我对此特定事件有疑问:
Index : 865
EntryType : Warning
InstanceId : 5802
Message : None of the IP addresses (192.168.254.17) of this Domain Controller map to the configured site 'North'.
While this may be a temporary situation due to IP address changes, it is generally
recommended that the IP address of the Domain Controller (accessible to machines in
its domain) maps to the Site which it services. If the above list of IP addresses is
stable, consider moving this server to a site (or create one if it does not already
exist) such that the above IP address maps to the selected site. This may require the
creation of a new subnet object (whose range includes the above IP address) which maps
to the selected site object.
Category : (0)
CategoryNumber : 0
ReplacementStrings : {North, 192.168.254.17}
Source : NETLOGON
TimeGenerated : 11/10/2018 4:45:42 PM
TimeWritten : 11/10/2018 4:45:42 PM
UserName :
该事件被域控制器反复记录,该域控制器的 IPv4 地址当时未与其所服务的站点相关联,如在 Active Directory 站点和服务控制台上配置的那样。我通过创建/32
映射到所服务站点的子网对象来抑制它,但我想知道实际后果。
- 为什么域控制器的 IPv4 地址应该映射到它所服务的站点?
- 为什么 Netlogon 要进行这样的测试?为什么一般都会建议这样做?
- 除了事件日志之外,这种配置不匹配会如何影响 Active Directory 基础设施?
虽然连接站点的网络基础设施只有几米长的光纤,并且具有低延迟和高带宽,但是为了在保持 IPv4 地址不变的情况下建立用户和域控制器之间的亲和性,还是创建了多个站点。这是容量管理的目的。
在测试环境下,几行 Windows PowerShell 代码可能会重现该问题。
DC1:
New-NetIPAddress -IPAddress 192.168.254.16 `
-InterfaceAlias Ethernet -AddressFamily IPv4 `
-Type Unicast -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet `
-ServerAddresses @('192.168.254.17','192.168.254.16')
Import-Module ServerManager
Install-WindowsFeature -IncludeManagementTools ("AD-Domain-Services")
Import-Module ADDSDeployment
$dsrm_password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Install-ADDSForest `
-DomainName 'contoso.com' `
-InstallDns `
-SafeModeAdministratorPassword $dsrm_password
#--------------
New-ADReplicationSite -Name 'North'
New-ADReplicationSite -Name 'South'
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | `
Get-ADObject | Rename-ADObject -NewName 'CPD'
New-ADReplicationSubnet -Name '192.168.0.0/16' -Site 'CPD'
New-ADReplicationSubnet -Name '192.168.0.0/18' -Site 'North'
New-ADReplicationSubnet -Name '192.168.128.0/18' -Site 'South'
New-ADReplicationSiteLink -Name 'CPD-North' `
-SitesIncluded @('CPD', 'North') `
-InterSiteTransportProtocol IP `
-ReplicationFrequencyInMinutes 15 `
-OtherAttributes @{'Options'=5}
New-ADReplicationSiteLink -Name 'CPD-South' `
-SitesIncluded @('CPD', 'South') `
-InterSiteTransportProtocol IP `
-ReplicationFrequencyInMinutes 15 `
-OtherAttributes @{'Options'=5}
Get-ADReplicationSiteLink 'DEFAULTIPSITELINK' | Remove-ADReplicationSiteLink
数据中心2:
New-NetIPAddress -IPAddress 192.168.254.17 `
-InterfaceAlias Ethernet -AddressFamily IPv4 `
-Type Unicast -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet `
-ServerAddresses @('192.168.254.16','192.168.254.17')
Import-Module ServerManager
Install-WindowsFeature -IncludeManagementTools ("AD-Domain-Services")
Import-Module ADDSDeployment
$dsrm_password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Install-ADDSDomainController `
-InstallDns `
-SiteName 'North' `
-DomainName 'contoso.com' `
-SafeModeAdministratorPassword $dsrm_password `
-Credential (Get-Credential)
#--------------
Get-EventLog -LogName 'System' -InstanceId 5802 -Newest 1
答案1
这是客户端定位最近域控制器的方式。如果客户端找不到映射到其网络的站点,或者找不到该站点中具有与客户端匹配的适当子网的域控制器,则客户端将选择任何域控制器进行身份验证。如果您同意,则不会有任何影响。