• server: notes


    Problem 1

    Step 1

     

    Start the server in Directory Services Restore Mode

     

    The Windows Server 2003/2008 Directory Service opens its database files in exclusive mode. This means the files cannot be managed while the server is operating as a domain controller. To move the database or log files with ntdsutil, we need to start the server in Directory Services Restore Mode.

     

    To start the server in Directory Services Restore mode, follow these steps:

        Restart the computer.

        After the BIOS information is displayed, press F8.

        Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.

    Log on with the local Administrator account and its password (not a domain administrator account).

    Note: with Service Control (SC.exe) you can quickly verify whether the NTDS service is running or stopped. At a command prompt, type SC query ntds

     

    Step 2

     

    How to Move Active Directory Database and Logs

     

    You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server.

     

    To move the data file to another folder, follow these steps:

        Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

    At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.

    At the Ntdsutil command prompt, type files, and then press ENTER.

    At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER.

    In this case, the new location for the database is C:\ADDatabase

    Now, to move the logs, at the file maintenance command prompt type move logs to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER. In our case, the new location for the logs is C:\ADLogs

    To quit file maintenance, type quit. Back at the Ntdsutil prompt, type quit again to close it.

    Restart the computer. The AD database and logs have been moved to their new locations.

    Problem 2

    Problem 3

     

    To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:

     

    1.   To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    2.   Type: ntdsutil

    3.   Type: Ac in ntds

    4.   Type: partition management

    5.   Type: connections

    6.   Type: Connect to server DC_Name

    7.   Type: quit

    8.   Type: list

     

    The following partitions will be listed:

    0 CN=Configuration,DC=Contoso,DC=com

    1 DC=Contoso,DC=com

    2 CN=Schema,CN=Configuration,DC=Contoso,DC=com

    3 DC=DomainDnsZones,DC=Contoso,DC=com

    4 DC=ForestDnsZones,DC=Contoso,DC=com

     

    9.   At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com

    10. Run the list command again to refresh the list of partitions.

     

    Problem 4

     

    To run GPResult on your own computer:

    1.    Click Start, Run, and enter cmd to open a command window.

    2.   Type gpresult and redirect the output to a text file as shown in Figure 1 below:

     Figure 1. Directing GPResult data to a text file

     

    3.   Enter notepad gp.txt to open the file. Results appear as shown in the figure below.

     Figure 2. Verifying policies with GPResult

     

    Administrators can also direct GPResult to other users and computers.

     

    Problem 5

    1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.

     

    2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

     

    3. Click Action, and then click Connect to.

     

    4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

     

    5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.

     

    6. Double-click CN=ForestUpdates.

     

    7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

     

    8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

    9. Click ADSI Edit, click Action, and then click Connect to.

     

    10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.

     

    11. Double-click Schema.

     

    12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.

    13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

    Problem 6

    This article contains descriptions of various security-related and auditing-related events, and tips for interpreting them.

    These events all appear in the Security event log and are logged with a source of "Security."

     

    All of the events below are failure audits with the same layout; only the Reason line differs:

           Type: Failure Audit
    Description: Logon Failure:
                 Reason: <see table>
                 User Name: %1              Domain: %2
                 Logon Type: %3             Logon Process: %4
                 Authentication Package: %5 Workstation Name: %6

    Event ID   Reason
    529        Unknown user name or bad password
    530        Account logon time restriction violation
    531        Account currently disabled
    532        The specified user account has expired
    533        User not allowed to logon at this computer
    534        The user has not been granted the requested logon type at this machine
    535        The specified account's password has expired
    536        The NetLogon component is not active
    537        An unexpected error occurred during logon
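A small triage script for these events, as an added example that is not part of the original notes: it maps the event IDs to the reason text above, tallies failures per reason, and flags any workstation that raised event 529 for several different user names. The records are constructed inline (field order EventID|User Name|Domain|Logon Type|Logon Process|Authentication Package|Workstation Name, matching %1 to %6); a real run would feed it an export of the Security log in that layout.

```python
# Summarise the logon-failure events (IDs 529-537) described above. Added
# example, not from the original notes; the records are constructed, one per
# line, in the field order of the descriptions (%1..%6 after the event ID).
from collections import Counter, defaultdict

LOGON_FAILURE_REASONS = {  # reason text exactly as in the event descriptions
    529: "Unknown user name or bad password",
    530: "Account logon time restriction violation",
    531: "Account currently disabled",
    532: "The specified user account has expired",
    533: "User not allowed to logon at this computer",
    534: "The user has not been granted the requested logon type at this machine",
    535: "The specified account's password has expired",
    536: "The NetLogon component is not active",
    537: "An unexpected error occurred during logon",
}

SAMPLE_EXPORT = """\
529|alice|CONTOSO|3|NtLmSsp|NTLM|WS-017
529|bob|CONTOSO|3|NtLmSsp|NTLM|WS-017
529|carol|CONTOSO|3|NtLmSsp|NTLM|WS-017
529|dave|CONTOSO|3|NtLmSsp|NTLM|WS-017
531|mallory|CONTOSO|2|User32|Negotiate|DC01
535|erin|CONTOSO|2|User32|Negotiate|WS-002
4624|ignored|CONTOSO|2|User32|Negotiate|WS-003
"""

def parse_export(text):
    """Yield one dict per record whose ID is one of the failure events above."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        event_id = int(parts[0])
        if event_id in LOGON_FAILURE_REASONS:
            yield {"event_id": event_id, "reason": LOGON_FAILURE_REASONS[event_id],
                   "user": parts[1], "domain": parts[2], "logon_type": int(parts[3]),
                   "logon_process": parts[4], "auth_package": parts[5], "workstation": parts[6]}

def summarise(text, spray_threshold=3):
    """Count failures per reason, and flag workstations that raised event 529 for
    at least spray_threshold distinct users (one source, many accounts)."""
    by_reason = Counter()
    users_per_ws = defaultdict(set)
    for rec in parse_export(text):
        by_reason[rec["reason"]] += 1
        if rec["event_id"] == 529:
            users_per_ws[rec["workstation"]].add(rec["user"])
    flagged = sorted(ws for ws, users in users_per_ws.items() if len(users) >= spray_threshold)
    return by_reason, flagged
```

Records whose ID is outside 529-537 (such as the 4624 line) are skipped rather than rejected, so the same parser can be pointed at a mixed export.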

    Problem 7

    Import-Module ActiveDirectory
    # Each column of the CSV must match a New-ADUser parameter name (Name, SamAccountName, ...)
    Import-Csv e:\users\newusers.csv |
    New-ADUser -Path "ou=test1,dc=contoso,dc=com" -PassThru |
    ForEach-Object {
        # Single quotes: inside a double-quoted string PowerShell expands $$ as a variable,
        # which would silently set a different password than intended
        $_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
        $_ | Enable-ADAccount }

    Problem 8

    Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool.

     

    Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:

     

        Repadmin /replsummary *


    Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are not available and cannot tell you their status.

    You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:

     

        Repadmin /showrepl *

    Problem 9

    The easiest tool to use to verify that both the GPC and GPT have replicated is GPOTool. This tool is free and very easy to use. It comes with the operating system and can be run from a command prompt. Just type gpotool <dcname> /verbose from the command prompt, like you see in Figure 7.

    dfsrdiag ReplicationState /member:CONTOSO-BRANCH

    Problem 10

    Performing Offline Defragmentation of Ntds.dit

    These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.

    1.   Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.

    2.   Type ntdsutil, and then press Enter.

    3.   Type Activate instance NTDS, and press Enter.

    4.   At the resulting ntdsutil prompt, type Files (case sensitive) and then press Enter.

    5.   At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.

     

    Problem 11

    Creating a PSO using ldifde

    You can use the ldifde command as a scriptable alternative for creating PSOs.

     

    To create a PSO using ldifde

    1.   Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:

     

    dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com

    changetype: add

    objectClass: msDS-PasswordSettings

    msDS-MaximumPasswordAge:-1728000000000

    msDS-MinimumPasswordAge:-864000000000

    msDS-MinimumPasswordLength:8

    msDS-PasswordHistoryLength:24

    msDS-PasswordComplexityEnabled:TRUE

    msDS-PasswordReversibleEncryptionEnabled:FALSE

    msDS-LockoutObservationWindow:-18000000000

    msDS-LockoutDuration:-18000000000

    msDS-LockoutThreshold:0

    msDS-PasswordSettingsPrecedence:20

    msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com

     

    2.   Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

    3.   Type the following command, and then press ENTER:

    ldifde -i -f pso.ldf
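A reviewer's check of the PSO above, as an added example that is not part of the original notes: it parses the same attribute:value lines ldifde imports, converts the age and lockout attributes (stored by AD as negative counts of 100-nanosecond intervals) into seconds, and lists settings worth questioning. The min_length threshold is an assumption of this script, not an AD default.

```python
# Review the PSO from pso.ldf for weak settings (added example, not part of
# the original notes). msDS-*Age / Lockout* values are negative 100-ns ticks;
# the min_length reviewer threshold is an assumption, not an AD default.

PSO_LDF = """\
dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:24
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
msDS-PasswordSettingsPrecedence:20
msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
"""

TICKS_PER_SECOND = 10_000_000  # 100-nanosecond intervals in one second
DURATION_ATTRS = ("msDS-MaximumPasswordAge", "msDS-MinimumPasswordAge",
                  "msDS-LockoutObservationWindow", "msDS-LockoutDuration")

def parse_ldif(text):
    """Return {attribute: value} for a single-record LDIF ('attr:value' or 'attr: value')."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def durations_seconds(attrs):
    """Convert the negative 100-ns tick values of the duration attributes to positive seconds."""
    return {k: -int(attrs[k]) // TICKS_PER_SECOND for k in DURATION_ATTRS if k in attrs}

def review_pso(text, min_length=12):
    """Return the findings a reviewer would raise; an empty list means none."""
    a = parse_ldif(text)
    findings = []
    if int(a.get("msDS-LockoutThreshold", "0")) == 0:
        findings.append("lockout threshold 0: accounts never lock out")
    if int(a.get("msDS-MinimumPasswordLength", "0")) < min_length:
        findings.append("minimum password length %s is below %d" % (a.get("msDS-MinimumPasswordLength"), min_length))
    if a.get("msDS-PasswordReversibleEncryptionEnabled", "FALSE").upper() == "TRUE":
        findings.append("reversible encryption enabled: passwords are recoverable from the directory")
    return findings
```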

     

    Problem 12

    The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:

     

    Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"}

     

    To view the custom attribute value of 500 user accounts in a Microsoft Excel table, export the users and the attribute with CSVDE:

     

    CSVDE -f onlyusers.csv -r "objectCategory=person" -l "CN,<CustomAttributeName>"

  • Original source: https://www.cnblogs.com/ywj2013/p/3366423.html