EVENT ID 1645
  • Hi everyone...
    I accidentally deleted an organization unit on the Server 2003 domain of a cluster (two machines).
    After restoring the system state from a backup, none of the users' machines can enter the domain through My Network Places any more....... although by IP they can still connect to the other hosts in the domain....


    In DC1's event log there are only two errors, and they repeat every hour; DC2's errors are similar.
    The Storage Group in the cluster can no longer be used either. I hope you can help resolve this, thanks.

    Event Type:    Error
    Event Source:    NTDS Replication
    Event Category:    DS RPC Client
    Event ID:    1645
    Date:        10/27/2009
    Time:        3:43:02 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:  DC2
    Description:
    Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
     
    Destination domain controller:
    \\dc1.123.com
    SPN:
    GC/dc1.123.com/123.com@123.com
     
    User Action
    Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller’s computer account data to replicate to the KDC before this computer can be authenticated.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type:    Error
    Event Source:    NTDS General
    Event Category:    Global Catalog
    Event ID:    1126
    Date:        10/27/2009
    Time:        3:43:02 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    DC2
    Description:
    Active Directory was unable to establish a connection with the global catalog.
     
    Additional Data
    Error value:
    8430 The directory service encountered an internal failure.
    Internal ID:
    3200c89
     
    User Action:
    Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    • Edited by NicKin, November 4, 2009 3:43 AM
    • Type changed by Vincent Lin, November 16, 2009 2:52 AM: resolved by rebuilding AD
    October 27, 2009 2:17 AM

All replies

  • First confirm the following points:

    1. When you restored the system state, did you restore one DC or both?
    2. Was it an authoritative restore or a non-authoritative restore?
    3. Are DC1 and DC2 the members of the cluster?
    4. Are there any other DCs?


    Microsoft Technical Support Services
    October 28, 2009 2:21 AM
  • Thanks for your reply.
    1. Only DC1 was restored, because only DC1's OU was deleted.... I don't know why DC2 was not affected.
    2. An authoritative restore was used.
    3. The cluster consists of only the two machines dc1 and dc2, and both are Server 2003.
    4. There are no other DCs...

    Looking forward to your reply.
    October 28, 2009 7:17 AM
  • I suggest you run the dcdiag tool on both DCs to check their current state.
    Run the following on each of the two DCs:

    dcdiag -v > C:\dcdiag.txt

    Then upload the two files to a free file host (e.g. http://www.badongo.com) so everyone can take a look.
    Microsoft Technical Support Services
    October 28, 2009 7:44 AM
  • Thanks for the reply, Vincent.

    I have uploaded the Dcdiag results from both DCs; please see the links below.

    DC1
    DC2

    Thanks
    October 29, 2009 7:46 AM
  • Please run the following command on DC1 and DC2, then paste the output here:

    nltest /server:DCx /dsgetdc:xxx.com /gc  (substitute the values for your environment)

    This problem may be caused by no Global Catalog (GC) being found in your AD environment.
    Microsoft Technical Support Services
    October 29, 2009 8:29 AM
  • Thanks Vincent,

    here are the results after running the command on DC1 and DC2:

    DC1-nltest

    DC: \\DC1.DomainA.Domain.com
    Address: \\10.1.254.1
    Dom Guid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    Dom Name: DomainA.Domain.com
    Forest Name: DomainA.Domain.com
    Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
    Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
    The command completed successfully

    DC2-nltest
    DC: \\DC1.DomainA.Domain.com
    Address: \\10.1.30.1
    Dom Guid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    Dom Name: DomainA.Domain.com
    Forest Name: DomainA.Domain.com
    Dc Site Name: Default-First-Site-Name
    Our Site Name: Default-First-Site-Name
    Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
    The command completed successfully

    Regards.

    October 29, 2009 9:54 AM
  • Which DNS server IP does each of the two DCs point to?
    On that DNS server, check whether the following CNAME record exists:

    Forward lookup zone - _msdcs.DomainA.Domain.com - "89951d47-b949-4e06-af1f-3702b1129239"

    If it does not, please manually add an alias (CNAME):
    Alias name: 89951d47-b949-4e06-af1f-3702b1129239
    Fully qualified domain name of target host: DC1.DomainA.Domain.com

    Then see whether things improve.


    Microsoft Technical Support Services
    November 3, 2009 4:04 AM
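The checks the two replies above ask for (the nltest /dsgetdc /gc locator test, and the _msdcs CNAME for the DC's DSA GUID), together with the SPN quoted in the Event ID 1645 text, as an added PowerShell example that is not part of the thread. It assumes a domain-joined management host with RSAT (the ActiveDirectory and DnsClient modules), which did not exist on Server 2003; the SPN, DC and DNS server values are the thread's own placeholders and are assumptions to replace for a real environment.

```powershell
# Added example, not from the thread. For the SPN quoted in Event ID 1645 it checks
# (1) whether the SPN is on the destination DC's computer account,
# (2) whether the DC's NTDS Settings GUID has its CNAME under _msdcs.<forest>, and
# (3) whether the GC locator (nltest /dsgetdc /gc) succeeds.
# Assumes RSAT (ActiveDirectory + DnsClient modules) on a domain-joined host.
param(
    # Values below are the thread's placeholders (assumptions); replace for your environment.
    [string]$Spn       = 'GC/DC1.DomainA.Domain.com/DomainA.Domain.com',
    [string]$DnsServer = '10.1.30.1'   # the DNS server both DCs point at (DC2 in the thread)
)

Import-Module ActiveDirectory -ErrorAction Stop

# GC SPNs have the form GC/<dc fqdn>/<forest root dns name>
$parts = $Spn -split '/'
if ($parts.Count -ne 3 -or $parts[0] -ne 'GC') { throw "Not a GC SPN: $Spn" }
$DcFqdn = $parts[1]
$Forest = $parts[2]
$DcName = ($DcFqdn -split '\.')[0]

$report = [ordered]@{ Spn = $Spn }

# (1) SPN registration. Event 1645 means the KDC asked for a ticket to this SPN found
#     no account carrying it, so ask the directory what the computer object holds.
$dc       = Get-ADDomainController -Identity $DcName -ErrorAction Stop
$computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName
$report.SpnOnComputerAccount = [bool]($computer.servicePrincipalName -contains $Spn)
$report.IsGlobalCatalog      = $dc.IsGlobalCatalog

# (2) _msdcs CNAME. Replication partners resolve <NTDS Settings objectGUID>._msdcs.<forest>
#     to reach the DC; the GUID in the reply above is exactly this record.
$ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN
$cname = '{0}._msdcs.{1}' -f $ntds.ObjectGUID, $Forest
$report.MsdcsCname = $cname
try {
    $answer = Resolve-DnsName -Name $cname -Type CNAME -Server $DnsServer -ErrorAction Stop
    $target = ($answer | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    $report.CnameTarget = $target
    # The alias must point at the DC the SPN names, not merely exist.
    $report.CnameMatchesDc = [bool]($target -and ($target.TrimEnd('.') -ieq $DcFqdn))
} catch {
    $report.CnameTarget    = $null
    $report.CnameMatchesDc = $false
}

# (3) GC locator, the same test as the nltest command in the reply above.
$nltest = & nltest.exe "/dsgetdc:$Forest" /gc 2>&1
$report.GcLocatorOk     = ($LASTEXITCODE -eq 0)
$report.GcLocatorOutput = ($nltest | Where-Object { $_ -match '^\s*(DC|Flags):' }) -join '; '

[pscustomobject]$report | Format-List
```

All three results should be true for the DC the SPN names; a missing or mismatched CNAME target is the case the reply above asks to fix by adding the alias by hand. On the Server 2003 DCs in the thread itself the equivalent checks are `setspn -L DC1` (Support Tools), an `nslookup` of the same `<guid>._msdcs.<forest>` name against the DNS server, and the nltest line already given.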
  • Thanks Vincent.
    Both point to the DNS server on dc2.


    Below is the DNS event log from dc2. I had assumed it was irrelevant, so I had not posted it before. Thanks for your kind help.
    Event Type:    Error
    Event Source:    DNS
    Event Category:    None
    Event ID:    4001
    Date:        10/22/2009
    Time:        4:19:36 PM
    User:        N/A
    Computer:    DC2
    Description:
    The DNS server was unable to open zone 30.1.10.in-addr.arpa in the Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 03 d6 11 00               .?.   
    --------------------------------------------------------
    Event Type:    Error
    Event Source:    DNS
    Event Category:    None
    Event ID:    4015
    Date:        10/22/2009
    Time:        3:34:29 PM
    User:        N/A
    Computer:    DC2
    Description:
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 51 00 00 00               Q...   
    --------------------------------------------------------
    Event Type:    Error
    Event Source:    NTDS General
    Event Category:    Global Catalog
    Event ID:    1126
    Date:        10/27/2009
    Time:        4:43:02 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    DC2
    Description:
    Active Directory was unable to establish a connection with the global catalog.
     
    Additional Data
    Error value:
    8430 The directory service encountered an internal failure.
    Internal ID:
    3200c89
     
    User Action:
    Make sure a global catalog is available in the forest, and is reachable from this domain controller.  You may use the nltest utility to diagnose this problem.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    -------------------------------------------------------
    Event Type:    Error
    Event Source:    NTDS Replication
    Event Category:    DS RPC Client
    Event ID:    1645
    Date:        10/27/2009
    Time:        4:43:02 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    DC2
    Description:
    Active Directory did not perform an authenticated remote procedure call (RPC) to another domain controller because the desired service principal name (SPN) for the destination domain controller is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.
     
    Destination domain controller:
    \\DC1.DomainA.Domain.com
    SPN:
    GC/DC1.DomainA.Domain.com/DomainA.Domain.com@DomainA.Domain.com
     
    User Action
    Verify that the names of the destination domain controller and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination domain controller has been recently promoted, it will be necessary for the local domain controller computer account data to replicate to the KDC before this computer can be authenticated.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    -------------------------------------------------------
    Event Type:    Error
    Event Source:    DNS
    Event Category:    None
    Event ID:    4007
    Date:        10/22/2009
    Time:        4:19:36 PM
    User:        N/A
    Computer:    DC2
    Description:
    The DNS server was unable to open zone DomainA.Domain.com in the Active Directory from the application directory partition DomainDnsZones.DomainA.Domain.com. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 0d 00 00 00               ....   
    November 4, 2009 3:52 AM
  • Have you checked the DNS record I mentioned in my previous reply? Does that record exist, and if not, have you created it yet?

    Do the DNS messages also appear every hour, or only at boot?
    Try restarting the DNS service and see whether it improves.

    Finally, please collect some system information from each of the two DCs so I can analyse it and see whether any problems show up:

    Microsoft Product Support Reports
    http://www.microsoft.com/downloads/details.aspx?familyid=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en

    When it runs, it asks which items to collect; please tick all of them. At the end choose to save the file; it produces a .cab archive.
    Then upload the file to the workspace below (enter the password directly after opening it):

    https://sftasia.one.microsoft.com/choosetransfer.aspx?key=556ed802-944b-4007-9ff9-0cc466e421f4

    Password: gH*3G]qrf89Lr@


    Microsoft Technical Support Services
    November 4, 2009 6:32 AM
  • Thanks for the reply, VINCENT.
    That DNS record was not there.... and adding it made no difference....
    But the AD problems were too many... including all users being unable to log on.....
    So over the past few days I rebuilt AD and DNS directly... to replace... the AD service on the existing DC1... and the DNS service on DC2.
    November 9, 2009 10:12 AM