The previous article talked about how to perform the Active Directory health check. This article mainly lists several examples of Active Directory troubleshooting.
1. Event ID 1864 error
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 20:19:22
Event ID: 1864
Task Category: Replication
Level: Error
Keywords: Classic
User: ANONYMOUS LOGON
Computer: dc01.contoso.com
Description:
This is the replication status for the following directory partition on this directory server.
Directory partition:
DC=ForestDnsZones,DC=contoso,DC=com
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours: 5
More than a week: 2
More than one month: 1
More than two months: 0
More than a tombstone lifetime: 0
Tombstone lifetime (days): 180
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated within a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
Solution
1. Under HKLM\System\CurrentControlSet\Services\NTDS\Parameters, set "Allow Replication With Divergent and Corrupt Partner" to 1.
2. Restart the DC after the registry value is modified.
3. Open Active Directory Sites and Services and force replication on all DCs.
A. In Active Directory Sites and Services, expand Sites, the site that contains the connection used to replicate the directory information, Servers, the server, and then NTDS Settings.
B. In the details pane, right-click the connection used to replicate the directory information, and then click "Replicate Now".
4. Run "repadmin /showrepl" at the DC command prompt to check whether replication between the DCs is normal.
2. There are two Windows Server 2003 domain controllers, A and B, where B acts as a backup domain controller. When AD replication from A to B is run manually, the following prompt appears. Server A and server B can reach each other and DNS resolution appears to be normal, but the AD data on server A and server B is no longer synchronized.
[Screenshot of the error prompt]
A. First, check whether the DC can connect to a GC: use the nslookup command to resolve the GC's SRV records. For details, refer to:
http://support.microsoft.com/?id=816587
B. On the DC that has not replicated for a long time, run net time /set /y to synchronize the DC's time with the PDC.
C. Run the following command on the DC that has not been started for a long time:
repadmin /removelingeringobjects servername serverguid directorypartition /advisory_mode
Note: servername is the DNS name of the DC that has not been started for a long time, serverguid is the GUID of the DC, and directorypartition is the partition name, similar to DC=example,DC=com.
Run the following command to determine the DC GUID:
repadmin /showrepl servername
D. Run regedit.exe to edit the registry and locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Set Strict Replication Consistency to 1.
Note: Before making changes to the registry, back it up. Improper use of the Registry Editor may cause serious problems that may require reinstalling the operating system. Microsoft does not guarantee that it can solve problems caused by improper use of the Registry Editor. Use the Registry Editor at your own risk.
E. Perform the following operations on both DC servers:
Run regedit and find "Allow Replication With Divergent and Corrupt Partner" under HKLM\System\CurrentControlSet\Services\NTDS\Parameters. Set this value to 1.
If it does not exist, create "Allow Replication With Divergent and Corrupt Partner" manually. The data type is DWORD.
After completing the preceding operations, restart the DC and check the DC replication status.
F. After restarting the two DC servers, the replication is normal.
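A follow-up check for both cases above, as an added example that is not part of the original article: a PowerShell script, run on a DC, that reports the two NTDS registry values and lists replication links with failures from repadmin /showrepl. The function names are hypothetical and repadmin is assumed to be on the path. "Allow Replication With Divergent and Corrupt Partner" is flagged when it is still 1, because Microsoft's guidance is to set it back to 0 once replication has recovered.

```powershell
# Added example: audit the NTDS settings and replication state discussed above.
# Function names are hypothetical; run in an elevated session on a DC.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsReplicationSetting {
    # Read both values; a value that does not exist is reported as $null.
    $props = Get-ItemProperty -Path $NtdsKey -ErrorAction Stop
    foreach ($name in 'Strict Replication Consistency',
                      'Allow Replication With Divergent and Corrupt Partner') {
        [pscustomobject]@{ Name = $name; Value = $props.$name }
    }
}

function Get-FailedReplicationLink {
    # repadmin /showrepl * /csv emits one row per inbound replication link.
    # Rows not marked showrepl_INFO are repadmin errors (for example an
    # unreachable DC) and are kept so they are not silently dropped.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object {
        $_.showrepl_COLUMNS -ne 'showrepl_INFO' -or
        $_.'Number of Failures' -match '^[1-9]\d*$'
    } | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

$settings = @(Get-NtdsReplicationSetting)
$settings | Format-Table -AutoSize

$divergent = $settings | Where-Object { $_.Name -like 'Allow*' }
if ($divergent.Value -eq 1) {
    Write-Warning 'Divergent/corrupt partner replication is still allowed; set it back to 0 once replication has recovered.'
}

$strict = $settings | Where-Object { $_.Name -like 'Strict*' }
if ($strict.Value -ne 1) {
    Write-Warning 'Strict Replication Consistency is not 1; lingering objects can replicate back in.'
}

$failed = @(Get-FailedReplicationLink)
if ($failed.Count -eq 0) {
    'No replication failures reported.'
} else {
    $failed | Format-Table -AutoSize
}
```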
This article is from the "fly_eagle" blog, please be sure to keep this source http://liuying1001.blog.51cto.com/3323507/1529585