Background
We are currently in the middle of several domain controller upgrades. Before I started, a previous administrator had begun migrating our DCs from 2008 R2 Standard to 2008 R2 Enterprise. At the time there was a PDC, DC2008S-0, and an additional DC, DC2008E-1, running. A third 2008 Enterprise DC sat on a powered-off VM. All of this was left over from upgrading the 2003 DCs. The previous administrator felt that Standard DCs were not adequate for what a DC needs and that those licenses had been bought by mistake, so after bringing up two Standard DCs he added the Enterprise DCs and demoted the Standard DCs.
The Enterprise DCs were not replicating SYSVOL at all. The _msdcs zone was also missing on the Enterprise DCs. Some metadata cleanup also had to be done for the fully tombstoned DC (the spare 2008E on the powered-off VM). After a lot of troubleshooting we did an authoritative restore from the PDC. After that SYSVOL appeared to be replicating correctly, and we added _msdcs manually and pulled in all the records. That was probably 8 or 9 months ago. Since then everything has gone smoothly: logons, GPO replication, new GPOs, new AD accounts, plus a hybrid migration to O365 with all the AD Sync and DirSync work, which also went fine.
After that period we came back to this DC project. My task list is as follows:
1. Raise the domain and forest functional levels from 2003 to 2008 (this includes migrating from FRS to DFSR).
2. Reconcile the powered-off second Enterprise DC, reinstall it, give it the DC role and add it to the domain.
3. Move the FSMO roles etc. to the first Enterprise DC and make it the PDC.
4. Decommission the Standard DC.
I was on the verge of demoting the Standard DC when this DNS RReg problem came to light. I don't believe it wasn't already there after the SYSVOL, AD and DNS replication work, but I could be wrong.
Current problem
All of our DCs fail the DCDIAG RReg test.
This is the only failure when we check DC health with DCDIAG on each DC, and also when running the GUI AD Replication Status Tool v1.0 and two PS scripts from TechNet for the AD and SYSVOL replication / latency convergence checks.
Here is the failing output of the DCDIAG DNS test
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domain.com
DC2008S-0 PASS PASS PASS PASS PASS FAIL n/a
DC2008E-0 PASS PASS PASS PASS PASS FAIL n/a
DC2008E-1 PASS PASS PASS PASS PASS FAIL n/a
Total Time taken to test all the DCs:2 min. 55 sec.
......................... domain.com failed test DNS
These failures all relate to a single CNAME, a single A record and multiple SRV records on the new PDC, DC2008E-0
Starting test: DNS
Test results for domain controllers:
DC: DC2008E-0.domain.com
Domain: domain.com
TEST: Records registration (RReg)
Network Adapter [00000007] vmxnet3 Ethernet Adapter:
Warning:
Missing CNAME record at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Warning:
Missing A record at DNS server 10.1.1.27:
DC2008E-0.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._udp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kpasswd._tcp.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.siteName._sites.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.siteName._sites.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.siteName._sites.dc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_kerberos._tcp.siteName._sites.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.gc._msdcs.domain.com
Warning:
Missing A record at DNS server 10.1.1.27:
gc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_gc._tcp.siteName._sites.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.siteName._sites.gc._msdcs.domain.com
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.pdc._msdcs.domain.com
Error: Record registrations cannot be found for all the network adapters
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________________
Domain: domain.com
DC2008E-0 PASS PASS PASS PASS PASS FAIL n/a
......................... domain.com failed test DNS
Investigation so far
I have checked all of these records by hand and can confirm that every one of them exists on all of my DCs.
I have also compared the _msdcs zone across all DCs, and all the other records match.
The zone serial number in the SOA matches across all DCs; that holds for every zone on every DC, not just the _msdcs zone.
I'm not sure this is the best way to show that I can find the records manually, but I ran NSLOOKUP against all three DCs for one of the records listed above and it appears to be found on all three.
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com
Server: DC2008E-0.domain.com
Address: 10.1.1.27
_ldap._tcp.pdc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC2008E-0.domain.com
DC2008E-0.domain.com internet address = 10.1.1.27
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com DC2008S-0
Server: DC2008S-0.domain.com
Address: 10.1.1.3
_ldap._tcp.pdc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC2008E-0.domain.com
DC2008E-0.domain.com internet address = 10.1.1.27
c:\Users\userName\Desktop\replication>nslookup -type=SRV _ldap._tcp.pdc._msdcs.domain.com DC2008E-1
Server: DC2008E-1.domain.com
Address: 10.1.1.28
_ldap._tcp.pdc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = DC2008E-0.domain.com
DC2008E-0.domain.com internet address = 10.1.1.27
I also checked the CNAME records at the root of the _msdcs zone, and this is the only odd thing I found. The records themselves are 100% correct and the permissions look right as well; at least I should say they match between the 3 CNAME records and between the way each DC shows the CNAME records. However, the owner is set differently. DC2008S-0's record is owned by SYSTEM, DC2008E-0's record is owned by DC2008E-0$, and DC2008E-1's record is owned by DC2008E-1$ (domain\DC2008E-1$). This is the same no matter which DC I look at the records from.
I don't know whether this is relevant, but it seems to be the only thing I can find that doesn't match and/or doesn't follow the same pattern. It may well be a red herring.
From DC2008E-0 I also ran ipconfig /registerdns; no errors were reported in Event Viewer. I also ran nltest /dsregdns
C:\Windows\system32>nltest /dsregdns
Flags: 0
Connection Status = 0 0x0 NERR_Success
The command completed successfully
This does not seem to fix the problem.
Further investigation
It looks like I overlooked some of the output from the full DCDIAG test set I'm running. Some more specific errors are reported, and there is also more detail about how the DNS SRV records are being reported.
I'll post the relevant output of dcdiag.exe /V /C /D /E /s:dc0 (actually only some fragments, since I've hit the character limit)
DC: DC2008S-0.domain.com
Domain: domain.com
Adapter [00000012] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:9A:77:BA
IP Address is static
IP address: 10.1.1.3
DNS servers:
10.1.1.3 (DC2008S-0) [Valid]
10.1.1.27 (DC2008E-0) [Valid]
127.0.0.1 (DC2008S-0) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Records registration (RReg)
Network Adapter
[00000012] Intel(R) PRO/1000 MT Network Connection:
Matching CNAME record found at DNS server 10.1.1.3:
f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
Matching A record found at DNS server 10.1.1.3:
DC2008S-0.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Matching CNAME record found at DNS server 10.1.1.27:
f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
Matching A record found at DNS server 10.1.1.27:
DC2008S-0.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Warning:
Missing CNAME record at DNS server 10.1.1.3:
f11ae1a7-ab57-47d9-bf47-11eca1e33936._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Warning:
Missing A record at DNS server 10.1.1.3:
DC2008S-0.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.3:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error: Record registrations cannot be found for all the network
adapters
Total query time:0 min. 0 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:1 min. 3 sec. Total Netuse connection
time:0 min. 0 sec.
[...]
DC: DC2008E-0.domain.com
Domain: domain.com
Network adapters information:
Adapter [00000007] vmxnet3 Ethernet Adapter:
MAC address is 00:50:56:12:34:56
IP Address is static
IP address: 10.1.1.27, fe80::3464:a8c8:13fa:7116
DNS servers:
10.1.1.3 (DC2008S-0) [Valid]
10.1.1.27 (DC2008E-0) [Valid]
127.0.0.1 (DC2008E-0) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Records registration (RReg)
Network Adapter [00000007] vmxnet3 Ethernet Adapter:
Matching CNAME record found at DNS server 10.1.1.3:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Matching A record found at DNS server 10.1.1.3:
DC2008E-0.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Matching CNAME record found at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
Matching A record found at DNS server 10.1.1.27:
DC2008E-0.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Warning:
Missing CNAME record at DNS server 10.1.1.27:
7ae71958-74b2-4dc3-bf0e-224ec881bafa._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Warning:
Missing A record at DNS server 10.1.1.27:
DC2008E-0.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
[...]
Error: Record registrations cannot be found for all the network
adapters
Total query time:0 min. 4 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:1 min. 3 sec. Total Netuse connection
time:0 min. 0 sec.
[...]
DC: DC2008E-1.domain.com
Domain: domain.com
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:0C:29:75:FF:46
IP Address is static
IP address: 10.1.1.28, fe80::b81a:c109:24a0:9d3d
DNS servers:
10.1.1.3 (DC2008S-0) [Valid]
10.1.1.27 (DC2008E-0) [Valid]
127.0.0.1 (DC2008E-1) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found primary
Root zone on this DC/DNS server was not found
TEST: Records registration (RReg)
Network Adapter
[00000007] Intel(R) PRO/1000 MT Network Connection:
Matching CNAME record found at DNS server 10.1.1.3:
eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
Matching A record found at DNS server 10.1.1.3:
DC2008E-1.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.3:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Matching CNAME record found at DNS server 10.1.1.27:
eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
Matching A record found at DNS server 10.1.1.27:
DC2008E-1.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.domain.com
Matching SRV record found at DNS server 10.1.1.27:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[...]
Warning:
Missing CNAME record at DNS server 10.1.1.28:
eafe6486-f76c-4900-8a20-46404fdbae57._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Warning:
Missing A record at DNS server 10.1.1.28:
DC2008E-1.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.28:
_ldap._tcp.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error:
Missing SRV record at DNS server 10.1.1.28:
_ldap._tcp.5f315a51-10e4-4785-a4db-50312543bf35.domains._msdcs.domain.com
[Error details: 10054 (Type: Win32 - Description: An existing connection was forcibly closed by the remote host.)]
Error: Record registrations cannot be found for all the network
adapters
Total query time:0 min. 0 sec.. Total RPC connection
time:0 min. 0 sec.
Total WMI connection time:0 min. 44 sec. Total Netuse connection
time:0 min. 0 sec.
So it looks like something may be wrong with the NIC settings? That's where I'm starting to lean now.
NIC configuration
DC2008S-0
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
Physical Address. . . . . . . . . : 00-0C-29-9A-77-BA
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.3
10.1.1.27
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-0
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-12-34-56
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3464:a8c8:13fa:7116%15(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.27(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCPv6 IAID . . . . . . . . . . . : 335564886
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-4A-CD-9F-00-50-56-12-34-56
DNS Servers . . . . . . . . . . . : ::1
10.1.1.3
10.1.1.27
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-1
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-75-FF-46
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b81a:c109:24a0:9d3d%10(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.1.28(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCPv6 IAID . . . . . . . . . . . : 251661353
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-34-D6-43-00-0C-29-75-FF-46
DNS Servers . . . . . . . . . . . : ::1
10.1.1.3
10.1.1.27
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
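The RReg test in the question reports "Missing" both when a record is genuinely absent and when the query to that DNS server failed outright, as the 10054 error details show, so a by-hand check that separates the two cases is useful before touching any zone. The script below is an added example, not code from the original post. It reads each DC's netlogon.dns (the file Netlogon writes with every record it tries to register), resolves each record against every DC's DNS service, and reports absent records separately from failed queries. It assumes the DC names and IPs from the question, Domain Admin rights, reachable admin$ shares, and a management host running Windows 8 / Server 2012 or later, since Resolve-DnsName is not available on the 2008 R2 DCs themselves.

```powershell
# Added example, not part of the original question. Re-does the DCDIAG RReg check
# by hand: every record in each DC's netlogon.dns is resolved against every DC's
# DNS service, and "absent" is reported separately from "query failed".
# Assumptions: hostnames/IPs below come from the question; run as a Domain Admin
# from a Win8/2012+ box (Resolve-DnsName); admin$ on each DC is reachable.

$dcs = @{                       # hostname -> IP of the DNS service on that DC
    'DC2008S-0' = '10.1.1.3'
    'DC2008E-0' = '10.1.1.27'
    'DC2008E-1' = '10.1.1.28'
}

function Get-NetlogonRecords {
    # netlogon.dns lines look like:
    #   _ldap._tcp.domain.com. 600 IN SRV 0 100 389 DC2008E-0.domain.com.
    #   7ae71958-...._msdcs.domain.com. 600 IN CNAME DC2008E-0.domain.com.
    #   gc._msdcs.domain.com. 600 IN A 10.1.1.27
    param([string]$Dc)
    foreach ($line in Get-Content "\\$Dc\admin$\System32\config\netlogon.dns") {
        if ($line -match '^\s*(\S+)\.\s+\d+\s+IN\s+(A|AAAA|CNAME|SRV)\s+(.*)$') {
            [pscustomobject]@{
                Owner = $Dc
                Name  = $matches[1]
                Type  = $matches[2]
                Data  = $matches[3].Trim()
            }
        }
    }
}

function Test-RecordOnServer {
    # Returns OK / ABSENT / QUERY FAILED for one record against one DNS server.
    param($Record, [string]$Server)
    try {
        $answers = Resolve-DnsName -Name $Record.Name -Type $Record.Type `
                                   -Server $Server -DnsOnly -ErrorAction Stop
    } catch {
        # A transport/RPC-style failure is not the same thing as a missing record.
        return "QUERY FAILED: $($_.Exception.Message)"
    }
    # A name such as _ldap._tcp.domain.com legitimately has one SRV per DC, so
    # look only for the entry that points at the DC owning this netlogon.dns line.
    switch ($Record.Type) {
        'SRV' {
            $target = ($Record.Data -split '\s+')[-1].TrimEnd('.')
            $hit = $answers | Where-Object { $_.NameTarget -eq $target }
        }
        'CNAME' {
            $target = $Record.Data.TrimEnd('.')
            $hit = $answers | Where-Object { $_.NameHost -eq $target }
        }
        default {
            $hit = $answers | Where-Object { $_.IPAddress -eq $Record.Data }
        }
    }
    if ($hit) { 'OK' } else { 'ABSENT' }
}

$report = foreach ($dc in $dcs.Keys) {
    foreach ($rec in Get-NetlogonRecords -Dc $dc) {
        foreach ($srv in $dcs.GetEnumerator()) {
            [pscustomobject]@{
                Owner  = $rec.Owner
                Server = "$($srv.Key) ($($srv.Value))"
                Type   = $rec.Type
                Name   = $rec.Name
                Status = Test-RecordOnServer -Record $rec -Server $srv.Value
            }
        }
    }
}

# Only the problems; an empty table means every DC's records resolve everywhere.
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Owner, Server, Type |
    Format-Table Owner, Server, Type, Name, Status -AutoSize
```

Because each query is sent directly to one server with -DnsOnly, a clean result here while DCDIAG still reports "Missing ... 10054" points at the path DCDIAG itself uses to reach that server (the DC's own client-side DNS configuration, as the question's later NIC output suggests) rather than at zone contents.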
Answer 1
Resolved this by removing IPv6 on the two DCs that were running IPv6 and reordering the DNS configuration on the NICs.
DC2008S-0
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
Physical Address. . . . . . . . . : 00-0C-29-9A-77-BA
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.27
10.1.1.3
NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-0
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-12-34-56
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.1.27(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.28
10.1.1.27
NetBIOS over Tcpip. . . . . . . . : Enabled
DC2008E-1
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-75-FF-46
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.1.1.28(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.27
10.1.1.28
NetBIOS over Tcpip. . . . . . . . : Enabled
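The answer above fixed the problem by hand on three DCs; the NIC output in the question shows what it corrected: the two IPv6-enabled DCs listed ::1 as their first DNS server, every DC listed itself first, and every DC carried 127.0.0.1 as well. The script below is an added example, not part of the answer, that audits exactly those points across all DCs and can apply the layout the answer ended with (a partner DC first, the DC itself second, no loopback entries). It uses WMI rather than the newer DnsClient cmdlets so it also runs on Server 2008 R2. The DC IPs are the ones from the question; the partner chosen for each DC and the -Apply switch are assumptions of this example.

```powershell
# Added example, not part of the answer above. Audits the DNS client settings on
# every DC for the conditions visible in the question's NIC output (::1 or
# 127.0.0.1 in the list, DC listing itself first, servers that are not DCs) and
# optionally applies the order the answer settled on. WMI so it works on 2008 R2.
# Assumptions: DC IPs from the question; run as a Domain Admin; -Apply is this
# example's own guard, nothing is changed unless it is passed.

$dcIps = @('10.1.1.3', '10.1.1.27', '10.1.1.28')   # DC2008S-0, DC2008E-0, DC2008E-1

function Get-DcDnsClientConfig {
    param([string]$ComputerName)
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName `
                  -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $ComputerName
                Index    = $_.Index
                Adapter  = $_.Description
                IPv4     = @($_.IPAddress | Where-Object { $_ -match '^\d+\.' })
                Dns      = @($_.DNSServerSearchOrder)
            }
        }
}

function Test-DcDnsClientConfig {
    # Returns the list of findings for one adapter; empty means it looks right.
    param($Config, [string[]]$KnownDcIps)
    $dns = $Config.Dns
    $own = $Config.IPv4
    $problems = @()
    if ($dns.Count -eq 0) { return @('no DNS servers configured') }
    if ($dns -contains '::1' -or $dns -contains '127.0.0.1') {
        $problems += 'loopback address (::1 / 127.0.0.1) in DNS list'
    }
    if ($dns[0] -match ':') { $problems += "IPv6 address $($dns[0]) listed first" }
    if ($own -contains $dns[0]) { $problems += 'DC lists itself first instead of a partner DC' }
    if (-not ($own | Where-Object { $dns -contains $_ })) { $problems += 'DC does not list itself at all' }
    foreach ($s in $dns) {
        if ($KnownDcIps -notcontains $s -and $s -notin @('127.0.0.1', '::1')) {
            $problems += "unknown DNS server $s (not a DC)"
        }
    }
    $problems
}

function Set-DcDnsClientOrder {
    # Sets DNSServerSearchOrder on one adapter; prints the intent unless -Apply.
    param([string]$ComputerName, [int]$AdapterIndex, [string[]]$Order, [switch]$Apply)
    Write-Host "$ComputerName adapter $AdapterIndex -> $($Order -join ', ')"
    if (-not $Apply) { return }
    $nic = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                         -ComputerName $ComputerName -Filter "Index = $AdapterIndex"
    $rc = $nic.SetDNSServerSearchOrder($Order)
    if ($rc.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed with $($rc.ReturnValue)" }
}

# 1. Audit every DC.
$configs = foreach ($dc in @('DC2008S-0', 'DC2008E-0', 'DC2008E-1')) { Get-DcDnsClientConfig -ComputerName $dc }
foreach ($c in $configs) {
    $findings = Test-DcDnsClientConfig -Config $c -KnownDcIps $dcIps
    if ($findings) {
        Write-Warning ("{0} [{1}] DNS={2}: {3}" -f $c.Computer, $c.Adapter, ($c.Dns -join ','), ($findings -join '; '))
    }
}

# 2. Apply the layout the answer ended with: a partner DC first, itself second.
#    Partner assignment below is this example's choice and mirrors the answer.
$desired = @{
    'DC2008S-0' = @('10.1.1.27', '10.1.1.3')
    'DC2008E-0' = @('10.1.1.28', '10.1.1.27')
    'DC2008E-1' = @('10.1.1.27', '10.1.1.28')
}
foreach ($c in $configs) {
    if ($desired.ContainsKey($c.Computer)) {
        Set-DcDnsClientOrder -ComputerName $c.Computer -AdapterIndex $c.Index -Order $desired[$c.Computer]  # add -Apply to change it
    }
}
```

The checks encode the final state shown in the answer; if your standard keeps 127.0.0.1 as the last entry, relax the loopback test accordingly. After changing the order, run ipconfig /registerdns and dcdiag /test:DNS /DnsRecordRegistration on each DC so the RReg column is re-evaluated against the new resolver path.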