AD Authentication Troubleshooting

Jun 20, 2025

Overview

This lecture covers common Active Directory (AD) authentication issues and introduces essential troubleshooting steps and tools for resolving user login problems.

Common Authentication Issues

  • Users may fail to log in due to incorrect passwords, account lockouts, or accidental system setting changes.
  • Authentication failure may also result from network or software issues unrelated to AD.
  • Forgetting passwords is a frequent cause, often requiring admin assistance.
  • If a domain computer cannot find a domain controller, AD authentication and related services will not work.

Troubleshooting Steps

  • Start by identifying the exact error messages and circumstances of the failure.
  • Always check for simple causes first, such as network connectivity problems.
  • Ensure the computer is connected to a network that can reach the domain controller and DNS servers.
  • Verify DNS configuration, as AD relies on DNS SRV records to locate domain controllers.

DNS and Active Directory

  • Computers use DNS SRV records to find domain controllers, specifically _ldap._tcp.dc._msdcs.domain.name.
  • Use the Resolve-DnsName -Type SRV _ldap._tcp.dc._msdcs.example.com command in PowerShell to check SRV records.
  • Misconfigured DNS servers or using the wrong DNS server can prevent finding domain controllers.

Local Authentication vs. Domain Authentication

  • Cached credentials allow local logins even if the network is disconnected, but domain resources remain inaccessible.
  • A successful local login does not mean domain authentication was achieved.

Time Synchronization Issues

  • Kerberos authentication depends on synchronized UTC time between the computer and the domain controller (within five minutes).
  • Time sync failures may happen if disconnected from the domain or if local time changes excessively.
  • Use the w32tm /resync command to manually resync time with domain controllers.
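The DNS SRV lookup and the time-skew check above can be combined into one read-only diagnostic. The script below is an added example, not part of the lecture; it assumes a domain-joined Windows client with the DnsClient module, defaults $Domain to the machine's own domain, and only reads state (it does not call w32tm /resync).

```powershell
# Added example: walk the troubleshooting steps for every DC the SRV record
# names. Assumption: run on a domain-joined client; $Domain defaults to
# the machine's domain (hypothetical parameter, not from the lecture).
param([string]$Domain = $env:USERDNSDOMAIN)

if (-not $Domain) { throw "Not domain-joined and no -Domain given" }

# Step 1: locate domain controllers via the SRV record AD publishes in DNS.
# The answer also carries A records, so keep only the SRV entries.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV records for $Domain - check the client's DNS server setting" }

foreach ($rec in $srv) {
    $dc = $rec.NameTarget

    # Step 2: confirm the client can reach LDAP (389) and Kerberos (88) on this DC.
    $ldap = (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
    $krb  = (Test-NetConnection -ComputerName $dc -Port 88  -WarningAction SilentlyContinue).TcpTestSucceeded

    # Step 3: measure clock offset against this DC without changing local time.
    # w32tm /stripchart prints a sample line such as "12:00:00, +00.0012345s";
    # pull the signed seconds value out of the last line of output.
    $line   = (w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-Object -Last 1)
    $offset = if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }

    # Kerberos rejects tickets when skew exceeds the default 5-minute (300 s) tolerance.
    $skewOk = ($null -ne $offset) -and ([math]::Abs($offset) -lt 300)

    [pscustomobject]@{
        DomainController = $dc
        Ldap389          = $ldap
        Kerberos88       = $krb
        ClockOffsetSec   = $offset
        SkewWithinLimit  = $skewOk
    }
}
```

A DC that resolves but shows $false for both ports points at network or firewall trouble rather than AD; a null ClockOffsetSec means w32tm could not query that DC at all.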

Key Terms & Definitions

  • Active Directory (AD) — Microsoft's directory service for managing user and computer authentication.
  • Domain Controller — A server that responds to authentication requests in AD.
  • DNS (Domain Name System) — Service that translates domain names, used by AD to locate controllers.
  • SRV Record — A DNS record specifying the location of servers for specific services.
  • Kerberos — Authentication protocol used by AD, requires synchronized time.
  • Cached Credentials — Locally stored login info for offline login.

Action Items / Next Steps

  • Practice using Resolve-DnsName and w32tm /resync on a test machine.
  • Review DNS and time settings on AD domain computers.
  • Document your domain's correct DNS server configuration.