I had a question about this before, but I've got some new information, so I thought I'd start a new thread to spark some fresh discussion.
First, a brief overview of our network setup (as I understand it). We have two stores. Let's call them CP and HQ. HQ is a domain controller, and we have a local domain called billsgs.net. Each store basically runs independently. Each has its own firewall and its own server running Windows Server 2008 R2. The only interaction between them is through replication. We specified the directories to replicate, which are mostly user profiles and our database files. This is mainly for backup.
Now for the problem... A few weeks ago (early June), we noticed that the replication service on the HQ server was consuming a lot of memory, and by a lot I mean all the memory it could get. We have 13GB, and within 10 minutes of DFS running, memory usage was at about 98%. So we stopped it. It didn't really bother us, but if a crash happens, our backups are completely shot. We applied some hotfixes, but none of them worked. So as of now, DFS isn't running.
Then, a few weeks ago, the firewall's OS got corrupted; I don't know how, I wasn't there when it happened. This was at the HQ store. So our firewall was broken and DFS wasn't working. We recently reinstalled the OS on the firewall, which is pfSense. Everything seemed to be working fine... except we started noticing some DNS issues. We currently don't know whether this is related to the DNS/AD/DFS problem or to the firewall problem. We basically opened the firewall wide, so we decided it wasn't the issue, at least it doesn't seem to be. Here is some of the debugging work we've done...
Here is the dcdiag output...
C:\Users\Administrator>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = BGS-HQ-VRDSVR01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BGS-HQ\BGS-HQ-VRDSVR01
Starting test: Connectivity
......................... BGS-HQ-VRDSVR01 passed test Connectivity
Doing primary tests
Testing server: BGS-HQ\BGS-HQ-VRDSVR01
Starting test: Advertising
......................... BGS-HQ-VRDSVR01 passed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... BGS-HQ-VRDSVR01 passed test FrsEvent
Starting test: DFSREvent
......................... BGS-HQ-VRDSVR01 passed test DFSREvent
Starting test: SysVolCheck
......................... BGS-HQ-VRDSVR01 passed test SysVolCheck
Starting test: KccEvent
A warning event occurred. EventID: 0x8000082C
Time Generated: 08/05/2011 15:04:12
Event String:
A warning event occurred. EventID: 0x8000082C
Time Generated: 08/05/2011 15:05:12
Event String:
......................... BGS-HQ-VRDSVR01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... BGS-HQ-VRDSVR01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... BGS-HQ-VRDSVR01 passed test MachineAccount
Starting test: NCSecDesc
......................... BGS-HQ-VRDSVR01 passed test NCSecDesc
Starting test: NetLogons
......................... BGS-HQ-VRDSVR01 passed test NetLogons
Starting test: ObjectsReplicated
......................... BGS-HQ-VRDSVR01 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
Naming Context: DC=ForestDnsZones,DC=billsgs,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-08-05 14:34:49.
The last success occurred at 2011-08-05 13:51:35.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
Naming Context: DC=DomainDnsZones,DC=billsgs,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-08-05 14:34:48.
The last success occurred at 2011-08-05 13:51:35.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
Naming Context: CN=Schema,CN=Configuration,DC=billsgs,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-08-05 14:34:47.
The last success occurred at 2011-08-05 13:51:34.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
Naming Context: CN=Configuration,DC=billsgs,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-08-05 14:34:46.
The last success occurred at 2011-08-05 13:51:34.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
[Replications Check,BGS-HQ-VRDSVR01] A recent replication attempt failed:
From BGS-CP-VRDSVR01 to BGS-HQ-VRDSVR01
Naming Context: DC=billsgs,DC=net
The replication generated an error (1908):
Could not find the domain controller for this domain.
The failure occurred at 2011-08-05 14:34:46.
The last success occurred at 2011-08-05 13:51:34.
1 failures have occurred since the last success.
Kerberos Error.
A KDC was not found to authenticate the call.
Check that sufficient domain controllers are available.
......................... BGS-HQ-VRDSVR01 failed test Replications
Starting test: RidManager
......................... BGS-HQ-VRDSVR01 passed test RidManager
Starting test: Services
Invalid service startup type: DFSR on BGS-HQ-VRDSVR01, current value DISABLED, expected value AUTO_START
DFSR Service is stopped on [BGS-HQ-VRDSVR01]
......................... BGS-HQ-VRDSVR01 failed test Services
Starting test: SystemLog
A warning event occurred. EventID: 0x00000458
Time Generated: 08/05/2011 14:08:10
Event String:
The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
An error event occurred. EventID: 0x00000456
Time Generated: 08/05/2011 14:23:08
Event String:
The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
An error event occurred. EventID: 0xC0001B78
Time Generated: 08/05/2011 14:28:16
Event String:
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the DFS Replication service, but this action failed with the following error:
An error event occurred. EventID: 0xC000271A
Time Generated: 08/05/2011 14:31:28
Event String: The server {995C996E-D918-4A8C-A302-45719A6F4EA7} did not register with DCOM within the required timeout.
A warning event occurred. EventID: 0x8000001D
Time Generated: 08/05/2011 14:34:09
Event String:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
A warning event occurred. EventID: 0x000003F6
Time Generated: 08/05/2011 14:34:13
Event String: Name resolution for the name billsgs.net timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC0001B58
Time Generated: 08/05/2011 14:34:48
Event String: The DgiVecp service failed to start due to the following error:
An error event occurred. EventID: 0x0000168E
Time Generated: 08/05/2011 14:34:55
Event String:
The dynamic registration of the DNS record '6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net. 600 IN CNAME BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 08/05/2011 14:34:56
Event String:
The dynamic registration of the DNS record '_kpasswd._udp.billsgs.net. 600 IN SRV 0 100 464 BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
A warning event occurred. EventID: 0x00002724
Time Generated: 08/05/2011 14:34:56
Event String: This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
A warning event occurred. EventID: 0x000003F6
Time Generated: 08/05/2011 14:34:55
Event String: Name resolution for the name billsgs.net timed out after none of the configured DNS servers responded.
An error event occurred. EventID: 0xC00110F1
Time Generated: 08/05/2011 14:35:09
Event String: The WINS Server could not initialize security to allow the read-only operations.
An error event occurred. EventID: 0xC0002720
Time Generated: 08/05/2011 14:36:05
Event String: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
A warning event occurred. EventID: 0x000727AA
Time Generated: 08/05/2011 14:38:30
Event String: The WinRM service failed to create the following SPNs: WSMAN/BGS-HQ-VRDSVR01.billsgs.net; WSMAN/BGS-HQ-VRDSVR01.
A warning event occurred. EventID: 0x0000043D
Time Generated: 08/05/2011 14:47:48
Event String:
Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link.
An error event occurred. EventID: 0x0000168E
Time Generated: 08/05/2011 15:02:25
Event String:
The dynamic registration of the DNS record '6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net. 600 IN CNAME BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
An error event occurred. EventID: 0x0000168E
Time Generated: 08/05/2011 15:02:26
Event String:
The dynamic registration of the DNS record '_kpasswd._udp.billsgs.net. 600 IN SRV 0 100 464 BGS-HQ-VRDSVR01.billsgs.net.' failed on the following DNS server:
......................... BGS-HQ-VRDSVR01 failed test SystemLog
Starting test: VerifyReferences
......................... BGS-HQ-VRDSVR01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : billsgs
Starting test: CheckSDRefDom
......................... billsgs passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... billsgs passed test CrossRefValidation
Running enterprise tests on : billsgs.net
Starting test: LocatorCheck
......................... billsgs.net passed test LocatorCheck
Starting test: Intersite
......................... billsgs.net passed test Intersite
Now, keep in mind that every time we reboot the server, things look very different. Sometimes we get errors about DCOM not being able to reach the DNS server we specified! Now... here is the output of the DNS test...
C:\Users\Administrator>dcdiag /test:DNS
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = BGS-HQ-VRDSVR01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BGS-HQ\BGS-HQ-VRDSVR01
Starting test: Connectivity
......................... BGS-HQ-VRDSVR01 passed test Connectivity
Doing primary tests
Testing server: BGS-HQ\BGS-HQ-VRDSVR01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... BGS-HQ-VRDSVR01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : billsgs
Running enterprise tests on : billsgs.net
Starting test: DNS
Test results for domain controllers:
DC: BGS-HQ-VRDSVR01.billsgs.net
Domain: billsgs.net
TEST: Basic (Basc)
Warning: adapter [00000007] Intel(R) PRO/1000 MT Network Connection has invalid DNS server: 192.168.40.254 (<name unavailable>)
TEST: Records registration (RReg)
Network Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
Warning:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.22017278-29d1-493a-b72d-e44b31411a70.domains._msdcs.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_kerberos._tcp.dc._msdcs.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.dc._msdcs.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_kerberos._tcp.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_kerberos._udp.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_kpasswd._tcp.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.BGS-HQ._sites.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_kerberos._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_kerberos._tcp.BGS-HQ._sites.billsgs.net
Warning:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.gc._msdcs.billsgs.net
Warning:
Missing A record at DNS server 192.168.40.13:
gc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_gc._tcp.BGS-HQ._sites.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.BGS-HQ._sites.gc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.13:
_ldap._tcp.pdc._msdcs.billsgs.net
Warning:
Missing CNAME record at DNS server 192.168.40.254:
6282bfca-ade1-41c8-84dc-516ce19b49be._msdcs.billsgs.net
Warning:
Missing A record at DNS server 192.168.40.254:
BGS-HQ-VRDSVR01.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.22017278-29d1-493a-b72d-e44b31411a70.domains._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_kerberos._tcp.dc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.dc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_kerberos._tcp.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_kerberos._udp.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_kpasswd._tcp.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.BGS-HQ._sites.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_kerberos._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.BGS-HQ._sites.dc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_kerberos._tcp.BGS-HQ._sites.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.gc._msdcs.billsgs.net
Warning:
Missing A record at DNS server 192.168.40.254:
gc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_gc._tcp.BGS-HQ._sites.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.BGS-HQ._sites.gc._msdcs.billsgs.net
Error:
Missing SRV record at DNS server 192.168.40.254:
_ldap._tcp.pdc._msdcs.billsgs.net
Error: Record registrations cannot be found for all the network adapters
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 192.168.40.254 (<name unavailable>)
1 test failure on this DNS server
Name resolution is not functional. _ldap._tcp.billsgs.net. failed on the DNS server 192.168.40.254
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: billsgs.net
BGS-HQ-VRDSVR01 PASS WARN PASS PASS PASS FAIL n/a
......................... billsgs.net failed test DNS
C:\Users\Administrator>
I believe this is our main problem, but I'm completely lost on the whole thing. I've tried the netlogon restart trick several times. I've even run the following sequence:
net stop netlogon
net stop dns
ipconfig /flushdns
net start dns
net start netlogon
Nothing seems to work. Just recently, today, we went into "Active Directory Users and Computers", and under "Domain Controllers" the HQ server isn't listed. It just shows as unavailable.
Also.. here is an ipconfig output...
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : BGS-HQ-VRDSVR01
Primary Dns Suffix . . . . . . . : billsgs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : billsgs.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-03-BA-38
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.40.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.40.254
DNS Servers . . . . . . . . . . . : 192.168.40.13
192.168.40.254
Primary WINS Server . . . . . . . : 192.168.40.13
Secondary WINS Server . . . . . . : 192.168.41.17
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{ADEC15A8-2603-40EB-964C-489CCBD11E08}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\Administrator>
192.168.40.13 is HQ and 192.168.41.17 is CP. Also, 192.168.40.254 is the HQ firewall and 192.168.41.254 is the CP firewall.
In summary, it basically boils down to the servers not being able to communicate. As I said, DNS seems to be the main problem. One example of this is... from the HQ network, if I run nslookup billsgs.net the address comes back as 192.168.41.17, which is the CP server address. That said, nobody can "access" Active Directory from the HQ location. Meaning.. \\billsgs.net is not reachable from the HQ network.
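The two symptoms above (nslookup for billsgs.net returning the CP address, and the HQ DC not being found) can be reproduced per DNS server rather than read out of the dcdiag wall of text. The following is an added check, not part of the original post: it asks each DNS server listed on the HQ DC's NIC for the A record of the domain and for the DC locator SRV records that dcdiag flagged, then runs the locator itself. It assumes the addresses the poster gave (HQ DC 192.168.40.13, CP server 192.168.41.17, HQ firewall 192.168.40.254) and uses only nslookup.exe and nltest.exe, which ship with Windows Server 2008 R2.

```powershell
# Added diagnostic, not part of the original post. Assumes the poster's addresses
# (HQ DC 192.168.40.13, CP server 192.168.41.17, HQ firewall 192.168.40.254).
# Run in an elevated PowerShell on the HQ DC.

$Domain     = 'billsgs.net'
$DnsServers = @('192.168.40.13', '192.168.40.254')   # the two servers on the NIC per ipconfig /all
$Known      = @{ '192.168.40.13' = 'HQ DC'; '192.168.41.17' = 'CP server'; '192.168.40.254' = 'HQ firewall' }

# Records a client or a replication partner needs to find a DC / KDC for this
# domain; these are among the ones dcdiag reported as missing.
$Records = @(
    @{ Type = 'A';   Name = $Domain },
    @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$Domain" },
    @{ Type = 'SRV'; Name = "_kerberos._tcp.dc._msdcs.$Domain" },
    @{ Type = 'SRV'; Name = "_ldap._tcp.pdc._msdcs.$Domain" },
    @{ Type = 'SRV'; Name = "_ldap._tcp.gc._msdcs.$Domain" }
)

function Get-RecordTargets {
    # Asks one specific DNS server for one record and returns the targets it
    # hands back (IPs for A, host names for SRV); empty when it has no answer.
    # nslookup is used because the .NET resolver on 2008 R2 cannot query SRV.
    param([string]$Type, [string]$Name, [string]$Server)
    $out = (& nslookup.exe -type=$Type "$Name." $Server 2>&1) | Out-String
    if ($out -match 'Non-existent domain|timed.?out|No response from server|Server failed') { return @() }
    $hits = @()
    if ($Type -eq 'A' -and $out -match '(?s)Name:.*') {
        # everything from "Name:" onward is the answer section, not the server banner
        $hits = [regex]::Matches($Matches[0], '\b(?:\d{1,3}\.){3}\d{1,3}\b') | ForEach-Object { $_.Value }
    } elseif ($Type -eq 'SRV') {
        $hits = [regex]::Matches($out, 'svr hostname\s+=\s+(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return @($hits)
}

foreach ($srv in $DnsServers) {
    Write-Host ("`n== DNS server {0} ({1}) ==" -f $srv, $Known[$srv])
    foreach ($r in $Records) {
        $targets = @(Get-RecordTargets -Type $r.Type -Name $r.Name -Server $srv)
        $state   = if ($targets.Count -gt 0) { 'OK  ' } else { 'MISS' }
        $labels  = $targets | ForEach-Object { if ($Known[$_]) { "$_ ($($Known[$_]))" } else { $_ } }
        Write-Host ("  {0} {1,-3} {2,-40} {3}" -f $state, $r.Type, $r.Name, ($labels -join ', '))
    }
}

# Which DC does the locator pick from here? /force bypasses the netlogon cache.
Write-Host "`n== nltest /dsgetdc (DC locator) =="
& nltest.exe /dsgetdc:$Domain /force
```

Reading the result: if 192.168.40.13 answers the A query with only the CP address, the CP DC's record is in the zone but the HQ DC's own registration (the 0x168E events in the system log) never landed; if 192.168.40.254 returns nothing for every name, that is simply the firewall acting as a plain recursive resolver with no knowledge of the AD zone. A client that happens to ask the firewall first then gets no SRV record, cannot locate a KDC, and fails exactly like the replication test's error 1908 above.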
Answer 1
You're right, AD problems are almost always DNS problems. I think the problem is that the firewall is set as the secondary DNS in the DC's IP settings. Remove it from the NIC configuration and instead add the firewall as a forwarder in the DNS configuration.
This forces all DNS resolution to start with Windows DNS, and any address it doesn't know is queried through the forwarder.
After resetting the DNS settings, run ipconfig /registerdns on the DC to fix the AD registrations in DNS.
Also, all Windows servers and clients should point only to this DNS. If you need a backup DNS, install DNS on another server (it doesn't need to be a DC to run DNS).
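The steps in this answer, carried out on the HQ DC, as an added example (not the answerer's script). It assumes the poster's addresses (HQ DC 192.168.40.13, HQ firewall 192.168.40.254), the adapter name "Local Area Connection" from the ipconfig output, and uses only tools shipped with Server 2008 R2 (netsh, dnscmd, ipconfig, nltest, dcdiag). Check the addresses and adapter name before running it.

```powershell
# Added example of the fix in the answer above; not the answerer's own script.
# Assumes HQ DC 192.168.40.13, HQ firewall 192.168.40.254, adapter
# "Local Area Connection". Run in an elevated PowerShell on the HQ DC.

$Nic       = 'Local Area Connection'
$DcIp      = '192.168.40.13'     # the DC's own DNS service, authoritative for billsgs.net
$Forwarder = '192.168.40.254'    # pfSense: fine for internet names, knows nothing about AD
$Domain    = 'billsgs.net'

# 1. NIC: only a server that hosts the AD zones may be listed. With the firewall
#    gone from the NIC, no lookup for _msdcs/_ldap/_kerberos names can land on
#    a resolver that answers NXDOMAIN because it never heard of the zone (this
#    is what dcdiag's "invalid DNS server: 192.168.40.254" warning was about).
& netsh.exe interface ipv4 set dnsservers name="$Nic" source=static address=$DcIp validate=no
& netsh.exe interface ipv4 show dnsservers name="$Nic"

# 2. DNS service: internet names go out through a forwarder instead.
#    /ResetForwarders replaces any existing forwarder list; /Info echoes it back.
& dnscmd.exe /ResetForwarders $Forwarder /Timeout 5
& dnscmd.exe /Info

# 3. Re-register what dcdiag reported missing: the host A record (ipconfig),
#    then the DC locator records (SRV and the GUID CNAME under _msdcs) that
#    netlogon owns. Restarting netlogon also clears the locator cache.
& ipconfig.exe /flushdns
& ipconfig.exe /registerdns
& nltest.exe /dsregdns
Restart-Service -Name Netlogon -Force

# 4. Verify with the same test the poster ran, then confirm a DC is found from
#    HQ and that the domain's A record now includes this DC as well.
& dcdiag.exe /test:DNS /DnsRecordRegistration
& nltest.exe /dsgetdc:$Domain /force
& nslookup.exe -type=A "$Domain." $DcIp
```

After step 1 every query the DC makes for its own zone stays on the box; only names outside billsgs.net reach the pfSense resolver, and they reach it from the DNS service, not from the DNS client. If the records are still missing after step 3, the 0x168E "dynamic registration failed" events in the system log will name the DNS server that refused the update, which narrows it to the zone's dynamic-update setting on that server.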
Answer 2
I think the real problem is that the domain name is a single-label DNS name (one word (billsgs) followed by a valid top-level domain (.net)). By default, DNS clients don't register these domain names because they may be public domains.