Identify the problem

Applies To: Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

When symptoms of a forest-wide failure appear, such as in event logs or other monitoring solutions, work with Microsoft Support to determine the cause of the failure, and evaluate any possible remedies.

Examples of forest-wide failures

  • All DCs have been logically corrupted or physically damaged to a point that business continuity is impossible; for example, all business applications that depend on AD DS are nonfunctional.

  • A rogue administrator has compromised the Active Directory environment.

  • An attacker intentionally, or an administrator accidentally, runs a script that spreads data corruption across the forest.

  • An attacker intentionally, or an administrator accidentally, extends the Active Directory schema with malicious or conflicting changes.

  • An attacker has managed to install malicious software on DCs, and you have been advised by Microsoft Support to recover the forest from backup.

    Important

    This paper does not cover security recommendations about how to recover a forest that has been hacked or compromised. In general, it is recommended to follow Pass-the-Hash mitigation techniques to harden the environment. For more information, see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.

  • None of the DCs can replicate with their replication partners.

  • Changes cannot be made to AD DS at any domain controller.

  • New DCs cannot be installed in any domain.

Next Steps