How to create or move a global catalog in Windows Server 2003, Windows 2000, or Small Business Server 2000

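Our company's domain controller runs Windows 2000. We ran into a USN rollback problem during virtualization and resolved it by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/313994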

SUMMARY

This article explains how to create a new global catalog server. This may be necessary if you need additional global catalog servers (e.g. to support an Exchange 2000 rollout) or if you want to move the global catalog server role to a different domain controller.

There may be occasions when it is necessary to create a new global catalog to replace an existing one, or to add a new global catalog. Microsoft recommends the following method:

  1. Create a new global catalog on a second domain controller.
  2. Wait for the account and the schema information to replicate to the new global catalog. For single domains, this is relatively straightforward. For multiple domain networks, full replication will take additional time, depending on the complexity of the network. The new global catalog will be created by normal Active Directory (AD) replication and depending on the structure of your AD forest, this replication could take considerable time.
  3. Remove the global catalog from the original domain controller (optional).

By default, Windows 2000 places a global catalog only on the first domain controller in each AD forest.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

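Our company's domain controller runs Windows 2000. We ran into a USN rollback problem during virtualization and resolved it by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/255504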

SUMMARY

This article describes how to use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

MORE INFORMATION

Certain domain-wide and enterprise-wide operations that are not well suited to multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

  • Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
  • Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
  • RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.

How to remove data in Active Directory after an unsuccessful domain controller demotion

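Our company's domain controller runs Windows 2000. We ran into a USN rollback problem during virtualization and resolved it by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/216498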

SUMMARY

This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.

Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.


Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server

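Our company's domain controller runs Windows 2000. We ran into a USN rollback problem during virtualization and resolved it by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/332199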

SYMPTOMS

Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).

CAUSE

This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.

RESOLUTION

To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.


How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2

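Our company's domain controller runs Windows 2000. We ran into a USN rollback problem during virtualization and resolved it by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/875495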

SUMMARY

This article describes a condition that occurs when a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 starts from an Active Directory database that has been incorrectly restored or copied into place. This condition is known as an update sequence number rollback, or USN rollback.

When a USN rollback occurs, modifications to objects and attributes that occur on one domain controller do not replicate to other domain controllers in the forest. Because replication partners believe that they have an up-to-date copy of the Active Directory database, monitoring and troubleshooting tools such as Repadmin.exe do not report any replication errors.

After hotfix 875495 or Windows Server 2003 Service Pack 1 is installed, a Microsoft Windows Server 2003 domain controller logs Directory Services event 2095 when it encounters a USN rollback. The text of the event message directs administrators to this article to learn about recovery options.


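Domain user account lockout problem

1 Preface

When the number of incorrect password attempts for a user reaches the configured threshold, account lockout is triggered and the user cannot try to log on again for a certain period of time. This is a security policy: it stretches out the time that password retries take and makes brute-force password cracking harder.

Our company runs an ancient Windows 2000 domain controller. A while ago, user accounts started getting locked out for no apparent reason; the lockout times varied and so did the affected accounts. Solving this problem took quite some effort. Below is a brief description of the solution.

2 Enable account auditing

Once account auditing is enabled, the Security log in Event Viewer on the domain controller keeps a record of every successful and failed account logon. This is the basis for troubleshooting the problem.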
