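Environment:
DC operating systems: Windows Server 2022 & Windows Server 2025
Domain & forest functional level: 2016
Symptom:
Right after logging in to the Windows Server 2025 DC, connections to shared folders on any DC work normally. After about half an hour, however, the connections fail: an "Access denied" window appears and asks for the username and password again, and a "Windows needs your current credentials" notification pops up in the bottom-right corner of the screen.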
Environment:
Existing DC operating system: Windows Server 2012 R2
Domain & forest functional level: Windows Server 2003
Upgrade process:
1. Added a new Windows Server 2022 domain controller and transferred all five FSMO roles to it.
2. Removed the Windows Server 2012 R2 domain controller.
3. Upgraded the domain and forest functional levels to Windows Server 2016.
4. Added a new Windows Server 2025 domain controller; this is where the issue occurred.
Symptom:
No matter how many Windows Server 2025 machines were added, once a machine was promoted to a domain controller and rebooted, it was impossible to log in to it either locally or via Remote Desktop. The system reports that the username or password is incorrect. Installing the latest Windows updates or using different domain administrator accounts made no difference: every login attempt fails.
Resolution:
Based on online findings, a temporary workaround was discovered: from the Windows Server 2022 DC, use PowerShell remoting (PSSession) to connect to the affected Windows Server 2025 DC and stop the KDC service. After the KDC service is stopped, login to the Windows Server 2025 DC becomes possible. However, even if the KDC service is started again after logging in, the DC still cannot replicate normally with the other domain controllers.
Many potential solutions suggested by ChatGPT and other sources were tried, and none resolved the issue. Several documents mentioned that resetting the password of the krbtgt system account could resolve the problem, and many people recommended downloading a PowerShell script that resets the krbtgt password.
Microsoft was then engaged for remote troubleshooting. After the relevant logs were collected, Microsoft also determined that some encryption protocols were not supported by the KDC service, which caused the login failures and the DC replication failures. Microsoft therefore advised resetting the krbtgt account password using Active Directory Users and Computers (ADUC), and did not provide a PowerShell script for the reset.
After the first krbtgt password reset, newly built Windows Server 2025 machines could log in and operate normally once promoted to DC, without waiting for the second reset.
However, Microsoft recommended a second reset after 10 hours, so the password was reset again the following day.
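A way to check the krbtgt account before and between the two resets described above. This is an added example, not part of the original post or of Microsoft's guidance; it assumes the ActiveDirectory PowerShell module (RSAT) and uses the 10-hour interval the post mentions.

```powershell
# Added example: show the krbtgt password state as seen by every DC.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$waitHours = 10   # interval between the two resets, taken from the post

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; OS = $dc.OperatingSystem
                       PasswordLastSet = $null; KeyVersion = $null; Error = $null }
    try {
        # Ask each DC directly so a reset that has not replicated yet is visible.
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -ErrorAction Stop `
                 -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
        $row.PasswordLastSet = $k.PasswordLastSet
        $row.KeyVersion      = $k.'msDS-KeyVersionNumber'
    }
    catch {
        # A DC that cannot be queried still appears in the report.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

$ok = @($report | Where-Object { -not $_.Error })
if ($ok.Count -eq 0) { throw 'No domain controller could be queried.' }

# Every reachable DC should report the same key version once the reset has replicated.
$versions = @($ok | Select-Object -ExpandProperty KeyVersion -Unique)
if ($versions.Count -gt 1) {
    Write-Warning "krbtgt key version differs between DCs: $($versions -join ', ')"
}

$lastSet = ($ok | Sort-Object PasswordLastSet -Descending)[0].PasswordLastSet
$age     = (Get-Date) - $lastSet
'krbtgt password last set {0} ({1:N1} hours ago)' -f $lastSet, $age.TotalHours
if ($versions.Count -eq 1 -and $age.TotalHours -ge $waitHours) {
    "Replicated and older than $waitHours hours: the second reset can go ahead."
} else {
    "Not yet: wait for replication and for $waitHours hours since the last reset."
}
```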
Steps to create an iSCSI disk on NetApp (8.2.3P3) through the web console and mount it on Windows Server:
1. Create a volume on NetApp: go to Storage → Volumes and run Create. Select iSCSI during the creation process and set the capacity.
2. Enable the iSCSI service on NetApp: go to Configuration → iSCSI and enable the service. You need to enter the target node name, which is a value starting with iqn.
3. Connect from Windows: open the iSCSI Initiator and enter the NetApp IP to connect. Once connected, the NetApp node name appears on the Targets tab. If you could not find the node name in step 2, this is the value to enter.
4. Check the Windows initiator name: the Configuration tab of the iSCSI Initiator shows the Windows initiator name, which also starts with iqn but is different from the NetApp node name.
5. Create a LUN on NetApp: go to Storage → LUNs and, under LUN management, run Create. The new LUN is linked to the volume created in step 1.
6. Create an initiator group (igroup) on NetApp: go to Storage → LUNs → Initiator Groups and create a group. Creating it requires the Windows initiator name from step 4.
7. Map the LUN: in Storage → LUNs, under LUN management, map the LUN just created to the initiator group created in step 6.
8. Mount the LUN on Windows: go back to the iSCSI Initiator and reconnect. Disk Management now shows a new disk, which is the iSCSI space shared from NetApp.
On the domain DNS server, some computers had already obtained a different IP address, but DNS still kept their old records and did not clear them automatically. When another computer later obtained that IP, DNS ended up with two computers mapped to the same IP address.
As a result, a connection to one computer could land on the wrong computer.
DHCP was checked and was already configured to update DNS dynamically, yet the DNS records were still not updated. Further investigation showed that the DNS settings also need the option "Enable automatic scavenging of stale records" checked; only then are the old DNS records cleared.
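To see which IP addresses are currently claimed by more than one dynamic record, and whether scavenging is actually switched on, the DNS server can be queried directly. This is an added example, not part of the original post; it assumes the DnsServer PowerShell module, and corp.example is a placeholder zone name.

```powershell
# Added example: find IPs claimed by more than one dynamic A record and show aging state.
# Assumes the DnsServer module on a DNS server; 'corp.example' is a placeholder zone.
Import-Module DnsServer
$zone = 'corp.example'

# The server-wide scavenging switch and the per-zone aging flag both have to be on.
Get-DnsServerScavenging |
    Format-List ScavengingState, ScavengingInterval, LastScavengeTime
Get-DnsServerZoneAging -Name $zone |
    Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# Static records carry no timestamp and are never scavenged, so skip them.
$records = Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp } |
    Select-Object HostName, Timestamp,
        @{ Name = 'IP'; Expression = { $_.RecordData.IPv4Address.IPAddressToString } }

# For every IP with several owners, the most recently refreshed record is the likely
# current one; the others are candidates for scavenging.
$records | Group-Object IP | Where-Object Count -gt 1 | ForEach-Object {
    $newest = ($_.Group | Sort-Object Timestamp -Descending)[0]
    foreach ($r in $_.Group) {
        [pscustomobject]@{
            IP          = $_.Name
            HostName    = $r.HostName
            Timestamp   = $r.Timestamp
            LikelyStale = ($r.HostName -ne $newest.HostName)
        }
    }
} | Format-Table -AutoSize
```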
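On Windows Server 2019, a downloaded Windows update package would not install: running it produced no response at all, or the SmartScreen warning window appeared only after a long wait.
This happens because a security control in the system settings is set to "Warn".
Set it to "Off" first and sign in to the system again. Clicking install after that brings up the window normally, and you can click through to the next step and install.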
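To find out on which devices a Microsoft 365 Office account has been activated, first go to the Microsoft 365 admin center.
Under "Active users", click the account; its details appear on the left, and at the very bottom there is a "View Microsoft 365 activations" link.
It lists the devices on which the account has been activated.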
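In an AD environment, each user account can join computers to the domain 10 times. To check how many joins an account has left, use the following PowerShell, which shows how many have already been used. In the figure below, an account has used 3 and has 7 left.
Import-Module ActiveDirectory
$UserName = "account"   # replace with your account name
$UserSID = (Get-ADUser $UserName).SID
# Count the computer objects whose creator SID is this user
Get-ADComputer -Filter * -Property ms-DS-CreatorSID | Where-Object { $_.'ms-DS-CreatorSID' -eq $UserSID } | Measure-Object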
Recently, installing .NET Framework 3.5 on Windows 10 kept failing. The failure always occurred at the stage of downloading the required components, and modifying the registry didn't help.
Later, I found a method that worked: find an installation ISO for Windows Server 2012 or later, copy the "sxs" folder from it to the C drive of the Windows 10 machine, and then run the following command in PowerShell. This solved the problem:
dism.exe /online /enable-feature /featurename:netfx3 /Source:c:\sxs
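Some EPSON projectors have a built-in wireless projection function, with two projection modes.
1- Screen Mirroring
This mode is very simple; the projector itself needs no configuration. On a client computer running Windows 10 or later, press Win + P and choose "Connect to a wireless display". The projector is found by the search and you can connect and project directly, which is very convenient.
2- iProjection
For this mode, the projector must first be configured to join the internal wireless network.
The client computer then needs Epson's iProjection wireless projection software installed.
With the client computer and the projector on the same LAN, iProjection automatically finds the projector when it starts, and you can connect and project.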
An ASUS laptop running Windows 10 could not pick up any sound from either the built-in microphone or an external headset.
Both devices were detected in Device Manager, so the drivers were updated, but that didn't solve the problem.
Later, a spare hard drive was swapped in and Windows 11 was installed on it; surprisingly, the microphone worked without issues, which meant the hardware was not faulty.
After switching back to Windows 10, it occurred to me to check Settings. Under "Privacy" there is a "Microphone" setting, and its option "Allow access to the microphone on this device" was turned off. After it was turned on, the microphone worked normally.
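A Windows 7 computer would sometimes suddenly be unable to connect to any shared folder; the error code was always 0x80004005.
Internet access was normal, and pinging the hosts of those shared folders also worked.
Investigation showed that many items were missing from the properties of that computer's network adapter. It should normally look like the figure below, but on that computer only the IPv4 setting was left.
To bring the other items back, click "Install" at the lower left, choose from the items offered there, and they are installed right away; they take effect only after a reboot.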
Sometimes, when browsing web pages with Edge, you come across PDF files that Edge displays directly, without the need to save them as PDF files and then open them with a PDF reader.
If you prefer to save the PDF file directly instead of opening it in Edge, you can adjust the registry to achieve this.
The registry location is as follows; if the entry does not exist, add it manually. The setting takes effect after the computer is restarted.
Installing .NET Framework 3.5 on Windows 10 keeps failing with error code 0x800F0954.
Some suggest going to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ and changing the value of UseWUServer to 0.
However, this registry value was not present on the computer, so it was added manually. After setting it and restarting, the installation succeeded.
To copy folder A completely, including its permissions and all the data inside, under the new name folder B, with folder B itself carrying the same permissions as folder A, you can use the built-in robocopy command.
Make sure folder B does not exist before running the command.
Command: robocopy D:\A D:\B /E /COPYALL
A user reported that opening one PDF file from File Explorer works fine, but when he then clicks another PDF file, it does not open right away and takes a few dozen seconds. He believed there was a problem with the program.
Reinstalling the program did not change anything. It later turned out that the preview pane was enabled in File Explorer; with this feature turned off, opening different files one after another is no longer slow.
A Windows 2012 computer, logged in with a local account, needs to connect to a shared folder.
Connecting with \\HostName\ brings up a username and password prompt; entering Domain\Username logs in without issue.
Connecting with \\IP\ also brings up a username and password prompt, but entering Domain\Username fails with error code 0x80004005.
Methods found online, such as changing registry keys and gpedit security settings, did not help.
In the end, entering Username@Domain at the prompt succeeded; a rather unusual situation.
When an internal web page is opened in IE mode in Edge, the content is not displayed properly, and the message "Internet Explorer has modified this page to help prevent cross-site scripting attacks" appears at the bottom.
In that case, open Internet Options in Control Panel, go to the Security tab, select the zone this page belongs to, open Custom level, find Enable XSS filter, and disable it.
When inserting a PDF file into a Word document through the Insert Object function, the following error message appears: "This object was created using the Acrobat program. This program is not installed on your computer...... Please install Acrobat or make sure that any dialog boxes in Acrobat are closed."
I first confirmed that the PDF files could be opened directly with Acrobat PDF Reader, and inserting an Excel object into Word also worked fine.
So I decided to reinstall Acrobat PDF Reader, and that resolved the problem.
Originally, Edge policies were deployed to users' computers via GPO so that Edge enables IE mode when opening certain web pages.
In the past two days, however, IE mode stopped being enabled on some computers. The GPO was checked and confirmed to be applied, so the GPO is not the problem.
Opening Edge and checking the settings showed that the applied policies were being ignored, but only for a small number of users.
After some investigation, we learned that this is because Edge was recently updated: if a user is signed in to a personal account in Edge, the policies deployed via GPO are ignored. Signing out of the account restores normal behavior.
On Windows 2012, PowerShell 4.0 includes the get-dhcp commands, which can export the list of IP addresses currently leased by DHCP.
On Windows 2008, however, PowerShell 1.0 does not have these commands. If you do not want to upgrade PowerShell, netsh can do the job. The command is as follows:
@echo off
rem The file name is built from %DATE% and assumes a regional date format that starts with YYYY/MM/DD
netsh dhcp server scope 172.16.11.0 show clients > "%DATE:~0,4%%DATE:~5,2%%DATE:~8,2%_dhcp_clients.txt"
exit
The command exports the IP leases of the 172.16.11.0 scope to a text file named after the current date, in the format YYYYMMDD_dhcp_clients.txt.
To export every scope, repeat the netsh line and change the scope IP address after "scope".