Viewing Reports and Logs : Checking Domain Health
  
Checking Domain Health
You run Windows domain diagnostic tests on a SteelHead in the Reports > Diagnostics: Domain Health Check page.
The RiOS Windows domain health check executes a variety of tests that provide diagnostics about the status of domain membership, end-to-end Kerberos replication, both manual and automatic constrained delegation, and DNS resolution. This information enables you to resolve issues quickly.
Before running domain diagnostic delegation or replication tests, choose Optimization > Active Directory: Auto Config or Optimization > Active Directory: Service Accounts to configure a Windows user account that you can use for delegation or replication purposes. The Windows domain health check on the SteelHead doesn’t create the delegate or replication user; the Windows domain administrator must create the account in advance. For details, see Easy Domain Authentication Configuration or Windows Domain Authentication.
To run domain health tests
1. Choose Reports > Diagnostics: Domain Health Check to display the Domain Health Check page.
Figure: Domain Health Check Page
 
Control / Description
Test DNS
Checks SteelHead DNS settings, which must be correct for Windows domain authentication, SMB signing, SMB2/3 signing, and encrypted MAPI optimization. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Domain/Realm - Specify the fully qualified Active Directory domain in which the SteelHead is a member. Typically, this is your company domain name.
•  Test DNS - Click to run the test. The Management Console dims this button until you specify the domain name.
Test Join
Confirms that the SteelHead is correctly joined to the Windows domain by verifying that the domain join configuration of the SteelHead is valid on the backend domain controller in Active Directory. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Test Join - Click to run the test.
Test Delegation Setup
Checks whether an account has the necessary Active Directory privileges for delegation or automatic delegation. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Delegation Domain/Realm - Select the fully qualified domain in which the SteelHead is a member. Typically, this is your company domain name.
•  Domain Controller - Specify the host that provides user login service in the domain.
•  Test Delegation Setup - Click to run the test. The Management Console dims this button until you specify all required information.
Test Delegation Privileges
Confirms delegation privileges for a particular server by verifying that the correct privileges are set to perform constrained delegation. Within SMB signing, SMB2/3 signing, and encrypted MAPI in delegation mode, the SteelHead and the AD environment must have correct privileges to obtain Kerberos tickets for the CIFS or Exchange Server and perform the subsequent authentication. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Delegation Domain/Realm - Select the domain in which the SteelHead is a member. Typically, this is your company domain name.
•  Server - Specify a delegate server hostname.
•  Server IP - Specify the delegate server IP address.
•  Service - Select either CIFS or Exchange MDB.
•  Account to Delegate - Specify a domain username.
•  Test Delegation Privileges - Click to run the test. The Management Console dims this button until you specify all required information.
Test NTLM Authentication
Tests whether NTLM can successfully authenticate a user to the joined domain. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Username - Specify an Active Directory domain username.
•  Password - Specify a password.
•  Domain/Realm - Specify the fully qualified domain of the Active Directory in which the SteelHead is a member. Typically, this is your company domain name.
•  Short Domain Name - Specify the short domain (NetBIOS) name if it doesn’t match the first portion of the Active Directory domain name. Case matters; NBTTECH isn’t the same as nbttech.
•  Test NTLM Authentication - Click to run the test. The Management Console dims this button until you specify all required information.
Test Replication Setup
Tests the ability to replicate the server account by attempting to replicate a server account using the replication user for the domain. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Delegation Domain/Realm - Select the fully qualified domain of the Active Directory in which the replication user is a trusted member. For example, REPLICATION.TEST.
•  Short Domain Name - Specify the short domain (NetBIOS) name (or replication server) if it doesn’t match the first portion of the Active Directory domain name. Case matters; NBTTECH isn’t the same as nbttech.
•  Replication Server - Specify a CIFS or Exchange replication server hostname.
•  Test Replication Setup - Click to run the test. The Management Console dims this button until you specify all required information.
Test Replication PRP
Ensures that the server account can be replicated as per the password replication policy (PRP) on the domain controller. This test only works for Windows 2008 and later domains. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
•  Replication Domain/Realm - Select the fully qualified domain of the Active Directory in which the replication user is a trusted member: for example, REPLICATION.TEST.
•  Domain Controller - Specify the host that provides user login service in the domain.
•  Replication Server - Specify a CIFS or Exchange replication server hostname.
•  Test Replication PRP - Click to run the test. The Management Console dims this button until you specify all required information.
Viewing the Test Status
The time and date of the last test appear after Last Run.
When the test runs, the status In Progress appears. After the test completes, the test logs and test result appear.
Viewing the Test Results
The test can report one of these results:
•  Passed
•  Failed
•  Undetermined - A test with an undetermined status indicates that the test couldn’t accurately determine a pass or fail test status.
To view diagnostic test logs
•  Click Show logs. The number of lines in the log appears after Show logs or Hide logs.
The test logs are usually interesting only after a test fails.
An abbreviated form of the time stamp appears in the left margin of each line. To see the original, full time stamp in the form of a tooltip, hover the mouse over a time stamp. Not all log lines have time stamps, because third-party applications generate some of the logging data.
The log lines highlight errors in red and warnings in yellow.
Common Domain Health Errors
This section describes common problems that can occur when joining a Windows domain.
System Time Mismatch
The number one cause of failing to join a domain is a significant difference between the system time on the Windows domain controller and the system time on the SteelHead. When the time on the domain controller and the SteelHead doesn’t match, this error message appears:
lt-kinit: krb5_get_init_creds: Clock skew too great
We recommend using NTP time synchronization to synchronize the client and server clocks. It is critical that the SteelHead time is the same as on the Active Directory controller. Sometimes an NTP server is down or inaccessible, in which case there can be a time difference. You can also disable NTP if it isn’t being used and manually set the time. You must also verify that the time zone is correct. For details, see Configuring the Date and Time.
Note: Select the primary DNS IP address to view the Networking > Networking: Host Settings page.
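The following script is an added example and is not RiOS code or part of the SteelHead health check. It shows what the "Clock skew too great" failure is measuring: it sends one SNTP (RFC 4330) request, computes the clock offset between the local host and an NTP server from the four timestamps in the exchange, and compares the offset against the Kerberos default tolerance of 300 seconds. The server name "pool.ntp.org" in the usage block is an assumption; substitute the NTP source your domain controllers use. The make_server_response helper only exists so the offset arithmetic can be demonstrated offline.

```python
import socket
import struct
import time

# Added example (not RiOS code): minimal SNTP offset measurement checked against
# the Kerberos clock-skew tolerance. Run it on a host synced to the same source as the DC.

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_KERBEROS_SKEW_SECONDS = 300    # Kerberos default maximum tolerated clock skew (5 minutes)


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def unix_to_ntp(t):
    """Convert Unix time to the (seconds, fraction) pair used in NTP packets."""
    whole = int(t)
    return whole + NTP_EPOCH_OFFSET, int((t - whole) * 2**32)


def build_request(t1):
    """48-byte SNTP client request: LI=0, VN=3, Mode=3; transmit timestamp at bytes 40-47."""
    pkt = bytearray(48)
    pkt[0] = 0x1B
    pkt[40:48] = struct.pack("!II", *unix_to_ntp(t1))
    return bytes(pkt)


def make_server_response(t2, t3):
    """Construct a server reply (mode 4) offline with the given receive/transmit times.
    Exists only so the offset math can be demonstrated without network access."""
    pkt = bytearray(48)
    pkt[0] = 0x1C                                       # LI=0, VN=3, Mode=4 (server)
    pkt[32:40] = struct.pack("!II", *unix_to_ntp(t2))   # receive timestamp
    pkt[40:48] = struct.pack("!II", *unix_to_ntp(t3))   # transmit timestamp
    return bytes(pkt)


def parse_response(data, t1, t4):
    """Return (offset, round_trip_delay) per RFC 4330 from a server reply.
    t1 = client send time, t4 = client receive time (local Unix time)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    t2 = ntp_to_unix(*struct.unpack("!II", data[32:40]))
    t3 = ntp_to_unix(*struct.unpack("!II", data[40:48]))
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def skew_ok(offset, tolerance=MAX_KERBEROS_SKEW_SECONDS):
    """True when the measured offset is within what a KDC will accept."""
    return abs(offset) <= tolerance


def query(server, port=123, timeout=3.0):
    """Send one SNTP request and return (offset, delay). Needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, port))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    return parse_response(data, t1, t4)


if __name__ == "__main__":
    import sys
    # Assumption: replace with the NTP source your domain controllers synchronize to.
    server = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"
    offset, delay = query(server)
    verdict = "OK" if skew_ok(offset) else "TOO LARGE - expect 'Clock skew too great'"
    print(f"offset {offset:+.3f}s, delay {delay:.3f}s, Kerberos skew check: {verdict}")
```

An offset anywhere near the 300-second limit is a warning sign even if the check passes, because the SteelHead and the domain controller may drift in opposite directions; the remedy is the one the section gives, namely keeping both on working NTP with the correct time zone.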
Invalid Domain Controller IP
A domain join can fail when the DNS server returns an invalid IP address for the Domain Controller. When a DNS misconfiguration occurs during an attempt to join a domain, these error messages appear:
Failed to join domain: failed to find DC for domain <domain name>
Failed to join domain: No Logon Servers
Additionally, the Domain Join alarm triggers and messages similar to these appear in the logs:
Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Lookup for bravo-sh81.GEN-VCS78DOM.COM Failed
Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Failed to join domain: failed to find DC for domain GEN-VCS78DOM.COM
When you encounter this error, choose Networking > Networking: Host Settings and verify that the DNS settings are correct.
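As an added example that is not part of the SteelHead software, the script below does offline what the log viewer and this section do by hand: it parses rcud syslog lines of the format shown above, abbreviates the time stamp to the time-of-day portion (the page only says the margin shows an abbreviated form, so this exact rule is an assumption), maps ERR and WARN to the red and yellow severities the console uses, and matches the two failure signatures this section documents (clock skew, and failure to find a domain controller) to the remedy the section gives. The sample log is constructed from the page's own lines plus one made-up WARN line; the lt-kinit line has no syslog prefix, which is the third-party-output case the section mentions.

```python
import re

# Added example (not RiOS code): parse and triage Domain Health Check log lines.

# Syslog-style line as emitted by the SteelHead's rcud daemon (format taken from the page's examples):
#   Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} <message>
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[(?P<module>[^\]]*?)/\.(?P<level>[A-Z]+)\] - \{[^}]*\} (?P<msg>.*)$"
)

# Console colouring: ERR lines are red, WARN lines are yellow.
LEVEL_TO_SEVERITY = {"ERR": "error", "WARN": "warning"}

# Known failure signatures and the remedy the documentation gives for each.
KNOWN_ISSUES = (
    ("clock_skew",
     re.compile(r"Clock skew too great"),
     "system time mismatch between the SteelHead and the domain controller; "
     "verify NTP synchronization and the time zone (Configuring the Date and Time)"),
    ("dc_lookup",
     re.compile(r"failed to find DC for domain|No Logon Servers|Lookup for \S+ Failed"),
     "DNS did not return a usable domain controller; verify DNS settings under "
     "Networking > Networking: Host Settings"),
)


def abbreviate_timestamp(full_ts):
    """Keep only the time-of-day; the full stamp is retained separately (assumed abbreviation rule)."""
    return full_ts.split()[-1]


def parse_line(line):
    """Split one log line into fields. Lines from third-party tools (e.g. kinit) carry no prefix."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"ts": None, "full_ts": None, "level": None, "severity": None, "msg": line.strip()}
    return {
        "ts": abbreviate_timestamp(m.group("ts")),
        "full_ts": m.group("ts"),
        "level": m.group("level"),
        "severity": LEVEL_TO_SEVERITY.get(m.group("level")),
        "msg": m.group("msg"),
    }


def classify(lines):
    """Return one finding per known issue present in the log, in order of first appearance."""
    findings, seen = [], set()
    for raw in lines:
        entry = parse_line(raw)
        for name, pattern, remedy in KNOWN_ISSUES:
            if name not in seen and pattern.search(entry["msg"]):
                seen.add(name)
                findings.append({"issue": name, "remedy": remedy, "evidence": entry["msg"]})
    return findings


def render(lines):
    """Produce the margin view: abbreviated time stamp (if any), severity tag, message."""
    out = []
    for raw in lines:
        e = parse_line(raw)
        stamp = f"[{e['ts']}]" if e["ts"] else "[        ]"
        tag = (e["severity"] or "info").upper()
        out.append(f"{stamp} {tag:7} {e['msg']}")
    return "\n".join(out)


# Constructed sample: the two rcud lines from the page, one made-up WARN line, and the kinit line.
SAMPLE_LOG = [
    "Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Lookup for bravo-sh81.GEN-VCS78DOM.COM Failed",
    "Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Failed to join domain: failed to find DC for domain GEN-VCS78DOM.COM",
    "Oct 13 14:47:07 bravo-sh81 rcud[10014]: [rcud/main/.WARN] - {- -} Retrying domain join",
    "lt-kinit: krb5_get_init_creds: Clock skew too great",
]

if __name__ == "__main__":
    print(render(SAMPLE_LOG))
    for f in classify(SAMPLE_LOG):
        print(f"\n{f['issue']}: {f['evidence']}\n  -> {f['remedy']}")
```

Feeding the pasted contents of Show logs into classify gives a first-pass diagnosis; anything it does not recognise is still worth reading line by line, since only the failures this section documents are encoded.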