Ramblings from an IT manager and long time developer.


Troubleshooting 502 Errors in ARR

Taken from here:

Troubleshooting 502 Errors in ARR

by Richard Marr

Tools Used in this Troubleshooter:

  • IIS Failed Request Tracing
  • Network Monitor
  • Winhttp Tracing

This material is provided for informational purposes only. Microsoft makes no warranties, express or implied.

HTTP 502 – Overview

When working with IIS Application Request Routing (ARR) deployments, one of the errors that you may see is “HTTP 502 – Bad Gateway”. The 502.3 error means that – while acting as a proxy – ARR was unable to complete the request to the upstream server and send a response back to the client. This can happen for multiple reasons – for example: failure to connect to the server, no response from the server, or the server took too long to respond (time out). If you are able to reproduce the error by browsing the web farm from the controller, and detailed errors are enabled on the server, you may see an error similar to the following:

Figure 1

The root cause of the error will determine the actions you should take to resolve the issue.

502.3 Timeout Errors

The error code in the screenshot above is significant because it is the return code from WinHTTP, the component ARR uses to proxy the request, and it identifies the reason for the failure.

You can decode the error code with a tool like err.exe (the Microsoft Error Lookup Tool), or with certutil -error <code> on any Windows machine. In this example, the error code maps to ERROR_WINHTTP_TIMEOUT. You can also find this information in the IIS logs for the associated website on the ARR controller. The following is an excerpt from the IIS log entry for the 502.3 error, with most of the fields trimmed for readability:

sc-status sc-substatus sc-win32-status time-taken
502 3 12002 29889

The win32 status 12002 (0x2EE2, the low word of the HRESULT 0x80072EE2) maps to the same ERROR_WINHTTP_TIMEOUT error reported in the error page.

What exactly timed-out?

We investigate this a bit further by enabling Failed Request Tracing on the ARR server. The first thing the failed request trace log shows is where the request was sent, in the ARR_SERVER_ROUTED event. The second item of interest is the X-ARR-LOG-ID header, which you can use to track the request on the target server; it will help when you are tracing the target or destination of the HTTP request:

77. ARR_SERVER_ROUTED RoutingReason="LoadBalancing", Server="", State="Active", TotalRequests="3", FailedRequests="2", CurrentRequests="1", BytesSent="648", BytesReceived="0", ResponseTime="15225" 16:50:21.033
78. GENERAL_SET_REQUEST_HEADER HeaderName="Max-Forwards", HeaderValue="10", Replace="true" 16:50:21.033
79. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-For", HeaderValue="", Replace="true" 16:50:21.033
80. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-SSL", HeaderValue="", Replace="true" 16:50:21.033
81. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-ClientCert", HeaderValue="", Replace="true" 16:50:21.033
82. GENERAL_SET_REQUEST_HEADER HeaderName="X-ARR-LOG-ID", HeaderValue="dbf06c50-adb0-4141-8c04-20bc2f193a61", Replace="true" 16:50:21.033
83. GENERAL_SET_REQUEST_HEADER HeaderName="Connection", HeaderValue="", Replace="true" 16:50:21.033

The following example shows how this might look in the target server's Failed Request Tracing log; you can validate that you have found the correct request by matching up the X-ARR-LOG-ID values in both traces.

185. GENERAL_REQUEST_HEADERS Headers="Connection: Keep-Alive Content-Length: 0 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US Host: test Max-Forwards: 10 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0) X-Original-URL: /time/ X-Forwarded-For: X-ARR-LOG-ID: dbf06c50-adb0-4141-8c04-20bc2f193a61
345. GENERAL_FLUSH_RESPONSE_END BytesSent="0", ErrorCode="An operation was attempted on a nonexistent network connection. (0x800704cd)" 16:51:06.240

In the above example, we can see that the ARR server disconnected before the HTTP response was sent. The timestamp for GENERAL_FLUSH_RESPONSE_END can be used as a rough guide to find the corresponding entry in the IIS logs on the destination server.

date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status sc-substatus sc-win32-status time-taken
2011-07-18 16:51:06 GET /time/ - 80 - 200 0 64 45208

Note that IIS on the destination server logged an HTTP 200 status code, indicating that the request completed successfully. Also note that the win32 status is 64, which maps to ERROR_NETNAME_DELETED. This generally indicates that the client (ARR being the 'client' in this case) had disconnected before the request completed.

What happened?

Only the ARR server is reporting a timeout, so that is where we should look first.

In the IIS log entry from the ARR server, we can see that the time-taken is very close to 30 seconds, but the member server log shows that it took 45 seconds (45208 ms) to send the response. This suggests that ARR is timing the request out, and if we check the proxy timeout in the server farm's proxy settings, we will see that it is set to 30 seconds by default.

So in this case we can clearly see that the ARR timeout was shorter than the execution of the request. You would then want to investigate whether this execution time is normal or whether the request is taking longer than expected and why. If the execution time is expected and normal, increasing the ARR timeout should resolve the error; the value is the Time-out setting on the farm's Proxy page in IIS Manager, stored as the timeout attribute of the farm's applicationRequestRouting/protocol element in applicationHost.config. Raising it also means a hung member ties up a controller connection for that much longer, so prefer a value just above the slowest legitimate request rather than a very large one.

Other possible reasons for ERROR_WINHTTP_TIMEOUT include:

  • ResolveTimeout: This occurs if name resolution takes longer than the specified timeout period.
  • ConnectTimeout: This occurs if it takes longer than the specified timeout period to connect to the server after the name resolved.
  • SendTimeout: If sending a request takes longer than this time-out value, the send operation is canceled.
  • ReceiveTimeout: If a response takes longer than this time-out value, the request is canceled.

For the first two, ResolveTimeout and ConnectTimeout, the troubleshooting methodology outlined above will not work: the request never reaches the target server, so there is no trace or log entry there to give you the error code. In those cases capture a WinHTTP trace on the ARR server for additional insight; see the WinHTTP/WebIO Tracing section later in this troubleshooter.
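The log-side methodology above (decode sc-win32-status on the controller's 502.3 rows, then find the member's entry for the same request and compare the two time-taken values) as an added Python example; this is not code from the troubleshooter. The two log excerpts are constructed from the figures quoted above (controller: 502 3 12002 29889; member: 16:51:06 200 0 64 45208); the IP addresses, the field list and the 30-second proxy timeout are assumptions, and the 12007/12029 entries are the standard WinHTTP codes for the resolve and connect failures listed in the bullets.

```python
"""Decode sc-win32-status on 502.3 rows from the ARR controller's IIS log
and pair each row with the member server's entry for the same request.

Added example; not code from the troubleshooter. Sample logs are constructed
from the figures quoted in the text; IPs, field list and the 30 s proxy
timeout are assumptions.
"""
from datetime import datetime, timedelta

# sc-win32-status values. 12002, 64, 12030 and 12152 are the ones this
# troubleshooter discusses; 12007 and 12029 are the standard WinHTTP codes
# for the resolve and connect failures listed under "Other possible reasons".
WIN32_STATUS = {
    0: "SUCCESS",
    64: "ERROR_NETNAME_DELETED",
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12030: "ERROR_WINHTTP_CONNECTION_ERROR",
    12152: "ERROR_WINHTTP_INVALID_SERVER_RESPONSE",
}

# Constructed sample logs (IIS W3C format). 10.0.0.10 is the ARR controller,
# 10.0.0.21 the member, 10.0.0.50 the browser.
ARR_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status time-taken
2011-07-18 16:50:50 10.0.0.10 GET /time/ - 80 - 10.0.0.50 502 3 12002 29889
2011-07-18 16:52:10 10.0.0.10 GET /time/ - 80 - 10.0.0.50 502 3 12030 15
2011-07-18 16:53:00 10.0.0.10 GET /other/ - 80 - 10.0.0.50 502 3 12002 30002
"""
MEMBER_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-substatus sc-win32-status time-taken
2011-07-18 16:51:06 10.0.0.21 GET /time/ - 80 - 10.0.0.10 200 0 64 45208
"""


def parse_w3c(text):
    """Parse W3C extended log text using its #Fields header.

    IIS writes the entry when the response is complete, so time minus
    time-taken approximates the request start (in the text, 16:51:06 minus
    45208 ms lands on 16:50:21, when ARR_SERVER_ROUTED fired).
    """
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # skip truncated lines instead of misaligning columns
            row = dict(zip(fields, values))
            row["end"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            row["start"] = row["end"] - timedelta(milliseconds=int(row["time-taken"]))
            rows.append(row)
    return rows


def match_member(arr_row, member_rows, tolerance_ms=2000):
    """Member entry for the same URI whose start time is closest to the controller's."""
    same_uri = [m for m in member_rows if m["cs-uri-stem"] == arr_row["cs-uri-stem"]]
    best = min(same_uri, key=lambda m: abs(m["start"] - arr_row["start"]), default=None)
    if best and abs(best["start"] - arr_row["start"]) <= timedelta(milliseconds=tolerance_ms):
        return best
    return None


def diagnose(arr_row, member_row, proxy_timeout_ms=30000):
    """Classify one 502.3 controller row as (verdict, explanation)."""
    code = int(arr_row["sc-win32-status"])
    name = WIN32_STATUS.get(code, f"win32 {code}")
    taken = int(arr_row["time-taken"])
    if code == 12002 and member_row is None:
        return ("resolve-or-connect", f"{name} after {taken} ms and no member entry: the request "
                "never reached the member (ResolveTimeout/ConnectTimeout); take a WinHTTP trace")
    if code == 12002:
        mtaken = int(member_row["time-taken"])
        mcode = WIN32_STATUS.get(int(member_row["sc-win32-status"]), member_row["sc-win32-status"])
        if mtaken > taken and taken >= proxy_timeout_ms - 1000:
            return ("proxy-timeout", f"ARR gave up after {taken} ms (proxy timeout {proxy_timeout_ms} ms) "
                    f"while the member took {mtaken} ms and logged {member_row['sc-status']}/{mcode}; "
                    "raise the timeout only if that execution time is expected")
        return ("timeout-other", f"{name} after {taken} ms; member took {mtaken} ms")
    if code in (12030, 12152):
        return ("member-aborted", f"{name}: the member closed or corrupted the response; check its "
                "HTTPERR log for Connection_Dropped and take a network trace between the two")
    return ("other", f"{name} after {taken} ms")


def report(arr_text=ARR_LOG, member_text=MEMBER_LOG):
    """All 502.3 rows on the controller with their verdicts, in log order."""
    members = parse_w3c(member_text)
    results = []
    for row in parse_w3c(arr_text):
        if row["sc-status"] == "502" and row["sc-substatus"] == "3":
            verdict, why = diagnose(row, match_member(row, members))
            results.append((row["time"], row["cs-uri-stem"], verdict, why))
    return results


if __name__ == "__main__":
    for when, uri, verdict, why in report():
        print(f"{when} {uri} [{verdict}] {why}")
```

Point it at real files by reading the controller's and the member's u_ex*.log into the two text arguments of report(); the URI-plus-start-time pairing is a heuristic for logs that lack the X-ARR-LOG-ID custom field, so tighten tolerance_ms on a busy farm.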

502.3 Connection Termination Errors

502.3 errors are also returned when the connection between ARR and the member server is disconnected mid-stream. To test this type of problem, create a simple .aspx page that calls Response.Close(). In the following example there is a directory called “time” which is configured with a simple aspx page as the default document of that directory. When browsing to the directory, ARR will display this error:

Figure 2

The error 0x80072efe (win32 status 12030) corresponds to ERROR_INTERNET_CONNECTION_ABORTED; WinHTTP's own name for the same value is ERROR_WINHTTP_CONNECTION_ERROR. The request can be traced to the server that actually processed it using the same steps used earlier in this troubleshooter, with one exception: while Failed Request Tracing on the destination server shows the request was processed there, no entry for it appears in the IIS logs, because HTTP.sys never completed a response. Instead, the request is logged in the HTTPERR log as follows:

HTTP/1.1 GET /time/ - 1 Connection_Dropped DefaultAppPool

The built-in logs on the destination server do not provide any additional information about the problem, so the next step would be to gather a network trace from the ARR server. In the example above, the .aspx page called Response.Close() without returning any data. Viewing this in a network trace would show that a Connection: close HTTP header was coming from the destination server. With this information you could now start an investigation into why the Connection: close header was sent.

The error below is another example of an invalid response from the member server:

Figure 3

In this example, ARR had begun receiving the response from the member server when the remainder turned out to be truncated or malformed, which WinHTTP reports as 0x80072f78 (win32 status 12152, ERROR_WINHTTP_INVALID_SERVER_RESPONSE). To investigate further, use Network Monitor on the member server to get a network trace of the problem. This particular example was created by writing part of the response in the page, calling Response.Flush(), and then calling Response.Close(). If the traffic between the ARR server and the member servers is over SSL, then WinHTTP tracing on Windows Server 2008 or WebIO tracing on Windows Server 2008 R2 may provide additional information. WebIO tracing is described later in this troubleshooter.

502.4 No appropriate server could be found to route the request

The HTTP 502.4 error with an associated error code of 0x00000000 generally indicates that all the members of the farm are either offline, or otherwise unreachable.

Figure 4

The first step is to verify that the member servers are actually online. To check this, go to the "Servers" node under the farm in IIS Manager.

Figure 5

Servers that are offline can be brought back online by right-clicking on the server name and choosing "Add to Load Balancing". If you cannot bring the servers back online, verify that the member servers are reachable from the ARR server. The "Trace Messages" pane on the Servers page may also provide some clues about the problem. If you are using Web Farm Framework (WFF) 2.0, you may receive this error if the application pool restarts; you will need to restart the Web Farm Service to recover.

WinHTTP/WebIO Tracing

Usually, Network Monitor will provide you with the information you need to identify exactly what is timing out, however there are times (such as when the traffic is SSL encrypted) that you will need to try a different approach. On Windows 7 and Windows Server 2008R2 you can enable WinHTTP tracing using the netsh tool by running the following command from an administrative command prompt:

netsh trace start scenario=internetclient capture=yes persistent=no level=verbose tracefile=c:\temp\net.etl

Then, reproduce the problem. Once the problem is reproduced, stop the tracing by running the following command from the command prompt:

netsh trace stop

The stop command will take a few seconds to finish. When it is done, you will find a net.etl file and a net.cab file in C:\temp. The .cab file contains event logs and additional data that may prove helpful in analyzing the .etl file.

To analyze the log, open it in Network Monitor 3.4 or later with the Windows parser profile selected. Scroll through the trace until you find the w3wp.exe instance where ARR is running by correlating with the "UT process name" column. Right-click on w3wp and choose "Add UT Process name to display filter". This will set the display filter to something like:

UTProcessName == "w3wp.exe (1432)"

You can further filter the results by changing it to the following:

UTProcessName == "w3wp.exe (1432)" AND ProtocolName == "WINHTTP_MicrosoftWindowsWinHttp"

You will need to scroll through the output until you find the timeout error. In the example below, a request timed out because it took more than 30 seconds (ARR's default timeout) to run.
336 2:32:22 PM 7/22/2011 32.6380453 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver starts in _INIT state
337 2:32:22 PM 7/22/2011 32.6380489 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::current thread is not impersonating
340 2:32:22 PM 7/22/2011 32.6380584 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver processing WebReceiveHttpResponse completion (error-cdoe = ? (0x5b4), overlapped = 003728F0))
341 2:32:22 PM 7/22/2011 32.6380606 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver failed to receive headers; error = ? (1460)
342 2:32:22 PM 7/22/2011 32.6380800 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::ERROR_WINHTTP_FROM_WIN32 mapped (?) 1460 to (ERROR_WINHTTP_TIMEOUT) 12002
343 2:32:22 PM 7/22/2011 32.6380829 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse()
344 2:32:22 PM 7/22/2011 32.6380862 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-req completes recv-headers inline (sync); error = ERROR_WINHTTP_TIMEOUT (12002)

In this next example, the content server was completely offline. Note the difference from the first trace: there the underlying error was ERROR_TIMEOUT (1460) on the receive after the request had been sent, whereas here it is the Winsock error WSAETIMEDOUT (10060) because the connection attempt itself got no answer. Both are mapped to the same ERROR_WINHTTP_TIMEOUT (12002), which is why the IIS log alone cannot tell the two cases apart:

42 2:26:39 PM 7/22/2011 18.9279133 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::WinHttpReceiveResponse(0x11d23d0, 0x0) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
43 2:26:39 PM 7/22/2011 18.9279633 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver starts in _INIT state {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
44 2:26:39 PM 7/22/2011 18.9280469 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::current thread is not impersonating {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
45 2:26:39 PM 7/22/2011 18.9280776 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver processing WebReceiveHttpResponse completion (error-cdoe = WSAETIMEDOUT (0x274c), overlapped = 003728F0)) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
46 2:26:39 PM 7/22/2011 18.9280802 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver failed to receive headers; error = WSAETIMEDOUT (10060) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
47 2:26:39 PM 7/22/2011 18.9280926 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::ERROR_WINHTTP_FROM_WIN32 mapped (WSAETIMEDOUT) 10060 to (ERROR_WINHTTP_TIMEOUT) 12002 {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
48 2:26:39 PM 7/22/2011 18.9280955 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse() {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
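Reading the two traces above by hand works for a handful of lines; a real netsh capture has thousands. The following added Python example (not part of the troubleshooter) pulls the ERROR_WINHTTP_FROM_WIN32 mapping lines out of Network Monitor's text view and reports the pre-mapping error, which is what distinguishes "connected but no response" from "could not connect". TRACE holds the lines quoted above; the 1460 and 10060 readings come from those two traces, while 10061 and 11001 are standard Winsock values added for the connect-refused and name-resolution cases, and the wording of each reading is this example's own.

```python
"""Extract the pre-mapping Win32/Winsock error from WinHTTP trace lines so
that requests which all ended in ERROR_WINHTTP_TIMEOUT (12002) can be told
apart. Added example, not part of the troubleshooter; TRACE is a copy of
the lines quoted in the text.
"""
import re

TRACE = """\
341 2:32:22 PM 7/22/2011 32.6380606 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver failed to receive headers; error = ? (1460)
342 2:32:22 PM 7/22/2011 32.6380800 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::ERROR_WINHTTP_FROM_WIN32 mapped (?) 1460 to (ERROR_WINHTTP_TIMEOUT) 12002
343 2:32:22 PM 7/22/2011 32.6380829 w3wp.exe (1432) WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:32:23.123 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse()
46 2:26:39 PM 7/22/2011 18.9280802 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver failed to receive headers; error = WSAETIMEDOUT (10060) {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
47 2:26:39 PM 7/22/2011 18.9280926 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::ERROR_WINHTTP_FROM_WIN32 mapped (WSAETIMEDOUT) 10060 to (ERROR_WINHTTP_TIMEOUT) 12002 {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
48 2:26:39 PM 7/22/2011 18.9280955 WINHTTP_MicrosoftWindowsWinHttp WINHTTP_MicrosoftWindowsWinHttp:12:26:39.704 ::sys-recver returning ERROR_WINHTTP_TIMEOUT (12002) from RecvResponse() {WINHTTP_MicrosoftWindowsWinHttp:4, NetEvent:3}
"""

MAPPED = re.compile(
    r"ERROR_WINHTTP_FROM_WIN32 mapped \((?P<uname>[^)]*)\) (?P<ucode>\d+) "
    r"to \((?P<wname>\w+)\) (?P<wcode>\d+)")
PROCESS = re.compile(r"(\w+\.exe) \((\d+)\)")          # "w3wp.exe (1432)" column, if present
TIMESTAMP = re.compile(r"WinHttp:(\d{2}:\d{2}:\d{2}\.\d{3})")

# How to read the pre-mapping error. 1460 and 10060 are the two cases in the
# text; 10061 and 11001 are standard Winsock values added for completeness.
UNDERLYING = {
    1460: ("ERROR_TIMEOUT", "request was sent; the response wait expired (proxy/ReceiveTimeout)"),
    10060: ("WSAETIMEDOUT", "TCP connect got no answer: member offline or silently filtered"),
    10061: ("WSAECONNREFUSED", "TCP connect refused: nothing listening on the member's port"),
    11001: ("WSAHOST_NOT_FOUND", "name resolution failed"),
}


def find_mappings(trace_text):
    """One dict per ERROR_WINHTTP_FROM_WIN32 line: when, which process, and why."""
    findings = []
    for line in trace_text.splitlines():
        m = MAPPED.search(line)
        if not m:
            continue
        ucode = int(m.group("ucode"))
        name, reading = UNDERLYING.get(ucode, (m.group("uname"), "unclassified; decode with err.exe"))
        proc = PROCESS.search(line)
        stamp = TIMESTAMP.search(line)
        findings.append({
            "time": stamp.group(1) if stamp else None,
            "process": f"{proc.group(1)} ({proc.group(2)})" if proc else None,
            "winhttp": (m.group("wname"), int(m.group("wcode"))),
            "underlying": (name, ucode),
            "reading": reading,
        })
    return findings


if __name__ == "__main__":
    for f in find_mappings(TRACE):
        print(f"{f['time']} {f['process'] or '-'}: {f['winhttp'][0]} ({f['winhttp'][1]}) "
              f"<- {f['underlying'][0]} ({f['underlying'][1]}): {f['reading']}")
```

To use it on a capture, select the filtered frames in Network Monitor, copy them as text, and feed that text to find_mappings(); the "?" the trace prints for names it cannot resolve is carried through unchanged for codes not in UNDERLYING.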



Cisco AnyConnect

Cisco AnyConnect is an SSL VPN client that provides reliable and easy-to-deploy encrypted (SSL) network connectivity for Windows.

Typically, the Cisco AnyConnect client would be downloaded from the VPN site, but the version currently available from that location is not compatible with current versions of Windows 7 and Windows 8 and will not function properly due to Microsoft Windows security updates.

Note: Remember to verify you are running the most recent version of java (

Download Link



This is a bunch of command line tools for troubleshooting Microsoft Active Directory. Shared from the website.

FSMO Roles

ntdsutil roles connections "connect to server %logonserver%" quit "select operation target" "list roles for connected server" quit quit quit

[JDH: This is really a series of steps, not a single command]


Domain Controllers

Nltest /dclist:%userdnsdomain%

Domain Controller IP Configuration

for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do psexec \\%i ipconfig /all

Stale computer accounts

dsquery computer domainroot -stalepwd 180 -limit 0

Stale user accounts

dsquery user domainroot -stalepwd 180 -limit 0

Disabled user accounts

dsquery user domainroot -disabled -limit 0

AD Database disk usage

for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dir \\%i\admin$\ntds

Global Catalog Servers from DNS

dnscmd %logonserver% /enumrecords %userdnsdomain% _tcp | find /i "3268"

Global Catalog Servers from AD

dsquery * "CN=Configuration,DC=forestRootDomain" -filter "(&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))"

Users with no logon script

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(!(scriptPath=*)))" -limit 0 -attr sAMAccountName sn givenName pwdLastSet distinguishedName

User accounts with no pwd required

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))"

User accounts with no pwd expiry

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

User accounts that are disabled

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"
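The three commands above all use the same trick: the matching rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests bits of userAccountControl, with 32 = PASSWD_NOTREQD, 65536 = DONT_EXPIRE_PASSWORD and 2 = ACCOUNTDISABLE. The following added Python example (not part of the original command list) builds those filters from flag names, decodes a raw userAccountControl value back into flags, and runs the same checks over a constructed sample of accounts; it also checks DONT_REQ_PREAUTH, one step beyond the three flags the commands look for. The account data is made up; in practice the values come from dsquery/ldifde output or an LDAP query.

```python
"""Build and decode the userAccountControl bit filters used by the dsquery
commands above, and audit a sample set of accounts with them.

Added example, not part of the original command list. SAMPLE is constructed.
"""
# userAccountControl bits (the standard ADS_USER_FLAG values).
UAC = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}
# The matching-rule OID in the filters above: bitwise AND against the mask.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Set of flag names whose bit is set in a userAccountControl value."""
    return {name for name, bit in UAC.items() if value & bit}


def uac_filter(*flags):
    """LDAP filter for user objects that have every one of the given flags set."""
    mask = 0
    for flag in flags:
        mask |= UAC[flag]
    return (f"(&(objectCategory=Person)(objectClass=User)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))")


def dsquery_command(*flags):
    """The dsquery one-liner for those flags, in the form used on this page."""
    return f'dsquery * domainroot -filter "{uac_filter(*flags)}" -limit 0'


# Constructed sample: sAMAccountName -> userAccountControl
SAMPLE = {
    "alice": 0x200,          # NORMAL_ACCOUNT only
    "svc-backup": 0x10220,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD
    "bob": 0x202,            # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "legacy-app": 0x400220,  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH | PASSWD_NOTREQD
}

CHECKS = [
    ("ACCOUNTDISABLE", "account disabled"),
    ("PASSWD_NOTREQD", "password not required (an empty password is allowed)"),
    ("DONT_EXPIRE_PASSWORD", "password never expires"),
    ("DONT_REQ_PREAUTH", "Kerberos pre-authentication not required"),
]


def audit(accounts=SAMPLE):
    """Accounts with at least one finding -> sorted list of finding texts."""
    findings = {}
    for sam, value in accounts.items():
        flags = decode_uac(value)
        hits = sorted(text for flag, text in CHECKS if flag in flags)
        if hits:
            findings[sam] = hits
    return findings


if __name__ == "__main__":
    for flag in ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "ACCOUNTDISABLE"):
        print(dsquery_command(flag))
    for sam, hits in audit().items():
        print(f"{sam}: {'; '.join(hits)}")
```

Combining flags in uac_filter() ANDs them (an account must carry all of them), which is what the bit-AND rule does with a multi-bit mask; to match any of several flags, use the sibling rule 1.2.840.113556.1.4.804 (bit OR) instead.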

DNS Information

for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do dnscmd %i /info

DNS Zone Detailed information

dnscmd /zoneinfo %userdnsdomain%

Garbage Collection and tombstone

dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=forestRootDomain" -attr garbageCollPeriod tombstoneLifetime

Netsh authorised DHCP Servers

netsh dhcp show server

DSQuery authorised DHCP Servers

dsquery * "cn=NetServices,cn=Services,cn=Configuration,DC=forestRootDomain" -attr dhcpServers

DHCP server information

netsh dhcp server \\DHCP_SERVER show all

DHCP server dump

netsh dhcp server \\DHCP_SERVER dump

WINS server information

netsh wins server \\WINS_SERVER dump

Group Policy Verification Tool

gpotool.exe /checkacl /verbose

AD OU membership

dsquery computer -limit 0

AD OU membership

dsquery user -limit 0

List Service Principal Names

for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do setspn -L %i

Compare DC Replica Object Count

dsastat -s:DC1;DC2;… -b:Domain -gcattrs:objectclass -p:999

Check AD ACLs

acldiag dc=domainTree

NTFRS Replica Sets

for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl sets %i


for /f %i in ('dsquery server -domain %userdnsdomain% -o rdn') do ntfrsutl ds %i

Domain Controllers per site

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)

DNS Zones in AD

for /f %i in ('dsquery server -o rdn') do dsquery * -s %i domainroot -filter (objectCategory=dnsZone)

Enumerate DNS Server Zones

for /f %i in ('dsquery server -o rdn') do dnscmd %i /enumzones

Subnet information

dsquery subnet -limit 0

List Organisational Units

Dsquery OU

ACL on all OUs

for /f "delims=|" %i in ('dsquery ou') do acldiag %i

Domain Trusts

nltest /domain_trusts /v

Print DNS Zones

dnscmd DNSServer /zoneprint DNSZone

Active DHCP leases

for /f %i in (DHCPServers.txt) do for /f "delims=- " %j in ('"netsh dhcp server \\%i show scope | find /i "active""') do netsh dhcp server \\%i scope %j show clientsv5

DHCP Server Active Scope Info

for /f %i in (DHCPServers.txt) do netsh dhcp server \\%i show scope | find /i "active"

Resolve DHCP clients hostnames

for /f "tokens=1,2,3 delims=," %i in (Output from 'Find Subnets from DHCP clients') do @for /f "tokens=2 delims=: " %m in ('"nslookup %j | find /i "Name:""') do echo %m,%j,%k,%i

Find two online PCs per subnet

echo. > TwoClientsPerSubnet.txt & for /f "tokens=1,2,3,4 delims=, " %i in ('"find /i "pc" 'Output from Resolve DHCP clients hostnames'"') do for /f "tokens=3 skip=1 delims=: " %m in ('"find /i /c "%l" TwoClientsPerSubnet.txt"') do if %m LEQ 1 for /f %p in ('"ping -n 1 %i | find /i /c "(0% loss""') do if %p==1 echo %i,%j,%k,%l

AD Subnet and Site Information

dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn siteObject description location

AD Site Information

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn description location -filter (objectClass=site)

Printer Queue Objects in AD

dsquery * domainroot -filter "(objectCategory=printQueue)" -limit 0

Group Membership with user details

dsget group "groupDN" -members | dsget user -samid -fn -mi -ln -display -empid -desc -office -tel -email -title -dept -mgr

Total DHCP Scopes

find /i "subnet" "Output from DHCP server information" | find /i "subnet"

Site Links and Cost

dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -attr cn cost description replInterval siteList -filter (objectClass=siteLink)

Time gpresult

timethis gpresult /v

Check time against Domain

w32tm /monitor /computers:ForestRootPDC

Domain Controller Diagnostics

dcdiag /s:%logonserver% /v /e /c

Domain Replication Bridgeheads

repadmin /bridgeheads

Replication Failures from KCC

repadmin /failcache

Inter-site Topology servers per site

Repadmin /istg * /verbose

Replication latency

repadmin /latency /verbose

Queued replication requests

repadmin /queue *

Show connections for a DC

repadmin /showconn *

Replication summary

Repadmin /replsummary

Show replication partners

repadmin /showrepl * /all

All DCs in the forest

repadmin /viewlist *

ISTG from AD attributes

dsquery * "CN=NTDS Site Settings,CN=siteName,CN=Sites,CN=Configuration,DC=forestRootDomain" -attr interSiteTopologyGenerator

Return the object if KCC Intra/Inter site is disabled for each site

dsquery site | dsquery * -attr * -filter "(|(Options:1.2.840.113556.1.4.803:=1)(Options:1.2.840.113556.1.4.803:=16))"

Find all connection objects

dsquery * forestRoot -filter (objectCategory=nTDSConnection) -attr distinguishedName fromServer whenCreated displayName

Find all connection schedules

adfind -b "cn=Configuration,dc=qraps,dc=com,dc=au" -f "objectcategory=ntdsConnection" cn Schedule -csv

Software Information for each server

for /f %i in (Output from 'Domain Controllers') do psinfo \\%i & filever \\%i\admin$\explorer.exe

Check Terminal Services Delete Temp on Exit flag

for /f %i in (Output from 'Domain Controllers') do reg query "\\%i\HKLM\System\CurrentControlSet\Control\Terminal Server" /v DeleteTempDirsOnExit


For each XP workstation, query the current site and what Group Policy info it has

@dsquery * domainroot
XPProfessional))” -limit 0 -attr cn > Workstations.txt & @For
/f%i in (Workstations.txt) do @ping %i -n 1 >NUL & @if
ErrorLevel0 If NOT ErrorLevel 1 @Echo %i & for /f “tokens=3” %k in
/v DCName | Find /i “DCName””’) do @for /f %m in(‘”nltest /server:%i
/dsgetsite | find /i /v “completedsuccessfully””’) do @echo %i,%k,%m

Information on existing GPOs

dsquery * "CN=Policies,CN=System,domainRoot" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath

Copy all Group Policy .pol files

for /f "tokens=1-8 delims=\" %i in ('dir /b /s \\%userdnsdomain%\sysvol\%userdnsdomain%\policies\*.pol') do @echo copy \\%i\%j\%k\%l\%m\%n\%o %m_%n.pol

Domain Controller Netlogon entries

for /f %i in ('dsquery server -o rdn') do echo %i & reg query \\%i\HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

WINS Statistics

for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show statistics

WINS Record counts per server

for /f "tokens=1,2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show reccount %i

WINS Server Information

for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i show info

WINS Server Dump

for /f "tokens=2 delims=," %i in (WINSServers.txt) do netsh wins server \\%i dump

WINS Static Records per Server

netsh wins server \\LocalWINSServer show database servers={} rectype=1

Find policy display name given the GUID

dsquery * "CN=Policies,CN=System,DC=domainRoot" -filter (objectCategory=groupPolicyContainer) -attr Name displayName

Find empty groups

dsquery * -filter "(&(objectCategory=group)(!member=*))" -limit 0 -attr whenCreated whenChanged groupType sAMAccountName distinguishedName

Find remote NIC bandwidth

wmic /node:%server% path Win32_PerfRawData_Tcpip_NetworkInterface GET Name,CurrentBandwidth

Find remote free physical memory

wmic /node:%Computer% path Win32_OperatingSystem GET FreePhysicalMemory

Find remote system information

SystemInfo /s %Computer%

Disk statistics, including the number of files on the filesystem

chkdsk /i /c

Query IIS web sites

iisweb /s %Server% /query “Default Web Site”

Check port state and connectivity

portqry -n %server% -e %endpoint% -v

Forest/Domain Functional Levels

ldifde -d cn=partitions,cn=configuration,dc=%domain% -l msds-behavior-version,dnsroot,ntmixeddomain,NetBIOSName -p subtree

Forest/Domain Functional Levels

dsquery * cn=partitions,cn=configuration,dc=%domain% -attr msDS-Behavior-Version Name dnsroot ntmixeddomain NetBIOSName

Find the parent of a process

wmic path Win32_Process WHERE Name='notepad.exe' GET Name,ParentProcessId

Lookup SRV records from DNS

nslookup -type=srv _ldap._tcp.dc._msdcs.{domainRoot}

Find when the AD was installed

dsquery * cn=configuration,DC=forestRootDomain -attr whencreated -scope base

Enumerate the trusts from the specified domain

dsquery * "CN=System,DC=domainRoot" -filter "(objectClass=trustedDomain)" -attr trustPartner flatName

Find a DC for each trusted domain

for /f "skip=1" %i in ('"dsquery * CN=System,DC=domainRoot -filter (objectClass=trustedDomain) -attr trustPartner"') do nltest /dsgetdc:%i

Check the notification packages installed on all DCs

for /f %i in ('dsquery server -o rdn') do @for /f "tokens=4" %m in ('"reg query \\%i\HKLM\System\CurrentControlSet\Control\Lsa /v "Notification Packages" | find /i "Notification""') do @echo %i,%m

Anything beyond the default scecli entry deserves a close look: a DLL listed here is loaded into LSASS on the domain controller and is handed every password change in cleartext, which makes this value a classic place for a password-stealing persistence DLL.

List ACLs in SDDL format

setacl -on %filepath% -ot file -actn list -lst f:sddl

Find out if a user account is currently enabled or disabled

dsquery user DC=%userdnsdomain:.=,DC=% -name %username% | dsget user -disabled -dn

Find servers in the domain

dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0

Open DS query window

rundll32 dsquery,OpenQueryWindow


Don't rejoin to fix "the trust relationship between this workstation and the primary domain failed"

Copied from here:


If you Google "the trust relationship between this workstation and the primary domain failed", you get plenty of information from support blogs and Microsoft articles; however, most of them ask you to rejoin your machine to the domain. That's not always possible.

The underlying problem when you see this error is that the machine you are trying to access can no longer communicate securely with the Active Directory domain to which it is joined. The machine's private secret no longer matches the value stored on the domain controllers. You can think of this secret as a password, because that is what it is: the computer account's password, kept locally by the Local Security Authority (the $MACHINE.ACC LSA secret) and used to derive the machine's Kerberos keys. When you try to access this machine with a domain account, the service ticket you present was encrypted by the domain controller under the key it holds for the computer, and the machine cannot decrypt it with its stale key. I think you can also come across this error if for some reason the system time on the machine is out of sync with the system time on the domain controller. This solution also fixes that problem.

This problem can be caused by various circumstances, but I most commonly run into it when I reset a virtual machine to a system snapshot that I made months or even years before.  When the machine is reset, it is missing all of the automatic password changes that it executed against the domain controller during the intervening months.  The password changes are required to maintain the security integrity of the domain.


Support blogs and Microsoft will generally tell you to rejoin the domain to restore the trust relationship.  Another option they will give is to delete the computer object and recreate it without a password and rejoin.

Microsoft support article on the topic:

I’m not a fan of any of these options.  This seems heavy handed and sometimes they aren’t even possible.

Recently, when I ran into this problem, the virtual machine that reset was an enterprise certificate authority joined to my test domain.  Well, guess what, Microsoft will not allow you to rename or unjoin a computer that is a certificate authority—the button in the computer property page is greyed out.  There may be another way to unjoin but I wasn’t going to waste time on it when it isn’t even necessary.

Just change the computer account password using netdom.exe!

netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = an account, in DOMAIN\User format, with rights to reset the computer account's password

On Windows 7 / Windows Server 2008 R2 and later, the PowerShell cmdlet Test-ComputerSecureChannel -Repair -Credential DOMAIN\User does the same reset without needing netdom.exe.

Here are the full steps:

  1. You need to be able to get onto the machine. I normally just log in with the local Administrator account by typing ".\Administrator" in the logon window. I hope you remember the password. If you're creative and resourceful you can hack your way in without the password. Another option is to unplug the machine from the network and log in with a domain user. You will be able to do disconnected authentication, but in the case of a reset machine, remember that you may have to use an old password. Your domain user's cached credential has the same problem as the machine's private secret.
  2. You need to make sure you have netdom.exe. Where you get netdom.exe depends on what version of Windows you're running. Windows Server 2008 and Windows Server 2008 R2 ship with netdom.exe; you just have to enable the Active Directory Domain Services role. On Windows Vista and Windows 7 you can get it from the Remote Server Administration Tools (RSAT). Google can help you get them. For other platforms see this link:
  3. Extra steps if the machine is a domain controller. If the broken machine is a domain controller it is a little bit more complicated, but still possible to fix the problem. I haven't done this for a while, but I think this works:
    1. Turn off the Kerberos Key Distribution Center service. You can do this in the Services MMC snap-in. Set the startup type to Manual. Reboot.
    2. Remove the Kerberos ticket cache. A reboot will do this for you, or you can remove them using KerbTray.exe. You can get that tool here:
    3. Post-change steps. Do these in conjunction with 5 below. Turn the Kerberos Key Distribution Center service back on before rebooting. You should reboot the domain controller and then force replication in the Active Directory Sites and Services MMC snap-in.
  4. Run netdom.exe to change the password.
    1. Open an administrative command prompt. On Windows platforms with UAC enabled, you will need to right-click on cmd.exe and select "Run as administrator".
    2. Type the following command: netdom.exe resetpwd /s:<server> /ud:<user> /pd:*
  5. Reboot the machine.

Here is more information on netdom.exe:


I hope this is helpful.  This problem comes up every few months for me, so I wanted to document it for my own use.  It is difficult to find when you just search for the error you get in the login window.


Connection via Cisco VPN Client stops local DNS resolution

Reprint from here…
If you use the Cisco VPN Client with Windows XP, you may have noticed that all of your DNS requests go via the VPN, rather than the local network. You can test which DNS server you are using through the use of the NSLOOKUP command. The Cisco VPN Client creates a disabled Local Area Connection, to which it assigns null values until connected. When you connect using the client this connection profile becomes enabled and is set with the appropriate DNS, WINS, gateway and IP address from the other end of the VPN, usually by a DHCP server. By default when you install the client the priority of the Cisco VPN connection is higher than the default local connection assigned to your ethernet NIC or wireless card and it is this that causes two major problems for users:

  1. You cannot connect to local named servers, but you can access them by IP. The only common workaround suggested for this (see Google Groups) is to manually add them to your HOSTS file. This is not a solution that you could widely roll out to a network of users, and is a dirty hack.
  2. Your DNS resolution is SLOW. This is because your request has to go to the DNS server at the other end of the VPN, before being returned to you locally, whereby it sends you out over your local LAN to the internet as normal via your broadband router.

To test which DNS server you are using by default when connected normally, first disconnect from the VPN client and pop open a command window:

  • Start -> Run -> type “cmd”
  • type “nslookup”.

You’ll see something along the lines of:

C:\Documents and Settings\Administrator>nslookup
Default Server:


Type “exit” and then open up your Cisco VPN Client, connect via VPN, and repeat the NSLOOKUP command. You’ll see the change to your default DNS server:

C:\Documents and Settings\Administrator>nslookup
Default Server:


Now all DNS requests will go through the VPN, and not your local router. Slow and pointless (security caveats aside). Why does the Cisco VPN Client change this, and can we alter it at the client level? We don’t really want to bother our over worked Cisco technician back in the office, and often he’s an expensive contract resource anyway.

Most importantly why does the Cisco VPN Client connection always seem to have a higher priority than the standard local ethernet connection or wireless connection under Windows XP? My initial thought was that Cisco designed it to be this way, and there was no way to change it, but now I believe that the simple answer is one of installation order. Hence, as the connections are installed, the last one to be installed seems to be given the highest priority. Someone more knowledgeable with XP networking might be able to clarify this.
Whether or not this is true, the fix is to change the priority of the connections. A bit of digging around gives you some advanced settings for network connections:

  • Start -> Control Panel -> Network Connections
  • Then under the menu option Advanced -> Advanced Settings
  • Change the priority of your default local connection, to be above that of the Cisco VPN Client. The Cisco VPN Client often installs for most people as “Local Area Connection 2”.

Now try the NSLOOKUP command again. You’ll see something along the lines of:

C:\Documents and Settings\Administrator>nslookup
Default Server:


You’re back to using your local DNS server, but still connected to the VPN. Problem solved. Nice! You should now be able to see your local servers inside your LAN by name, plus general browsing should be faster.
Some caveats:

  1. There may be security considerations to allowing DNS requests via the local LAN rather than the VPN. The resolver works down the list of DNS servers in binding order, so a query for an internal corporate name now goes first to the local LAN's resolver, which forwards it out to the internet as a normal unencrypted DNS query. Internal hostnames, and with them something about the private LAN's layout, are therefore disclosed to whoever runs or can observe that resolver.
  2. I’m using an up-to-date-patched version of Windows XP Professional SP2
  3. I’m using the Cisco Client 4.0.4. Newer versions have given me grief.
  4. In the properties of the VPN profile in question (Cisco VPN Client -> Connection Entry -> Modify) the Transport tab has the option "Allow Local LAN Access" checked.
  5. This may also be a solution for other VPN clients, but I haven’t tried it.