AD issue with a Svr 2012 R2 DC: can't join XP VMs to the domain, but Win7, 8 and Win10 VMs join fine

The domain controller is a physical server running Windows Server 2012 R2. The FF level is 2008 R2 and the DF level is 2012 R2. However, I found an MS article stating that XP is fully compatible even with a 2012 R2 FFL. This issue only affects Windows XP (and earlier) VMs. When I try to join the machine to the domain, the exact error is:


- Restarted the DC
- Re-enabled SMB1 and restarted the DC (it was already enabled) EDIT: Wrong! Read on...
- Restarted the NETLOGON service on the DC (no problems) and on the XP VM (it doesn't stay started)
- Ran DCDIAG (all tests pass)
- Disabled IPv6 on the DC
- Disabled the ISATAP NIC adapters (hidden devices) in DevMgmt.msc

Here is the output of `DCDiag /v`:

    PS C:\> DCDiag /v

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine MY-SERVER, is a Directory Server.
       Home Server = MY-SERVER
       * Connecting to directory service on server MY-SERVER.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=acme,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\MY-SERVER
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... MY-SERVER passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\MY-SERVER
          Starting test: Advertising
             The DC MY-SERVER is advertising itself as a DC and having a DS.
             The DC MY-SERVER is advertising as an LDAP server
             The DC MY-SERVER is advertising as having a writeable directory
             The DC MY-SERVER is advertising as a Key Distribution Center
             The DC MY-SERVER is advertising as a time server
             The DS MY-SERVER is advertising as a GC.
             ......................... MY-SERVER passed test Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Starting test: FrsEvent
             * The File Replication Service Event log test
             Skip the test because the server is running DFSR.
             ......................... MY-SERVER passed test FrsEvent
          Starting test: DFSREvent
             The DFS Replication Event Log.
             ......................... MY-SERVER passed test DFSREvent
          Starting test: SysVolCheck
             * The File Replication Service SYSVOL ready test
             File Replication Service's SYSVOL is ready
             ......................... MY-SERVER passed test SysVolCheck
          Starting test: KccEvent
             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
             ......................... MY-SERVER passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
             Role Domain Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
             Role PDC Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
             Role Rid Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com
             ......................... MY-SERVER passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             Checking machine account for DC MY-SERVER on DC MY-SERVER.
             * SPN found :LDAP/
             * SPN found :LDAP/
             * SPN found :LDAP/MY-SERVER
             * SPN found :LDAP/
             * SPN found :LDAP/
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/121ee01d-112f-4dff-8dd1-ba8463ea8203/
             * SPN found :HOST/
             * SPN found :HOST/
             * SPN found :HOST/MY-SERVER
             * SPN found :HOST/
             * SPN found :GC/
             ......................... MY-SERVER passed test MachineAccount
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC MY-SERVER.
             * Security Permissions Check for
                (NDNC,Version 3)
             * Security Permissions Check for
                (NDNC,Version 3)
             * Security Permissions Check for
                (Schema,Version 3)
             * Security Permissions Check for
                (Configuration,Version 3)
             * Security Permissions Check for
                (Domain,Version 3)
             ......................... MY-SERVER passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\MY-SERVER\netlogon
             Verified share \\MY-SERVER\sysvol
             ......................... MY-SERVER passed test NetLogons
          Starting test: ObjectsReplicated
             MY-SERVER is in domain DC=acme,DC=com
             Checking for CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com in domain DC=acme,DC=com on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com in domain CN=Configuration,DC=acme,DC=com on 1 servers
                Object is up-to-date on all servers.
             ......................... MY-SERVER passed test ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
             ......................... MY-SERVER passed test Replications
          Starting test: RidManager
             * Available RID Pool for the Domain is 1601 to 1073741823
             * is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 1101 to 1600
             * rIDPreviousAllocationPool is 1101 to 1600
             * rIDNextRID: 1147
             ......................... MY-SERVER passed test RidManager
          Starting test: Services
             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
             * Checking Service: DnsCache
             * Checking Service: DFSR
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... MY-SERVER passed test Services
          Starting test: SystemLog
             * The System Event log test
             Found no errors in "System" Event log in the last 60 minutes.
             ......................... MY-SERVER passed test SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Starting test: VerifyReferences
             The system object reference (serverReference) CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com and backlink on
             CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
             The system object reference (serverReferenceBL) CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com
             and backlink on CN=NTDS Settings,CN=MY-SERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acme,DC=com are correct.
             The system object reference (msDFSR-ComputerReferenceBL)
             CN=MY-SERVER,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=acme,DC=com and backlink on
             CN=MY-SERVER,OU=Domain Controllers,DC=acme,DC=com are correct.
             ......................... MY-SERVER passed test VerifyReferences
          Test omitted by user request: VerifyReplicas

          Test omitted by user request: DNS
          Test omitted by user request: DNS

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : acme
          Starting test: CheckSDRefDom
             ......................... acme passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... acme passed test CrossRefValidation

       Running enterprise tests on :
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\
             Locator Flags: 0xe000f1fd
             PDC Name: \\
             Locator Flags: 0xe000f1fd
             Time Server Name: \\
             Locator Flags: 0xe000f1fd
             Preferred Time Server Name: \\
             Locator Flags: 0xe000f1fd
             KDC Name: \\
             Locator Flags: 0xe000f1fd
             ......................... passed test LocatorCheck
          Starting test: Intersite
             Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
             ......................... passed test Intersite
    PS C:\>

I'm completely out of ideas at this point. What could this be? An NTLM issue?


This is now resolved. The DC was incorrectly reporting the SMB1 status (it showed as enabled, but it was not actually enabled):

Running this PowerShell command fixed it (resource link here):

    Set-SmbServerConfiguration -EnableSMB1Protocol $true
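As an added example (not from the original answer), the PowerShell below audits the three places a Server 2012 R2 DC records its SMB1 state, so the kind of mismatch described above (feature shows installed, protocol actually off) is visible before a legacy client fails to join. It assumes the SmbShare and ServerManager modules and the FS-SMB1 feature name shipped with Server 2012 R2.

```powershell
# Added example, not part of the original post. Compares the SMB1 feature
# state, the live SMB server configuration and the LanmanServer registry
# override; any disagreement is reported as drift.

function Get-Smb1State {
    # Source 1: the "SMB 1.0/CIFS File Sharing Support" Windows feature.
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue

    # Source 2: what the SMB server is actually offering to clients.
    $config = Get-SmbServerConfiguration

    # Source 3: the registry override (value absent = default, 0 = disabled).
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $regValue = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    $featureOn = [bool]($feature -and $feature.Installed)
    $serverOn  = [bool]$config.EnableSMB1Protocol

    [pscustomobject]@{
        FeatureInstalled  = $featureOn
        ServerEnableSMB1  = $serverOn
        RegistrySMB1Value = if ($null -eq $regValue) { '<not set>' } else { $regValue }
        Drift             = ($featureOn -ne $serverOn)
    }
}

$state = Get-Smb1State
$state | Format-List

if ($state.Drift) {
    Write-Warning 'SMB1 feature state and SMB server setting disagree; SMB1-only clients (XP) will fail to join.'
}

# Only if the legacy client genuinely must be supported: enable the protocol
# and re-read the live configuration to confirm it took effect. SMB1 is a
# well-known attack surface, so plan to turn it back off once XP is retired.
# Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
# Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
```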


Have you configured a Group Policy that restricts legacy Kerberos encryption types? Some hardening guides or audit policies force you to configure this, and it can prevent legacy clients such as XP from authenticating correctly.

The setting is under Windows Settings - Security Settings - Local Policies - Security Options - Network security: Configure encryption types allowed for Kerberos. More information here:
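As an added example (not from the original answer), this PowerShell reads the policy value that the setting above writes and decodes it into the individual encryption types, flagging whether an XP client (which supports only DES and RC4-HMAC, not AES) could still obtain tickets. The registry path and the bit values are the documented SupportedEncryptionTypes flags; an absent value means the policy is not configured and defaults apply.

```powershell
# Added example, not part of the original post. Decodes the Kerberos
# SupportedEncryptionTypes bitmask set by the GPO "Network security:
# Configure encryption types allowed for Kerberos".

$etypeBits = [ordered]@{
    DES_CBC_CRC = 0x1
    DES_CBC_MD5 = 0x2
    RC4_HMAC    = 0x4
    AES128      = 0x8
    AES256      = 0x10
}

function Get-KerberosEtypePolicy {
    param(
        # Policy-backed location written by the GPO setting named above.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    )
    $item = Get-ItemProperty -Path $Path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Not configured: OS defaults apply, which still include RC4 for XP.
        return [pscustomobject]@{ Configured = $false; Mask = $null; Allowed = @(); XpCompatible = $true }
    }

    $mask    = [int]$item.SupportedEncryptionTypes
    $allowed = $etypeBits.GetEnumerator() | Where-Object { $mask -band $_.Value } | ForEach-Object Name

    # XP can only negotiate DES or RC4-HMAC; if all three bits are cleared it cannot authenticate.
    $legacyBits = $etypeBits.DES_CBC_CRC -bor $etypeBits.DES_CBC_MD5 -bor $etypeBits.RC4_HMAC

    [pscustomobject]@{
        Configured   = $true
        Mask         = ('0x{0:X}' -f $mask)
        Allowed      = $allowed
        XpCompatible = [bool]($mask -band $legacyBits)
    }
}

Get-KerberosEtypePolicy | Format-List
```

Run it on the DC and on a client that can still join; an AES-only mask on either side explains a failing XP join without touching SMB at all.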
