resolutionflow/docs/archive/TS-EXAMPLES.md

Troubleshooting Scenarios for Decision Tree App

Scenario 1: FSLogix Profile Not Loading

Issue Details

Issue Name: FSLogix Profile Not Loading Category: Citrix/Virtual Desktop Estimated Time: 10-15 minutes Common For: Warner Robins City, other Citrix environments

First Thing You Check

Can the user log into the server at all?

Decision Tree

Step 1: Can user log into server?

• YES → Step 2: Check FSLogix service status
• NO → Different tree (AD account/licensing issue)

Step 2: Is FSLogix service running on the server?

• RUNNING → Step 3: Check frxtray.exe in user's task manager
• STOPPED → Step 4: Start service and check event log for cause
• STUCK (Starting/Stopping) → Step 5: Kill service process and restart

Step 3: Is frxtray.exe running in user's task manager?

• YES → Step 6: Check if profile VHD exists in share
• NO → Step 7: Check FSLogix agent installation
• MULTIPLE INSTANCES → Step 8: Kill all frxtray.exe, log user off, try again

Step 4: Service Start Result Action: Start-Service -Name 'frxsvc'

• Started successfully → Step 9: Check Event Viewer for previous failure reason
• Failed to start → Step 10: Check service dependencies (NetLogon, RPC)
• Started but stopped again → Step 11: Check for file locks or permissions

Step 5: Service Kill and Restart Action: Stop-Process -Name frxsvc -Force; Start-Service frxsvc

• Service now running → Step 3: Verify frxtray.exe
• Still stuck → Step 12: Check for corrupt profile or registry

Step 6: Does user have a profile VHD in the share? Check: \server\fslogix\username\Profile_username.vhdx

• YES, file exists → Step 13: Check VHD file permissions
• NO, file missing → Step 14: Check FSLogix registry path configuration
• YES, but 0 bytes → Step 15: Delete corrupt VHD, recreate profile

Step 7: Is FSLogix agent installed? Check: C:\Program Files\FSLogix\Apps\frxsvc.exe exists

• YES → Step 16: Repair FSLogix agent
• NO → Step 17: Install FSLogix agent

Step 8: Multiple frxtray instances Action: Get-Process frxtray | Stop-Process -Force

• Killed successfully → Log user off, have them log back in
• Cannot kill → Step 18: Check for file/folder locks

Step 9: Check Event Viewer Action: Check Application log for FSLogix errors

• Error 50 (Can't access network path) → Step 19: Verify network path accessible
• Error 13 (VHD locked) → Step 20: Check for locks on VHD from other servers
• Error 52 (Profile path not found) → Step 14: Check registry settings

Step 10: Check Service Dependencies Action: Get-Service NetLogon, RpcSs status

• All running → Step 21: Check antivirus blocking
• NetLogon stopped → Start NetLogon, then retry FSLogix
• RPC stopped → Critical issue, escalate to senior engineer

Step 11: Check for File Locks Action: Run Chihlas file lock checker on profile share

• No locks → Step 22: Check disk space on profile server
• Locked by another server → Step 20: Release lock or force user logoff from other session

Step 13: Check VHD Permissions Action: Get-Acl on Profile_username.vhdx

• User has Full Control → Step 23: Try mounting VHD manually
• User missing permissions → Step 24: Grant user full control
• Everyone has permission but still fails → Step 25: Check parent folder permissions

Step 14: Check FSLogix Registry Path Check: HKLM\SOFTWARE\FSLogix\Profiles - VHDLocations

• Path is correct → Step 26: Check DNS resolution of server name
• Path has typo → Fix registry path, log user off and back on
• Path uses old server → Update to correct server path

Step 15: Delete Corrupt VHD Action: Delete 0-byte VHD file

• Deleted successfully → User will get new profile on next login
• Cannot delete (in use) → Step 20: Check locks, force release

Step 17: Install FSLogix Agent Action: Run FSLogix installer from network share

• Installed successfully → Reboot server, have user try again
• Installation failed → Step 27: Check server OS version compatibility

Step 19: Verify Network Path Action: Test-Path \server\fslogix from problem server

• Accessible → Step 28: Check firewall between servers
• Not accessible → Check DNS, check network connectivity
• Accessible but slow → Step 29: Check network performance

Step 20: Check VHD Locks Action: Use openfiles /query or handle.exe to check locks

• Locked by same server → Kill locking process
• Locked by different server → Log user off from that server
• Lock from crashed session → Clear stale session, release lock

Step 21: Check Antivirus Action: Check if AV is scanning/blocking FSLogix folders

• FSLogix folders excluded → Step 30: Check Windows Defender exclusions too
• Not excluded → Add exclusions, restart FSLogix service
• Exclusions present but still blocking → Temporarily disable AV to test

Step 23: Try Mounting VHD Manually Action: Mount-VHD -Path \server\fslogix...\Profile.vhdx

• Mounts successfully → Profile is good, issue elsewhere (back to Step 2)
• Fails to mount → Step 31: Check VHD integrity
• Mounts but takes forever → Step 29: Network performance issue

Step 24: Grant User Permissions Action: icacls add full control for user on VHD

• Permissions granted → Have user log off and back on
• Cannot modify permissions → Check if admin has access, check share permissions

Step 31: Check VHD Integrity Action: Test-VHD -Path ... in PowerShell

• VHD is healthy → Issue is mounting or permissions
• VHD is corrupt → Step 15: Delete and recreate
• Cannot test (access denied) → Permission issue on share

RESOLUTION: Profile loads successfully

Common Pitfalls

• VHD file locked by another server (user has session on multiple servers)
• Profile path in registry has typo or uses old server name
• Antivirus blocking VHD access or scanning profile folder
• NetLogon service stopped preventing network authentication
• Disk full on profile share
• DNS not resolving profile server name
• Stale sessions from crashed RDP connections

Resolution Indicators

• User can log in successfully
• Profile loads within 30 seconds
• No FSLogix errors in Event Viewer
• frxtray.exe running in task manager
• User's desktop, documents appear correctly

Documentation Links

• FSLogix Profile Troubleshooting: https://docs.microsoft.com/en-us/fslogix/troubleshooting-profile-container
• Event Log Error Codes: https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference
• VHD Troubleshooting: Internal KB #FSL-001

---

Scenario 2: Citrix VDA Not Registering

Issue Details

Issue Name: Citrix VDA Not Registering with Delivery Controller Category: Citrix/Virtual Desktop Estimated Time: 10-20 minutes Common For: Warner Robins City, all Citrix environments

First Thing You Check

Can you ping the VDA from the Delivery Controller?

Decision Tree

Step 1: Can you ping VDA from DDC? Action: Test-Connection -ComputerName VDA-HOSTNAME

• YES (replies) → Step 2: Check VDA service status
• NO (request timed out) → Step 3: Network connectivity issue

Step 2: What is VDA service status? Action: Get-Service -Name 'BrokerAgent' on VDA

• RUNNING → Step 4: Check DDC connection from VDA
• STOPPED → Step 5: Start VDA service
• STUCK → Step 6: Force kill and restart service

Step 3: Network Connectivity Issue Troubleshooting network layer

• VDA powered off → Power on VDA, wait for boot
• VDA on different subnet → Step 7: Check routing/firewall
• DNS not resolving → Step 8: Check DNS configuration
• Network cable unplugged → Physical layer issue

Step 4: Can VDA reach DDC on port 80/443? Action: Test-NetConnection -ComputerName DDC-HOSTNAME -Port 80

• Port 80 success → Step 9: Check VDA registration in Studio
• Port 80 blocked → Step 10: Check firewall rules
• DNS fails → Step 8: Check DNS

Step 5: Start VDA Service Action: Start-Service -Name 'BrokerAgent'

• Started successfully → Step 11: Wait 60 seconds, check registration
• Failed to start → Step 12: Check Event Viewer for error
• Started then stopped → Step 13: Check service dependencies

Step 6: Force Kill VDA Service Action: Stop-Process -Name BrokerAgent -Force

• Killed successfully → Step 5: Start service normally
• Cannot kill (access denied) → Restart VDA server
• Killed but immediately respawns → Step 14: Check for loops

Step 7: Check Routing/Firewall Between VDA and DDC

• Different VLANs → Verify inter-VLAN routing configured
• SonicWall between them → Step 15: Check SonicWall rules
• Switches involved → Check VLAN tagging, trunk ports

Step 8: Check DNS Configuration Action: Resolve-DnsName DDC-HOSTNAME from VDA

• Resolves correctly → DNS is fine, go back to network troubleshooting
• Does not resolve → Step 16: Check VDA DNS server settings
• Resolves to wrong IP → Step 17: Check DNS A record

Step 9: Check VDA in Citrix Studio Action: Open Studio > Machine Catalogs

• VDA shows "Registered" → Issue resolved!
• VDA shows "Unregistered" → Step 18: Check ListOfDDCs registry
• VDA not in catalog → Step 19: Add VDA to catalog

Step 10: Check Firewall Rules Between VDA and DDC

• Windows Firewall blocking → Create rule to allow DDC traffic
• Hardware firewall blocking → Step 15: Update SonicWall rules
• NSG rules (if Azure) → Add allow rule for ports 80, 443, 1494, 2598

Step 11: Wait and Verify Registration Action: Wait 60 seconds, refresh Studio

• Now registered → Resolution confirmed!
• Still unregistered → Step 18: Check ListOfDDCs
• Shows error in Studio → Step 20: Check specific error code

Step 12: Check Event Viewer Action: Application log, filter for Citrix

• Error 1001 (cannot contact DDC) → Step 4: Check connectivity
• Error 1006 (auth failure) → Step 21: Check machine account
• Error 1035 (database connection failed) → Escalate to DDC troubleshooting

Step 13: Check Service Dependencies Action: Check dependent services

• NetLogon stopped → Start NetLogon first
• Remote Registry stopped → Start Remote Registry
• Windows Event Log stopped → Critical, may need reboot

Step 15: Check SonicWall Rules Between VDA subnet and DDC subnet

• No rule exists → Create LAN→LAN allow rule for Citrix ports
• Rule exists but wrong ports → Add ports 80, 443, 1494, 2598
• Rule exists, looks correct → Check packet capture on SonicWall

Step 16: Check VDA DNS Settings Action: Get-DnsClientServerAddress on VDA

• Points to wrong DNS → Set to correct DNS server
• Points to correct DNS → Step 17: Check DNS server itself
• No DNS configured → Configure DNS, restart VDA

Step 17: Check DNS A Record On DNS server

• A record correct → Clear DNS cache on VDA
• A record wrong IP → Update A record, clear cache
• A record missing → Create A record for DDC

Step 18: Check ListOfDDCs Registry Action: Check HKLM\Software\Citrix\VirtualDesktopAgent - ListOfDDCs

• Points to correct DDC → Step 22: Re-register VDA manually
• Points to old/wrong DDC → Update registry to correct DDC name
• Registry key missing → Run Citrix VDA installer repair

Step 19: Add VDA to Catalog In Citrix Studio

• Added successfully → VDA should register within 60 seconds
• Cannot add (not found) → Step 1: Network connectivity issue
• Cannot add (duplicate) → VDA may be in different catalog, search

Step 21: Check Machine Account In Active Directory

• Account exists, enabled → Step 23: Check computer trust relationship
• Account disabled → Enable account, restart VDA
• Account missing → Re-join VDA to domain

Step 22: Re-register VDA Manually Action: Run "C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe" -RegisterWithDDC

• Registration successful → Verify in Studio
• Registration failed → Check error message, return to Step 4
• Command not found → VDA install corrupted, reinstall

Step 23: Check Computer Trust Relationship Action: Test-ComputerSecureChannel on VDA

• Trust relationship good → Back to Step 2
• Trust relationship broken → Repair: Reset-ComputerMachinePassword
• Repair failed → Re-join domain

RESOLUTION: VDA shows as Registered in Studio

Common Pitfalls

• Firewall blocking ports 80/443 between VDA and DDC
• DNS not resolving DDC hostname
• ListOfDDCs registry points to old/decommissioned DDC
• Machine account password expired or trust relationship broken
• VDA service won't stay running due to corrupt installation
• Network routing issue between VDA and DDC subnets
• VDA trying to register to wrong DDC in multi-site setup

Resolution Indicators

• VDA shows "Registered" in Citrix Studio
• Users can successfully launch sessions to VDA
• No Citrix errors in Event Viewer
• VDA appears in correct delivery group

Documentation Links

• VDA Registration: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/vda-registration
• Troubleshooting: https://support.citrix.com/article/CTX136668
• Event Log Errors: https://support.citrix.com/article/CTX127348

---

Scenario 3: User Cannot Access File Share

Issue Details

Issue Name: User Cannot Access Network File Share Category: File Services / Permissions Estimated Time: 5-15 minutes Common For: All clients with file servers

First Thing You Check

Can the user ping the file server?

Decision Tree

Step 1: Can user ping file server by name? Action: ping FILE-SERVER-NAME

• YES (replies) → Step 2: Can user access share path
• NO (timeout/host unreachable) → Step 3: Network connectivity issue
• Unknown host → Step 4: DNS resolution issue

Step 2: Can user access \server\share in File Explorer? Action: Navigate to \SERVER\SHARE

• YES, opens → Step 5: Check specific folder permissions
• NO, access denied → Step 6: Check share permissions
• NO, network path not found → Step 7: Check SMB service

Step 3: Network Connectivity Issue Troubleshooting layer 3

• User on VPN → Step 8: Check VPN tunnel status
• User on different site → Step 9: Check site-to-site connectivity
• Server on different VLAN → Check inter-VLAN routing
• Cable unplugged → Physical issue

Step 4: DNS Resolution Issue Action: nslookup FILE-SERVER-NAME

• Resolves to correct IP → Try accessing by IP: \192.168.1.10\share
• Does not resolve → Step 10: Check DNS configuration
• Resolves to wrong IP → Step 11: Update DNS record

Step 5: Can user access specific folder? Action: Open \server\share\specific-folder

• YES → Issue resolved!
• NO, access denied → Step 12: Check NTFS permissions on folder
• Folder doesn't exist → Verify correct path, check if moved

Step 6: Check Share Permissions Action: Right-click share > Properties > Sharing > Permissions

• User has Read or Change → Step 12: Check NTFS permissions
• User not in permissions → Step 13: Add user to share permissions
• Everyone has Full Control → Share perms OK, issue is NTFS

Step 7: Check SMB Service Action: Get-Service -Name LanmanServer on file server

• Running → Step 14: Check SMB signing requirements
• Stopped → Start service, verify user can access
• Disabled → Enable and start service

Step 8: Check VPN Tunnel If user is remote

• VPN connected → Step 15: Check VPN routing for file server subnet
• VPN disconnected → Reconnect VPN, retry
• VPN connected but can't reach internal → Step 16: Check split tunneling

Step 9: Site-to-Site Connectivity Between user's site and file server site

• Ping works between sites → Not a site link issue
• Ping fails between sites → Step 17: Check VPN tunnel between sites
• Some services work, files don't → Check port 445 specifically

Step 10: Check User's DNS Settings Action: ipconfig /all on user's PC

• DNS points to DC → Step 18: Check DNS server health
• DNS points to wrong server → Set correct DNS via DHCP or static
• No DNS configured → Configure DNS

Step 12: Check NTFS Permissions Action: Right-click folder > Properties > Security

• User has Read & Execute → User should have access
• User not listed → Step 19: Check group memberships
• User has Deny → Step 20: Remove explicit Deny

Step 13: Add User to Share Permissions Action: Add user or user's group with appropriate access

• Added successfully → User should now be able to access
• Cannot add (grayed out) → Check if Advanced Sharing is needed
• Added but still fails → Step 12: Check NTFS permissions

Step 14: Check SMB Signing Action: Check SMB server/client signing requirements

• Client requires signing, server doesn't → Enable signing on server
• Mismatch in SMB versions → Step 21: Enable SMB 2.0/3.0
• Settings match → Not SMB signing issue

Step 15: Check VPN Routing Verify file server subnet is routed through VPN

• Route exists → Check firewall rules on VPN
• Route missing → Add route for file server subnet
• Route exists but traffic blocked → Step 22: Check firewall

Step 17: Check Site-to-Site VPN Between locations

• Tunnel up → Step 23: Check Phase 2 includes port 445
• Tunnel down → Troubleshoot VPN (separate tree)
• Tunnel flapping → Check for routing loops

Step 18: Check DNS Server On domain controller/DNS server

• DNS service running → Check if A record exists for file server
• DNS service stopped → Start DNS service
• High CPU/memory → May need DNS server restart

Step 19: Check Group Memberships Action: Check what groups user belongs to

• User in correct group → Step 24: Run gpupdate to refresh token
• User not in group → Add user to appropriate group
• User added recently → User needs to log off and back on

Step 20: Remove Explicit Deny Deny permissions override all allows

• Deny removed → User should now have access
• Deny is inherited → Step 25: Check parent folder permissions
• Cannot remove (grayed out) → Disable inheritance, then remove

Step 21: Enable SMB 2.0/3.0 Action: Enable SMB versions on server

• Enabled successfully → User should now connect
• Already enabled → Check Windows version compatibility
• Cannot enable → OS version too old, may need upgrade

Step 24: Refresh User Token Action: Have user log off and back on (or run klist purge)

• After logoff/logon, works → Resolution confirmed
• Still fails after logoff → Step 26: Check effective permissions

Step 26: Check Effective Permissions Action: Advanced Security > Effective Access

• Shows user should have access → Step 27: Check for inheritance issues
• Shows user has no access → Permission configuration error
• Tool shows access but user still can't → Clear SMB cache

RESOLUTION: User can access share and specific folders

Common Pitfalls

• User has NTFS permissions but not share permissions (or vice versa)
• User added to group but hasn't logged off/on to refresh token
• Explicit Deny permission overriding Allow permissions
• DNS not resolving file server name
• Firewall blocking port 445 (SMB)
• DFS namespace issues (different issue, separate tree)
• Offline Files caching causing stale view

Resolution Indicators

• User can open \server\share
• User can create/modify files if they should have write access
• File Explorer shows correct folders
• No "Access Denied" or "Network Path Not Found" errors

Documentation Links

• SMB Troubleshooting: https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/
• File Permissions: Internal KB #NTFS-PERMS-001
• DFS Issues: Internal KB #DFS-TROUBLESHOOT

---

Scenario 4: Active Directory Replication Failure

Issue Details

Issue Name: Active Directory Replication Not Working Category: Active Directory / Infrastructure Estimated Time: 15-30 minutes Common For: Multi-DC environments, especially after DC issues

First Thing You Check

Can the DCs ping each other?

Decision Tree

Step 1: Can DCs ping each other by name? Action: Test-Connection between all DCs

• YES, all reply → Step 2: Check replication status
• NO, some don't reply → Step 3: Network connectivity issue
• Name doesn't resolve → Step 4: DNS issue

Step 2: What does replicadmin /showrepl show? Action: repadmin /showrepl on each DC

• Last replication: recent (< 1 hour) → Replication working
• Last replication: old (> 3 hours) → Step 5: Check for specific errors
• Replication failing with error → Step 6: Identify error code

Step 3: Network Connectivity Between DCs Layer 3 troubleshooting

• Different sites → Step 7: Check site link configuration
• Firewall between DCs → Step 8: Check firewall rules
• Same site but can't reach → Check switches, VLANs

Step 4: DNS Issues Between DCs Action: nslookup DC-NAME from other DC

• Resolves correctly → Not DNS issue, back to Step 1
• Doesn't resolve → Step 9: Check DNS zone replication
• Resolves to wrong IP → Step 10: Update DNS A record

Step 5: Check for Specific Replication Errors Review repadmin output

• "Last attempt was successful" → False alarm, replication OK
• Shows specific error code → Step 6: Identify error code
• No errors but time is old → Step 11: Force replication

Step 6: Identify Replication Error Code Common error codes

• Error 8606 (insufficient attributes) → Step 12: Metadata cleanup needed
• Error 8451/8452 (naming context) → Step 13: Name server not advertising
• Error 1722 (RPC server unavailable) → Step 14: RPC/firewall issue
• Error 1256 (domain trust issue) → Step 15: Secure channel problem
• Error 8614 (version mismatch) → Step 16: Schema version issue

Step 7: Check Site Link Configuration Action: Check AD Sites and Services

• Site link exists → Step 17: Check site link schedule
• No site link → Create site link between sites
• Link cost too high → Adjust link cost if needed

Step 8: Check Firewall Rules Between DCs Required ports for AD replication

• Ports 135, 389, 636, 3268, 49152+ open → Not firewall issue
• Some ports blocked → Step 18: Open required AD ports
• All ports open but still fails → Back to Step 6 for errors

Step 9: Check DNS Zone Replication Action: Check _msdcs zone on both DCs

• Zone present on both → Step 19: Check SRV records
• Zone missing on one DC → Step 20: Force DNS zone replication
• Zone present but not replicating → Check DNS application partition

Step 11: Force Replication Action: repadmin /syncall /AdeP

• Replication succeeded → Check if ongoing or one-time issue
• Still failing → Step 6: Check specific error
• Partially succeeded → Identify which DCs failing

Step 12: Metadata Cleanup for Error 8606 Action: ntdsutil metadata cleanup

• Phantom DC found → Remove phantom DC object
• No phantoms → Step 21: Check USN rollback
• Cleanup completed → Force replication, verify

Step 13: Name Server Not Advertising (8451/8452) DC not advertising itself properly

• netlogon service stopped → Start netlogon service
• netlogon running → Step 22: Re-register netlogon DNS records
• After reregister, still fails → Check DNS zone for SRV records

Step 14: RPC Server Unavailable (1722) RPC connectivity issue

• Port 135 blocked → Step 8: Open port 135
• Port open but RPC fails → Step 23: Check RPC service status
• RPC service running → Check endpoint mapper

Step 15: Secure Channel Problem (1256) Computer account trust issue

• Password mismatch → Step 24: Reset computer account
• Account locked → Unlock computer account in AD
• Account missing → Serious issue, may need DC demotion/promotion

Step 16: Schema Version Mismatch (8614) Schema versions don't match

• One DC has older schema → Step 25: Update schema on older DC
• Schema versions match → May be false positive, check metadata

Step 17: Check Site Link Schedule Action: Site link properties > Change Schedule

• Replication blocked in current time → Wait or adjust schedule
• Schedule allows replication → Step 26: Check site link cost
• Schedule set to never → Configure proper schedule

Step 18: Open Required AD Ports On firewall between DCs

• Rules added → Test replication after 5 minutes
• Cannot add rules → Escalate to network team
• Rules exist but traffic blocked → Check for other firewalls

Step 19: Check SRV Records Action: nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN

• Both DCs listed → DNS is good
• One DC missing → Step 22: Re-register DNS
• No DCs listed → Critical DNS issue, Step 20

Step 20: Force DNS Zone Replication Action: repadmin /replicate for DNS partitions

• DNS replicated → Verify SRV records now present
• DNS replication failed → Check for DNS-specific errors
• Partial replication → May need multiple attempts

Step 22: Re-register Netlogon DNS Records Action: nltest /dsregdns on problem DC

• Registration succeeded → Check DNS for new SRV records
• Registration failed → Check DNS service, Event Viewer
• Succeeded but records still missing → Manual creation needed

Step 23: Check RPC Service Action: Get-Service RPCSS

• Running → Step 27: Check RPC port range
• Stopped → Start RPCSS service (critical!)
• Stuck starting → Reboot DC (after-hours if possible)

Step 24: Reset Computer Account Action: Reset-ComputerMachinePassword -Server PDC

• Reset successful → Force replication, verify
• Reset failed → May need to reset from authoritative DC
• After reset, still fails → Deeper trust issue, may need demotion

Step 27: Check RPC Port Range Action: Check dynamic port range

• Default range (49152-65535) → Range is fine
• Custom restricted range → Step 28: Ensure both DCs use same range
• No dynamic ports available → Exhaustion issue, investigate

RESOLUTION: repadmin /showrepl shows recent successful replication on all DCs

Common Pitfalls

• Firewall blocking high ports (49152+) needed for RPC
• DNS SRV records missing or incorrect
• Phantom domain controller objects in AD Sites and Services
• Secure channel broken between DCs
• Time skew between DCs (> 5 minutes causes Kerberos failures)
• Antivirus blocking AD replication traffic
• Incorrect site link configuration

Resolution Indicators

• repadmin /showrepl shows successful replication within last hour
• No replication errors in Directory Services event log
• dcdiag /test:replications passes
• Changes propagate between DCs within expected timeframe
• No Event ID 2042 (too long since last replication)

Documentation Links

• AD Replication: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/troubleshoot/
• Repadmin Guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc770963(v=ws.11)
• Error Codes: Internal KB #AD-REPL-ERRORS

---

Scenario 5: Password Reset Request (Simple Example)

Issue Details

Issue Name: User Forgot Password - Needs Reset Category: Account Management Estimated Time: 2-5 minutes Common For: Daily helpdesk task

First Thing You Check

Verify user's identity

Decision Tree

Step 1: Can you verify user's identity? Check against company verification policy

• YES (verified via phone/email/manager) → Step 2: Locate user account
• NO (cannot verify) → Deny request, inform user of verification process
• User is contractor → Step 3: Check if manager approval required

Step 2: Can you find user account in AD? Action: Search Active Directory for username

• Account found → Step 4: Check account status
• Account not found → Step 5: Check if name spelled correctly
• Multiple accounts → Step 6: Identify correct account

Step 3: Manager Approval for Contractor Per company policy

• Manager approves → Step 2: Proceed with reset
• Manager denies → Inform contractor, deny request
• Cannot reach manager → Escalate to IT manager

Step 4: Is account enabled? Check account status

• Enabled → Step 7: Reset password
• Disabled → Step 8: Check why disabled
• Locked out → Step 9: Unlock and reset

Step 5: Check Name Spelling Verify with user

• Found with correct spelling → Step 4: Check status
• Still not found → Check if account exists, may need creation
• User doesn't have account → Route to new user request process

Step 6: Identify Correct Account Multiple John Smiths, etc.

• Identified by employee ID → Step 4: Proceed
• Identified by department → Step 4: Proceed
• Cannot identify → Ask user for more info (start date, manager, etc.)

Step 7: Reset Password Action: Set temporary password in AD

• Reset successful → Step 10: Communicate new password to user
• Cannot reset (permission denied) → Escalate to higher-level admin
• Reset but user still can't login → Step 11: Check for other issues

Step 8: Account Disabled - Check Why Look at account notes or ticket history

• Disabled for termination → Do not enable, inform requester
• Disabled for inactivity → Step 12: Verify if user still employed
• Disabled in error → Enable account and reset password

Step 9: Unlock Account Action: Unlock account in AD

• Unlocked successfully → Step 7: Reset password
• Unlock failed → Wait 15 minutes (lockout duration), try again
• Immediately locks again → Step 13: Check for automated login attempts

Step 10: Communicate New Password Securely provide temp password

• Told user over phone → Instruct user must change at login
• Sent via secure portal → Provide portal link
• User received password → Step 14: Verify user can login

Step 11: Reset Success But Login Failed After reset, user still can't login

• Wrong username → Provide correct username
• Caps Lock on → Inform user
• Password not synced yet → Wait 2-3 minutes, retry
• MFA issue → Different troubleshooting path

Step 12: Verify User Still Employed Check with HR or manager

• Still employed → Enable account, reset password
• Terminated → Do not enable, close ticket
• Unknown status → Escalate to IT manager

Step 13: Check for Automated Login Attempts Saved credentials somewhere

• Old laptop auto-logging → Have user change password on laptop
• Mobile device → Remove saved password on phone
• Service account → Update service account password
• Can't identify source → Change password multiple times

Step 14: Verify User Can Login Confirm with user

• Login successful → Step 15: Set user must change password
• Still cannot login → Return to Step 11
• Login works but can't access email → Different issue

Step 15: Force Password Change at Next Login If not already set

• User will be prompted → Document ticket, close
• User successfully changed → Resolution confirmed!
• User locked out again → May be complexity requirement issue

RESOLUTION: User successfully logged in with new password

Common Pitfalls

• Not verifying user identity properly
• Forgetting to check if account is locked (not just disabled)
• Not telling user to change password at next login
• Multiple accounts for same name, resetting wrong one
• Account syncs slowly to other systems (email, VPN, etc.)
• User typing username incorrectly after reset

Resolution Indicators

• User confirms successful login
• Account shows last login timestamp updated
• No subsequent lockout or password reset requests
• User able to access all required systems

Documentation Links

• Password Policy: Internal KB #PWD-POLICY
• Identity Verification: Internal KB #ID-VERIFY
• Account Management: Internal KB #AD-ACCOUNTS