Some troubleshooting in DC/AD

Some troubleshooting notes for DC/AD, to save you some time...

1. Cannot set aduser password

"The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements"
Resolution: relax the strong Password Policy (these settings apply to every account in the domain).
    1) In gpmc.msc, expand the target domain, edit 'Default Domain Policy' and navigate to:
    Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
    disable 'Password must meet complexity requirements'
    set 'Minimum password length' to 0
    2) Then go to the command line and type:
    gpupdate /target:computer /force

2. Active Directory service does not start after reboot
  1) run the cmd 'netdiag /test:ldap'; it shows 'no such domain'/'service not started'...
  2) check the log; you find that DS cannot start after reboot and 'netlogon service is paused'
  3) start regedit, go to HKLM\System\CurrentControlSet\Services\NTDS\Parameters and delete the 'Dsa Not Writable' value
  4) damned reboot

3. Cannot create aduser/grp
  "Cannot create the object because directory service was unable to allocate a relative identifier".
  1) run the cmd 'dcdiag /test:ridmanager /v'; it may show 'cannot contact to ridmanager' or 'less than x% rid'
  2) causes:
      1] the rid master cannot be contacted,
      2] or the ridmanager service does not work well.
  3) Resolution:
      1] check the network and the service relationship between the current machine and the rid master, aka the ridmanager service provider; find its address with the cmd 'netdom query fsmo'
      2] if your dc has been isolated from a forest, that is, the local machine will never contact the rid master again, you may need to
      seize the rid master fsmo role to the local machine:
      http://technet.microsoft.com/en-us/library/cc784077%28v=ws.10%29.aspx
      besides, you may also need to seize the pdc, domain naming and schema master roles.
      3] check the seizure with 'netdom query fsmo'; then, if the rid is still 0% left, you should clean the dead replication links and do a metadata cleanup of the dead info about the other dc:
      http://support.microsoft.com/kb/839879
      4] always needs reboot in f**ked Windows
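
The check in item 3, steps 1] and 3], as an added example (not part of the original notes): it lists the FSMO role holders the way 'netdom query fsmo' does and tests whether each holder is reachable from the local machine. It assumes the ActiveDirectory PowerShell module (RSAT) and Test-NetConnection (Windows Server 2012 R2 or later) are available; the port choice (LDAP 389, RPC endpoint mapper 135) is a basic reachability check, not proof that the role holder is healthy.

```powershell
# Added example. Assumes the ActiveDirectory module and Test-NetConnection are present.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# The five FSMO roles and their current holders (same data as 'netdom query fsmo').
$roles = [ordered]@{
    'Schema master'         = $forest.SchemaMaster
    'Domain naming master'  = $forest.DomainNamingMaster
    'PDC emulator'          = $domain.PDCEmulator
    'RID master'            = $domain.RIDMaster
    'Infrastructure master' = $domain.InfrastructureMaster
}

# Probe each holder on LDAP and on the RPC endpoint mapper.
$report = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    [pscustomobject]@{
        Role   = $role
        Holder = $holder
        LDAP   = Test-NetConnection -ComputerName $holder -Port 389 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
        RPC    = Test-NetConnection -ComputerName $holder -Port 135 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$report | Format-Table -AutoSize

# Holders that fail either probe match the 'cannot contact' cause in step 2).
$unreachable = @($report | Where-Object { -not ($_.LDAP -and $_.RPC) })
if ($unreachable.Count -eq 0) {
    Write-Output 'All FSMO role holders are reachable from this machine.'
} else {
    foreach ($r in $unreachable) {
        Write-Warning ("{0} holder {1} is not reachable; check network/DNS before considering a seizure." -f $r.Role, $r.Holder)
    }
}

# After a seizure, the RID master should be the local DC (step 3]).
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($domain.RIDMaster -ieq $local) {
    Write-Output "RID master role is held by the local DC ($local)."
} else {
    Write-Output "RID master role is held by $($domain.RIDMaster), not by $local."
}
```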

4. Cannot pass authentication in the child domain with a parent domain usr/password, and vice versa.
  in the log you can find the kerberos error:
  "Decrypt integrity check failed"
  the reason is here:
  http://www.faqs.org/faqs/kerberos-faq/general/section-73.html
  Do you know what it says, and how to resolve it?
  If yes, please do teach me, I would be very grateful!
  If not, follow me to rebuild the child domain:
  1) remove the child domain
  on the child domain dc machine, run the cmd 'dcpromo' and go on; if it fails, run 'dcpromo /forceremoval'
  2) remove the trust and metadata from the parent domain
  on the parent domain dc machine,
  1] remove the trust to the child domain in 'Active Directory Domains and Trusts'
  2] do a metadata cleanup for the child servers/domains; if that fails, do the naming context cleanup
  http://support.microsoft.com/kb/887424
  the 'domain management' subcmd used there has a marvellous new name in Windows Server 2008: 'partition management'!
  3) recreate the child domain and set its dns server

  create child domain:
  http://technet.microsoft.com/en-us/library/cc787706%28v=ws.10%29.aspx

  dns settings:
  http://support.microsoft.com/kb/255248

  if you get "The source server is currently rejecting replication requests.", go to the parent domain and run the cmds:
  repadmin /options servername -disable_inbound_repl
  repadmin /options servername -disable_outbound_repl
  to enable the replication (the leading '-' clears the option, so replication is no longer disabled).

