= Event ID =
Count the event IDs across the exported event-log text files:
{{{
$ grep EventID *.txt | awk -F"。" '{ print $2 }' | sort -n | uniq -c
      1 EventID: 0x000003F6
     11 EventID: 0x0000165B
     12 EventID: 0x000016AD
     18 EventID: 0x00002734
     18 EventID: 0x00009017
      8 EventID: 0x80000023
    111 EventID: 0x80000025
      1 EventID: 0x80000434
      1 EventID: 0x800034C4
}}}
The exported IDs carry the severity qualifier in the high word (0x8000xxxx warnings, 0xC000xxxx errors); the ID shown in Event Viewer is the low 16 bits.

= Warning: There is less than 14% available RIDs in the current pool =
I have seen this warning in my environment. This basically states that the RID pool is about to be exhausted on that specific domain controller. When the RID pool is completely exhausted, the domain controller in question will contact the RID master to get a new pool allocated to it. All of this runs in the background and you may not even notice it. We have a monitoring/dashboard tool that picks up this warning and displays it. I have seen warnings at 0% RIDs available in the RID pool. All I did to fix it was connect to that DC using ADUC and create a dummy computer object. This way I forced the DC to contact the RID master and get a new pool. By default the RID pool will have 500 IDs. As and when it is exhausted, the DC gets a new pool allocated automatically. If you feel that the RID pool is depleting very rapidly, the link GSS1 posted is a very good starting point.

== Solution ==
The warning refers to the pool **on that specific domain controller**; when it is completely exhausted the DC requests a new pool from the RID master, so the first thing to check is whether the RID master is healthy and reachable from that DC. List the FSMO role holders with:
{{{
netdom query fsmo
}}}
Run the following on each DC to confirm its status (dcdiag /v includes the RidManager test, which reports the RID master and the DC's current pool):
{{{
ipconfig /all
dcdiag /v > c:\dcdiag.txt
repadmin /showrepl > C:\repl.txt
repadmin /showrepl *
}}}
Then check the event logs on every DC for errors.

= 0x000016AD =
Event IDs 0x0000165B (5723) and 0x000016AD (5805) are NetLogon events. Here they appeared for computer accounts that had been disabled for some time before being re-enabled; the computer's secure channel with the domain had most likely become invalid in the meantime.

== Resolution ==
Disable the Windows XP firewall. Remove the computer from the domain and re-join it. Consider deleting the computer object in Active Directory Users and Computers in between, so that any sub-components of the computer object are removed as well.

= 0x00009017 =
Event 0x00009017 is 36887 (Schannel): a fatal TLS alert was received from the remote endpoint.

= 0xC0000071 =
== info ==
{{{
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:12 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: kkzhang1 源工作站: DLA0191 错误代码: 0xc0000071
}}}
Event 4776 is an NTLM credential validation. Translated, the message reads: "The computer attempted to validate the credentials for an account. Authentication package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0. Logon account: kkzhang1. Source workstation: DLA0191. Error code: 0xc0000071." NTSTATUS 0xC0000071 is STATUS_PASSWORD_EXPIRED.

== CASE ==
User logon with an expired password.

= EventID: 0x0000165 =
NetLogon message: "The session setup from the computer 'WIN10-249' failed because the security database does not contain a trust account 'WIN10-249$' referenced by the specified computer."

== CASE ==

= A single Domain with more than two Domain Controllers =
 1. Choose a healthy DC / DNS server.
 1. Make the other domain controllers point to the private IP address of the chosen DC as their primary DNS server.
 1. For each DC/DNS server except the chosen one, make it point to its own private IP address as secondary DNS server.
 1. For each DC/DNS server except the chosen one, make it point to 127.0.0.1 as third DNS server.
 1. You can make the chosen domain controller point to its own private IP address as primary DNS server and 127.0.0.1 as secondary. (After the AD replication issue is resolved, I recommend pointing it at another domain controller as primary DNS server.)

= Error codes in the Security log =
Convert the exported Security logs from GBK to UTF-8, then tally the error codes (the loop globs the files directly; do not wrap `ls` in quotes, which would iterate over the literal string):
{{{
for i in *Security*.txt; do piconv -f gbk -t utf8 "$i"; done | tee Security.info
grep -i '错误代码' Security.info | awk -F"错误代码:" '{ print $2 }' | sort -n | uniq -c
}}}
{{{
$ grep -i '错误代码' Security.info | awk -F"错误代码:" '{ print $2 }' | sort -n | uniq -c
   3477  0xc0000064
  98012  0xc000006a
   8908  0xc0000071
    362  0xc0000072
   2521  0xc0000234
}}}
These are the NTSTATUS values reported by event 4776: 0xC0000064 user name does not exist, 0xC000006A wrong password, 0xC0000071 password expired, 0xC0000072 account disabled, 0xC0000234 account locked out. Wrong-password failures (98012) dwarf every other code; breaking them down per logon account and source workstation shows whether that is a few services with stale credentials or many accounts being tried from one host.

== Ticket options: 0x40810010, failure code: 0x18 ==
{{{
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Tue Mar 09 03:35:57 2021,No User,Kerberos 预身份验证失败。 帐户信息: 安全 ID: S-1-5-21-1708537768-1993962763-725345543-14887 帐户名称: bzeng 服务信息: 服务名称: krbtgt/suntakpcb.com 网络信息: 客户端地址: ::ffff:10.3.133.155 客户端端口: 63863 附加信息: 票证选项: 0x40810010 失败代码: 0x18 预身份验证类型: 2 证书信息: 证书颁发者名称: 证书序列号: 证书指纹: 仅当证书用于预身份验证时才会提供证书信息。 预身份验证类型、票证选项和失败代码在 RFC 4120 中定义。 如果票证在传递过程中格式错误或者损坏因而无法解密,则可能无法提供此事件中的很多字段。
}}}
Event 4771 is a Kerberos pre-authentication failure: account bzeng requested a ticket for krbtgt/suntakpcb.com from client ::ffff:10.3.133.155, port 63863. Failure code 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. the wrong password was supplied. Pre-authentication type 2 is PA-ENC-TIMESTAMP, the normal password-based pre-authentication. Ticket options 0x40810010 are forwardable, renewable, canonicalize and renewable-ok. The certificate fields are empty because no certificate was used; they are only filled in for certificate-based pre-authentication. The pre-authentication type, ticket options and failure code are defined in RFC 4120, and many fields of this event may be missing if the ticket was malformed or corrupted in transit and could not be decrypted. A burst of 0x18 failures spread over many accounts from a single client address is the typical signature of a password spray, as opposed to one user mistyping a password.

Requirements for completing the plan:
 1. Add the official Windows 2016 compatibility statement.
 1. Flesh out the planning details and the related operating instructions.

Verification required before implementation:
 1. Verify the AD backup and rollback procedures.
 1. Verify Windows XP logon against the Windows 2016 AD environment.
 1. Some applications are bound to a single fixed DNS server (in AD); impact on the business must be kept to a minimum.

Follow-up items: confirm whether changing the primary domain controller's IP address directly is feasible (mainly DC2, DC3, DC4). If not, propose a recommended solution.
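The per-account breakdown of the 4776 error codes and the 4771 failure codes discussed above, as an added POSIX shell example (not code from the CD-AD-CHECK page). It assumes the same comma-separated export layout as the excerpts on this page (EventID,Type,Source,Time,User,Message) with either the Chinese or the English field labels; the accounts, hosts, client address, realm example.test and timestamps in SAMPLE_EXPORT are constructed for the demo, and the code meanings are the standard NTSTATUS and Kerberos error values.

```shell
#!/bin/sh
# Added example (not from the page): tally 4776 (NTLM) and 4771 (Kerberos)
# AUDIT FAILURE records per account and status code, then flag accounts that
# look like a spray or lockout. Sample records below are CONSTRUCTED in the
# page's export layout; one line uses the Chinese labels seen on the page.
SAMPLE_EXPORT='4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:12 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: alice Source Workstation: WS01 Error Code: 0xc0000071
4776,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Sat May 01 13:00:20 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: alice Source Workstation: WS01 Error Code: 0x0
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:01:02 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: svc-backup Source Workstation: APP07 Error Code: 0xc000006a
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:01:03 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: svc-backup Source Workstation: APP07 Error Code: 0xc000006a
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:01:04 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: svc-backup Source Workstation: APP07 Error Code: 0xc000006a
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:01:05 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: svc-backup Source Workstation: APP07 Error Code: 0xC000006A
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:02:10 2021,No User,Kerberos pre-authentication failed. Account Name: bob Service Name: krbtgt/example.test Client Address: ::ffff:10.0.0.55 Client Port: 50120 Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:02:14 2021,No User,Kerberos pre-authentication failed. Account Name: bob Service Name: krbtgt/example.test Client Address: ::ffff:10.0.0.55 Client Port: 50121 Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:03:00 2021,No User,The computer attempted to validate the credentials for an account. Logon Account: ghost Source Workstation: WS02 Error Code: 0xc0000064
4776,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Sat May 01 13:04:00 2021,No User,计算机试图验证帐户的凭据。 验证包: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 登录帐户: carol 源工作站: WS09 错误代码: 0xc0000234'

# event_id_dec HEXID: exported IDs carry severity bits in the high word
# (0x8000xxxx warning, 0xC000xxxx error); Event Viewer shows the low 16 bits.
event_id_dec() { echo $(( $1 & 0xFFFF )); }

# describe_code CODE: meaning of a 4776 NTSTATUS or 4771 Kerberos failure code.
describe_code() {
  case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
    0xc0000064) echo "user name does not exist" ;;
    0xc000006a) echo "wrong password" ;;
    0xc0000071) echo "password expired" ;;
    0xc0000072) echo "account disabled" ;;
    0xc0000234) echo "account locked out" ;;
    0x6)  echo "KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)" ;;
    0x12) echo "KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)" ;;
    0x17) echo "KDC_ERR_KEY_EXPIRED (password expired)" ;;
    0x18) echo "KDC_ERR_PREAUTH_FAILED (wrong password at Kerberos pre-authentication)" ;;
    *)    echo "unknown code $1" ;;
  esac
}

# tally_failures < export: prints "EVENTID ACCOUNT CODE COUNT", highest count
# first. Only AUDIT FAILURE rows of 4776/4771 are counted; the account and code
# are taken from the labelled fields (English or Chinese), never from the first
# 0x token, because 4771 lists the ticket options before the failure code.
tally_failures() {
  awk -F',' '
    function after(s, label,   i, rest) {   # token following "label", or ""
      i = index(s, label); if (i == 0) return ""
      rest = substr(s, i + length(label))
      sub(/^[ \t]+/, "", rest); sub(/[ \t].*$/, "", rest)
      return rest
    }
    $2 == "AUDIT FAILURE" && ($1 == 4776 || $1 == 4771) {
      acct = after($0, "Logon Account:")
      if (acct == "") acct = after($0, "Account Name:")
      if (acct == "") acct = after($0, "登录帐户:")
      if (acct == "") acct = after($0, "帐户名称:")
      code = after($0, "Error Code:")
      if (code == "") code = after($0, "Failure Code:")
      if (code == "") code = after($0, "错误代码:")
      if (code == "") code = after($0, "失败代码:")
      if (acct != "" && code != "") n[$1 " " acct " " tolower(code)]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort -k4,4nr -k2,2
}

# suspicious_accounts THRESHOLD < export: "ACCOUNT REASON COUNT" for accounts
# with >= THRESHOLD wrong-password failures (NTLM 0xc000006a or Kerberos 0x18)
# and for every account that hit a lockout (0xc0000234 or Kerberos 0x12).
suspicious_accounts() {
  tally_failures | awk -v t="$1" '
    { acct = $2; code = $3; n = $4 }
    code == "0xc000006a" || code == "0x18" { bad[acct] += n }
    code == "0xc0000234" || code == "0x12" { locked[acct] += n }
    END {
      for (a in bad) if (bad[a] >= t) print a, "wrong-password", bad[a]
      for (a in locked) print a, "locked-out", locked[a]
    }' | sort
}

# Usage on the constructed export: flag anything with 3 or more bad passwords.
printf '%s\n' "$SAMPLE_EXPORT" | tally_failures
printf '%s\n' "$SAMPLE_EXPORT" | suspicious_accounts 3
```

On a real export replace SAMPLE_EXPORT with Security.info from the conversion step above; the threshold is deliberately low here, and on a domain with tens of thousands of 0xc000006a events it is the per-source-workstation spread, not the raw count, that separates a stale service credential from a spray.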