Troubleshooting Windows 2000 AD Installation

Because this article is really very long, readers will just have to read through it slowly on their own :)

SUMMARY

Some common issues that you may encounter with Active Directory installation and configuration can cause a partial or complete loss of functionality in Active Directory. These issues may include, but not be limited to:
Domain Name System (DNS) configuration errors
Network configuration problems
Difficulties when you upgrade from Microsoft Windows NT
This article describes how to troubleshoot Active Directory issues by identifying common configuration issues. For more information about any of the issues described in this article, consult the Help system in Windows 2000, and the Deployment Planning Guide, which is located on the following Microsoft Web site:
http://www.microsoft.com/windows2000/library/resources/reskit/dpg/default.asp
Chapter 9 of the Deployment Planning Guide describes the design of the Active Directory structure, which is essential to a successful Windows 2000 Active Directory deployment. Chapter 9 of the Deployment Planning Guide is available on the Internet at the following Microsoft Web site:
http://www.microsoft.com/windows2000/library/resources/reskit/dpg/chapt-9.asp

MORE INFORMATION

Consider the following items when you are investigating Active Directory Setup issues.

Domain Name System (DNS)

You must configure DNS correctly to ensure that Active Directory will function properly. For a more in-depth treatment of DNS configuration for Active Directory, see the following Microsoft Knowledge Base article:
237675 (http://support.microsoft.com/kb/237675/EN-US/) Setting Up the Domain Name System for Active Directory
Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS entries will be registered correctly:
DNS IP configuration
Active Directory DNS registration
Dynamic zone updates
DNS forwarders
DNS IP Configuration
An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server. To view the current IP configuration, open a command window and type ipconfig /all to display the details. You can modify the DNS configuration by following these steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as follows:
a. Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if no dedicated DNS server will be configured.
b. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).
c. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain name.
d. Verify that the Register this connection's addresses in DNS check box is selected.
5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.
Start the DNS Management console. There should be a host record (an "A" record in Advanced view) for the computer name. There should also be a Start of Authority (SOA in Advanced view) record pointing to the domain controller (DC) as well as a Name Server record (NS in Advanced view).
Active Directory DNS Registration
The Active Directory DNS records must be registered in DNS. The DNS zone can be either a standard primary or an Active Directory-integrated zone. An Active Directory-integrated zone is different from a standard primary zone in several ways. An Active Directory-integrated zone provides the following benefits:
The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS replication to create multiple masters, and it allows any DNS server to accept updates for a directory service-integrated zone. Using Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.
Secure dynamic updates are integrated with Windows security. This allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from obtaining existing names from DNS.
Use the following steps to ensure that DNS is registering the Active Directory DNS records:
1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone, click Properties, and then verify that Allow Dynamic Updates is set to Yes.
4. Four folders with the following names are present when DNS is correctly registering the Active Directory DNS records. These folders are labeled:
_msdcs
_sites
_tcp
_udp
If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.
To repair the Active Directory DNS record registration:
Check for the existence of a Root Zone entry. View the Forward Lookup zones in the DNS Management console. There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".") zone. If the dot (".") zone exists, delete the dot (".") zone. The dot (".") zone identifies the DNS server as a root server. Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root DNS server.

The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot ("."). The Netlogon service may also need to be restarted. Further details about this step are listed later in this article.
Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command prompt, type netdiag /fix.

To install the Windows 2000 Support tools:
1. Insert the Windows 2000 CD-ROM.
2. Browse to Support\Tools.
3. Run Setup.exe in this folder.
4. Select a typical installation. The default installation path is Systemdrive:\Program Files\Support Tools.
After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS records should then be listed.

NOTE: The server may need to reregister its IP configuration (by using Ipconfig) after you run Netdiag. The Netlogon service may also need to be restarted.

If the Active Directory DNS records do not appear, you may need to manually re-create the DNS zone.

Manually re-create the DNS zone:
1. Start the DNS Management console.
2. Right-click the name of the zone, and then click Delete.
3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. The New Zone Wizard starts. Click Next to continue.
6. Click the appropriate zone type (either Active Directory-integrated or Standard primary), and then click Next.
7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.
8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to finish the New Zone Wizard. The newly created zone appears in the DNS Management console.
9. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to Yes.
10. At a command prompt, type net stop netlogon, and then press ENTER. The Netlogon service is stopped.
11. Type net start netlogon, and then press ENTER. The Netlogon service is restarted.
12. Refresh the view in the DNS Management console. The Active Directory DNS records should be listed under the zone.
If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace. If you suspect that there is a disjointed DNS namespace, see the "Disjointed DNS Namespace" section in this article.
Dynamic Zone Updates
Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can configure this by right-clicking the name of the zone, and then clicking Properties. On the General tab, the Allow Updates setting should be set to Yes, or for an Active Directory-integrated zone, either Yes or Only secure updates. If dynamic updates are not allowed, all host registration must be completed manually.
DNS Forwarders
To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers. To configure forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.

NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone (usually identified by a zone named only with a period, or dot (".")). You must delete this zone to enable the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server, you can use a root zone entry.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.
For more troubleshooting information about DNS configuration for Active Directory, see the following Microsoft Knowledge Base articles:
249868 (http://support.microsoft.com/kb/249868/) Replacing Root Hints with the Cache.dns File
237675 (http://support.microsoft.com/kb/237675/EN-US/) Setting Up the Domain Name System for Active Directory
241505 (http://support.microsoft.com/kb/241505/) SRV Records Missing After Implementing Active Directory and DNS
241515 (http://support.microsoft.com/kb/241515/EN-US/) How to Verify the Creation of SRV Records for a Domain Controller

Network Configuration

You must configure specific network components properly to ensure proper operation of Active Directory on the network, and to ensure that computers will be able to join the domain.
File and Printer Sharing Must Be Enabled
If the File and Printer Sharing component is disabled on the Windows 2000-based domain controller, error messages occur when attempts are made to join the domain. For more information, see the following Microsoft Knowledge Base article:
254680 (http://support.microsoft.com/kb/254680/) DNS Namespace Planning
Note that there are situations in which it is preferable to disable File and Printer Sharing on a Windows 2000-based computer, for example, when the computer is accessible over the Internet. In this case, you should disable File and Printer Sharing only on the network adapter that is accessible on the Internet.
NetBIOS over TCP/IP Must Be Enabled for Other Clients
If clients that are not running Windows 2000 (for example, clients that are running Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows NT) will participate in the Active Directory domain, they should be able to perform NetBIOS name resolution. NetBIOS name resolution does not work if NetBIOS over TCP/IP is disabled.
258500 (http://support.microsoft.com/kb/258500/) Error Message When Attempting to Join a Windows 2000 Domain

Upgrade Installation Considerations

Earlier (Legacy) DNS Server
DNS servers that run Windows NT 4.0 cannot dynamically register the Active Directory DNS records. The best solution in this case is to install DNS on the Active Directory domain controller to ensure that Active Directory DNS records will be registered for the domain.
Disjointed DNS Namespace
You must configure the correct DNS suffix information before you begin a Windows 2000 upgrade installation. You cannot change the server name and DNS domain information after Active Directory is installed.

To configure the DNS suffix information in Windows NT before you upgrade the computer to a Windows 2000-based Active Directory domain controller:
1. Right-click Network Neighborhood, and then click Properties.
2. Click the Protocols tab, click TCP/IP Protocol, and then click Properties.
3. Click the DNS tab.
4. In the Domain box, type the complete Active Directory domain name.
5. Click Apply, and then click OK.
6. Click OK to quit the Network tool.
7. Restart the computer.
8. To verify the settings, open a command window, and then type ipconfig /all. The Host Name line shows the fully qualified domain name.
If you must change the DNS domain information after you install Active Directory, you must run the Dcpromo utility on the computer to remove it from the domain and make it a stand-alone server.

To determine if a disjointed namespace exists on an existing Windows 2000-based domain controller:
1. Right-click My Computer, and then click Properties.
2. Click the Network Identification tab.
3. Compare the DNS suffix section of the full computer name to that of the domain name listing. The full computer name reads as follows: hostname.dns_suffix. These two entries should contain identical suffix information.
If these two entries do not contain identical suffix information, a disjointed DNS namespace exists. This condition prevents proper registration of any Active Directory DNS records.
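
The checks from the "DNS IP Configuration" and "Disjointed DNS Namespace" sections can also be run over captured ipconfig /all output. The following is an added example, not part of the original article: the sample output, the domain corp.example.com and the function names are constructed for illustration, and it assumes the domain controller hosts DNS itself.

```python
import re

# Constructed sample of `ipconfig /all` output; names and addresses are invented.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc1
        Primary DNS Suffix  . . . . . . . : corp.example.com

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : corp.example.com
        IP Address. . . . . . . . . . . . : 10.0.0.5
        DNS Servers . . . . . . . . . . . : 10.0.0.5
                                            192.0.2.53
"""

def parse_ipconfig(text):
    """Map each label to its values; unlabelled indented lines continue the previous label."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)[ .]+:\s*(.*)$", line)
        if m:
            last = m.group(1)
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
        elif last and line[:1].isspace() and line.strip():
            fields[last].append(line.strip())   # e.g. a second DNS server
        else:
            last = None                         # blank line or section header
    return fields

def check_dc_dns(text, ad_domain):
    """Return a list of findings; an empty list means the checks passed."""
    f = parse_ipconfig(text)
    norm = lambda name: name.lower().rstrip(".")
    findings = []
    # A DNS-hosting domain controller must list its own address as a DNS server.
    if not set(f.get("IP Address", [])) & set(f.get("DNS Servers", [])):
        findings.append("DNS servers do not include this server's own IP address")
    # Disjointed namespace: the computer's DNS suffix differs from the domain name.
    suffix = (f.get("Primary DNS Suffix") or [""])[0]
    if norm(suffix) != norm(ad_domain):
        findings.append("disjointed namespace: suffix %r, domain %r" % (suffix, ad_domain))
    # The connection suffix, when set, should match too (blank is not flagged here).
    conn = (f.get("Connection-specific DNS Suffix") or [""])[0]
    if conn and norm(conn) != norm(ad_domain):
        findings.append("connection DNS suffix %r differs from the domain" % conn)
    return findings
```

An empty result from check_dc_dns(SAMPLE_IPCONFIG, "corp.example.com") means both checks pass; any finding points back to the corresponding repair steps in this article.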

Note The only supported method to recover from a disjointed namespace is to use Dcpromo to remove the computer from the domain and make it a stand-alone server. You can then correct the DNS namespace information and run Dcpromo again to promote the computer back to a domain controller.

Warning Exercise caution if you determine that this process is necessary on an existing Windows 2000-based domain. The process of running Dcpromo to remove the computer from a domain, and then re-creating an Active Directory domain results in a total loss of all the computer account information and user account information for the domain. You must manually re-create all user account information and computer account information after using this process.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
258832 (http://support.microsoft.com/kb/258832/) Cannot Join Windows 2000 Client to a Windows NT Domain