开始尝试将累积更新 CU14 应用于 Exchange 2013,由于错误而失败:
> Error: Setup can't use the domain controller 'Default-First-Site-Name'
> because it belongs to Active Directory site ''. Setup must use a
> domain controller in the same site as this computer
> (xxxxx.xxxxxxxx.com). For more information, visit:
> http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DomainControllerIsOutOfSite.aspx
因此我查看了链接,上面写着:
> The schema master is not running Windows Server 2003 Service Pack 1 or
> later_DomainControllerIsOutOfSite
但是我的两个域控制器都运行 Win Server 2016。错误消息显示:
> *because it belongs to Active Directory site ''*,
一片空白。那是什么意思?
于是我开始检查我的 DC。我在主 DC (Asgard) 上运行了 DCDiag,结果报告了错误。
> D:\ExchangeCU14>dcdiag
>
> Directory Server Diagnosis
>
> Performing initial setup: Trying to find home server... Home
> Server = Asgard * Identified AD Forest. Done gathering initial
> info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\ASGARD
> Starting test: Connectivity
> ......................... ASGARD passed test Connectivity
>
> Doing primary tests
>
> Testing server: Default-First-Site-Name\ASGARD
> Starting test: Advertising
> Warning: **DsGetDcName returned information for** **\\Elsinore.areteind.com, when we were trying to reach**
> **ASGARD.**
> **SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.**
> **......................... ASGARD failed test Advertising**
所以我检查了一下,Asgard 被设置为 PDC,并且它是架构主控,并且分配了所有五个 FSMO 角色。Elsinore 是备份或辅助 DC,也是架构主控。两者都在运行 DNS,并且复制似乎在两个方向上运行。
为什么是DsGetDcName .... 返回 Elsinore 的信息.... (备份)....试图到达阿斯加德...... (PDC)?
当我检查时,Active Directory 站点和服务“无法找到主域控制器”
我检查了 DNS,发现 Asgard 和 Elsinore 都已正确注册了正确的 IP。凭直觉,我对它们都进行了 ping 操作,结果很有趣。(Asgard IP4 设置为 192.168.87.2,Elsinore 设置为 192.168.87.3)
> D:\ExchangeCU14>ping 192.168.87.2
> Pinging 192.168.87.2 with 32 bytes of data:
> Reply from 192.168.87.2: bytes=32 time<1ms TTL=128 Reply from
> 192.168.87.2: bytes=32 time<1ms TTL=128
> D:\ExchangeCU14>ping Asgard
> Pinging Asgard.areteind.com
> [fe80::f410:6f29:783e:9b6d%9] with 32 bytes of data:
> Reply from fe80::f410:6f29:783e:9b6d%9: time<1ms Reply from
> fe80::f410:6f29:783e:9b6d%9: time<1ms
为什么通过 FQDN 进行 ping 使用的是 IPv6 地址而不是 IPv4 地址?
这是来自 Asgard 的 IpConfig /all:(机器中有两个 NIC,它们位于名为 TeamAsgard 的 TEAMed 连接上:
> D:\ExchangeCU14>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : Asgard Primary Dns Suffix .
> . . . . . . : areteind.com Node Type . . . . . . . . . . . . :
> Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy
> Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . :
> areteind.com
>
> Ethernet adapter TeamAsgard:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Microsoft Network Adapter Multiplexor Driver
> Physical Address. . . . . . . . . : 00-1F-29-C9-1E-52
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> Link-local IPv6 Address . . . . . : fe80::f410:6f29:783e:9b6d%9(Preferred)
> IPv4 Address. . . . . . . . . . . : 192.168.87.2(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.87.1
> DHCPv6 IAID . . . . . . . . . . . : 201334569
> DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-2D-CF-83-00-1F-29-C9-1E-52
> DNS Servers . . . . . . . . . . . : 192.168.87.2
_______________________192.168.87.3
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
>Tunnel adapter isatap.{FDE8723C-2280-4314-8A87-E79DE2C1A433}:
>
> Media State . . . . . . . . . . . : Media disconnected
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
> Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
如果我运行 NLTEst /DCName,我会得到:
> D:\ExchangeCU14>nlTest /DCName:Areteind.com NetGetDCName failed:
> Status = 2453 0x995 NERR_DCNotFound
错误说:
> Active Directory Domain Services was unable to establish a connection
> with the global catalog.
关于我下一步该去哪里,您有什么想法吗?
按照@Greg Askew 的建议执行了其他测试:(所有测试均从 Exchange 邮局运行 - Exchange CU14 设置最初从这里失败)
C:\Windows\system32>netdom query fsmo
Schema master Asgard.areteind.com
Domain naming master Asgard.areteind.com
PDC Asgard.areteind.com
RID pool manager Asgard.areteind.com
Infrastructure master Asgard.areteind.com
The command completed successfully.
C:\Windows\system32>nltest /dsgetdc:areteind.com /server:asgard
Getting DC name failed: Status = 1717 0x6b5 RPC_S_UNKNOWN_IF
C:\Windows\system32>nltest /dsgetdc:areteind.com /server:elsinore
DC: \\Elsinore.areteind.com
Address: \\192.168.87.3
Dom Guid: c6193583-51f3-41b3-8681-2085733d6ea1
Dom Name: areteind.com
Forest Name: areteind.com
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: GC DS LDAP KDC WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE F
ULL_SECRET WS DS_8 DS_9 0x10000
The command completed successfully
最后两个似乎暗示了为什么会发生这种情况(但现在如何解决)。系统似乎无法使用连接到 Asgard 作为 PDC dsgetDC,即使它在 DNS 中通过正确的 IP 地址注册并明确指定为 PDC。
为了解决 DNS 问题,下面是 DNS 中的 SRV 记录的屏幕截图:
答案1
nltest /dsgetdc:areteind.com /server:asgard
获取 DC 名称失败:状态 = 1717 0x6b5 RPC_S_UNKNOWN_IF
这可能是由于 NETLOGON 服务未运行造成的。我能想到的唯一原因是有人(也许是暂时的)不希望 DC 处理身份验证请求。
答案2
您的 DNS 配置正确吗?是否存在 SRV 记录,客户端计算机是否可以解析这些记录?可以找到更多信息在微软
ifconfig /registerdns在域控制器上运行可以帮助直接获取这些记录。