AD finds the matching subnet to determine its site. New-ADReplicationSubnet -Name "10.10.5.0/24" -Site "HQ"
Site Links — define replication paths between sites. Configure cost (lower = preferred) and schedule. DEFAULTIPSITELINK auto-connects all sites.
Site Link Bridges — for non-fully-routed topologies. By default, all site links are bridged (transitive). Disable only if you need manual routing control.
DC Locator process — the client queries DNS for SRV records, gets a list of DCs, and pings for the closest DC in the same site. Event 5807 in the NETLOGON log = no DC in site.
09. AD Security Hardening & Attack Awareness

☠️ Common AD Attack Techniques
🎟️ Pass-the-Hash (PtH)
Attacker captures an NTLM hash from memory (via Mimikatz / lsass dump) and authenticates as that user without knowing the plaintext password.
Mitigation: Enable Credential Guard · Protected Users group · Restrict NTLM · Disable WDigest (KB2871997)
🎫 Kerberoasting
Any domain user can request service tickets for SPNs. Attacker requests a TGS for an SPN, extracts the RC4/AES-encrypted ticket offline, and cracks the service account password.
Mitigation: Use MSAs/gMSAs for service accounts · Enforce AES-only · 25+ char service account passwords · Monitor Event 4769
👻 AS-REP Roasting
Accounts with "Do not require Kerberos preauthentication" enabled return an AS-REP encrypted with the password hash — crackable offline.
Mitigation: Audit with Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} · Remove the flag · Strong passwords
🔑 Golden / Silver Ticket
Golden: forged TGT using the krbtgt hash. Silver: forged ST using a service account hash. Both allow persistent access even after password resets.
Mitigation: Reset krbtgt twice · Deploy Microsoft Defender for Identity (MDI) · Monitor privileged account logons
🔗 DCSync Attack
Attacker with the Replicating Directory Changes All permission uses the DRS API to pull all password hashes from a DC as if they were another DC.
Mitigation: Audit DS-Replication-Get-Changes-All rights · Alert on a non-DC performing DCSync (Event 4662)
🛡️ AD Hardening Checklist
Tier model (Admin Tiering) — Tier 0 (DCs/AD), Tier 1 (servers), Tier 2 (workstations). No credential overlap between tiers. Privileged Access Workstations (PAWs) for Tier 0 admin
Protected Users Security Group — removes NTLM, RC4, CredSSP, WDigest for members. Forces Kerberos AES only. Apply to all privileged accounts. No delegation — no cached credentials offline
gMSA for service accounts — auto-rotating 240-char passwords. No human knows the password. Prevents Kerberoasting. New-ADServiceAccount -Name "svc-iis" -DNSHostName ...
LAPS (Local Administrator Password Solution) — unique auto-rotating local admin passwords per machine. Stored in AD. Deploy Windows LAPS (built into Win 2019+/Win 11)
Enable Audit Policies — Advanced Audit via GPO. Critical events: 4624/4625 (logon), 4740 (lockout), 4728/4732/4756 (group changes), 4672 (special privs). Forward to SIEM — retain 90 days minimum
Microsoft Defender for Identity (MDI) — AD sensor on DCs monitors for Golden Ticket, DCSync, Kerberoasting, lateral movement. Formerly Azure ATP — integrates with Defender XDR
Keep Domain Admins empty when not in use — use JIT elevation via PIM or time-limited group membership. Never use DA for daily tasks or logging into workstations
AD Recycle Bin — enable at forest level. Allows restoring accidentally deleted objects for 180 days (tombstone lifetime). Enable-ADOptionalFeature -Identity "Recycle Bin Feature"
📋 Critical Security Event IDs to Monitor
Event ID | Source   | Description | Action
4624 | Security | Successful logon — Type 3 (network) is most common for lateral movement | Baseline and alert on anomalies
4625 | Security | Failed logon — monitor for brute force (many failures from the same source) | Alert on threshold (10+ in 5 min)
4740 | Security | Account locked out — appears on the PDC Emulator | Alert immediately
4672 | Security | Special privileges assigned to new logon (admin logon) | Alert on non-admin accounts
4728 | Security | Member added to a global security group | Alert on Domain Admins changes
4732 | Security | Member added to a local security group | Alert on privileged groups
4756 | Security | Member added to a universal security group | Alert
4769 | Security | Kerberos service ticket requested — RC4 encryption = Kerberoasting indicator | Alert on RC4 for SPN accounts
4771 | Security | Kerberos pre-authentication failed — failed logon for domain accounts | Monitor volume
4776 | Security | NTLM credential validation on DC — monitor for unusual sources | Alert on unexpected NTLM
4662 | Security | Operation performed on AD object — watch for DS-Replication-Get-Changes-All (DCSync) | Alert immediately
7045 | System   | New service installed — common malware persistence technique | Alert on unexpected services
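Four of the rows above carry a concrete detection rule (4625 threshold, 4769 RC4 for SPN accounts, 4662 replication rights from a non-DC, group membership changes). The following is an added example (not code from the original page) that implements those rules and runs them over a constructed sample of events. Field names follow the event XML data (IpAddress, ServiceName, TicketEncryptionType, SubjectUserName, Properties, TargetUserName, MemberName); the control-access-right GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All are the real schema values, while the account names, hosts and times in the sample are constructed.

```python
"""Added example: detection logic for the 4625 / 4769 / 4662 / 47xx rows of the
event table, run over a constructed sample of Security events."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}
# Control-access-right GUIDs that appear in the 4662 'Properties' field during DCSync.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"          # 4769 TicketEncryptionType; AES types are 0x11 / 0x12


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """4625: at least `threshold` failures from one source inside a sliding window."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["IpAddress"]].append(e["time"])
    alerts = []
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("BRUTE_FORCE", src))
                break
    return alerts


def detect_kerberoast(events):
    """4769: RC4 service ticket for a user-style service account (computer SPNs end in '$')."""
    return [("KERBEROAST_RC4", e["ServiceName"]) for e in events
            if e["id"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
            and not e["ServiceName"].endswith("$") and e["ServiceName"].lower() != "krbtgt"]


def detect_dcsync(events, dc_accounts):
    """4662: replication control-access rights exercised by something that is not a DC."""
    return [("DCSYNC", e["SubjectUserName"]) for e in events
            if e["id"] == 4662 and e["SubjectUserName"] not in dc_accounts
            and (DS_REPL_GET_CHANGES_ALL in e["Properties"] or DS_REPL_GET_CHANGES in e["Properties"])]


def detect_priv_group_change(events):
    """4728 / 4732 / 4756: a member added to a privileged group."""
    return [("PRIV_GROUP_CHANGE", f'{e["MemberName"]} -> {e["TargetUserName"]}') for e in events
            if e["id"] in (4728, 4732, 4756) and e["TargetUserName"] in PRIVILEGED_GROUPS]


def run_all(events, dc_accounts):
    return sorted(detect_bruteforce(events) + detect_kerberoast(events)
                  + detect_dcsync(events, dc_accounts) + detect_priv_group_change(events))


def sample_events():
    """Constructed sample log: one brute-force burst, one benign failure source,
    two 4769s, two 4662s (one from a DC), two group changes."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    ev = [{"id": 4625, "time": t0 + timedelta(seconds=12 * i), "IpAddress": "10.10.5.77",
           "TargetUserName": "jdoe"} for i in range(12)]                      # 12 failures in ~2.5 min
    ev += [{"id": 4625, "time": t0 + timedelta(minutes=7 * i), "IpAddress": "10.10.9.3",
            "TargetUserName": "bsmith"} for i in range(3)]                    # spread out: no alert
    ev += [
        {"id": 4769, "time": t0, "ServiceName": "svc-sql", "TicketEncryptionType": "0x17",
         "TargetUserName": "jdoe@US.AD.LFG.COM"},
        {"id": 4769, "time": t0, "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12",
         "TargetUserName": "jdoe@US.AD.LFG.COM"},
        {"id": 4662, "time": t0, "SubjectUserName": "jdoe",
         "Properties": f"%%7688 {{{DS_REPL_GET_CHANGES_ALL}}}"},
        {"id": 4662, "time": t0, "SubjectUserName": "DC02$",
         "Properties": f"%%7688 {{{DS_REPL_GET_CHANGES_ALL}}}"},
        {"id": 4728, "time": t0, "TargetUserName": "Domain Admins",
         "MemberName": "CN=bsmith,OU=Users,DC=us,DC=ad,DC=lfg,DC=com"},
        {"id": 4732, "time": t0, "TargetUserName": "Remote Desktop Users",
         "MemberName": "CN=jdoe,OU=Users,DC=us,DC=ad,DC=lfg,DC=com"},
    ]
    return ev


if __name__ == "__main__":
    for alert in run_all(sample_events(), dc_accounts={"DC01$", "DC02$"}):
        print(*alert)
```

The DC account allow-list for the 4662 rule is the part to keep accurate in production: DCs legitimately exercise these rights against each other, so the signal is the right being used by any other principal.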
10. PowerShell — AD Administration Reference

👤 User Management
Common user operations
# Create new user (prompt for the initial password instead of hard-coding it)
New-ADUser -Name "John Doe" -SamAccountName jdoe `
    -UserPrincipalName jdoe@us.ad.lfg.com `
    -Path "OU=Users,DC=us,DC=ad,DC=lfg,DC=com" `
    -AccountPassword (Read-Host -AsSecureString "Initial password") `
    -Enabled $true
# Find stale accounts (no logon in 90 days)
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
# Unlock locked-out user
Unlock-ADAccount -Identity jdoe
# Force password reset at next logon
Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
# Disable account
Disable-ADAccount -Identity jdoe
# Get user with all properties
Get-ADUser -Identity jdoe -Properties *
# Find users with password never expires
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires
# Move user to a different OU
Move-ADObject -Identity "CN=John Doe,OU=Users,DC=us,DC=ad,DC=lfg,DC=com" `
    -TargetPath "OU=ServiceAccounts,DC=us,DC=ad,DC=lfg,DC=com"
👥 Group Management
Group operations
# Create security group
New-ADGroup -Name "GRP-IT-Admins" -GroupScope Global `
    -GroupCategory Security -Path "OU=Groups,DC=us,DC=ad,DC=lfg,DC=com"
# Add members to group
Add-ADGroupMember -Identity "GRP-IT-Admins" -Members jdoe, bsmith
# Get all members (recursive)
Get-ADGroupMember -Identity "Domain Admins" -Recursive
# Find groups a user belongs to
Get-ADUser -Identity jdoe -Properties MemberOf | Select -ExpandProperty MemberOf
# Find empty groups
Get-ADGroup -Filter * -Properties Members | Where {-not $_.Members}
🖥️ Computer & Domain Management
Computer and domain operations
# Find stale computer accounts (90+ days)
Get-ADComputer -Filter * -Properties LastLogonDate | Where {$_.LastLogonDate -lt (Get-Date).AddDays(-90)}
# Get all DCs in domain
Get-ADDomainController -Filter * | Select Name, Site, IPv4Address, IsGlobalCatalog
# Check AD functional levels
Get-ADDomain | Select DomainMode
Get-ADForest | Select ForestMode
# Get OU structure
Get-ADOrganizationalUnit -Filter * | Select DistinguishedName
# Test AD connectivity
Test-ComputerSecureChannel -Verbose     # test machine secure channel
Test-ComputerSecureChannel -Repair      # repair broken secure channel
# Get AD replication metadata for an object
Get-ADReplicationAttributeMetadata -Object "CN=jdoe,OU=Users,DC=us,DC=ad,DC=lfg,DC=com" -Server DC01
🔒 Security Auditing Queries
Security and audit queries
# Find accounts with SID history (migration residue)
Get-ADUser -Filter * -Properties SIDHistory | Where {$_.SIDHistory}
# Find accounts with Kerberos pre-auth disabled
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}
# Find service accounts with SPNs (Kerberoasting targets)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Find domain admins
Get-ADGroupMember "Domain Admins" -Recursive | Get-ADUser -Properties LastLogonDate
# Audit AdminSDHolder-protected accounts
Get-ADUser -LDAPFilter "(adminCount=1)" | Select Name, DistinguishedName
# Check fine-grained password policies
Get-ADFineGrainedPasswordPolicy -Filter *
Get-ADUserResultantPasswordPolicy -Identity jdoe
# Find accounts that haven't changed password in 365 days
Get-ADUser -Filter * -Properties PasswordLastSet | Where {$_.PasswordLastSet -lt (Get-Date).AddDays(-365)} | Select Name, PasswordLastSet
11. Troubleshooting — Common Issues & AD Ports

🔧 Common Issues & Fixes
Kerberos auth failures — check NTP sync (±5 min tolerance). Check DNS SRV records. Verify the SPN is not duplicated (setspn -X -F). Event ID 4771 on the DC · Event 6 in the System log on the client
Account lockouts — use the Microsoft Lockout Status Tool or find the source via Event 4740 on the PDC Emulator. Common culprits: mapped drives, cached creds, mobile devices. Fine-tune the lockout observation window before lowering the threshold
Replication failures — run repadmin /replsummary and dcdiag /test:replications. Check firewall rules for AD replication ports. Error 8453 = replication access denied · Error 8606 = lingering objects
GPO not applying — run gpresult /h. Check SYSVOL replication (DFS-R health). Verify security filtering. Check the WMI filter. Events 1085, 1086 in the Group Policy log = GPO processing failure
DC not advertising — run dcdiag /test:advertising. Check the Netlogon service. Verify DNS registrations. nltest /dsgetdc:domain — find a DC for the domain
Lingering objects — objects that exist on one DC but were deleted on another beyond the tombstone lifetime. Cause replication failures. Clean with repadmin /removelingeringobjects
🔌 AD Required Ports
Port        | Proto   | Service             | Notes
53          | TCP/UDP | DNS                 | Critical — DC location, Kerberos, everything
88          | TCP/UDP | Kerberos            | Authentication tickets
135         | TCP     | RPC Endpoint Mapper | Required for AD replication & RPC
137-139     | UDP     | NetBIOS             | Legacy — disable where possible
389         | TCP/UDP | LDAP                | Directory queries. Use 636 for LDAPS
445         | TCP     | SMB / SYSVOL        | GPO/SYSVOL replication, Netlogon
464         | TCP/UDP | Kerberos kpasswd    | Password change via Kerberos
636         | TCP     | LDAPS               | Encrypted LDAP — require for all AD queries
3268        | TCP     | GC LDAP             | Global Catalog queries
3269        | TCP     | GC LDAPS            | Encrypted GC queries
49152–65535 | TCP     | RPC Dynamic         | AD replication, DCOM — restrict via GPO
5722        | TCP     | DFS-R               | SYSVOL replication (Windows 2008+)
9389        | TCP     | AD Web Services     | PowerShell AD module, ADAC
⚡ Essential Diagnostic Commands
# ── DC Health ─────────────────────────────
dcdiag /v                         # full DC health check
dcdiag /test:netlogons            # Netlogon service
dcdiag /test:advertising          # DC advertising in DNS
dcdiag /test:replications         # AD replication
dcdiag /test:fsmocheck            # FSMO role holders
dcdiag /test:DNS                  # DNS configuration
# ── FSMO / Domain Info ────────────────────
netdom query fsmo                 # show FSMO holders
nltest /dsgetdc:us.ad.lfg.com     # find DC for domain
nltest /sc_verify:us.ad.lfg.com   # verify secure channel
nltest /dbflag:0x2080ffff         # enable Netlogon debug logging
# ── Replication ───────────────────────────
repadmin /replsummary             # replication health
repadmin /showrepl                # detailed replication
repadmin /syncall /AdeP           # force full sync
repadmin /queue                   # replication queue
repadmin /showutdvec DC01 "DC=us,DC=ad,DC=lfg,DC=com"   # up-to-dateness vector for the domain NC
# ── LDAP / Kerberos ──────────────────────
klist                             # show cached Kerberos tickets
klist purge                       # clear Kerberos ticket cache
ldp.exe                           # LDAP browser / test queries
adfind -b DC=us,DC=ad,DC=lfg,DC=com -f "(sAMAccountName=jdoe)"
setspn -X -F                      # find duplicate SPNs (forest-wide)