Some troubleshooting in DC/AD

Some troubleshooting in DC/AD to save some lifetime...

1. Cannot set an AD user password

"The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements"
Resolution: relax the strong password policy (the Default Domain Policy password settings apply domain-wide).
    1) In gpmc.msc, expand the target domain, edit the Default Domain Policy and navigate to:
    Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
    disable 'Password must meet complexity requirements'
    set 'Minimum password length' to 0
    2) Then go to the command line and type:
    gpupdate /target:computer /force

2. Active Directory service does not start after reboot
  1) running the cmd 'netdiag /test:ldap' shows 'no such domain'/'service not started'...
  2) check the log; you will find that DS cannot start after reboot and 'Netlogon service is paused'
  3) start regedit, go to HKLM->System->CurrentControlSet->Services->NTDS->Parameters and delete the 'Dsa Not Writable' value
  4) damned reboot

3. Cannot create AD user/group
  "Cannot create the object because directory service was unable to allocate a relative identifier".
  1) run the cmd 'dcdiag /test:ridmanager /v'; it may show 'cannot contact to ridmanager' or 'less than x% rid'
  2) causes:
      1] the DC cannot contact the RID manager,
      2] or the RID manager service does not work well.
  3) Resolution:
      1] check the network and service connectivity between the current machine and the RID master, aka the RID manager service provider; find its address with the cmd 'netdom query fsmo'
      2] if your DC has been isolated from a forest, that is, the local machine will never contact the RID master, you may need to
      seize the RID master FSMO role to the local machine:
      http://technet.microsoft.com/en-us/library/cc784077%28v=ws.10%29.aspx
      besides, you may also need to seize the PDC, domain naming and schema master roles.
      3] check the seizure with 'netdom query fsmo'; then, if there is still 0% RID left, you should clean up the dead replication links and do a metadata cleanup of the dead info for the other DCs:
      http://support.microsoft.com/kb/839879
      4] always needs a reboot in f**ked Windows
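
Added example (not part of the original post): a small Python parser for the 'dcdiag /test:ridmanager /v' output from step 1) that flags the two causes listed in step 2). The sample output, host names and the 2% threshold are constructed assumptions, and the line layout is modeled on typical dcdiag verbose output.

```python
import re

# Constructed sample modeled on typical `dcdiag /test:ridmanager /v` output;
# host names and numbers are made up. The line layout is an assumption.
SAMPLE = """\
   Starting test: RidManager
      * Available RID Pool for the Domain is 2603 to 1073741823
      * dc01.corp.example is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 2103 to 2602
      * rIDPreviousAllocationPool is 1603 to 2102
      * rIDNextRID: 2100
      ......................... DC02 passed test RidManager
"""

def _range(label, text):
    """Return (low, high) from a '<label> is <low> to <high>' line, or None."""
    m = re.search(rf"\b{label} is (\d+) to (\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(text, min_pct=2.0):  # min_pct is an assumed alert threshold
    """Summarise RID health for one DC and list the problems from section 3."""
    master = re.search(r"\*\s+(\S+) is the RID Master", text)
    nxt = re.search(r"rIDNextRID:\s*(\d+)", text)
    info = {
        "rid_master": master.group(1) if master else None,
        "bind_ok": "DsBind with RID Master was successful" in text,
        "in_use": _range("rIDPreviousAllocationPool", text),  # pool being consumed
        "standby": _range("rIDAllocationPool", text),         # pool to use next
        "pct_left": None,
        "problems": [],
    }
    if not info["bind_ok"]:
        info["problems"].append("cannot contact RID master")
    if info["in_use"] and nxt:
        lo, hi = info["in_use"]
        left = max(hi - int(nxt.group(1)), 0)
        info["pct_left"] = round(100.0 * left / (hi - lo + 1), 1)
        # Running low only matters if no fresh pool is waiting on this DC.
        no_standby = info["standby"] in (None, info["in_use"])
        if info["pct_left"] < min_pct and no_standby:
            info["problems"].append("local RID pool nearly exhausted")
    return info

if __name__ == "__main__":
    print(assess(SAMPLE))
```
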

4. Cannot pass authentication in the child domain with a parent domain user/password, and vice versa.
  in the log you can find the Kerberos error:
  "Decrypt integrity check failed"
  the reason is here:
  http://www.faqs.org/faqs/kerberos-faq/general/section-73.html
  Do you know what it says, and how to resolve it?
  If yes, please do teach me, I would be much grateful!
  If not, follow me to rebuild the child domain:
  1) remove the child domain
  on the child domain DC machine, run the cmd 'dcpromo' and go on; if it fails, do 'dcpromo /forceremoval'
  2) remove the trust and metadata from the parent domain
  on the parent domain DC machine,
  1] remove the trust to the child domain in 'Domain services and trusts'
  2] do a metadata cleanup for the child servers/domains; if it fails, do the naming context cleanup:
  http://support.microsoft.com/kb/887424
  the 'domain management' subcmd here has a marvellous new name in Win2k8: 'partition management'!
  3) recreate the child domain and set its DNS server

  create child domain:
  http://technet.microsoft.com/en-us/library/cc787706%28v=ws.10%29.aspx

  DNS settings:
  http://support.microsoft.com/kb/255248

  if you get "The source server is currently rejecting replication requests.", go to the parent domain and run the cmds:
  repadmin /options servername -disable_inbound_repl
  repadmin /options servername -disable_outbound_repl
  to enable the replication (the leading '-' clears the option).

