Forced demote of a Windows Server 2016 DC

  • Question

  • Good morning,

    For a few days I have been trying to demote a DC that needs to be downgraded, but the error is always the same, "DFS replication access denied". Unfortunately the DC was previously removed from Active Directory by force (not entirely completely, I fear) and not with a local demote procedure on the DC in question. Now, locally, the server cannot even contact AD to verify identity etc. This server has to go back to being a simple domain member, nothing more. If you have any suggestions they would be enormously appreciated.

    Thanks in advance, Happy Easter to everyone.

    Saturday, 11 April 2020 13:46

All replies

  • Try the forced demote with the network disconnected:
    https://docs.microsoft.com/it-it/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200-

    Warning: all of the DC's data must already have been replicated to other DCs, otherwise it will be lost.

    Immediately after the demote you should then clean the old DC's metadata out of AD:
    https://docs.microsoft.com/it-it/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

    It may also be necessary to reassign (not move, since the DC will no longer exist) the domain's FSMO roles.

    Sunday, 12 April 2020 15:06
    Moderator
  • Thanks for the suggestion,

    Unfortunately the demote fails because it cannot verify the credentials, and it doesn't let me rejoin the domain to realign the credentials. Is there a way to rejoin from PowerShell?

    Thanks a lot

    Monday, 13 April 2020 14:26
  • Did you run a forced demote? In that case credential validation on the domain side is not required.
    Monday, 13 April 2020 14:59
    Moderator
  • From PS I run Uninstall-ADDSDomainController -IgnoreLastDCInDomainMismatch -ForceRemoval

    but it always tries to verify the credentials; should I maybe specify a local account?

    It also keeps reporting an access error for DFS replication

    Thanks

    • Edited by seehawck Monday, 13 April 2020 16:09
    Monday, 13 April 2020 15:13
  • Use only the -ForceRemoval parameter and try disconnecting the network. You must be logged on with an account that has/had the domain admin role, even if the domain is no longer reachable.
    Monday, 13 April 2020 16:32
    Moderator
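The two moderator replies above describe one procedure: a forced demote run locally with the network unplugged, then metadata cleanup and FSMO seizure on a DC that is still alive. The following PowerShell is an added example, not the thread's own commands or Microsoft's documentation verbatim. The names are assumptions taken from the dcdiag output posted later in the thread (dead DC SERVER3 in site Mozzo, surviving DC SERVER2, domain sariel.sede.local); the `_msdcs` zone being a separate zone is also an assumption.

```powershell
# Added example, not from the thread. Step 1 runs on the DC being demoted,
# step 2 on a surviving DC. Assumed names: dead DC SERVER3 (site Mozzo),
# surviving DC SERVER2, domain sariel.sede.local.

# ---------- Step 1: on the DC being demoted, network cable unplugged ----------
# -ForceRemoval skips every domain-side check, so nothing is replicated out:
# anything that exists only on this DC is lost. Log on with an account that
# was a Domain Admin (cached logon works), not a local account.
Import-Module ADDSDeployment
$localAdminPwd = Read-Host -AsSecureString -Prompt 'New local Administrator password'
$demote = @{
    ForceRemoval               = $true   # no contact with the domain at all
    DemoteOperationMasterRole  = $true   # do not refuse because this DC still thinks it holds FSMO roles
    LocalAdministratorPassword = $localAdminPwd
    Force                      = $true   # no confirmation prompt; the box reboots as a workgroup member
}
Uninstall-ADDSDomainController @demote

# ---------- Step 2: on a surviving DC (SERVER2) ----------
Import-Module ActiveDirectory, DnsServer
$deadDc   = 'SERVER3'
$site     = 'Mozzo'
$survivor = 'SERVER2'
$configNC = (Get-ADRootDSE -Server $survivor).configurationNamingContext
$forest   = Get-ADForest -Server $survivor
$domain   = Get-ADDomain -Server $survivor

# 2a. Seize any FSMO role the dead DC still owns. A transfer is impossible
#     (the holder is gone); -Force turns the move into a seizure.
$rolesOnDeadDc = @(
    @{ Role = 'SchemaMaster';         Owner = $forest.SchemaMaster }
    @{ Role = 'DomainNamingMaster';   Owner = $forest.DomainNamingMaster }
    @{ Role = 'PDCEmulator';          Owner = $domain.PDCEmulator }
    @{ Role = 'RIDMaster';            Owner = $domain.RIDMaster }
    @{ Role = 'InfrastructureMaster'; Owner = $domain.InfrastructureMaster }
) | Where-Object { $_.Owner -like "$($deadDc).*" } | ForEach-Object { $_.Role }
if ($rolesOnDeadDc) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
        -OperationMasterRole $rolesOnDeadDc -Force -Confirm:$false
}

# 2b. Metadata cleanup: removes the NTDS Settings and server objects and the
#     DC's replication links. ntdsutil pops a confirmation dialog; there is
#     no silent switch. Quoting each ntdsutil command as one argument works
#     from PowerShell.
$serverDN = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNC"
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# 2c. If the DC's computer account is still in the Domain Controllers OU,
#     delete it too, or the later rejoin collides with a stale DC object.
$stale = Get-ADComputer -Server $survivor -Filter "Name -eq '$deadDc'" `
    -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)"
if ($stale) {
    Remove-ADObject -Server $survivor -Identity $stale.DistinguishedName -Recursive -Confirm:$false
}

# 2d. Verify the server object is gone, then list DNS leftovers (the A record,
#     the DSA-GUID CNAME and SRV records in _msdcs); ntdsutil does not touch DNS.
Get-ADObject -Server $survivor -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$deadDc))"            # expect no output
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
    Get-DnsServerResourceRecord -ComputerName $survivor -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            $_.HostName -eq $deadDc -or
            $_.RecordData.HostNameAlias -like "$($deadDc).*" -or
            $_.RecordData.DomainName    -like "$($deadDc).*"
        } |
        Select-Object @{n='Zone';e={$zone}}, HostName, RecordType,
            @{n='Target';e={ @($_.RecordData.IPv4Address, $_.RecordData.HostNameAlias, $_.RecordData.DomainName) -ne $null -join ' ' }}
}
# Remove the stale records with Remove-DnsServerResourceRecord once reviewed.

# 2e. Only now rejoin the old box as an ordinary member, from the former DC
#     after it has rebooted into the workgroup:
#     Add-Computer -DomainName sariel.sede.local -Credential (Get-Credential) -Restart
```

The order matters: seize roles and clean metadata before the rejoin, otherwise the join finds a computer account that AD still believes is a domain controller.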
  • Thanks a lot for the advice.. Unfortunately no luck, it always gets stuck on the report of failed access to DFS replication.. Sorry, one thing, I can't post images.. how do I verify the account?

    Good evening

    • Edited by seehawck Monday, 13 April 2020 17:15
    Monday, 13 April 2020 16:55
  • The account gets verified automatically after some time; otherwise a request has to be submitted here:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=reportabug

    I think the problem is, in any case, a corruption of the DFSR configuration generally used between DCs for SYSVOL replication. It is as if the account you are using did not have sufficient privileges to modify the configuration (an operation that is performed automatically during the demote).
    Do you also get an access denied error if you run this command from PowerShell?
    Get-DfsReplicationGroup -GroupName * -IncludeSysvol

    Monday, 13 April 2020 19:49
    Moderator
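The reply above points at the DFSR configuration the demote has to modify. As an added example (not the moderator's or Microsoft's code), the script below runs on the DC being demoted, under the account the demote will use, and shows the objects the demote must delete for this DC and whether that account appears in their ACLs. It assumes the local machine is the DC, that SYSVOL is on DFSR (the `dfsrmig` state shows whether that is true), and that the `ActiveDirectory` and `DFSR` modules are installed.

```powershell
# Added example, not from the thread. Run on the DC you are trying to demote,
# logged on as the account the demote will use. Assumes SYSVOL is on DFSR and
# that the ActiveDirectory and DFSR RSAT modules are present.
Import-Module ActiveDirectory, DFSR -ErrorAction Stop

$dc       = $env:COMPUTERNAME
$domain   = (Get-ADDomain).DNSRoot
$domainDN = (Get-ADDomain).DistinguishedName

# 1. Which SYSVOL engine is in use? Global state 0 = FRS, 3 = DFSR only
#    ('Eliminated'); 1 or 2 means an FRS-to-DFSR migration was never finished.
dfsrmig /getglobalstate

# 2. The moderator's check, plus the SYSVOL membership of each DC.
try {
    Get-DfsReplicationGroup -GroupName 'Domain System Volume' -IncludeSysvol -DomainName $domain |
        Format-List GroupName, State, DomainName
    Get-DfsrMembership -GroupName 'Domain System Volume' -IncludeSysvol -DomainName $domain |
        Format-Table ComputerName, ContentPath, State
} catch {
    Write-Warning "DFSR cmdlets failed: $($_.Exception.Message)"
}

# 3. The AD objects the demote deletes for this DC: its msDFSR-Member under the
#    group topology, and the LocalSettings / Subscriber / Subscription objects
#    under its computer account. A demote that cannot delete these is exactly
#    where an 'access denied' for DFS replication comes from.
$computerDN = (Get-ADComputer -Identity $dc).DistinguishedName
$topologyDN = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
$objects = @(
    Get-ADObject -SearchBase $topologyDN -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=msDFSR-Member)(msDFSR-ComputerReference=$computerDN))"
    Get-ADObject -SearchBase $computerDN -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=msDFSR-LocalSettings)(objectClass=msDFSR-Subscriber)(objectClass=msDFSR-Subscription))'
)
$objects | Format-Table ObjectClass, DistinguishedName -AutoSize

# 4. Who may delete them? List the allow ACEs carrying Delete or GenericAll and
#    flag the ones that apply to the current token (directly or via a group).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($me.Groups) + $me.User | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
foreach ($o in $objects) {
    $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'Delete|GenericAll' } |
        Select-Object @{n='Object';e={ $o.Name }}, IdentityReference, ActiveDirectoryRights,
                      @{n='AppliesToMe';e={ $myNames -contains $_.IdentityReference.Value }}
}

# 5. Can this DC still authenticate to the rest of the domain at all? If the
#    secure channel to another DC cannot be verified, every write above will
#    fail as access denied regardless of the ACLs.
nltest "/sc_verify:$domain"
```

If step 2 already fails with access denied, the ACL listing in step 4 is the thing to compare against the account you are logged on with; if step 5 fails, the ACLs are irrelevant until the DC can prove its identity again, which on an isolated DC is what the forced, network-disconnected demote avoids.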
  • Hi, sorry to butt in, but the question has to be asked... Can the server you need to add to the domain be reinstalled? Unless there are reasons against it, the best solution is to start from a clean base. After joining the server to the domain you will have to take care of cleaning the orphaned server's references out of AD, but at least you won't drag the work out over entire days.

    Regards
    Nino

    www.testerlab.it

    Tuesday, 14 April 2020 05:45
    Moderator
  • I'll run a couple of tests and give you feedback. Unfortunately this server holds an installation of a piece of software that I must keep at all costs, and which logs users in with domain authentication, so.... I only need to manage to lower its level from DC to a normal domain-joined machine.

    Thank you very much for your availability and professionalism.. Good evening

    Tuesday, 14 April 2020 17:37
  • Could you post an ipconfig /all and the result of a dcdiag

    Regards
    Nino

    www.testerlab.it

    Tuesday, 14 April 2020 19:52
    Moderator
  • Hi all,

    here is the dcdiag output:

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = SERVER3
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Mozzo\SERVER3
          Starting test: Connectivity
             ......................... SERVER3 passed test Connectivity

    Doing primary tests

       Testing server: Mozzo\SERVER3
          Starting test: Advertising
             Warning: DsGetDcName returned information for
             \\Server2.sariel.sede.local, when we were trying to reach SERVER3.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... SERVER3 failed test Advertising
          Starting test: FrsEvent
             ......................... SERVER3 passed test FrsEvent
          Starting test: DFSREvent
             ......................... SERVER3 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... SERVER3 passed test SysVolCheck
          Starting test: KccEvent
             A warning event occurred.  EventID: 0x80000785
                Time Generated: 04/15/2020   09:14:01
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
             A warning event occurred.  EventID: 0x80000785
                Time Generated: 04/15/2020   09:14:02
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
             A warning event occurred.  EventID: 0x80000785
                Time Generated: 04/15/2020   09:14:02
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
             A warning event occurred.  EventID: 0x80000785
                Time Generated: 04/15/2020   09:14:02
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
             A warning event occurred.  EventID: 0x80000785
                Time Generated: 04/15/2020   09:14:02
                Event String:
                The attempt to establish a replication link for the following writable directory partition failed.
             ......................... SERVER3 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             [SERVER2] DsBindWithSpnEx() failed with error -2146893022,
             The target principal name is incorrect..
             Warning: SERVER2 is the Schema Owner, but is not responding to DS RPC Bind.
             [SERVER2] LDAP bind failed with error 8341,
             A directory service error has occurred..
             Warning: SERVER2 is the Schema Owner, but is not responding to LDAP Bind.
             Warning: SERVER2 is the Domain Owner, but is not responding to DS RPC Bind.
             Warning: SERVER2 is the Domain Owner, but is not responding to LDAP Bind.
             Warning: SERVER2 is the PDC Owner, but is not responding to DS RPC Bind.
             Warning: SERVER2 is the PDC Owner, but is not responding to LDAP Bind.
             Warning: SERVER2 is the Rid Owner, but is not responding to DS RPC Bind.
             Warning: SERVER2 is the Rid Owner, but is not responding to LDAP Bind.
             Warning: SERVER2 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
             Warning: SERVER2 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
             ......................... SERVER3 failed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... SERVER3 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... SERVER3 passed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\SERVER3\netlogon)
             [SERVER3] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... SERVER3 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... SERVER3 passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER4 to SERVER3
                Naming Context: DC=ForestDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:57:36.
                The last success occurred at 2019-11-16 20:16:36.
                3511 failures have occurred since the last success.
             [SERVER4] DsBindWithSpnEx() failed with error 1722,
             The RPC server is unavailable..
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER to SERVER3
                Naming Context: DC=ForestDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-12-03 17:48:45.
                3105 failures have occurred since the last success.
             [SERVER] DsBindWithSpnEx() failed with error -2146893022,
             The target principal name is incorrect..
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER5 to SERVER3
                Naming Context: DC=ForestDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-12-03 17:48:51.
                3105 failures have occurred since the last success.
             [SERVER5] DsBindWithSpnEx() failed with error -2146893022,
             The target principal name is incorrect..
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER4 to SERVER3
                Naming Context: DC=DomainDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:57:36.
                The last success occurred at 2019-11-16 20:01:35.
                3511 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER to SERVER3
                Naming Context: DC=DomainDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-12-03 17:48:31.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER5 to SERVER3
                Naming Context: DC=DomainDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-12-03 17:48:31.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER4 to SERVER3
                Naming Context: CN=Schema,CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2020-04-15 08:59:00.
                The last success occurred at 2019-11-16 09:50:45.
                3521 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER to SERVER3
                Naming Context: CN=Schema,CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:59:00.
                The last success occurred at 2019-12-03 17:48:31.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER5 to SERVER3
                Naming Context: CN=Schema,CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:59:01.
                The last success occurred at 2019-12-03 17:48:31.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER4 to SERVER3
                Naming Context: CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-11-16 20:01:20.
                3511 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER to SERVER3
                Naming Context: CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-12-03 17:47:49.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER5 to SERVER3
                Naming Context: CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:58:18.
                The last success occurred at 2019-12-03 17:47:49.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER4 to SERVER3
                Naming Context: DC=sariel,DC=sede,DC=local
                The replication generated an error (1722):
                The RPC server is unavailable.
                The failure occurred at 2020-04-15 08:57:36.
                The last success occurred at 2019-11-16 20:27:04.
                3511 failures have occurred since the last success.
                The source remains down. Please check the machine.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER5 to SERVER3
                Naming Context: DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:59:01.
                The last success occurred at 2019-12-03 17:58:28.
                3105 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER to SERVER3
                Naming Context: DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:59:01.
                The last success occurred at 2019-12-03 18:00:33.
                3105 failures have occurred since the last success.
             ......................... SERVER3 failed test Replications
          Starting test: RidManager
             ......................... SERVER3 failed test RidManager
          Starting test: Services
                Invalid service startup type: NtFrs on SERVER3, current value
                DISABLED, expected value AUTO_START
                NtFrs Service is stopped on [SERVER3]
             ......................... SERVER3 failed test Services
          Starting test: SystemLog
             An error event occurred.  EventID: 0xC00038D6
                Time Generated: 04/15/2020   08:37:07
                Event String:
                The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
             An error event occurred.  EventID: 0x0000410B
                Time Generated: 04/15/2020   08:39:16
                Event String:
                The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is 
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:11:58
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was LDAP/SERVER.sariel.sede.local/sariel.sede.local@SARIEL.SEDE.LOCAL. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x00000469
                Time Generated: 04/15/2020   09:12:00
                Event String:
                The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:12:03
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was LDAP/SERVER.sariel.sede.local/sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x00002720
                Time Generated: 04/15/2020   09:12:04
                Event String:
                The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:15:03
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2$. The target name used was LDAP/0deab830-c5f1-431d-930c-191fc36e9693._msdcs.sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:15:03
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server2$. The target name used was ldap/Server2.sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:15:46
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was LDAP/3d55f330-68bb-4c42-8192-848110fd034c._msdcs.sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:15:46
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server5$. The target name used was LDAP/ea8da1d1-06ca-4df0-859c-43e2967d6167._msdcs.sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             An error event occurred.  EventID: 0x40000004
                Time Generated: 04/15/2020   09:15:52
                Event String:
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was ldap/server.sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SARIEL.SEDE.LOCAL) is different from the client domain (SARIEL.SEDE.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
             ......................... SERVER3 failed test SystemLog
          Starting test: VerifyReferences
             Some objects relating to the DC SERVER3 have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN=SERVER3,CN=Servers,CN=Mozzo,CN=Sites,CN=Configuration,DC=sariel,DC=sede,DC=local
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [1] Problem: Missing Expected Value
                 Base Object:
                CN=SERVER3,OU=Domain Controllers,DC=sariel,DC=sede,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

             ......................... SERVER3 failed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : sariel
          Starting test: CheckSDRefDom
             ......................... sariel passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... sariel passed test CrossRefValidation

       Running enterprise tests on : sariel.sede.local
          Starting test: LocatorCheck
             [SERVER] LDAP bind failed with error 8341,
             A directory service error has occurred..
             ......................... sariel.sede.local passed test LocatorCheck
          Starting test: Intersite
             ......................... sariel.sede.local passed test Intersite

    Wednesday, 15 April 2020 07:21
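The dcdiag output above carries three separate signals that are easy to lose in the wall of text: which tests failed, how long each replication partner and partition has gone without a successful replication, and which partner accounts reject this DC's Kerberos tickets (KRB_AP_ERR_MODIFIED). The parser below is an added example, not part of the thread; its sample input is a constructed, abridged copy of the lines posted above. Measured against 15 April 2020, the last successes on 16 November and 3 December 2019 are roughly 150 and 133 days old, so the `PastTombstone` flag stays false if the forest uses the 180-day default tombstone lifetime; the real value has to be read from the directory, as the comment in the parameter block shows.

```powershell
# Added example, not from the thread: summarise dcdiag text into failed tests,
# replication age per partner/partition, and Kerberos KRB_AP_ERR_MODIFIED hits.
function ConvertFrom-DcDiag {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [datetime]$AsOf = (Get-Date),
        # 180 days is the default for forests created on Windows Server 2003 SP1 or later.
        # The real value: (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties tombstoneLifetime).tombstoneLifetime
        [int]$TombstoneLifetimeDays = 180
    )
    $failedTests = [System.Collections.Generic.List[object]]::new()
    $replication = [System.Collections.Generic.List[object]]::new()
    $kerberos    = [System.Collections.Generic.List[object]]::new()
    $current = $null       # replication entry being assembled
    $wantNC  = $false      # true when 'Naming Context:' was wrapped onto its own line

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($wantNC) { $current.NamingContext = $line; $wantNC = $false; continue }
        if ($null -ne $current -and $current.Message -eq 'pending') {
            # the line after 'generated an error (N):' is the message; keep its first sentence
            $current.Message = $line -replace '\.( .*)?$', ''
            continue
        }

        if ($line -match '^\.+ (\S+) failed test (\S+)$') {
            $failedTests.Add([pscustomobject]@{ Target = $Matches[1]; Test = $Matches[2] })
        }
        elseif ($line -match '^From (\S+) to (\S+)$') {
            $current = [ordered]@{
                Source = $Matches[1]; Destination = $Matches[2]; NamingContext = $null
                ErrorCode = $null; Message = $null; LastSuccess = $null
                DaysSinceSuccess = $null; PastTombstone = $false
            }
        }
        elseif ($null -ne $current -and $line -eq 'Naming Context:') { $wantNC = $true }
        elseif ($null -ne $current -and $line -match '^Naming Context: (.+)$') { $current.NamingContext = $Matches[1] }
        elseif ($null -ne $current -and $line -match '^The replication generated an error \((-?\d+)\):$') {
            $current.ErrorCode = [int]$Matches[1]; $current.Message = 'pending'
        }
        elseif ($null -ne $current -and $line -match '^The last success occurred at (\S+ \S+)\.$') {
            $current.LastSuccess = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            $current.DaysSinceSuccess = [int][math]::Floor(($AsOf - $current.LastSuccess).TotalDays)
            $current.PastTombstone = $current.DaysSinceSuccess -gt $TombstoneLifetimeDays
            $replication.Add([pscustomobject]$current); $current = $null
        }
        elseif ($line -match 'KRB_AP_ERR_MODIFIED error from the server (\S+)\. The target name used was (\S+)\.') {
            $kerberos.Add([pscustomobject]@{ ServerAccount = $Matches[1]; TargetSpn = $Matches[2] })
        }
    }
    [pscustomobject]@{
        FailedTests = $failedTests
        Replication = $replication
        Kerberos    = @($kerberos | Sort-Object ServerAccount, TargetSpn -Unique)
    }
}

# Constructed sample: an abridged copy of the output posted above.
$sample = @'
          Starting test: Advertising
             ......................... SERVER3 failed test Advertising
          Starting test: Replications
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER4 to SERVER3
                Naming Context: DC=ForestDnsZones,DC=sariel,DC=sede,DC=local
                The replication generated an error (1256):
                The remote system is not available. For information about network troubleshooting, see Windows Help.
                The failure occurred at 2020-04-15 08:57:36.
                The last success occurred at 2019-11-16 20:16:36.
                3511 failures have occurred since the last success.
             [Replications Check,SERVER3] A recent replication attempt failed:
                From SERVER to SERVER3
                Naming Context:
                CN=Schema,CN=Configuration,DC=sariel,DC=sede,DC=local
                The replication generated an error (5):
                Access is denied.
                The failure occurred at 2020-04-15 08:59:00.
                The last success occurred at 2019-12-03 17:48:31.
                3105 failures have occurred since the last success.
             ......................... SERVER3 failed test Replications
          Starting test: SystemLog
                The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server server$. The target name used was ldap/server.sariel.sede.local. This indicates that the target server failed to decrypt the ticket provided by the client.
             ......................... SERVER3 failed test SystemLog
'@ -split "`r?`n"

# Real use: ConvertFrom-DcDiag -Lines (dcdiag /v | Out-String -Stream)
$report = ConvertFrom-DcDiag -Lines $sample -AsOf ([datetime]'2020-04-15')
$report.FailedTests | Format-Table
$report.Replication | Format-Table Source, NamingContext, ErrorCode, Message, DaysSinceSuccess, PastTombstone
$report.Kerberos    | Format-Table
```

Grouping the replication rows by `Source` is what separates a partner that is simply unreachable (RPC errors from one partner) from partners that answer but refuse the bind (access denied or wrong principal name), which is the distinction that decides whether the fix is network or identity.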
  • Can you post the ipconfig /all (and while you're at it, also the ipconfig /all and dcdiag of the current DC)

    Regards
    Nino

    www.testerlab.it

    Wednesday, 15 April 2020 08:57
    Moderator
  • Here is ipconfig /all:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : SERVER3
       Primary Dns Suffix  . . . . . . . : sariel.sede.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : sariel.sede.local

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-14-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::f9c2:c51c:66a2:fa86%12(Preferred) 
       IPv4 Address. . . . . . . . . . . : 192.168.10.19(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.10.1
       DHCPv6 IAID . . . . . . . . . . . : 33559901
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-5B-9E-EA-00-15-5D-0A-14-00
       DNS Servers . . . . . . . . . . . : ::1
                                           192.168.10.20
                                           192.168.10.250
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{ECF812A4-C37E-4D44-AA84-EB05E023F5A5}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 3:

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:2851:782c:1ccc:f4e:3f57:f5ec(Preferred) 
       Link-local IPv6 Address . . . . . : fe80::1ccc:f4e:3f57:f5ec%13(Preferred) 
       Default Gateway . . . . . . . . . : ::
       DHCPv6 IAID . . . . . . . . . . . : 134217728
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-5B-9E-EA-00-15-5D-0A-14-00
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Wednesday 15 April 2020 09:14
  • Here is the dcdiag of the main server, which is also the Operations Master:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = Server2

       * Identified AD Forest. 
       Done gathering initial info.


    Doing initial required tests

       
       Testing server: Mozzo\SERVER2

          Starting test: Connectivity

             ......................... SERVER2 passed test Connectivity



    Doing primary tests

       
       Testing server: Mozzo\SERVER2

          Starting test: Advertising

             ......................... SERVER2 passed test Advertising

          Starting test: FrsEvent

             ......................... SERVER2 passed test FrsEvent

          Starting test: DFSREvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems. 
             ......................... SERVER2 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... SERVER2 passed test SysVolCheck

          Starting test: KccEvent

             ......................... SERVER2 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SERVER2 passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SERVER2 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... SERVER2 passed test NCSecDesc

          Starting test: NetLogons

             ......................... SERVER2 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SERVER2 passed test ObjectsReplicated

          Starting test: Replications

             [Replications Check,SERVER2] A recent replication attempt failed:

                From SERVER5 to SERVER2

                Naming Context: DC=ForestDnsZones,DC=sariel,DC=sede,DC=local

                The replication generated an error (8456):

                The source server is currently rejecting replication requests.

                The failure occurred at 2020-04-15 10:46:33.

                The last success occurred at 2020-04-08 11:14:52.

                170 failures have occurred since the last success.

                Replication has been explicitly disabled through the server

                options.

             [Replications Check,SERVER2] A recent replication attempt failed:

                From SERVER5 to SERVER2

                Naming Context: DC=DomainDnsZones,DC=sariel,DC=sede,DC=local

                The replication generated an error (8456):

                The source server is currently rejecting replication requests.

                The failure occurred at 2020-04-15 10:46:33.

                The last success occurred at 2020-04-08 11:15:02.

                205 failures have occurred since the last success.

                Replication has been explicitly disabled through the server

                options.

             [Replications Check,SERVER2] A recent replication attempt failed:

                From SERVER5 to SERVER2

                Naming Context:

                CN=Schema,CN=Configuration,DC=sariel,DC=sede,DC=local

                The replication generated an error (8456):

                The source server is currently rejecting replication requests.

                The failure occurred at 2020-04-15 10:46:33.

                The last success occurred at 2020-04-08 10:46:48.

                168 failures have occurred since the last success.

                Replication has been explicitly disabled through the server

                options.

             [Replications Check,SERVER2] A recent replication attempt failed:

                From SERVER5 to SERVER2

                Naming Context: CN=Configuration,DC=sariel,DC=sede,DC=local

                The replication generated an error (8456):

                The source server is currently rejecting replication requests.

                The failure occurred at 2020-04-15 10:46:33.

                The last success occurred at 2020-04-08 10:46:48.

                170 failures have occurred since the last success.

                Replication has been explicitly disabled through the server

                options.

             [Replications Check,SERVER2] A recent replication attempt failed:

                From SERVER5 to SERVER2

                Naming Context: DC=sariel,DC=sede,DC=local

                The replication generated an error (8456):

                The source server is currently rejecting replication requests.

                The failure occurred at 2020-04-15 10:54:05.

                The last success occurred at 2020-04-08 11:17:07.

                209 failures have occurred since the last success.

                Replication has been explicitly disabled through the server

                options.

             ......................... SERVER2 failed test Replications

          Starting test: RidManager

             ......................... SERVER2 passed test RidManager

          Starting test: Services

             ......................... SERVER2 passed test Services

          Starting test: SystemLog

             An error event occurred.  EventID: 0x0000165B

                Time Generated: 04/15/2020   10:19:53

                Event String:

                The session setup from computer 'SERVER3' failed because the security database does not contain a trust account 'SERVER3$' referenced by the specified computer.  


             An error event occurred.  EventID: 0x000016AD

                Time Generated: 04/15/2020   11:04:49

                Event String:

                The session setup from the computer SERVER3 failed to authenticate. The following error occurred: 


             A warning event occurred.  EventID: 0x80000109

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device did not report a valid unit of angular measurement.

             A warning event occurred.  EventID: 0x80000101

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device reported a bad angular physical range.

             A warning event occurred.  EventID: 0x80000102

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device reported a bad angular logical range.

             A warning event occurred.  EventID: 0x80000109

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device did not report a valid unit of angular measurement.

             A warning event occurred.  EventID: 0x80000101

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device reported a bad angular physical range.

             A warning event occurred.  EventID: 0x80000102

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device reported a bad angular logical range.

             A warning event occurred.  EventID: 0x80000109

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device did not report a valid unit of angular measurement.

             A warning event occurred.  EventID: 0x80000101

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device reported a bad angular physical range.

             A warning event occurred.  EventID: 0x80000102

                Time Generated: 04/15/2020   11:13:12

                Event String:

                A pointer device reported a bad angular logical range.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:13:20

                Event String:

                Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:13:20

                Event String:

                Driver HP OfficeJet 3830 series required for printer HP5E1E12 (HP OfficeJet 3830 series) is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:13:22

                Event String:

                Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:13:23

                Event String:

                Driver Microsoft Software Printer Driver required for printer OneNote is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:13:24

                Event String:

                Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:13:25

                Event String:

                Driver Send to Microsoft OneNote 16 Driver required for printer Send To OneNote 2016 is unknown. Contact the administrator to install the driver before you log in again.

             A warning event occurred.  EventID: 0x80000109

                Time Generated: 04/15/2020   11:15:35

                Event String:

                A pointer device did not report a valid unit of angular measurement.

             A warning event occurred.  EventID: 0x80000101

                Time Generated: 04/15/2020   11:15:35

                Event String:

                A pointer device reported a bad angular physical range.

             A warning event occurred.  EventID: 0x80000102

                Time Generated: 04/15/2020   11:15:35

                Event String:

                A pointer device reported a bad angular logical range.

             A warning event occurred.  EventID: 0x80000109

                Time Generated: 04/15/2020   11:15:36

                Event String:

                A pointer device did not report a valid unit of angular measurement.

             A warning event occurred.  EventID: 0x80000101

                Time Generated: 04/15/2020   11:15:36

                Event String:

                A pointer device reported a bad angular physical range.

             A warning event occurred.  EventID: 0x80000102

                Time Generated: 04/15/2020   11:15:36

                Event String:

                A pointer device reported a bad angular logical range.

             A warning event occurred.  EventID: 0x80000109

                Time Generated: 04/15/2020   11:15:36

                Event String:

                A pointer device did not report a valid unit of angular measurement.

             A warning event occurred.  EventID: 0x80000101

                Time Generated: 04/15/2020   11:15:36

                Event String:

                A pointer device reported a bad angular physical range.

             A warning event occurred.  EventID: 0x80000102

                Time Generated: 04/15/2020   11:15:36

                Event String:

                A pointer device reported a bad angular logical range.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:15:44

                Event String:

                Driver Adobe PDF Converter required for printer Adobe PDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:15:44

                Event String:

                Driver HP OfficeJet 3830 series required for printer HP5E1E12 (HP OfficeJet 3830 series) is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:15:46

                Event String:

                Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:15:46

                Event String:

                Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:15:47

                Event String:

                Driver Microsoft Software Printer Driver required for printer OneNote is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 04/15/2020   11:15:48

                Event String:

                Driver Send to Microsoft OneNote 16 Driver required for printer Send To OneNote 2016 is unknown. Contact the administrator to install the driver before you log in again.

             ......................... SERVER2 failed test SystemLog

          Starting test: VerifyReferences

             ......................... SERVER2 passed test VerifyReferences

       
       
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       
       Running partition tests on : sariel

          Starting test: CheckSDRefDom

             ......................... sariel passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... sariel passed test CrossRefValidation

       
       Running enterprise tests on : sariel.sede.local

          Starting test: LocatorCheck

             ......................... sariel.sede.local passed test LocatorCheck

          Starting test: Intersite

             ......................... sariel.sede.local passed test Intersite

    Wednesday 15 April 2020 09:20
  • This is ipconfig /all of the main server


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : Server2
       Primary Dns Suffix  . . . . . . . : sariel.sede.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : sariel.sede.local
                                           local

    Ethernet adapter vEthernet (Broadcom NetXtreme Gigabit Ethernet #2 - Virtual Switch):

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
       Physical Address. . . . . . . . . : 20-47-47-81-05-20
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.10.20(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.10.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           192.168.10.250
                                           192.168.10.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter vEthernet (Hyper-V Main Switch):

       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
       Physical Address. . . . . . . . . : 20-47-47-81-05-1E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.10.69(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : sabato 22 febbraio 2020 14.19.18
       Lease Expires . . . . . . . . . . : giovedì 16 aprile 2020 01.10.28
       Default Gateway . . . . . . . . . : 192.168.10.1
       DHCP Server . . . . . . . . . . . : 192.168.10.22
       DNS Servers . . . . . . . . . . . : 192.168.10.20
                                           192.168.10.250
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . : local
       Description . . . . . . . . . . . : iDRAC Virtual NIC USB Device
       Physical Address. . . . . . . . . : 20-47-47-81-05-23
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4004:aa21:e9a6:38f1%15(Preferred) 
       IPv4 Address. . . . . . . . . . . : 169.254.0.2(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : sabato 22 febbraio 2020 14.18.18
       Lease Expires . . . . . . . . . . : mercoledì 22 aprile 2020 14.18.11
       Default Gateway . . . . . . . . . : 
       DHCP Server . . . . . . . . . . . : 169.254.0.1
       DHCPv6 IAID . . . . . . . . . . . : 404768583
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-7C-41-69-20-47-47-81-05-1E
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.local:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{9DD963EA-603B-4C72-8025-8BDB168E53E5}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter isatap.{E0BCF62E-BEB5-4FC6-BC00-F9D3F3CF5133}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Wednesday 15 April 2020 09:22
  • OK, a couple more pieces of information. I'm asking because I think it's best to normalize AD by removing the references to the old DC

    - Is there only one DC (Server2) in the infrastructure?

    I see there is an active DNS pointer to 192.168.10.250; is it another DC?

    As DNS servers, the DC must have itself and the other active DCs, not the router

    Host Name . . . . . . . . . . . . : SERVER2
    IPv4 Address. . . . . . . . . . . : 192.168.10.20
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.10.1
    DNS Servers . . . . . . . . . . . : 192.168.10.20 - 192.168.10.250

    Host Name . . . . . . . . . . . . : SERVER3
    IPv4 Address. . . . . . . . . . . : 192.168.10.19
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.10.1
    DNS Servers . . . . . . . . . . . : 192.168.10.20

    - Why does Server2 have two network adapters, one of which is managed by DHCP?

    - Are the FSMO roles all held by Server2?


    www.testerlab.it

    Wednesday 15 April 2020 09:59
    Moderator
  • The infrastructure is set up as follows:

    - I have two physical servers (Server2 .20 (2012 STD) and Server .250 (2008 STD)) and a virtual server on a Qnap (server5 .108 (2016 STD))
    - Server2 holds the FSMO roles. On Server2 there is a DHCP-configured adapter used for the Hyper-V switch where server3 runs

    - A DFS replication of an archive folder is active across the three servers

    - Server3 was supposed to be demoted from DC to a simple domain member, but what I posted happened.

    Thanks

    Wednesday 15 April 2020 10:21
  • Server2, Server and Server5 are all DCs
    Wednesday 15 April 2020 10:22
  • So on the physical host you have DC + HV; I recommend normalizing all the DNS settings and performing an AD cleanup removing all references to DC3. Remove all AD references to Server3. After completing this activity, run ipconfig /flushdns and clear all the system and replication events.

    Regards
    Nino



    www.testerlab.it

    Wednesday 15 April 2020 10:48
    Moderator
  • Sorry, but what do you mean by normalizing the DNS? I'm a bit green when it comes to DNS server maintenance....

    Thanks for your help..
    Wednesday 15 April 2020 14:47
  • Point each of the two DCs to itself as primary DNS and to the other as secondary. You must remove the router and loopback entries. On server3 use server2 as the only DNS. This is to avoid incorrect DNS queries. After the changes, run ipconfig /flushdns
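The advice above is to remove every reference to Server3 from AD before trying again; the dcdiag output earlier in the thread (error 8456, the missing `SERVER3$` trust account, the DFSR warnings) shows the kinds of leftovers a forced removal leaves behind. The following is an added example, not code from the thread or from Microsoft's documentation: a read-only PowerShell audit, run from a healthy DC, that lists the stale objects metadata cleanup is expected to remove, so the cleanup can be verified before and after. It assumes the RSAT `ActiveDirectory` and `DnsServer` modules are installed, that the removed DC is `SERVER3` and the healthy DC/DNS server is `Server2` (both from the thread), and that the domain DNS zone name equals the AD DNS root; the `_msdcs` zone is only checked if it exists as a separate zone.

```powershell
# Added example (not from the thread): read-only audit of the references a
# forcibly removed DC can leave behind in AD and DNS. Run from a healthy DC.
param(
    [string]$OldDc     = 'SERVER3',   # assumption: name of the removed DC (from the thread)
    [string]$DnsServer = 'Server2'    # assumption: healthy DC hosting DNS (from the thread)
)
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext
$zone     = (Get-ADDomain).DNSRoot            # e.g. sariel.sede.local

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
}

# 1. Server object and its NTDS Settings under CN=Sites: this is what
#    "metadata cleanup" (ntdsutil or the Sites and Services snap-in) removes.
$siteServers = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" `
                            -SearchBase "CN=Sites,$configNC"
foreach ($srv in $siteServers) {
    Add-Finding 'Sites' "server object still present: $($srv.DistinguishedName)"
    Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $srv.DistinguishedName |
        ForEach-Object { Add-Finding 'Sites' "NTDS Settings still present: $($_.DistinguishedName)" }
}

# 2. Computer account: a cleaned-up DC must no longer have primaryGroupID 516
#    (Domain Controllers). Absence of the account explains the "no trust account
#    'SERVER3$'" event seen on Server2 and is handled by a fresh domain join.
$computer = Get-ADComputer -Filter "Name -eq '$OldDc'" -Properties primaryGroupID
if (-not $computer) {
    Add-Finding 'Computer' "no computer account for $OldDc (the server will need to be re-joined)"
} elseif ($computer.primaryGroupID -eq 516) {
    Add-Finding 'Computer' "$OldDc still has primaryGroupID 516 (Domain Controllers)"
}

# 3. DFSR membership (SYSVOL or the archive folder replicated across the servers).
if ($computer) {
    Get-ADObject -LDAPFilter '(objectClass=msDFSR-Member)' -SearchBase $domainNC `
                 -Properties 'msDFSR-ComputerReference' |
        Where-Object { $_.'msDFSR-ComputerReference' -eq $computer.DistinguishedName } |
        ForEach-Object { Add-Finding 'DFSR' "member still references $OldDc : $($_.DistinguishedName)" }
}

# 4. DNS: host A record and any SRV record (_ldap, _kerberos, ...) still advertising
#    the old DC, in the domain zone and in _msdcs if that is a separate zone.
foreach ($z in @($zone, "_msdcs.$zone")) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq $OldDc } |
        ForEach-Object { Add-Finding 'DNS' "A record in ${z}: $($_.HostName) -> $($_.RecordData.IPv4Address)" }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$OldDc.*" } |
        ForEach-Object { Add-Finding 'DNS' "SRV record in ${z}: $($_.HostName) -> $($_.RecordData.DomainName)" }
}

if ($findings.Count -eq 0) {
    "No references to $OldDc found; metadata cleanup looks complete."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once before cleanup to see what is there, and again afterwards: an empty result is the condition under which Server3 can be re-joined as a plain member and the 8456/DFSR errors on Server2 stop recurring.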

    www.testerlab.it

    mercoledì 15 aprile 2020 16:19
    Moderatore
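The DNS rule stated above (a DC lists itself first, the other DC second, and never the router or the loopback address) can be checked and applied with the DnsClient cmdlets. This is an added example, not code from the thread: it reports the current resolver list of one interface against the desired list, flags the loopback and default-gateway entries the advice says to remove, and only changes anything when `-Apply` is given. The interface alias `Ethernet` and the addresses are assumptions taken from the ipconfig output in the thread (Server2 = 192.168.10.20, Server = 192.168.10.250, gateway 192.168.10.1); on Server3, which must use Server2 alone, pass `-Servers 192.168.10.20`.

```powershell
# Added example (not from the thread): audit and optionally correct a DC's DNS
# client settings so they match the advice above. Run on each DC in turn.
param(
    [string]$InterfaceAlias = 'Ethernet',                        # assumption: production NIC alias
    [string[]]$Servers = @('192.168.10.20', '192.168.10.250'),   # self first, partner DC second
    [switch]$Apply
)

# The default gateway is "the router" in the advice; loopback is forbidden on a DC too.
$gateway   = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
              Select-Object -First 1).NextHop
$forbidden = @('127.0.0.1', '::1') + @($gateway | Where-Object { $_ })

# Get-DnsClientServerAddress returns one object per address family; flatten both lists.
$current   = @(Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias |
               ForEach-Object { $_.ServerAddresses })
$currentV4 = @($current | Where-Object { $_ -notmatch ':' })

"Current resolvers on '$InterfaceAlias': $($current -join ', ')"
$bad = @($current | Where-Object { $forbidden -contains $_ })
foreach ($b in $bad) {
    $reason = if ($b -eq $gateway) { 'router' } else { 'loopback' }
    "  REMOVE $b ($reason): a DC must resolve through itself and other DCs only"
}
$missing = @($Servers | Where-Object { $current -notcontains $_ })
foreach ($m in $missing) { "  ADD    $m" }
if (($currentV4 -join ',') -eq ($Servers -join ',')) {
    "  OK: IPv4 resolver list and order already match"
} elseif (-not $bad -and -not $missing) {
    "  REORDER to: $($Servers -join ', ') (own address must be first)"
}

if ($Apply) {
    # Rewrite the static resolver list with the desired addresses in the desired order.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers
    Clear-DnsClientCache      # the "ipconfig /flushdns" step from the advice above
    Register-DnsClient        # re-register this host's records through the new resolvers
    "Applied: $($Servers -join ', ')"
}
```

Note that only the IPv4 list is rewritten here; an IPv6 loopback entry such as the `::1` visible in SERVER3's ipconfig output is reported but not removed by this script. Leaving the gateway out matters beyond tidiness: when a DC's first resolver is a router that forwards to the ISP, locator lookups for `_ldap._tcp` SRV records can fail or time out, which is exactly the class of "incorrect DNS queries" the advice refers to.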