Active Directory Notes
Directory; since this is a complicated topic, you'll
definitely want to read this section.
Active Directory Users and Computers
If you try to connect to a domain controller using this console and receive an error message that the domain can't be contacted or doesn't exist, check to make sure the Windows Time Service is running on the domain controller.

If the console connects to a domain but performs slowly or hangs, you may have a DNS problem. Check to make sure your DNS server contains the proper SRV records for the domain. Another possibility is that your DNS server has records pointing to nonexistent or unavailable domain controllers (check to make sure all your domain controllers are running too).

Normally, when you start Active Directory Users and Computers, it automatically connects to an available domain controller in the domain to which you are currently logged on. If desired, you can start this console from the command line to connect to a different domain or a specific domain controller. Suppose you are currently logged on to the mtit.local domain as Administrator. To open the console and connect to a domain named usa.mtit.local:
dsa.msc /domain=usa.mtit.local
To open the console and connect to a domain controller named
dc5 in the domain
canada.mtit.local:
dsa.msc /server=dc5.canada.mtit.local
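A scripted version of the DNS check described above, added here as an example rather than taken from the original text. It assumes a Windows admin workstation that has Resolve-DnsName and Test-NetConnection (Windows 8 / Server 2012 or later) and uses the mtit.local domain from the text as a placeholder:

```powershell
# Added example: verify that DNS advertises domain controllers for a domain and
# that every advertised DC resolves and answers on the port its SRV record names.
# Assumes Resolve-DnsName / Test-NetConnection are available on this workstation.
function Test-DomainSrvRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # SRV names a client uses to locate a DC: LDAP, Kerberos and the global catalog.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_gc._tcp.$Domain"
    )
    $results = foreach ($name in $srvNames) {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) {
            # Missing SRV record: clients cannot locate a DC through this name.
            [pscustomobject]@{ Record = $name; Target = $null; Resolves = $false; Reachable = $false }
            continue
        }
        foreach ($r in $records) {
            # A stale SRV record may point at a decommissioned or offline DC, which
            # is what makes the console hang while it tries each candidate in turn.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue
            $tcp = $false
            if ($a) {
                $tcp = (Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
            }
            [pscustomobject]@{
                Record    = $name
                Target    = "$($r.NameTarget):$($r.Port)"
                Resolves  = [bool]$a
                Reachable = [bool]$tcp
            }
        }
    }
    return $results
}

# Show only the entries that would make the console fail or hang when locating a DC.
Test-DomainSrvRecords -Domain 'mtit.local' |
    Where-Object { -not $_.Resolves -or -not $_.Reachable } |
    Format-Table -AutoSize
```

An empty table means every SRV record the domain advertises points at a DC that both resolves and accepts connections.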
Client Computers
If you want Windows 98, Windows Me, or NT 4.0 post-SP3 computers to participate in an Active Directory-based network, you need to download and install the Active Directory Client Extensions for these operating systems from Microsoft's web site. The extensions allow these machines to take advantage of advanced features, such as SMB signing, that are available only when the extensions are installed. Computers running Windows 95 or NT 4.0 with SP3 or earlier can't log on to WS2003 domains unless SMB signing is disabled on WS2003 domain controllers by doing the following:
Default Domain Controller Policy
Compacting Active Directory
Active Directory automatically performs periodic garbage collection to optimize its performance, but this online defragmentation process doesn't compact the datastore to reclaim disk space. If you frequently make changes to Active Directory, you may want to supplement this with occasional offline defragmentation. To do this, press F8 during startup to open the Windows Advanced Options Menu and select the option to start your domain controller in Directory Services Restore Mode. Then log on using the local Administrator account for the machine and use the ntdsutil utility to perform the offline defragmentation. Note that the password for the local Administrator account is set during dcpromo.

New in WS2003 is the ability to manually initiate an online defragmentation of Active Directory. To do this, first install the WS2003 Support Tools from \SUPPORT\TOOLS on the product CD. Run the Ldp tool, bind to your domain as an administrator, select Browse, and enter the following information:
- Dn: leave this blank
- Attribute: DoOnlineDefrag
- Value: 180
Leave Add selected and click Enter. The online defragmentation process is initiated and runs once for 180 seconds.
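The same rootDSE modify that the Ldp steps perform, scripted with ADSI. This is an added example, not part of the original text; it assumes you run it as a domain administrator, and the server name is a placeholder taken from the dsa.msc example above:

```powershell
# Added example: trigger the WS2003 online defragmentation without the Ldp GUI.
# Assumes domain administrator rights; $Server is a placeholder DC name.
function Start-AdOnlineDefrag {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Seconds = 180   # same value the Ldp procedure above uses
    )
    # Leaving Dn blank in Ldp addresses the rootDSE; this ADSI path does the same.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"

    # DoOnlineDefrag is an operational attribute: writing it starts the action on
    # the DC, nothing is stored in the directory. Put + SetInfo sends the modify.
    $rootDse.Put('DoOnlineDefrag', $Seconds)
    $rootDse.SetInfo()

    # The run happens in the background on the DC; check its Directory Service
    # log afterwards to confirm it started and finished.
    "Online defragmentation requested on $Server for $Seconds seconds."
}

Start-AdOnlineDefrag -Server 'dc5.canada.mtit.local'
```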
Enable Diagnostic Logging
If you're experiencing
problems with certain aspects of Active Directory, such as directory
replication, you can enable various levels of diagnostic logging to
help troubleshoot its operation. Open Registry Editor
and select the following
key:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Then open the appropriate value (in this case 5 Replication
Events) and change the level of diagnostic logging from 0
(none) to 1 (minimum), 3 (medium), or 5 (maximum), as appropriate.
Diagnostic events are recorded in the directory service log in Event
Viewer. Be sure you don't enable too high a level of
diagnostic logging for too many aspects of Active Directory or your
log will fill rapidly and performance of your domain controller may
degrade.
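A small wrapper for the registry change described above, added here as an example rather than taken from the original text. It assumes it runs locally on the domain controller as an administrator, uses the key and the 5 Replication Events value named in the text, and assumes the relevant events carry a source name beginning with NTDS:

```powershell
# Added example: raise one NTDS diagnostic category, collect the resulting events
# from the Directory Service log, then restore the previous level so the log does
# not fill and the DC does not slow down. Run on the DC as an administrator.
$NtdsDiagPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Set-NtdsDiagnosticLevel {
    param(
        [string]$Category = '5 Replication Events',   # registry value name from the text
        # 0 = none, 1 = minimum, 3 = medium, 5 = maximum; the range also lets the
        # caller restore whatever value was there before.
        [ValidateRange(0, 5)][int]$Level
    )
    $previous = (Get-ItemProperty -Path $NtdsDiagPath -Name $Category).$Category
    Set-ItemProperty -Path $NtdsDiagPath -Name $Category -Value $Level -Type DWord
    return [int]$previous   # returned so the caller can put it back later
}

function Get-DirectoryServiceEvents {
    param([int]$Newest = 100)
    # Diagnostic events are written to the classic "Directory Service" log.
    # Source prefix is an assumption; adjust if your events use another source.
    Get-EventLog -LogName 'Directory Service' -Newest $Newest |
        Where-Object { $_.Source -like 'NTDS*' } |
        Select-Object TimeGenerated, EntryType, Source, EventID, Message
}

# Typical use: turn logging up, reproduce the replication problem, collect the
# events, and always return the level to its previous value.
$old = Set-NtdsDiagnosticLevel -Level 3
try {
    # ... reproduce the problem here (for example, trigger replication) ...
    Get-DirectoryServiceEvents | Format-List
}
finally {
    Set-NtdsDiagnosticLevel -Level $old | Out-Null
}
```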
Failure During Active Directory Installation
Active Directory
installation can fail
if your server doesn't have network connectivity, so
make sure your server's network card is securely
attached to a switch or hub using a cable. If installation still
fails, try uninstalling the following network components:
- Client for Microsoft Networks
- File and Printer Sharing for Microsoft Networks
- TCP/IP Protocol
Reinstall these components and try installing Active Directory again.
LDAP Queries
Note that Active Directory
on WS2003 doesn't allow anonymous LDAP operations to
be performed against it, with the exception of binds and rootDSE
searches. Instead, you must be an authenticated user to successfully
issue an LDAP request against Active Directory. You can override this
behavior; see Knowledge Base article 326690 on support.microsoft.com.
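A check that confirms the behavior described above on a given domain controller: rootDSE is readable anonymously, while an anonymous search below the domain root is rejected. This is an added example, not code from the original text; it assumes a reachable DC, and the server name is a placeholder taken from the dsa.msc example above:

```powershell
# Added example: verify that a DC serves only rootDSE to anonymous LDAP clients
# and refuses an anonymous search of the domain naming context.
# Assumes the DC is reachable on LDAP; $Server is a placeholder name.
Add-Type -AssemblyName System.DirectoryServices

function Test-AnonymousLdap {
    param([Parameter(Mandatory)][string]$Server)
    $anon = [System.DirectoryServices.AuthenticationTypes]::Anonymous

    # 1. rootDSE: the documented exception, expected to succeed without a bind.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/RootDSE", $null, $null, $anon)
    $defaultNc = $rootDse.Properties['defaultNamingContext'].Value

    # 2. A search below the domain root with the same anonymous connection.
    #    On a default WS2003 DC this is refused until the client authenticates.
    $searchAllowed = $false
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/$defaultNc", $null, $null, $anon)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = '(objectClass=user)'
        $searcher.SizeLimit = 1
        $hits = $searcher.FindAll()
        $searchAllowed = ($hits.Count -gt 0)
    }
    catch {
        # Rejected search (operations error): the expected default outcome.
        $searchAllowed = $false
    }

    [pscustomobject]@{
        Server                 = $Server
        RootDseReadable        = [bool]$defaultNc
        # $true means the default was overridden (see KB 326690 above).
        AnonymousSearchAllowed = $searchAllowed
    }
}

Test-AnonymousLdap -Server 'dc5.canada.mtit.local'
```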
Publishing Resources
If your network includes slow WAN links, publish
only resources that change relatively infrequently to prevent
unnecessary replication traffic from consuming valuable network
bandwidth. If you move a published resource to a different server on
the network, update the information about the resource in Active
Directory to reflect this. In this way, users can still connect to
the resource without needing to know its new location. This is really
the main benefit of publishing resources in Active Directory: it
frees users from the need to memorize which server the resource is
located on in the network.
See Also
adprep, Backup, csvde, Delegation, DNS, Domain, Domain Controller, dsadd, dsget, dsmod, dsmove, dsquery, dsrm, Groups, Forest, Group Policy, ldifde, OU, Printing, Site, Trusts, Users