AD域加入和认证常见问题处理.doc

文档名称文档密级安徽电信企业信息化安全项目FAQ及注意事项：1为什么用帐号A加入的机器退出域后，再用帐号B无法将此计算机加入域？用户的帐号和计算机在加入域后会形成一个绑定关系，此关系在域服务器中保存。如果确需要解决，则要在服务器上将计算机帐号删除。强烈建议“谁使用本计算机就使用谁的帐号加入域”。加入成功后，不要随意退出域。2为什么用域帐号登录到域会提示“正在创建列表”？一般用户加入域后，用域帐号第一次登录到计算机有时会有此提示，此为正常现象，用户需要耐心等待。如果长时间计算机没有帐号应，请重新启动机器。3为什么用户在加入域的时候提示“未知的用户名或错误的密码”？请先确认输入的密码是否正确，如果确认无误，请联系管理员查找该帐号是否存在。4Win98的机器可以加入域吗？Win98的机器可以打上DSclient补丁，用域帐号登录到域，但由于win98机器没有组策略等组件，接受不到域服务器下发的策略。严格的说，win98机器是不能加入到AD域中的，用域帐号登录也没有实际的意义。5加入域的过程中报错：53号错误代码，是什么意思？操作系统提示53号错误的含义是：找不到网络路径。请首先确认本计算机上是否开启了防火墙。确定Server服务、Workstation服务、TCP/IP NETBIOS Helper和Computer Browser服务已启动；在Windows系统中，选中“网上邻居”，右键选择“属性”，在“本地连接”的图标上右键选择“属性”中，确定“Microsoft网络客户端”、“Microsoft网络的文件和打印机共享”和“Internet协议（TCP/IP）”已安装。6为什么使用工具加入域，在改动“用户配置目录”的时候，出现错误提示?如果是加入域后第一次运行此程序，“更改配置目录”的按钮可能是灰色，这时需要再次运行一次工具，查看按钮颜色，正常情况应该可以点击。但是，此工具不是100能够将用户的配置目录更改过来。如果在更改后提示错误，则只有将用户的配置目录里的文件拷贝到现有的域目录中了，相应的程序需要重装。7为什么有时代理界面会显示“连接Numen消息服务器中断”？1. 首先要保证网络是通的，可以ping通Numen服务器，正常解析DNS；2. 确认代理软件中的“系统信息”中的版本是”1”，如果不是，到04服务器上更新最新版本；3确认代理软件中的“系统设置”中的“消息服务器地址”是存在，且正确；8. 为什么安装代理后，部分应用程序不能访问网络？查看代理界面中系统设置/系统设置/是否启用主机防火墙中是否启用防火墙。如果已启用防火墙，需要在安全防护/主机防火墙界面中删除限制该应用程序访问网络的规则。9. 为什么进行用户认证时，显示“身份认证不通过”？身份认证不通过的原因有如下几点：用户选择的认证方式正确，部署域的计算机应该选择“域用户”，直接点认证了。WIN98及HOME版的机器及因没有工号未部署域的机器使用“用户名认证”，请输入正确的用户名和密码。目前针对这种情况，给每个地市分配了临时帐号，如下表：地市帐号密码地市帐号密码省公司L055100123456阜阳L055801123456滁州L055001123456黄山L055901123456合肥L055101123456淮北L056101123456蚌埠L055201123456铜陵L056201123456芜湖L055301123456宣城L056301123456淮南L055401123456六安L056401123456马鞍山L055501123456巢湖L056501123456安庆L055601123456池州L056601123456宿州L055701123456亳州L05670112345610当代理提示“未找到注册的网络接入控制器”时，应该如何处理？由于终端用户计算机未接入相应的网络所致。请再次确认计算机是否已接入相应网络。如果依然不能解决该问题，请与网络管理员联系。11为什么正式接入后，认证未通过，访问不了网络？NUMEN代理的认证分为身份认证和安全策略检查两部分。身份认证通过，但强制策略检查结果不达标，仍然显示为不能够通过认证，用户网络不通。解决办法，必须依照提示，使本机达到安全标准。12加入AD域的计算机名称和网络识别都是灰色的，无法更改计算机名称，也无法退域，并且网络共享资源无法使用首先在Windows系统中选择“我的电脑”，然后点击鼠标右键选择“管理”，再选择“本地用户和组”，展开该项后点击“组”，在右侧内容中选中“Administrators”组，双击打开后确定当前用户已属于该组；如果当前用户已属于管理员组，请参考以下提供方法解决：造成以上现象是由某些系统服务未能正常启用引起的，可以通过以下几步：l在Windows系统中点击“开始运行”，输入“Services.msc”，然后点击“确定”打开系统服务；l检查Server服务、Workstation服务、TCP/IP NETBIOS Helper服务和Computer Browser服务是否启动；l如上述服务有任何一个没有启动，请点击“启动”选项，使服务启动；l再次查看计算机名和网络识别，发现已经可以对计算机名称、网络识别等进行正常的操作了13. Windows XP无法通过网络连接共享打印机l首先检查安装了打印机的计算机防火墙软件是否处于关闭状态要，建议安装有打印机的并启用了打印机共享的计算机不安装个人防火墙软件； l检查Server服务、Workstation服务和TCP/IP NETBIOS Helper服务是否已正常启动，如果没有启动，请按照第1道问题给出的方法解决；l使用杀毒软件清除病毒；l用运行Net Share命令检查IPC$默认共享是否启动，如果没有启用，请使用Net Share IPC$命令来启动（一般Windows XP系统不存在此问题）；l如要在AD中发布打印机，必须确保所有域中的打印机共享名唯一，即打印机名称也应该像计算机名一样统一规范。14. 已加入域的计算机，用户无法登入到AD域，提示为计算机帐号遗失或指定的域不存在出现这种问题是由于终端计算机与AD域之间的认证无法通过，必须重新加入到AD域，恢复与AD域的认证关系，操作步骤如下：在Windows系统中，选中“我的电脑”，然后右键选择“属性”，在弹出的系统属性中，选择“计算机名”页；点击“更改”，在弹出的计算机名称更改中，选择工作组，输入工作组名称为“Workstation”点击“确定”后将计算机退入域，然后重新启动，再用加入域的工具执行加入AD域的操作。15.终端计算机无法加入到AD域，提示找不到网络路径l确定DNS正确设置，可以正常解析终端计算机名，方法如下：l在Windows系统中，点击“开始运行”，输入“CMD”后按确定，在弹出的命令提示字元中，输入“nslookup”，可以正常解析DNS的名称；l确定用户拥有加入域的权限，此权限由域管理员统一管理，在未对其设定群组策略的情况下，默认情况下所有的用户帐号都可以加入到AD域中；l确定相关服务启动正常，同时默认共享开启： Workstation服务，TCP/IP NETBIOS Helper服务和Server服务为启动状态；默认的共享IPC$及ADMIN$启用（前面提到的使用Net Share命令来检查）；l检查是否病毒感染：通过清除病毒，发现很多计算机可以加入到域中，因此必须有统一的防毒体系的部署，同时及时更新病毒定义码。16.客户端使用domain user登陆后权限不足，使用很不方便，请问怎么才能提升权限在使用加入域工具进行加入域操作后，默认情况下，加入域的使用者帐号会自动加入到本地管理员组中；如果未使用工具或使用者帐号不在本地管理员组中，可以通过以下方法解决：n在Windows系统中选择“我的电脑”，然后点击鼠标右键选择“管理”，再选择“本地用户和组”，展开该项后点击“组”，在右侧内容中选中“Administrators”组，双击打开。n在Administrators组中，如果没有当前使用者帐号，请使用本地管理员帐号登录到本机中，然后按照以上方法打开Administrators属性内容，点击“添加”，增加使用者域帐号到本地管理员组中。n或在命令提示字元中使用“net localgroup administrators domainuser1 /add”来添加。17一台机器，使用NTFS分区，提示“和Numen服务器中断“，不能认证通过；看诊断日志，是代理不能够到Numen服务器提取配置数据, 由于NTFS有安全保护机制，终端用户使用权限不够，解决方法是在numen代理安装目录下，把使用者加入到管理组中。18操作系统是windows2000,加入域后，网络打印机不可用，找不到此网络打印机；在DOS命令下输入”net share”, 发现是IPC$没有启用；由于IPC$是用来作共享文件用的，把IPC$打开，问题解决；19PC的操作系统是windows2000,提示“未被Numen服务器接管“首先要确认版本和消息服务器地址都是正确的，windows 补丁是最新的，然后在DOS里面输入“telnet Numen服务器地址 1788”，发现1788端口被封掉，由于代理和消息服务器通讯使用1788端口，故一直显示“未被Numen服务器接管”，经定位是病毒导致.20地市反应电信”网上大学”有部分模块不能使用.对于此类问题, 首先关闭所有网页，重新打开一个空白网页，在IE浏览器中输入要解析的网址，打开这个网页，然后用 netstat -n |more 命令查看本机和对端服务器80或8080端口建立连接的IP，记录这些IP，将这些IP在MA5200F中开放，用户就可打开这个主页面的连接了。21.PC重装系统,在软件中”安全代理ID”显示为乱码,认证不能通过.正常情况下”安全代理ID”应该显示字母和数字的组全,如果显示为乱码,是代理软件和操作系统有冲突,不能在数据库中正常提取安全代理ID.处理办法:卸载代理软件,重新安装代理,再次获取正确的安全代理ID.22.关于加入域后原来的桌面文件找不到的处理办法。有用户反应加入域后，原来管理者的桌面文件找不到，由于加入域在winxp操作系统相当于新建一用户，为保持原有桌面设置及个性化设置，工具会提示用户是否采用当前用户的配置目录，如果使用原有的用户目录，请点击是，否则新建一个用户目录，原有桌面上的文件将不能转移过来。23. 网络类和安全类问题分类。安全系统问题主要如下：1 用户密码错，认证不通过；2 用户重装系统，需删除其计算机名；3 用户不能加入域；4 用户认证不通过（排除网络故障后）网络类问题1. 不能ping通,不能解析地址；看能不能ping通网关，DNS有没有设置；2. ping公私网地址有大量丢包；因为可以ping通，认证可以通过，公私网都走BAS侧，认证可以通过，BAS认证问题，一般是上层出口（例如防火墙）问题3. 可以认证通过，不能上公网；有可能是DNS没有设置好，或者PC作了代理；4. 地市增加新的使用网段（MA5200F做配合）；BAS增加相关三层认证数据。两者要分开，各自找相关的处理人，不能混淆24. 对于加入域提示“未和网络控制器连接”问题处理。对于此类问题，首先要按照操作指导书里面的步骤启用四个服务，然后保证网络连通，解析地址要正确，如果不正确，要把网卡禁用，重新安装网卡驱动。25微软官方加入域代码，供参考：PlatformSDK:DebuggingandErrorHandling1 System Error CodesThe following table provides a list of system error codes. They are returned by the GetLastError function when many functions fail.CodeDescriptionName0The operation completed successfully. ERROR_SUCCESS1Incorrect function. ERROR_INVALID_FUNCTION2The system cannot find the file specified. ERROR_FILE_NOT_FOUND3The system cannot find the path specified. ERROR_PATH_NOT_FOUND4The system cannot open the file. ERROR_TOO_MANY_OPEN_FILES5Access is denied. ERROR_ACCESS_DENIED6The handle is invalid. ERROR_INVALID_HANDLE7The storage control blocks were destroyed. ERROR_ARENA_TRASHED8Not enough storage is available to process this command. ERROR_NOT_ENOUGH_MEMORY9The storage control block address is invalid. ERROR_INVALID_BLOCK10The environment is incorrect. ERROR_BAD_ENVIRONMENT11An attempt was made to load a program with an incorrect format. ERROR_BAD_FORMAT12The access code is invalid. ERROR_INVALID_ACCESS13The data is invalid. ERROR_INVALID_DATA14Not enough storage is available to complete this operation. ERROR_OUTOFMEMORY15The system cannot find the drive specified. ERROR_INVALID_DRIVE16The directory cannot be removed. ERROR_CURRENT_DIRECTORY17The system cannot move the file to a different disk drive. ERROR_NOT_SAME_DEVICE18There are no more files. ERROR_NO_MORE_FILES19The media is write protected. ERROR_WRITE_PROTECT20The system cannot find the device specified. ERROR_BAD_UNIT21The device is not ready. ERROR_NOT_READY22The device does not recognize the command. ERROR_BAD_COMMAND23Data error (cyclic redundancy check). ERROR_CRC24The program issued a command but the command length is incorrect. ERROR_BAD_LENGTH25The drive cannot locate a specific area or track on the disk. ERROR_SEEK26The specified disk or diskette cannot be accessed. ERROR_NOT_DOS_DISK27The drive cannot find the sector requested. ERROR_SECTOR_NOT_FOUND28The printer is out of paper. ERROR_OUT_OF_PAPER29The system cannot write to the specified device. ERROR_WRITE_FAULT30The system cannot read from the specified device. ERROR_READ_FAULT31A device attached to the system is not functioning. ERROR_GEN_FAILURE32The process cannot access the file because it is being used by another process. ERROR_SHARING_VIOLATION33The process cannot access the file because another process has locked a portion of the file. ERROR_LOCK_VIOLATION34The wrong diskette is in the drive. Insert %2 (Volume Serial Number: %3) into drive %1. ERROR_WRONG_DISK36Too many files opened for sharing. ERROR_SHARING_BUFFER_EXCEEDED38Reached the end of the file. ERROR_HANDLE_EOF39The disk is full. ERROR_HANDLE_DISK_FULL50The request is not supported. ERROR_NOT_SUPPORTED51Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.ERROR_REM_NOT_LIST52You were not connected because a duplicate name exists on the network. Go to System in the Control Panel to change the computer name and try again.ERROR_DUP_NAME53The network path was not found. ERROR_BAD_NETPATH54The network is busy. ERROR_NETWORK_BUSY55The specified network resource or device is no longer available. ERROR_DEV_NOT_EXIST56The network BIOS command limit has been reached. ERROR_TOO_MANY_CMDS57A network adapter hardware error occurred. ERROR_ADAP_HDW_ERR58The specified server cannot perform the requested operation. ERROR_BAD_NET_RESP59An unexpected network error occurred. ERROR_UNEXP_NET_ERR60The remote adapter is not compatible. ERROR_BAD_REM_ADAP61The printer queue is full. ERROR_PRINTQ_FULL62Space to store the file waiting to be printed is not available on the server. ERROR_NO_SPOOL_SPACE63Your file waiting to be printed was deleted. ERROR_PRINT_CANCELLED64The specified network name is no longer available. ERROR_NETNAME_DELETED65Network access is denied. ERROR_NETWORK_ACCESS_DENIED66The network resource type is not correct. ERROR_BAD_DEV_TYPE67The network name cannot be found. ERROR_BAD_NET_NAME68The name limit for the local computer network adapter card was exceeded. ERROR_TOO_MANY_NAMES69The network BIOS session limit was exceeded. ERROR_TOO_MANY_SESS70The remote server has been paused or is in the process of being started. ERROR_SHARING_PAUSED71No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept. ERROR_REQ_NOT_ACCEP72The specified printer or disk device has been paused. ERROR_REDIR_PAUSED80The file exists. ERROR_FILE_EXISTS82The directory or file cannot be created. ERROR_CANNOT_MAKE83Fail on INT 24. ERROR_FAIL_I2484Storage to process this request is not available. ERROR_OUT_OF_STRUCTURES85The local device name is already in use. ERROR_ALREADY_ASSIGNED86The specified network password is not correct. ERROR_INVALID_PASSWORD87The parameter is incorrect. ERROR_INVALID_PARAMETER88A write fault occurred on the network. ERROR_NET_WRITE_FAULT89The system cannot start another process at this time. ERROR_NO_PROC_SLOTS100Cannot create another system semaphore. ERROR_TOO_MANY_SEMAPHORES101The exclusive semaphore is owned by another process. ERROR_EXCL_SEM_ALREADY_OWNED102The semaphore is set and cannot be closed. ERROR_SEM_IS_SET103The semaphore cannot be set again. ERROR_TOO_MANY_SEM_REQUESTS104Cannot request exclusive semaphores at interrupt time. ERROR_INVALID_AT_INTERRUPT_TIME105The previous ownership of this semaphore has ended. ERROR_SEM_OWNER_DIED106Insert the diskette for drive %1. ERROR_SEM_USER_LIMIT107The program stopped because an alternate diskette was not inserted. ERROR_DISK_CHANGE108The disk is in use or locked by another process. ERROR_DRIVE_LOCKED109The pipe has been ended. ERROR_BROKEN_PIPE110The system cannot open the device or file specified. ERROR_OPEN_FAILED111The file name is too long. ERROR_BUFFER_OVERFLOW112There is not enough space on the disk. ERROR_DISK_FULL113No more internal file identifiers available. ERROR_NO_MORE_SEARCH_HANDLES114The target internal file identifier is incorrect. ERROR_INVALID_TARGET_HANDLE117The IOCTL call made by the application program is not correct. ERROR_INVALID_CATEGORY118The verify-on-write switch parameter value is not correct. ERROR_INVALID_VERIFY_SWITCH119The system does not support the command requested. ERROR_BAD_DRIVER_LEVEL120This function is not supported on this system. ERROR_CALL_NOT_IMPLEMENTED121The semaphore timeout period has expired. ERROR_SEM_TIMEOUT122The data area passed to a system call is too small. ERROR_INSUFFICIENT_BUFFER123The filename, directory name, or volume label syntax is incorrect. ERROR_INVALID_NAME124The system call level is not correct. ERROR_INVALID_LEVEL125The disk has no volume label. ERROR_NO_VOLUME_LABEL126The specified module could not be found. ERROR_MOD_NOT_FOUND127The specified procedure could not be found. ERROR_PROC_NOT_FOUND128There are no child processes to wait for. ERROR_WAIT_NO_CHILDREN129The %1 application cannot be run in Win32 mode. ERROR_CHILD_NOT_COMPLETE130Attempt to use a file handle to an open disk partition for an operation other than raw disk I/O. ERROR_DIRECT_ACCESS_HANDLE131An attempt was made to move the file pointer before the beginning of the file. ERROR_NEGATIVE_SEEK132The file pointer cannot be set on the specified device or file. ERROR_SEEK_ON_DEVICE133A JOIN or SUBST command cannot be used for a drive that contains previously joined drives. ERROR_IS_JOIN_TARGET134An attempt was made to use a JOIN or SUBST command on a drive that has already been joined. ERROR_IS_JOINED135An attempt was made to use a JOIN or SUBST command on a drive that has already been substituted. ERROR_IS_SUBSTED136The system tried to delete the JOIN of a drive that is not joined. ERROR_NOT_JOINED137The system tried to delete the substitution of a drive that is not substituted. ERROR_NOT_SUBSTED138The system tried to join a drive to a directory on a joined drive. ERROR_JOIN_TO_JOIN139The system tried to substitute a drive to a directory on a substituted drive. ERROR_SUBST_TO_SUBST140The system tried to join a drive to a directory on a substituted drive. ERROR_JOIN_TO_SUBST141The system tried to SUBST a drive to a directory on a joined drive. ERROR_SUBST_TO_JOIN142The system cannot perform a JOIN or SUBST at this time. ERROR_BUSY_DRIVE143The system cannot join or substitute a drive to or for a directory on the same drive. ERROR_SAME_DRIVE144The directory is not a subdirectory of the root directory. ERROR_DIR_NOT_ROOT145The directory is not empty. ERROR_DIR_NOT_EMPTY146The path specified is being used in a substitute. ERROR_IS_SUBST_PATH147Not enough resources are available to process this command. ERROR_IS_JOIN_PATH148The path specified cannot be used at this time. ERROR_PATH_BUSY149An attempt was made to join or substitute a drive for which a directory on the drive is the target of a previous substitute. ERROR_IS_SUBST_TARGET150System trace information was not specified in your CONFIG.SYS file, or tracing is disallowed. ERROR_SYSTEM_TRACE151The number of specified semaphore events for DosMuxSemWait is not correct. ERROR_INVALID_EVENT_COUNT152DosMuxSemWait did not execute; too many semaphores are already set. ERROR_TOO_MANY_MUXWAITERS153The DosMuxSemWait list is not correct. ERROR_INVALID_LIST_FORMAT154The volume label you entered exceeds the label character limit of the target file system. ERROR_LABEL_TOO_LONG155Cannot create another thread. ERROR_TOO_MANY_TCBS156The recipient process has refused the signal. ERROR_SIGNAL_REFUSED157The segment is already discarded and cannot be locked. ERROR_DISCARDED158The segment is already unlocked. ERROR_NOT_LOCKED159The address for the thread ID is not correct. ERROR_BAD_THREADID_ADDR160The argument string passed to DosExecPgm is not correct. ERROR_BAD_ARGUMENTS161The specified path is invalid. ERROR_BAD_PATHNAME162A signal is already pending. ERROR_SIGNAL_PENDING164No more threads can be created in the system. ERROR_MAX_THRDS_REACHED167Unable to lock a region of a file. ERROR_LOCK_FAILED170The requested resource is in use. ERROR_BUSY173A lock request was not outstanding for the supplied cancel region. ERROR_CANCEL_VIOLATION174The file system does not support atomic changes to the lock type. ERROR_ATOMIC_LOCKS_NOT_SUPPORTED180The system detected a segment number that was not correct. ERROR_INVALID_SEGMENT_NUMBER182The operating system cannot run %1. ERROR_INVALID_ORDINAL183Cannot create a file when that file already exists. ERROR_ALREADY_EXISTS186The flag passed is not correct. ERROR_INVALID_FLAG_NUMBER187The specified system semaphore name was not found. ERROR_SEM_NOT_FOUND188The operating system cannot run %1. ERROR_INVALID_STARTING_CODESEG189The operating system cannot run %1. ERROR_INVALID_STACKSEG190The operating system cannot run %1. ERROR_INVALID_MODULETYPE191Cannot run %1 in Win32 mode. ERROR_INVALID_EXE_SIGNATURE192The operating system cannot run %1. ERROR_EXE_MARKED_INVALID193%1 is not a valid Win32 application. ERROR_BAD_EXE_FORMAT194The operating system cannot run %1. ERROR_ITERATED_DATA_EXCEEDS_64k195The operating system cannot run %1. ERROR_INVALID_MINALLOCSIZE196The operating system cannot run this application program. ERROR_DYNLINK_FROM_INVALID_RING197The operating system is not presently configured to run this application. ERROR_IOPL_NOT_ENABLED198The operating system cannot run %1. ERROR_INVALID_SEGDPL199The operating system cannot run this application program. ERROR_AUTODATASEG_EXCEEDS_64k200The code segment cannot be greater than or equal to 64K. ERROR_RING2SEG_MUST_BE_MOVABLE201The operating system cannot run %1. ERROR_RELOC_CHAIN_XEEDS_SEGLIM202The operating system cannot run %1. ERROR_INFLOOP_IN_RELOC_CHAIN203The system could not find the environment option that was entered. ERROR_ENVVAR_NOT_FOUND205