Common Error-Debugging Tools for AD

Source: Internet
Author: User
Part One: Debugging tools

1. Enable NTDS diagnostic logging: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. The value range is 0-3 (3 is the upper limit); the output can be viewed in Event Viewer under Directory Service. At the higher levels the log volume is quite large, so adjust the log file size with care.

2. Dcdiag: dcdiag /v (verbose output) /c (comprehensive, runs all tests) /a (tests all DCs in the site).

3. Netdom: domain and trust relationship management for clients. Examples: netdom query, netdom query fsmo. 5%-10% of errors are due to an incorrect understanding of the network structure.

4. Netdiag. Example: netdiag /debug > netdiag041218.txt (the /debug parameter gives the most detailed record), then notepad netdiag041218.txt. 5% of errors are caused by network configuration.

Part Two: Three common faults in AD maintenance
I. DNS configuration-related failures

1. Summary: In AD, DNS plays the role of signpost and guide; at least 50% of AD faults originate from DNS. The most important DNS records are the SRV records rather than the A records. Example of an SRV record:

_ldap._tcp.dc._msdcs.xyz.com. 600 IN SRV 0 389 dcserver1.xyz.com.

When a user logs on to the domain, the DNS server is used to find a DC. The _msdcs zone contains the service records of all DCs; it is what locates the domain controllers and the global catalog servers. If there are multiple domains in Windows 2000, there is only one such zone, in the root domain, and none in the subdomains.

2. Verification and repair tools:
(1) Use nslookup to check the integrity of the DNS records.
(2) If a DNS record is missing, either A. restart the Net Logon service, or B. run nltest.exe /dsregdns (available after installing the Support Tools).
Note the DNS configuration requirements: allow dynamic updates, keep the zone name consistent with the AD domain name, and configure the DNS domain name suffix on the DNS server itself.

3. Demo: verifying and repairing a DNS failure. In 2003 the _msdcs zone exists as an independent zone. If logging on to the domain is very slow, 90% of the time DNS is the problem.
(1) If records are missing: stop and then start the Netlogon service. In fact the service re-registers its records every time the machine shuts down and restarts.
(2) If the zone itself is missing, create it anew. If a deletion during this process is refused, it may be because the state of the multiple DCs is not yet synchronized; just wait a moment. In a multi-domain environment the _msdcs zone must be created separately, otherwise only the DCs of this domain can be found and the GC servers of the other domains in the forest are not.
(3) nltest.exe /dsregdns: fast and does not affect users.
From a security perspective it is best to configure DNS as an Active Directory integrated zone; 2003 adds a conditional forwarding feature.
II. Replication failures between DCs

1. NT4 used one-way replication (PDC -> BDC), which had many drawbacks. Content replicated between DCs: (1) directory service replication: primarily database replication (AD objects, including users, computers, etc.); (2) File Replication Service (FRS): the SYSVOL folder, including Group Policy objects.

2. Debugging tools:
(1) AD Replication Monitor (graphical tool): A. check AD replication; B. graphically display the replication topology; C. force replication.
(2) Command-line tool repadmin: A. diagnose replication failures between DCs; B. confirm replication partners; C. confirm the replication source of an Active Directory object; D. force replication.
The SYSVOL shared folder is replicated between DCs by the File Replication Service: (1) Netlogon share: logon scripts and system policies for lower-version clients; (2) SYSVOL share: Group Policy for Windows 2000 and later clients; if it fails to replicate, Group Policy distribution is unsuccessful. Command-line debugging tool: Ntfrsutl.

3. Common replication failures:
(1) Access denied: clocks are not synchronized, or network failure.
(2) DNS lookup failure; the DSA operation cannot continue.
(3) The operation is queued, or no replication link is displayed.
(4) Replication access is denied, or the naming context is being deleted.
(5) Duplicate connection objects exist between sites.
(6) Group Policy is applied inconsistently across multiple domain controllers.
(7) The directory service is too busy to complete the operation.
For 3-7 the recommendation is to wait a while; they generally resolve automatically.

4. Demo: using tools to diagnose replication failures.
(1) The ring replication topology is usually generated automatically in AD; the replication interval between domain controllers is 5 minutes, and synchronization among 3 DCs takes approximately 15 minutes (on 100M Ethernet). It is operated using Sites and Services.
(2) If replication does not succeed, use the Replication Monitor tool to control it: force replication, display the replication topology, check whether the operations master roles are working correctly, view the USN (update sequence number) of the replicated object, and look at errors in the replication process.
(3) Dsastat.

III. Operations master roles (FSMO)
1. When the operations master role needs to be transferred.
2. Determining the operations master role owners: graphical tools and Ntdsutil.
3. Transfer modes: transfer (online transfer) and seize (forced transfer).
4. Transfer tools: graphical tools (AD Users and Computers, AD Domains and Trusts, AD Schema).
5. Transferring FSMO roles from the command line with Ntdsutil.exe:
roles
connections
connect to server servername
quit
transfer <role> (or seize <role>), where the role is one of: PDC, RID master, infrastructure master, schema master, domain naming master
quit
Use transfer rather than seize wherever possible. servername is the server that is about to become the operations master role holder. In graphical mode you likewise need to connect to the other domain controller before you can change the operations master role.

Part III: Troubleshooting case study
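The Ntdsutil sequence above, scripted so that each menu command is passed as one argument and the result is confirmed with netdom query fsmo. This is an added example, not code from the original article; it assumes a Domain Admin session on a DC with ntdsutil and the Support Tools (netdom) installed, and $TargetDc is a placeholder for the server that should receive the role.

```powershell
# Added example (not part of the original article): script the Ntdsutil transfer
# sequence and confirm the holders before and after with "netdom query fsmo".
# Assumptions: run as a Domain Admin on a DC with ntdsutil.exe and netdom.exe
# available; $TargetDc is a placeholder for the server that will receive the role.
param(
    [string]$TargetDc = 'DC2',   # placeholder: the DC that should become the role holder
    # ntdsutil role tokens: 'PDC', 'RID master', 'infrastructure master',
    # 'schema master', 'naming master' (the domain naming master)
    [string]$Role     = 'PDC'
)

function Get-FsmoHolders {
    # Parses "netdom query fsmo" output lines such as "PDC    DC1.xyz.com"
    # (role name, two or more spaces, holder) into a role -> holder table.
    $holders = @{}
    foreach ($line in (& netdom.exe query fsmo)) {
        if ($line -match '^(?<role>\S.*?\S)\s{2,}(?<holder>\S+)$') {
            $holders[$Matches.role] = $Matches.holder
        }
    }
    return $holders
}

'Role holders before:'
(Get-FsmoHolders).GetEnumerator() | Format-Table Name, Value -AutoSize

# Each quoted argument is one ntdsutil menu command; "quit" backs out of each menu.
# transfer is used, not seize: seize is only for a holder that is permanently gone.
# ntdsutil still asks for confirmation before changing the role.
& ntdsutil.exe 'roles' 'connections' "connect to server $TargetDc" 'quit' "transfer $Role" 'quit' 'quit'

'Role holders after:'
(Get-FsmoHolders).GetEnumerator() | Format-Table Name, Value -AutoSize
```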
1. AD problems generally fall into four levels: network problems; Active Directory support services (DNS/WINS etc.); Active Directory replication problems; and causes specific to individual domain controllers.

2. Typical cases:

Case (1): Time source synchronization problems.
(2) Problem background: when users log on or access the server, the prompt "Access denied due to time difference" often appears.
Problem resolution: With the Kerberos protocol, which replaces the original NTLM protocol, all computers (clients and servers) automatically use the PDC emulator of the root domain as the time server, and the W32Time service calibrates the clock on a fixed cycle: starting at computer startup, it tries to contact the time server at 45-minute intervals and synchronize the clock; if synchronization succeeds, it synchronizes at 8-hour intervals; if it fails, it starts trying to synchronize the clock again. To ensure that the time server works properly, it is recommended to set an external time source on the PDC emulator of the root domain, pointing to a time server on the Internet, and to ensure that the Windows Time service starts correctly on the other computers. Specific requirements: the time difference between DCs cannot exceed 5 minutes, and the difference between a client and a DC cannot exceed 30 minutes.
Root cause: the Kerberos protocol requires computer clocks to be synchronized. After analysis it was found that when the client computer started an application, its clock was calibrated at startup to that application's server (a UNIX computer), and that server's clock differed from the DC by about 45 minutes. The domain controller clock was synchronized with that server, and it was recommended that both be set to the same time source.
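One way to check the limits this case states (5 minutes between DCs, 30 minutes between a client and a DC) and to apply its recommendation of an external time source on the PDC emulator, using w32tm. This is an added example, not code from the original article; it assumes it is run on the root-domain PDC emulator, and the computer names and the time.windows.com peer are placeholders.

```powershell
# Added example (not part of the original article): measure each computer's clock
# offset from this machine (the PDC emulator) with "w32tm /stripchart" and flag the
# limits the case gives: 5 minutes between DCs, 30 minutes between client and DC.
# Assumptions: run on the root-domain PDC emulator; names below are placeholders.
param(
    [string[]]$Computers    = @('DC2', 'DC3'),    # placeholder: machines to check
    [int]     $LimitSeconds = 300,                # 300 s for DCs; use 1800 for clients
    [string]  $ExternalPeer = 'time.windows.com', # example external NTP source
    [switch]  $ConfigurePdc                       # also point this PDC emulator at $ExternalPeer
)

function Get-ClockOffsetSeconds {
    param([string]$Computer, [int]$Samples = 3)
    # /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample: the offset of
    # $Computer's clock relative to this machine's clock. Errors produce no such line.
    $out = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly
    $offsets = foreach ($line in $out) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if ($null -eq $offsets) { return $null }     # unreachable, or UDP 123 blocked
    return ($offsets | Measure-Object -Average).Average
}

$report = foreach ($c in $Computers) {
    $off = Get-ClockOffsetSeconds -Computer $c
    $status = if ($null -eq $off) { 'UNREACHABLE' }
              elseif ([math]::Abs($off) -gt $LimitSeconds) { 'OVER LIMIT: Kerberos will reject' }
              else { 'ok' }
    [pscustomobject]@{ Computer = $c; OffsetSeconds = $off; Status = $status }
}
$report | Format-Table -AutoSize

if ($ConfigurePdc) {
    # 0x8 = poll the peer in client mode; /reliable:yes advertises this DC as a time source.
    & w32tm.exe /config "/manualpeerlist:$ExternalPeer,0x8" /syncfromflags:manual /reliable:yes /update
    & w32tm.exe /resync
}
```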
Case (3) Problem description: A customer reported that client computers started slowly, pausing for a long time at the "Preparing network connections" prompt. On checking, the client computers had the DNS server address configured correctly, but on the DNS server (which was also a domain controller) no corresponding records were found. The customer used a domain name of the form "somedomain", directly under the top level.
Problem reason: Windows 2000 SP4, Windows XP and 2003 do not register DNS records under a top-level domain.
Resolution: modify the registry and use Group Policy (on the client: Local Computer Policy / Administrative Templates / Network / DNS Client). At the customer site a temporary method was used: manually load the Netlogon.dns file, %systemroot%\system32\config\netlogon.dns, which lists the DNS records that should be registered on the DNS server, and copy those records into the DNS server database. To do this the AD-integrated DNS zone is converted to a primary zone, the records are pasted into the zone's database file, and the zone is then changed back to an AD-integrated zone (a large amount of work with multiple domains).

Case (4): Forcibly uninstalling a DC by modifying the registry. Key location: HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType; change LanmanNT to ServerNT, reboot the machine, and the DC can then be uninstalled. The principle: at startup the key value is checked, and if it is ServerNT the services required by the DC are not started. There are side effects: for example the Intersite Messaging service reports an error, because it still starts while the services it depends on have been stopped; this service should be set to manual or disabled. After the DC has been forcibly removed, use the metadata cleanup in the Ntdsutil tool on a remaining DC to clear out the stale information. Possible reasons a DC cannot be uninstalled normally: network problems, inability to connect to the operations master, a long period without synchronization, etc.
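The record check that both the DNS section (nslookup, nltest /dsregdns) and Case (3) (netlogon.dns) call for: compare every record the DC lists in its netlogon.dns file with what the DNS server actually holds, so missing SRV/A/CNAME records show up before users notice slow logons. This is an added example, not code from the original article; it assumes it runs on the DC under Windows 8 / Server 2012 or later (for Resolve-DnsName), and $DnsServer is a placeholder for the DNS server the DC is configured to use.

```powershell
# Added example (not part of the original article): verify that each record in the
# DC's netlogon.dns file is present on the DNS server, and list the ones that are not.
# Assumptions: run on the DC; Resolve-DnsName needs Windows 8 / Server 2012 or later;
# $DnsServer is a placeholder for the DC's configured DNS server.
param(
    [string]$NetlogonDns = "$env:SystemRoot\System32\config\netlogon.dns",
    [string]$DnsServer   = 'DNS1'                 # placeholder
)

function Test-NetlogonDnsRecords {
    param([string]$Path, [string]$Server)
    $missing = foreach ($line in Get-Content -Path $Path) {
        # netlogon.dns lines look like:
        #   _ldap._tcp.dc._msdcs.xyz.com. 600 IN SRV 0 100 389 dc1.xyz.com.
        #   gc._msdcs.xyz.com. 600 IN A 10.0.0.1
        if ($line -notmatch '^(?<name>\S+)\s+\d+\s+IN\s+(?<type>A|SRV|CNAME)\s+(?<rdata>.+)$') { continue }
        $name  = $Matches.name.TrimEnd('.')
        $type  = $Matches.type
        $rdata = $Matches.rdata.Trim()

        # -DnsOnly skips hosts file/LLMNR/NetBIOS. An SRV answer also carries A records
        # for its targets in the additional section, so keep only the requested type.
        $answers = @(Resolve-DnsName -Name $name -Type $type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq $type })

        $found = switch ($type) {
            'SRV'   { $f = $rdata -split '\s+'      # priority weight port target
                      $answers | Where-Object { $_.Port -eq [int]$f[2] -and $_.NameTarget -eq $f[3].TrimEnd('.') } }
            'A'     { $answers | Where-Object { $_.IPAddress -eq $rdata } }
            'CNAME' { $answers | Where-Object { $_.NameHost -eq $rdata.TrimEnd('.') } }
        }
        if (-not $found) { "$type $name -> $rdata" }
    }
    return @($missing)
}

$missing = Test-NetlogonDnsRecords -Path $NetlogonDns -Server $DnsServer
if ($missing.Count -eq 0) {
    "All records in $NetlogonDns are present on $DnsServer."
} else {
    "Records missing on $DnsServer (re-register with 'nltest /dsregdns' or restart Netlogon):"
    $missing
}
```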
Original address: http://www.99191.com/Article/windows/200712/4770.html
