"Access Denied" Error Message During Active Directory Promotion of Replica Domain Controller
Microsoft Knowledge Base Article: 250874 - During Active Directory promotion of a replica domain controller, the following error message may be displayed: The operation failed because: Failed to modify the necessary properties for the machine account %computername%$ "Access Denied"
Access Violation in sbTableGetDSName Causes Global Catalog to Crash
Microsoft Knowledge Base Article: 253868 - A Windows 2000 Global Catalog server may stop responding (crash) with the following call stack:
Active Directory DNSHostName Property Does Not Include Subdomain
Microsoft Knowledge Base Article: 240942 - When a computer joins an Active Directory domain (for example, MICROSOFT.COM), Active Directory stores the fully qualified domain name (FQDN) of the computer with the computer account in a property called DNSHostName.
Active Directory Integrated Reverse Zones Do Not Load on DNS Servers
Microsoft Knowledge Base Article: 252314 - Active Directory integrated zones may not update their reverse zone information to their DNS servers unless you stop and restart the DNS service (although the reverse zone information is correctly listed in Active Directory).
"Active Directory Installation Failed" Error Message When You Use Dcpromo.exe to Promote a Server
Microsoft Knowledge Base Article: 259567 - When you attempt to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain controller, you may receive the following error message: Active Directory Installation Failed The operation failed with the following error. The network location cannot be reached. For further information about network troubleshooting, see Windows Help. This problem can occur if the network cable is not plugged into a hub or other network device.
Active Directory MMC Tools Are Slow to Initialize
Microsoft Knowledge Base Article: 270915 - Active Directory Microsoft Management Console (MMC) utilities may be slow to initialize and run. They may also stop responding (hang) during the initialization procedure.
Active Directory Objects May Be Modified Programmatically
Microsoft Knowledge Base Article: 259401 - If a user has permission to modify an attribute in an object, it may be possible to programmatically modify other attributes in the same object that the user does not have permission to modify.
Active Directory Replication and Knowledge Consistency Checker Fail without Trusted Domain Object
Microsoft Knowledge Base Article: 257844 - In the event log of a Windows 2000 domain controller, one of the following error messages may appear: The Directory Service received a failure while trying to perform an authenticated RPC call to another Domain Controller. The failure is that the desired Service Principal Name (SPN) is not registered on the target server.
Active Directory Users and Computers Snap-in Always Contacts PDC When User Properties Is Opened
Microsoft Knowledge Base Article: 270643 - Each time a user properties dialog box is opened, Windows 2000-based computers that are running the Active Directory Users and Computers snap-in contact the PDC FSMO role owner by using a LSARPC pipe.
Authoritative Restore Triggers Communication Error on Bridgehead Servers
Microsoft Knowledge Base Article: 289901 - After you perform an authoritative restore operation (a database restore) on a domain controller in the forest, event IDs 1311 and 1566 may occur every 15 minutes on the forest's inter-site topology generator servers.
Backup and Restore of Directory Service on Domain Controller Causes Duplicate SIDs
Microsoft Knowledge Base Article: 289154 - When you back up and then restore the Directory Service on a domain controller, duplicate Security ID (SID) events may appear in Event Viewer.
Cannot Completely Hide an Object in Active Directory
Microsoft Knowledge Base Article: 276679 - Active Directory in Windows 2000 supports a security model that prevents you from completely hiding an object. When you attempt to hide an object, the hidden object is displayed in the member list, but the client computer cannot retrieve any additional information on this object.
Cannot Create an Organizational Unit in the Parent Domain with the Same Name as a Child Domain in Windows 2000
Microsoft Knowledge Base Article: 240147 - You cannot create an organizational unit (OU) in a parent domain with the same name as a child domain in Windows 2000 because a name conflict is created.
Cannot Delete Cloned User Accounts that Include Security Identifier History from Local Groups
Microsoft Knowledge Base Article: 278693 - When you use a tool such as the Active Directory Migration Tool (ADMT) to migrate user accounts from a Microsoft Windows NT 4.0 domain to a Microsoft Windows 2000-based system, and then you add these users to a Local group, the accounts cannot be deleted, and you may receive the following error message: The specified account Name is not a member of the local group.
Cannot Publish a Printer to Active Directory from a Cluster in a Child Domain
Microsoft Knowledge Base Article: 286254 - If you have a cluster in a child domain and the Cluster Service account exists in the parent domain, you cannot publish to Active Directory a printer that is shared on the cluster virtual node. The following event will be posted to the System event log: Event ID 38 Source: Print PrintQueue printer CN name was successfully deleted from container LDAP://container
Cannot Remove Active Directory from a Replica Domain Controller
Microsoft Knowledge Base Article: 263624 - When you attempt to promote a replica domain controller by using the Dcpromo.exe tool, you may receive the following error message:
The operation failed because: The directory service failed to replicate off changes made locally. The DSA operation is unable to proceed because of a DNS lookup failure.
Cannot Repair the Active Directory Database by Using the Ntdsutil Tool
Microsoft Knowledge Base Article: 305500 - When you try to use the Ntdsutil tool to repair the Active Directory database (the Ntds.dit file), you may not be able to perform an integrity check or to repair the database successfully. You may receive error messages similar to the following:
Cannot Set Up Trust in Windows 2000 Domain from Windows NT 4.0
Microsoft Knowledge Base Article: 255551 - When you are using User Manager for Domains from Microsoft Windows NT 4.0 to establish a trust from a Windows 2000-based domain to any other domain, you may receive an error message. When you are adding a domain name to "Trusted Domains," the error message is "Parameter is Incorrect." When you are adding a domain name to "Trusting Domains," the error message is: Access Denied
Cannot Turn Off "User Cannot Change the Password" Option After Windows 2000 Upgrade
Microsoft Knowledge Base Article: 253512 - When you upgrade your Microsoft Windows NT 4.0 domain to Windows 2000 Active Directory and you click to clear the User cannot change the password check box in Active Directory, the user may still be unable to change his or her password. In addition, the Active Directory user interface shows that the check box is cleared, but the user cannot change the password.
Dcpromo Does Not Allow All-Numeric Label in a Domain Name
Microsoft Knowledge Base Article: 258101 - The Active Directory Installation Wizard (Dcpromo) may display the following error message: The syntax of the domain name 111.edu is incorrect. In general, acceptable naming conventions for domain names include the use of alphanumeric characters (the letters A through Z and numerals 0 through 9) and the hyphen (-). A period (.) in a domain name is always used to separate the discrete parts of a domain name commonly known as labels. Each domain label can be no longer than 63 bytes. The first label may not be a number.
DFS Site Information Is Not Updated When You Move Server to a New Active Directory Site
Microsoft Knowledge Base Article: 260857 - After you move a server that is a replica member of a Domain Distributed File System (DFS), client computers that connect through the DFS namespace seem to disregard the relocation of a server to a different Active Directory site.
Dial-In Options Unavailable with Active Directory in Mixed Mode
Microsoft Knowledge Base Article: 193897 - Some dial-in options for user accounts in the Active Directory may be unavailable. This occurs when Active Directory is in Mixed mode.
Directory Service Does Not Start If Disk Is Full
Microsoft Knowledge Base Article: 259278 - The following error message may occur when you start a Windows 2000-based Active Directory domain controller:
Directory Service Stops Responding on Heavily Loaded Domain Controller
Microsoft Knowledge Base Article: 313657 - A heavily loaded domain controller may stop responding to client requests. You may be able to confirm a network connection to the domain controller by using the Ping.exe utility, but when a client tries to view or connect to a share, you receive network error 58
DNS Server Generates Event 4011
Microsoft Knowledge Base Article: 252695 - In certain rare cases, you may find the following entries in the Event log on a Windows 2000-based Active Directory-integrated DNS server: Event ID: 4011 The DNS server was unable to add or write an update of domain name _ldap in zone name.com to the Active Directory. OR The DNS server was unable to add or write an update of domain name _gc in zone name.com to the Active Directory. OR The DNS server was unable to add or write an update of domain name gc in zone name.com to the Active Directory.
Duplicate Certificate Templates Appear in Active Directory
Microsoft Knowledge Base Article: 264589 - Duplicate certificate templates may appear in Active Directory when you attempt to create or modify an Automatic Certificate Request, Public-Key Policy.
Duplicate Connections Appear in the Active Directory Sites and Services Snap-in
Microsoft Knowledge Base Article: 292592 - On a computer that runs Windows 2000 Server, when you view the Active Directory Sites and Services snap-in for Microsoft Management Console (MMC), you see numerous duplicate connections that were created over a period of time.
(updated 4/11/2001)
Error Message: "Active Directory Installation Failed: The Network Location Could Not Be Reached"
Microsoft Knowledge Base Article: 271750 - When you use the Dcpromo.exe tool to install Active Directory, the following error message may be displayed: Active Directory installation failed: The network location could not be reached. This behavior can occur because the server's network adapter is not securely attached to a hub or to a switch with a network cable.
Error Message: Object Picker Cannot Open Because no Locations from Which to Choose Objects Can Be Found
Microsoft Knowledge Base Article: 263231 - When you try to select objects from an Active Directory domain, you may receive the following error message: Object Picker cannot open because no locations from which to choose objects can be found.
Error Messages When Windows 2000 Client in Windows 2000 Domain Attempts to Open Active Directory Snap-in
Microsoft Knowledge Base Article: 261203 - A Windows 2000 client in a Windows 2000 domain may not be able to open any Active Directory snap-ins. When the client attempts to open a snap-in, the following error messages may be displayed:
DNS Server Does Not Start with DBCS Domain Names
Microsoft Knowledge Base Article: 258072 - A Windows 2000-based Domain Name System (DNS) server that is integrated with Active Directory may not start if you are using a double-byte character set (DBCS) domain name. When this issue occurs, you may see an error messages
Domain Controller Server Object Not Removed After Demotion
Microsoft Knowledge Base Article: 216364 - After you demote a domain controller to a server, the object that represents the server in the Active Directory Sites and Services Manager snap-in remains.
GUID of Pre-Staged Computer Appears Different Than as Typed
Microsoft Knowledge Base Article: 228905 - When you pre-stage a computer to Active Directory using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in and you select the "This is a managed computer" option, you must type the computer's globally unique identifier (GUID). A pre-staged system with a GUID entered in this way refers to the clients that will be using the Remote Install service (RIS) to install Windows 2000. Pre-staging ensures that only clients that have been pre-staged by the administrative staff can use this service. When you view the GUID of the pre-staged computer, the GUID may be different from the GUID you entered.
Large Numbers of ACEs in ACLs Impair Directory Service Performance
Microsoft Knowledge Base Article: 271876 - The performance of Active Directory can be severely impaired by an overly complex access control policy. For maximum performance, you should minimize the number of Active Directory objects to which you assign specific access control lists
LDIFDE Does Not Import Users from Trusted Domains
Microsoft Knowledge Base Article: 279259 - When you use the LDIFDE utility (Ldifde.exe) to export and import users or groups for Windows 2000-based domains, users from trusted domains do not get added back to the Windows 2000 domain groups. When you run the import command using the Verbose mode, you may receive the following message, and LDIFDE may skip the object: The object does not exist.
Lsass.exe Stops Working Intermittently on a Domain Controller or Global Catalog
Microsoft Knowledge Base Article: 300621 - When Lsass.exe is running on a domain controller, Lsass.exe may generate an access violation. The server reboots automatically after the access violation. This problem may occur on a domain controller that is a global catalog and is also the target of the Recipient Update service from Microsoft Exchange 2000 Server.
Malformed Request to Domain Controller Can Cause Memory Exhaustion
Microsoft Knowledge Base Article: 294391 - A core service that runs on all Windows 2000 domain controllers (but not on any other computers) contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting
Maximum of 854 DHCP Servers in Active Directory
Microsoft Knowledge Base Article: 264631 - You can define a maximum of 854 DHCP servers in Active Directory. If you try to authorize additional DHCP servers, you receive an error message
Mixed Mode Active Directory Users Denied Access to Exchange 2000 Public Folder
Microsoft Knowledge Base Article: 252470 - Active Directory users are unable to gain access to public folders.
MSDSS May Delete a User Account
Microsoft Knowledge Base Article: 323738 - When Microsoft Directory Synchronization Services (MSDSS) reverse synchronization does not read a GUID from the Novell Directory Services (NDS) tree, MSDSS may delete the account from Active Directory.
MSDSS Migration of Users from NDS Does Not Finish Successfully
Microsoft Knowledge Base Article: 291134 - When you use Microsoft Directory Synchronization Services (MSDSS) to migrate users from Novell Directory Services (NDS) to Active Directory, the migration may not finish successfully and you may receive an error message that is similar to: MSDSS did not initialize the reverse synchronization or migration session - not enough storage is available.
More Than 15 IP Addresses Assigned to Server Causes Active Directory-Related Problems
Microsoft Knowledge Base Article: 258960 - After you add 16 or more IP addresses to a domain controller and then try to apply Group Policy, events similar to the following events are recorded in the Application log and the policy settings are not applied:
More Than 15 IP Addresses Assigned to Server Cause Active Directory Problems
Microsoft Knowledge Base Article: 261197 - Adding more than 15 IP addresses to a Windows 2000-based domain controller causes Group Policy to stop being refreshed. The following system events are reported simultaneously in the Application Service log:
MSDSS Migration Does Not Work If Multiple Naming Attributes Are Present for an Object
Microsoft Knowledge Base Article: 270159 - When you perform a migration from Novell Directory Services (NDS) to Active Directory by using Microsoft Directory Synchronization Services (MSDSS), the migration process may stop unexpectedly and you may receive the following error message: Windows cannot run the initial reverse synchronization or migration session, the ADSI path was not found. This problem occurs when MSDSS encounters an object with multiple naming attributes set
Ntbackup.exe Does Not Truncate Active Directory Logs During a System-State Backup
Microsoft Knowledge Base Article: 272425 - When you create a system-state backup on a domain controller (DC), the NTDS logs are not cleaned up. The NTDS logs are being copied from the Edb.log file to an Edbxxxxx.log file each time backup runs, but the Edbxxxxx.log files are not deleted. The log files would normally be deleted by the circular logging nature of the DS. However, because some environments do not incur many changes, circular logging may appear to not work because it takes a long time to purge these files and disk space is wasted during this time.
On-Line Restoration of Active Directory Is Not Supported in Windows 2000
Microsoft Knowledge Base Article: 296257 - This article provides information about the Microsoft policy regarding technical support for products from Independent Software Vendors (ISVs) that perform on-line restoration of selected objects (such as user objects) within Active Directory
Permissions for Distribution Group Are Not in the Standard Format
Microsoft Knowledge Base Article: 290801 - When you use Active Directory Users and Computers to view permissions for a distribution group whose membership is hidden, the Special Security message box is displayed. The following message is displayed in the message box:
Problems Changing Nested Global Group Scope to Universal Group
Microsoft Knowledge Base Article: 268277 - In the Active Directory Users and Computers tool, you can change a nested global group's scope to a universal group in Native mode. You should not do this because global groups can only contain users from the group's domain or other global group.
"Run Only Allowed Applications" List in Organizational Unit GPO Becomes Corrupted
Microsoft Knowledge Base Article: 263179 - If you add long file names in the "Run Only Allowed Applications" list in an organizational unit group policy, the list becomes corrupted after the total number of characters exceeds 1,024.
Server for NIS Cannot Process Commas in User's Display Name
Microsoft Knowledge Base Article: 298831 - With Windows 2000, new users are added by using the Active Directory Users and Computers tool. The display name field for a user is normally formatted as "FirstName LastName". However, depending on what other software you have installed, the display names may be formatted as "LastName, Firstname". Note that Microsoft Exchange is an example of a program that may format the displays differently.
Time Synchronization May Not Work Properly on Domain Controllers on the Same Site as the Child Domain PDC
Microsoft Knowledge Base Article: 297025 - If you have a Windows 2000 Active Directory architecture with a parent domain and a child domain, the default time-synchronization mechanism may not work if a domain controller in the child domain is used for synchronization because it is closest, even though the parent domain controller is available for synchronization.
Unable to Add More Than One User or Object with the Same Name to Active Directory
Microsoft Knowledge Base Article: 234051 - When you attempt to add a new user or object to the Active Directory (AD), you are unable to do so and one of the following error messages may be displayed:
Unable to Establish an Explicit Trust Between Windows 2000-Based Domains
Microsoft Knowledge Base Article: 312003 - When you attempt to establish an explicit trust between two Windows 2000-based domains that are in different forests, you may receive the following error message:
Unable to Obtain Home Directory Drive Connection in a Mixed Environment
Microsoft Knowledge Base Article: 262890 - When a user's environment is mixed with Microsoft Windows NT 4.0 BDCs and Windows 2000 DCs while the LmCompatibilityLevel registry entry is in use for higher security, the home directory drive connection may not appear on the Windows 2000 Professional client computer.
Unsuccessful Replication Without Partner Listed
Microsoft Knowledge Base Article: 232538 - Any of the following situations may occur with Active Directory replication: 1) A replication connection object to a domain controller, either in the same domain or a trusted domain, is not created because the remote domain controller is not listed in the Active Directory Sites and Services Find Domain Controllers dialog box. 2) A replication connection is not automatically established between a local domain controller and a remote domain controller, either in the same or a trusted domain, because the necessary NTDS Settings object does not appear for the server in the Active Directory Sites and Services administrative tool.
Users Cannot Log On to the Domain After Password Changes on a Remote Domain Controller
Microsoft Knowledge Base Article: 318364 - After you change a user account password on a remote domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role, the user may not be able to log on to a local domain controller by entering the new password. However, the user may still be able to log on to the domain by using their previous password
Windows 2000 Cluster Service Does Not Publish Clustered Printers in Active Directory
Microsoft Knowledge Base Article: 300896 - The Cluster service supports the clustering of printer resources to provide highly-available printers to users. The Cluster service is not Active Directory aware and because of this, it does not use Kerberos authentication. If the Cluster service is unable to do this, access is not allowed. When clustered printers are published to Active Directory, they may not be registered properly, and because of this, may not be returned on a search (depending on the choices that are made during the Dcpromo.exe process).
Windows 2000 Directory Service Agent Fails to Maintain Exclusive Control of Port 389
Microsoft Knowledge Base Article: 266657 - If you install an application on a Domain Controller (DC) that binds to port 389 with a listener, multiple failures are seen on the DCs. These include failures running dcpromo, startup failures with Inter-Site Messaging service, as well as NTFRS preventing a machine from becoming a DC. This can usually be detected by using Ldp.exe from the Support Tools to confirm that you are succeeding in connecting to the Active Directory on each DC.
You Cannot Update the SID History for Group with the Active Directory Migration Tool
Microsoft Knowledge Base Article: 269352 - When you migrate groups with the Active Directory Migration tool, you may receive the following error message in the Active Directory Migration log file: SID History cannot be updated for <group> because the SID for <group> already exists in the forest. rc=8539. A net helpmsg for 8539 yields the following error text: The source object's SID already exists in destination forest.