Active Directory Status Check Question - DCdiag

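  • Question

    Hi everyone! Recently, while preparing to install Exchange 2007, I used the Dcdiag tool to check the status of our DCs.

    I found that one of them shows a Warning when checked, and as a result the Exchange 2007 installation is not going smoothly either.

    I am pasting the log here; could you experts please take a look and advise how to deal with it? I have also marked the part with the Warning in red.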

     


    Domain Controller Diagnosis

    Performing initial setup:
       * Connecting to directory service on server computerA.
       * Collecting site info.
       * Identifying all servers.
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests
      
       Testing server: Default-First-Site-Name\computerA
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... computerA passed test Connectivity

    Doing primary tests
      
       Testing server: Default-First-Site-Name\computerA
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=DomainB,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=DomainDnsZones,DC=DomainB,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Schema,CN=Configuration,DC=DomainB,DC=com
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Configuration,DC=DomainB,DC=com
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=DomainB,DC=com
                   Latency information for 6 entries in the vector were ignored.
                      6 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
             ......................... computerA passed test Replications
          Starting test: Topology
             * Configuration Topology Integrity Check
             * Analyzing the connection topology for DC=ForestDnsZones,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=DomainDnsZones,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for CN=Configuration,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the connection topology for DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... computerA passed test Topology
          Starting test: CutoffServers
             * Configuration Topology Aliveness Check
             * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for CN=Configuration,DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             * Analyzing the alive system replication topology for DC=DomainB,DC=com.
             * Performing upstream (of target) analysis.
             * Performing downstream (of target) analysis.
             ......................... computerA passed test CutoffServers
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC computerA.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=DomainB,DC=com
                (NDNC,Version 2)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=DomainB,DC=com
                (NDNC,Version 2)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=DomainB,DC=com
                (Schema,Version 2)
             * Security Permissions Check for
               CN=Configuration,DC=DomainB,DC=com
                (Configuration,Version 2)
             * Security Permissions Check for
               DC=DomainB,DC=com
                (Domain,Version 2)
             ......................... computerA passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\computerA\netlogon
             Verified share \\computerA\sysvol
             ......................... computerA passed test NetLogons
          Starting test: Advertising
             The DC computerA is advertising itself as a DC and having a DS.
             The DC computerA is advertising as an LDAP server
             The DC computerA is advertising as having a writeable directory
             The DC computerA is advertising as a Key Distribution Center
             The DC computerA is advertising as a time server
             ......................... computerA passed test Advertising
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=ComputerC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com
             Role Domain Owner = CN=NTDS Settings,CN=ComputerC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com
             Role PDC Owner = CN=NTDS Settings,CN=ComputerC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com
             Role Rid Owner = CN=NTDS Settings,CN=ComputerC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=computerA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com
             ......................... computerA passed test KnowsOfRoleHolders
          Starting test: RidManager
             * Available RID Pool for the Domain is 12113 to 1073741823
             * ComputerC.DomainB.com is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 11113 to 11612
             * rIDPreviousAllocationPool is 8113 to 8612
             * rIDNextRID: 8444
             ......................... computerA passed test RidManager
          Starting test: MachineAccount
             Checking machine account for DC computerA on DC computerA.
             * SPN found :LDAP/computerA.DomainB.com/DomainB.com
             * SPN found :LDAP/computerA.DomainB.com
             * SPN found :LDAP/computerA
             * SPN found :LDAP/computerA.DomainB.com/DomainB
             * SPN found :LDAP/48aeb3fe-3f49-4e03-bb66-f1b6f57e40e8._msdcs.DomainB.com
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/48aeb3fe-3f49-4e03-bb66-f1b6f57e40e8/DomainB.com
             * SPN found :HOST/computerA.DomainB.com/DomainB.com
             * SPN found :HOST/computerA.DomainB.com
             * SPN found :HOST/computerA
             * SPN found :HOST/computerA.DomainB.com/DomainB
             * SPN found :GC/computerA.DomainB.com/DomainB.com
             ......................... computerA passed test MachineAccount
          Starting test: Services
             * Checking Service: Dnscache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: RpcSs
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... computerA passed test Services
          Starting test: OutboundSecureChannels
             * The Outbound Secure Channels test
             ** Did not run Outbound Secure Channels test
             because /testdomain: was not entered
             ......................... computerA passed test OutboundSecureChannels
          Starting test: ObjectsReplicated
             computerA is in domain DC=DomainB,DC=com
             Checking for CN=computerA,OU=Domain Controllers,DC=DomainB,DC=com in domain DC=DomainB,DC=com on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=computerA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com in domain CN=Configuration,DC=DomainB,DC=com on 1 servers
                Object is up-to-date on all servers.
             ......................... computerA passed test ObjectsReplicated
          Starting test: frssysvol
             * The File Replication Service SYSVOL ready test
             File Replication Service's SYSVOL is ready
             ......................... computerA passed test frssysvol
          Starting test: frsevent
             * The File Replication Service Event log test
             ......................... computerA passed test frsevent
          Starting test: kccevent
             * The KCC Event log test
             Found no KCC errors in Directory Service Event log in the last 15 minutes.
             ......................... computerA passed test kccevent
          Starting test: systemlog
             * The System Event log test
             Found no errors in System Event log in the last 60 minutes.
             ......................... computerA passed test systemlog
          Starting test: VerifyReplicas
             ......................... computerA passed test VerifyReplicas
          Starting test: VerifyReferences
             The system object reference (serverReference)

             CN=computerA,OU=Domain Controllers,DC=DomainB,DC=com and backlink on

             CN=computerA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com

             are correct.
             The system object reference (frsComputerReferenceBL)

             CN=computerA,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DomainB,DC=com

             and backlink on CN=computerA,OU=Domain Controllers,DC=DomainB,DC=com are

             correct.
             The system object reference (serverReferenceBL)

             CN=computerA,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DomainB,DC=com

             and backlink on

             CN=NTDS Settings,CN=computerA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=DomainB,DC=com

             are correct.
             ......................... computerA passed test VerifyReferences
          Starting test: VerifyEnterpriseReferences
             ......................... computerA passed test VerifyEnterpriseReferences
          Starting test: CheckSecurityError
             * Dr Auth:  Beginning security errors check!
             Found KDC ComputerC for domain DomainB.com in site Default-First-Site-Name
             Checking machine account for DC computerA on DC ComputerC.
             * SPN found :LDAP/computerA.DomainB.com/DomainB.com
             * SPN found :LDAP/computerA.DomainB.com
             * SPN found :LDAP/computerA
             * SPN found :LDAP/computerA.DomainB.com/DomainB
             * SPN found :LDAP/48aeb3fe-3f49-4e03-bb66-f1b6f57e40e8._msdcs.DomainB.com
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/48aeb3fe-3f49-4e03-bb66-f1b6f57e40e8/DomainB.com
             * SPN found :HOST/computerA.DomainB.com/DomainB.com
             * SPN found :HOST/computerA.DomainB.com
             * SPN found :HOST/computerA
             * SPN found :HOST/computerA.DomainB.com/DomainB
             * SPN found :GC/computerA.DomainB.com/DomainB.com
             Checking for CN=computerA,OU=Domain Controllers,DC=DomainB,DC=com in domain DC=DomainB,DC=com on 2 servers
                Object is up-to-date on all servers.
             [computerA] No security related replication errors were found on this DC!  To target the connection to a specific source DC use /ReplSource:<DC>.
             ......................... computerA passed test CheckSecurityError
      
       Running partition tests on : ForestDnsZones
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
      
       Running partition tests on : DomainDnsZones
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
      
       Running partition tests on : Schema
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
      
       Running partition tests on : Configuration
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
      
       Running partition tests on : DomainB
          Starting test: CrossRefValidation
             ......................... DomainB passed test CrossRefValidation
          Starting test: CheckSDRefDom
             ......................... DomainB passed test CheckSDRefDom
      
       Running enterprise tests on : DomainB.com
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope

             provided by the command line arguments provided.
             ......................... DomainB.com passed test Intersite
          Starting test: FsmoCheck
             GC Name: \\ComputerC.DomainB.com
             Locator Flags: 0xe00003fd
             PDC Name: \\ComputerC.DomainB.com
             Locator Flags: 0xe00003fd
             Time Server Name: \\computerA.DomainB.com
             Locator Flags: 0xe00001f8
             Preferred Time Server Name: \\ComputerC.DomainB.com
             Locator Flags: 0xe00003fd
             KDC Name: \\computerA.DomainB.com
             Locator Flags: 0xe00001f8
             ......................... DomainB.com passed test FsmoCheck
          Starting test: DNS
             Test results for domain controllers:
               
                DC: computerA.DomainB.com
                Domain: DomainB.com

                     
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                     
                   TEST: Basic (Basc)
                       Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000007] VMware Accelerated AMD PCNet Adapter:
                         MAC address is 00:50:56:A7:7C:A0
                         IP address is static
                         IP address: 172.16.1.1
                         DNS servers:
                            172.16.1.10 (<name unavailable>) [Valid]
                            172.16.1.1 (<name unavailable>) [Valid]
                      The A record for this DC was found
                      The SOA record for the Active Directory zone was found
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                      [Error details: 1753 (Type: Win32 - Description: There are no more endpoints available from the endpoint mapper.)]
            
             Summary of test results for DNS servers used by the above domain controllers:

                DNS server: 172.16.1.1 (<name unavailable>)
                   All tests passed on this DNS server
                   This is a valid DNS server.
                   Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
                  
                DNS server: 172.16.1.10 (<name unavailable>)
                   All tests passed on this DNS server
                   This is a valid DNS server.
                   Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
                  
             Summary of DNS test results:
            
                                                Auth Basc Forw Del  Dyn  RReg Ext 
                   ________________________________________________________________
                Domain: DomainB.com
                   computerA                     PASS WARN n/a  n/a  n/a  n/a  n/a 
            
             ......................... DomainB.com passed test DNS

    May 14, 2008, 5:24 AM
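
The log above ends with "passed test DNS" even though the Basc subtest is WARN with Win32 error 1753, so the per-test summary lines alone hide the finding. The following Python is an added example, not part of the original thread: it parses dcdiag verbose output and lists failed tests, Warning lines with their error codes, and WARN/FAIL cells of the DNS summary table. The function names are hypothetical and the sample input is a constructed excerpt in the format of the posted log.

```python
import re

# Constructed sample: a short excerpt in the format of the dcdiag log posted above.
SAMPLE = """\
      Starting test: Connectivity
         ......................... computerA passed test Connectivity
      Starting test: DNS
                  DC is a DNS server
                  Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
                  [Error details: 1753 (Type: Win32 - Description: There are no more endpoints available from the endpoint mapper.)]
                                            Auth Basc Forw Del  Dyn  RReg Ext 
               ________________________________________________________________
            Domain: DomainB.com
               computerA                     PASS WARN n/a  n/a  n/a  n/a  n/a 
         ......................... DomainB.com passed test DNS
"""

START = re.compile(r"Starting test: (\S+)")
RESULT = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\S+)")
DETAIL = re.compile(r"\[Error details: (\d+) \(Type: (\w+) - Description: (.*?)\)\]")
STATES = {"PASS", "WARN", "FAIL", "n/a"}

def parse_dcdiag(text):
    """Return (results, warnings, dns_matrix) parsed from dcdiag verbose output."""
    results, warnings, matrix = {}, [], {}
    current, columns = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := START.search(line):
            current = m.group(1)                      # test now running
        elif m := RESULT.search(line):
            results[(m.group(1), m.group(3))] = m.group(2)
        elif line.startswith("Warning:"):
            warnings.append({"test": current, "message": line, "code": None})
        elif (m := DETAIL.search(line)) and warnings:
            warnings[-1]["code"] = int(m.group(1))    # attach code to preceding warning
        elif line.split()[:2] == ["Auth", "Basc"]:
            columns = line.split()                    # header of the DNS summary table
        elif columns:
            cells = line.split()
            if len(cells) == len(columns) + 1 and set(cells[1:]) <= STATES:
                matrix[cells[0]] = dict(zip(columns, cells[1:]))
    return results, warnings, matrix

def needs_attention(text):
    """List findings that a 'passed test' summary line would hide."""
    results, warnings, matrix = parse_dcdiag(text)
    findings = [f"{host}: test {test} failed"
                for (host, test), outcome in results.items() if outcome == "failed"]
    findings += [f"{w['test']}: {w['message']} (code {w['code']})" for w in warnings]
    findings += [f"{host}: DNS subtest {col} = {val}"
                 for host, row in matrix.items()
                 for col, val in row.items() if val in ("WARN", "FAIL")]
    return findings

if __name__ == "__main__":
    for finding in needs_attention(SAMPLE):
        print(finding)
```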

All replies

  • Dear Ryan,

    Have you looked at this KB article? The solution is at the end of the article.
    May 14, 2008, 5:41 AM
  • Dear Jimmy,

    Hello, I had looked at it before!

    This time I followed the steps and found that

    HKEY_Local_Machine\Software\Microsoft\Rpc is missing ncacn_nb_tcp REG_SZ rpcrt4.dll

    Using PortQry -n problem_server -o 1094,1025,1029,6004

    only 1025 is Listening.

    It looks like 1024-65535 is blocked!

    Where can I open these ports?

    My OS is Windows 2003 SP2.

    Thanks

    Ryan

    May 14, 2008, 7:09 AM
  • Dear Jimmy,

    Also, when running PortQry on the other machine, 1094,1025,1029,6004 are all Not Listening.

    Please give me a suggestion.

    May 14, 2008, 7:11 AM
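  • Dear Ryan,

    Judging from your log, DNS appears to be installed on the DC and the service is running normally; it is just that the DC cannot make an RPC connection to DNS.
    I suggest two approaches you can try.
    1. Following the KB mentioned above, verify every step one by one, for example that the information in the registry matches the KB (please add any missing values manually),
       open the blocked ports (see this KB), and so on.
    2. Turn off the firewall on the DC and run DcDiag again.

    Also, are there any related entries in the Event Viewer on your DC?
    May 14, 2008, 1:04 PM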
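  • Dear Jimmy,

    Let me describe our environment to you!

    We have two DCs, both Windows 2003 Standard 32bit + SP2. The firewall is not enabled on either of them.

    I followed the first KB, but so far this is what I found regarding listening ports:

    On DCA, 1094, 1029, 6004 are not listening and 1025 is listening; on DCB (GC), all four ports are not listening.

    There are no related Warnings in the Event Log of either DC.

    Do you have any suggestions? Or is there anything I should capture so you can help me analyze it?

    I have been searching for a long time and still have not found a solution. Sorry to trouble you.

    Thanks

    Ryan

    May 15, 2008, 5:02 AM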