# Troubleshooting Scenarios for Decision Tree App

## Scenario 1: FSLogix Profile Not Loading

### Issue Details
**Issue Name:** FSLogix Profile Not Loading
**Category:** Citrix/Virtual Desktop
**Estimated Time:** 10-15 minutes
**Common For:** Warner Robins City, other Citrix environments

### First Thing You Check
Can the user log into the server at all?

### Decision Tree

**Step 1: Can user log into server?**
- **YES** → Step 2: Check FSLogix service status
- **NO** → Different tree (AD account/licensing issue)

**Step 2: Is FSLogix service running on the server?**
- **RUNNING** → Step 3: Check frxtray.exe in user's task manager
- **STOPPED** → Step 4: Start service and check event log for cause
- **STUCK (Starting/Stopping)** → Step 5: Kill service process and restart

**Step 3: Is frxtray.exe running in user's task manager?**
- **YES** → Step 6: Check if profile VHD exists in share
- **NO** → Step 7: Check FSLogix agent installation
- **MULTIPLE INSTANCES** → Step 8: Kill all frxtray.exe, log user off, try again

**Step 4: Service Start Result**
*Action: Start-Service -Name 'frxsvc'*
- **Started successfully** → Step 9: Check Event Viewer for previous failure reason
- **Failed to start** → Step 10: Check service dependencies (NetLogon, RPC)
- **Started but stopped again** → Step 11: Check for file locks or permissions

**Step 5: Service Kill and Restart**
*Action: Stop-Process -Name frxsvc -Force; Start-Service frxsvc*
- **Service now running** → Step 3: Verify frxtray.exe
- **Still stuck** → Step 12: Check for corrupt profile or registry

**Step 6: Does user have a profile VHD in the share?**
*Check: \\server\fslogix\username\Profile_username.vhdx*
- **YES, file exists** → Step 13: Check VHD file permissions
- **NO, file missing** → Step 14: Check FSLogix registry path configuration
- **YES, but 0 bytes** → Step 15: Delete corrupt VHD, recreate profile

**Step 7: Is FSLogix agent installed?**
*Check: C:\Program Files\FSLogix\Apps\frxsvc.exe exists*
- **YES** → Step 16: Repair FSLogix agent
- **NO** → Step 17: Install FSLogix agent

**Step 8: Multiple frxtray instances**
*Action: Get-Process frxtray | Stop-Process -Force*
- **Killed successfully** → Log user off, have them log back in
- **Cannot kill** → Step 18: Check for file/folder locks

**Step 9: Check Event Viewer**
*Action: Check Application log for FSLogix errors*
- **Error 50 (Can't access network path)** → Step 19: Verify network path accessible
- **Error 13 (VHD locked)** → Step 20: Check for locks on VHD from other servers
- **Error 52 (Profile path not found)** → Step 14: Check registry settings

**Step 10: Check Service Dependencies**
*Action: Get-Service NetLogon, RpcSs status*
- **All running** → Step 21: Check antivirus blocking
- **NetLogon stopped** → Start NetLogon, then retry FSLogix
- **RPC stopped** → Critical issue, escalate to senior engineer

**Step 11: Check for File Locks**
*Action: Run Chihlas file lock checker on profile share*
- **No locks** → Step 22: Check disk space on profile server
- **Locked by another server** → Step 20: Release lock or force user logoff from other session

**Step 13: Check VHD Permissions**
*Action: Get-Acl on Profile_username.vhdx*
- **User has Full Control** → Step 23: Try mounting VHD manually
- **User missing permissions** → Step 24: Grant user full control
- **Everyone has permission but still fails** → Step 25: Check parent folder permissions

**Step 14: Check FSLogix Registry Path**
*Check: HKLM\SOFTWARE\FSLogix\Profiles - VHDLocations*
- **Path is correct** → Step 26: Check DNS resolution of server name
- **Path has typo** → Fix registry path, log user off and back on
- **Path uses old server** → Update to correct server path

**Step 15: Delete Corrupt VHD**
*Action: Delete 0-byte VHD file*
- **Deleted successfully** → User will get new profile on next login
- **Cannot delete (in use)** → Step 20: Check locks, force release

**Step 17: Install FSLogix Agent**
*Action: Run FSLogix installer from network share*
- **Installed successfully** → Reboot server, have user try again
- **Installation failed** → Step 27: Check server OS version compatibility

**Step 19: Verify Network Path**
*Action: Test-Path \\server\fslogix from problem server*
- **Accessible** → Step 28: Check firewall between servers
- **Not accessible** → Check DNS, check network connectivity
- **Accessible but slow** → Step 29: Check network performance

**Step 20: Check VHD Locks**
*Action: Use openfiles /query or handle.exe to check locks*
- **Locked by same server** → Kill locking process
- **Locked by different server** → Log user off from that server
- **Lock from crashed session** → Clear stale session, release lock

**Step 21: Check Antivirus**
*Action: Check if AV is scanning/blocking FSLogix folders*
- **FSLogix folders excluded** → Step 30: Check Windows Defender exclusions too
- **Not excluded** → Add exclusions, restart FSLogix service
- **Exclusions present but still blocking** → Temporarily disable AV to test

**Step 23: Try Mounting VHD Manually**
*Action: Mount-VHD -Path \\server\fslogix\...\Profile.vhdx*
- **Mounts successfully** → Profile is good, issue elsewhere (back to Step 2)
- **Fails to mount** → Step 31: Check VHD integrity
- **Mounts but takes forever** → Step 29: Network performance issue

**Step 24: Grant User Permissions**
*Action: icacls add full control for user on VHD*
- **Permissions granted** → Have user log off and back on
- **Cannot modify permissions** → Check if admin has access, check share permissions

**Step 31: Check VHD Integrity**
*Action: Test-VHD -Path ... in PowerShell*
- **VHD is healthy** → Issue is mounting or permissions
- **VHD is corrupt** → Step 15: Delete and recreate
- **Cannot test (access denied)** → Permission issue on share

**RESOLUTION: Profile loads successfully**

### Common Pitfalls
- VHD file locked by another server (user has session on multiple servers)
- Profile path in registry has typo or uses old server name
- Antivirus blocking VHD access or scanning profile folder
- NetLogon service stopped preventing network authentication
- Disk full on profile share
- DNS not resolving profile server name
- Stale sessions from crashed RDP connections

### Resolution Indicators
- User can log in successfully
- Profile loads within 30 seconds
- No FSLogix errors in Event Viewer
- frxtray.exe running in task manager
- User's desktop, documents appear correctly

### Documentation Links
- FSLogix Profile Troubleshooting: https://docs.microsoft.com/en-us/fslogix/troubleshooting-profile-container
- Event Log Error Codes: https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference
- VHD Troubleshooting: Internal KB #FSL-001

---

## Scenario 2: Citrix VDA Not Registering

### Issue Details
**Issue Name:** Citrix VDA Not Registering with Delivery Controller
**Category:** Citrix/Virtual Desktop
**Estimated Time:** 10-20 minutes
**Common For:** Warner Robins City, all Citrix environments

### First Thing You Check
Can you ping the VDA from the Delivery Controller?

### Decision Tree

**Step 1: Can you ping VDA from DDC?**
*Action: Test-Connection -ComputerName VDA-HOSTNAME*
- **YES (replies)** → Step 2: Check VDA service status
- **NO (request timed out)** → Step 3: Network connectivity issue

**Step 2: What is VDA service status?**
*Action: Get-Service -Name 'BrokerAgent' on VDA*
- **RUNNING** → Step 4: Check DDC connection from VDA
- **STOPPED** → Step 5: Start VDA service
- **STUCK** → Step 6: Force kill and restart service

**Step 3: Network Connectivity Issue**
*Troubleshooting network layer*
- **VDA powered off** → Power on VDA, wait for boot
- **VDA on different subnet** → Step 7: Check routing/firewall
- **DNS not resolving** → Step 8: Check DNS configuration
- **Network cable unplugged** → Physical layer issue

**Step 4: Can VDA reach DDC on port 80/443?**
*Action: Test-NetConnection -ComputerName DDC-HOSTNAME -Port 80*
- **Port 80 success** → Step 9: Check VDA registration in Studio
- **Port 80 blocked** → Step 10: Check firewall rules
- **DNS fails** → Step 8: Check DNS

**Step 5: Start VDA Service**
*Action: Start-Service -Name 'BrokerAgent'*
- **Started successfully** → Step 11: Wait 60 seconds, check registration
- **Failed to start** → Step 12: Check Event Viewer for error
- **Started then stopped** → Step 13: Check service dependencies

**Step 6: Force Kill VDA Service**
*Action: Stop-Process -Name BrokerAgent -Force*
- **Killed successfully** → Step 5: Start service normally
- **Cannot kill (access denied)** → Restart VDA server
- **Killed but immediately respawns** → Step 14: Check for loops

**Step 7: Check Routing/Firewall**
*Between VDA and DDC*
- **Different VLANs** → Verify inter-VLAN routing configured
- **SonicWall between them** → Step 15: Check SonicWall rules
- **Switches involved** → Check VLAN tagging, trunk ports

**Step 8: Check DNS Configuration**
*Action: Resolve-DnsName DDC-HOSTNAME from VDA*
- **Resolves correctly** → DNS is fine, go back to network troubleshooting
- **Does not resolve** → Step 16: Check VDA DNS server settings
- **Resolves to wrong IP** → Step 17: Check DNS A record

**Step 9: Check VDA in Citrix Studio**
*Action: Open Studio > Machine Catalogs*
- **VDA shows "Registered"** → Issue resolved!
- **VDA shows "Unregistered"** → Step 18: Check ListOfDDCs registry
- **VDA not in catalog** → Step 19: Add VDA to catalog

**Step 10: Check Firewall Rules**
*Between VDA and DDC*
- **Windows Firewall blocking** → Create rule to allow DDC traffic
- **Hardware firewall blocking** → Step 15: Update SonicWall rules
- **NSG rules (if Azure)** → Add allow rule for ports 80, 443, 1494, 2598

**Step 11: Wait and Verify Registration**
*Action: Wait 60 seconds, refresh Studio*
- **Now registered** → Resolution confirmed!
- **Still unregistered** → Step 18: Check ListOfDDCs
- **Shows error in Studio** → Step 20: Check specific error code

**Step 12: Check Event Viewer**
*Action: Application log, filter for Citrix*
- **Error 1001 (cannot contact DDC)** → Step 4: Check connectivity
- **Error 1006 (auth failure)** → Step 21: Check machine account
- **Error 1035 (database connection failed)** → Escalate to DDC troubleshooting

**Step 13: Check Service Dependencies**
*Action: Check dependent services*
- **NetLogon stopped** → Start NetLogon first
- **Remote Registry stopped** → Start Remote Registry
- **Windows Event Log stopped** → Critical, may need reboot

**Step 15: Check SonicWall Rules**
*Between VDA subnet and DDC subnet*
- **No rule exists** → Create LAN→LAN allow rule for Citrix ports
- **Rule exists but wrong ports** → Add ports 80, 443, 1494, 2598
- **Rule exists, looks correct** → Check packet capture on SonicWall

**Step 16: Check VDA DNS Settings**
*Action: Get-DnsClientServerAddress on VDA*
- **Points to wrong DNS** → Set to correct DNS server
- **Points to correct DNS** → Step 17: Check DNS server itself
- **No DNS configured** → Configure DNS, restart VDA

**Step 17: Check DNS A Record**
*On DNS server*
- **A record correct** → Clear DNS cache on VDA
- **A record wrong IP** → Update A record, clear cache
- **A record missing** → Create A record for DDC

**Step 18: Check ListOfDDCs Registry**
*Action: Check HKLM\Software\Citrix\VirtualDesktopAgent - ListOfDDCs*
- **Points to correct DDC** → Step 22: Re-register VDA manually
- **Points to old/wrong DDC** → Update registry to correct DDC name
- **Registry key missing** → Run Citrix VDA installer repair

**Step 19: Add VDA to Catalog**
*In Citrix Studio*
- **Added successfully** → VDA should register within 60 seconds
- **Cannot add (not found)** → Step 1: Network connectivity issue
- **Cannot add (duplicate)** → VDA may be in different catalog, search

**Step 21: Check Machine Account**
*In Active Directory*
- **Account exists, enabled** → Step 23: Check computer trust relationship
- **Account disabled** → Enable account, restart VDA
- **Account missing** → Re-join VDA to domain

**Step 22: Re-register VDA Manually**
*Action: Run "C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe" -RegisterWithDDC*
- **Registration successful** → Verify in Studio
- **Registration failed** → Check error message, return to Step 4
- **Command not found** → VDA install corrupted, reinstall

**Step 23: Check Computer Trust Relationship**
*Action: Test-ComputerSecureChannel on VDA*
- **Trust relationship good** → Back to Step 2
- **Trust relationship broken** → Repair: Reset-ComputerMachinePassword
- **Repair failed** → Re-join domain

**RESOLUTION: VDA shows as Registered in Studio**

### Common Pitfalls
- Firewall blocking ports 80/443 between VDA and DDC
- DNS not resolving DDC hostname
- ListOfDDCs registry points to old/decommissioned DDC
- Machine account password expired or trust relationship broken
- VDA service won't stay running due to corrupt installation
- Network routing issue between VDA and DDC subnets
- VDA trying to register to wrong DDC in multi-site setup

### Resolution Indicators
- VDA shows "Registered" in Citrix Studio
- Users can successfully launch sessions to VDA
- No Citrix errors in Event Viewer
- VDA appears in correct delivery group

### Documentation Links
- VDA Registration: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/vda-registration
- Troubleshooting: https://support.citrix.com/article/CTX136668
- Event Log Errors: https://support.citrix.com/article/CTX127348

---

## Scenario 3: User Cannot Access File Share

### Issue Details
**Issue Name:** User Cannot Access Network File Share
**Category:** File Services / Permissions
**Estimated Time:** 5-15 minutes
**Common For:** All clients with file servers

### First Thing You Check
Can the user ping the file server?

### Decision Tree

**Step 1: Can user ping file server by name?**
*Action: ping FILE-SERVER-NAME*
- **YES (replies)** → Step 2: Can user access share path
- **NO (timeout/host unreachable)** → Step 3: Network connectivity issue
- **Unknown host** → Step 4: DNS resolution issue

**Step 2: Can user access \\server\share in File Explorer?**
*Action: Navigate to \\SERVER\SHARE*
- **YES, opens** → Step 5: Check specific folder permissions
- **NO, access denied** → Step 6: Check share permissions
- **NO, network path not found** → Step 7: Check SMB service

**Step 3: Network Connectivity Issue**
*Troubleshooting layer 3*
- **User on VPN** → Step 8: Check VPN tunnel status
- **User on different site** → Step 9: Check site-to-site connectivity
- **Server on different VLAN** → Check inter-VLAN routing
- **Cable unplugged** → Physical issue

**Step 4: DNS Resolution Issue**
*Action: nslookup FILE-SERVER-NAME*
- **Resolves to correct IP** → Try accessing by IP: \\192.168.1.10\share
- **Does not resolve** → Step 10: Check DNS configuration
- **Resolves to wrong IP** → Step 11: Update DNS record

**Step 5: Can user access specific folder?**
*Action: Open \\server\share\specific-folder*
- **YES** → Issue resolved!
- **NO, access denied** → Step 12: Check NTFS permissions on folder
- **Folder doesn't exist** → Verify correct path, check if moved

**Step 6: Check Share Permissions**
*Action: Right-click share > Properties > Sharing > Permissions*
- **User has Read or Change** → Step 12: Check NTFS permissions
- **User not in permissions** → Step 13: Add user to share permissions
- **Everyone has Full Control** → Share perms OK, issue is NTFS

**Step 7: Check SMB Service**
*Action: Get-Service -Name LanmanServer on file server*
- **Running** → Step 14: Check SMB signing requirements
- **Stopped** → Start service, verify user can access
- **Disabled** → Enable and start service

**Step 8: Check VPN Tunnel**
*If user is remote*
- **VPN connected** → Step 15: Check VPN routing for file server subnet
- **VPN disconnected** → Reconnect VPN, retry
- **VPN connected but can't reach internal** → Step 16: Check split tunneling

**Step 9: Site-to-Site Connectivity**
*Between user's site and file server site*
- **Ping works between sites** → Not a site link issue
- **Ping fails between sites** → Step 17: Check VPN tunnel between sites
- **Some services work, files don't** → Check port 445 specifically

**Step 10: Check User's DNS Settings**
*Action: ipconfig /all on user's PC*
- **DNS points to DC** → Step 18: Check DNS server health
- **DNS points to wrong server** → Set correct DNS via DHCP or static
- **No DNS configured** → Configure DNS

**Step 12: Check NTFS Permissions**
*Action: Right-click folder > Properties > Security*
- **User has Read & Execute** → User should have access
- **User not listed** → Step 19: Check group memberships
- **User has Deny** → Step 20: Remove explicit Deny

**Step 13: Add User to Share Permissions**
*Action: Add user or user's group with appropriate access*
- **Added successfully** → User should now be able to access
- **Cannot add (grayed out)** → Check if Advanced Sharing is needed
- **Added but still fails** → Step 12: Check NTFS permissions

**Step 14: Check SMB Signing**
*Action: Check SMB server/client signing requirements*
- **Client requires signing, server doesn't** → Enable signing on server
- **Mismatch in SMB versions** → Step 21: Enable SMB 2.0/3.0
- **Settings match** → Not SMB signing issue

**Step 15: Check VPN Routing**
*Verify file server subnet is routed through VPN*
- **Route exists** → Check firewall rules on VPN
- **Route missing** → Add route for file server subnet
- **Route exists but traffic blocked** → Step 22: Check firewall

**Step 17: Check Site-to-Site VPN**
*Between locations*
- **Tunnel up** → Step 23: Check Phase 2 includes port 445
- **Tunnel down** → Troubleshoot VPN (separate tree)
- **Tunnel flapping** → Check for routing loops

**Step 18: Check DNS Server**
*On domain controller/DNS server*
- **DNS service running** → Check if A record exists for file server
- **DNS service stopped** → Start DNS service
- **High CPU/memory** → May need DNS server restart

**Step 19: Check Group Memberships**
*Action: Check what groups user belongs to*
- **User in correct group** → Step 24: Run gpupdate to refresh token
- **User not in group** → Add user to appropriate group
- **User added recently** → User needs to log off and back on

**Step 20: Remove Explicit Deny**
*Deny permissions override all allows*
- **Deny removed** → User should now have access
- **Deny is inherited** → Step 25: Check parent folder permissions
- **Cannot remove (grayed out)** → Disable inheritance, then remove

**Step 21: Enable SMB 2.0/3.0**
*Action: Enable SMB versions on server*
- **Enabled successfully** → User should now connect
- **Already enabled** → Check Windows version compatibility
- **Cannot enable** → OS version too old, may need upgrade

**Step 24: Refresh User Token**
*Action: Have user log off and back on (or run klist purge)*
- **After logoff/logon, works** → Resolution confirmed
- **Still fails after logoff** → Step 26: Check effective permissions

**Step 26: Check Effective Permissions**
*Action: Advanced Security > Effective Access*
- **Shows user should have access** → Step 27: Check for inheritance issues
- **Shows user has no access** → Permission configuration error
- **Tool shows access but user still can't** → Clear SMB cache

**RESOLUTION: User can access share and specific folders**

### Common Pitfalls
- User has NTFS permissions but not share permissions (or vice versa)
- User added to group but hasn't logged off/on to refresh token
- Explicit Deny permission overriding Allow permissions
- DNS not resolving file server name
- Firewall blocking port 445 (SMB)
- DFS namespace issues (different issue, separate tree)
- Offline Files caching causing stale view

### Resolution Indicators
- User can open \\server\share
- User can create/modify files if they should have write access
- File Explorer shows correct folders
- No "Access Denied" or "Network Path Not Found" errors

### Documentation Links
- SMB Troubleshooting: https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/
- File Permissions: Internal KB #NTFS-PERMS-001
- DFS Issues: Internal KB #DFS-TROUBLESHOOT

---

## Scenario 4: Active Directory Replication Failure

### Issue Details
**Issue Name:** Active Directory Replication Not Working
**Category:** Active Directory / Infrastructure
**Estimated Time:** 15-30 minutes
**Common For:** Multi-DC environments, especially after DC issues

### First Thing You Check
Can the DCs ping each other?

### Decision Tree

**Step 1: Can DCs ping each other by name?**
*Action: Test-Connection between all DCs*
- **YES, all reply** → Step 2: Check replication status
- **NO, some don't reply** → Step 3: Network connectivity issue
- **Name doesn't resolve** → Step 4: DNS issue

**Step 2: What does replicadmin /showrepl show?**
*Action: repadmin /showrepl on each DC*
- **Last replication: recent (< 1 hour)** → Replication working
- **Last replication: old (> 3 hours)** → Step 5: Check for specific errors
- **Replication failing with error** → Step 6: Identify error code

**Step 3: Network Connectivity Between DCs**
*Layer 3 troubleshooting*
- **Different sites** → Step 7: Check site link configuration
- **Firewall between DCs** → Step 8: Check firewall rules
- **Same site but can't reach** → Check switches, VLANs

**Step 4: DNS Issues Between DCs**
*Action: nslookup DC-NAME from other DC*
- **Resolves correctly** → Not DNS issue, back to Step 1
- **Doesn't resolve** → Step 9: Check DNS zone replication
- **Resolves to wrong IP** → Step 10: Update DNS A record

**Step 5: Check for Specific Replication Errors**
*Review repadmin output*
- **"Last attempt was successful"** → False alarm, replication OK
- **Shows specific error code** → Step 6: Identify error code
- **No errors but time is old** → Step 11: Force replication

**Step 6: Identify Replication Error Code**
*Common error codes*
- **Error 8606 (insufficient attributes)** → Step 12: Metadata cleanup needed
- **Error 8451/8452 (naming context)** → Step 13: Name server not advertising
- **Error 1722 (RPC server unavailable)** → Step 14: RPC/firewall issue
- **Error 1256 (domain trust issue)** → Step 15: Secure channel problem
- **Error 8614 (version mismatch)** → Step 16: Schema version issue

**Step 7: Check Site Link Configuration**
*Action: Check AD Sites and Services*
- **Site link exists** → Step 17: Check site link schedule
- **No site link** → Create site link between sites
- **Link cost too high** → Adjust link cost if needed

**Step 8: Check Firewall Rules Between DCs**
*Required ports for AD replication*
- **Ports 135, 389, 636, 3268, 49152+ open** → Not firewall issue
- **Some ports blocked** → Step 18: Open required AD ports
- **All ports open but still fails** → Back to Step 6 for errors

**Step 9: Check DNS Zone Replication**
*Action: Check _msdcs zone on both DCs*
- **Zone present on both** → Step 19: Check SRV records
- **Zone missing on one DC** → Step 20: Force DNS zone replication
- **Zone present but not replicating** → Check DNS application partition

**Step 11: Force Replication**
*Action: repadmin /syncall /AdeP*
- **Replication succeeded** → Check if ongoing or one-time issue
- **Still failing** → Step 6: Check specific error
- **Partially succeeded** → Identify which DCs failing

**Step 12: Metadata Cleanup for Error 8606**
*Action: ntdsutil metadata cleanup*
- **Phantom DC found** → Remove phantom DC object
- **No phantoms** → Step 21: Check USN rollback
- **Cleanup completed** → Force replication, verify

**Step 13: Name Server Not Advertising (8451/8452)**
*DC not advertising itself properly*
- **netlogon service stopped** → Start netlogon service
- **netlogon running** → Step 22: Re-register netlogon DNS records
- **After reregister, still fails** → Check DNS zone for SRV records

**Step 14: RPC Server Unavailable (1722)**
*RPC connectivity issue*
- **Port 135 blocked** → Step 8: Open port 135
- **Port open but RPC fails** → Step 23: Check RPC service status
- **RPC service running** → Check endpoint mapper

**Step 15: Secure Channel Problem (1256)**
*Computer account trust issue*
- **Password mismatch** → Step 24: Reset computer account
- **Account locked** → Unlock computer account in AD
- **Account missing** → Serious issue, may need DC demotion/promotion

**Step 16: Schema Version Mismatch (8614)**
*Schema versions don't match*
- **One DC has older schema** → Step 25: Update schema on older DC
- **Schema versions match** → May be false positive, check metadata

**Step 17: Check Site Link Schedule**
*Action: Site link properties > Change Schedule*
- **Replication blocked in current time** → Wait or adjust schedule
- **Schedule allows replication** → Step 26: Check site link cost
- **Schedule set to never** → Configure proper schedule

**Step 18: Open Required AD Ports**
*On firewall between DCs*
- **Rules added** → Test replication after 5 minutes
- **Cannot add rules** → Escalate to network team
- **Rules exist but traffic blocked** → Check for other firewalls

**Step 19: Check SRV Records**
*Action: nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN*
- **Both DCs listed** → DNS is good
- **One DC missing** → Step 22: Re-register DNS
- **No DCs listed** → Critical DNS issue, Step 20

**Step 20: Force DNS Zone Replication**
*Action: repadmin /replicate for DNS partitions*
- **DNS replicated** → Verify SRV records now present
- **DNS replication failed** → Check for DNS-specific errors
- **Partial replication** → May need multiple attempts

**Step 22: Re-register Netlogon DNS Records**
*Action: nltest /dsregdns on problem DC*
- **Registration succeeded** → Check DNS for new SRV records
- **Registration failed** → Check DNS service, Event Viewer
- **Succeeded but records still missing** → Manual creation needed

**Step 23: Check RPC Service**
*Action: Get-Service RPCSS*
- **Running** → Step 27: Check RPC port range
- **Stopped** → Start RPCSS service (critical!)
- **Stuck starting** → Reboot DC (after-hours if possible)

**Step 24: Reset Computer Account**
*Action: Reset-ComputerMachinePassword -Server PDC*
- **Reset successful** → Force replication, verify
- **Reset failed** → May need to reset from authoritative DC
- **After reset, still fails** → Deeper trust issue, may need demotion

**Step 27: Check RPC Port Range**
*Action: Check dynamic port range*
- **Default range (49152-65535)** → Range is fine
- **Custom restricted range** → Step 28: Ensure both DCs use same range
- **No dynamic ports available** → Exhaustion issue, investigate

**RESOLUTION: repadmin /showrepl shows recent successful replication on all DCs**

### Common Pitfalls
- Firewall blocking high ports (49152+) needed for RPC
- DNS SRV records missing or incorrect
- Phantom domain controller objects in AD Sites and Services
- Secure channel broken between DCs
- Time skew between DCs (> 5 minutes causes Kerberos failures)
- Antivirus blocking AD replication traffic
- Incorrect site link configuration

### Resolution Indicators
- repadmin /showrepl shows successful replication within last hour
- No replication errors in Directory Services event log
- dcdiag /test:replications passes
- Changes propagate between DCs within expected timeframe
- No Event ID 2042 (too long since last replication)

### Documentation Links
- AD Replication: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/troubleshoot/
- Repadmin Guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc770963(v=ws.11)
- Error Codes: Internal KB #AD-REPL-ERRORS

---

## Scenario 5: Password Reset Request (Simple Example)

### Issue Details
**Issue Name:** User Forgot Password - Needs Reset
**Category:** Account Management
**Estimated Time:** 2-5 minutes
**Common For:** Daily helpdesk task

### First Thing You Check
Verify user's identity

### Decision Tree

**Step 1: Can you verify user's identity?**
*Check against company verification policy*
- **YES (verified via phone/email/manager)** → Step 2: Locate user account
- **NO (cannot verify)** → Deny request, inform user of verification process
- **User is contractor** → Step 3: Check if manager approval required

**Step 2: Can you find user account in AD?**
*Action: Search Active Directory for username*
- **Account found** → Step 4: Check account status
- **Account not found** → Step 5: Check if name spelled correctly
- **Multiple accounts** → Step 6: Identify correct account

**Step 3: Manager Approval for Contractor**
*Per company policy*
- **Manager approves** → Step 2: Proceed with reset
- **Manager denies** → Inform contractor, deny request
- **Cannot reach manager** → Escalate to IT manager

**Step 4: Is account enabled?**
*Check account status*
- **Enabled** → Step 7: Reset password
- **Disabled** → Step 8: Check why disabled
- **Locked out** → Step 9: Unlock and reset

**Step 5: Check Name Spelling**
*Verify with user*
- **Found with correct spelling** → Step 4: Check status
- **Still not found** → Check if account exists, may need creation
- **User doesn't have account** → Route to new user request process

**Step 6: Identify Correct Account**
*Multiple John Smiths, etc.*
- **Identified by employee ID** → Step 4: Proceed
- **Identified by department** → Step 4: Proceed
- **Cannot identify** → Ask user for more info (start date, manager, etc.)

**Step 7: Reset Password**
*Action: Set temporary password in AD*
- **Reset successful** → Step 10: Communicate new password to user
- **Cannot reset (permission denied)** → Escalate to higher-level admin
- **Reset but user still can't login** → Step 11: Check for other issues

**Step 8: Account Disabled - Check Why**
*Look at account notes or ticket history*
- **Disabled for termination** → Do not enable, inform requester
- **Disabled for inactivity** → Step 12: Verify if user still employed
- **Disabled in error** → Enable account and reset password

**Step 9: Unlock Account**
*Action: Unlock account in AD*
- **Unlocked successfully** → Step 7: Reset password
- **Unlock failed** → Wait 15 minutes (lockout duration), try again
- **Immediately locks again** → Step 13: Check for automated login attempts

**Step 10: Communicate New Password**
*Securely provide temp password*
- **Told user over phone** → Instruct user must change at login
- **Sent via secure portal** → Provide portal link
- **User received password** → Step 14: Verify user can login

**Step 11: Reset Success But Login Failed**
*After reset, user still can't login*
- **Wrong username** → Provide correct username
- **Caps Lock on** → Inform user
- **Password not synced yet** → Wait 2-3 minutes, retry
- **MFA issue** → Different troubleshooting path

**Step 12: Verify User Still Employed**
*Check with HR or manager*
- **Still employed** → Enable account, reset password
- **Terminated** → Do not enable, close ticket
- **Unknown status** → Escalate to IT manager

**Step 13: Check for Automated Login Attempts**
*Saved credentials somewhere*
- **Old laptop auto-logging** → Have user change password on laptop
- **Mobile device** → Remove saved password on phone
- **Service account** → Update service account password
- **Can't identify source** → Change password multiple times

**Step 14: Verify User Can Login**
*Confirm with user*
- **Login successful** → Step 15: Set user must change password
- **Still cannot login** → Return to Step 11
- **Login works but can't access email** → Different issue

**Step 15: Force Password Change at Next Login**
*If not already set*
- **User will be prompted** → Document ticket, close
- **User successfully changed** → Resolution confirmed!
- **User locked out again** → May be complexity requirement issue

**RESOLUTION: User successfully logged in with new password**

### Common Pitfalls
- Not verifying user identity properly
- Forgetting to check if account is locked (not just disabled)
- Not telling user to change password at next login
- Multiple accounts for same name, resetting wrong one
- Account syncs slowly to other systems (email, VPN, etc.)
- User typing username incorrectly after reset

### Resolution Indicators
- User confirms successful login
- Account shows last login timestamp updated
- No subsequent lockout or password reset requests
- User able to access all required systems

### Documentation Links
- Password Policy: Internal KB #PWD-POLICY
- Identity Verification: Internal KB #ID-VERIFY
- Account Management: Internal KB #AD-ACCOUNTS