resolutionflow/TS-EXAMPLES.md
Michael Chihlas 52e8190211 Initial commit: Backend API Phase 1a complete
- FastAPI backend with JWT auth
- PostgreSQL database schema
- Trees and Sessions CRUD APIs
- Export functionality (Markdown, Text, HTML)
- Docker setup for local development
- Alembic migrations
2026-01-22 14:38:53 -05:00

# Troubleshooting Scenarios for Decision Tree App

## Scenario 1: FSLogix Profile Not Loading

### Issue Details

**Issue Name:** FSLogix Profile Not Loading

**Category:** Citrix/Virtual Desktop

**Estimated Time:** 10-15 minutes

**Common For:** Warner Robins City, other Citrix environments

### First Thing You Check

Can the user log into the server at all?

### Decision Tree

**Step 1: Can user log into server?**

- **YES** → Step 2: Check FSLogix service status
- **NO** → Different tree (AD account/licensing issue)

**Step 2: Is FSLogix service running on the server?**

- **RUNNING** → Step 3: Check frxtray.exe in user's task manager
- **STOPPED** → Step 4: Start service and check event log for cause
- **STUCK (Starting/Stopping)** → Step 5: Kill service process and restart

**Step 3: Is frxtray.exe running in user's task manager?**

- **YES** → Step 6: Check if profile VHD exists in share
- **NO** → Step 7: Check FSLogix agent installation
- **MULTIPLE INSTANCES** → Step 8: Kill all frxtray.exe, log user off, try again

**Step 4: Service Start Result**

*Action:* `Start-Service -Name 'frxsvc'`

- **Started successfully** → Step 9: Check Event Viewer for previous failure reason
- **Failed to start** → Step 10: Check service dependencies (NetLogon, RPC)
- **Started but stopped again** → Step 11: Check for file locks or permissions

**Step 5: Service Kill and Restart**

*Action:* `Stop-Process -Name frxsvc -Force; Start-Service frxsvc`

- **Service now running** → Step 3: Verify frxtray.exe
- **Still stuck** → Step 12: Check for corrupt profile or registry

**Step 6: Does user have a profile VHD in the share?**

*Check:* `\\server\fslogix\username\Profile_username.vhdx`

- **YES, file exists** → Step 13: Check VHD file permissions
- **NO, file missing** → Step 14: Check FSLogix registry path configuration
- **YES, but 0 bytes** → Step 15: Delete corrupt VHD, recreate profile

**Step 7: Is FSLogix agent installed?**

*Check:* `C:\Program Files\FSLogix\Apps\frxsvc.exe` exists

- **YES** → Step 16: Repair FSLogix agent
- **NO** → Step 17: Install FSLogix agent

**Step 8: Multiple frxtray instances**

*Action:* `Get-Process frxtray | Stop-Process -Force`

- **Killed successfully** → Log user off, have them log back in
- **Cannot kill** → Step 18: Check for file/folder locks

**Step 9: Check Event Viewer**

*Action: Check Application log for FSLogix errors*

- **Error 50 (Can't access network path)** → Step 19: Verify network path accessible
- **Error 13 (VHD locked)** → Step 20: Check for locks on VHD from other servers
- **Error 52 (Profile path not found)** → Step 14: Check registry settings

**Step 10: Check Service Dependencies**

*Action:* `Get-Service NetLogon, RpcSs` status

- **All running** → Step 21: Check antivirus blocking
- **NetLogon stopped** → Start NetLogon, then retry FSLogix
- **RPC stopped** → Critical issue, escalate to senior engineer

**Step 11: Check for File Locks**

*Action: Run Chihlas file lock checker on profile share*

- **No locks** → Step 22: Check disk space on profile server
- **Locked by another server** → Step 20: Release lock or force user logoff from other session

**Step 13: Check VHD Permissions**

*Action:* `Get-Acl` on `Profile_username.vhdx`

- **User has Full Control** → Step 23: Try mounting VHD manually
- **User missing permissions** → Step 24: Grant user full control
- **Everyone has permission but still fails** → Step 25: Check parent folder permissions

**Step 14: Check FSLogix Registry Path**

*Check:* `HKLM\SOFTWARE\FSLogix\Profiles` - `VHDLocations`

- **Path is correct** → Step 26: Check DNS resolution of server name
- **Path has typo** → Fix registry path, log user off and back on
- **Path uses old server** → Update to correct server path

**Step 15: Delete Corrupt VHD**

*Action: Delete 0-byte VHD file*

- **Deleted successfully** → User will get new profile on next login
- **Cannot delete (in use)** → Step 20: Check locks, force release

**Step 17: Install FSLogix Agent**

*Action: Run FSLogix installer from network share*

- **Installed successfully** → Reboot server, have user try again
- **Installation failed** → Step 27: Check server OS version compatibility

**Step 19: Verify Network Path**

*Action:* `Test-Path \\server\fslogix` from problem server

- **Accessible** → Step 28: Check firewall between servers
- **Not accessible** → Check DNS, check network connectivity
- **Accessible but slow** → Step 29: Check network performance

**Step 20: Check VHD Locks**

*Action:* Use `openfiles /query` or `handle.exe` to check locks

- **Locked by same server** → Kill locking process
- **Locked by different server** → Log user off from that server
- **Lock from crashed session** → Clear stale session, release lock

**Step 21: Check Antivirus**

*Action: Check if AV is scanning/blocking FSLogix folders*

- **FSLogix folders excluded** → Step 30: Check Windows Defender exclusions too
- **Not excluded** → Add exclusions, restart FSLogix service
- **Exclusions present but still blocking** → Temporarily disable AV to test

**Step 23: Try Mounting VHD Manually**

*Action:* `Mount-VHD -Path \\server\fslogix\...\Profile.vhdx`

- **Mounts successfully** → Profile is good, issue elsewhere (back to Step 2)
- **Fails to mount** → Step 31: Check VHD integrity
- **Mounts but takes forever** → Step 29: Network performance issue

**Step 24: Grant User Permissions**

*Action:* `icacls` add Full Control for user on VHD

- **Permissions granted** → Have user log off and back on
- **Cannot modify permissions** → Check if admin has access, check share permissions

**Step 31: Check VHD Integrity**

*Action:* `Test-VHD -Path ...` in PowerShell

- **VHD is healthy** → Issue is mounting or permissions
- **VHD is corrupt** → Step 15: Delete and recreate
- **Cannot test (access denied)** → Permission issue on share

**RESOLUTION: Profile loads successfully**
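The read-only checks in Steps 2, 3, 6, 7, 9 and 14 can be collected in one pass so the engineer knows which branch applies before touching anything. The script below is an added example, not part of the original decision tree or of the resolutionflow project. It assumes an elevated session on the server the user logs into, that the user's profile folder name contains the user name (FSLogix defaults to `%sid%_%username%`), and that FSLogix errors appear in the Application log under a provider name starting with `FSLogix`. It never stops a service or deletes a VHD; those remediation steps stay a deliberate human action.

```powershell
# Added example (not from the original tree or the resolutionflow project).
# Run elevated on the Citrix/RDS host. Collects the read-only findings for
# Steps 2, 3, 6, 7, 9 and 14 and names the next step for each.
param(
    [Parameter(Mandatory)] [string]$UserName   # SAM account name of the affected user
)

$findings = New-Object System.Collections.Generic.List[string]

# Step 7: is the agent installed at all?
$agentExe = 'C:\Program Files\FSLogix\Apps\frxsvc.exe'
if (-not (Test-Path -LiteralPath $agentExe)) {
    $findings.Add('Step 7: frxsvc.exe missing -> Step 17 (install agent)')
}

# Step 2: service state; StartPending/StopPending is the "STUCK" branch
$svc = Get-Service -Name 'frxsvc' -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings.Add('Step 2: frxsvc service not registered -> Step 7')
} elseif ($svc.Status -eq 'Running') {
    $findings.Add('Step 2: frxsvc Running -> Step 3')
} elseif ($svc.Status -in 'StartPending', 'StopPending') {
    $findings.Add("Step 2: frxsvc stuck in $($svc.Status) -> Step 5")
} else {
    $findings.Add("Step 2: frxsvc $($svc.Status) -> Step 4 (start it, then read the event log)")
}

# Step 3 / Step 8: frxtray.exe instances owned by this user (exactly one is healthy).
# -IncludeUserName is why the session must be elevated.
$tray = @(Get-Process -Name 'frxtray' -IncludeUserName -ErrorAction SilentlyContinue |
          Where-Object { $_.UserName -like "*\$UserName" })
switch ($tray.Count) {
    0       { $findings.Add('Step 3: no frxtray.exe for this user -> Step 7') }
    1       { $findings.Add('Step 3: one frxtray.exe running -> Step 6') }
    default { $findings.Add("Step 3: $($tray.Count) frxtray.exe instances -> Step 8") }
}

# Step 14: where does the agent look for profile containers? (REG_MULTI_SZ)
$profiles  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
$locations = @()
if ($profiles -and $profiles.VHDLocations) { $locations = @($profiles.VHDLocations) }
if ($locations.Count -eq 0) {
    $findings.Add('Step 14: VHDLocations not set -> fix registry path')
}

# Step 6 / Step 19: is each location reachable, and does this user have a VHD there?
foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc)) {
        $findings.Add("Step 19: $loc not accessible from this server -> check DNS/network/firewall")
        continue
    }
    $vhd = $null
    foreach ($dir in Get-ChildItem -LiteralPath $loc -Directory -Filter "*$UserName*" -ErrorAction SilentlyContinue) {
        $vhd = Get-ChildItem -LiteralPath $dir.FullName -File -Filter 'Profile_*.vhd*' -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($vhd) { break }
    }
    if (-not $vhd) {
        $findings.Add("Step 6: no Profile_*.vhdx for $UserName under $loc -> Step 14")
    } elseif ($vhd.Length -eq 0) {
        $findings.Add("Step 6: $($vhd.FullName) is 0 bytes -> Step 15 (delete, recreate)")
    } else {
        $findings.Add("Step 6: VHD found ($([math]::Round($vhd.Length / 1MB)) MB) -> Step 13 (check ACL)")
    }
}

# Step 9: most recent FSLogix errors (Level 2 = Error) from the last 24 hours
$since  = (Get-Date).AddHours(-24)
$errors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like 'FSLogix*' } | Select-Object -First 5
foreach ($e in $errors) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings.Add("Step 9: event $($e.Id) at $($e.TimeCreated): $firstLine")
}

[pscustomobject]@{
    Server   = $env:COMPUTERNAME
    User     = $UserName
    Findings = $findings
}
```

Run it as `.\Check-FSLogixProfile.ps1 -UserName jsmith` (file name is the engineer's choice) and read the `Findings` list top to bottom; the first finding that points away from the happy path is the branch to follow. The event messages are printed rather than mapped to the error numbers in Step 9, because the number appears inside the message text and is easier to read than to parse reliably.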
### Common Pitfalls
- VHD file locked by another server (user has session on multiple servers)
- Profile path in registry has typo or uses old server name
- Antivirus blocking VHD access or scanning profile folder
- NetLogon service stopped preventing network authentication
- Disk full on profile share
- DNS not resolving profile server name
- Stale sessions from crashed RDP connections
### Resolution Indicators
- User can log in successfully
- Profile loads within 30 seconds
- No FSLogix errors in Event Viewer
- frxtray.exe running in task manager
- User's desktop, documents appear correctly
### Documentation Links
- FSLogix Profile Troubleshooting: https://docs.microsoft.com/en-us/fslogix/troubleshooting-profile-container
- Event Log Error Codes: https://docs.microsoft.com/en-us/fslogix/profile-container-configuration-reference
- VHD Troubleshooting: Internal KB #FSL-001
---
## Scenario 2: Citrix VDA Not Registering

### Issue Details

**Issue Name:** Citrix VDA Not Registering with Delivery Controller

**Category:** Citrix/Virtual Desktop

**Estimated Time:** 10-20 minutes

**Common For:** Warner Robins City, all Citrix environments

### First Thing You Check

Can you ping the VDA from the Delivery Controller?

### Decision Tree

**Step 1: Can you ping VDA from DDC?**

*Action:* `Test-Connection -ComputerName VDA-HOSTNAME`

- **YES (replies)** → Step 2: Check VDA service status
- **NO (request timed out)** → Step 3: Network connectivity issue

**Step 2: What is VDA service status?**

*Action:* `Get-Service -Name 'BrokerAgent'` on VDA

- **RUNNING** → Step 4: Check DDC connection from VDA
- **STOPPED** → Step 5: Start VDA service
- **STUCK** → Step 6: Force kill and restart service

**Step 3: Network Connectivity Issue**

*Troubleshooting network layer*

- **VDA powered off** → Power on VDA, wait for boot
- **VDA on different subnet** → Step 7: Check routing/firewall
- **DNS not resolving** → Step 8: Check DNS configuration
- **Network cable unplugged** → Physical layer issue

**Step 4: Can VDA reach DDC on port 80/443?**

*Action:* `Test-NetConnection -ComputerName DDC-HOSTNAME -Port 80`

- **Port 80 success** → Step 9: Check VDA registration in Studio
- **Port 80 blocked** → Step 10: Check firewall rules
- **DNS fails** → Step 8: Check DNS

**Step 5: Start VDA Service**

*Action:* `Start-Service -Name 'BrokerAgent'`

- **Started successfully** → Step 11: Wait 60 seconds, check registration
- **Failed to start** → Step 12: Check Event Viewer for error
- **Started then stopped** → Step 13: Check service dependencies

**Step 6: Force Kill VDA Service**

*Action:* `Stop-Process -Name BrokerAgent -Force`

- **Killed successfully** → Step 5: Start service normally
- **Cannot kill (access denied)** → Restart VDA server
- **Killed but immediately respawns** → Step 14: Check for loops

**Step 7: Check Routing/Firewall**

*Between VDA and DDC*

- **Different VLANs** → Verify inter-VLAN routing configured
- **SonicWall between them** → Step 15: Check SonicWall rules
- **Switches involved** → Check VLAN tagging, trunk ports

**Step 8: Check DNS Configuration**

*Action:* `Resolve-DnsName DDC-HOSTNAME` from VDA

- **Resolves correctly** → DNS is fine, go back to network troubleshooting
- **Does not resolve** → Step 16: Check VDA DNS server settings
- **Resolves to wrong IP** → Step 17: Check DNS A record

**Step 9: Check VDA in Citrix Studio**

*Action: Open Studio > Machine Catalogs*

- **VDA shows "Registered"** → Issue resolved!
- **VDA shows "Unregistered"** → Step 18: Check ListOfDDCs registry
- **VDA not in catalog** → Step 19: Add VDA to catalog

**Step 10: Check Firewall Rules**

*Between VDA and DDC*

- **Windows Firewall blocking** → Create rule to allow DDC traffic
- **Hardware firewall blocking** → Step 15: Update SonicWall rules
- **NSG rules (if Azure)** → Add allow rule for ports 80, 443, 1494, 2598

**Step 11: Wait and Verify Registration**

*Action: Wait 60 seconds, refresh Studio*

- **Now registered** → Resolution confirmed!
- **Still unregistered** → Step 18: Check ListOfDDCs
- **Shows error in Studio** → Step 20: Check specific error code

**Step 12: Check Event Viewer**

*Action: Application log, filter for Citrix*

- **Error 1001 (cannot contact DDC)** → Step 4: Check connectivity
- **Error 1006 (auth failure)** → Step 21: Check machine account
- **Error 1035 (database connection failed)** → Escalate to DDC troubleshooting

**Step 13: Check Service Dependencies**

*Action: Check dependent services*

- **NetLogon stopped** → Start NetLogon first
- **Remote Registry stopped** → Start Remote Registry
- **Windows Event Log stopped** → Critical, may need reboot

**Step 15: Check SonicWall Rules**

*Between VDA subnet and DDC subnet*

- **No rule exists** → Create LAN→LAN allow rule for Citrix ports
- **Rule exists but wrong ports** → Add ports 80, 443, 1494, 2598
- **Rule exists, looks correct** → Check packet capture on SonicWall

**Step 16: Check VDA DNS Settings**

*Action:* `Get-DnsClientServerAddress` on VDA

- **Points to wrong DNS** → Set to correct DNS server
- **Points to correct DNS** → Step 17: Check DNS server itself
- **No DNS configured** → Configure DNS, restart VDA

**Step 17: Check DNS A Record**

*On DNS server*

- **A record correct** → Clear DNS cache on VDA
- **A record wrong IP** → Update A record, clear cache
- **A record missing** → Create A record for DDC

**Step 18: Check ListOfDDCs Registry**

*Action:* Check `HKLM\Software\Citrix\VirtualDesktopAgent` - `ListOfDDCs`

- **Points to correct DDC** → Step 22: Re-register VDA manually
- **Points to old/wrong DDC** → Update registry to correct DDC name
- **Registry key missing** → Run Citrix VDA installer repair

**Step 19: Add VDA to Catalog**

*In Citrix Studio*

- **Added successfully** → VDA should register within 60 seconds
- **Cannot add (not found)** → Step 1: Network connectivity issue
- **Cannot add (duplicate)** → VDA may be in different catalog, search

**Step 21: Check Machine Account**

*In Active Directory*

- **Account exists, enabled** → Step 23: Check computer trust relationship
- **Account disabled** → Enable account, restart VDA
- **Account missing** → Re-join VDA to domain

**Step 22: Re-register VDA Manually**

*Action:* Run `"C:\Program Files\Citrix\Virtual Desktop Agent\BrokerAgent.exe" -RegisterWithDDC`

- **Registration successful** → Verify in Studio
- **Registration failed** → Check error message, return to Step 4
- **Command not found** → VDA install corrupted, reinstall

**Step 23: Check Computer Trust Relationship**

*Action:* `Test-ComputerSecureChannel` on VDA

- **Trust relationship good** → Back to Step 2
- **Trust relationship broken** → Repair: `Reset-ComputerMachinePassword`
- **Repair failed** → Re-join domain

**RESOLUTION: VDA shows as Registered in Studio**
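Steps 2, 4, 8, 12, 18 and 23 are all observable from the VDA itself, and registration fails silently when `ListOfDDCs` names a controller the VDA cannot resolve, reach or authenticate to. The script below is an added example, not part of the original decision tree or of the resolutionflow project. It assumes an elevated session on a domain-joined VDA, that `ListOfDDCs` is a space- or comma-separated list, and that the registration events (1001, 1006, 1035 from Step 12) are written to the Application log by a provider whose name starts with `Citrix`. It is read-only and names the next step for each finding.

```powershell
# Added example (not from the original tree or the resolutionflow project).
# Run elevated ON the VDA. Read-only checks for Steps 2, 4, 8, 12, 18 and 23.
param(
    [string[]]$Ddc   # optional: DDC host names to test instead of the registry value
)

$findings = New-Object System.Collections.Generic.List[string]

# Step 18: which DDCs is this VDA configured to register with?
$vdaKey     = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
$listOfDdcs = (Get-ItemProperty -Path $vdaKey -ErrorAction SilentlyContinue).ListOfDDCs
if (-not $Ddc) {
    if ($listOfDdcs) {
        $Ddc = $listOfDdcs -split '[ ,]+' | Where-Object { $_ }
    } else {
        $findings.Add('Step 18: ListOfDDCs missing -> run the VDA installer repair')
    }
}

# Step 2: BrokerAgent service state
$svc = Get-Service -Name 'BrokerAgent' -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings.Add('Step 2: BrokerAgent service not installed -> reinstall VDA')
} elseif ($svc.Status -eq 'Running') {
    $findings.Add('Step 2: BrokerAgent Running -> Step 4')
} elseif ($svc.Status -in 'StartPending', 'StopPending') {
    $findings.Add("Step 2: BrokerAgent stuck in $($svc.Status) -> Step 6")
} else {
    $findings.Add("Step 2: BrokerAgent $($svc.Status) -> Step 5")
}

foreach ($name in $Ddc) {
    # Step 8: does the DDC name resolve from this VDA?
    $answer = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    if (-not $answer) {
        $findings.Add("Step 8: $name does not resolve -> Step 16 (VDA DNS settings)")
        continue
    }
    $ip = ($answer | Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
    # Step 4: registration ports; port 80 is what the tree tests, 443 if the site uses HTTPS
    foreach ($port in 80, 443) {
        $tcp = Test-NetConnection -ComputerName $name -Port $port -WarningAction SilentlyContinue
        if ($tcp.TcpTestSucceeded) {
            $findings.Add("Step 4: $name ($ip) port $port open -> Step 9 (check Studio)")
        } else {
            $findings.Add("Step 4: $name ($ip) port $port blocked -> Step 10 (firewall rules)")
        }
    }
}

# Step 23: the VDA authenticates to the DDC with its machine account, so a broken
# secure channel shows up as an "auth failure" (event 1006) rather than a network error
$trust = $false
try { $trust = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
if ($trust) {
    $findings.Add('Step 23: secure channel with the domain OK')
} else {
    $findings.Add('Step 23: secure channel broken -> Reset-ComputerMachinePassword or re-join domain')
}

# Step 12: recent Citrix errors, mapped to the branches in the tree
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like 'Citrix*' } | Select-Object -First 5
foreach ($e in $events) {
    $next = switch ($e.Id) {
        1001    { 'Step 4 (cannot contact DDC)' }
        1006    { 'Step 21 (machine account)' }
        1035    { 'escalate (DDC database)' }
        default { 'Step 20 (look up error code)' }
    }
    $findings.Add("Step 12: event $($e.Id) at $($e.TimeCreated) -> $next")
}

[pscustomobject]@{
    Vda        = $env:COMPUTERNAME
    ListOfDDCs = $listOfDdcs
    Findings   = $findings
}
```

Passing `-Ddc ddc01.corp.example` lets you test the controller you believe is correct against the one the registry actually names; when the two differ, the Step 18 "points to old/wrong DDC" branch applies even though every connectivity test succeeds.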
### Common Pitfalls
- Firewall blocking ports 80/443 between VDA and DDC
- DNS not resolving DDC hostname
- ListOfDDCs registry points to old/decommissioned DDC
- Machine account password expired or trust relationship broken
- VDA service won't stay running due to corrupt installation
- Network routing issue between VDA and DDC subnets
- VDA trying to register to wrong DDC in multi-site setup
### Resolution Indicators
- VDA shows "Registered" in Citrix Studio
- Users can successfully launch sessions to VDA
- No Citrix errors in Event Viewer
- VDA appears in correct delivery group
### Documentation Links
- VDA Registration: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/manage-deployment/vda-registration
- Troubleshooting: https://support.citrix.com/article/CTX136668
- Event Log Errors: https://support.citrix.com/article/CTX127348
---
## Scenario 3: User Cannot Access File Share

### Issue Details

**Issue Name:** User Cannot Access Network File Share

**Category:** File Services / Permissions

**Estimated Time:** 5-15 minutes

**Common For:** All clients with file servers

### First Thing You Check

Can the user ping the file server?

### Decision Tree

**Step 1: Can user ping file server by name?**

*Action:* `ping FILE-SERVER-NAME`

- **YES (replies)** → Step 2: Can user access share path
- **NO (timeout/host unreachable)** → Step 3: Network connectivity issue
- **Unknown host** → Step 4: DNS resolution issue

**Step 2: Can user access `\\server\share` in File Explorer?**

*Action:* Navigate to `\\SERVER\SHARE`

- **YES, opens** → Step 5: Check specific folder permissions
- **NO, access denied** → Step 6: Check share permissions
- **NO, network path not found** → Step 7: Check SMB service

**Step 3: Network Connectivity Issue**

*Troubleshooting layer 3*

- **User on VPN** → Step 8: Check VPN tunnel status
- **User on different site** → Step 9: Check site-to-site connectivity
- **Server on different VLAN** → Check inter-VLAN routing
- **Cable unplugged** → Physical issue

**Step 4: DNS Resolution Issue**

*Action:* `nslookup FILE-SERVER-NAME`

- **Resolves to correct IP** → Try accessing by IP: `\\192.168.1.10\share`
- **Does not resolve** → Step 10: Check DNS configuration
- **Resolves to wrong IP** → Step 11: Update DNS record

**Step 5: Can user access specific folder?**

*Action:* Open `\\server\share\specific-folder`

- **YES** → Issue resolved!
- **NO, access denied** → Step 12: Check NTFS permissions on folder
- **Folder doesn't exist** → Verify correct path, check if moved

**Step 6: Check Share Permissions**

*Action: Right-click share > Properties > Sharing > Permissions*

- **User has Read or Change** → Step 12: Check NTFS permissions
- **User not in permissions** → Step 13: Add user to share permissions
- **Everyone has Full Control** → Share perms OK, issue is NTFS

**Step 7: Check SMB Service**

*Action:* `Get-Service -Name LanmanServer` on file server

- **Running** → Step 14: Check SMB signing requirements
- **Stopped** → Start service, verify user can access
- **Disabled** → Enable and start service

**Step 8: Check VPN Tunnel**

*If user is remote*

- **VPN connected** → Step 15: Check VPN routing for file server subnet
- **VPN disconnected** → Reconnect VPN, retry
- **VPN connected but can't reach internal** → Step 16: Check split tunneling

**Step 9: Site-to-Site Connectivity**

*Between user's site and file server site*

- **Ping works between sites** → Not a site link issue
- **Ping fails between sites** → Step 17: Check VPN tunnel between sites
- **Some services work, files don't** → Check port 445 specifically

**Step 10: Check User's DNS Settings**

*Action:* `ipconfig /all` on user's PC

- **DNS points to DC** → Step 18: Check DNS server health
- **DNS points to wrong server** → Set correct DNS via DHCP or static
- **No DNS configured** → Configure DNS

**Step 12: Check NTFS Permissions**

*Action: Right-click folder > Properties > Security*

- **User has Read & Execute** → User should have access
- **User not listed** → Step 19: Check group memberships
- **User has Deny** → Step 20: Remove explicit Deny

**Step 13: Add User to Share Permissions**

*Action: Add user or user's group with appropriate access*

- **Added successfully** → User should now be able to access
- **Cannot add (grayed out)** → Check if Advanced Sharing is needed
- **Added but still fails** → Step 12: Check NTFS permissions

**Step 14: Check SMB Signing**

*Action: Check SMB server/client signing requirements*

- **Client requires signing, server doesn't** → Enable signing on server
- **Mismatch in SMB versions** → Step 21: Enable SMB 2.0/3.0
- **Settings match** → Not SMB signing issue

**Step 15: Check VPN Routing**

*Verify file server subnet is routed through VPN*

- **Route exists** → Check firewall rules on VPN
- **Route missing** → Add route for file server subnet
- **Route exists but traffic blocked** → Step 22: Check firewall

**Step 17: Check Site-to-Site VPN**

*Between locations*

- **Tunnel up** → Step 23: Check Phase 2 includes port 445
- **Tunnel down** → Troubleshoot VPN (separate tree)
- **Tunnel flapping** → Check for routing loops

**Step 18: Check DNS Server**

*On domain controller/DNS server*

- **DNS service running** → Check if A record exists for file server
- **DNS service stopped** → Start DNS service
- **High CPU/memory** → May need DNS server restart

**Step 19: Check Group Memberships**

*Action: Check what groups user belongs to*

- **User in correct group** → Step 24: Run `gpupdate` to refresh token
- **User not in group** → Add user to appropriate group
- **User added recently** → User needs to log off and back on

**Step 20: Remove Explicit Deny**

*Deny permissions override all allows*

- **Deny removed** → User should now have access
- **Deny is inherited** → Step 25: Check parent folder permissions
- **Cannot remove (grayed out)** → Disable inheritance, then remove

**Step 21: Enable SMB 2.0/3.0**

*Action: Enable SMB versions on server*

- **Enabled successfully** → User should now connect
- **Already enabled** → Check Windows version compatibility
- **Cannot enable** → OS version too old, may need upgrade

**Step 24: Refresh User Token**

*Action:* Have user log off and back on (or run `klist purge`)

- **After logoff/logon, works** → Resolution confirmed
- **Still fails after logoff** → Step 26: Check effective permissions

**Step 26: Check Effective Permissions**

*Action: Advanced Security > Effective Access*

- **Shows user should have access** → Step 27: Check for inheritance issues
- **Shows user has no access** → Permission configuration error
- **Tool shows access but user still can't** → Clear SMB cache

**RESOLUTION: User can access share and specific folders**
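Steps 6, 12, 19 and 20 are one question asked three times: does the share ACL allow the user, does the NTFS ACL allow the user, and is there a Deny anywhere that overrides both. The script below is an added example, not part of the original decision tree or of the resolutionflow project. It runs on the file server, resolves the user's current AD group set without needing the user's password or the ActiveDirectory module (the `WindowsIdentity` constructor with a UPN uses Kerberos S4U, so the server must be domain-joined and able to reach a DC), and then evaluates both ACLs against that set. The group set it computes is AD as of now; a user who was just added to a group still carries the old token until they log off, which is exactly the Step 24 case.

```powershell
# Added example (not from the original tree or the resolutionflow project).
# Run elevated ON the file server. Read-only: evaluates share and NTFS ACLs
# for one user and names the branch of Steps 6, 12, 19 and 20 to follow.
param(
    [Parameter(Mandatory)] [string]$ShareName,
    [Parameter(Mandatory)] [string]$UserPrincipalName,   # user@domain (UPN form is required)
    [string]$SubFolder = ''                              # relative to the share root, e.g. 'Finance\2026'
)

function Get-SidString([object]$account) {
    # Translate 'DOMAIN\name', a well-known name, or a SID object to a SID string; $null if unknown
    try {
        if ($account -is [System.Security.Principal.IdentityReference]) {
            return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
        return (New-Object System.Security.Principal.NTAccount([string]$account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

# Step 19: the SIDs a fresh logon token for this user would contain (user + all groups)
$identity  = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$findings = New-Object System.Collections.Generic.List[string]

# Step 6: share permissions. Share ACL and NTFS ACL must BOTH allow; either Deny wins.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$shareAllow = $false; $shareDeny = $false
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ((Get-SidString $ace.AccountName) -in $tokenSids) {
        if ($ace.AccessControlType -eq 'Deny') { $shareDeny = $true } else { $shareAllow = $true }
    }
}
if ($shareDeny) {
    $findings.Add('Step 6: explicit Deny on the share matches the user -> remove it')
} elseif (-not $shareAllow) {
    $findings.Add('Step 6: user and their groups are not in the share permissions -> Step 13')
} else {
    $findings.Add('Step 6: share permissions OK -> Step 12')
}

# Step 12 / Step 20: NTFS ACL on the target folder
$folder = Join-Path $share.Path $SubFolder
if (-not (Test-Path -LiteralPath $folder)) {
    $findings.Add("Step 5: $folder does not exist -> verify path, check if moved")
} else {
    $acl       = Get-Acl -LiteralPath $folder
    $readExec  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $ntfsAllow = $false
    foreach ($ace in $acl.Access) {
        $sid = Get-SidString $ace.IdentityReference
        if ($sid -notin $tokenSids) { continue }
        if ($ace.AccessControlType -eq 'Deny') {
            $where = if ($ace.IsInherited) { 'inherited -> Step 25 (parent folder)' } else { 'explicit -> remove it' }
            $findings.Add("Step 20: Deny for $($ace.IdentityReference) ($($ace.FileSystemRights)), $where")
        } elseif (($ace.FileSystemRights -band $readExec) -eq $readExec) {
            $ntfsAllow = $true
        }
    }
    if ($ntfsAllow) {
        $findings.Add('Step 12: user has Read & Execute through an Allow ACE')
    } else {
        $findings.Add('Step 12: no Allow ACE grants Read & Execute to the user or their groups -> Step 19')
    }
}

[pscustomobject]@{
    Share    = "\\$env:COMPUTERNAME\$ShareName"
    Folder   = $folder
    User     = $UserPrincipalName
    Groups   = $identity.Groups.Count
    Findings = $findings
}
```

If the script reports both ACLs as allowing but the user still gets "Access Denied", the user's live token is older than the group change (Step 24), or the client is holding an old SMB session (the "Clear SMB cache" branch of Step 26); either way the permission configuration itself is not the fault.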
### Common Pitfalls
- User has NTFS permissions but not share permissions (or vice versa)
- User added to group but hasn't logged off/on to refresh token
- Explicit Deny permission overriding Allow permissions
- DNS not resolving file server name
- Firewall blocking port 445 (SMB)
- DFS namespace issues (different issue, separate tree)
- Offline Files caching causing stale view
### Resolution Indicators
- User can open `\\server\share`
- User can create/modify files if they should have write access
- File Explorer shows correct folders
- No "Access Denied" or "Network Path Not Found" errors
### Documentation Links
- SMB Troubleshooting: https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/
- File Permissions: Internal KB #NTFS-PERMS-001
- DFS Issues: Internal KB #DFS-TROUBLESHOOT
---
## Scenario 4: Active Directory Replication Failure

### Issue Details

**Issue Name:** Active Directory Replication Not Working

**Category:** Active Directory / Infrastructure

**Estimated Time:** 15-30 minutes

**Common For:** Multi-DC environments, especially after DC issues

### First Thing You Check

Can the DCs ping each other?

### Decision Tree

**Step 1: Can DCs ping each other by name?**

*Action:* `Test-Connection` between all DCs

- **YES, all reply** → Step 2: Check replication status
- **NO, some don't reply** → Step 3: Network connectivity issue
- **Name doesn't resolve** → Step 4: DNS issue

**Step 2: What does `repadmin /showrepl` show?**

*Action:* `repadmin /showrepl` on each DC

- **Last replication: recent (< 1 hour)** → Replication working
- **Last replication: old (> 3 hours)** → Step 5: Check for specific errors
- **Replication failing with error** → Step 6: Identify error code

**Step 3: Network Connectivity Between DCs**

*Layer 3 troubleshooting*

- **Different sites** → Step 7: Check site link configuration
- **Firewall between DCs** → Step 8: Check firewall rules
- **Same site but can't reach** → Check switches, VLANs

**Step 4: DNS Issues Between DCs**

*Action:* `nslookup DC-NAME` from other DC

- **Resolves correctly** → Not DNS issue, back to Step 1
- **Doesn't resolve** → Step 9: Check DNS zone replication
- **Resolves to wrong IP** → Step 10: Update DNS A record

**Step 5: Check for Specific Replication Errors**

*Review repadmin output*

- **"Last attempt was successful"** → False alarm, replication OK
- **Shows specific error code** → Step 6: Identify error code
- **No errors but time is old** → Step 11: Force replication

**Step 6: Identify Replication Error Code**

*Common error codes*

- **Error 8606 (insufficient attributes)** → Step 12: Metadata cleanup needed
- **Error 8451/8452 (naming context)** → Step 13: Name server not advertising
- **Error 1722 (RPC server unavailable)** → Step 14: RPC/firewall issue
- **Error 1256 (domain trust issue)** → Step 15: Secure channel problem
- **Error 8614 (version mismatch)** → Step 16: Schema version issue

**Step 7: Check Site Link Configuration**

*Action: Check AD Sites and Services*

- **Site link exists** → Step 17: Check site link schedule
- **No site link** → Create site link between sites
- **Link cost too high** → Adjust link cost if needed

**Step 8: Check Firewall Rules Between DCs**

*Required ports for AD replication*

- **Ports 135, 389, 636, 3268, 49152+ open** → Not firewall issue
- **Some ports blocked** → Step 18: Open required AD ports
- **All ports open but still fails** → Back to Step 6 for errors

**Step 9: Check DNS Zone Replication**

*Action:* Check `_msdcs` zone on both DCs

- **Zone present on both** → Step 19: Check SRV records
- **Zone missing on one DC** → Step 20: Force DNS zone replication
- **Zone present but not replicating** → Check DNS application partition

**Step 11: Force Replication**

*Action:* `repadmin /syncall /AdeP`

- **Replication succeeded** → Check if ongoing or one-time issue
- **Still failing** → Step 6: Check specific error
- **Partially succeeded** → Identify which DCs failing

**Step 12: Metadata Cleanup for Error 8606**

*Action:* `ntdsutil` metadata cleanup

- **Phantom DC found** → Remove phantom DC object
- **No phantoms** → Step 21: Check USN rollback
- **Cleanup completed** → Force replication, verify

**Step 13: Name Server Not Advertising (8451/8452)**

*DC not advertising itself properly*

- **netlogon service stopped** → Start netlogon service
- **netlogon running** → Step 22: Re-register netlogon DNS records
- **After reregister, still fails** → Check DNS zone for SRV records

**Step 14: RPC Server Unavailable (1722)**

*RPC connectivity issue*

- **Port 135 blocked** → Step 8: Open port 135
- **Port open but RPC fails** → Step 23: Check RPC service status
- **RPC service running** → Check endpoint mapper

**Step 15: Secure Channel Problem (1256)**

*Computer account trust issue*

- **Password mismatch** → Step 24: Reset computer account
- **Account locked** → Unlock computer account in AD
- **Account missing** → Serious issue, may need DC demotion/promotion

**Step 16: Schema Version Mismatch (8614)**

*Schema versions don't match*

- **One DC has older schema** → Step 25: Update schema on older DC
- **Schema versions match** → May be false positive, check metadata

**Step 17: Check Site Link Schedule**

*Action: Site link properties > Change Schedule*

- **Replication blocked in current time** → Wait or adjust schedule
- **Schedule allows replication** → Step 26: Check site link cost
- **Schedule set to never** → Configure proper schedule

**Step 18: Open Required AD Ports**

*On firewall between DCs*

- **Rules added** → Test replication after 5 minutes
- **Cannot add rules** → Escalate to network team
- **Rules exist but traffic blocked** → Check for other firewalls

**Step 19: Check SRV Records**

*Action:* `nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN`

- **Both DCs listed** → DNS is good
- **One DC missing** → Step 22: Re-register DNS
- **No DCs listed** → Critical DNS issue, Step 20

**Step 20: Force DNS Zone Replication**

*Action:* `repadmin /replicate` for DNS partitions

- **DNS replicated** → Verify SRV records now present
- **DNS replication failed** → Check for DNS-specific errors
- **Partial replication** → May need multiple attempts

**Step 22: Re-register Netlogon DNS Records**

*Action:* `nltest /dsregdns` on problem DC

- **Registration succeeded** → Check DNS for new SRV records
- **Registration failed** → Check DNS service, Event Viewer
- **Succeeded but records still missing** → Manual creation needed

**Step 23: Check RPC Service**

*Action:* `Get-Service RPCSS`

- **Running** → Step 27: Check RPC port range
- **Stopped** → Start RPCSS service (critical!)
- **Stuck starting** → Reboot DC (after-hours if possible)

**Step 24: Reset Computer Account**

*Action:* `Reset-ComputerMachinePassword -Server PDC`

- **Reset successful** → Force replication, verify
- **Reset failed** → May need to reset from authoritative DC
- **After reset, still fails** → Deeper trust issue, may need demotion

**Step 27: Check RPC Port Range**

*Action: Check dynamic port range*

- **Default range (49152-65535)** → Range is fine
- **Custom restricted range** → Step 28: Ensure both DCs use same range
- **No dynamic ports available** → Exhaustion issue, investigate

**RESOLUTION: `repadmin /showrepl` shows recent successful replication on all DCs**
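Steps 2, 5, 6 and 19, plus the time-skew pitfall, can be answered from one `repadmin /showrepl * /csv` run instead of reading the per-DC text output. The script below is an added example, not part of the original decision tree or of the resolutionflow project. It assumes an elevated session on a DC or an RSAT workstation (for `repadmin`, `dcdiag` and `w32tm`), that the CSV column names are the ones used below (`Source DSA`, `Destination DSA`, `Naming Context`, `Number of Failures`, `Last Success Time`, `Last Failure Status`), and that `$env:USERDNSDOMAIN` is the domain whose `_msdcs` SRV records should list every DC. The status-code-to-step table is copied from Step 6.

```powershell
# Added example (not from the original tree or the resolutionflow project).
# Run elevated on a DC or RSAT workstation. Read-only: parses repadmin /csv and
# names the next step for every failing or stale replication partner.
$findings = New-Object System.Collections.Generic.List[string]

# Step 2: one row per (destination DC, naming context, source DC)
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
if (-not $rows) { throw 'repadmin returned no rows: is RSAT installed and is this an AD admin session?' }

# Step 6: last-failure status code -> next step, exactly as the tree maps them
$codeToStep = @{
    8606 = 'Step 12 (metadata cleanup)'
    8451 = 'Step 13 (name server not advertising)'
    8452 = 'Step 13 (name server not advertising)'
    1722 = 'Step 14 (RPC server unavailable)'
    1256 = 'Step 15 (secure channel)'
    8614 = 'Step 16 (schema version mismatch)'
}

foreach ($r in $rows) {
    $pair     = "$($r.'Source DSA') -> $($r.'Destination DSA') [$($r.'Naming Context')]"
    $status   = [int]$r.'Last Failure Status'
    $failures = [int]$r.'Number of Failures'
    if ($failures -gt 0 -and $status -ne 0) {
        $next = if ($codeToStep.ContainsKey($status)) { $codeToStep[$status] } else { 'Step 6 (look up code)' }
        $findings.Add("Step 6: $pair failing with status $status ($failures attempts) -> $next")
        continue
    }
    # Step 5: no error recorded, but the last success is older than the 3-hour threshold
    $last = [datetime]::MinValue
    if ([datetime]::TryParse($r.'Last Success Time', [ref]$last) -and $last -lt (Get-Date).AddHours(-3)) {
        $findings.Add("Step 5: $pair last succeeded $last -> Step 11 (force replication)")
    }
}

# Step 19: every DC in the topology should advertise an LDAP SRV record
$domain     = $env:USERDNSDOMAIN
$dcs        = @($rows | ForEach-Object { $_.'Source DSA'; $_.'Destination DSA' } | Sort-Object -Unique)
$srv        = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
$advertised = @($srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { ($_.NameTarget -split '\.')[0].ToUpper() })
foreach ($dc in $dcs) {
    if ($dc.ToUpper() -notin $advertised) {
        $findings.Add("Step 19: $dc has no _ldap._tcp.dc._msdcs SRV record -> Step 22 (nltest /dsregdns)")
    }
}

# Pitfall: Kerberos rejects tickets when clocks differ by more than 5 minutes.
# w32tm /stripchart prints one sample line such as "14:38:53, +00.0012345s".
foreach ($dc in $dcs) {
    $line = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>$null | Select-Object -Last 1
    if ($line -match ',\s*([+-]\d+\.\d+)s') {
        $offset = [double]$Matches[1]
        if ([math]::Abs($offset) -gt 300) {
            $findings.Add("Pitfall: $dc clock offset ${offset}s (> 5 min) -> fix time sync before replication")
        }
    } else {
        $findings.Add("Pitfall: could not sample time from $dc (NTP/UDP 123 blocked?)")
    }
}

# Resolution indicator: dcdiag /q prints nothing when the replications test passes
$dcdiag = dcdiag /test:replications /q
if ($dcdiag) { $findings.Add("dcdiag: $($dcdiag -join ' ')") } else { $findings.Add('dcdiag /test:replications passed') }

[pscustomobject]@{
    Domain   = $domain
    DCs      = $dcs
    Rows     = $rows.Count
    Findings = $findings
}
```

An empty `Findings` list apart from the `dcdiag ... passed` line is the RESOLUTION state; any Step 6 line tells you which DC pair and naming context to work on and which branch of the tree to open first.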
### Common Pitfalls
- Firewall blocking high ports (49152+) needed for RPC
- DNS SRV records missing or incorrect
- Phantom domain controller objects in AD Sites and Services
- Secure channel broken between DCs
- Time skew between DCs (> 5 minutes causes Kerberos failures)
- Antivirus blocking AD replication traffic
- Incorrect site link configuration
### Resolution Indicators
- repadmin /showrepl shows successful replication within last hour
- No replication errors in Directory Services event log
- dcdiag /test:replications passes
- Changes propagate between DCs within expected timeframe
- No Event ID 2042 (too long since last replication)
### Documentation Links
- AD Replication: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/troubleshoot/
- Repadmin Guide: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc770963(v=ws.11)
- Error Codes: Internal KB #AD-REPL-ERRORS
---
## Scenario 5: Password Reset Request (Simple Example)

### Issue Details

**Issue Name:** User Forgot Password - Needs Reset

**Category:** Account Management

**Estimated Time:** 2-5 minutes

**Common For:** Daily helpdesk task

### First Thing You Check

Verify user's identity

### Decision Tree

**Step 1: Can you verify user's identity?**

*Check against company verification policy*

- **YES (verified via phone/email/manager)** → Step 2: Locate user account
- **NO (cannot verify)** → Deny request, inform user of verification process
- **User is contractor** → Step 3: Check if manager approval required

**Step 2: Can you find user account in AD?**

*Action: Search Active Directory for username*

- **Account found** → Step 4: Check account status
- **Account not found** → Step 5: Check if name spelled correctly
- **Multiple accounts** → Step 6: Identify correct account

**Step 3: Manager Approval for Contractor**

*Per company policy*

- **Manager approves** → Step 2: Proceed with reset
- **Manager denies** → Inform contractor, deny request
- **Cannot reach manager** → Escalate to IT manager

**Step 4: Is account enabled?**

*Check account status*

- **Enabled** → Step 7: Reset password
- **Disabled** → Step 8: Check why disabled
- **Locked out** → Step 9: Unlock and reset

**Step 5: Check Name Spelling**

*Verify with user*

- **Found with correct spelling** → Step 4: Check status
- **Still not found** → Check if account exists, may need creation
- **User doesn't have account** → Route to new user request process

**Step 6: Identify Correct Account**

*Multiple John Smiths, etc.*

- **Identified by employee ID** → Step 4: Proceed
- **Identified by department** → Step 4: Proceed
- **Cannot identify** → Ask user for more info (start date, manager, etc.)

**Step 7: Reset Password**

*Action: Set temporary password in AD*

- **Reset successful** → Step 10: Communicate new password to user
- **Cannot reset (permission denied)** → Escalate to higher-level admin
- **Reset but user still can't login** → Step 11: Check for other issues

**Step 8: Account Disabled - Check Why**

*Look at account notes or ticket history*

- **Disabled for termination** → Do not enable, inform requester
- **Disabled for inactivity** → Step 12: Verify if user still employed
- **Disabled in error** → Enable account and reset password

**Step 9: Unlock Account**

*Action: Unlock account in AD*

- **Unlocked successfully** → Step 7: Reset password
- **Unlock failed** → Wait 15 minutes (lockout duration), try again
- **Immediately locks again** → Step 13: Check for automated login attempts

**Step 10: Communicate New Password**

*Securely provide temp password*

- **Told user over phone** → Instruct user must change at login
- **Sent via secure portal** → Provide portal link
- **User received password** → Step 14: Verify user can login

**Step 11: Reset Success But Login Failed**

*After reset, user still can't login*

- **Wrong username** → Provide correct username
- **Caps Lock on** → Inform user
- **Password not synced yet** → Wait 2-3 minutes, retry
- **MFA issue** → Different troubleshooting path

**Step 12: Verify User Still Employed**

*Check with HR or manager*

- **Still employed** → Enable account, reset password
- **Terminated** → Do not enable, close ticket
- **Unknown status** → Escalate to IT manager

**Step 13: Check for Automated Login Attempts**

*Saved credentials somewhere*

- **Old laptop auto-logging** → Have user change password on laptop
- **Mobile device** → Remove saved password on phone
- **Service account** → Update service account password
- **Can't identify source** → Change password multiple times

**Step 14: Verify User Can Login**

*Confirm with user*

- **Login successful** → Step 15: Set user must change password
- **Still cannot login** → Return to Step 11
- **Login works but can't access email** → Different issue

**Step 15: Force Password Change at Next Login**

*If not already set*

- **User will be prompted** → Document ticket, close
- **User successfully changed** → Resolution confirmed!
- **User locked out again** → May be complexity requirement issue

**RESOLUTION: User successfully logged in with new password**
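The order of this tree matters for security as much as for speed: verify identity before looking anything up, match the account exactly so a namesake is not reset, never re-enable a disabled account as a side effect of a reset, and leave the user with a password only they know. The script below is an added example, not part of the original decision tree or of the resolutionflow project. It assumes the ActiveDirectory RSAT module, a helpdesk account delegated to reset passwords and unlock accounts, and that the operator records how identity was verified in the mandatory `-VerifiedBy` parameter (the script only stores that note on the ticket object it returns; the verification policy itself is the "Identity Verification" KB). For Step 13 it reads event 4740 from the PDC emulator, whose `TargetDomainName` field (`Properties[1]`) carries the caller computer name.

```powershell
# Added example (not from the original tree or the resolutionflow project).
# Requires the ActiveDirectory module and a delegated helpdesk account.
# Enforces Steps 1, 2/6, 4/8, 9/13, 7, 15 in the order the tree gives them.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [Parameter(Mandatory)] [ValidateSet('Phone', 'Email', 'Manager', 'Portal')] [string]$VerifiedBy,   # Step 1 gate
    [int]$Length = 16
)
Import-Module ActiveDirectory -ErrorAction Stop

function New-TemporaryPassword([int]$len) {
    # CSPRNG-backed: one character from every class, fill from the full alphabet, then shuffle
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    function Get-RandomIndex([int]$n) {
        # rejection sampling on a single byte so the index has no modulo bias
        $buf = New-Object byte[] 1
        do { $rng.GetBytes($buf) } while ($buf[0] -ge 256 - (256 % $n))
        [int]($buf[0] % $n)
    }
    # ambiguous glyphs (l, I, O, 0, 1) left out so the password survives being read over the phone
    $classes = @('abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+')
    $all     = -join $classes
    $chars   = New-Object 'System.Collections.Generic.List[char]'
    foreach ($c in $classes) { $chars.Add($c[(Get-RandomIndex $c.Length)]) }
    while ($chars.Count -lt $len) { $chars.Add($all[(Get-RandomIndex $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {           # Fisher-Yates shuffle
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars
}

# Step 2 / Step 6: -Identity is an exact sAMAccountName match, so a namesake is never touched
try {
    $user = Get-ADUser -Identity $SamAccountName -Properties Enabled, LockedOut -ErrorAction Stop
} catch {
    throw "Step 5: no account '$SamAccountName' -> check spelling or route to the new-user process"
}

# Step 4 / Step 8: a reset request never re-enables a disabled account
if (-not $user.Enabled) {
    throw "Step 8: $SamAccountName is disabled -> check why (termination?) before doing anything"
}

$ticket = [ordered]@{
    User          = $user.SamAccountName
    VerifiedBy    = $VerifiedBy
    Unlocked      = $false
    LockoutSource = $null
}

# Step 9 / Step 13: unlock, and record which computer sent the bad passwords
if ($user.LockedOut) {
    Unlock-ADAccount -Identity $user
    $ticket.Unlocked = $true
    $pdc = (Get-ADDomain).PDCEmulator
    $ev  = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
           Where-Object { $_.Properties[0].Value -eq $user.SamAccountName } | Select-Object -First 1
    if ($ev) { $ticket.LockoutSource = $ev.Properties[1].Value }   # caller computer name
}

# Step 7 + Step 15: random temporary password, change required at next logon
$temp = New-TemporaryPassword $Length
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Step 10: the value below is handed over through the approved channel only; keep it out of the ticket notes
$ticket.TemporaryPassword = $temp
$ticket.Next = 'Step 14: confirm login; Step 13 if the account locks again'
[pscustomobject]$ticket
```

A non-empty `LockoutSource` turns the "Can't identify source" branch of Step 13 into a concrete machine to check for saved credentials, which is far cheaper than changing the password repeatedly. If the call is made without `-VerifiedBy`, PowerShell prompts for it, so the identity check cannot be skipped by habit.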
### Common Pitfalls
- Not verifying user identity properly
- Forgetting to check if account is locked (not just disabled)
- Not telling user to change password at next login
- Multiple accounts for same name, resetting wrong one
- Account syncs slowly to other systems (email, VPN, etc.)
- User typing username incorrectly after reset
### Resolution Indicators
- User confirms successful login
- Account shows last login timestamp updated
- No subsequent lockout or password reset requests
- User able to access all required systems
### Documentation Links
- Password Policy: Internal KB #PWD-POLICY
- Identity Verification: Internal KB #ID-VERIFY
- Account Management: Internal KB #AD-ACCOUNTS