你好Candy,
今天发现Server-d上不再显示ID:1126 “Active Directory 域服务无法建立与全局编录的连接”这个错误了。于是在Server-d上重新添加了DNS角色,DNS服务未报错,可以正常运行了。
但是两台服务器之间还是无法进行AD复制,无论在server-d或者server-f上的站点和服务中,手动执行复制,都会返回错误信息:“在尝试同步从域控制器SERVER-D到域控制器SERVER-F的命名上下文wellsigned.com时出现如下错误:目标主要名称不正确”。此操作不能继续。
在Server-d上以管理员身份执行Dcdiag.exe,返回结果如下:
目录服务器诊断
正在执行初始化设置:
正在尝试查找主服务器...
* 正在验证本地计算机 Server-D 是否为目录服务器。
主服务器 = Server-D
* 正在连接到服务器 Server-D 上的目录服务。
* 已识别的 AD 林。
Collecting AD specific global data
* 正在收集站点信息。
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wellsigned,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
Getting ISTG and options for the site
* 正在标识所有服务器。
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wellsigned,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=SERVER-F,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* 标识所有 NC 交叉引用。
* 找到 2 DC。正在测试其中的 1。
已完成收集初始化信息。
正在进行所需的初始化测试
正在测试服务器: Default-First-Site-Name\SERVER-D
开始测试: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... SERVER-D 已通过测试 Connectivity
正在执行主要测试
正在测试服务器: Default-First-Site-Name\SERVER-D
开始测试: Advertising
The DC SERVER-D is advertising itself as a DC and having a DS.
The DC SERVER-D is advertising as an LDAP server
The DC SERVER-D is advertising as having a writeable directory
The DC SERVER-D is advertising as a Key Distribution Center
The DC SERVER-D is advertising as a time server
The DS SERVER-D is advertising as a GC.
......................... SERVER-D 已通过测试 Advertising
用户请求忽略的测试: CheckSecurityError
用户请求忽略的测试: CutoffServers
开始测试: FrsEvent
* 文件复制服务事件日志测试
SYSVOL 共享后的最近 24 小时内出现了警告或错误事件。 失败的 SYSVOL 复制问题可能导致组策略问题。
发生了一个警告事件。EventID: 0x800034C4
生成时间: 08/21/2017 06:57:37
事件字符串:
文件复制服务有困难启用复制: 从 SERVER-F 到 SERVER-D 为 c:\windows\sysvol\domain 用 DNS 名称 server-f.wellsigned.com。FRS 将继续重试。
以下是您看到此警告的一些原因。
[1] FRS 不能从此计算机正确解析此 DNS 名称 server-f.wellsigned.com。
[2] FRS 不在 server-f.wellsigned.com 上运行。
[3] Active Directory 域服务里此副件的拓扑信息还没有复制到所有域控制器。
这个事件纪录消息将每个连接出现一次。问题解决后,您将看到另一个事件日志消息, 它表明连接被建立。
......................... SERVER-D 已通过测试 FrsEvent
开始测试: DFSREvent
The DFS Replication Event Log.
跳过该测试,因为服务器正在运行 FRS。
......................... SERVER-D 已通过测试 DFSREvent
开始测试: SysVolCheck
* 该文件复制服务 SYSVOL 已准备好测试
文件复制服务的 SYSVOL 已就绪
......................... SERVER-D 已通过测试 SysVolCheck
开始测试: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... SERVER-D 已通过测试 KccEvent
开始测试: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
Role Domain Owner = CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
Role PDC Owner = CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
Role Rid Owner = CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
......................... SERVER-D 已通过测试 KnowsOfRoleHolders
开始测试: MachineAccount
Checking machine account for DC SERVER-D on DC SERVER-D.
* SPN found :LDAP/Server-D.wellsigned.com/wellsigned.com
* SPN found :LDAP/Server-D.wellsigned.com
* SPN found :LDAP/SERVER-D
* SPN found :LDAP/Server-D.wellsigned.com/WELLSIGNED
* SPN found :LDAP/f9b466b9-13e0-4bdb-875b-cf007eb4c328._msdcs.wellsigned.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f9b466b9-13e0-4bdb-875b-cf007eb4c328/wellsigned.com
* SPN found :HOST/Server-D.wellsigned.com/wellsigned.com
* SPN found :HOST/Server-D.wellsigned.com
* SPN found :HOST/SERVER-D
* SPN found :HOST/Server-D.wellsigned.com/WELLSIGNED
* SPN found :GC/Server-D.wellsigned.com/wellsigned.com
......................... SERVER-D 已通过测试 MachineAccount
开始测试: NCSecDesc
* Security Permissions check for all NC's on DC SERVER-D.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* 安全权限检查
CN=Schema,CN=Configuration,DC=wellsigned,DC=com
(Schema,Version 3)
* 安全权限检查
CN=Configuration,DC=wellsigned,DC=com
(Configuration,Version 3)
* 安全权限检查
DC=wellsigned,DC=com
(Domain,Version 3)
......................... SERVER-D 已通过测试 NCSecDesc
开始测试: NetLogons
* Network Logons Privileges Check
Verified share \\SERVER-D\netlogon
Verified share \\SERVER-D\sysvol
......................... SERVER-D 已通过测试 NetLogons
开始测试: ObjectsReplicated
SERVER-D is in domain DC=wellsigned,DC=com
Checking for CN=SERVER-D,OU=Domain Controllers,DC=wellsigned,DC=com in domain DC=wellsigned,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com in domain CN=Configuration,DC=wellsigned,DC=com on 1 servers
Object is up-to-date on all servers.
......................... SERVER-D 已通过测试 ObjectsReplicated
用户请求忽略的测试: OutboundSecureChannels
开始测试: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=wellsigned,DC=com
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=wellsigned,DC=com
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=wellsigned,DC=com
Latency information for 3 entries in the vector were ignored.
3 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
......................... SERVER-D 已通过测试 Replications
开始测试: RidManager
* Available RID Pool for the Domain is 4603 to 1073741823
* Server-D.wellsigned.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3114
......................... SERVER-D 已通过测试 RidManager
开始测试: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... SERVER-D 已通过测试 Services
开始测试: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... SERVER-D 已通过测试 SystemLog
用户请求忽略的测试: Topology
用户请求忽略的测试: VerifyEnterpriseReferences
开始测试: VerifyReferences
系统对象参考(serverReference)
CN=SERVER-D,OU=Domain Controllers,DC=wellsigned,DC=com 和
CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
上的反向链接正确。
系统对象参考(serverReferenceBL)
CN=SERVER-D,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=wellsigned,DC=com
和
CN=NTDS Settings,CN=SERVER-D,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wellsigned,DC=com
上的反向链接正确。
系统对象参考(frsComputerReferenceBL)
CN=SERVER-D,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=wellsigned,DC=com
和 CN=SERVER-D,OU=Domain Controllers,DC=wellsigned,DC=com 上的反向链接正确。
......................... SERVER-D 已通过测试 VerifyReferences
用户请求忽略的测试: VerifyReplicas
用户请求忽略的测试: DNS
用户请求忽略的测试: DNS
正在 Schema
上运行分区测试
开始测试: CheckSDRefDom
......................... Schema 已通过测试 CheckSDRefDom
开始测试: CrossRefValidation
......................... Schema 已通过测试 CrossRefValidation
正在 Configuration
上运行分区测试
开始测试: CheckSDRefDom
......................... Configuration 已通过测试 CheckSDRefDom
开始测试: CrossRefValidation
......................... Configuration 已通过测试 CrossRefValidation
正在 wellsigned
上运行分区测试
开始测试: CheckSDRefDom
......................... wellsigned 已通过测试 CheckSDRefDom
开始测试: CrossRefValidation
......................... wellsigned 已通过测试 CrossRefValidation
正在 wellsigned.com
上运行企业测试
用户请求忽略的测试: DNS
用户请求忽略的测试: DNS
开始测试: LocatorCheck
GC 名称: \\Server-D.wellsigned.com
Locator Flags: 0xe00033fd
PDC Name: \\Server-D.wellsigned.com
Locator Flags: 0xe00033fd
Time Server Name: \\Server-D.wellsigned.com
Locator Flags: 0xe00033fd
Preferred Time Server Name: \\Server-D.wellsigned.com
Locator Flags: 0xe00033fd
KDC Name: \\Server-D.wellsigned.com
Locator Flags: 0xe00033fd
......................... wellsigned.com 已通过测试 LocatorCheck
开始测试: Intersite
正在跳过站点 Default-First-Site-Name,该站点位于给定命令 行参数提供的范围之外。
......................... wellsigned.com 已通过测试 Intersite
同时,发现在Server-f的事件记录中,持续出现Kerberos错误ID4:如下
Kerberos 客户端收到了来自服务器 server-d$ 的 KRB_AP_ERR_MODIFIED 错误。使用的目标名称为 RPCSS/SERVER-D.wellsigned.com。这表明目标服务器无法解密客户端提供的票证。如果不是在目标服务正在使用的帐户上注册目标服务器主体名称(SPN),则会出现该问题。请确保仅在服务器使用的帐户上注册目标 SPN。如果目标服务使用的目标服务帐户密码与 Kerberos 密钥发行中心上配置的密码不同,也会出现该问题。请确保服务器和 KDC 上的服务均配置为使用同一密码。如果服务器名称未完全限定,并且目标域(WELLSIGNED.COM)与客户端域(WELLSIGNED.COM)不同,则请检查这两个域中是否有相同名称的服务器帐户,或使用完全限定的名称标识服务器。
还发现在Server-f的事件记录中,持续出现DCOM错误ID10028:
DCOM无法使用任何配置的协议与计算机SERVER-D.wellsigned.com进行通讯;请求人PID 8ac(c:\windows\system32\ServerManager.exe)。
请问下一步如何排查?
Thanks & best regards,
XuDavid
