Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller

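Our company's domain controller runs Windows 2000. During virtualization we ran into a USN rollback problem, which I resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/255504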

SUMMARY

This article describes how to use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

MORE INFORMATION

Certain domain and enterprise-wide operations that are not well suited to multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

  • Schema master - The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
  • Domain naming master - The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
  • RID master - The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.

How to remove data in Active Directory after an unsuccessful domain controller demotion

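Our company's domain controller runs Windows 2000. During virtualization we ran into a USN rollback problem, which I resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/216498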

SUMMARY

This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services.


Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server

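Our company's domain controller runs Windows 2000. During virtualization we ran into a USN rollback problem, which I resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/332199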

SYMPTOMS

Microsoft Windows 2000 or Microsoft Windows Server 2003 domain controllers may not gracefully demote by using the Active Directory Installation Wizard (Dcpromo.exe).

CAUSE

This behavior may occur if a required dependency or operation fails. These include network connectivity, name resolution, authentication, Active Directory directory service replication, or the location of a critical object in Active Directory.

RESOLUTION

To resolve this behavior, determine what is preventing the graceful demotion of the Windows 2000 or the Windows Server 2003 domain controller, and then try to demote the domain controller by using the Active Directory Installation Wizard again.


How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2

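Our company's domain controller runs Windows 2000. During virtualization we ran into a USN rollback problem, which I resolved by following this article, so I am reposting it here.
Original link: https://support.microsoft.com/en-us/kb/875495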

SUMMARY

This article describes a condition that occurs when a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 starts from an Active Directory database that has been incorrectly restored or copied into place. This condition is known as an update sequence number rollback, or USN rollback.

When a USN rollback occurs, modifications to objects and attributes that occur on one domain controller do not replicate to other domain controllers in the forest. Because replication partners believe that they have an up-to-date copy of the Active Directory database, monitoring and troubleshooting tools such as Repadmin.exe do not report any replication errors.

After hotfix 875495 or Windows Server 2003 Service Pack 1 is installed, a Microsoft Windows Server 2003 domain controller logs Directory Services event 2095 when it encounters a USN rollback. The text of the event message directs administrators to this article to learn about recovery options.


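Installing OpenWrt on a Raspberry Pi

1 Preface

When I first bought the Raspberry Pi, I wanted to use it for two things: first, to write a program that automatically measures temperature and humidity with a sensor; second, to use it to switch the lights on and off remotely from my phone. In the more than two years since, it has sat idle most of the time, and I never built up enough interest to do either. Only when, for work reasons and my own needs, I flashed OpenWrt onto it on two separate occasions and used it as a router did it finally get put to good use.

2 Software and hardware environment, and goals

2.1 Software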

Windows 10 x64

Cygwin x64

OpenWrt Chaos Calmer 15.05.1

2.2 Hardware

Raspberry Pi B+ x1

UNITEK Y-1466 USB 100 Mbps network adapter (the chip should be the ASIX AX88772C) x1

Netcore NW362 wireless network adapter (Realtek rtl8192cu chip) x1

A display with an AV or HDMI port x1 (optional)


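Connecting two LANs with OpenVPN (using Windows hosts)

1 Preface

For work reasons, I once again need to set up a VPN tunnel between my dormitory and the company. This time I am again using OpenVPN, with two Windows hosts acting as the server and the client respectively. The topology diagram is below.

[Figure: openvpn-connect-two-lan-on-windows-hosts_01]

As shown in the figure, the server is on network A and the client is on network B. There is no need to consider how the routers connect to the Internet; as long as the routers have Internet access, an OpenVPN tunnel can connect the two LANs 192.168.0.0/24 and 192.168.1.0/24, so that the hosts on each can reach the other.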


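Using the distribution's own kernel on a Linode KVM VPS

1 Preface

By a twist of fate, while reinstalling the system I upgraded my VPS from Xen to KVM. Once the system was installed, one question had me stumped: how do I use the kernel that ships with Debian 8? To be honest, I don't like Linode's kernel.

The relevant documents in the Linode documentation library no longer apply, and I got nowhere after researching it myself for a long time. Fortunately, I found a solution on the Linode forum, and testing showed that it works.

Operating system: Debian 8 amd64

2 Setup

2.1 Install the official kernel and grub-pc. While grub is being installed, a screen appears asking which device to install grub to (such as /dev/sda); do not select any device. When asked "Continue without installing GRUB?", choose "Yes".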


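Domain user account lockout problem

1 Preface

When the number of incorrect password attempts for a user reaches the configured threshold, account lockout is triggered and the user cannot attempt to log on again for a set period of time. This is a security policy: it stretches out the time that password retries take and makes brute-forcing passwords harder.

Our company has an ancient Windows 2000 domain controller. A while ago, user accounts started being locked out for no apparent reason; the lockout times were not fixed, and neither were the affected accounts. Solving this took quite some effort. Below is a brief description of the solution.

2 Enable account auditing

Once account auditing is enabled, the Security log in Event Viewer on the domain controller records every account's successful and failed logons. This is the basis for troubleshooting the problem.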


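Rebuilding the VPS system

Debian 8 "Jessie" has been released, and my blog's operating system needed upgrading too. But the disk image from the Debian 7 era used the ext3 file system, which always bothered me, and I had long planned to change the file system to ext4. Yesterday I finally made up my mind to rebuild the whole server system from scratch. Backing up the configuration files, the website and the database took almost a day. Today I spent another day installing and configuring the system.

During this rebuild I upgraded the virtual machine on Linode from Xen to KVM and also replaced MySQL with MariaDB; the rest of the configuration is basically unchanged. With that, things are settled for now. Next I need to reconfigure database replication, check the integrity of the replication, then update "Setting up MySQL database replication" and write an article on checking replication integrity.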


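Sharing a directory on an NTFS partition in Fedora 21

1 Preface

My need is simple: watch 720p movies stored on my computer from an Android tablet. I tried several approaches, and SMB sharing turned out to be the most reliable; external subtitles and the audio tracks inside the movie are both supported perfectly.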

2 /etc/samba/smb.conf

[global]
	workgroup = MYGROUP
	server string = Samba Server Version %v

	# log files split per-machine:
	log file = /var/log/samba/log.%m
	# maximum size of 50KB per log file, then rotate:
	max log size = 50

	security = user
	map to guest = Bad User
	passdb backend = tdbsam

	load printers = yes