Active Directory/DNS 问题

Active Directory/DNS 问题

由于某种原因,我的本地域名解析出现了一些问题。我的整个网络的简要描述如下:我们有两个办公室。每个办公室都有自己的 DC 和防火墙,但两个办公室相互复制。现在,其中一个办公室网络运行正常,我遇到问题的就是我目前所在的网络。

例如,我可以访问 \\server1\myshare,但无法访问当前网络上的 \\mydomain.net\myshare。在另一个网络上,一切正常。现在,当我在 server1 上使用 RDP 时,我可以随机访问域,但其他时候则无法访问。我相信我已经找到了罪魁祸首,但我甚至不确定如何开始修复此问题。以下是 dcdiag 输出:

C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BGS-HQ-VRDSVR01
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server BGS-CP-VRDSVR01,
   return value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:
   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail
   because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Starting test: Connectivity
         The host 6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... BGS-HQ-VRDSVR01 failed test Connectivity

Doing primary tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Skipping all tests, because server BGS-HQ-VRDSVR01 is not responding to

现在...有趣的部分是,我运行了以下命令:

C:\Users\Administrator>nslookup 6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.bill
sgs.net
Server:  bgs-hq-vrdsvr01.billsgs.net
Address:  192.168.40.13

Name:    bgs-hq-vrdsvr01.billsgs.net
Address:  192.168.40.13
Aliases:  6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net

任何关于此的建议都将不胜感激。我是一名程序员,而不是网络管理员,所以我当然不了解很多与此相关的调试技术,尤其是 Windows 服务器。

另外,顺便提一下,我们暂时禁用了复制服务器,因为出于某种原因,它实际上占用了服务器上所有的 12gb RAM。我不确定这是否相关,但目前它被搁置了。

编辑:很抱歉,我们正在运行 Windows Server 2008 R2,下面是来自服务器的 ipconfig /all。

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : BGS-HQ-VRDSVR01
   Primary Dns Suffix  . . . . . . . : billsgs.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : billsgs.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-03-BA-38
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.40.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.40.254
   DNS Servers . . . . . . . . . . . : 192.168.40.13
                                       192.168.40.254
   Primary WINS Server . . . . . . . : 192.168.40.13
   Secondary WINS Server . . . . . . : 192.168.41.17
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{ADEC15A8-2603-40EB-964C-489CCBD11E08}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

编辑:这是我运行的 DNS 测试的输出。

C:\Users\Administrator>dcdiag /test:DNS

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = BGS-HQ-VRDSVR01
   * Identified AD Forest.
   Ldap search capabality attribute search failed on server BGS-CP-VRDSVR01, return value = 81
   Got error while checking if the DC is using FRS or DFSR. Error: Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
   Done gathering initial info.

Doing initial required tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01
      Starting test: Connectivity
         The host 6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
         ......................... BGS-HQ-VRDSVR01 failed test Connectivity

Doing primary tests

   Testing server: BGS-HQ\BGS-HQ-VRDSVR01

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... BGS-HQ-VRDSVR01 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : billsgs

   Running enterprise tests on : billsgs.net
      Starting test: DNS
         Test results for domain controllers:

            DC: BGS-HQ-VRDSVR01.billsgs.net
            Domain: billsgs.net


               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Warning: adapter [00000007] Intel(R) PRO/1000 MT Network Connection has invalid DNS server: 192.168.40.254 (<name unavailable>)
                  No host records (A or AAAA) were found for this DC

               TEST: Forwarders/Root hints (Forw)
                  Error: All forwarders in the forwarder list are invalid.
                  Error: Both root hints and forwarders are not configured or broken. Please make sure at least one of them works.

               TEST: Delegations (Del)
                  Error: DNS server: bgs-cp-vrdsvr01.billsgs.net. IP:192.168.41.17 [Broken delegated domain _msdcs.billsgs.net.]
                  Error: DNS server: bgs-cp-vrdsvr01.billsgs.net. IP:192.168.41.17 [Broken delegated domain cp.billsgs.net.]

               TEST: Dynamic update (Dyn)
                  Warning: Failed to add the test record dcdiag-test-record in zone billsgs.net

               TEST: Records registration (RReg)
                  Network Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
                     Warning:
                     Missing CNAME record at DNS server 192.168.40.254:
                     6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.22017278-29d1-493a-b72d-e44b31411a70.domains._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _kerberos._tcp.dc._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.dc._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _kerberos._tcp.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _kerberos._udp.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _kpasswd._tcp.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.BGS-HQ._sites.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _kerberos._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _kerberos._tcp.BGS-HQ._sites.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.gc._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _gc._tcp.BGS-HQ._sites.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.BGS-HQ._sites.gc._msdcs.billsgs.net

                     Error:
                     Missing SRV record at DNS server 192.168.40.254:
                     _ldap._tcp.pdc._msdcs.billsgs.net

               Error: Record registrations cannot be found for all the network adapters

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.41.17 (bgs-cp-vrdsvr01.billsgs.net.)
               2 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.41.17
            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
            DNS server: 192.168.40.254 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.billsgs.net. failed on the DNS server 192.168.40.254

            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
            DNS server: 199.7.83.42 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
            DNS server: 209.253.113.10 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 209.253.113.10
            DNS server: 209.253.113.2 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 209.253.113.2
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: billsgs.net
               BGS-HQ-VRDSVR01              PASS FAIL FAIL FAIL WARN FAIL n/a

         ......................... billsgs.net failed test DNS

和..“repadmin /bind BGS-VRDSVR01”输出..

C:\Users\Administrator.BILLSGS>repadmin /bind BGS-HQ-VRDSVR01
Bind to BGS-HQ-VRDSVR01 succeeded.
NTDSAPI V1 BindState, printing extended members.
    bindAddr: BGS-HQ-VRDSVR01
Extensions supported (cb=48):
    BASE                             : Yes
    ASYNCREPL                        : Yes
    REMOVEAPI                        : Yes
    MOVEREQ_V2                       : Yes
    GETCHG_COMPRESS                  : Yes
    DCINFO_V1                        : Yes
    RESTORE_USN_OPTIMIZATION         : Yes
    KCC_EXECUTE                      : Yes
    ADDENTRY_V2                      : Yes
    LINKED_VALUE_REPLICATION         : Yes
    DCINFO_V2                        : Yes
    INSTANCE_TYPE_NOT_REQ_ON_MOD     : Yes
    CRYPTO_BIND                      : Yes
    GET_REPL_INFO                    : Yes
    STRONG_ENCRYPTION                : Yes
    DCINFO_VFFFFFFFF                 : Yes
    TRANSITIVE_MEMBERSHIP            : Yes
    ADD_SID_HISTORY                  : Yes
    POST_BETA3                       : Yes
    GET_MEMBERSHIPS2                 : Yes
    GETCHGREQ_V6 (WINDOWS XP PREVIEW): Yes
    NONDOMAIN_NCS                    : Yes
    GETCHGREQ_V8 (WINDOWS XP BETA 1) : Yes
    GETCHGREPLY_V5 (WINDOWS XP BETA 2): Yes
    GETCHGREPLY_V6 (WINDOWS XP BETA 2): Yes
    ADDENTRYREPLY_V3 (WINDOWS XP BETA 3): Yes
    GETCHGREPLY_V7 (WINDOWS XP BETA 3) : Yes
    VERIFY_OBJECT (WINDOWS XP BETA 3): Yes
    XPRESS_COMPRESSION               : Yes
    DRS_EXT_ADAM                     : No
    GETCHGREQ_V10                    : Yes
    RECYCLE BIN FEATURE              : No
Site GUID: afe99967-2bae-4850-b6c8-a84fc37cbd87
Repl epoch: 0
Forest GUID: 1c4eb6fd-77b5-46de-a4b0-c9c51087eb7d
Security information on the binding is as follows:
    SPN Requested:  LDAP/BGS-HQ-VRDSVR01
    Authn Service:  9
    Authn Level:  6
    Authz Service:  0

另外,这里是处理列表...

https://i.stack.imgur.com/p74jP.png

https://i.stack.imgur.com/LNG7j.png

答案1

要查看这是否与基于主机的防火墙有关,请暂时关闭域、公共和私有配置文件。您是否有多个接口,因为在 Windows Server 2008 中,最严格的配置文件正在生效。从提升的命令提示符运行此命令

  • netsh advfirewall 将公共配置文件状态关闭
  • netsh advfirewall 将 privateprofile 状态关闭
  • netsh advfirewall 将域配置文件状态关闭

内存使用情况可能会产生误导。通常情况下,内存会被使用,但在必要时会被释放。查看资源耗尽检测器操作事件日志(打开 eventvwr 并转到应用程序和服务/microsoft/windows/资源耗尽检测器/操作)以确定是否内存不足。

使用 Process Explorer 查看内存使用情况并查看可用内存。如果可用内存看起来很少,请使用 Syinternals 的 RAMMap 了解使用情况。请参阅 RAMmap 说明http://blogs.technet.com/b/askperf/archive/2010/08/13/introduction-to-the-new-sysinternals-tool-rammap.aspx因为我曾遇到过图元文件“消耗”它的情况。但这是预期的行为。

DCDiag 中的错误 81 表示 LDAP 服务器无法访问。DC 本身上是否有任何第三方产品提供捆绑的防病毒 + 防火墙行为?如果您可以在 DC 上本地访问 LDAP,但无法远程访问,并且您确定没有使用基于主机的防火墙,我会检查是否有任何中间网络设备正在过滤/丢弃数据包。

答案2

如果任何适配器上都有公共网络,请确保主 DNS 服务器是“其本身的公共 IP”,这为我解决了这个问题。

相关内容