• Consistency check of the AD database file (NTDS.dit)

     

    Sometimes NTBackup cannot back up the DC's System State, or you find the following in the system log:

    Event Type:          Error
    Event Source:      NTBackup
    Event Category:  None
    Event ID:               8012
    Description:
    The 'Active Directory' returned '發生讀取驗證錯誤
    ' from a call to 'BackupRead()' additional data '-'

    Event Type:          Error
    Event Source:      ESENT
    Event Category:  Logging/Recovery
    Event ID:               474
    Description:
    lsass (504) The database page read from the file "C:\WINDOWS\NTDS\ntds.dit" at offset 77594624 (0x0000000004a00000) for 8192 (0x00002000) bytes failed verification due to a page checksum mismatch.  The expected checksum was 3561104104 (0xd44222e8) and the actual checksum was 3920450040 (0xe9ad51f8).  The read operation will fail with error -1018 (0xfffffc06).  If this condition persists then please restore the database from a previous backup.  This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
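Parsing an ESENT 474 description like the one above into its fields, as an added example that is not part of the original page: it cross-checks every decimal value against its hex rendering, decodes the JET error as a 32-bit two's-complement value, and derives the physical page number from the offset and the 8 KB page size. The sample string is constructed from the event quoted above; the function name is this example's own.

```python
import re

# Constructed sample: the ESENT 474 description quoted on this page, as one string.
EVENT_474 = (
    'lsass (504) The database page read from the file "C:\\WINDOWS\\NTDS\\ntds.dit" '
    "at offset 77594624 (0x0000000004a00000) for 8192 (0x00002000) bytes failed "
    "verification due to a page checksum mismatch.  The expected checksum was "
    "3561104104 (0xd44222e8) and the actual checksum was 3920450040 (0xe9ad51f8).  "
    "The read operation will fail with error -1018 (0xfffffc06)."
)

_PATTERN = re.compile(
    r'read from the file "(?P<file>[^"]+)" at offset (?P<offset>\d+) '
    r"\((?P<offset_hex>0x[0-9a-f]+)\) for (?P<page_size>\d+) \((?P<page_size_hex>0x[0-9a-f]+)\) "
    r"bytes .*?expected checksum was (?P<expected>\d+) \((?P<expected_hex>0x[0-9a-f]+)\) "
    r"and the actual checksum was (?P<actual>\d+) \((?P<actual_hex>0x[0-9a-f]+)\)\.\s+"
    r"The read operation will fail with error (?P<error>-?\d+) \((?P<error_hex>0x[0-9a-f]+)\)",
    re.IGNORECASE | re.DOTALL,
)

def parse_esent_474(description: str) -> dict:
    """Extract the fields of an ESENT 474 description and verify each decimal value
    against its hex rendering. Raises ValueError if the text is not a 474 event."""
    m = _PATTERN.search(description)
    if m is None:
        raise ValueError("not an ESENT 474 page-verification event")
    d = m.groupdict()
    rec = {"file": d["file"]}
    for key in ("offset", "page_size", "expected", "actual"):
        rec[key] = int(d[key])
        if rec[key] != int(d[key + "_hex"], 16):
            raise ValueError(f"decimal/hex mismatch for {key}")
    # The JET error is printed as a 32-bit two's-complement value: -1018 <-> 0xfffffc06.
    rec["error"] = int(d["error"])
    hex_error = int(d["error_hex"], 16)
    if hex_error >= 1 << 31:
        hex_error -= 1 << 32
    if rec["error"] != hex_error:
        raise ValueError("decimal/hex mismatch for error code")
    # The offset should be a multiple of the 8 KB page size; that gives the page number.
    rec["page_aligned"] = rec["offset"] % rec["page_size"] == 0
    rec["page_number"] = rec["offset"] // rec["page_size"]
    # -1018 (JET_errReadVerifyFailure) with differing checksums is the page corruption
    # that this article says to handle by consistency check, esentutl or restore.
    rec["is_1018_corruption"] = rec["error"] == -1018 and rec["expected"] != rec["actual"]
    return rec
```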


    For this problem, check the consistency of the database file.
    Reboot, press F8 and enter Directory Service Restore Mode (safe mode):
    1. Enter "Directory Service Restore Mode"
    2. Open "cmd" prompt
    3. Run "ntdsutil" and press Enter
    4. Run "files" and press Enter
    5. Run "info" and press Enter
    6. Open regedit
        - Go to HKLM\System\CurrentControlSet\Services\NTDS\Parameters
        - Make sure the path information there matches what "info" reported

    7. Make sure System and Administrators have full control of the "%windir%\ntds" folder

    If the information above checks out, continue with the following steps:
    1. Open "cmd" prompt
    2. Run "ntdsutil" and press Enter
    3. Run "files"
    4. Run "integrity"
    5. Run "recover"
    6. Run "q"
    7. Run "sem d a" (semantic database analysis)
    8. Run "go fix"

    If the "go fix" command reports errors, the database has a problem; run:
    9. Run "esentutl /p C:\winnt\ntds\ntds.dit /!10240 /8 /v /x /o" (this attempts to repair the database)

    If "esentutl" still cannot repair the database, we recommend demoting the DC and promoting it again.

  • AD - Repairing/restoring missing FRS member objects

    Use ADSIEdit.msc to check whether the replication Member object under CN=Domain System Volume (SYSVOL share) is missing. If the object is missing, the DC cannot perform FRS replication. Follow the steps below to manually recreate the FRS Member object.

    Reference KB article: Recovering missing FRS objects and FRS attributes in Active Directory http://support.microsoft.com/kb/312862/en-us

    Recovering deleted FRS member objects (this section is excerpted from part of KB 312862)
    ===============================================

    In the following procedure, you are using ADSIedit to re-create a deleted member object for the domain controller \\DC1 in the SYSVOL replica set of the A.COM domain where \\DC1 is the name of the domain controller and A.COM is the domain name.

    Note ADSIedit is the preferred tool for creating missing objects and attributes because it has a drop-down list of attributes and objects that you can use to help avoid syntax errors.

    To recover a deleted FRS member object:
    1. Start ADSIedit. Connect to the domain partition on a domain controller that is a member of the domain that is hosting the missing FRS member object.
    2. Review the required attributes and the optional attributes for a healthy member object in the same replica set.

    For a SYSVOL replica set in the A.COM domain, the DN path is:
    DN Path                                         ObjectClass
    DC=A,DC=COM                                     Root Domain NC
      CN=System                                     Container
        CN=File Replication Service                 nTFRSSettings
          CN=Domain System Volume (SYSVOL share)    nTFRSReplicaSet
    Note LDP is the preferred tool in this step because you can look at all of the attributes in a single screen. ADSIedit works better for small attribute sets.


    3. In ADSIedit, in the console tree, right-click the name of the FRS replica set to which you want to add the missing member, \\DC1, click New, and then click Object:
    (CN=Domain System Volume (SYSVOL share),CN=File Replication Service...) 


    4. In the Create Object Wizard, click nTFRSMember, and then click Next.


    5. Type the host name of the computer (DC1 in this example) in the Value box, and then click Next.


    6. Click More Attributes, and then click BOTH in the Select which properties to view list.


    7. Under Edit Attribute, configure the following attributes. Click SET after each entry:
    ‧ Frs-Computer-Reference:
        ‧ Expected Value: DN path of computer account in domain NC
        ‧ Example: CN=DC1,OU=Domain Controllers,DC=a,DC=com


    ‧ InstanceType:
        ‧ Expected Value: 4 for SYSVOL, 2 for DFS replica sets
        ‧ Example: 4


    ‧ Server-Reference:
        ‧ Expected Value: DN path of NTDS Settings object from Configuration partition
        ‧ Example: CN=NTDS Settings,CN=DC1,CN=Servers,CN=USA-CORP,CN=Sites,CN=Configuration,DC=a,DC=com


    8. Update the FrsMemberReference attribute on the NtFrsSubscriber object:
    a.  In ADSIedit, in the console tree, navigate to the NtFrsSubscriber object for same replica set that you used in step 2:
         CN=NTFRS Subscriptions,CN=ARRENC1,OU=Domain Controllers,DC=a,DC=com 
    b.  Right-click NtFrsSubscriber, and then click Properties. You can view the properties in the detail pane:
         CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions 
    c.  On the Attributes tab, set Select which properties to view to OPTIONAL.


    9. Under Edit Attribute, configure the following attributes. Click SET after each entry:
    ‧ FrsMemberReference:
        ‧ Expected Value: The DN path of the FRS member object for the matching replica set, which is SYSVOL in this example.
        ‧ Example: CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=a,DC=com
        ‧ Result: Populates the fRSMemberReferenceBL attribute on the member object in:
            CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=a,DC=com 


    Other reference articles:
    How To Configure Site Link Attributes
    ===============================
    1. Open the Active Directory Sites and Services console
    2. Open the Sites folder, and then open the Inter-Site Transports folder.
    3. Open the IP folder or SMTP folder which contains the site link that you want to configure site link attributes for.
    4. Right-click the particular site link and then select Properties from the shortcut menu.
        a. In the Description box in the General tab of the Properties dialog box for the site, you can enter a description for the site link.
        b. In the Cost box, you can change the default cost for the site link, and assign a cost to the link. The default cost setting is 100.
        c. In the Replicate Every box, you can change the default replication interval. This is basically the number of minutes between replications. The default setting is 180 minutes. The shortest replication interval that can be set is 15 minutes, and the longest interval that can be specified is 10,080 minutes.
        d. Click the Change Schedule button to configure when the site link is available for replication.
        e. When the Schedule dialog box for the site link opens, you can set when the site link is available for replication, or when it is not available for replication.
        f. Click OK to save configuration changes you made in the Schedule dialog box.
    5. Click OK to save changes in the Properties dialog box of the site.
    http://technet.microsoft.com/en-us/library/cc755994.aspx#w2k3tr_repto_how_bwzg

  • User cannot create accounts in Active Directory Users and Computers

    Cause: possibly mass account creation, or a DC restored in a non-standard way. Each DC's RID pool should be a range of numbers issued by the RID Master.
    To check whether a DC's RID pool is healthy, look for the following in the dcdiag /v log:

    The customer can create accounts on AD2, because its pool IDs are correct:
    Starting test: RidManager
             * Available RID Pool for the Domain is 5111 to 1073741823
             * ads.pglamer.com.tw is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 4611 to 5110
             * rIDPreviousAllocationPool is 4611 to 5110
             * rIDNextRID: 4611
             ......................... AD2 passed test RidManager

    The next ID AD1 would issue is 4610, and its pool is already empty:
    Starting test: RidManager
             * Available RID Pool for the Domain is 5111 to 1073741823
             * ads.pglamer.com.tw is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 4111 to 4610
             * rIDPreviousAllocationPool is 4111 to 4610
             * rIDNextRID: 4610
             * Warning :Next rid pool not allocated
             * Warning :There is less than 0% available RIDs in the current pool

    This problem usually occurs when a program creates accounts in bulk and the DC cannot request a new 500-RID pool from the RID Master in time, or when this DC has had a System State restore.

    Resolution
    Run the following steps on AD1:

    a-1. Please add the following registry value on the domain controller MERCURY (if your OS is Windows 2000):

              HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow System Only
    Change
              Type: REG_DWORD
              Value: 0x1 


    a-2. If the OS is Windows Server 2003, please install the Support Tools from the Windows 2003 source CD.
    They are at <CD-ROM drive>:\SUPPORT\TOOLS\SUPTOOLS.MSI
    After installing the Support Tools, please follow the steps below.
    1. Start LDP.exe and go to Connection and choose Connect. Then go to Connection and choose Bind to the DS server that you want to modify. Make sure that you are a schema administrator.
    2. After you connect to and then authenticate your computer that has the selected Lightweight Directory Access Protocol (LDAP), locate the Browse menu. Then, select the Modify option.
    3. Leave the DN blank. Then, type "schemaUpgradeInProgress" (without the quotation marks) in the Attribute field. In the Values field, type "1" (without the quotation marks).
    4. Select the "Add" operation, and then press the ENTER button. Note: when you press the ENTER button, you add this command to the entry list.
    5. Select Run. Note: you will receive a "Modified" message when you have finished.

    b. Don't reboot the server. We can modify the RID pool attributes now.
    In the DCDIAG log we see:

    Starting test: RidManager
             * Available RID Pool for the Domain is 5111 to 1073741823
             * ads.pglamer.com.tw is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 4111 to 4610
             * rIDPreviousAllocationPool is 4111 to 4610
             * rIDNextRID: 4610
             * Warning :Next rid pool not allocated
             * Warning :There is less than 0% available RIDs in the current pool
    c. Please set the values as below:
    We will ignore the 4611 to 5110 pool and start from the 5111 pool. The number of RIDs added is 500.

    The NextRID should be: 5111.
    The rIDAllocationPool should be: 0x15EA000013F7 (24094766535671) = 5111-5610, the new pool (5111+499 = 5610)
        0x15EA = 5610 (high 32 bits: end of the range)
        0x13F7 = 5111 (low 32 bits: start of the range)
        0x15EA000013F7 = 24094766535671

    The rIDPreviousAllocationPool should be: 0x12020000100F (19799799238671) = 4111-4610, the old pool
        0x1202 = 4610
        0x100F = 4111
        0x12020000100F = 19799799238671


    d. Use Adsiedit.msc to modify the values:

    1. Open Adsiedit.msc on the domain controller ADS.
    2. Expand to Domain NC -> OU=Domain Controllers -> CN=AD1.
    3. In the right pane, right-click CN=RID Set and choose Properties.
    4. In the Attributes tab, choose Mandatory for the type, and then in the property field choose the three attributes below:

    rIDAllocationPool: 24094766535671 (5111-5610)
    rIDNextRID: 5111
    rIDPreviousAllocationPool: 19799799238671 (4111-4610)

    5. Set their values as listed above and click Apply.
    6. After changing the three attribute values, expand another object: Domain NC partition, DC=pglamer,DC=com,DC=tw, CN=System.
    In the right pane you can see the object CN=RID Manager$. Right-click it and choose Properties.
    7. Locate the attribute rIDAvailablePool and check its current value. Then change the value to 4611686014132425719 (5111 to 1073741823):
        5111 = 0x13F7
        1073741823 = 0x3FFFFFFF
        0x3FFFFFFF000013F7 = 4611686014132425719
        rIDAvailablePool = 4611686014132425719
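The 64-bit encoding worked out by hand in step c, and again for rIDAvailablePool in step 7, as an added example that is not part of the original page: it packs and unpacks the pool attributes, parses a RidManager section in the shape of the AD1 output quoted above (a constructed sample), flags the exhausted pool, and reproduces the three CN=RID Set values from the page's recipe. The function names and the 500-RID default are this example's own choices.

```python
import re

RID_MASK = 0xFFFFFFFF

def encode_rid_pool(start: int, end: int) -> int:
    """Pack a RID range the way AD stores rIDAllocationPool, rIDPreviousAllocationPool
    and rIDAvailablePool: high 32 bits = last RID of the range, low 32 bits = first."""
    if not 0 <= start <= end <= RID_MASK:
        raise ValueError("RID range out of bounds")
    return (end << 32) | start

def decode_rid_pool(value: int) -> tuple:
    """Inverse of encode_rid_pool: return (start, end)."""
    return value & RID_MASK, (value >> 32) & RID_MASK

def parse_ridmanager(dcdiag_text: str) -> dict:
    """Pull the pool ranges and the last issued RID out of a dcdiag /v RidManager section."""
    def rng(label):
        m = re.search(re.escape(label) + r" is (\d+) to (\d+)", dcdiag_text)
        return int(m.group(1)), int(m.group(2))
    return {
        "domain_available": rng("Available RID Pool for the Domain"),
        "allocation": rng("rIDAllocationPool"),
        "previous": rng("rIDPreviousAllocationPool"),
        "next_rid": int(re.search(r"rIDNextRID: (\d+)", dcdiag_text).group(1)),
    }

def pool_exhausted(info: dict) -> bool:
    """The AD1 condition on this page: rIDNextRID has reached the end of the pool."""
    return info["next_rid"] >= info["allocation"][1]

def proposed_fix(info: dict, pool_size: int = 500) -> dict:
    """Values for the DC's CN=RID Set per the page's recipe: a fresh block of pool_size
    RIDs from the start of the domain's available pool; the old range becomes 'previous'."""
    start = info["domain_available"][0]
    end = start + pool_size - 1
    return {
        "rIDAllocationPool": encode_rid_pool(start, end),
        "rIDNextRID": start,
        "rIDPreviousAllocationPool": encode_rid_pool(*info["allocation"]),
    }

# Constructed sample in the shape of the AD1 dcdiag output quoted on this page.
AD1_RIDMANAGER = """\
         * Available RID Pool for the Domain is 5111 to 1073741823
         * rIDAllocationPool is 4111 to 4610
         * rIDPreviousAllocationPool is 4111 to 4610
         * rIDNextRID: 4610
"""
```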

    8. Reboot the machine.
    e. Change the values back:

    a-1. Please add the following registry value on the domain controller MERCURY (if your OS is Windows 2000):

              HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow System Only
    Change
              Type: REG_DWORD
              Value: 0x0 

    a-2. If the OS is Windows Server 2003, please install the Support Tools from the Windows 2003 source CD.
    They are at <CD-ROM drive>:\SUPPORT\TOOLS\SUPTOOLS.MSI
    After installing the Support Tools, please follow the steps below.
    1. Start LDP.exe and go to Connection and choose Connect. Then go to Connection and choose Bind to the DS server that you want to modify. Make sure that you are a schema administrator.
    2. After you connect to and then authenticate your computer that has the selected Lightweight Directory Access Protocol (LDAP), locate the Browse menu. Then, select the Modify option.
    3. Leave the DN blank. Then, type "schemaUpgradeInProgress" (without the quotation marks) in the Attribute field. In the Values field, type "0" (without the quotation marks).
    4. Select the "Add" operation, and then press the ENTER button. Note: when you press the ENTER button, you add this command to the entry list.
    5. Select Run. Note: you will receive a "Modified" message when you have finished.

  • Cache file is occupying all available space

    PROBLEM:
    ========
    Cache file is occupying all available space

    CAUSE:
    ======
    The momcache.mdb file grows without bound for any user who uses the OpsMgr console.

    RESOLUTION:
    ==========
    Workaround:

    Try starting the console with the /clearcache switch

    or

    Delete C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Microsoft.Mom.UI.Console\momcache.mdb

  • Domain user cannot change account password

    Symptoms

    Users cannot change their passwords. The ACL of the affected accounts contains no Change Password permission. Not all accounts are affected, and the affected accounts are spread across various OUs. The accounts' own security settings cannot be changed: within about an hour of a change they revert to the unchanged state.

    Cause

    When you delegate permissions by using the Delegation of Control Wizard, those permissions rely on inheritance from the parent container to the user objects. Members of protected groups do not inherit permissions from the parent container. Therefore, if you set permissions with the Delegation of Control Wizard, those permissions do not apply to members of protected groups.
    Note: membership in a protected group is defined as direct membership, or transitive membership through one or more security or distribution groups. Distribution groups are included because they can be converted to security groups.

    The inability to change passwords may be caused by incorrect adminSDHolder permissions.


    Install the Support Tools on the PDC, then at a command prompt change to the directory containing DSACLS and run the following commands:

    dsacls CN=ADMINSDHOLDER,CN=system,DC=Domain,DC=com,DC=tw /G Everyone:CA;"Change Password"

    dsacls CN=ADMINSDHOLDER,CN=system,DC=Domain,DC=com,DC=tw /G Self:CA;"Change Password"

    DC=Domain,DC=com,DC=tw: replace with the values for your actual environment

    Reference

    Delegated permissions are not available and inheritance is automatically disabled

    http://support.microsoft.com/kb/817433/en-us