
2025/12/24

Forcibly removing a DC host

 Environment:

One DC in the domain is in a bad state: it can no longer replicate with the other DCs or provide services, or logons through it no longer work.

Because the DC role on that host (dc-a) cannot be demoted the normal way, the role has to be removed from it by other means.



Resolution:

Assuming all five FSMO roles are held by a healthy DC (dc-b), go to that DC and carry out the following two steps:

1. Open "Active Directory Sites and Services". It lists every DC and which DCs each one replicates with.

Find the DC that has to be removed and delete all of its entries, so that the healthy DCs stop trying to replicate with it.

2. In DNS, in the forward lookup zone, remove every record belonging to that DC (including the records inside the sub-folders underneath), so that other hosts querying DNS are not handed stale answers.
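The two steps above, scripted as an added example (this is not the post's own script): it first checks that none of the five FSMO roles still points at the dead DC, then removes the dead DC's server/NTDS Settings object and any connection objects that replicate from it, and finally deletes DNS records in the domain zone and the _msdcs zone whose name or data refer to it. The names dc-a and corp.example are assumptions; run with -WhatIf first to review what would be deleted.

```powershell
# Added example, not the post's script. Assumes the failed DC is 'dc-a' in the
# domain 'corp.example', that this runs on a healthy DC (dc-b) holding the FSMO
# roles, and that the ActiveDirectory and DnsServer modules are installed.
param(
    [string]$DeadDc    = 'dc-a',          # hostname of the failed DC (assumed)
    [string]$DomainDns = 'corp.example',  # forward lookup zone name (assumed)
    [switch]$WhatIf
)
Import-Module ActiveDirectory, DnsServer

# 0. Refuse to continue if any FSMO role is still on the dead DC; the role has to
#    be seized onto a healthy DC first or the domain loses that function.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$stuck = $roles.GetEnumerator() | Where-Object { $_.Value -like "$DeadDc.*" }
if ($stuck) {
    throw "FSMO role(s) still on ${DeadDc}: $($stuck.Key -join ', '). Seize them first."
}

# 1. Sites and Services: the dead DC's server object lives under CN=Sites in the
#    configuration partition. Deleting it (with its NTDS Settings child) is what
#    stops the remaining DCs from trying to replicate with it; connection objects
#    on other DCs that still replicate *from* it are removed as well.
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$server  = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DeadDc'" -SearchBase $sitesDn
if ($server) {
    Get-ADReplicationConnection -Filter * |
        Where-Object { $_.ReplicateFromDirectoryServer -like "*CN=$DeadDc,*" } |
        ForEach-Object {
            Remove-ADObject -Identity $_.DistinguishedName -Confirm:$false -WhatIf:$WhatIf
        }
    Remove-ADObject -Identity $server.DistinguishedName -Recursive -Confirm:$false -WhatIf:$WhatIf
} else {
    Write-Warning "No server object named $DeadDc found under $sitesDn"
}

# 2. DNS: every record in the zone (the _tcp/_udp/_sites sub-folders included) whose
#    owner name is the dead DC or whose data points at its FQDN. Left in place, these
#    records would keep sending clients to a DC that no longer answers.
$fqdn = "$DeadDc.$DomainDns"
foreach ($zone in @($DomainDns, "_msdcs.$DomainDns")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HostName -eq $DeadDc -or
            (($_.RecordData.PSObject.Properties.Value | ForEach-Object { "$_" }) -join ' ') -match [regex]::Escape($fqdn)
        } |
        ForEach-Object {
            Write-Host "Removing $($_.RecordType) $($_.HostName) in $zone"
            Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $_ -Force -WhatIf:$WhatIf
        }
}
```

Host (A) records for the dead DC's own IP are matched by HostName, while SRV, NS and CNAME records that reference it are matched on their data, which is why both tests are needed. After the cleanup, repadmin /showrepl on the remaining DCs should no longer list dc-a as a partner.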

2025/05/21

Troubleshooting AD account lockouts

 Every so often an AD account keeps getting locked and the cause has to be tracked down. The investigation steps are listed below.

Preparation: the relevant logging on the DC must be enabled.

1. In GPO -> Domain Controllers Policy, enable the following three audit policies, so that the failed-logon events can be found under Security in Event Viewer.


2. Also in GPO -> Domain Controllers Policy, enable NTLM auditing, so that more precise failed-logon details can be found under the NTLM log in Event Viewer.

3. Configure an e-mail notification to the people concerned whenever an account-lockout log entry is generated, so you find out when an account is being locked repeatedly.

Investigation: when an account is found to be locked repeatedly
1. First check the Security event log for IDs 4625, 4771 and 4776. If the source IP shows up there, locate that computer right away and deal with it.
2. If the source computer cannot be found in the Security log, look in the NTLM log; it also records the source computer.

A recent, more unusual case: an account in domain A kept getting locked, but the secure channel name in the NTLM log was a DC of the trusted domain B, while the workstation name shown could not be found anywhere in domain B and kept changing.
So we went to the DC in domain B and checked its NTLM log. There, the secure channel name pointed to a computer inside that domain.
It turned out that this computer was exposing a public-facing service and was receiving abnormal connections from outside. Once the service was shut down, the account lockouts stopped.
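The investigation above, as an added example that is not part of the post: run on a DC with the audit settings enabled, it collects 4740/4625/4771/4776 events for one account and summarises the source IPs or workstation names they carry, then reads the NTLM operational log (event 8004) for the same account so the secure channel name and workstation name can be compared, exactly as in the trusted-domain case described above. The account name and time window are assumptions, and the EventData field names for 8004 are assumed from the event's XML layout.

```powershell
# Added example, not the post's script. Assumes it runs on the DC, that the
# Security log and Microsoft-Windows-NTLM/Operational log are enabled, and that
# 'jdoe' is the account being locked (assumed).
param(
    [string]$Account = 'jdoe',   # sAMAccountName of the locked-out account (assumed)
    [int]$Hours = 24             # how far back to search
)
$since = (Get-Date).AddHours(-$Hours)

# Each event ID stores the caller in a differently named EventData field.
$sourceFields = @{
    4740 = @('TargetDomainName')            # lockout: field holds the caller computer name
    4625 = @('IpAddress', 'WorkstationName') # failed logon
    4771 = @('IpAddress')                    # Kerberos pre-authentication failed
    4776 = @('Workstation')                  # NTLM credential validation
}

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Turn <Data Name="X">value</Data> pairs into a hashtable so fields can be read by name.
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-LockoutSources {
    # Security log: who/where the bad credentials came from, grouped by event and source.
    $hits = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4625, 4771, 4776; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -ne $Account) { return }
        $src = $sourceFields[$_.Id] | ForEach-Object { $d[$_] } | Where-Object { $_ -and $_ -ne '-' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Source = ($src -join ' / ') }
    }
    $hits | Group-Object Id, Source | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Id/Source'; e = { $_.Name } },
            @{ n = 'Last';      e = { ($_.Group | Sort-Object Time)[-1].Time } }
}

function Get-NtlmSources {
    # NTLM operational log, event 8004. The field names below (UserName,
    # SChannelName, WorkstationName) are assumed from the event XML; if the
    # secure channel is a DC of a trusted domain, repeat this on that DC.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        if ($d.UserName -ne $Account) { return }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            SecureChannel = $d.SChannelName
            Workstation   = $d.WorkstationName
        }
    }
}

Get-LockoutSources | Format-Table -AutoSize
Get-NtlmSources   | Format-Table -AutoSize
```

A workstation name that changes on every 8004 event while the secure channel stays the same is the pattern from the case above: the name is whatever the remote client claims, so the secure channel (the host that actually forwarded the NTLM attempt) is the reliable lead to follow.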




2025/03/04

Checking how many times a user account can still join computers to the domain

In an AD environment each user account is allowed to join computers to the domain 10 times. To see how many joins an account has left, use the PowerShell below; it shows how many have already been used. In the screenshot below the account has used 3, so 7 remain.

$UserName = "account"  # replace with the account name to check

# Computers joined by this user carry its SID in ms-DS-CreatorSID
$UserSID = (Get-ADUser $UserName).SID

# Count every computer object whose creator SID matches the account
Get-ADComputer -Filter * -Properties ms-DS-CreatorSID | Where-Object { $_.'ms-DS-CreatorSID' -eq $UserSID } | Measure-Object
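An added example (not the post's own snippet) that goes one step further: instead of assuming the limit is 10, it reads ms-DS-MachineAccountQuota from the domain head, counts the computers stamped with the account's SID, and reports the remaining joins together with the computer names so stale objects can be spotted and removed. The account name is an assumption; the ActiveDirectory module is required.

```powershell
# Added example, not the post's script. Assumes the ActiveDirectory module and
# a sAMAccountName passed as -UserName ('account' is a placeholder).
param([string]$UserName = 'account')
Import-Module ActiveDirectory

function Get-MachineJoinQuotaUsage([string]$User) {
    $domain = Get-ADDomain
    # The per-user join limit is the domain-wide ms-DS-MachineAccountQuota (default 10).
    $quota = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    $sid = (Get-ADUser -Identity $User).SID

    # ms-DS-CreatorSID is written only when a computer is joined under the quota.
    # A user who has explicit "create computer objects" rights on the OU does not
    # consume the quota, and those computers carry no creator SID.
    $computers = Get-ADComputer -Filter * -Properties 'ms-DS-CreatorSID' |
        Where-Object { $_.'ms-DS-CreatorSID' -and $_.'ms-DS-CreatorSID' -eq $sid }

    $used = @($computers).Count
    [pscustomobject]@{
        User      = $User
        Quota     = $quota
        Used      = $used
        Remaining = [math]::Max(0, $quota - $used)
        Computers = @($computers | ForEach-Object { $_.Name })
    }
}

$usage = Get-MachineJoinQuotaUsage -User $UserName
$usage | Format-List
# Listing the computer names matters: deleting (or re-joining as an admin) an
# obsolete computer object is what gives the user a join back.
```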